An introduction to managed Google Play

With Android enterprise, EMMs leverage an enterprise version of Google Play to distribute public and in-house apps. Jason Bayton explains how it works.

If you’re an Android user or manage Android devices in your organization today, I probably don’t need to tell you what the Google Play store is; you are no doubt familiar with Android’s equivalent to the Apple App Store. Google Play is a cornerstone of the Android ecosystem, and while it’s not the only way to source applications for Android devices, it is the most secure. For businesses, however, Google Play has been something of a challenge.

Traditional application management

Traditionally, securely provisioning applications on Android has required a few things:

  • An Enterprise Mobility Management Server
  • A Google account for every device
  • Full, unrestricted access to Google Play

The account mandate is the biggest challenge for organizations. In order to download applications from Google Play, you have to ensure that every user has a Google account, but then once it’s present on the device, users can download any applications they wish, back up data to Google’s servers, or accidentally lock devices with Android’s Factory Reset Protection (FRP). Obviously there are ways and means of preventing this (wholly or in part) via an EMM; however, the fact remains that just as iTunes accounts on iOS devices are a pain, so too are Google accounts on Android devices.

If an organization doesn’t want to deal with Google accounts, the alternative has been to enable “unknown sources” on devices (in and of itself a security risk) and push Android application APK files directly from the EMM server. Ignoring the breaches in distribution agreements this may invoke, it’s also extremely unreliable due to the various APK versions potentially targeting different form factors, architectures, and Android versions. There’s no guarantee that the one APK uploaded to the EMM will install on all devices, and this can also potentially lead to hefty data bills given that some EMMs will re-push a failing APK repeatedly, forever.

There are of course third-party app stores, however these are absolutely not a viable alternative, as third-party app stores are a haven for malware and PHAs (potentially harmful applications) and are the leading cause of infection globally.

So it’s fair to say, it hasn’t been the best possible experience to date.

Introducing managed Google Play

There is, however, another way. With the introduction of Android enterprise also came managed Google Play (yes, with a lowercase m). This is an enterprise-targeted version of Google Play that:

  • Provides access only to applications an organization explicitly approves;
  • Enables the bulk-purchasing of paid applications;
  • Removes the requirement for user-managed Google accounts;
  • Can push applications and updates silently without requiring user intervention; and,
  • Offers managed configurations for provisioning settings to applications as they’re installed.

Note that managed Google Play isn’t available for legacy-enrolled devices. (Devices that aren’t managed using the newer Android enterprise APIs must use the traditional provisioning approach described previously.) However, given that Android enterprise is becoming the default and only option for managing newly-purchased Android devices from next year, organizations should be evaluating a migration already.

Approved applications

By default, the managed Google Play instance for a given environment will be empty. Administrators approve all applications, either through their EMM solution or directly.

Additionally, organizations have the capability to upload their own in-house applications, and then use the global Google Play infrastructure to host and distribute these apps. Naturally, in-house app distribution can be limited to your own organization. There’s also an option to self-host the APKs, but again, do the actual provisioning and management with managed Google Play.

A quick note about malware and Google Play: According to the Android Security 2017 Year In Review (PDF), the probability that a user downloaded a PHA from Google Play was .02% in 2017. And that number represents the 3.5 million applications available in all of Play today—again, remember that administrators have control over the apps in managed Google Play.

In tandem with default options preventing such things as application installation via unknown sources, organizations can rest easy knowing managed Google Play will be the only option for application installation available to end-users either within the work profile for BYOD/COPE deployments, or across the whole device if work-managed (COBO/COSU).

Bulk Purchase Program

For anyone reading this situated outside of the US, the Bulk Purchase Program (BPP) may jump out at you as something mostly unheard of. Unfortunately that’s because it’s not available globally just yet, but I expect it to expand out of the US soon.

BPP answers a familiar problem—if users need to use apps requiring payment, how does the organization deal with this?

  • Ask the user to purchase and expense the license?
  • Purchase the license on the user’s behalf with a corporate-managed Google account?
  • Work out ad-hoc licensing deals with developers directly?

In practice, much like Apple’s VPP, the managed Google Play BPP allows an organization to purchase and manage application licenses for distribution and retrieval. This eliminates the burden of end-users purchasing and expensing app licenses, and allows organizations to reuse them repeatedly, rather than having licenses leave with ex-employees if associated with the ex-employee Google account.

As with most Android enterprise APIs, the Bulk Purchase Program needs to be supported by the organization’s EMM platform, so it is worth enquiring about before attempting to sign up.

Google account management

Managed Google Play eliminates the need for users to use personal Google accounts—it simply uses the same managed accounts that are used for Android enterprise.

If an organization happens to use G Suite, then the users will already have managed corporate Google accounts. For everyone else, EMM vendors can create managed Google Play accounts on the fly—they offer no personal customization, they’re there purely to facilitate application management.

Silent app provisioning

Managed Google Play offers organizations the ability to silently install public applications from the Play Store with absolutely no interaction from the end-user; corporate applications can install silently and automatically as soon as the device is enrolled.

Managed application configurations

With Android enterprise and managed Google Play, application developers can choose to expose app settings to be configured by EMM servers. It is possible for an EMM to install and configure an application so that, for example, email credentials are installed and ready to go, or the Kerberos environment is fully configured for password-less login across all managed apps, without any user intervention.

Organizations are no doubt familiar with support calls requesting enrollment/setup assistance, or dedicating resource to creating in-depth enrollment guides in an attempt to alleviate the burden on support teams. With managed app configurations, there’s little need since the EMM can provision settings automatically.


If you’re not using Android enterprise yet, you will be in the next year or two. Managed Google Play is a bit under-acknowledged at the moment, but according to the Android Security 2017 Year in Review, activity increased 2000% in 2017.There’s no doubt that it will continue to revolutionize how organizations manage their Android applications in the future.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Great summary - many thanks!
Well written brief, but I find it unclear whether managed Google Play will allow provisioning dedicated devices the way you can with the Android Management API.

However, it also seems that you can neither create an enterprise using a GSuite email id, nor can you use the organization ID of your GSuite organization in the Android Management API (fails with a "caller is not authorized to manage enterprise").

Is my reading correct, then, that you cannot use dedicated (kiosk) device profiles and provisioning with a GSuite EMM through the GSuite admin console)?

I would very much appreciate your views on this. Many thanks.
I have someone who torchers me with this, who tries to control my every move. Ive never given my permission to be enrolled in this, and he doesnt have a real buissness. He enrolled me in it to control what apps I could use, and mainly so he could know every move I made all day. I would change email addresses, do a factory reset, and it would be ok for a few days then it would go right back, I would change my number, and I would still end up managed. Google doesnt care. Im not techy and dont know what these things are hete lately its been cloud platform and cloud identity something and I have really messed up open source license applied to my playstore called "animal sniffer" and license with just letters. Ive begged google for help, im trapped in someones hell and losing my mind. Ive now got PTSD, and theres fays I eant to die rather than be watched or controlled thru googles products another day and no way out, and nobody to save me. I fear this person has applied my child under the samr policies or whatever they are, and controling her too- Bethany R.
Hi, I've found the same - you cannot create an Enterprise with a G Suite account, and you cannot use your existing Organization ID. Did you ever find a workaround for this?
How do we install applications to the work managed personal profile on the device rather than the CMWP? Will applications default to the personal container if the APK is hosted locally rather than pulling from Google Play?