IBM Security MaaS360

 View Only

App version control in MaaS360

By Eamonn O'Mahony posted Thu April 07, 2022 12:06 PM

Hi all
We had a recent question on the Security Community which prompted me to write this, I had promised it already!
This is intended to address how companies using in-house or 3rd-party apps developed by external organisations, can test their new app versions in a beta-type context. 
There are a number of limitations and things to consider so we'll cover them by platform and I may come back to update this blog with further detail as it arises. 

General app versioning
Where you are putting an app file on the MaaS360 App Catalog, and not pushing to a Store, you can use a feature which allows you to manage multiple versions of that app. This is using the 'Manage as Additional Version' which we're going to explain here. This applies to: 
- Enterprise apps for Android (APK files)
- Enterprise apps for iOS (IPA files)
- Enterprise apps for Windows (such as EXE/MSI)
- Enterprise apps for MacOS (such as DMG/PKG)
The idea here is that you have a production app, say version 1, and you have a new app version (say v.2) which you want to test on devices. However you don't want it to replace the production app on all devices, only a limited number for testing purposes. 

Upgrading an app
To upgrade the app you use one of two options: 
- From the App Catalog, under the app name, you choose More > Upgrade App
- Or clicking into the App, and on the right-hand side click More > Upgrade App
Here I've taken an example of an Android app but the principle and method apply equally to other device/app types. 
The option "Manage as Additional Version" is highlighted. 
Manage as Additional Version

Now you have 2 options: click the Manage as Additional Version box (meaning the app will go in as a testing or Secondary version), or do not click the box, and it will update the existing Production app. 
If you wish to test the v2 app prior to rollout to Production, the scenario is mapped below: 
Phases of app deployment

In this scenario we avoid updating the Production app until the v2 version has been tested. To do this, we first upgrade the app using the function Manage as Additional Version (remember to check the box).  So the app will now show separately in the App Catalog, and we can distribute to testing devices. This does not impact devices if they don't get this distribution - so we can test and conclude before making any further changes. 
Now once testing is complete, and I am satisfied that I want to update the app in production, I go once more to the upgrade feature.  The difference is that this time, I don't check the box for Manage as Additional Version. This ensures that the app in production gets upgraded to v2, and the distribution ('push') will be done to existing production devices in the same way as before. 
Please note: if you are using Android (APK) apps and want to have multiple copies of the same app on your MaaS360 App Catalog, you may need to contact our Support team and ask them to allow duplicate app id's in the portal. 
This approach is well supported for in-house or 3rd party apps which won't be pushed to a store, as you manage them exclusively in the MaaS360 App Catalog. 
But what happens for apps which are in the relevant App Stores? 
That's the next bit. 

Updates to apps on App Stores
Whether we're talking about the Microsoft Store, the Apple App Store, or the Google Play Store, the principle is the same - there is only one version currently in production. So software companies like IBM will push a version of their app (say the MaaS360 app for example), and when a new version is available, they upgrade it in the store.  When this is complete, and the new version becomes available, it will update manually or automatically to the existing devices (depending on your store settings). 
Now you would ask, what do I do if I have an app which I have created, or to which I have the rights for publication on store, but I want to manage additional versions? Please note, we are assuming that you have the publication rights, meaning that if you acquired the app from a 3rd party, they have given their approval for you to publish this on the relevant store. By verifying this with them you ensure that if they have already uploaded it to store from their side, you'll find out. 
Because the specifics change for each platform I'll refer to each separately. 

Apple (iOS) B2B apps
Adding these assumes they already exist on the Apple iTunes B2B store (you need to get the URL or web link for the existing B2B app).
So this needs to be done first. There's a link to the Apple site below where you can get more information. 
After this, you add the app to the MaaS360 App Catalog for distribution to users (instructions via link below). 

Windows apps
Again the app must have already been published on the Windows Store, there's a link below to Microsoft documentation for this. 
When you add the Store app to the MaaS360 App Catalog, you need to find the URL for the app from the Microsoft store. 

Google Play Store apps 
Google have a distinction between Private and Public Play Store apps: 
- Public apps are available to the general public and without restrictions. 
- Private apps are made available only to restricted sets of users. 
This might have been done in one of two ways: either you get the link to an existing Private app from a 3rd party publisher (they uploaded to Play Store), or you publish it to the Play Store as your own private app.  Please note that Private Apps while previously available for Device Admin mode, are no longer available - you can only distribute them to devices enrolled into Android Enterprise (PO/DO mode). If you're not familiar with Android Enterprise, please have a look at documentation below. Now assuming your devices are in PO or DO mode, you can add the private apps in one of two ways: 
1. Add a Private App for Android Enterprise to the MaaS360 App Catalog. 
This doesn't require you to have an Android Developer account, you just upload it to MaaS360 and we look after the rest. 
However if you're looking to do version control as referred to earlier, you may need to look into the 2nd option. 
2. Add the app first to Android Developer platform, and then to the MaaS360 App Catalog. 
This takes a few more steps and will take a little bit more effort on your part, but ensures you can do app versioning ('beta'-type app management). 
In order to get this up and running you'll need an Android Developer account, which has a small subscription cost. 
Once you do this you can upload your app to the Google Android Developer platform, and retrieve the app link. 
Now we go back to MaaS360 App Catalog, and click Add > Android > Private app for Android Enterprise. 
Add Private Play Store app to MaaS360 App Catalog

The window above shows you a field where you can copy in the URL from the Play Store for the Private App. If you uploaded to  your managed Play Store, and wish to select the file, click on "Switch to managed play store" on the top right. 
Once the app is added to the App Catalog you can distribute to devices, users or groups as appropriate.
We generally recommend user and user group distributions for apps. 

Managing multiple versions of a Private app in the Play Store 
This takes your app management to the nth degree and gives you superpower! But there is some detail here. 
- Uploading the app to the Play Store means it the app will have an exclusive (non-repeatable) App ID
- This means that if you want to do management of another version for testing purposes, you'll have to package the app with a separate app ID. 
This also fulfils the unique constraint on Android where each app on a device has to have a separate App ID.  Now let's assume we have app version A and app version B, both uploaded to the Private Play Store.  Each app has its own app ID which is unique. Each can be added to MaaS360 App Catalog as separate apps (in this case they won't appear as multiple versions of the same app, as they did for APK's. 
If you can deploy the testing app directly to your Production MaaS360 portal
If this is the case you can upload both private apps directly through the MaaS360 App Catalog, and then just distribute the separate apps to production devices or testing devices as appropriate. When you're ready to upgrade the production app, you'll need to re-package with the same App ID as used in Production. Then, just use the upgrade option as above. 
If you don't want to deploy the testing app to your Production MaaS360 portal
This presupposes that you have 2 MaaS360 portals, and 2 Google Play instances (managed Google Play / Android Enterprise). The effort required for testing purposes is significant, so if you don't want to spend time on this, just use the other option. However, if you prefer to have a completely isolated testing environment, you would create a MaaS360 testing portal ('Sandbox'), and a separate Google account for your managed Google Play and Android Enterprise.
If you have a MaaS360 testing portal ('sandbox'), this may be of interest to  you. If you don't have one, and would like one, please contact your point of contact in IBM Sales or Client Success, or your IBM Business Partner, to request one. 
If you want to do multiple app version management for Private Apps on Google Play, and not make the app available on your production instance of MaaS360, you must use your Android Developer account to upload the app and not MaaS360 in the first instance. The reason for this is that you're going to do a very specific distribution from Android Developer to the specific Android Enterprise / managed Play Store instance. Have a look here: 

If you log in to the Play Store (link below), you have an option for "Admin settings" on the left.  This gives you the identifier of the managed Play Store or Android Enterprise.  This identifier (Organisation ID) needs to be given to the Android Developer who manages the private app, and ask them on Android Developer console to distribute the app to the specific managed Play Store instance, using this identifier. 
Once this happens, and after a default period of synchronisation (up to 4 hours), your testing portal and the testing instance of Google Play should have synched, and you'll be able to add the Private App in your MaaS360 App Catalog. 
Once you're satisfied with testing, you just go back to the developer and get them to upgrade the app but with the package name used for the production instance. 

Your feedback is welcome here. 
Thanks and happy app deployment!

Supporting documentation
Google Play store (managed section): Managed Google Play Store
MaaS360 - Document - Manage as Additional Version: MaaS360 - Manage as Additional Version
MaaS360 - adding a private (B2B) app for iOS: Adding B2B app for iOS in MaaS360 App Catalog
Apple - different approaches to app deployment: Apple Developer - deploying apps
Apple - offering custom apps on the App Store and via ABM/ASM: Apple Developer - custom apps
Apple - deploying beta apps (Apple Developer): Apple Developer Beta
Microsoft - publishing apps to the Microsoft Store: Microsoft - publishing apps to Store
MaaS360 - adding a public app for Windows: MaaS360 - adding Windows Store app
Google - managing private apps in Google Play: Google - managing private apps
MaaS3360 - adding a Private App for Android Enterprise: MaaS360: add Private App
MaaS360 - Android Enterprise enrollment: MaaS360 - Android Enterprise enrollment
Google - Android app development: Android Developer