Deploy managed configurations

Minimally, you can create an iframe that loads managed configurations and allows IT admins to configure and push app configurations to devices. This iframe is typically hosted in an MDM console and suitable for AppConfig applications like Samsung Email. For OEMConfig applications like Knox Service Plugin, you need to support additional requirements.

Set up an MDM console

Follow Google’s Quickstart to create your own MDM console. Note that you do not need to join Google’s UEM community if you are not deploying your console commercially.

If you already have an MDM console, you can skip to the next part of the process or check Android Management API documentation.

Create an HTTPS server

To allow the iframe to load managed configurations, you need to generate a web token to include in a REST API call. This web token will only work if it has an HTTPS parent URL, meaning you need to generate your web token from an HTTPS server.

You have two options:

• If you already have an HTTPS server, you can skip to the next step.
• If you do not have an existing HTTPS server, you can quickly create a new one for development purposes using ngrok.

More details

{
  "name": string,
  "value": string,
  "permissions": [
    enum(WebTokenPermission)
  ],
  "parentFrameUrl": string
}

The string in parentFrameUrl is populated based on the server URL you are generating the token from. This URL must use HTTPS, which is why you need to generate your web token from an HTTPS server.

Generate a web token

Now that you have an HTTPS server, generate a web token that can be used to pull any app’s managed configurations XML schema from Google Play.

The sample Python script that follows shows how to generate a web token. To use it, you must install Google’s API Client Library for Python.

Fill in the following script variables:

• SERVICE_ACCOUNT_FILE – Create a service account key and name the file service_account.json. Provide the full path to that file in this variable.

• ENTERPRISE NAME – Enter the name of your enterprise. The format for the enterprise name is enterprises/enterpriseId. You can find your enterpriseId through the Google Cloud Platform dashboard.

• HOST_URL – Provide the URL of your HTTPS server.

• WEB_TOKEN_FILE – Provide the full path to a file that can be written to with web token information.

from apiclient.discovery import build
from google.oauth2 import service_account
import json

SERVICE_ACCOUNT_FILE = ""
SCOPES = ['https://www.googleapis.com/auth/androidmanagement']
ENTERPRISE_NAME = ""
HOST_URL = ""
WEB_TOKEN_FILE = ""

credentials = service_account.Credentials.from_service_account_file(SERVICE_ACCOUNT_FILE, scopes=SCOPES)
android_management = build('androidmanagement', 'v1', credentials=credentials)
web_token_instance = {
    "parentFrameUrl": HOST_URL,
    "permissions": ["APPROVE_APPS"]
}

web_token = android_management.enterprises().webTokens().create(
    parent=ENTERPRISE_NAME,
    body=web_token_instance
).execute()

#post-processing
file = open(WEB_TOKEN_FILE)
file.write(str(web_token))
print('done')

After you run this script, the file referenced by WEB_TOKEN_FILE contains your web token. Copy the web token ID from name. The token ID is embedded in the ’name’ field as highlighted below:

https://androidmanagement.googleapis.com/v1/{your_enterprise_name}/webTokens/webToken

Regenerating your web token

Your web token expires after a certain amount of time. You need to regenerate it again at that time. One possible approach is to programmatically detect a 500 error code when using an expired web token, and automatically regenerating the web token at that time.

Render an iframe

With your web token, you can now render an iframe. This iframe allows IT admins to view, modify, and save managed configurations for an app. It pulls an XML schema file from the app and renders it as an HTML form that IT admins can then interact with.

To render the iframe, you need to provide two pieces of information in the iframe URL:

• Your web token ID, generated in Step 2.

• The app’s package name, found in its manifest file or embedded in the Google Play store URL. For example:

  • Samsung Email — https://play.google.com/store/apps/details?id=com.samsung.android.email.provider&hl=en_US

  • Knox Service Plugin — https://play.google.com/store/apps/details?id=com.samsung.android.knox.kpu&hl=en_US

Put the web token ID and package name in the highlighted sections of the iframe URL as below:

https://play.google.com/managed/mcm?token=web_token_ID&packageName=app_package_name

Here is sample iframe code you can use:

<script src="https://apis.google.com/js/api.js"></script>
<div id="container" style="width: 1000px; height: 1000px"></div>
<script>
    gapi.load('gapi.iframes', function() {
    var options = {
    'url': 'https://play.google.com/managed/mcm?token=web_token&packageName=app_package_name',
    'where': document.getElementById('container'),
    'attributes': { style: 'height:1000px', scrolling: 'yes'}
    }
    var iframe = gapi.iframes.getContext().openChild(options);
    });
</script>

Listen for iframe events

You need to implement logic to handle events that are created when an IT admin interacts with the iframe’s buttons.

There are two click events to handle:

{
"mcmId": The ID of the managed configurations profile.
"name": The name of the updated or newly created managed configurations profile.
}

{
"mcmId": The ID of the managed configurations profile.
}

To handle these events, you can use JavaScript code such as the following:

iframe.register('onconfigupdated', function(event) {
    console.log(event);
}, gapi.iframes.CROSS_ORIGIN_IFRAMES_FILTER);