This is the first in a series of blog posts looking at the considerations around adopting a GMS deployment in the enterprise. Each post features a summary along with recommendations. For other posts in this series please see the links below:
- Preventing unattended application updates initiated via the Play Store
- The managed Google Play Store
- Application deltas between Android GMS and AOSP
- GMS Location services and tracking
- Distributing private apps in the Managed Play Store
- Data usage of GMS applications and services
- Factory Reset Protection
- The setup wizard and how to bypass it
The Google Play Store can be used to install and manage the applications on your Android device. For unmanaged devices it coexists alongside other techniques for application management including Zebra's value-added MX layer, which may be used standalone or as part of your EMM / MDM solution. For managed devices we see the Play Store taking a more central role as the app distribution and installation paradigm, with concepts such as the Play Store for Work integrating more tightly with EMM solutions.
As the Play Store gains traction in the enterprise a common question is how to prevent unattended updates? For applications deployed via the Play Store, how can my Enterprise ensure it is on a known baseline or how can I avoid my validated and tested device configuration from changing unpredictably in the field. There is of course an argument to be made for allowing unattended updates however for the sake of brevity, this document assumes a desire to prevent automatic updates. Application deployments which do not rely on the Play Store are outside the scope of this document but the advice here will be equally applicable to both managed and unmanaged devices.
This information is true at the time of writing (November 2017), but as Google continues to focus on enterprise use cases additional recommendations may be made in the future. Some of the techniques described here are proprietary to Zebra hardware but the general principles will be the same throughout the Android ecosystem.
- Disabling the Play Store entirely is a reliable way of ensuring no user or system applications get updated in the field. The down side is that this approach lacks the ability to control individual applications as it is an all-or-nothing solution. StageNow barcodes are attached to this document to enable and disable the Play Store.
- Play Store automatic updates can be reliably turned off via a Play Store setting however it requires manual interaction to adjust two settings. Firstly, the automatic updates themselves must be disabled from the play store and secondly, the Play Store must be blocked from presenting notifications which prompt the end user to install available updates manually.
- Whilst it is possible to prevent a specific application from being updated by disabling the app, the obvious side effect is that the app is no longer available to the end user.
Types of update
There are multiple types of update that an Android device is subject to:
- User applications are those apps which are installed on the device after it is received from the factory.
- System applications can mean different things in different contexts, technically Zebra services and apps like DataWedge or StageNow are installed as System apps but since they are not installed via the Play Store, they can be considered distinct from the System apps provided by Google such as Maps, Chrome, Gmail etc.
- Play Services (https://developers.google.com/android/guides/overview) are available via the Play Store (https://play.google.com/store/apps/details?id=com.google.android.gms) but are not considered a user or system application per se. Play Services underpin the majority of GMS functionality such as user authentication, location services, user accounts and more and are subject to different update restrictions. Play Services are not covered in detail in this blog apart from the effect of disabling the Play Store.
- Device updates are updates to the entire OS which also includes security patches. Device updates are outside of the scope of this document.
Techniques to prevent an application from automatically updating
The following table shows the different techniques which can be used to prevent Play Store applications from automatically updating:
|Disable the application you do not wish to update.||There are multiple ways to disable applications, some of which effect whether the application will be automatically updated and these techniques are discussed in the next section. Both the MX AppManager and MX AccessManager can be used on Zebra devices to disable applications with differing levels of control.|
|Disable the Play Store||
Disabling the Play Store can be achieved via the MX AppManager and will prevent all automatic user and system application updates. This is an all-or-nothing solution and applications cannot be selectively updated; to update any Play Store application it is necessary to first re-enable the Store.
This technique will work equally well on managed and unmanaged Android devices.
Since Google Play Services relies on the Play Store to update, disabling the Play Store will also prevent Google Play Services from updating.
Change the Play Store setting for automatic updates (Global setting).
This applies to both user and system applications.
Note that Google reserve the right in their Terms of Service to override this setting to fix critical security vulnerabilities.
The global Play Store setting is (Play Store) --> (Menu) --> Settings --> Auto-update apps
Applications will only automatically update if configured to do so however this must currently be configured manually since there is no Staging or EMM API to adjust this setting.
If you disable automatic updates, an additional UI component in the Play Store suggests end users turn it back on:
The user is also nagged through a notification from the Play Store to perform the update manually:
The user can then perform the update directly from the notification. There is no setting to specifically prevent this notification from being shown, it is therefore necessary to block all notifications from the Play Store app to prevent a manual update initiated by the end user.
Change the Play Store setting for automatic updates (application specific setting).
This applies to both user and system applications.
The application specific setting is (Play Store) --> My Apps --> (Select App) --> (Menu) --> Auto-update check
In common with the global setting, if updates are available the end user is presented with a notification prompting them to manually update the application. An additional confirmation dialog is shown when the user updates an application manually that is configured to not allow auto-updates. This confirmation dialog is unique to this scenario and is not shown if automatic updates are disabled globally:
Techniques for disabling applications
There are numerous techniques for disabling user or system applications, summarised in the table below:
Package manager shell:
adb shell pm disable <app name>
|Disabling an application via the Package Manager shell command is only available on rooted devices and therefore will not be discussed in this blog.|
Manually disable the app from the app info screen by pressing the ‘DISABLE’ button
The disable button will only appear for system apps so this technique is not applicable for user applications.
Applications disabled in this manner will NOT automatically update regardless of whether the Play Store is configured for automatic updates.
|MX ApplicationManager. Via the AppManager’s “Action” command an application can be enabled or disabled, http://techdocs.zebra.com/mx/appmgr/#action||
Will work for both System and User applications but is only supported on Zebra devices.
MX is accessible through an SDK or via Zebra’s StageNow tool.
The Play Store itself can be disabled via this technique.
Applications disabled with the AppManager will NOT automatically update regardless of whether the Play Store is configured to auto-update applications. If the end user has access to the Play Store application, they are given the option to manually ‘Enable’ the app from the Play Store UI:
Enabling an application previously disabled by the AppManager undoes the effects of AppManager; the application reappears in the launcher and is once again subject to automatic updates.
This technique will also prevent the end user from using the application.
|MX AccessManager. The AccessManager’s whitelist functionality will only enable those user applications which have been whitelisted, with all other user applications being disabled. http://techdocs.zebra.com/mx/accessmgr/#add-packages||
Will only work for user applications, not system applications meaning this technique cannot be used to disable the Play Store.
Applications disabled with the AccessManager will NOT automatically update regardless of whether the Play Store is configured to auto-update applications. If the end user has access to the Play Store application, they are given the option to manually ‘Enable’ the app from the Play Store UI:
Enabling an application previously disabled by the AccessManager does not undo the effect of AccessManager whitelisting and the app will not appear in the launcher, in contrast to the AppManager technique described previously.
An application enabled in this manner will now appear in the list of pending updates in the Play Store however it will not be automatically updated and attempting a manual update will lead to a generic error:
To avoid confusion, tools like Zebra's Enterprise Home Screen can be used to prevent the user from accessing the Play Store, if appropriate.
This technique will also prevent the end user from using the application.
|On Managed Android devices in Device Owner (DO) mode several system applications may be disabled by default (e.g. Google Photos, Google Maps etc.)||
Whether or not these system apps are disabled will depend on your method of provisioning as it can be configured. Your EMM is able to re-enable system apps by calling a client-side API.
Exactly which system applications are disabled will depend on how the Operating System was built and may be customized by the OEM but the Play Store and Play Services will always remain enabled.
System applications disabled in this manner will not appear to the user or show as installed in the Play Store app so are not be subject to automatic updates.
|On managed Android devices running API level 24 or higher, the EMM or DO can suspend packages via the setPackagesSuspended API||
Suspended packages will still be shown to the user but will be grayed out and attempting to click on the icon will present the user with a DO branded message box indicating that the operation is not allowed.
Both system apps and user apps can be suspended however suspension has no effect on whether or not the application is updated. If the Play Store is configured for automatic updates then suspended apps will be updated alongside their non-suspended counterparts.
Recommended approaches to prevent applications from automatically updating
|Recommendation||Conditions / Implications|
|Disable the Play Store (com.android.vending) via the MX AppManager||
Will prevent all user and system apps from updating but it is not possible to selectively specify which apps are subject to updates, it is an all-or-nothing solution. There is a distinction and often a confusion between the Play Store and the Play Services, disabling the former can be achieved without negatively impacting the functionality of the OS or system apps, in stark contrast to the latter.
StageNow barcode to disable the Play Store
StageNow barcode to enable the Play Store
The two barcodes above (also available as attachments to this document) can be used to enable or disable the Play Store with Stage Now.
Note that disabling the Play Store will also prevent Google Play Services from updating.
Disable application updates from the Play Store [(Play Store) --> (Menu) --> Settings --> Auto-update apps]
Block notifications from the Play Store.
Prevent end users from accessing the Play Store to change the setting
Requires additional provisioning steps to:
At the time of writing, both of these steps can only be performed manually.
There are numerous ways to prevent users from accessing the Play Store e.g. Zebra’s Enterprise Home Screen (EHS). This leaves the Play Store itself available if required e.g. for remote installation of applications on managed android devices or allowing critical updates to be pushed by Google.
|The MX AccessManager can be used to prevent updates to applications which will not be used by your end user.||
This could save on bandwidth as non-essential apps would not be updated.
Of all the techniques discussed to disable applications, the MX AccessManager provides the most complete solution as it cannot be circumvented from the Play Store and is easily configurable from StageNow or supported EMMs.