IBM Security MaaS360


App deployment for Android: the times are a-changin'

By Eamonn O'Mahony posted Tue June 22, 2021 09:49 AM

  
Hi all

You're probably familiar with public apps from the Google Play Store, managed in the MaaS360 App Catalog (i.e. added and available for pushing to devices), and distributed ('pushed') to devices. Public apps can be added through the App Catalog via Apps > Catalog, choosing the option Add > Android > Google Play app.

Setting up Android Enterprise integration and Managed Play Store
- Play Store apps can be added to the Catalog so they become managed, and available for distribution to devices. In the old Android world (Device Admin), there was no connection between the apps you added into your Catalog and the ability to manage them on the Google side. 
- Android Enterprise integration with MaaS360 is set up by creating a free Google account (Gmail/Google) and using it to integrate with MaaS360 (Setup > Services > Mobile Device Management > More > Android Enterprise). Authenticating, or 'binding', to the Google Play platform automatically "promotes" a standard Google account into a Play Store admin account. So by integrating with Android Enterprise and authenticating via the MaaS360 portal, you are setting up a Play Store Administrator and a Managed Play Store. This is your "Android Enterprise": a place where you can manage your apps, private and public.
- Please note that from here onwards, "Android Enterprise integration" refers to the setup performed in the last point. 

Synch of apps between Managed Play Store and MaaS360 App Catalog
- Once the integration is set up, the apps added on Google Play will synch with the MaaS360 portal. Try it: log into https://play.google.com with the credentials you used to integrate with MaaS360, add an app, and after a few hours it will automatically appear in the MaaS360 App Catalog (if it wasn't already there).
- After performing the Android Enterprise integration, you may see that your existing Google Play apps in the App Catalog now show an exclamation point in a red circle. This is where you need to accept permissions. Device Admin mode didn't do this: you had to install the app, and then each user had to accept permissions to access Contacts, WiFi and so on. In the Android Enterprise world, however, the permissions must be pre-authorised (globally) by an admin so that they are not requested during device setup. This is very useful for reducing the impact on users, but also for configuring things like COSU (corporate-owned, single-use) mode, where you wouldn't want pop-ups that need to be accepted. So, when you set up Android Enterprise integration, your App Catalog detects that the permissions for your existing apps haven't been pre-authorised. The exclamation point indicates you need to accept permissions. Just click on the exclamation point and follow the prompts. Note: yes, you will need to do this individually for each app. It doesn't take long! For new apps you add via the App Catalog, you will be asked for permissions at the point of addition to the Catalog. If you are concerned about legal / privacy / authorisation issues, please read the Google documentation on Play Store (see document in point 1 below).
- Related to the previous point, if you don't have an Acceptable Usage Policy (a document that defines what your enrolled mobile users should and shouldn't do), it may be the right moment to create one! See recommendations in point 2 below.

Using APK files to install apps to devices
- Now I want to raise an issue that a number of our customers have raised recently and which has been a concern for some time. It's the use of APK files as apps ("Enterprise apps for Android"): if you upload the APK to the MaaS360 App Catalog, you can distribute it to devices as a Non-Google Play app. See point 3 below for full details. The concern here is on several levels.
> 1. Security. When you want to install non-Play Store apps on devices, you have to unlock access to installing Non-Google Play apps. This is done in your Android policy: Device Settings > Security > App Security > Allow installation of non-Google Play Applications (note the equivalent can also be found under Android Enterprise settings, following the same menu options). The problem with this setting is that it opens up the device to the installation of apps which may not be intended and which can contain things like malware. A workaround is to use the App Compliance Approved list and Blocklist, together with a Threat Defence product such as IBM Trusteer Threat Management.
> 2. App permissions. We found that activating specific properties on APKs in Device Admin mode created a behaviour issue on the device, where if either 'Enforce Authentication' or 'Enforce Compliance' was switched on for any APK app, the MaaS360 app would then require the user to accept Usage Permissions before proceeding, rendering the device practically unusable for these apps for the short term. See our Support document below in point 4.
> 3. Verification. APKs are not really tied to any organisation, and anyone who gets a copy of the file can use it. So there is very little protection, particularly where you have developed an app in-house or paid a third-party software house to write the code for you.
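
To illustrate the Security concern above, here is an added example (not code from MaaS360 or from the original post) that audits a device's app inventory for packages installed from outside Google Play and checks them against an approved list and a blocklist. It assumes the inventory was captured with `adb shell pm list packages -i -3`; the package names and both lists are constructed sample data standing in for your own App Compliance lists.

```python
import re

# Installer package names treated as trusted sources. com.android.vending is
# the Google Play Store; anything else (including "null") counts as non-Play.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -i` output: package:<name>  installer=<name>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

def audit_packages(pm_output, approved, blocklist):
    """Return ({package: verdict}, [lines that could not be parsed])."""
    findings, unparsed = {}, []
    for raw in pm_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # keep for manual review, never drop silently
            continue
        pkg, installer = m["pkg"], m["installer"]
        if pkg in blocklist:
            findings[pkg] = "blocked"  # blocklist wins regardless of source
        elif installer not in TRUSTED_INSTALLERS and pkg not in approved:
            findings[pkg] = "unapproved-sideload"
        else:
            findings[pkg] = "ok"
    return findings, unparsed

# Constructed sample inventory (third-party packages only, hence the -3 flag).
SAMPLE = """\
package:com.example.mail  installer=com.android.vending
package:com.example.inhouse.crm  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller
package:com.example.game  installer=com.android.vending
this line is not pm output
"""
APPROVED = {"com.example.inhouse.crm"}   # hypothetical in-house APK
BLOCKLIST = {"com.example.game"}         # hypothetical blocked app

if __name__ == "__main__":
    results, skipped = audit_packages(SAMPLE, APPROVED, BLOCKLIST)
    for pkg, verdict in sorted(results.items()):
        print(f"{verdict:20} {pkg}")
    print("unparsed lines:", skipped)
```

Without `-3`, preinstalled system apps also report `installer=null` and would be flagged, so restrict the inventory to third-party packages or add the system packages to the approved set.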

So what do I do now? 
In the new world of Android Enterprise, Google recommends that you migrate away from pushing APK files and instead upload the APK to the Play Store and publish it for distribution to devices. This can be done either in Public mode (available to all Play Store devices irrespective of who owns or manages them) or in Private mode (you specify which Managed Play Store can be used to distribute them). I will publish a further document describing the steps for this and the advantages and disadvantages of each.

Documentation
1. Google: Control your app permissions on Android 6.0 & up. https://support.google.com/googleplay/answer/6270602?hl=en
2. IBM: Top 10 Rules for BYOD. https://www.ibm.com/downloads/cas/YK52D6GD
3. IBM: Add an enterprise app for Android. https://www.ibm.com/docs/en/maas360?topic=catalog-adding-enterprise-app-android
4. IBM: Support document on Device Admin app permissions. https://www.ibm.com/support/pages/node/959709
