Add Managed Google Play apps to Android Enterprise devices with Intune

  • Article
  • 17 minutes to read

Managed Google Play is Google's enterprise app store and sole source of applications for Android Enterprise in Intune. You can use Intune to orchestrate app deployment through Managed Google Play for any Android Enterprise scenario (including personally-owned work contour, dedicated, fully managed, and corporate-endemic work profile enrollments). How you add Managed Google Play apps to Intune differs from how Android apps are added for non-Android Enterprise. Shop apps, line-of-business organization (LOB) apps, and web apps are approved in or added to Managed Google Play, then synchronized into Intune and so that they appear in the Client Apps list. Once they appear in the Customer Apps listing list, yous can manage assignment of any Managed Google Play app as you would any other app.

To arrive easier for you to configure and use Android Enterprise management, upon connecting your Intune tenant to Managed Google Play, Intune will automatically add four common Android Enterprise related apps to the Intune admin console. The four apps are the following:

  • Microsoft Intune - Used for Android Enterprise fully managed scenarios. This app is automatically installed to fully managed devices during the device enrollment process.
  • Microsoft Authenticator - Helps yous sign-in to your accounts if you use two-cistron verification. This app is automatically installed to fully managed devices during the device enrollment process.
  • Intune Company Portal - Used for App Protection Policies (APP) and Android Enterprise personally-owned piece of work profile scenarios. This app is automatically installed to fully managed devices during the device enrollment process.
  • Managed Habitation Screen - Used for Android Enterprise dedicated multi-app kiosk scenarios. It admins should create an consignment to install this app on dedicated devices that are going to exist used in multi-app kiosk scenarios.

Notation

When an end user enrolls their Android Enterprise fully managed device, the Intune Company Portal app is automatically installed and the application icon may exist visible to the finish user. If the end user attempts to launch the Intune Company Portal app, the end user will exist redirected to the Microsoft Intune app and the Company Portal app icon will be subsequently hidden.

Earlier you first

  • Make sure you have connected your Intune tenant to Managed Google Play. For more than information, encounter Connect your Intune account to your Managed Google Play account.
  • If y'all intend to enroll personally-owned work profile devices, brand sure you have configured Intune and Android personally-endemic work profiles to work together in the Device enrollment workload of the portal. For more information, see Enroll Android devices.

Note

When you work with Microsoft Intune, nosotros recommend that you lot utilise either the Microsoft Edge or Google Chrome browser.

Managed Google Play app types

In that location are three types of apps that are available with Managed Google Play:

  • Managed Google Play shop app - Public apps that are generally available in the Play Store. Manage these apps in Intune by browsing for the apps you want to manage, approving them, and then synchronizing them into Intune.
  • Managed Google Play private app - These are LOB apps published to Managed Google Play by Intune admins. These apps are private and are available just to your Intune tenant. This is how LOB apps are managed and deployed with Managed Google Play and Android Enterprise.
  • Managed Google Play web link - Web links with It admin-defined icons that are deployable to Android Enterprise devices. These appear on devices in the device's app list just like regular apps.

Managed Google Play shop apps

Annotation

Most newly-created items in Intune take on the scope tags of the creator. This is not the case for Managed Google Play Store apps. Admins can assign a scope tag to use to all newly-synced Managed Google Play apps on the Managed Google Play connector pane. For more information, run into Connect your Intune Account to your Managed Google Play business relationship.

There are two ways to browse and approve Managed Google Play store apps with Intune:

  1. Directly in the Intune console - Scan and approve store apps in a view hosted within Intune. This opens directly in the Intune console and does non require y'all to reauthenticate with a different account.
  2. In Managed Google Play console - You tin optionally open the Managed Google Play console directly and corroborate apps at that place. Run into Sync a Managed Google Play app with Intune for more information. This requires a divide login using the account you used to connect your Intune tenant to Managed Google Play.

Add a Managed Google Play store app directly in the Intune panel

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Apps > All apps > Add together.

  3. In the Select app blazon pane, under the available Store app types, select Managed Google Play app.

  4. Click Select. The Managed Google Play app shop is displayed.

  5. Select an app to view the app details.

  6. On the folio that displays the app, click Approve. A window for the app opens asking you to give permissions for the app to perform various operations.

  7. Select Approve to have the app permissions and continue.

  8. Select Keep approved when app requests new permissions in the Approval Settings tab and then click Done.

    Important

    If you practice not cull this choice, yous will need to manually corroborate any new permissions if the app developer publishes an update. This volition crusade installations and updates of the app to stop until permissions are approved. For this reason, it is recommended to select the option to automatically approve new permissions.

  9. Click Select to select the app.

  10. Click Sync at the pinnacle of the blade to sync the app with the Managed Google Play service.

  11. Click Refresh to update the app list and brandish the newly added app.

Add a Managed Google Play store app in the Managed Google Play console (Culling)

If you lot prefer to synchronize a Managed Google Play app with Intune rather than adding it directly using Intune, use the following steps.

Important

The information provided below is an culling method to adding a Managed Google Play app using Intune as described to a higher place.

  1. Go to the Managed Google Play store. Sign in with the aforementioned account you lot used to configure the connection between Intune and Android Enterprise.

  2. Search the store and select the app you lot want to assign by using Intune.

  3. On the folio that displays the app, click Approve.
    In the following example, the Microsoft Excel app has been chosen.

    The Approve button in the Managed Google Play store

    A window for the app opens asking y'all to give permissions for the app to perform various operations.

  4. Select Approve to accept the app permissions and continue.

    The Approve button for app permissions

  5. Select an option for treatment new app permission requests, and then select Relieve.

    Options for handling new app permission requests

    The app is approved, and it is displayed in your IT admin console. Adjacent, you can Sync a Managed Google Play app with Intune.

Managed Google Play private (LOB) apps

There are two ways to add LOB apps to Managed Google Play:

  1. Directly in the Intune console - This allows you lot to add LOB apps past submitting just the app APK and a championship, directly inside Intune. This method does not require you to have a Google developer business relationship and does not require you to pay the fee to register with Google as a developer. This method is simpler and has a significantly reduced number of steps, and makes LOB apps available for direction in as little as x minutes.
  2. In the Google Play Developer Console - If you have a Google developer account or desire to configure advanced distribution features that are only bachelor in the Google Play Developer Console (like calculation additional app screenshots), you can use the Google Play Programmer Console.

Managed Google Play private (LOB) app publishing directly in the Intune panel

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Apps > All apps > Add together.

  3. In the Select app type pane, under the available Store app types, select Managed Google Play app.

  4. Click Select. The Managed Google Play app store is displayed within Intune.

  5. Select Private apps (next to the lock icon) in the Google Play window.

  6. Click the "+" button at the lower right to add a new app.

  7. Add an app Title and click Upload APK add the APK app package.

    Note

    Your app's package name must be globally unique in Google Play (not just unique within your enterprise or Google Play Programmer account). Otherwise, you will receive the Upload a new APK file with a different package name error.

  8. Click Create.

  9. Shut the Managed Google Play pane if you are done adding apps.

  10. Click Sync on the App app pane to sync with the Managed Google Play service.

    Note

    Private apps may take several minutes to become available to sync. If the app does not announced the get-go fourth dimension y'all perform a sync, wait a couple minutes and initiate a new sync. You tin can also sync apps from the Managed Google Play shop. For related information, see Sync a Managed Google Play app with Intune.

For more than information well-nigh Managed Google Play private apps including a FAQ, see Google's support article: https://support.google.com/googleplay/work/reply/9146439

Important

Private apps added using this method can never be made public. Only employ this publishing option if you are sure that this app will always be private to your system.

Managed Google Play individual (LOB) app publishing using the Google Developer Console

  1. Sign in to the Google Play Programmer Panel with the same account you lot used to configure the connection between Intune and Android Enterprise.

    Annotation

    If you are signing in for the first fourth dimension, you must register and pay a fee to get a member of the Google Developer plan.

  2. In the console, add together new application. For details, see Google'southward support doc: Publish Private apps.

  3. Y'all upload and provide data near your app in the same way as yous publish any app to the Google Play store. Nonetheless, you must specifically add your organization using the Google Play Console. For details, see Google'due south support md Publish to your own organization.

    Note

    Follow Google'southward back up documentation to make the app available just to your organization. The app won't be available on the public Google Play store.

    For more than data virtually uploading and publishing Android apps, see Google Developer Console Help.

  4. After you've published your app, sign in to the Managed Google Play store with the same account that you used to configure the connectedness between Intune and Android Enterprise.

  5. In the Apps node of the store, verify that the app yous've published is displayed.
    The app is automatically canonical to be synchronized with Intune.

Managed Google Play spider web links are installable and manageable only like other Android apps. When installed on a device, they will appear in the user's app list alongside the other apps they take installed. When selected, they volition launch in the device's browser.

Note

Web links pushed downwards from Managed Google Play volition not open in the corporate context of Microsoft Edge if you have configured your Intune application protection policy setting Receive data from other apps to be Policy managed apps. When a web link is pushed downwardly through Managed Google Play, it'south not recognized as a MAM-managed app, which is why Microsoft Border will open in the personal context or InPrivate mode if the user is non signed in with a personal account. For related information, see Android app protection policy settings in Microsoft Intune.

Web links will open with Microsoft Border or any other browser app you choose to deploy. Exist sure to deploy at least one browser app to devices in order for web links to exist able to open properly. Withal, all of the Display options bachelor for web links (total screen, standalone, and minimal UI) will simply work with the Chrome browser.

To create a Managed Google Play web link:

  1. Sign in to the Microsoft Endpoint Manager admin heart.

  2. Select Apps > All apps > Add.

  3. In the Select app type pane, under the bachelor Store app types, select Managed Google Play app.

  4. Click Select. The Managed Google Play app shop is displayed within Intune.

  5. Select Web apps (next to the Earth icon) in the Google Play window.

  6. Click the "+" button at the lower right to add a new app.

  7. Add an app Title, the web app URL, select how the app should exist displayed, and select an app icon.

  8. Click Create.

  9. Shut the Managed Google Play pane if yous are done adding apps.

  10. Click Sync on the App app pane to sync with the Managed Google Play service.

    Note

    Web apps may take several minutes to get available to sync. If the app does not appear the first time you perform a sync, wait a couple minutes and initiate a new sync.

Sync a Managed Google Play app with Intune

If you have approved an app from the store and don't run into information technology in the Apps workload, force an immediate sync as follows:

  1. Sign in to the Microsoft Endpoint Managing director admin center.
  2. Select Tenant administration > Connectors and tokens > Managed Google Play.
  3. In the Managed Google Play pane, cull Sync.
    The folio updates the time and status of the final sync.
  4. In the Microsoft Endpoint Director admin center select Apps > All apps.
    The newly bachelor Managed Google Play app is displayed.

Assign a Managed Google Play app to Android Enterprise personally-owned and corporate-owned work profile devices

When the app is displayed in the App licenses node of the Apps workload pane, yous can assign it just every bit y'all would assign any other app by assigning the app to groups of users.

Subsequently y'all assign the app, it is installed (or available for install) on the devices of the users that you've targeted. The user of the device is not asked to corroborate the installation. For more than information about Android Enterprise personally-owned piece of work contour devices, see Gear up enrollment of Android Enterprise personally-owned work profile devices.

Annotation

Only apps that accept been assigned will show upward in the Managed Google Play store for an terminate user. As such, this is a key step for the admin to take when setting upwards apps with Managed Google Play.

Assign a Managed Google Play app to Android Enterprise fully managed devices

Android Enterprise fully managed devices are corporate-owned devices associated with a single user and used exclusively for piece of work and not personal utilise. Users on fully managed devices can get their available company apps from the Managed Google Play app on their device.

Past default, an Android Enterprise fully managed device will not let employees to install any apps that are not approved past the organization. Too, employees will non exist able to remove any installed apps against policy. If y'all wish to allow users to access the total Google Play store to install apps rather than only having access to the approved apps in Managed Google Play store, you can set the Allow access to all apps in Google Play store to Allow. With this setting, the user can access all the apps in the Google Play store using their corporate account, however purchases may limited. You can remove the express purchases restriction by allowing users to add new accounts to the device. Doing so will enable end users to have the ability to purchase apps from the Google Play store using personal accounts, too as deport in-app purchases. For more than information, see Android Enterprise device settings to allow or restrict features using Intune.

Notation

The Microsoft Intune app, the Microsoft Authenticator app, and the Company Portal app volition be installed as required apps onto all fully managed devices during onboarding. Having these apps automatically installed provides Conditional Admission support, and Microsoft Intune app users can meet and resolve compliance problems.

Update a Managed Google Play app

Past default, Managed Google Play apps will non update unless the following conditions are met:

  • The device is connected to wi-fi
  • The device is charging
  • The device is non actively existence used
  • The app to be updated is non running on the foreground

For more than data, see the Manage App Updates documentation from Google.

You can choose to configure the wi-fi requirement for defended, fully managed, and corporate-endemic work profile devices by configuring app auto-updates in device configurations policies.

For defended, fully managed, and corporate-owned work contour devices, you tin can choose an app update mode when an app is assigned to groups. The update modes available are:

  • Default: The app's updates are subject to default conditions (described in a higher place).
  • High Priority: The app volition update as soon as possible from when a new update is released, disregarding all of the default conditions. This may exist disruptive for some users since the update can occur while the device is being used.

To edit the app update mode:

  1. Sign in to the Microsoft Endpoint Director admin center.
  2. Select Apps > All apps.
  3. Select the app from the apps list.
  4. Select Properties.
  5. Select Edit by the Assignments section.
  6. Find the grouping you'd similar to edit the app update fashion for past clicking the respective group style for that group.
  7. Under app settings, select the desired update mode.

Manage Android Enterprise app permissions

Android Enterprise requires you to approve apps in the Managed Google Play web console before you sync them with Intune and assign them to your users. Because Android Enterprise allows you to silently and automatically button the apps to users' devices, you lot must accept the app permissions on behalf of all your users. Users don't see any app permissions when they install the apps, then it's important that you understand the permissions.

When an app developer updates permissions with a new version of the app, the permissions are not automatically accustomed even if yous approved the previous permissions. Devices that run the previous version of the app tin notwithstanding apply it. However, the app is not upgraded until the new permissions are approved. Devices without the app installed do not install the app until you lot approve the app'south new permissions.

Update app permissions

Periodically visit the Managed Google Play console to check for new permissions. You tin configure Google Play to transport you or others an e-mail when new permissions are required for an approved app. If you assign an app and observe that it isn't installed on devices, check for new permissions following these steps:

  1. Go to Google Play.
  2. Sign in with the Google business relationship that you used to publish and approve the apps.
  3. Select the Updates tab, and check to encounter whether any apps require an update.
    Whatsoever listed apps require new permissions and are non assigned until they are applied.

Alternatively, you can configure Google Play to automatically reapprove app permissions on a per-app basis.

Additional Managed Google Play app reporting for Android Enterprise personally-endemic work contour devices

For Managed Google Play apps deployed to Android Enterprise personally-owned work profile devices, you can view the status and version number of the app installed on a device using Intune.

Working with Managed Google Play airtight testing tracks

You can distribute a not-production version of a Managed Google Play app to devices enrolled in an Android Enterprise scenario (Android Enterprise personally-endemic piece of work contour (BYOD), Android Enterprise fully managed (COBO), Android Enterprise dedicated devices (COSU), and Android Enterprise corporate-endemic work profile (COPE)) in order to perform testing. In Intune, yous can see whether an app has a pre-production build test track published to information technology, equally well as exist able to assign that track to Azure Active Directory user groups or device groups. The workflow for assigning a production version to a group that currently exists is the same as assigning a non-production channel. Subsequently deployment, the install condition of each track volition represent with the track's version number in Managed Google Play. For more than data, see Google Play's airtight examination tracks for app pre-release testing.

Annotation

Required app deployments for not-production app tracks are currently unavilable for devices enrolled in Android Enterprise personally-owned piece of work contour (BYOD).

Delete Managed Google Play apps

When necessary, yous tin can delete Managed Google Play apps from Microsoft Intune. To delete a Managed Google Play app, open Microsoft Intune in the portal and select Apps > All apps. From the app list, select the ellipses (...) to the correct of the Managed Google Play app, and then select Delete from the displayed list. When you delete a Managed Google Play app from the app list, the managed Google Play app is automatically unapproved.

Note

If an app is unapproved or deleted from the managed Google Play store, it volition not be removed from the Intune customer apps list. This allows you to withal target an uninstall policy to users even if the app is unapproved.

To turn off Android Enterprise enrollment and management, see Disconnect your Android Enterprise administrative account.

Android Enterprise organisation apps

You can enable an Android Enterprise system app for Android Enterprise dedicated devices or fully managed devices. For more information most calculation an Android Enterprise system app, see Add Android Enterprise system apps to Microsoft Intune.

Adjacent steps

  • Assign apps to groups