A managed version of Google Play is used by enterprises and their employees to access a rich ecosystem of work and productivity apps.
Android's built-in management features enable IT admins to fully manage devices used exclusively for work. For personal devices and personally-enabled work devices, admins can create and manage a separate work profile. Apps in managed Google Play are installed in the work profile, giving admins full control over the app and its data. Any apps or data outside the work profile remain private to the user.
Enterprises can also use managed Google Play to securely deploy free apps to their employees in bulk and bulk-purchase licenses for paid apps*.
Managed Google Play and Android's enterprise features present significant opportunities for developers from several domains, including:
- Software vendors and ISVs: Independent companies that develop software products or services to sell or distribute to enterprises.
- Agency developers and system integrators (SI): Companies that develop custom or semi-custom software, services, and solutions based on requirements that an enterprise provides.
- In-house enterprise developers: Developers working within the enterprise to create software and solutions for internal distribution.
Google Play — a secure app distribution platform
Google Play has a proven track record of minimizing the risk of Potentially Harmful Applications (PHAs) being installed on Android devices. The Android Year in Review report, published on the Google Security Blog , shows how devices that install apps exclusively from Google Play, rather than sideload unknown apps from other sources, are at a much lower risk.
Together, Google Play and Android work to make your users' experiences on Android safe by scanning every app published on Google Play for malware and vulnerabilities. Google Play also ensures that app updates are always signed by the original developer, avoiding app hijacking.
Best practices for managed Google Play
For all developers
Security is a major concern for enterprises managing mobile apps and devices. When developing an app for use in the workplace, remember that businesses are more conscious of data security than ever before, especially when it comes to features that share information with other services. To keep your app's data secure, follow the best practices for security and privacy . In particular:
- Only use secure network protocols.
- Use the default local storage in Android, rather than shared or external storage.
- If you're worried about abuse or have sensitive data, use the SafetyNet Attestation APIs, which enable your app to confirm that the device it's running on is authentic and hasn't been compromised.
Work profile compatibility
A work profile is a logical space provisioned on an Android device that keeps work and personal data separate. You may have to modify your app so it functions reliably on a device with a work profile (see Set up Managed Profiles for detailed best practices). Many apps are already compatible, but always test your app with the BasicManagedProfile sample app to be sure.
Your app should support managed configurations , which let IT admins remotely configure app settings for all users or individual users. Examples of these setting include:
- Server address and protocol settings: For example, a VPN client app can be complex for a user to configure manually. Allow the IT admin to send the full configuration bundle directly to the user's device. The user will then be able to use the app immediately.
- The ability to switch features on and off: For example, you might wish to offer multiple cloud storage backends for your app, but an enterprise might only want to allow use of the one they have purchased. So, allow them to block the others.
- Login hint to bootstrap SSO for the optimal user login experience.
Watch the Android enterprise I/O presentation to see these examples in action.
Within the app, you specify which options can be configured and should publish this information to managed Google Play.
If you update the managed configuration schema for your app, make sure it remains backwards compatible. Maintaining this compatibility is desirable because it's possible that various users will have different versions of your app (at least temporarily), and IT admin will want a consistent remote configuration experience between versions to ensure efficient management of apps.
Use the Google Play Console to upload, manage, and publish your apps. The Play console comes with a wide range of configuration options and testing features designed to help you provide the best possible apps to your users.
- Run internal, closed, and open tests on updates to collect feedback from interal users or a subset of your external users, then make improvements or corrections before releasing your app more broadly.
- Use staged rollouts to release app updates to your user base gradually. If you run into problems, you can halt the rollout at any time.
- Once your app is published, access performance statistics and other key reports to gain more insight into your user base.
Learn more about the Play Console features available to help publish and distribute your app.
For software vendors
As a Google Play developer, your free apps are automatically available to be discovered and approved by IT admins. IT admins can then distribute those apps to their workforces using managed Google Play.
Get your business-related apps listed on the managed Google Play Store , so they stand out from consumer apps.
Managed Google Play is also embedded in many popular Enterprise Mobility Management systems, such as Google Mobile Management and VMWare Airwatch, which IT admins use daily to manage mobile devices and apps.
If your Android app is a companion app to a larger end-to-end service, then you should describe your full service in your app's Play Store listing. Remember that IT admins and users will read your app description to choose your whole service and not just your Android app.
Reach new audiences at scale with bulk deployments and bulk purchasing. Businesses can use managed Google Play to deploy free apps in bulk to managed devices. The managed Google Play Store also supports bulk purchases of paid apps*.
New monetization opportunities
Enterprises are often interested in purchasing extended support for business-critical apps, opening up new monetization opportunities. Depending on your product or service, you can consider introducing pricing schemes for extended features, extended hours, live contact, in-house training, or tiered support levels.
For agency developers
Managed configurations for app customization
Managed configurations can help customize apps for clients while minimizing the overhead of maintaining multiple APKs. By using managed configurations to define the set of parameters for app customization (for example, color scheme, UI strings, client logo, switching different modules on and off, and so on), each client can have an entirely different experience while you maintain a single APK.
Delegated access to your client's Google Play Developer account
If you're responsible for publishing and maintaining your clients' internal apps, your client can configure delegated publishing access to their Google Play Developer account. You can then publish new or updated apps directly, rather than sending your client APKs for them to publish. This developer account access can be restricted to particular roles or particular apps, so your client remains in control.
There's also a publishing API that enables you to plug your publishing pipeline directly into the Play publishing flow for your client.
For in-house enterprise developers
Private apps are apps that are distributed to your organization only. They don't appear on the public Play Store. Private apps are a great way for enterprises to use all the power and scale of Google Play to deploy internal apps securely and privately.
There's also an API to publish a private app for an enterprise. To learn more, read Publish a private app.
Google-hosted vs. self-hosted APKs
There are two options for hosting your app's APK. You can upload the APK to Google Play and it distributes it securely to your users. Alternatively, you can host the APK on your servers. You might wish to do this if you want to host the APK on your premises, behind your firewall.
However, there are several benefits to hosting your APK on Google Play:
- Google's app vulnerability scanning: It's often difficult to tell what SDKs and libraries your developers used to build an internal app. Also, developers may not always use best security practices. Google's vulnerability scanning engine checks for many known security vulnerabilities, giving you greater confidence in the security of your app.
- App update patches: Google optimizes the app updates that it serves to devices, only sending the differences and compressing all data. This means faster delivery of updates with lower data consumption.
- Global server presence: Google Play's edge caches ensure that wherever your employees are, they're being served by servers closest to them, giving them the best possible download performance.
- Pre-launch reports: After you upload and publish an app to the default closed testing track or open testing track, a range of test devices in the Firebase Test Lab will automatically launch and crawl your app for several minutes. The crawl will perform basic actions every few seconds on your app, such as typing, tapping, and swiping. This helps you check for any obvious crashing problems with your app, on a range of popular Android devices.
In either case, the metadata about your app that's shown to your users in the Play Store app on their managed device or work profile is stored in Google Play.
Google Play makes it easy to deploy app updates. Auto-updates are enabled by default on every Android device with Google Play installed. Just publish your app update through the Google Play Console, and Google Play will automatically do the rest.
It might take a few days for your app to be updated on every device. This is because Google Play waits for the optimal time to update an app, such as when the device is charging and on Wi-Fi.
* US and Canada only.