Use Managed App Configuration on Android Apps delivered via Workspace ONE UEM

This is a natural progression of a series of blogs I have written while working on a pretty innovative Line of Business use case. Like the post about Managing Public Apps Updates, this post enables a critical feature originally developed for Google Play to be used when applications are delivered through Workspace ONE UEM's internal app management capabilities.

Managed App Config

Managed App Configuration is the ability to send key-value pairs from the Workspace ONE UEM servers to a specific app on a set of devices. This can be useful, for instance, to pre-configure certain applications. Mostly none of this is new news. There have been resources all over for configuring Managed App Config for Android apps delivered via Google Play for years.

With those resources and examples on how to use Managed App Config with Public Apps available, I want to discuss how we can achieve the same outcome for applications your organization chooses not to deliver through Google's Managed Play. The "Why" is not the topic for this blog post; however, let's say you have an Android application which supports some flavor of Managed App Config and that you want to deliver using Workspace ONE UEM's Internal App delivery mechanism. It could be because you are using the new capabilities of Workspace ONE UEM allowing closed network Android Enterprise enrollment, or because your organization doesn't approve uploading certain IP to a public cloud.

High Level Steps:

  1. Upload Application using Workspace ONE UEM's Internal App delivery
    1. How to do this from
  2. Assign Application to group of devices
    1. How to do this from
    2. Do not enable the 'Application Configuration' section.
  3. Create Managed App Configuration Profile
    1. Steps below
  4. Assign new Profile to selected devices

Anatomy of a Managed App Config Profile

The Managed App Config Profile is all Custom XML payload.  Here is where the magic happens. I have pasted some examples to show first. 

Above is an example of Managed App Config that you can push to an internally developed application which is looking for 3 specific values: a string value, a boolean value, and a JSON array as a string value. This configuration helps pre-configure the application so on first use the user experience is pristine. The highlighted yellow bits contain 2 values needed in order for the Hub to understand what type of Profile this is and what app to deliver the payload to.

  • type=""
    • This com.developer.yourapplidentity is the bundle id of the application you wish to push this configuration to.
  • uuid={some uuid} 
    • This uuid is required to be unique across the entire Workspace ONE UEM environment. I recommend exporting the XML from another profile deployed already, then taking 4-5 characters and changing them. Each character in the uuid must be a valid hex digit: 0-9 and A-F.
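
An added example, not from the original post or from the product's documentation: a small Python check for the two attributes described above, plus a way to generate a fresh uuid rather than hand-editing an exported one. The element names, the `PLACEHOLDER:` prefix, the parm key and the 8-4-4-4-12 uuid layout in the constructed sample are assumptions; copy the real structure from a profile exported from your own environment.

```python
import re
import uuid
import xml.etree.ElementTree as ET

UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample payload (assumed element names, placeholder type prefix).
# The uuid ends in "G1": a hand-edit that slipped outside the hex range.
SAMPLE = """
<characteristic type="PLACEHOLDER:com.developer.yourapplidentity"
                uuid="2C787565-1C5A-4709-A46A-72E0A3B6B7G1">
  <parm name="server_url" value="https://example.invalid" type="string"/>
</characteristic>
"""

def check_profile(xml_text, package_id, uuids_in_use):
    """Return a list of problems found in a custom XML profile payload."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    # Locate every element carrying both attributes the Hub needs.
    targets = [e for e in root.iter() if "type" in e.attrib and "uuid" in e.attrib]
    if not targets:
        return ["no element with both type= and uuid= attributes"]
    in_use = {u.lower() for u in uuids_in_use}
    problems = []
    for elem in targets:
        if not elem.get("type").endswith(package_id):
            problems.append(f"type does not name {package_id}")
        value = elem.get("uuid")
        if not UUID_RE.match(value):
            problems.append(f"uuid {value} is not 8-4-4-4-12 hex")
        elif value.lower() in in_use:
            problems.append(f"uuid {value} is already used by another profile")
    return problems

def fresh_uuid(uuids_in_use):
    """Generate a random uuid that does not collide with exported ones."""
    in_use = {u.lower() for u in uuids_in_use}
    while True:
        candidate = str(uuid.uuid4()).upper()
        if candidate.lower() not in in_use:
            return candidate

if __name__ == "__main__":
    existing = ["2C787565-1C5A-4709-A46A-72E0A3B6B7F1"]  # constructed value
    print(check_profile(SAMPLE, "com.developer.yourapplidentity", existing))
    print(fresh_uuid(existing))
```

Feed `uuids_in_use` from the uuid attributes of the profiles you have already exported, so a duplicate is caught before the profile is saved.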

This example is a real example of pushing Managed App Configuration to Chrome. This is a hybrid scenario where you continue to push the app through Google Play but want to leverage Profiles to deliver configuration. Profiles are a bit more powerful than the embedded public app managed configuration because you can easily edit 1 value without reloading the page, it's easy to track success of the installation of the Profile, and you can repush the configuration to a single device for troubleshooting.

Lastly, the below Managed Configuration is easily the most complex, using many embedded string-array data types. This is for the OEMConfig application from Samsung called Knox Service Plugin.

I'm pasting the actual configuration because it's so long and you can copy and paste into your own environment. I've gone ahead and added dummy values as examples. This is not the full list of support from KSP but should give an example of good.

Bringing this all home the Workspace ONE UEM Profile would look similar to the below picture. 

Hope this helps with some deployment flexibility when using Google's Managed App Config concepts for Android applications published through Workspace ONE UEM.


  1. Great!! It works for Android Legacy with
    Application Assignment / App Configuration didn't work. App is installed inside Knox Workspace. Thx a lot, Ralf

    1. RalfHB, glad I could help. Just to make sure you are saying within the Knox Workspace you change the type to ?

  2. This comment has been removed by the author.

  3. Great help Joe. Hats off! I have been banging my head around this since a week and now I have found out a way. Thank you once again...

    I also wanted to know your thoughts on, can we register a MS Authenticator remotely via the WS1 console without an end user intervention? e.g. registering it in shared device mode etc.

  4. Hey Joe... referring the article

    How can we use the same keys for registering authenticator? Any idea?

    1. Hey Prip, I did some digging on the MS Authenticator app. It only supports 1 app config value (shared mode). It doesn't seem to support pushing down any other configuration to preregister.

    2. Thank you for your feedback Joe. Please do let me know if you have any more interesting findings and btw I really love your blog, great exciting stuff you have been posting. Would love to read more!

  5. Hi. Will this work for Android Enterprise with dual partition? Am unable to access app configuration as well.

    1. This would work in the partition that the Hub is installed in. So if using Android Enterprise Work Profile. You can push app config to the applications inside the Work Profile

  6. Hi, this article is great. Where can I find the documentation for the XML I have to create to configure Knox Service Plugin? I could not find a XSD or else on the Samsung Knox Support pages.

    1. Hi, my coworker Nishant actually posted how to grab the XML that is applicable with each version.

