Hassle free app management with Android Enterprise & Hexnode

Alessia Forster

Jun 1, 2021

Our workspaces have never remained static. They have come a long way from the legacy Windows OS, accommodating many lesser-known concepts, including BYOD (Bring Your Own Device). With BYOD emerged the trend of employees using their personal devices for work. Though it simplified work for employees, its challenges could not be ignored. The immediate consequence was a need for effective segregation of work and personal apps and for enterprise app management. To accommodate this trend while ensuring security, Google began implementing APIs for extending its control over Android devices.

We then witnessed its rapid evolution from the Device Admin API to Android for Work, launched initially as an optional solution that was then made a mandatory component for manufacturers. Android for Work was then renamed to what we now know as Android Enterprise.

Before we begin: A peek into some Enterprise terms

Android Enterprise has reduced the device management burden on the IT teams to a great extent. To dive deeper into Android Enterprise, it is important to familiarize yourself with some of its terms. Let’s have a look at some of these.


It refers to creating a separate work container within the device hosting the work apps and data. With this container in place, it is easier to manage the work data without affecting the personal files on the device.

Work profile

It is a separate space created in managed devices to host the work apps and data. Enterprises have full control over the data in this workspace. The personal apps and data, however, remain inaccessible to the IT team.

Profile owner

It is a device management mode whereby IT manages only the work profile, and the user has full control over all the other personal apps and data.

Device owner

Here, the organization has full management control over the device. It is meant for corporate devices with a great emphasis on security.

Enterprise apps

These are organization-specific apps that are developed to meet the needs of their employees. The distribution of these apps is restricted to organizations and is not accessible through public platforms like Google Play.

How are Android devices used in an enterprise scenario?

Different types of enterprise devices

Android Enterprise- The basic framework

An Android Enterprise solution comprises three major elements: the EMM console, Android device policy, and Managed Google Play, which work in unison to manage the different endpoints.

Components of Android Enterprise solution
The EMM console acts as a unified platform from which IT can easily manage the apps and devices in their organization. This is achieved by integrating the console with the APIs and UI components provided by Android Enterprise. Next on the list is the Android device policy, which acts as a communication channel between the EMM console and the device, ensuring that all your policies are applied to your devices. Additionally, you have Managed Google Play, the Play store tailored for enterprises, which simplifies app addition and approval by integrating into the EMM console and supplying it with features like public app search, private app publishing, web app publishing, and app organization.

Hexnode For Work

Android Enterprise gives organizations the flexibility to choose between Google’s Android device policy app with the Android Management API, or the EMM’s custom Device Policy Controller (DPC) app along with the Google Play EMM API. The Device Policy Controller app acts just like the Android device policy app, serving as a link with the EMM software for applying the required profiles and settings to the devices. Hexnode’s DPC, Hexnode For Work, makes it easier to manage enterprise devices by making it possible to incorporate features beyond the well-defined ones laid out by Google’s Android Management API.

App management with Android Enterprise and Hexnode

Mobile devices have come a long way from their communication-only use case, evolving into an all-in-one tool capable of managing a business. And this wouldn’t be possible without the vast array of apps that we now have on our devices.

“The Google Play app revenue has grown from 15 billion in 2016 to 38.6 billion in 2020”

Now users can easily access and record enterprise data without any restrictions. Though this seems like an advantage, it can easily turn into a disadvantage without an effective device management mechanism in place capable of securing data, potentially turning these devices into weak data-exposing links. EMM solutions have developed a lot of features that make app management easier. Let’s take a look at how Hexnode makes this possible.

Enterprise app addition and distribution

Managed Google Play is the Android Enterprise’s store that allows you to select, purchase and manage your organizational apps. Hexnode allows you to easily approve and add Managed Google Play apps to the app inventory from the Managed Google Play and directly deploy them to the target devices.

How is this done?

  • Navigate to Add Apps under the Apps tab and select Managed Google Apps
  • Select the required work application and select Approve
  • Further, please select the required approval options as to whether the app should be automatically approved or revoked when it requests new permissions
  • Further, add an email address if you need notification for each permission request made by the app and then save
  • The approved apps will then be added to your app inventory

As enterprise apps are specially designed for organizations, they can’t be distributed publicly through the Play store. Hence, EMMs have a pivotal role here. They distribute these apps to the required targets by initially adding them as APK files, Manifest URLs or as Managed Google Play apps into the Hexnode app inventory.

Enterprise app addition methods

Through EMM console

APK file

These apps are uploaded as Android Package (APK) files to the Hexnode app inventory. These can then be distributed to the targets specifically or to all the devices in bulk.

Manifest URL

Enterprise apps can be added to the Hexnode app inventory by adding the Manifest URL or the direct download link to the APK files.

Private apps in Google Play

Android Enterprise allows its users to distribute apps specific to their organization by publishing them privately in Managed Google Play. For apps to be added privately in the Managed Play Store, you need to have a developer account and get your app approved. You can learn more about developer account creation and app approval here.
These apps can be easily added to the Hexnode app inventory by selecting the required apps from the Private apps section in the Managed Google Play.

After adding these apps into the Hexnode app inventory they can be easily deployed to the target users. This can be done in multiple ways:

  • From Actions under the Manage tab that allows you to install applications to a single device or a set of devices
  • To a particular device by navigating to the Actions tab that is seen when the required device is selected
  • By pushing a mandatory app policy with the required apps to the target devices

Silent app installation without user intervention

Silent app installation is yet another aspect that simplifies the app installation process. Organizations can easily install the required apps on work devices without waiting for user consent. Devices enrolled in Android Enterprise as device owner support silent installation. For profile owner devices, the apps added as private apps can be pushed to the devices silently.

Updating Enterprise apps

Updating Enterprise apps has become a no-brainer with Hexnode in place. You can easily replace the old APK with a new file or modify the manifest URL for upgrading the previously added app version. The updated version will automatically get added to the device if the app was installed via a mandatory app policy. Otherwise, it will need to be initiated again through any of Hexnode’s methods. Updating the required app can also be carried out by adding the higher version of the app as a new app and pushing it to the devices directly.

Store layout for customizing the Managed Play Store

Aesthetics is often a forgotten aspect when we focus too much on the more technical aspects of management. Hexnode solves this issue too. It allows you to arrange apps in pages and create clusters within these pages depending on the various departments or the purposes that these apps serve, giving them a better sense of order.

Permissions and configurations for specific apps

Setting permissions and configurations for enterprise apps before pushing them to target devices helps restrict app aspects that are not required from an enterprise standpoint, giving organizations better control over the apps on the device. For a browser, configurations range from allowing images, JavaScript, cookies etc. on sites to allowing or blocking access to a list of URLs, while permissions usually follow a yes-or-no approach, enabling or restricting aspects like location, reading contacts, recording audio etc.

Advanced restrictions for increased security

One of the prime areas of app management that can never be compromised is its security. Sometimes we unknowingly ignore certain app-specific features, which eventually create issues by emerging as sources of vulnerabilities. Hexnode’s advanced restrictions help you avoid these issues by sealing most of the sources of vulnerabilities.

Enforcing verify apps

With this option enabled, Google verifies the app content for the absence of harmful behavior before installation. This helps avoid instances of app-related security issues.

Install, uninstall and control apps

Disabling these options prevents users from controlling any app-related action like installation, uninstallation, clearing app data, clearing the cache and related aspects. This curbs data loss or device tampering from the user end, whether deliberate or accidental, thus securing enterprise data.

Install apps from unknown sources

App installation from unknown sources can act as a direct entry point for threats. It is usually recommended to disable the same for enterprise use cases as most applications can be deployed remotely through MDMs, and a need for such app installations rarely arises.
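The restrictions in this section, together with the permission controls from "Permissions and configurations for specific apps", can be checked against an exported policy before it is pushed. The following is an added example, not Hexnode's code: it assumes the policy is written as an Android Management API policy resource (the Google-managed alternative to a custom DPC mentioned earlier), so the field names are that API's rather than Hexnode console settings, and the sample policies and package name are constructed.

```python
# Permissions the article names as typical yes-or-no controls.
SENSITIVE = {"android.permission." + p
             for p in ("ACCESS_FINE_LOCATION", "READ_CONTACTS", "RECORD_AUDIO")}

def effective(value, default):
    """Unset and *_UNSPECIFIED enum values fall back to the API default."""
    return default if not value or value.endswith("_UNSPECIFIED") else value

def audit_policy(policy):
    """Return findings where the policy is weaker than the restrictions above."""
    findings = []
    adv = policy.get("advancedSecurityOverrides", {})
    # Enforcing verify apps (API default: VERIFY_APPS_ENFORCED).
    if effective(adv.get("googlePlayProtectVerifyApps"), "VERIFY_APPS_ENFORCED") != "VERIFY_APPS_ENFORCED":
        findings.append("verify-apps: left to user choice")
    # Install apps from unknown sources (API default: DISALLOW_INSTALL).
    untrusted = effective(adv.get("untrustedAppsPolicy"), "DISALLOW_INSTALL")
    if untrusted != "DISALLOW_INSTALL":
        findings.append("unknown-sources: " + untrusted)
    # Install / uninstall control: both booleans default to false.
    for field in ("installAppsDisabled", "uninstallAppsDisabled"):
        if not policy.get(field, False):
            findings.append("app-control: " + field + " not set")
    # Permissions: sensitive runtime permissions granted without a prompt.
    policy_default = effective(policy.get("defaultPermissionPolicy"), "PROMPT")
    for app in policy.get("applications", []):
        pkg = app.get("packageName", "<unknown>")
        if effective(app.get("defaultPermissionPolicy"), policy_default) == "GRANT":
            findings.append("permissions: " + pkg + " auto-grants all runtime permissions")
        for grant in app.get("permissionGrants", []):
            if grant.get("policy") == "GRANT" and grant.get("permission") in SENSITIVE:
                findings.append("permissions: " + pkg + " auto-grants " + grant["permission"])
    return findings

# Constructed sample policies (package name is a placeholder).
WEAK = {
    "advancedSecurityOverrides": {"untrustedAppsPolicy": "ALLOW_INSTALL_DEVICE_WIDE",
                                  "googlePlayProtectVerifyApps": "VERIFY_APPS_USER_CHOICE"},
    "applications": [{"packageName": "com.example.browser", "permissionGrants": [
        {"permission": "android.permission.RECORD_AUDIO", "policy": "GRANT"}]}],
}
HARDENED = {
    "installAppsDisabled": True, "uninstallAppsDisabled": True,
    "advancedSecurityOverrides": {"untrustedAppsPolicy": "UNTRUSTED_APPS_POLICY_UNSPECIFIED"},
    "applications": [{"packageName": "com.example.browser", "permissionGrants": [
        {"permission": "android.permission.RECORD_AUDIO", "policy": "DENY"}]}],
}

if __name__ == "__main__":
    print(audit_policy(WEAK), audit_policy(HARDENED))
```
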

Work container deactivation on non-compliance for app and data protection

When devices fall out of the organization’s compliance requirements, measures can protect corporate apps and data. One such implementation is the work container deactivation. When the device becomes non-compliant, the work container deactivates, and all the apps in the container will remain hidden. The container gets reactivated again once the device regains its compliance.

Elevating device management with App configurations of OEM

A handful of devices is now running our enterprises, and Android is becoming a major element among them due to its wide popularity. It is also a flexible platform, with many new device features being implemented as enterprise needs evolve. This is where EMM providers struggle with device management. With many OEM providers in place, implementing new features as per the different OEM requirements into device management solutions is not an easy process.

OEMConfig emerged as a solution to this problem. With this new Android standard called OEMConfig, device makers could easily make custom features universally supported by EMMs, putting an end to the time-consuming process of integrating different APIs from OEMs separately.

The OEMConfig process

Original equipment manufacturers (OEMs) build their own OEMConfig applications containing their APIs for OEM-specific management and host these applications on the Google Play store. As these applications are based on the Android Enterprise feature called managed configurations, they can be easily accessed by your Enterprise mobility management (EMM) provider to configure OEM-specific policies on devices and control various device aspects which are beyond the scope of their EMM solution. This allows you to easily customize the OEM-specific policies of any managed Android 5.0+ device, provided it has its OEMConfig application installed.

Well, it doesn’t end there; you can also Request Application Feedback on these managed applications and access them from the Hexnode console without any physical contact with the device. You can make use of this feature in supported apps on devices enrolled in Android Enterprise. With the help of this feedback log, you can easily identify the reasons for app failures and fix them at the earliest to ensure uninterrupted device use within the Enterprises.
Alessia Forster

Product Evangelist @ Hexnode. Take life as it comes. One day at a time.