Public and private Android Enterprise app deployment

Ivanti EPMM provides administrators with the following options for deploying apps to Android Enterprise device users.

  • Public apps: These apps are developed outside of your organization and are available to Android Enterprise device users from the public Google Play store. They are hosted by Google, but administrators can manage public apps using Ivanti EPMM.
  • Private apps: These apps are available only to your organization. Private apps are hosted by Google and available from the Google Play Apps Catalog, and administrators can manage them using Ivanti EPMM.

    These apps are available only to users of your domain and can be available in a non-English language that is supported by Ivanti, Inc. The following private apps are described below.

    • Private in-house apps: These apps are developed in-house, available only to your organization and can be available in a non-English language that is supported by Ivanti, Inc. Private in-house apps are more secure because they are hosted by Ivanti EPMM (not Google), but are available from the Google Play Apps Catalog. The apps generate an APK definition file you upload to the Google Play Developer Console to use for installing the apps. These apps are not available through Apps@Work; see Distributing your enterprise apps in the Google Play App catalog or in Apps@Work for details.

When the API connection in Ivanti EPMM's Access Control List is enabled, device attempts to download private self-hosted apps from an IP address range that is not listed in that Access Control List will be rejected. This is expected behavior. In order for devices to download private self-hosted apps, devices must have an IP address that is on Ivanti EPMM's Access Control List.
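A pre-rollout check for the Access Control List behavior described above, as an added example that is not part of the Ivanti documentation: it reports which device egress ranges are fully covered, partly covered, or not covered by the ACL. It assumes the ACL entries can be written as CIDR networks; every range and site name below is constructed sample data.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not values from any real deployment.
ACL = ["10.20.0.0/16", "203.0.113.0/25", "203.0.113.128/25", "192.0.2.0/25"]
EGRESS = {
    "hq-wifi": "10.20.5.0/24",
    "branch-nat": "203.0.113.0/24",
    "warehouse": "192.0.2.0/24",
    "carrier": "198.51.100.0/24",
}


def uncovered_ranges(device_net, acl_entries):
    """Return the parts of device_net that no ACL entry covers (empty list = fully covered)."""
    target = ipaddress.ip_network(device_net)
    # Only entries of the same IP version can match; merge them so adjacent
    # entries (for example two /25 halves) are treated as one range.
    same_version = [n for n in map(ipaddress.ip_network, acl_entries)
                    if n.version == target.version]
    remaining = [target]
    for acl in ipaddress.collapse_addresses(same_version):
        still_open = []
        for net in remaining:
            if not net.overlaps(acl):
                still_open.append(net)        # this entry does not touch net
            elif net.subnet_of(acl):
                continue                      # net is fully inside the entry
            else:
                # The entry sits inside net: keep only the part it leaves out.
                still_open.extend(net.address_exclude(acl))
        remaining = still_open
    return sorted(remaining)


def classify(device_net, acl_entries):
    """'allowed', 'partial' or 'rejected' for one device egress range."""
    gaps = uncovered_ranges(device_net, acl_entries)
    if not gaps:
        return "allowed"
    if gaps == [ipaddress.ip_network(device_net)]:
        return "rejected"
    return "partial"


def precheck(egress, acl_entries):
    """Map each site name to (status, list of uncovered CIDR strings)."""
    return {
        site: (classify(net, acl_entries),
               [str(g) for g in uncovered_ranges(net, acl_entries)])
        for site, net in egress.items()
    }


if __name__ == "__main__":
    for site, (status, gaps) in precheck(EGRESS, ACL).items():
        print(f"{site:12} {status:9} uncovered={gaps}")
```

Sites reported as partial or rejected contain addresses from which self-hosted app downloads would be refused while the ACL is enabled.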

To deploy apps see:

App management action workflows

Deploying public Android Enterprise apps

A public app is available in the public Google Play store. You can add public apps to the App Catalog using the app wizard that helps you through all the options and configurations. You can also add public apps using the Google Play iFrame. See Adding an Android Enterprise public app using the app wizard.

Adding an Android Enterprise public app using the app wizard

Before you begin 

Enable Android Enterprise in Ivanti EPMM. See "Enabling Android Enterprise" in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

When adding the app, the app wizard guides you through all options and configurations of public and private apps on Android Enterprise. In-house and self-hosted apps are applicable to Android Enterprise, but are not configured using the app wizard.

Once Android Enterprise is installed, the Quick Import option for Google Play is disabled.

Procedure 

  1. In the Ivanti EPMM Admin Portal, go to Services > Google.
  2. Use the browse button to navigate to the JSON file you downloaded as part of the Android Enterprise enrollment and then select Connect.
  3. A confirmation displays stating that you have been enrolled in Google Services.
  4. Go to Apps > App Catalog.
  5. Click Add+.
  6. Click Google Play. The Google Play store opens below displaying only Android Enterprise apps.
  7. The pop-out sidebar displays three options:

    • Search Play store – search for a specific app in the Google Play store. Only public apps and enterprise domain / package name apps can be searched for. Once a private app has been uploaded, you can search for the private app.
    • Private apps – allows you to import private Android apps into Google Play for Android device users to download and use.
    • Web app – allows you to create a web app.

      This flow is generated by Google Play and may change in the future as Google adds new features.

  8. In the Search field, enter the app name and then select Search. Google Play Store displays app icons with their names in the search results.
  9. Select an app’s icon.

  10. You will need to approve the app to be part of the Android Enterprise app collection for device users’ consumption. Select the Approve button. The app’s Approval Settings and Notifications dialog box opens to the Approval Settings tab.

  11. Every app requires permissions to access specific aspects of an Android phone, for example, Contacts. As an administrator, you will need to review these permissions because you will be accepting or revoking them on behalf of your organization. Select one of the options:

    • Keep approved when app requests new permissions – permissions can change due to app updates. If this option is selected, it means the device user may not know about the access permission changes.

    • Revoke app approval when this app requests new permissions – If this option is selected, when a new update has changed its access permissions, the device user will be notified of the access permissions when the app is updated. The device user must accept the new permissions, otherwise the app will be disabled for that user.

  12. Select the Notifications tab.
  13. Enter the email address and then select Add to have specific people be notified that an app has been updated. Repeat for multiple email addresses.

  14. After you select Done, a confirmation email is sent to the listed person(s). The button in the confirmation email needs to be clicked to activate the email subscription. Successful subscribers are listed in the Notifications tab of the app.

    If you selected the “Keep approved when app requests new permissions” option and no email is entered into the Notifications tab, all updates are silent.

  15. The app information displays with a check mark next to "Approved". If you want to review the access permissions or notifications, select the Approval Preferences button.

  16. Choose Select.

  17. Select Next. Now that you have set the access permissions to the app, you can finish configuring the app. Configurations are determined by the app developer and are key-value pairs unique to each app.

    You may need to refer to the app's documentation for how to proceed with these configurations. For example, Ivanti EPMM supports the Knox Service Plugin app. In order to enter the configurations for this app, you will need to access the Knox Developer documentation for Knox Service Plugin at https://docs.samsungknox.com/dev/knox-service-plugin/index.htm?Highlight=KSP. A login may be required to access app documentation.

  18. Use the following guidelines to complete the page.

    Item

    Description

    Application Name

    Displays the app name defined by the app developer. This is the name that displays to device users. This field is not editable.

    Description

    The app description as retrieved from Google Play displays. You can edit the description. Users will see this description in Apps@Work on their devices.

    Category

    Select one or more categories to display this app in a category tab in Apps@Work or add a new category.

    Click Add New Category to define new categories.

    Enter a category Name (up to 64 characters).

    Enter a Description (up to 255 characters).

    In the Category Icon section, click the Replace Icon button.

    Browse and select an icon that will represent this Category.

    Click Save.

  19. Click Next.
  20. Use the following guidelines to complete the page.

    Item

    Description

    Use Global App Config Policy

    Selecting the check box makes the policy settings take priority over the app settings if and only if the global policy is created and available for a particular device. Leaving the check box empty means the app's configuration settings will be used. For more information, see "Global App Config Settings policy" in the Ivanti EPMM Device Management Guide of your OS.

    Feature this App in the Apps@Work catalog

    If the check box is selected, this app appears in the Featured Apps tab in Apps@Work.

    Featured Banner

    Selecting the check box will display this app as part of the top banner on the Apps@Work Home page on device users' devices. The latest five apps will be picked to be part of Apps@Work Home page.

    Per App VPN by Label Only

    Select this check box to require the Per App VPN configuration to be assigned to a label that matches the device. Ivanti does not recommend de-selecting Per-App VPN by Label Only, as this field will be deprecated in future Ivanti EPMM releases and become selected by default.

    Per app VPN is not supported for MAM-only Android devices.

    Ivanti does not recommend using Per App VPN with apps that utilize device spaces.

    License Required

    The Selected VPNs column lists the VPN configuration that may be installed on the device, in priority order:

    • If Per App VPN by Label Only is selected, then the VPN configuration must be assigned to a label matching the device in order to be installed. The first VPN in the list that is also assigned to a label associated with the device has the highest priority.

    To populate the Selected VPNs column, select the VPN configuration you created for per app VPN in the All VPNs column, and click the right arrow. You can select multiple per app VPN settings.

    To reorder the per app VPN configurations in the Selected VPNs column, drag the configuration names to the correct positions in the list.

    See “Managing VPN settings” in the Ivanti EPMM Device Management Guide for information on creating a per app VPN.

    Per app VPN is not supported for MAM-only Android devices.

    Install this app for Android enterprise

    You must be a Global Space administrator to use this setting. Select this check box to make public and private apps available to device users for download to Android devices. You can change the “Install this app for Android enterprise” setting for each app in the app’s details page at any time.

  21. Select Finish.

  22. In the App Catalog, select the newly-added app.
  23. Select Actions > Apply to Label.
  24. Select the appropriate labels to make the app available to device users.

    You can edit the app’s settings at any time. Select the app in the App Catalog, and click Edit.

All apps that are available to be installed for Android Enterprise have the “suitcase” badge on their icon. These apps can also be installed on non-Android Enterprise devices. For more information about labels for Android Enterprise, see Distributing alternate Release Tracks for Android Enterprise apps.

Note the following:

  • Depending on the configuration of the customer's firewall, the metadata and reviews for an app selected for installation from Google Play may not be displayed.

Deploying private Android Enterprise apps

The high-level steps to deploy a private Android Enterprise app are:

Publishing your private app on Google Play to your organization only

Before you begin 

These steps are performed on Google’s websites.

  1. If you are doing icon customization and plan on sharing the private app with other UEMs, your Google Enterprise account must be registered as a Google developer.

    If you are using the iFrame option via Ivanti Neurons for MDM / Ivanti EPMM, you can import private apps without registering the Enterprise account as a developer.

  2. Follow Google’s instructions to publish the app on Google Play.
  3. To make the app available privately to other UEMs or organizations, please refer to this KB article: How to share private Android Enterprise Apps with other UEMs.

Adding your Android Enterprise private app using the app wizard

This procedure covers how to add a private Android Enterprise app to the Ivanti EPMM App Catalog. In-house apps are supported with Android Enterprise but you cannot configure them using the app wizard.

If you are adding a new version of an existing app, see Adding new versions of an existing Android Enterprise app.

Procedure 

  1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
  2. Click Add+.
  3. Click Google Play. The app icons for the private apps you published to Google Play display.

    If you need to update the email address associated with the app, click Update.

    Select the desired app and then click Next.
  4. The Choose page displays the private app's title and APK file name.
  5. Click Select and then click Next.
  6. The Describe page displays. Use the following guidelines to complete the page.

    Item

    Description

    Application Name

    Displays the app name defined by the app developer. This is the name that displays to device users. This field is not editable.

    Description

    The app description as retrieved from Google Play displays. You can edit the description. Users will see this description in Apps@Work on their devices.

    Category

    Select one or more categories to display this app in a category tab in Apps@Work or add a new category:

    1. Click Add New Category to define new categories.
    2. Enter a category Name (up to 64 characters).
    3. Enter a Description (up to 255 characters).
    4. In the Category Icon section, click the Replace Icon button.
    5. Browse and select an icon that will represent this Category.
    6. Click Save.
  7. Click Next.
  8. The App Configuration page displays. Use the following guidelines to complete the page.

    Item

    Description

    Use Global App Config Policy

    Selecting the check box makes the policy settings take priority over the app settings if and only if the global policy is created and available for a particular device. Leaving the check box empty means the app's configuration settings will be used. For more information, see "Global App Config Settings policy" in the Ivanti EPMM Device Management Guide of your OS.

    Feature this App in the Apps@Work catalog

    If the check box is selected, this app appears in the Featured Apps tab in Apps@Work.

    Featured Banner

    Selecting the check box will display this app as part of the top banner on the Apps@Work Home page on end users' devices. The latest five apps will be picked to be part of Apps@Work Home page.

    Per App VPN by Label Only

    Select this check box to require the Per App VPN configuration to be assigned to a label that matches the device. Ivanti does not recommend de-selecting Per-App VPN by Label Only, as this field will be deprecated in future Ivanti EPMM releases and become selected by default.

    Per app VPN is not supported for MAM-only Android devices.

    Ivanti does not recommend using Per App VPN with apps that utilize device spaces.

    License Required

    The Selected VPNs column lists the VPN configuration that may be installed on the device, in priority order:

    • If Per App VPN by Label Only is selected, then the VPN configuration must be assigned to a label matching the device in order to be installed. The first VPN in the list that is also assigned to a label associated with the device has the highest priority.

    To populate the Selected VPNs column, select the VPN configuration you created for per app VPN in the All VPNs column, and click the right arrow. You can select multiple per app VPN settings.

    To reorder the per app VPN configurations in the Selected VPNs column, drag the configuration names to the correct positions in the list.

    See “Managing VPN settings” in the Ivanti EPMM Device Management Guide for information on creating a per app VPN.

    Per app VPN is not supported for MAM-only Android devices.

    Install this app for Android enterprise

    Select this check box to make public and private apps available to device users for download to Android devices. You can change the “Install this app for Android enterprise” setting for each app in the app’s details page at any time.

  9. Click Finish.
  10. Select the app in the App Catalog. 
  11. Click Actions > Apply to Label, and select the appropriate labels to make this app available to device users. 

    You can edit the app’s settings at any time. Select the app in the App Catalog, and click Edit.

Manually provide an app's package name

You can manually provide the package name of an Android app along with the app details.

  1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
  2. Click Add+.
  3. Click Google Play. The app icons for the private apps you published to Google Play display.
  4. Scroll down to the bottom of the page and select the check box for Skip this step and manually provide Bundle ID and all app details.
  5. Click Next. The Describe page displays.

    Item

    Description

    Package Name

    You must provide the app’s package name. Ivanti EPMM can upload an Android Google Play Store app that has the same package name as a public app, such as com.mobileiron.phoneatwork, that is already loaded on Ivanti EPMM. This feature is always on and does not require any configuration in the user interface.

    Application Name

    Displays the app name defined by the app developer. This is the name that displays to device users. This field is not editable.

    Min OS Version

    The minimum OS version as retrieved from Google Play displays.

    Devices that don’t have the minimum OS version installed will not be able to install the app.

    Description

    The app description as retrieved from Google Play displays. You can edit the description. Users will see this description in Apps@Work on their devices.

    Category

    Select one or more categories to display this app in a category tab in Apps@Work or add a new category:

    1. Click Add New Category to define new categories.
    2. Enter a category Name (up to 64 characters).
    3. Enter a Description (up to 255 characters).
    4. In the Category Icon section, click the Replace Icon button.
    5. Browse and select an icon that will represent this Category.
    6. Click Save.
  6. Click Next. The App Store page displays.

    Item

    Description

    Use Global App Config Policy

    Selecting the check box makes the policy settings take priority over the app settings if and only if the global policy is created and available for a particular device. Leaving the check box empty means the app's configuration settings will be used. For more information, see "Global App Config Settings policy" in the Ivanti EPMM Device Management Guide of your OS.

    Feature this App in the Apps@Work catalog

    If the check box is selected, this app appears in the Featured Apps tab in Apps@Work.

    Featured Banner

    Selecting the check box will display this app as part of the top banner on the Apps@Work Home page on end users' devices. The latest five apps will be picked to be part of Apps@Work Home page.

    App Icon

    Icon and Screenshots appear when editing an app entry.

    The icon retrieved from Google Play displays.

    To replace the icon, click the Replace Icon button. Select the icon to represent this app. The file must be no larger than 1024 x 1024 pixels and in JPG, PNG, or GIF format. We recommend PNG for best resizing results. Icon height and width must be equal.

    Screenshots

    Icon and Screenshots appear when editing an app entry.

    The screenshots retrieved from Google Play are displayed.

    • Click Upload to select and upload optional screenshot files in PNG, GIF, or JPG formats. The supported dimensions are 480x800 pixels and 480x854 pixels. We recommend PNG for best resizing.
    • To delete a screenshot, click Remove under the screenshot.
  7. Click Next. The App Configuration page displays.

    Item

    Description

    Per App VPN by Label Only

    Select this check box to require the Per App VPN configuration to be assigned to a label that matches the device. Ivanti does not recommend de-selecting Per-App VPN by Label Only, as this field will be deprecated in future Ivanti EPMM releases and become selected by default.

    Per app VPN is not supported for MAM-only Android devices.

    Ivanti does not recommend using Per App VPN with apps that utilize device spaces.

    License Required

    The Selected VPNs column lists the VPN configuration that may be installed on the device, in priority order:

    • If Per App VPN by Label Only is selected, then the VPN configuration must be assigned to a label matching the device in order to be installed. The first VPN in the list that is also assigned to a label associated with the device has the highest priority.

    To populate the Selected VPNs column, select the VPN configuration you created for per app VPN in the All VPNs column, and click the right arrow. You can select multiple per app VPN settings.

    To reorder the per app VPN configurations in the Selected VPNs column, drag the configuration names to the correct positions in the list.

    See “Managing VPN settings” in the Ivanti EPMM Device Management Guide for information on creating a per app VPN.

    Per app VPN is not supported for MAM-only Android devices.

    Install this app for Android enterprise

    Select this check box to make public and private apps available to device users for download to Android devices. You can change the “Install this app for Android enterprise” setting for each app in the app’s details page at any time.

  8. Click Finish.
  9. Select the app in the App Catalog.
  10. Click Actions > Apply to Label, and select the appropriate labels to make this app available to device users.

    You can edit the app’s settings at any time. Select the app in the App Catalog, and click Edit.

Deploying a self-hosted app

Self-hosted apps allow administrators to publish in-house app entries in the Google Play Apps Catalog without uploading binaries to Google. For security reasons, self-hosted apps are hosted by Ivanti EPMM and not Google; however, they are still available in the Google Play Apps Catalog. Self-hosted apps require the definition of the APK location to be uploaded to Google Play. Revisions are required to be published to Google Play, which points only to the latest version of Ivanti EPMM.

Silent install of the APK is supported only on work-managed devices. You can manually install self-hosted apps from Google Play. You can use this feature to block or allow users to show in-house app widgets on the home screen inside the Work Profile. By enabling the "Block Widget on Home Screen" and "Block Uninstall" options, you can also block or allow users from uninstalling the app. This feature applies to managed devices only.

These apps are not available for Android Enterprise device users to install from Apps@Work.

Procedure 

If you are adding a new version of an existing app, see Adding new versions of an existing Android Enterprise app.

  1. In the Ivanti EPMM Admin Portal, select Apps > App Catalog.
  2. To upload a new APK that becomes an in-house / self-hosted app:

    1. Select Add+ > In-House > Browse.
    2. Locate and select the app, then select Next.
    3. Skip to the next step.

    If you want to redefine an existing app:

    1. Select the app and then select Edit.
    2. Continue with the next step.
  3. Scroll down to the ANDROID ENTERPRISE (ALL MODES) section.
  4. Select the Install this app for Android enterprise check box.
  5. Click the Download APK Definition file link. The APK definition file downloads automatically.
  6. Open a new browser window and log into the Google Play Developer Console site.
  7. Follow Google's steps on publishing.

    • Under Distribution > Managed Google Play, make sure you have the "Privately target this app to a list of organizations" check box selected. Select Choose Organizations.
    • When uploading the APK file, be sure to select the "I am uploading a configuration for an APK hosted outside of Google Play" check box.
    • Go to Services > API > Licensing & in-app billing section and copy the license key.
  8. Return to the Ivanti EPMM App Catalog browser window and paste the key in the App License box provided.

    Every version of that app uses the same License Key.

  9. Select one or more of the following check boxes:
    • Silent install for work managed devices
    • Block Widget on Home Screen
    • Block Uninstall
  10. Click Save.
  11. Select the app in the App Catalog.
  12. Click Actions > Apply to Label.
  13. Select the appropriate labels to make this app available to device users.

Adding new versions of an existing Android Enterprise app

When uploading a newer version of an app, an extra page opens to allow you to select whether to keep the app's old version information or to adopt the information from the app's new version. This feature is applicable to Android Enterprise in-house / private / self-hosted apps.

Procedure 

  1. In the App Catalog, select the Add+ button.

    The Add App Wizard opens.

  2. Select In-House.
  3. Select Browse and navigate to the in-house Android or Android Enterprise app you want to upload.
  4. Select Next.
  5. The An earlier version of this App exists page opens.

  6. Select an option:

    • Another version of this App was previously uploaded. Reuse its description, icon and screenshot. If the Description, Icon or Screenshot fields of the new app are empty, then the system will populate those fields with information from the previous app version (default).
    • Upload a new description, icon or screen shot. Information related to the Description, Icon or Screenshot fields of the new App will be utilized. If those fields are empty, nothing will be copied from the previous app version.
  7. Select Next and finish configuring the new version of your app (see Adding your Android Enterprise private app using the app wizard).

    Once finished, the new version displays in the App Catalog.

Distributing your enterprise apps in the Google Play App catalog or in Apps@Work

By default, Android Enterprise apps are distributed from a managed Google Play. However, you can opt to distribute the apps from Apps@Work.

Use these steps to set up your distribution choice for your enterprise apps:

  • If you selected Google Play, in the Google Play App Catalog section:

    Select Yes to use a layout based on the characteristics of apps in this instance of Ivanti EPMM. The apps are presented in Google Play using the categories and featured apps as you defined for each app in the App Catalog. Apps added recently to the App Catalog are presented in a “What’s New” list.

    Select No (the default) to use a basic layout in Google Play. In this layout, the apps are presented in alphabetical order in a single list.

    Note the following:

    • If more than one Ivanti EPMM instance is publishing with Google Play, you will be sending redundant (possibly conflicting) layouts to Google. This does NOT affect the distribution of apps, only the layout visible in Google Play.
    • The Google Play layout definition is based on the Android Enterprise apps available on the Ivanti EPMM that you marked as primary on help.mobileiron.com when setting up your Android Enterprise enrollment. If you have multiple Ivanti EPMMs that use the same enterprise account, the devices registered to users in each Ivanti EPMM receive the same layout. This layout can be consistent only if one Ivanti EPMM is set to publish the layout. If multiple Ivanti EPMMs are marked as the primary Ivanti EPMM, then they will attempt to publish the layout and cause the layout to become unstable.
  1. Make sure your device is set up for Android Enterprise. See “Enabling Android Enterprise for your enterprise” in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.
  2. In the Ivanti EPMM Admin Portal, in Services > Google, in Enterprise Apps Distribution, choose either Google Play or Apps@Work.
  3. If you change the setting, click Apply.

Updates to the Google Play App catalog may take several minutes to take effect.

Distributing alternate Release Tracks for Android Enterprise apps

For Android Enterprise 10.4.0.0 or newer versions, this feature works for private and public Android apps, and Android Enterprise apps. Any public app whose developer has allowed Android Enterprise access to its tracks will work. You can deploy numerous versions of private apps to allow rapid and flexible deployment of different builds of the same app to different groups.

In Ivanti EPMM versions below 10.4.0.0, there were three static options (Alpha, Beta, Production) that you could select from in the list of releases (Track ID) defined by the developer who uploaded the application to Google Play. Upon upgrade to Ivanti EPMM 10.4.0.0, Ivanti EPMM supports as many tracks as the app developer published and assigned to the enterprise. This list is dynamically retrieved from Google Play and displays in the Release column of the Add to Label dialog box. Ivanti EPMM uses the Track IDs to specify which track, but for administrators, Ivanti EPMM displays the track aliases. As the list can include new and different Track aliases, during the upgrade to 10.4.0.0, Ivanti EPMM will try to match existing Track IDs, but if there is no Track ID match, Ivanti EPMM will assign the track to Production.

If a device is assigned to multiple Track IDs, all Track IDs will be sent to the device and Google will choose the highest available track to use. Since the tracks are set by label, it's possible for a device to belong to multiple labels getting multiple Track IDs for the same app.

Before you begin 

  • Select Android Enterprise apps to be used in the Ivanti EPMM Admin Portal.
  • Identify one or more private apps administrators want to deploy to users within their organization.
  • Set up separate labels to include alpha users and beta users.
  • Verify that your in-house app developers have whitelisted the alpha and beta apps for distribution to your enterprise using the Google enterprise ID for Ivanti EPMM as the target organization.

Procedure 

  1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog.
  2. Select one of the Android Enterprise-enabled apps you want to add to an alpha or beta label.
  3. Click Actions > Apply to label.
  4. Select one or more labels.
  5. Go to the Release column and click inside the cell to enable the drop down option.
  6. Select Alpha, Beta, Production (default) or an alternate option as per Google's dynamically-updated list.

    Ivanti EPMM only displays the track aliases for the tracks that are possible for the app for that enterprise. It does not have to be Alpha or Beta.

  7. Click Apply.

At the next sync, the specified track is downloaded to the designated devices. If multiple labels applied to a device introduce conflicts, label priority applies the highest version in the following order: Alpha, Beta, then Production.
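An audit of the label and track behavior described in this section, as an added example that is not Ivanti code: it lists devices that receive more than one track for the same app and the track the documented order (Alpha, Beta, then Production) selects. Label names, device names and the custom alias are constructed; the page gives no rank for custom aliases, so those devices are marked undetermined.

```python
# Precedence stated on the page for conflicting labels: Alpha, then Beta, then Production.
DOCUMENTED_ORDER = ("alpha", "beta", "production")

# Constructed sample data: the Release value chosen per label for one app,
# and the labels each device belongs to.
LABEL_RELEASE = {
    "all-staff": "Production",
    "qa-alpha": "Alpha",
    "pilot-beta": "Beta",
    "canary-ring": "Internal-Canary",   # hypothetical custom track alias
}
DEVICES = {
    "tablet-017": ["all-staff"],
    "phone-102": ["all-staff", "qa-alpha"],
    "phone-230": ["all-staff", "pilot-beta", "canary-ring"],
    "kiosk-004": ["canary-ring", "all-staff"],
    "phone-311": ["contractors"],        # label without this app applied
}


def resolve(device_labels, label_release):
    """Return (tracks sent to the device, pick by documented order, unranked aliases)."""
    sent = sorted({label_release[label].lower()
                   for label in device_labels if label in label_release})
    ranked = [track for track in DOCUMENTED_ORDER if track in sent]
    unranked = [track for track in sent if track not in DOCUMENTED_ORDER]
    return sent, (ranked[0] if ranked else None), unranked


def find_conflicts(devices, label_release):
    """Devices that receive more than one track for the app, with the expected outcome."""
    findings = {}
    for device, labels in devices.items():
        sent, documented_pick, unranked = resolve(labels, label_release)
        if len(sent) > 1:
            findings[device] = {
                "sent": sent,
                "documented_pick": documented_pick,
                # A custom alias has no documented position, so the outcome
                # cannot be predicted from the stated order alone.
                "undetermined": bool(unranked),
                "unranked": unranked,
            }
    return findings


if __name__ == "__main__":
    for device, info in find_conflicts(DEVICES, LABEL_RELEASE).items():
        print(device, info)
```

A device that appears here with a pick of alpha or beta while also sitting in a production label is receiving pre-release builds because of an extra label membership.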