This topic covers how to enable Google Play with the Knox SDK.

Enable Google Play inside Knox Workspace

  1. Create a Knox container.

  2. Create the EnterpriseDeviceManager and KnoxContainerManager objects.

  3. Create the ApplicationPolicy object.

  4. Use setEnableApplication to enable the following Google Play packages inside the container: com.android.vending, com.google.android.gms, com.google.android.gsf, com.google.android.gsf.login.

  5. Use addPackageToInstallWhiteList to add the Google store package as an approved installer inside the container: com.android.vending.

    EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
    KnoxContainerManager kmcm = ekm.getKnoxContainerManager(mContext, containerID);
    ApplicationPolicy appPolicy = kmcm.getApplicationPolicy();
    // ccp: the container's ContainerConfigurationPolicy, used for the installer allowlist.
    ContainerConfigurationPolicy ccp = kmcm.getContainerConfigurationPolicy();
    try {
        // Enable the Google Play packages inside the container.
        // result stays true only if every call succeeds.
        boolean result = appPolicy.setEnableApplication("com.android.vending");
        result &= appPolicy.setEnableApplication("com.google.android.gms");
        result &= appPolicy.setEnableApplication("com.google.android.gsf");
        result &= appPolicy.setEnableApplication("com.google.android.gsf.login");
        // To grant installation permission inside container.
        result &= ccp.addPackageToInstallWhiteList("com.android.vending");
        if (result) {
            Log.d(TAG, " Enabling an application package has been successful!");
        } else {
            Log.w(TAG, " Enabling an application package has failed.");
        }
    } catch (SecurityException e) {
        Log.w(TAG, "SecurityException: " + e);
    }
    

Enable Google Play for Work

Android’s Work Profile (AWP; formerly known as Android for Work) offers Play for Work as a mechanism to deploy work apps to managed profiles. IT admins can navigate to the Google Play store Admin Console and silently deploy applications on the target employee devices. You can find details here.

Prerequisites

  • EMM vendor has done server side integration for AWP as described by Android’s Work Profile.
  • EMM vendor has registered an app with AWP that is used to create and manage a Knox container.
  • EMM vendor has registered a second app with AWP that is used as proxy owner app inside the Knox Workspace container.

Implementation

  1. Create a Knox container.

  2. Use the installApplication API to install the proxy app.

  3. Use the container API setAfWProxy and provide the required app details.

    //Create the EnterpriseKnoxManager and KnoxContainerManager
    EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
    KnoxContainerManager kcm = ekm.getKnoxContainerManager(context, containerID);
    
    //Get application policy
    ApplicationPolicy appPolicy = kcm.getApplicationPolicy();
    
    //Install proxy app (the package name is passed as a string)
    appPolicy.installApplication("com.proxyapp.packagename");
    
    //Identify the proxy admin app by its package name and signature
    AppIdentity proxyAdminIdentity = new AppIdentity("com.abc.xyz", signatureBytes);
    Bundle dataBundle = new Bundle();
    dataBundle.putInt(PROXY_FLAGS, FLAG_ALLOW_PROXY_FOR_PFW);
    
    //Register the proxy app for Play for Work
    appPolicy.setAfWProxy(true, proxyAdminIdentity, dataBundle);
    

When the user signs in using the enterprise account, the Play for Work interface is populated.

This option is useful for EMM vendors that have multiple internal apps and services for each OEM. They can create a small proxy app and install it inside Knox and at the same time keep the main EMM app unaltered.

Blocking unauthorized accounts inside the Google Play store

One limitation of the current Google Play for Work is that it allows the user to add any account inside the Play store. If the user signs in with a consumer account, the consumer version of the UI is displayed; if the account is corporate, the work version of the UI is displayed. To block the user from adding an unauthorized account into the Knox container, we recommend that IT admins use container account management policies. IT admins can perform the following steps to set a blocklist or allowlist:

  1. Add all accounts inside the container to the blocklist using the addAccountsToAdditionBlackList API.

  2. Add only the authorized accounts with an allowlist.

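    • Supported account types can be retrieved from getSupportedAccountTypes(); for example, the supported Google account type is “com.google”.

    KnoxContainerManager kcm = ekm.getKnoxContainerManager(context, containerID);
    List<String> blackList = new ArrayList<>();
    blackList.add(".*@gmail.com");
    kcm.getDeviceAccountPolicy().addAccountsToAdditionBlackList("com.google", blackList);
    // whiteList: a List<String> holding only the authorized accounts
    kcm.getDeviceAccountPolicy().addAccountsToAdditionWhiteList("com.google", whiteList);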
    

This ensures that only allowed accounts can be used to sign in to Play for Work.
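Before pushing account patterns such as ".*@gmail.com" to devices, it helps to dry-run them against sample account names. The following is an added example in plain Java, not Knox SDK code and not part of the original page; it assumes that list entries are regular expressions matched against the whole account name and that an allowlist match overrides the blocklist, as the steps above imply. The class name, helper names and sample accounts are constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class AccountPolicyDryRun {
    // Assumed model, not Knox SDK code: entries are regular expressions matched
    // against the whole account name, and an allowlist match overrides the blocklist.
    static boolean matchesAny(List<String> patterns, String account) {
        for (String p : patterns) {
            if (Pattern.matches(p, account)) return true;
        }
        return false;
    }

    static boolean canAdd(List<String> blockList, List<String> allowList, String account) {
        if (matchesAny(allowList, account)) return true;
        return !matchesAny(blockList, account);
    }

    // Allowlist entry for one exact account: quoting keeps '.' from acting as a wildcard.
    static String exact(String account) {
        return Pattern.quote(account);
    }

    public static void main(String[] args) {
        List<String> blockList = Arrays.asList(".*");               // step 1: block every account
        List<String> allowList = Arrays.asList(
                exact("alice@corp.example.com"),                    // constructed sample account
                ".*@corp\\.example\\.com");                         // constructed sample domain
        List<String> loose = Arrays.asList(".*@corp.example.com");  // same domain, unescaped dots

        String[] samples = {                                        // constructed test inputs
            "alice@corp.example.com",
            "bob@gmail.com",
            "mallory@corpXexample.com",
        };
        for (String s : samples) {
            System.out.printf("%-28s strict=%-5b loose=%b%n", s,
                    canAdd(blockList, allowList, s), canAdd(blockList, loose, s));
        }
    }
}
```

The third sample is admitted only by the loose pattern, because an unescaped dot matches any character; escape dots in domain patterns and quote literal account names before adding them to the allowlist.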
