If you’re an Android user or manage Android devices in your organization today, I probably don’t need to tell you what the Google Play store is; you are no doubt familiar with Android’s equivalent to the Apple App Store. Google Play is a cornerstone of the Android ecosystem, and while it’s not the only way to source applications for Android devices, it is the most secure. For businesses, however, Google Play has been something of a challenge.
Traditional application management
Traditionally, securely provisioning applications on Android has required a few things:
- An Enterprise Mobility Management Server
- A Google account for every device
- Full, unrestricted access to Google Play
The account mandate is the biggest challenge for organizations. In order to download applications from Google Play, you have to ensure that every user has a Google account, but then once it’s present on the device, users can download any applications they wish, back up data to Google’s servers, or accidentally lock devices with Android’s Factory Reset Protection (FRP). Obviously there are ways and means of preventing this (wholly or in part) via an EMM; however, the fact remains that just as iTunes accounts on iOS devices are a pain, so too are Google accounts on Android devices.
If an organization doesn’t want to deal with Google accounts, the alternative has been to enable “unknown sources” on devices (in and of itself a security risk) and push Android application APK files directly from the EMM server. Ignoring the breaches in distribution agreements this may invoke, it’s also extremely unreliable due to the various APK versions potentially targeting different form factors, architectures, and Android versions. There’s no guarantee that the one APK uploaded to the EMM will install on all devices, and this can also potentially lead to hefty data bills given that some EMMs will re-push a failing APK repeatedly, forever.
There are of course third-party app stores, however these are absolutely not a viable alternative, as third-party app stores are a haven for malware and PHAs (potentially harmful applications) and are the leading cause of infection globally.
So it’s fair to say, it hasn’t been the best possible experience to date.
Introducing managed Google Play
There is, however, another way. With the introduction of Android enterprise also came managed Google Play (yes, with a lowercase m). This is an enterprise-targeted version of Google Play that:
- Provides access only to applications an organization explicitly approves;
- Enables the bulk-purchasing of paid applications;
- Removes the requirement for user-managed Google accounts;
- Can push applications and updates silently without requiring user intervention; and,
- Offers managed configurations for provisioning settings to applications as they’re installed.
Note that managed Google Play isn’t available for legacy-enrolled devices. (Devices that aren’t managed using the newer Android enterprise APIs must use the traditional provisioning approach described previously.) However, given that Android enterprise is becoming the default and only option for managing newly-purchased Android devices from next year, organizations should be evaluating a migration already.
By default, the managed Google Play instance for a given environment will be empty. Administrators approve all applications, either through their EMM solution or play.google.com/work directly.
Additionally, organizations have the capability to upload their own in-house applications, and then use the global Google Play infrastructure to host and distribute these apps. Naturally, in-house app distribution can be limited to your own organization. There’s also an option to self-host the APKs, but again, do the actual provisioning and management with managed Google Play.
A quick note about malware and Google Play: According to the Android Security 2017 Year In Review (PDF), the probability that a user downloaded a PHA from Google Play was .02% in 2017. And that number represents the 3.5 million applications available in all of Play today—again, remember that administrators have control over the apps in managed Google Play.
In tandem with default options preventing such things as application installation via unknown sources, organizations can rest easy knowing managed Google Play will be the only option for application installation available to end-users either within the work profile for BYOD/COPE deployments, or across the whole device if work-managed (COBO/COSU).
Bulk Purchase Program
For anyone reading this situated outside of the US, the Bulk Purchase Program (BPP) may jump out at you as something mostly unheard of. Unfortunately that’s because it’s not available globally just yet, but I expect it to expand out of the US soon.
BPP answers a familiar problem—if users need to use apps requiring payment, how does the organization deal with this?
- Ask the user to purchase and expense the license?
- Purchase the license on the user’s behalf with a corporate-managed Google account?
- Work out ad-hoc licensing deals with developers directly?
In practice, much like Apple’s VPP, the managed Google Play BPP allows an organization to purchase and manage application licenses for distribution and retrieval. This eliminates the burden of end-users purchasing and expensing app licenses, and allows organizations to reuse them repeatedly, rather than having licenses leave with ex-employees if associated with the ex-employee Google account.
As with most Android enterprise APIs, the Bulk Purchase Program needs to be supported by the organization’s EMM platform, so it is worth enquiring about before attempting to sign up.
Google account management
Managed Google Play eliminates the need for users to use personal Google accounts—it simply uses the same managed accounts that are used for Android enterprise.
If an organization happens to use G Suite, then the users will already have managed corporate Google accounts. For everyone else, EMM vendors can create managed Google Play accounts on the fly—they offer no personal customization, they’re there purely to facilitate application management.
Silent app provisioning
Managed Google Play offers organizations the ability to silently install public applications from the Play Store with absolutely no interaction from the end-user; corporate applications can install silently and automatically as soon as the device is enrolled.
Managed application configurations
With Android enterprise and managed Google Play, application developers can choose to expose app settings to be configured by EMM servers. It is possible for an EMM to install and configure an application so that, for example, email credentials are installed and ready to go, or the Kerberos environment is fully configured for password-less login across all managed apps, without any user intervention.
Organizations are no doubt familiar with support calls requesting enrollment/setup assistance, or dedicating resource to creating in-depth enrollment guides in an attempt to alleviate the burden on support teams. With managed app configurations, there’s little need since the EMM can provision settings automatically.
If you’re not using Android enterprise yet, you will be in the next year or two. Managed Google Play is a bit under-acknowledged at the moment, but according to the Android Security 2017 Year in Review, activity increased 2000% in 2017.There’s no doubt that it will continue to revolutionize how organizations manage their Android applications in the future.