Use Managed App Configuration on Android Apps delivered via Workspace ONE UEM

This post is a natural progression of a series of blog posts I have written while working on a pretty innovative Line of Business use case. Like the post about Managing Public Apps Updates, this one takes a critical feature originally developed for Google Play and makes it usable when applications are delivered through Workspace ONE UEM's internal app management capabilities.



Managed App Config


Managed App Configuration is the ability to send key-value pairs from the Workspace ONE UEM servers to a specific app on a set of devices. This can be useful, for instance, to pre-configure certain applications. Almost none of this is news: resources for configuring Managed App Config for Android apps delivered via Google Play have been available for years.




With those resources and examples covering Managed App Config for Public Apps, I want to discuss how to achieve the same outcome for applications your organization chooses not to deliver through Google's Managed Play. The "why" is not the topic of this blog post; however, let's say you have an Android application that supports some flavor of Managed App Config and that you want to deliver using Workspace ONE UEM's Internal App delivery mechanism. That could be because you are using the new capabilities of Workspace ONE UEM that allow closed-network Android Enterprise enrollment, or because your organization doesn't approve uploading certain IP to a public cloud.

High Level Steps:


  1. Upload Application using Workspace ONE UEM's Internal App delivery
    1. How to do this from docs.vmware.com
  2. Assign Application to group of devices
    1. How to do this from docs.vmware.com
    2. Do not enable the 'Application Configuration' section.
  3. Create Managed App Configuration Profile
    1. Steps below
  4. Assign new Profile to selected devices

Anatomy of a Managed App Config Profile

The Managed App Config Profile consists entirely of a Custom XML payload. Here is where the magic happens. I have pasted some examples to show first.


Above is an example of Managed App Config that you can push to an internally developed application that is looking for 3 specific values: a string value, a boolean value, and a JSON array as a string value. This configuration pre-configures the application so that on first use the user experience is pristine. The bits highlighted in yellow contain the 2 values the Hub needs in order to understand what type of Profile this is and which app to deliver the payload to.

  • type="com.airwatch.android.androidwork.app:com.developer.yourapplidentifier"
    • The com.developer.yourapplidentifier part is the bundle id of the application you wish to push this configuration to.
  • uuid={some uuid}
    • This uuid must be unique across the entire Workspace ONE UEM environment. I recommend exporting the XML from another profile that is already deployed, then changing 4-5 characters. Each character in the uuid must be a hex digit: 0-9 or A-F.
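
A pre-flight check for the two values described above, as an added example that is not part of the original post: it confirms that the `type` attribute carries the prefix plus a well-formed package id, and that a hand-edited `uuid` is still valid hex and not already used by another profile. The 8-4-4-4-12 uuid layout, the `lint_payload` name and the element names in the constructed sample are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Prefix the post gives for Android Enterprise app-config payloads.
TYPE_PREFIX = "com.airwatch.android.androidwork.app:"
# Assumption: the uuid uses the standard 8-4-4-4-12 hex layout.
UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# Android package id: two or more dot-separated segments, each starting with a letter.
PKG_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")


def lint_payload(xml_text, uuids_in_use=()):
    """Return (package_id, problems) for one custom XML payload."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return None, [f"not well-formed XML: {exc}"]
    # Inspect every element so the check does not depend on element names.
    targets = [e for e in root.iter() if e.get("type", "").startswith(TYPE_PREFIX)]
    if len(targets) != 1:
        return None, [f"expected 1 element typed '{TYPE_PREFIX}<package>', found {len(targets)}"]
    elem = targets[0]
    package = elem.get("type")[len(TYPE_PREFIX):]
    problems = []
    if not PKG_RE.fullmatch(package):
        problems.append(f"'{package}' is not a valid Android package id")
    value = elem.get("uuid", "")
    if not UUID_RE.fullmatch(value):
        problems.append(f"uuid '{value}' is not 8-4-4-4-12 hex")
    elif value.lower() in {u.lower() for u in uuids_in_use}:
        problems.append(f"uuid '{value}' is already used by another profile")
    return package, problems


# Constructed sample; element names and the parm attributes are assumptions.
SAMPLE = """<characteristic uuid="568bc89d-1df8-4ce9-a041-e5a24acdb7ec"
    type="com.airwatch.android.androidwork.app:com.developer.yourapplidentifier">
  <parm name="server_url" value="https://example.invalid" type="string" />
</characteristic>"""

if __name__ == "__main__":
    in_use = ["568BC89D-1DF8-4CE9-A041-E5A24ACDB7EC"]  # constructed: copied, not yet edited
    print(lint_payload(SAMPLE))          # clean payload
    print(lint_payload(SAMPLE, in_use))  # uuid collision with an existing profile
```

Feed `uuids_in_use` from the uuids of the profiles you exported, so a copy whose uuid was never changed is caught before upload.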


This is a real example of pushing Managed App Configuration to Chrome. It is a hybrid scenario where you continue to push the app through Google Play but want to leverage Profiles to deliver configuration. Profiles are a bit more powerful than the embedded public app managed configuration because you can easily edit 1 value without reloading the page, it's easy to track the success of the Profile installation, and you can repush the configuration to a single device for troubleshooting.

Lastly, the Managed Configuration below is easily the most complex, using many embedded string-array data types. It is for the OEMConfig application from Samsung called Knox Service Plugin.

I'm pasting the actual configuration because it's so long and you can copy and paste it into your own environment. I've gone ahead and added dummy values as examples. This is not the full list of what KSP supports, but it should give an example of what good looks like.




Bringing this all home, the Workspace ONE UEM Profile would look similar to the picture below.


Hope this helps with some deployment flexibility when using Google's Managed App Config concepts for Android applications published through Workspace ONE UEM.

Comments

  1. Great!! It works for Android Legacy with type=com.airwatch.android.container.app.
    Application Assignment / App Configuration didn't work. App is installed inside Knox Workspace. Thx a lot, Ralf

    Replies
    1. RalfHB, glad I could help. Just to make sure you are saying within the Knox Workspace you change the type to com.airwatch.android.container.app:com.samsung.android.knox.kpu ?

  2. This comment has been removed by the author.

  3. Great help Joe. Hats off! I have been banging my head around this for a week and now I have found a way. Thank you once again...

    I also wanted to know your thoughts on, can we register a MS Authenticator remotely via the WS1 console without an end user intervention? e.g. registering it in shared device mode etc.

  4. Hey Joe... referring to the article https://docs.microsoft.com/en-gb/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune#configuration-keys

    How can we use the same keys for registering authenticator? Any idea?

    Replies
    1. Hey Prip, I did some digging on the MS Authenticator app. It only supports 1 app config value (shared mode). It doesn't seem to support pushing down any other configuration to preregister.

    2. Thank you for your feedback Joe. Please do let me know if you have any more interesting findings and btw I really love your blog, great exciting stuff you have been posting. Would love to read more!

  5. Hi. Will this work for Android Enterprise with dual partition? Am unable to access app configuration as well.

    Replies
    1. This would work in the partition that the Hub is installed in. So if using Android Enterprise Work Profile, you can push app config to the applications inside the Work Profile.

  6. Hi, this article is great. Where can I find the documentation for the XML I have to create to configure Knox Service Plugin? I could not find an XSD or else on the Samsung Knox Support pages.

    Replies
    1. Hi, my coworker Nishant actually posted how to grab the XML that is applicable with each version. https://blogs.vmware.com/euc/2020/02/deploying-knox-service-plugin-ksp.html

  7. Hi Joe, I have a question, here's the thing: if I want to disable or deactivate the omnibox bar on Google Chrome, what is the parm name that I need to do that?

  8. This has been an eye opener for me; as far as I can see this is missing from the Workspace ONE documentation. I have been trying in vain to get a private app to be configured. I have followed the examples above to set a few strings on my app. The Profile is pushed to the device, but as far as I can see my Android app is not picking up the values. The AppRestrictions work fine when I set them with "Test DPC" but not so with Workspace ONE. It just seems to fail silently. Any tips on how to work out where this is failing?

    Replies
    1. Hi! So what's a sample of your custom XML, if you can paste it? Android Enterprise? Pushing the app through 'Internal' apps in UEM?

  9. Nice post! I wonder if I can build easy-to-use mobile apps with the help of a Native android application development platform.

  10. Very interesting, do you think that may work with legacy and non-GMS devices?

    Replies
    1. It absolutely does. When not using Play Store, the Hub can directly write these.

    2. Thanks for this quick reply, I'm desperately trying to use configuration for the app Ivanti Velocity, on non-gms devices with android 5.1.1 . But no success at this time :( Maybe the version of intelligent hub, I will try with older versions.

    3. Well after many attempts, I think it's not possible on devices without Android Enterprise support, which is my case. To use managed config, device can be non-GMS, but at least Android Enterprise capable.
