How to manage app using Intune
I want some suggestions on how to manage applications in our workplace.
We purchased an Android app for our employees to work in the warehouse. The vendor provides two methods of getting the app to our devices. One is to download it directly from the Play Store, and the other is from the vendor's website. When something is broken, the vendor will roll back by uploading the new version of the app to the Play Store if the problem is reported on time. Sometimes, we have to go to the download site to download the previous version to solve the immediate issue due to the time zone difference.
Therefore, we want to manage the app using Intune. We want to deploy the APK directly to the device using Line of Business. However, it only works if we enrol devices using Device Administrator.
Unfortunately, it is impossible now since Intune has stopped supporting this enrollment type.
If we use the Play Store's managed private app to upload the APK, it gets an error with the package name. We do not think that the vendor will build different package names for every customer.
So here is my question: How could we achieve something we achieved in the past and now we cannot?
Intune said it is the change that Google made due to security reasons.
Any suggestion would be much appreciated!!!
Welcome to the Customer Community. I've had a look into this for you.
Device Administrator is considered a bit of a legacy way of managing Android devices. I would recommend that devices be enrolled as Android Enterprise in the EMM, at least with an Android Work Profile at a minimum, in order for devices to have some type of communication with Intune and download any applications made available by your Intune console.
Intune allows the admin to manually upload application packages such as APKs. This application package can be acquired by the admin from the vendor or the given site. In the event that the app needs to be rolled back or patched on the Play Store, but is expected to be delayed due to timezone differences for example, you can resort to manually uploading and managing the APK in the Intune console's app panel.
As an admin, I'd prefer that the vendor patch or update their application on Play Store. With the Play Store you can get a seamless approach in application management, as you will no longer need to worry about the nuances of deploying and updating the application changes manually, every time there is a change such as patches and rollbacks to the application. But uploading the package manually to Intune would be your other option, and you'd be able to deploy it to the enrolled devices in this regard.
How does this sound to you? Would this work for you? Feel free to add extra context if this doesn't quite work.
You were on the right track with this comment, mate:
"We do not think that the vendor will build different package names for every customer."
Yes they will, and do quite often. Is there a commercial aspect to it? Perhaps, but often not if you're already a paying customer. With the unique package name, upload it either to your Google Play iFrame as a private application, or within your own Google Play Console (with a developer account) and set the managed Google Play options accordingly to keep it private. Which way you go depends on your preference, though if you have a Google Play Console developer account, I'd lean to that as it's not locked to an enterprise ID you might change if moving to another EMM in future.
Thank you for the response.
Our case is slightly different.
The vendor does not provide the apk with a different package name since they have over 1000 customers. Furthermore, every customer uses the app differently. For context, it is the manufacture and warehouse app. The customers might have different ways to do tasks. Therefore, there are customisations and adjustments to suit each customer.
Every now and then, we could have an issue with the new version. We use Intune to manage the rollout. However, if we enrol the device with Android Enterprise, we cannot upload the rollback on time using private since it has an issue with the package name.
Our devices are currently enrolled as Device Admin. However, we are concerned about Intune stopping support for it next year.
1 or a million customers, developers and customers will have to adapt to this alternative method of app management if relying on a platform that cannot distribute APKs.
It's an outdated and higher-risk method of app distribution in any case, so once transitioned you'll benefit from lower network usage, faster installs, and other benefits of Play.
Your struggles with version update issues can also be quelled with more intentional testing periods and app update management policies that'll allow you to install on test devices and validate before going live to your estate. This same approach can delay updates to periods when your developer is available too for more convenient version iterations.
But ultimately if it's a critical business application they need to work with you to support a custom package name and allow you to manage this end-to-end yourself. It's not difficult, nor high-effort since a bit of scripting can automate as many packages and names as they could want.
Discuss it with them.
Is it possible to share private Google Play apps between different organizations?
Process could be something like this:
- From MDM #1 Play iframe (for instance Intune) upload a private app
- Go to Advanced Editing / Google Play Console
- Under advanced settings add another organization id
- On MDM #2 it should show up as a "public" app in Play.
This is similar to what I would do with a public app that is only shared with select organizations.
The advantage over public Play would be the less strict rules of private Play that allow older target SDKs etc.
Will this even work, and if so, is there something to be aware of?
Yes it is, and the process follows essentially what you just described. Though if you're in a situation needing to support multiple enterprise IDs, going through the Google Play console from the start and marking the app as private will give you all the benefits of private apps, without the burden of it being locked to one particular enterprise ID.
Marking private is under advanced settings > managed Google Play in the store listing area.
Thanks for the input, James!
I followed the official instructions here:
High-level summary of steps:
- Created a test dummy app with a new (unused) package name using targetSdkVersion = 29 (intentionally too old for public Play app)
- Created a new private app in Play Console using a dev account and shared it with 2 test organizations' enterprise IDs (one from Intune and one from SOTI MobiControl)
- Published a production release, which went super-fast.
Now I would like to see the app in the Play iframe (opened from Intune or SOTI) but I could not find it with the search (even if I searched for the exact package name, I get all kinds of odd games etc.). Is there a better way to search in the iframe?
Anyway, then I went old school and logged into play.google.com/work where I could put the package id in the url query. This worked, and I could approve the app, and now it showed up in the play.google.com/work/licenses/apps list with status approved.
Also, now it shows up in the iframe app collection, but it does not get synced to Intune / SOTI.
I have seen something similar with private apps uploaded through the iframe, namely I upload it and wait for it to be ready, then I need to “choose” it in the iframe before it gets synced to the MDM.
So getting close but still no cigar 🙂
Hi @jasonbayton,
It works now when searching in "app name". I tried that also the other day, but maybe it takes a bit of time to become available in search. Anyway, now I can select it - thanks for the help Jason.
Hi @King, the reason I wrote in this thread is that maybe a private app could be helpful to your software vendor? Fast releases and fewer restrictions can be useful for enterprise apps.
It can be combined with Play release tracks for explicit version control and managed config for "customization".
One old trick for rollback via Play is to re-release the previous app version with a higher versionCode. Again this could be combined with release tracks.
Anyway I agree with Jason that it should be manageable with proper release management and testing to run the "latest" versions of an enterprise app.
However, there are options for running it with a more classical / controlled approach for enterprise apps on Play.
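Two constraints come up in this thread: the APK must carry your own private package name, and a rollback re-released through Play needs a higher versionCode than the build it replaces. The following pre-upload check is an added example, not code from any poster or vendor; the package name, version numbers and the `aapt dump badging` sample output are constructed.

```python
import re

# Constructed sample of `aapt dump badging app.apk` output; all values are made up.
SAMPLE_BADGING = (
    "package: name='com.example.wms.customer1' versionCode='412' "
    "versionName='3.8.1' compileSdkVersion='33'\n"
    "sdkVersion:'26'\n"
    "targetSdkVersion:'29'\n"
)

PACKAGE_LINE = re.compile(
    r"^package: name='(?P<name>[^']+)' versionCode='(?P<code>\d+)'"
    r" versionName='(?P<vname>[^']*)'",
    re.MULTILINE,
)


def parse_badging(text):
    """Extract package name and version fields from aapt badging output."""
    m = PACKAGE_LINE.search(text)
    if m is None:
        raise ValueError("no 'package:' line found in badging output")
    return {"package": m["name"], "version_code": int(m["code"]),
            "version_name": m["vname"]}


def check_rollback_apk(badging_text, expected_package, live_version_code):
    """Return a list of problems; an empty list means the APK can be published."""
    info = parse_badging(badging_text)
    problems = []
    # The private listing is tied to one package name; a vendor build that
    # still uses the public package name cannot be uploaded to it.
    if info["package"] != expected_package:
        problems.append(
            f"package is {info['package']}, expected {expected_package}")
    # A rollback is the older code rebuilt with a versionCode above the live
    # one; an equal or lower versionCode will not replace the installed build.
    if info["version_code"] <= live_version_code:
        problems.append(
            f"versionCode {info['version_code']} must exceed live "
            f"versionCode {live_version_code}")
    return problems


if __name__ == "__main__":
    for problem in check_rollback_apk(SAMPLE_BADGING,
                                      "com.example.wms.customer1", 412):
        print("BLOCKED:", problem)
```
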