Changes to Enterprise App Distribution for both Android and iOS apps
With the launch of Android Enterprise, the way apps are published to managed devices has changed. This article runs through the changes, provides insight on how your business can avoid any impact and shares best practices for enterprise app deployment for both Android and Apple apps.
Both Apple and Google prefer you to distribute apps to your devices via the public Apple App store or Google Play store, respectively. Each has a vetting process to load apps – apps are checked for code compliance, checked to make sure they match the content guidelines, and checked for vulnerabilities and malicious behaviours.
In the enterprise world you don’t always want your app published to the public app store though – internal apps for internal use are a valid use case that Apple and Google support. In the past, a customer would have an IPA file (iOS App) or APK file (Android app) and deploy it privately to devices using their MDM server.
The days of being given an IPA or APK file by a developer are numbered.
Let’s start with the why – simplicity and security
In the past when a customer wanted to deploy an app that a developer had built for them, at least in the Apple iOS world, they needed an Enterprise Developers account to be able to sign the application and deploy it via their MDM. This process was complex and confusing.
A customer who might never do any app development themselves would end up paying for an Apple Developers account and had to learn how the Apple Developer portal worked – provisioning profiles, certificates, etc.
Some organisations also took advantage of this mechanism to share their apps with other organisations – bypassing Apple’s strict code review process. This meant that Apple was unable to protect their product; bypassing Apple’s process put their customers at risk.
In contrast, Google didn’t have any solution other than the public Google Play store. Developers could sign their APK with a certificate if they wanted to, but many didn’t and side loading of APK files to devices was a common distribution method.
As vendors become more accountable around security, they have a responsibility to ensure their products are safe, secure and that they are protecting their customers from malicious intent. As a result, the enterprise app distribution process has changed.
With Android Enterprise, Google released the concept of the private Google Play store – each enterprise customer has their own private store where they can add and curate a set of apps for their employees’ managed devices.
There are three ways to distribute a private Enterprise App with Android Enterprise.
Have your developer push the app to your private Google Play Store
This option is great for customers who are not developing their own apps and have a third-party developer building apps for them.
The third-party developer can publish your app to your store by using your Google Account ID.
When they update the app, it will automatically be pushed to your app store and out to your managed devices.
Upload an APK file to your Private Google Play Store
If you are building your own Android apps and have an APK file you can load this to your Google Developer Console and then deploy to your private Play Store.
As with any public Android app deployment you will need to have the following information loaded with your APK file.
Store Listing
- Add a high-res icon.
- Add a feature graphic.
- Add at least 2 non-Android TV screenshots.
- Select a category.
- Add a short description.
- Add a full description.
- Enter a privacy policy URL.
Content Rating
- Set your content rating (Go to your app’s Content Rating page and complete a rating questionnaire).
- Acknowledge that the application meets Content Guidelines.
- Acknowledge that this application complies with US export laws.
- Upload an APK or Android App Bundle for this application.
- Target at least one country.
Pricing and Distribution
- Set a price – free or otherwise.
- Declare whether the application contains ads.
- Indicate if your app is primarily directed towards children.
Load your Android app directly to your MDM server
With some MDM solutions it is still possible to load the APK file directly to the MDM server.
This is only supported when you are managing devices using the Android Enterprise Fully Managed device profile, not the BYOD Work Profile or COPE.
If you want to push apps to the Work Profile or COPE, you must do so via private Google Play.
We see a lot of engineers getting stuck with apps not deploying to their Android Enterprise Work Profile devices as they have not set up the Private Google Play store.
Google App Development Best Practices
It’s not all smooth sailing when moving apps to private Google Play. The main problem we see customers run into when they migrate old enterprise apps is that these apps have not been maintained and have not been updated for some time.
When these old apps are loaded to the admin console, Google will only accept the app if it meets the required target API level. This Google article explains target API levels; all apps must meet this requirement before they can be uploaded.
If you are thinking about moving to Android Enterprise and are deploying Android apps via your MDM, you will want to get them reviewed and updated before you start the migration.
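A pre-migration check for the target API requirement described above, as an added example that is not part of the original article: it parses the output of `aapt dump badging` (from the Android SDK build-tools) for each APK and flags apps whose target API level is below a threshold. The threshold value, file names and package names are assumptions; take the real threshold from Google's current requirement.

```python
import re
import subprocess

# Assumption: placeholder threshold. Replace with Google's current
# target API level requirement before relying on the result.
REQUIRED_TARGET_API = 30

def read_badging(apk_path):
    """Return `aapt dump badging` output for an APK (needs Android build-tools)."""
    return subprocess.run(["aapt", "dump", "badging", apk_path],
                          capture_output=True, text=True, check=True).stdout

def parse_badging(text):
    """Extract package name, version code and SDK levels from badging output."""
    pkg = re.search(r"^package: name='([^']+)' versionCode='(\d*)'", text, re.M)
    if not pkg:
        raise ValueError("no package line; not aapt badging output")
    min_sdk = re.search(r"^sdkVersion:'(\d+)'", text, re.M)
    target = re.search(r"^targetSdkVersion:'(\d+)'", text, re.M)
    min_level = int(min_sdk.group(1)) if min_sdk else 1
    # A manifest with no targetSdkVersion falls back to its minSdkVersion.
    target_level = int(target.group(1)) if target else min_level
    return {"package": pkg.group(1), "version_code": pkg.group(2),
            "min_sdk": min_level, "target_sdk": target_level,
            "target_declared": target is not None}

def audit(badging_by_file, required=REQUIRED_TARGET_API):
    """Return (file, package, target_sdk, ok) rows, lowest target first."""
    rows = []
    for name, text in badging_by_file.items():
        info = parse_badging(text)
        rows.append((name, info["package"], info["target_sdk"],
                     info["target_sdk"] >= required))
    return sorted(rows, key=lambda r: r[2])

# Constructed sample badging output for two hypothetical in-house apps.
SAMPLE = {
    "timesheet.apk": ("package: name='com.example.timesheet' versionCode='14'"
                      " versionName='2.3'\nsdkVersion:'23'\n"
                      "targetSdkVersion:'30'\n"),
    "stocktake.apk": ("package: name='com.example.stocktake' versionCode='3'"
                      " versionName='1.0'\nsdkVersion:'16'\n"),
}

if __name__ == "__main__":
    for name, pkg, target, ok in audit(SAMPLE):
        print(f"{name:15} {pkg:25} target={target:<3} {'OK' if ok else 'UPDATE NEEDED'}")
```

For real files, build the input with `{path: read_badging(path) for path in apk_paths}` and pass it to `audit`.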
Apple iOS App Deployment
There are two ways to deploy a private Enterprise App to managed iOS devices.
Custom App Deployment via Apple Business Manager
Apple are moving away from enabling customers with an Enterprise Developers Account if they are not developing apps themselves.
Apple’s preference is to have your third-party developer distribute the app to your Apple Business Manager account via their App Store Connect and let you publish the apps to your devices via your MDM integration with Apple Business Manager.
This lets your third-party developer manage all the app signing, profiles, certificates, etc. on their side, streamlining the process for their customers at the time of release.
You can read more about Apple’s custom app deployment via this link.
Self-signing with an Apple Enterprise Developers account
For customers that are developing in-house apps and have an Enterprise Developers account, it is still possible to sign your own apps and load them to your MDM console.
What about testing apps with this new mode of Enterprise App deployment?
One concern when moving to an enterprise app deployment model where you don’t have access to the app file is around testing. It’s still very important that apps are fully tested before they are released as a private Google Play or custom Apple app.
Apple customers must leverage TestFlight for testing app versions. TestFlight is a container where you can push beta versions of apps to your device to complete your testing. You can read about TestFlight via this link. Once your TestFlight versions have been approved, your third-party developer can then deploy the production version of the app to your Apple Business Manager account.
For Android apps, testing via the Google solution is a bit more complicated and requires G-Suite. You can read about testing tracks via this link.
A couple of alternative options include having a separate version of the app loaded into Google Play for testing (a different bundle ID would be required), or putting some test devices into Developer mode and side loading the apps for testing, then rolling out via Google Play when ready.
We recommend you discuss testing with your developer at the start of the project, so you work out the best options for you and your team.
Conclusion
The world of Mobile Device Management continues to evolve in 2021 and enterprise app support is becoming more streamlined.
If you are interested in setting up management for corporate or personal devices at your company, check out our BYOD 365 service and our Zero Touch Provisioning service, or contact us.