Android Application Management in MDM

Topic

This article discusses how to manage applications for Android devices in NinjaOne Mobile Device Management (MDM).

Environment

NinjaOne Mobile Device Management (MDM)

Description

NinjaOne lets technicians use a mobile device management (MDM) policy to manage the addition and behavior of Android applications on managed devices.

Upon provisioning company-owned Android Enterprise devices (those configured as "work" in the Add Device flow), NinjaOne deactivates system applications during the provisioning process, rendering the device blank and ready for corporate management.

NinjaOne lets you activate or block system applications. Refer to the Add an Application section of this article for more information.

Select a topic to continue.

Application Management
Kiosk Settings
Advanced Settings
Add an Application
Configure or Edit Application Restrictions and Settings
Application Assignment Types
Managed Configurations
Remove an Application
Additional Resources

Application Management

Follow these steps to navigate to your policy's configuration options:

In NinjaOne, navigate to Administration → Policies → MDM Policies, then select an Android policy from the list.

**Figure 1**: Administration → Policies → MDM policies (click to enlarge)

The policy's configuration page will open. Click Applications. The menu will expand to show three configuration page links:

**Figure 2**: Applications settings (click to enlarge)

Management Settings

In the Applications drop-down menu, click Management to access application management configuration options.

**Figure 3**: Applications → Management (click to enlarge)

Here, you can configure the following settings:

Setting	Description
Default permission policy	Set a default NinjaOne policy to manage these applications. This option applies globally to all installed applications. More granular, per-app permissions management is available within the app settings.
Play store mode	There are two Play Store modes: Allowlist: Only approved apps will be displayed in the Google Play Store. No other apps will display or be searchable. Blocklist: The Google Play Store displays all apps except those explicitly blocked through the policy.
Untrusted apps policy	Define whether users can sideload applications onto the device via the web, file transfer, or developer options.
Content protection policy	Activate content protection, which prohibits users from sharing content from the device through electronic means or output devices.
Native multi-app kiosk launcher	Activate or deactivate the Kiosk Settings tab. Refer to the Kiosk Settings section of this article for more information.
Configure always-on VPN package	Define an app package name that the Android OS will consider the launch virtual private network (VPN) package and ensure it runs as the always-on VPN app.
Block network access if VPN disconnects	Block network access through WiFi or cellular signal if the VPN is no longer present.
Managed applications	Add managed applications and edit their settings as needed. Refer to the Add an Application section of this article.
Managed Applications	Select specific applications to be automatically installed or blocked, or made optionally available to users, when the mobile device becomes NinjaOne-managed. Refer to the Managed Applications section of this article for more information.

Managed Applications

The Managed Applications table lets you select specific applications to be automatically installed or blocked, or made optionally available to users on a NinjaOne-managed Android device. Apps that you add will appear in this table.

APKFiles_NewManagedApps screen.png — **Figure 4**: The Managed Applications table (click to enlarge)

Managed Applications Table Columns

The Managed Applications table shows data about each app in a series of data columns. You can add or remove columns by clicking the gear icon. You can also rearrange columns by dragging them up and down in the stack.

Kiosk Settings

The multi-app kiosk launcher dedicates devices to run a specific set of apps so they can function as single-purpose kiosks (such as information terminals, point-of-sale pads, or digital signs). Refer to Android Kiosk Documentation (external link) to learn more about Android kiosk mode.

Activating Kiosk Options

You must activate the native multi-app kiosk launcher before configuring kiosk settings.

On the Android policy's configuration page, click Applications, then select Management from the drop-down menu and activate the Native multi-app kiosk launcher toggle.

**Figure 5**: The kiosk launcher toggle (click to enlarge)

Editing Kiosk Settings

On the Android Mobile Policy's Applications page, click Kiosk settings, then configure the settings to your requirements.

**Figure 6**: Kiosk settings (click to enlarge)

Kiosk Settings Explained

Refer to the table below for an explanation of each kiosk setting.

Setting	Description
Power button	Allow or block the long-press button behavior in kiosk mode.
System error warnings	Activate or hide system error warnings. Unresponsive apps will automatically close.
System navigation	Activate or block navigation buttons such as Home or Overview.
Status bar	Activate or deactivate system info and notifications in kiosk mode. System navigation settings will affect the ability to activate this setting.
Device settings	Allow or block a user's access to the device's Settings app in kiosk mode.

Advanced Settings

The Advanced tab allows you to configure persistent preferred activities, which are rules that determine which apps the managed devices will employ when users perform specific actions.

Configuring Persistent Preferred Activities

On the Android policy's configuration page, navigate to Applications → Advanced and click Add activity.

**Figure 7**: Applications → Advanced (click to enlarge)

In the Add activity window, enter the following information:

Option	Description
Configuration name	Assign a descriptive name to the configuration.
Activity	Enter the application activity to use for the following actions and categories. Refer to the app developer for supported activities.
Select an action	Choose an action from the drop-down menu. The action options include the intent filter and the app packages.
Select a category	Choose an action category from the drop-down menu.

Add an Application

This section explains how to add Google Play Store, system, custom, and private applications.

Special Considerations

Remember these considerations when adding applications.

Users without update permissions in the Android MDM Policy cannot add, edit, or remove Android applications. Refer to our NinjaOne Mobile Device Management (MDM): Android Policy Management article for more information on assigning user permissions.
The Privacy Badger browser extension and similar extensions may block cookies, which could prevent Google Play from displaying in the NinjaOne console.

In NinjaOne, navigate to Administration → Policies, then choose an Android Mobile policy from the MDM policies list.

**Figure 8**: Administration → Policies → MDM policies (click to enlarge)

On the policy configuration page, click Management → Add Apps and select whether you want to add an application from the Google Play Store, add a system app, or upload a custom app via APK file.

**Figure 9**: Management → Add apps (click to enlarge)

Add Apps from the Google Play Store

You can add any apps available on the Google Play Store.

On the Android policy's configuration page, click Management → Add Apps and select Play Store from the drop-down menu. The Add New Package menu will open.
Select the Android connection (Enterprise account) from the drop-down menu. If you are creating a new Android connection, refer to MDM: Enable the Android Enterprise Device Management.
Find the application by scrolling or searching, then click the application name.

**Figure 10**: The Add New Package window (click to enlarge)

Click Select to add the application to the device policy. NinjaOne will show the app, along with its details and assignment type, in the Managed Applications table's Installed applications column. The assignment defaults to Preinstalled. Follow the steps in the Configure or Edit Application Restrictions and Settings section below to change default assignment types.

**Figure 11**: Adding the app from the Google Play Store (click to enlarge)

Add System Apps

You may want to install additional apps as system apps on managed Android devices.

On the policy configuration page, click Management → Add Apps and select System app from the drop-down menu.

**Figure 12**: Adding the app from the Google Play Store (click to enlarge)

In the Add system app window, enter the following information:

Option	Description
Package name	Enter the exact package name that the policy will manage. You can find the Android package name in the Google Play Store URL by using the Share function on the app page, via Android debug bridge (ADB) commands, or by using a third-party package name viewer app.
Assignment type	Specify how NinjaOne should deliver the app to managed devices. Refer to the Application Assignment Types section for a description of each type.
Name	Enter an optional display name, which will appear in the Android policy's Applications list.
Publisher	Enter an optional publisher name, which will appear in the Android policy's Applications list.

Add Private Apps

NinjaOne will only deploy private apps to the devices that share the Android Connection name. We recommend using a separate policy to segment connections from other devices that should not have access.

Private App Considerations

The Google Play iframe has a size limitation in line with the Google Play Developer Console for Android package kit (APK) files. Avoid uploading files in excess of 100 MB. Larger apps should be uploaded as AAB files in the Developer Console and not through the iframe as an APK.
Organizations should leverage external resources and on-demand payloads where possible (for example, any large app or game that alerts you upon launch that it has more to download). These resources provide a better user experience and reduce network failures, as they can be stopped and started as needed.

The Android Connection column in Managed Applications will be updated when you add a private app.

Click Add Apps and select Play Store.
Select the Android connection (Enterprise account) from the drop-down menu. If you need to create a new Android connection, refer to MDM: Enable the Android Enterprise Device Management.
Place your cursor over the navigation pane and click Private Apps.

**Figure 13**: Adding a private app from the Google Play Store (click to enlarge)

Click the + icon and follow the prompts to upload your private apps.

Add Custom App APKs

NinjaOne MDM supports uploading custom apps via Android package kit (APK) files

On the policy's configuration page, navigate to Management → Managed Applications.
Click Add apps, then select Upload application from the drop-down menu.

APKFiles_NewMain Screen.png — **Figure 14**: Management → Add Apps → Upload application (click to enlarge)

The Upload application window will open. Configure the following settings:

Option	Description
Android connection	This optional field lets you specify the Android Enterprise connections that should receive the APK installation. Only the technicians attached to the connection specified will be able to view and manage the app. Leave this field blank to allow APK installation to your full Android MDM ecosystem.
Allow user uninstall	Decide if the device end user is able to uninstall the app.
Upload an application	Click this button, then navigate to the APK file's location to upload it to NinjaOne.
Name	Enter an optional display name, which will appear in the Android policy's Applications list.
Publisher	Enter an optional publisher name, which will appear in the Android policy's Applications list.
Default permission policy	Select the required behavior when the app requests user permission: Prompt: The device will ask the user if the app should allow or deny the permission. Grant: The device automatically approves the permission request. Deny: The device automatically denies the permission request.
Delegated scope access grants	Android apps can have additional delegation scopes, letting applications install certificates, access managed configurations, block uninstallation, activate system apps, and more. Use the drop-down menu to select from the following: Certificate installation and management Managed configurations management Blocking uninstallation Permission policy and permission grant state Package access state Enabling system apps

Add Web Apps

Web apps are apps that are maintained online and displayed in a web browser. NinjaOne MDM points to the application website.

On the Android policy's configuration page, click Management → Add Apps and select Play Store from the drop-down menu. The Add New Package menu will open.
Select the Android connection (Enterprise account) from the drop-down menu. If you need to create a new Android connection, refer to MDM: Enable the Android Enterprise Device Management.
Place your cursor over the navigation pane and click Web Apps.

**Figure 15**: Adding a web app (click to enlarge)

Click the + icon and follow the prompts to upload your private apps. Refer to Create web apps - Android Enterprise Help and Android Management API: Google for Developers (external links) for more information about this process from Google.

Configure or Edit Application Restrictions and Settings

Technicians can edit the applications installed at the policy level to override default settings for each application.

On the Android policy's configuration page, click Applications, then select one or more applications from the Managed Applications list.

**Figure 16**: Managed Applications → Edit (click to enlarge)

The Edit applications policy window will open. In this tab, you can configure the following options:

Setting	Description
Enabled	Control app use on the device with this toggle: Activate the Enabled toggle to prevent the app from being used on the device. Deactivate the Enabled toggle to allow the app to be used on the device.
Assignment type	Specify how NinjaOne should deliver the app to managed devices. Refer to the Application Assignment Types section for a description of each type.
Default permission policy	Set the default policy for permissions. You can choose from the following settings: Permission Policy Unspecified Prompt Grant Deny
Connected work and personal app	Allow or disallow work apps and personal apps to share data. You can choose from the following settings: Unspecified Disallowed Allowed
Auto update mode	Control automatic update behavior. You can choose from the following settings: Unspecified Default Postponed High Priority
Allow force stop and clear data	Allow or restrict a user from force-stopping an app and clearing the cache. This option requires Android 11 or later.
Application track for installation	Select available closed-track app versions within Google Play. If an app developer supports application tracks and the app has been shared with the customer's connection ID, NinjaOne will show these versions of the app here. This setting will only change versions on a device when a newer version code is available than what is already installed.
Per app permission overrides	Select a permission from the drop-down menu to allow granular permission control. Each app provides its own declared permissions and will have a different list of available overrides.
Overrides	Each selection made from the Per app permission overrides drop-down menu will display here. These overrides will bypass any global permission settings. When you add an override, a new drop-down menu will display. You can allow, deny, or prompt access to the permission. Click the X icon to remove the override.
Delegated scope overrides	Android apps can have additional delegation scopes, letting applications install certificates, access managed configurations, block uninstallation, activate system apps, and more. Use the drop-down menu to select from the following: Certificate installation and management Managed configurations management Blocking uninstallation Permission policy and permission grant state Package access state Enabling system apps

Application Assignment Types

You can configure application assignment types when editing an application that has been added in a policy. Choose from the following assignment types:

Assignment Type	Description
Unspecified	Unspecified assignments will default to Available. This assignment type is not available for system apps.
Preinstalled	NinjaOne automatically installs the app, and the user can remove it.
Force Installed	When set, the application will ignore any constraints or windows for installation and install as soon as possible. The user cannot remove the app. Removing the policy will also remove the app from the device.
Blocked	Restrict the user from using or installing the selected app. If the app is already installed, this setting will uninstall it. If a system app is blocked, NinjaOne will deactivate it on the device.
Available	NInjaOne makes the application available for the user to install from the managed Google Play Store. NinjaOne will not install the app automatically; the user must select it. This assignment type is not available for system apps.
Required for Setup	NinjaOne automatically installs the app, and the user cannot remove it. The device cannot complete device setup until the application is installed and configured. This assignment type is not available for system apps.
Single app Kiosk	NinjaOne automatically installs the app in kiosk mode and sets it as preferred and allowlisted for lock task mode. The device cannot complete device setup until the application is installed After installation, users cannot remove the app. You can select this assignment type for only one application per policy. When this assignment type is present in the policy, the status bar will be automatically deactivated.

Managed Configurations

In the Managed configurations tab, you can further modify the application, if available.

On the Android policy's configuration page, click Management, then select an app from the Managed Applications list. The Edit applications policy window will open.

**Figure 17**: Management → Select app → Edit (click to enlarge)

Click the Managed configurations tab. If this tab is not present, the app does not support managed configurations. The data provided in this tab depends on the application. For example, Microsoft Teams allows you to configure which user accounts can log in and whether a password is required, whereas Google Chrome lets you configure the domain name system (DNS) queries and cache control.
In the Android Connection drop-down menu, select your enterprise account. Refer to our Enable Android Enterprise Device Management article for information on creating a new Android connection.

**Figure 18**: Edit application policy options (click to enlarge)

Supported Variables

NinjaOne supports the following variables for managed app configuration:

Variable	Description
${device.location.name}	The device's assigned location name value
${device.location.id}	The device's assigned location ID value
${device.organization.name}	The device's organization's name value
${device.organization.id}	The device's organization's ID value
${device.serialNumber}	The device's serial number value
${device.id}	The device's GUID value (unique identifier)
${device.owner.email}	The device's assigned user email address value
${device.owner.firstName}	The device's assigned user's first name value
${device.owner.lastName}	The device's assigned user's last name value
${device.owner.displayName}	The device's assigned user's display name value

Remove an Application

Follow these steps to remove applications from NinjaOne MDM management.

On the Android policy's configuration page, click Applications.
Select one or more applications from the Managed Applications list, then activate the checkboxes for the apps you wish to remove and click Remove.

**Figure 19**: Managed Applications → Remove (click to enlarge)

Additional Resources

Refer to the following resources to learn more about working with Android policies:

Android Policy Management
MDM: Enable the Android Enterprise Device Management
Create web apps - Android Enterprise Help (external link)
Android Management API: Google for Developers (external link)