Citrix Endpoint Management

Distribute Android Enterprise apps

Endpoint Management manages apps deployed to devices. You can organize and deploy the following types of Android Enterprise apps.

  • Managed app store apps: These apps include free or paid apps available in the managed Google Play Store. For example, GoToMeeting.
  • MDX: Apps prepared with the MAM SDK or wrapped with the MDX Toolkit. These apps include MDX policies. You get MDX apps from internal sources and public stores. Deploy Citrix mobile productivity apps as MDX apps.
  • Enterprise: Private apps you develop or obtain from another source. You provide these apps to your users through the managed Google Play Store. The managed Google Play Store is the Google enterprise app store.
  • MDX-enabled private apps: Enterprise apps prepared with the MAM SDK or wrapped with the MDX Toolkit.

You can add enterprise apps and MDX-enabled private apps two different ways.

  • Add the apps to the Endpoint Management console as enterprise apps, as described in the Enterprise apps and MDX-enabled private apps sections in this article.
  • Publish the apps directly to the managed Google Play Store using your Google developer account. Then add the apps to the Endpoint Management console as managed app store apps. See Managed app store apps.

If you publish apps using your Google developer account and then switch to using the Endpoint Management console, the ownership of the apps differs. You need to manage your apps in both locations, in this case. Citrix recommends adding your apps using one method or the other.

The following sections provide more in depth information for Android Enterprise app configuration. For information about distributing apps, see Add Apps. That article includes:

  • The general workflows for adding web and SaaS apps or web links
  • The required app workflow for enterprise and public store apps
  • How to delivery enterprise apps from the Citrix Content Delivery Network (CDN) for Enterprise Apps

Managed app store apps

You can add free and paid apps available on the managed Google Play Store to Citrix Endpoint Management.

Step 1: Add and configure apps

  1. In the Endpoint Management console, navigate to Configure > Apps. Click Add.

  2. Click Public App Store.

    Add managed app store app

  3. In the App Information pane, type the following information:

    • Name: Type a descriptive name for the app. The name appears under App Name on the Apps table.
    • Description: Type an optional description of the app.
    • App category: Optionally, in the list, click the category to which you want to add the app. For more information about app categories, see About app categories.
  4. Select Android Enterprise as the platform.

  5. Type the app name or package ID in the search box and click Search. You can locate the package ID in the Google Play store. The ID is in the URL of the app. For example, com.Slack is the package ID in https://play.google.com/store/apps/details?id=com.Slack&hl=en_US.

    Android Enterprise app search

  6. Apps matching the search criteria appear. Click the desired app then click Approve.

    Android Enterprise app approval

  7. Click Approve again.

  8. Select Keep approved when app requests new permissions. Click Save.

    Google Play approval settings

  9. Click the app icon and configure the app Name and Description.

    Android Enterprise app configuration

  10. Assign any delivery groups to the app and click Save. For information, see Deploy resources.

Step 2: Configure app deployment

  1. Navigate to Configure > Delivery Groups and select the delivery group you configured. Click Edit.
  2. In the Apps section, drag the desired apps to the Required Apps box. Mark the app as required
  3. On the Summary page, click Save.
  4. On the Delivery Groups page, select the delivery group and click Deploy.

MDX apps

Add MDX files to Endpoint Management and configure app details and policy settings. To configure Citrix mobile productivity apps for Android Enterprise, add them as MDX apps. For information about the app policies that are available for each device platform type, see:

Step 1: Add and configure apps

  1. For Citrix mobile productivity apps, download the public-store MDX files: Go to https://www.citrix.com/downloads. Navigate to Citrix Endpoint Management (XenMobile) > Citrix Endpoint Management Productivity Apps.

  2. For other types of MDX apps, obtain the MDX file.

  3. In the Endpoint Management console, click Configure > Apps. Click Add. The Add App dialog box appears.

    Apps configuration screen

  4. Click MDX. The MDX App Information page appears. In the App Information pane, type the following information:

    • Name: Type a descriptive name for the app. The name appears under App Name on the Apps table.
    • Description: Type an optional description of the app.
    • App category: Optionally, in the list, click the category to which you want to add the app. For more information about app categories, see About app categories.
  5. Select Android Enterprise as the platform.

  6. Click Upload and navigate to the MDX file. Android Enterprise only supports apps wrapped with the MDX Toolkit. Do not wrap apps using the MDX Service.

    • The UI notifies you if the attached application requires approval from the managed Google Play Store. To approve the application without leaving the Citrix Endpoint Management console, click Yes.

      Add an MDX app

      After the managed Google Play Store opens, follow the instructions to approve and save the app.

      Approve an MDX app

      When you successfully add the app, the App details page appears.

  7. Configure these settings:

    • File name: Type the file name associated with the app.
    • App Description: Type a description for the app.
    • App version: Optionally, type the app version number.
    • Package ID: Type the package ID for the app, obtained from the managed Google Play Store.
    • Minimum OS version: Optionally, type the oldest operating system version that the device can run to use the app.
    • Maximum OS version: Optionally, type the most recent operating system that the device must run to use the app.
    • Excluded devices: Optionally, type the manufacturer or models of devices that cannot run the app.
  8. Configure the MDX Policies. MDX policies vary by platform and include options for policy areas, including Authentication, Device Security, and App Restrictions. In the console, each of the policies has a tooltip that describes the policy. For information about the app policies that are available for each device platform type, see:

  9. Configure the deployment rules and store configuration.

  10. Assign any delivery groups to the app and click Save. For information, see Deploy resources.

Step 2: Configure app deployment

  1. Navigate to Configure > Delivery Groups and select the delivery group you configured. Click Edit.

  2. In the Apps section, drag the desired apps to the Required Apps box.

    Mark the app as required

  3. On the Summary page, click Save.

  4. On the Delivery Groups page, select the delivery group and click Deploy.

Enterprise apps

Enterprise apps represent private apps that are not prepared with the MAM SDK or MDX Toolkit. You develop these apps yourself or obtain them directly from other sources. To add an enterprise app, you need the APK file associated with the app. Ensure that you follow Google Best practices for private apps.

Step 1: Add and configure apps

Add the app one of two ways:

  • Publish the app directly to the managed Google Play Store and add it to the Endpoint Management console as a Managed play store app. Follow the Google documentation on how to Publish private apps, and then follow the steps in the Managed app store apps section.
  • Add the app to the Endpoint Management console as an enterprise app. Perform the following steps:
  1. In the Endpoint Management console, click Configure > Apps. Click Add. The Add App dialog box appears.

    Apps configuration screen

  2. Click Enterprise. In the App Information pane, type the following information:

    • Name: Type a descriptive name for the app. This name is listed under App Name on the Apps table.
    • Description: Type an optional description of the app.
    • App category: Optionally, in the list, click the category to which you want to add the app. For more information about app categories, see About app categories.
  3. Select Android Enterprise as the platform.

  4. The Upload button opens the managed Google Play Store. You do not need to register for a developer account to publish a private app. Click the Plus icon in the lower right corner to continue.

    Upload private apps

    1. Type the name for your app and upload the .apk file. When finished, click Create. It might take up to 10 minutes for your private app to publish.

      Add an apk file

    2. Enter an email address to get updates about your apps.

      Add an email address

    3. After your application is published, click a private app’s icon. If you want to add an app description, change the app icon, and other actions, click Make advanced edits. Otherwise, click Select to open the app information page.

      Publish enterprise apps

  5. Click Next. The app information page for the platform appears.

  6. Configure the settings for the platform type, such as:

    • File name: Optionally, type a new name for the app.
    • App description: Optionally, type a new description for the app.
    • App version: You can’t change this field.
    • Package ID: Unique identifier of your app.
    • Minimum OS version: Optionally, type the oldest operating system version that the device can run to use the app.
    • Maximum OS version: Optionally, type the most recent operating system that the device must run to use the app.
    • Excluded devices: Optionally, type the manufacturer or models of devices that cannot run the app.
  7. Configure the deployment rules and store configuration.

  8. Assign any delivery groups to the app and click Save. For information, see Deploy resources.

Step 2: Configure app deployment

  1. Navigate to Configure > Delivery Groups and select the delivery group you configured. Click Edit.

  2. In the Apps section, drag the desired apps to the Required Apps box.

    Mark the app as required

  3. On the Summary page, click Save.

  4. On the Delivery Groups page, select the delivery group and click Deploy.

MDX-enabled private apps

To add Android Enterprise apps as MDX-enabled enterprise apps, create a private Android Enterprise app, MDX-enable the app, and add the resulting MDX files to Endpoint Management.

  • Host and publish apps on the managed Google Play Store
  • Add Android Enterprise apps to the Endpoint Management console as Enterprise apps

If you decide to host and publish apps through the Google Play Store, don’t opt in for Google certificate signing. Sign the app with the same certificate used to MDX-enable the app. For more information on publishing apps, see Google documentation on Publishing your app and Signing your app. The MAM SDK doesn’t wrap apps, so it doesn’t require a certificate other than the one used to develop the app.

For more information about publishing private apps through the Google Play Console, see the Google documentation on how to Publish private apps from the Play Console.

To publish an app through Endpoint Management, see the following sections.

Prepare a private Android Enterprise app

When you create a private Android Enterprise app, ensure that you follow Google Best practices for private apps.

After you create a private Android Enterprise app:

  • Integrate the MAM SDK with the app or wrap the app by using the MDX Toolkit. The MDX Service is not supported for wrapping private Android Enterprise apps.
  • Then, add the resulting files to Endpoint Management.

You can update the app by uploading an updated.apk file. The following steps cover app wrapping with the MDX Toolkit.

  1. Create your private Android Enterprise app and generate a signed .apk file.

  2. The following sample file contains all known policies, some of which may not be applicable for your environment. Any unusable settings are ignored. Create an XML file with the following parameters:

    <?xml version="1.0" encoding="UTF-8"?>
    <MobileAppPolicies>
        <PolicySchemaVersion>
            1.0
        </PolicySchemaVersion>
        <Policies>
            <DevicePasscode>false</DevicePasscode>
            <AppPasscode>false</AppPasscode>
            <MaxOfflinePeriod>72</MaxOfflinePeriod>
            <StepupAuthAddress/>
            <RequireUserEntropy>false</RequireUserEntropy>
            <BlockRootedDevices>true</BlockRootedDevices>
            <BlockDebuggerAccess>false</BlockDebuggerAccess>
            <RequireDeviceLock>false</RequireDeviceLock>
            <RequireDeviceEncryption>false</RequireDeviceEncryption>
            <WifiOnly>false</WifiOnly>
            <RequireInternalNetwork>false</RequireInternalNetwork>
            <InternalWifiNetworks/>
            <AllowedWifiNetworks/>
            <UpgradeGracePeriod>168</UpgradeGracePeriod>
            <WipeDataOnAppLock>false</WipeDataOnAppLock>
            <ActivePollPeriod>60</ActivePollPeriod>
            <EncryptionKeys>Offline</EncryptionKeys>
            <PrivateFileEncryptionEnum>Disabled</PrivateFileEncryptionEnum>
            <PrivateFileEncryptionExcludeList/>
            <PublicFileAccessLimitsList/>
            <PublicFileEncryptionEnum>Disabled</PublicFileEncryptionEnum>
            <PublicFileEncryptionExcludeList/>
            <PublicFileEncryptionMigrationEnum>Disabled</PublicFileEncryptionMigrationEnum>
            <CutAndCopy>Unrestricted</CutAndCopy>
            <Paste>Unrestricted</Paste>
            <DocumentExchange>Unrestricted</DocumentExchange>
            <OpenInExclusionList/>
            <InboundDocumentExchange>Unrestricted</InboundDocumentExchange>
            <InboundDocumentExchangeWhitelist/>
            <connectionSecurityLevel>TLS</connectionSecurityLevel>
            <DisableCamera>false</DisableCamera>
            <DisableGallery>false</DisableGallery>
            <DisableMicrophone>false</DisableMicrophone>
            <DisableLocation>false</DisableLocation>
            <DisableSms>false</DisableSms>
            <DisableScreenCapture>false</DisableScreenCapture>
            <DisableSensor>false</DisableSensor>
            <DisableNFC>false</DisableNFC>
            <BlockLogs>false</BlockLogs>
            <DisablePrinting>false</DisablePrinting>
            <MvpnNetworkAccess>MvpnNetworkAccessUnrestricted</MvpnNetworkAccess>
            <MvpnSessionRequired>False</MvpnSessionRequired>
            <NetworkAccess>NetworkAccessUnrestricted</NetworkAccess>
            <DisableLocalhostConnections>false</DisableLocalhostConnections>
            <CertificateLabel/>
            <DefaultLoggerOutput>file,console</DefaultLoggerOutput>
            <DefaultLoggerLevel>15</DefaultLoggerLevel>
            <MaxLogFiles>2</MaxLogFiles>
            <MaxLogFileSize>2</MaxLogFileSize>
            <RedirectSystemLogs>false</RedirectSystemLogs>
            <EncryptLogs>false</EncryptLogs>
            <GeofenceLongitude>0</GeofenceLongitude>
            <GeofenceLatitude>0</GeofenceLatitude>
            <GeofenceRadius>0</GeofenceRadius>
            <EnableGoogleAnalytics>false</EnableGoogleAnalytics>
            <Authentication>OfflineAccessOnly</Authentication>
            <ReauthenticationPeriod>480</ReauthenticationPeriod>
            <AuthFailuresBeforeLock>5</AuthFailuresBeforeLock>
            <EncryptionVersionEnum>2</EncryptionVersionEnum>
        </Policies>
    </MobileAppPolicies>
    
  3. Wrap the app using the MDX Toolkit. For information about using the MDX Toolkit, see Wrapping Android mobile apps.

    If you MDX-wrap the app, set the apptype parameter to Premium. Use the XML file from the previous step in the command described next.

    If you know the store URL for the app, set the storeURL parameter to the store URL. Users download the app from the store URL after you publish the app.

    Here is an example of an MDX Toolkit command used to wrap an app called SampleAEapp:

    ```
     java -Dfile.encoding=UTF-8 -Duser.country=US -Duser.language=en -Duser.variant
     -jar /Applications/Citrix/MDXToolkit/ManagedAppUtility.jar wrap
     -in ~/Desktop/AEAppFiles/SampleAEApp-input.apk
     -out ~/Desktop/AEAppFiles/SampleAEApp.mdx
     -MinPlatform 5.0
     -keystore /MyKeystore
     -storepass mystorepwd123
     -keyalias key0
     -keypass mykeypwd123
     -storeURL “https://play.google.com/store/apps/details?id=SampleAEappPackage”
     -appType Premium
     -premiumMdxPolicies <Path to Premium policy XML>
    ```
    

    Wrapping the app generates a wrapped .apk file and a .mdx file.

Add the wrapped .apk file

Add the app one of two ways:

  • Publish the app directly to the managed Google Play Store and add it to the Endpoint Management console as a Managed play store app. Follow the Google documentation on how to Publish private apps, and then follow the steps in the Managed app store apps section.
  • Add the app to the Endpoint Management console as an enterprise app. Perform the following steps:
  1. In the Endpoint Management console, click Configure > Apps. The Apps page opens.

  2. Click Add. The Add App dialog box appears.

    Apps configuration screen

  3. Click Enterprise. In the App Information pane, type the following information:

    • Name: Type a descriptive name for the app. This name is listed under App Name on the Apps table.
    • Description: Type an optional description of the app.
    • App category: Optionally, in the list, click the category to which you want to add the app. For more information about app categories, see About app categories.
  4. Select Android Enterprise as the platform.

  5. The Upload button opens the managed Google Play Store. You do not need to register for a developer account to publish a private app. Click the Plus icon in the lower right corner to continue.

    Upload private apps

    1. Type the name for your app and upload the .apk file. When finished, click Create. It might take up to 10 minutes for your private app to publish.

      Add an apk file

    2. Enter an email address to get updates about your apps.

      Add an email address

    3. After your application is published, click a private app’s icon and click Select to open the app information page.

      Publish enterprise apps

  6. Click Next. The app information page for the platform appears.

  7. Configure the settings for the platform type, such as:

    • File name: Optionally, type a new name for the app.
    • App description: Optionally, type a new description for the app.
    • App version: You can’t change this field.
    • Package ID: Unique identifier of your app.
    • Minimum OS version: Optionally, type the oldest operating system version that the device can run to use the app.
    • Maximum OS version: Optionally, type the most recent operating system that the device must run to use the app.
    • Excluded devices: Optionally, type the manufacturer or models of devices that cannot run the app.
  8. Configure the deployment rules and store configuration.

  9. In the Android Enterprise Enterprise App page, click Next. The Approvals page appears.

    To use workflows to require approval before allowing users to access the app, see Apply workflows. If you don’t need an approval workflow, you can skip to Step 13.

  10. Click Next.

  11. The Delivery Group Assignment page appears. No action is needed on this page. You configure the delivery groups and deployment schedule for this app when you add the .mdx file. Click Save.

Optional: Add or change the store URL

If you didn’t know the store URL when you wrapped the app, add the store URL now.

  1. View the app in the managed Google Play Store. When you select the app, the store URL appears in the address bar of your browser. Copy the package name of the app from the URL form. For example: https://play.google.com/store/apps/details?id=SampleAEappPackage. The URL you copy may begin with https://play.google.com/work/. Ensure that you change work to store.

  2. Use the MDX Toolkit to add the store URL to the .mdx file:

    java -jar /Applications/Citrix/MDXToolkit/ManagedAppUtility.jar \
    setinfo \
    -in ~/Desktop/SampleApps/Sample.mdx \
    -out ~/Desktop/SampleApps/wrapped/Sample.mdx \
    -storeURL \
    “https://play.google.com/store/apps/details?id=SampleAEappPackage”
    

Add the .mdx file

  1. In the Endpoint Management console, click Configure > Apps. Click Add. The Add App dialog box appears.

    Apps configuration screen

  2. Click MDX. The MDX App Information page appears. In the App Information pane, type the following information:

    • Name: Type a descriptive name for the app. The name appears under App Name on the Apps table.
    • Description: Type an optional description of the app.
    • App category: Optionally, in the list, click the category to which you want to add the app. For more information about app categories, see About app categories.
  3. Select Android Enterprise as the platform.

  4. Click Upload and navigate to the MDX file. Android Enterprise only supports apps wrapped with the MDX Toolkit. Do not wrap apps using the MDX Service.

    • The UI notifies you if the attached application requires approval from the managed Google Play Store. To approve the application without leaving the Citrix Endpoint Management console, click Yes.

      Add an MDX app

      After the managed Google Play Store opens, follow the instructions to approve and save the app.

      Approve an MDX app

      When you successfully add the app, the App details page appears.

  5. Configure these settings:

    • File name: Type the file name associated with the app.
    • App Description: Type a description for the app.
    • App version: Optionally, type the app version number.
    • Package ID: Type the package ID for the app, obtained from the managed Google Play Store.
    • Minimum OS version: Optionally, type the oldest operating system version that the device can run to use the app.
    • Maximum OS version: Optionally, type the most recent operating system that the device must run to use the app.
    • Excluded devices: Optionally, type the manufacturer or models of devices that cannot run the app.
  6. Configure the MDX Policies. MDX policies vary by platform and include options for policy areas, including Authentication, Device Security, and App Restrictions. In the console, each of the policies has a tooltip that describes the policy. For information about the app policies that are available for each device platform type, see:

  7. Configure the deployment rules and store configuration.

    The Deploy for always-on connection applies when you have configured the scheduling background deployment key in Settings > Server Properties.

    The always-on option:

    • Is not available for iOS devices
    • Is not available for Android, Android Enterprise, and Chrome OS customers who began using Endpoint Management with version 10.18.19 or later
    • Is not recommended for Android, Android Enterprise, and Chrome OS customers who began using Endpoint Management before version 10.18.19

    The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always-on connection.

  8. Assign any delivery groups to the app and click Save. For information, see Deploy resources.

Update the app

To update the Android Enterprise app, wrap and upload an updated .apk file:

  1. Wrap the .apk file for the updated app using the MAM SDK or MDX Toolkit.

  2. In the Endpoint Management console, click Configure > Apps. The Apps page opens.

  3. Click Add. The Add App dialog box appears.

  4. Click Enterprise.

  5. On the Enterprise pane, select Android Enterprise only.

  6. On the App Information pane, type a name in the Name field. The other fields are not required.

  7. Click Next. The Android Enterprise Enterprise App page appears.

  8. Click Upload.

  9. In the managed Google Play Store page, select the app you want to update.

  10. In the app information page, click edit next to the .apk file name.

  11. Navigate to the new .apk file and upload it.

  12. In the managed Google Play Store page, click Save.

Distribute Android Enterprise apps