Assign a Managed Google Play app to Android Enterprise personally owned and
Managed Google Play app types
There are three types of apps that are available with Managed Google Play:
* Managed Google Play store app – Public apps that are generally available in the Play Store. Manage these apps in Intune by browsing for the apps you want to manage, approving them, and then synchronizing them into Intune.
* Managed Google Play private app – These are LOB apps published to Managed Google Play by Intune admins. These apps are private and are available only to your Intune tenant. This is how LOB apps are managed and deployed with Managed Google Play and Android Enterprise.
* Managed Google Play web link – Web links with IT admin-defined icons that are deployable to Android Enterprise devices. These appear on devices in the device’s app list just like regular apps.
Managed Google Play store apps
There are two ways to browse and approve Managed Google Play store apps with Intune:
1. Directly in the Intune console – browse and approve store apps in a view hosted within Intune. This opens directly in the Intune console and does not require you to reauthenticate with a different account.
2. In Managed Google Play console – you can optionally open the Managed Google Play console directly and approve apps there. See Sync a Managed Google Play app with Intune for more information. This requires a separate login using the account you used to connect your Intune tenant to Managed Google Play.
Add a Managed Google Play store app in the Managed Google Play console (Alternative)
If you prefer to synchronize a Managed Google Play app with Intune rather than adding it directly using Intune, use the following steps.
Important: The information provided below is an alternative method to adding a Managed Google Play app using Intune as described above.
1. Go to the Managed Google Play store. Sign in with the same account you used to configure the connection between Intune and Android Enterprise.
2. Search the store and select the app you want to assign by using Intune.
3. On the page that displays the app, click Approve. In the following example, the Microsoft Excel app has been chosen. A window for the app opens asking you to give permissions for the app to perform various operations.
4. Select Approve to accept the app permissions and continue.
5. Select an option for handling new app permission requests, and then select Save.
The app is approved, and it is displayed in your IT admin console. Next, you can Sync a Managed Google Play app with Intune.
Managed Google Play private (LOB) apps
There are two ways to add LOB apps to Managed Google Play:
1. Directly in the Intune console – This allows you to add LOB apps by submitting just the app APK and a title, directly within Intune. This method does not require you to have a Google developer account and does not require you to pay the fee to register with Google as a developer. This method is simpler and has a significantly reduced number of steps, and makes LOB apps available for management in as little as ten minutes.
2. In the Google Play Developer Console – If you have a Google developer account or want to configure advanced distribution features that are only available in the Google Play Developer Console (like adding additional app screenshots), you can use the Google Play Developer Console.
Managed Google Play private (LOB) app publishing directly in the Intune console
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Apps > All apps > Add.
3. In the Select app type pane, under the available Store app types, select Managed Google Play app.
4. Click Select. The Managed Google Play app store is displayed within Intune.
5. Select Private apps (next to the lock icon) in the Google Play window.
6. Click the button at the lower right to add a new app.
7. Add an app Title and click Upload APK to add the APK app package.
Note: Your app’s package name must be globally unique in Google Play (not just unique within your enterprise or Google Play Developer account). Otherwise, you will receive the Upload a new APK file with a different package name error.
8. Click Create.
9. Close the Managed Google Play pane if you are done adding apps.
10. Click Sync on the App pane to sync with the Managed Google Play service.
Note: Private apps may take several minutes to become available to sync. If the app does not appear the first time you perform a sync, wait a couple of minutes and initiate a new sync. You can also sync apps from the Managed Google Play store. For related information, see Sync a Managed Google Play app with Intune.
For more information about Managed Google Play private apps including a FAQ, see Google’s support article: https://support.google.com/googleplay/work/answer/9146439
Important: Private apps added using this method can never be made public. Only use this publishing option if you are sure that this app will always be private to your organization.
Managed Google Play private (LOB) app publishing using the Google Developer Console
1. Sign in to the Google Play Developer Console with the same account you used to configure the connection between Intune and Android Enterprise.
Note: If you are signing in for the first time, you must register and pay a fee to become a member of the Google Developer program.
2. In the console, add a new application. For details, see Google’s support doc: Publish Private apps.
3. You upload and provide information about your app in the same way as you publish any app to the Google Play store. However, you must specifically add your organization using the Google Play Console. For details, see Google’s support doc Publish to your own organization.
Note: Follow Google’s support documentation to make the app available only to your organization. The app won’t be available on the public Google Play store.
For more information about uploading and publishing Android apps, see Google Developer Console Help.
4. After you’ve published your app, sign in to the Managed Google Play store with the same account that you used to configure the connection between Intune and Android Enterprise.
5. In the Apps node of the store, verify that the app you’ve published is displayed. The app is automatically approved to be synchronized with Intune.
Sync a Managed Google Play app with Intune
If you have approved an app from the store and don’t see it in the Apps workload, force an immediate sync as follows:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Tenant administration > Connectors and tokens > Managed Google Play.
3. In the Managed Google Play pane, choose Sync. The page updates the time and status of the last sync.
4. In the Microsoft Endpoint Manager admin center select Apps > All apps. The newly available Managed Google Play app is displayed.
Assign a Managed Google Play app to Android Enterprise personally-owned and corporate-owned work profile devices
When the app is displayed in the App licenses node of the Apps workload pane, you can assign it just as you would assign any other app by assigning the app to groups of users.
After you assign the app, it is installed (or available for install) on the devices of the users that you’ve targeted. The user of the device is not asked to approve the installation. For more information about Android Enterprise personally-owned work profile devices, see Set up enrollment of Android Enterprise personally-owned work profile devices.
Note: Only apps that have been assigned will show up in the Managed Google Play store for an end user. As such, this is a key step for the admin to take when setting up apps with Managed Google Play.
Assign a Managed Google Play app to Android Enterprise fully managed devices
Android Enterprise fully managed devices are corporate-owned devices associated with a single user and used exclusively for work and not personal use. Users on fully managed devices can get their available company apps from the managed Google Play app on their device.
By default, an Android Enterprise fully managed device will not allow employees to install any apps that are not approved by the organization. Also, employees will not be able to remove any installed apps against policy. If you wish to allow users to access the full Google Play store to install apps rather than only having access to the approved apps in Managed Google Play store, you can set the Allow access to all apps in Google Play store setting to Allow. With this setting, the user can access all the apps in the Google Play store using their corporate account; however, purchases may be limited. You can remove the limited purchases restriction by allowing users to add new accounts to the device. Doing so will enable end users to purchase apps from the Google Play store using personal accounts, as well as conduct in-app purchases. For more information, see Android Enterprise device settings to allow or restrict features using Intune.
Note: The Microsoft Intune app, the Microsoft Authenticator app, and the Company Portal app will be installed as required apps onto all fully managed devices during onboarding. Having these apps automatically installed provides Conditional Access support, and Microsoft Intune app users can see and resolve compliance issues.
Manage Android Enterprise app permissions
Android Enterprise requires you to approve apps in the managed Google Play web console before you sync them with Intune and assign them to your users. Because Android Enterprise allows you to silently and automatically push the apps to users’ devices, you must accept the app permissions on behalf of all your users. Users don’t see any app permissions when they install the apps, so it’s important that you understand the permissions.
When an app developer updates permissions with a new version of the app, the permissions are not automatically accepted even if you approved the previous permissions. Devices that run the previous version of the app can still use it. However, the app is not upgraded until the new permissions are approved. Devices without the app installed do not install the app until you approve the app’s new permissions.
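Added example (not part of the original documentation, and not Microsoft or Google code): since users never see the permission prompt, an admin can diff the permissions requested by the approved version and the updated version of an app before approving the new set. It assumes both AndroidManifest.xml files have already been decoded to text XML; the function names, the sample manifests and the short sensitive-permission list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Illustrative subset of Android runtime ("dangerous") permissions, not a full list.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names

def permission_delta(old_xml, new_xml):
    """Compare two app versions; 'added' is what the update asks for on top."""
    old, new = requested_permissions(old_xml), requested_permissions(new_xml)
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "added_sensitive": sorted(added & SENSITIVE),
        "has_new_permissions": bool(added),
    }

# Constructed sample manifests (hypothetical package, not a real app).
OLD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.lob">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""
NEW = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.lob">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    for key, value in permission_delta(OLD, NEW).items():
        print(f"{key}: {value}")
```

The standard-library XML parser is not hardened against maliciously constructed XML, so for manifests taken from untrusted APKs use a hardened parser such as defusedxml.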
Additional Managed Google Play app reporting for Android Enterprise personally-owned work profile devices
For Managed Google Play apps deployed to Android Enterprise personally-owned work profile devices, you can view the status and version number of the app installed on a device using Intune.
Android Enterprise system apps
You can enable an Android Enterprise system app for Android Enterprise dedicated devices or fully managed devices. For more information about adding an Android Enterprise system app, see Add Android Enterprise system apps to Microsoft Intune.