This is the third in a series of blog posts looking at the considerations around adopting a GMS deployment in the enterprise. Each post features a summary along with recommendations. For other posts in this series please see the links below:
- Preventing unattended application updates initiated via the Play Store
- The managed Google Play Store
- Application deltas between Android GMS and AOSP
- GMS Location services and tracking
- Distributing private apps in the Managed Play Store
- Data usage of GMS applications and services
- Factory Reset Protection
- The setup wizard and how to bypass it
There is an important distinction between the “Play Store” and the “Managed Play Store”. Both versions of the Play Store enable applications to be installed on user devices, but the managed store does so in a way designed to target enterprise use cases. The managed Play Store offers an alternative to a customised launcher like Zebra’s Enterprise Home Screen but is not a 1:1 replacement.
Executive Summary (tl;dr)
The Managed Play Store forms part of a bigger solution with managed Android devices, an EMM and managed Play accounts, at least for the majority of our customers who will be adopting a COSU (single use device) model. At this stage it is worth understanding the differences from the standard Play Store, the advantages of Managed Play accounts and how these would work with your organization. Since the EMM plays a key role in a managed Android deployment, a good place to start (other than this post) is the documentation provided by your chosen EMM. If you are not using an EMM and have no intention of doing so, then existing methods for application management will continue to work and be supported.
If you want to better understand the workflow end to end you have two options:
- Your chosen EMM will likely have webinars or blogs demonstrating how managed Android works with enterprise devices, for example one recent (November 2017) webinar from Soti is available as well as a blog from AirWatch on the subject.
- Google’s Managed Android Experience, as described towards the end of this post shows how managed accounts work with the managed Play Store without requiring a separate EMM to test.
At the time of writing, the full end to end solution is still being built out but be on the lookout for announcements from Zebra and our key EMM partners in the near future.
Comparing the Play Store with the Managed Play Store
| Play Store | Managed Play Store |
|---|---|
| Installed on all consumer and unmanaged enterprise Android devices running GMS. | Present on managed devices only (in the case of device owner mode) or within the managed profile (in the case of profile owner mode). |
| Device user can download applications from a choice of millions of apps. | Device user can only see those applications which have been provisioned to them by their administrator. |
| Device user can uninstall previously installed applications. | Depending on the EMM and configuration, the device user may be blocked from uninstalling applications. |
| Play Store is owned and controlled by the device user. | Play Store is owned and managed by the EMM. |
| How an application is configured depends on how that application is written. | Applications can optionally take advantage of “managed configurations” which enable them to be configured remotely in a consistent and standard way. Google Chrome, for example, can have its proxy settings configured on the EMM without the EMM having to know anything specific about Chrome. |
| All apps in the Play Store are public. | As well as all the public Play Store applications, organizations or 3rd party developers can also choose to distribute private applications which will not be available to devices outside of their organization. As an entry to this concept I recommend Google's blog on "distributing private enterprise apps with Google Play". |
| URL: https://play.google.com | URL: https://play.google.com/work |
| Supports paid and free apps. | Supports paid and free apps. Apps can support bulk licenses which are handled by the managed Play Store administrator. |
| Exposes a number of device settings via the UI (for example auto-update apps). | Also exposes those same device settings via the UI. |
| Google developed system apps, e.g. Maps, cannot be uninstalled. | Depending on the EMM, it is possible for Google developed system apps, e.g. Maps, to be uninstalled using the server UI so they will not be available to the user. There are some exceptions to this, e.g. Contacts and the managed Play Store itself. |
| Supports Play Protect. | Also supports Play Protect. |
Managed Google Play Accounts
Android has introduced the notion of managed Google Play accounts which exist purely for application management. The table below compares a standard Google account with a managed Play account.
| Standard Google Account | Managed Play Account |
|---|---|
| Managed by Google, typically though not necessarily ending with @gmail.com. | Managed by the EMM (Enterprise Mobility Manager). |
| Separate from the organization’s user directory (except for GSuite customers). | Can optionally make use of the organization’s existing user directory (dependent on EMM). |
| Cannot be used with the managed Play Store but can be used with the standard Play Store. | Provides access to the managed Play Store only. |
| Associated with a user only. | Associated with a device or a user. Note: Zebra device deployments will most typically associate an account with a device. |
| Can be used to sign into Google services such as Drive, Gmail, YouTube, Docs etc. | Cannot be used to sign into Google services such as Drive, Gmail, YouTube, Docs etc. |
| User identity is known to Google. | User identity is anonymous to Google, with a mapping between user and device being provided by the EMM. |
| Lifecycle of the account is managed by the user (account owner), i.e. create, delete, update. | Lifecycle of the device account is managed by the EMM. |
Google break down managed Play accounts into User accounts and Device accounts with device accounts being associated with a particular device regardless of who is using that device. Device accounts exist to support COSU deployments (Corporate Owned, Single Use) which cover the majority of Zebra’s mobile device use cases. User and Device accounts are documented by Google under their documentation for EMMs and at their Google Play support portal.
The mechanics of setting up a managed Google account and provisioning a device will be provided by your EMM (Google’s documentation for EMMs on this topic is also available). In general the steps will be:
- Configure the device to be managed and associated with a particular EMM by either:
  - Tapping an NFC tag
  - Scanning a specific barcode
  - Entering a string with the format emm#identifier in the start-up wizard email field
- The device downloads the required DPC (Device Policy Controller application) for your EMM.
- The EMM prompts you to associate the device with the correct managed account, e.g. by scanning an EMM-generated barcode or entering additional data.
- The device ID is associated with the managed Play account via the Play services REST API and that account is provisioned onto the device (see diagram).
- The EMM configures the device and downloads the required applications from the managed Play Store.

[Diagram: EMM registering a managed Google Play account with the Enterprise device]
Deploying & managing applications without the Play Store
Existing techniques will continue to be supported and available to system administrators. As well as the Play Store and Managed Play Store, the following techniques exist to deploy and manage applications:
- Deploy the application via adb to connected devices. This offers limited app management capabilities.
- Side-load the application via an SD card or copy it to internal storage. This does require manually installing the application from the file browser and offers limited management capabilities.
- Use AppGallery, Zebra’s own enterprise application store.
- Use an EMM (MDM) to provision applications on the unmanaged Android device. Some EMMs may start referring to this as ‘legacy mode’ but it will continue to work if you are not using managed Android devices.
- Use Zebra’s StageNow tool, ideal if you do not plan on using an EMM and want to install applications on your device automatically, http://techdocs.zebra.com/stagenow/2-8/Profiles/manageapps/
- Use the MX App Manager to install previously downloaded applications to the device, perhaps invoked at runtime from another application.
Both adb and side-loading require you to enable the ability to “install applications from unknown sources”, which can be achieved either with the settings UI or via MX. The device settings UI contains an option under “developer options”, and Zebra’s MX interface provides the DevAdmin profile which can “enable installation of apps from unknown sources”. MX also provides the ‘Settings manager’ profile which can hide or show the option in the device settings UI.
Zebra remain committed both to supporting existing customer workflows and simplifying & standardizing our customer experience moving forward.
Play Store Settings
The Google Play Store has a number of settings of particular interest to enterprise administrators. Note that these settings are available from the Play Store itself and not from the Android device settings screen; they are available in both the managed and unmanaged Play Stores and, at the time of writing, are not configurable via StageNow or an EMM.
Automatic application updates can be configured either:
- Via a global Play Store setting, found under (Play Store) --> (Menu) --> Settings --> Auto-update apps, which can be configured for:
  - Do not auto-update apps
  - Auto-update at any time
  - Auto-update over Wi-Fi only (only shown on WAN devices)
- Or on an application-specific basis, under (Play Store) --> My Apps --> (Select App) --> (Menu) --> Auto-update check
Both settings to update applications are discussed more thoroughly in my previous post about preventing application updates via the Play Store. Popular Play Store apps are often updated weekly, whereas most apps are updated monthly or less frequently. The size of updates will vary from app to app, but this external blog gives some typical sizes as well as explaining Google’s efforts to reduce the size of updates using ‘file-by-file’ patching.
The Play Protect settings can be found under (Play Store) --> (Menu) --> Play Protect and offer settings for enabling the feature (Scan device for security threats) and for sending unknown apps to Google for better detection. The latter option will only apply to applications installed via side-loading, adb or a non-Google application store such as Zebra’s AppGallery, since any application uploaded to Google Play has already been scanned by Google’s security heuristics. Although these options can only be configured manually via the application UI, the defaults (as shown in the image) should meet the majority of enterprise use cases.
Test without an EMM with the Android Management Experience
The best way to understand the managed Play Store experience is to try it yourself. The dependence on an EMM for a full end to end solution could be a potential barrier to this, but Google has provided the “Managed Android Experience” to use the managed Play Store before integrating or choosing an EMM partner, and they document how to use it on their support site.
- The requirements for the “Managed Android Experience” are detailed on Google’s Android support portal. Note that in my testing I could not get the experience running on some devices, but your experience may vary; I did get the experience running on a Zebra Nougat device as well as my own phone.
- To access the landing page for the Managed Android Experience, you will need to provide a Google account which will act as the demo organisation owner and agree to some terms of service. Going to “Manage users & devices” then “Add first device” gives you instructions on setting up your device. Note the options to either provision in Profile Owner mode or to provision in Device Owner mode; be sure to choose Device Owner for a typical enterprise solution. Follow the instructions to get the Managed Android Experience on your device.
- The managed Play Store has a different URL from the standard Play Store and will show which applications have been provisioned to your device. Note that the managed experience is functioning as the EMM in this case, with very limited functionality compared to more mature EMMs, but it gives you an idea of the workflow. You can click the ‘+’ symbol to add applications to registered devices, or you can use the interface in the managed Play Store to achieve the same thing.
- Once you have selected applications you can configure them by clicking the gear icon which lists the managed configurations available for that app. Chrome or Gmail are good apps to demonstrate this with as they expose a lot of configuration options.
- Observe the experience on the device: with a few exceptions like Contacts or the Google app, the user only sees the applications you have chosen to deploy to them.
- There is now a managed Play account on the device called ‘Managed Account’. If you need your user to have access to Google services like Drive that require a standard account (See the earlier table comparing account types) then that can be provisioned separately.
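The “managed configurations” mechanism referred to in the comparison table and in the gear-icon step above is, from the app’s side, a bundle of key/value pairs that the EMM pushes and the app reads at runtime. The following is an added example, not Zebra’s or Google’s code, of how an app would consume such a configuration; the keys (proxy_host, proxy_port) and the package name are assumptions and would be declared in the app’s own res/xml/app_restrictions.xml.

```java
// Added example (not from the original post): consuming EMM-pushed managed
// configurations in an Android app. Keys are assumed names declared in
// res/xml/app_restrictions.xml and referenced from AndroidManifest.xml via:
//   <meta-data android:name="android.content.APP_RESTRICTIONS"
//              android:resource="@xml/app_restrictions" />
package com.example.managedconfig;   // hypothetical package name

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.RestrictionsManager;
import android.os.Bundle;
import android.util.Log;

public final class ManagedConfigReader extends BroadcastReceiver {
    private static final String TAG = "ManagedConfig";
    static final String KEY_PROXY_HOST = "proxy_host";   // assumed key
    static final String KEY_PROXY_PORT = "proxy_port";   // assumed key

    /** Registers for policy changes so an updated EMM setting applies without an app restart. */
    public static ManagedConfigReader register(Context ctx) {
        ManagedConfigReader r = new ManagedConfigReader();
        ctx.registerReceiver(r, new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED));
        r.apply(ctx);
        return r;
    }

    @Override
    public void onReceive(Context ctx, Intent intent) { apply(ctx); }

    /** Fetches the current bundle; an empty bundle means no EMM policy (unmanaged device). */
    void apply(Context ctx) {
        RestrictionsManager rm = (RestrictionsManager) ctx.getSystemService(Context.RESTRICTIONS_SERVICE);
        String proxy = proxyFromRestrictions(rm.getApplicationRestrictions());
        Log.i(TAG, proxy == null ? "No valid managed proxy; keeping built-in defaults"
                                 : "Applying EMM-managed proxy " + proxy);
    }

    /** Returns "host:port" or null. EMM-supplied values are still input: validate before use. */
    static String proxyFromRestrictions(Bundle cfg) {
        if (cfg == null || cfg.isEmpty()) return null;
        String host = cfg.getString(KEY_PROXY_HOST, "").trim();
        int port = cfg.getInt(KEY_PROXY_PORT, -1);
        if (host.isEmpty() || port < 1 || port > 65535) {
            Log.w(TAG, "Managed proxy setting missing or out of range; ignoring");
            return null;
        }
        return host + ":" + port;
    }
}
```

The same receiver pattern applies to any key the EMM exposes through the gear icon; an app that only reads the bundle at startup will miss policy changes pushed while it is running.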
Both Google and Zebra are committed to the Managed Play Store as the recommended application distribution platform for managed Android devices; it is therefore worth understanding the solution and how it would fit into your organization. This post cannot offer specific recommendations for your deployment since every solution is unique, but in general:
- If you are not currently using any form of EMM then existing techniques for application deployment continue to work and be supported. Zebra are aware that a significant minority of our customers do not use EMMs.
- If you are considering adopting an EMM or looking to change EMM provider then a good place to start is our partner locator (select ‘Software Applications and Providers’, then the Cross-Vertical of ‘Device Management’). Soti also have a dedicated page on our partner portal.
- For those customers using EMMs, it is best to refer to the managed Android documentation provided by that EMM but be aware they may be using the legacy terminology of ‘Android For Work’ or AFW.
At the time of writing, the full end to end solution is still being built out, so depending on your set-up you may require some custom staging with StageNow or calls into the MX framework to complete provisioning. In the case of Soti, they have recently announced support for Android Enterprise on Zebra devices, but for other partner EMMs you may see them recommending a Zebra-specific agent which acts as a Device Administrator rather than a Device Owner. Please refer to the documentation for your chosen EMM for more information.