Back to top

Deploy managed configurations

Minimally, you can create an iframe that loads managed configurations and allows IT admins to configure and push app configurations to devices. This iframe is typically hosted in an MDM console and suitable for AppConfig applications like Samsung Email. For OEMConfig applications like Knox Service Plugin, you need to support additional requirements.

Set up an MDM console

Follow Google’s Quickstart to create your own MDM console. Note that you do not need to join Google’s UEM community if you are not deploying your console commercially.

If you already have an MDM console, you can skip to the next part of the process or check Android Management API documentation.

This developer guide focuses on using the Android Management API. If you would prefer to use the Google Play UEM API, follow the Google Play UEM API documentation. You will need to register for their UEM Community if you have not already.

Create an HTTPS server

To allow the iframe to load managed configurations, you need to generate a web token to include in a REST API call. This web token will only work if it has an HTTPS parent URL, meaning you need to generate your web token from an HTTPS server.

You have two options:

  • If you already have an HTTPS server, you can skip to the next step.
  • If you do not have an existing HTTPS server, you can quickly create a new one for development purposes using ngrok.

More details

  "name": string,
  "value": string,
  "permissions": [
  "parentFrameUrl": string

The string in parentFrameUrl is populated based on the server URL you are generating the token from. This URL must use HTTPS, which is why you need to generate your web token from an HTTPS server.

Generate a web token

Now that you have an HTTPS server, generate a web token that can be used to pull any app’s managed configurations XML schema from Google Play.

The sample Python script that follows shows how to generate a web token. To use it, you must install Google’s API Client Library for Python.

Fill in the following script variables:

  • SERVICE_ACCOUNT_FILECreate a service account key and name the file service_account.json. Provide the full path to that file in this variable.

  • ENTERPRISE NAME – Enter the name of your enterprise. The format for the enterprise name is enterprises/enterpriseId. You can find your enterpriseId through the Google Cloud Platform dashboard.

  • HOST_URL – Provide the URL of your HTTPS server.

  • WEB_TOKEN_FILE – Provide the full path to a file that can be written to with web token information.

from apiclient.discovery import build
from google.oauth2 import service_account
import json

SCOPES = ['']

credentials = service_account.Credentials.from_service_account_file(SERVICE_ACCOUNT_FILE, scopes=SCOPES)
android_management = build('androidmanagement', 'v1', credentials=credentials)
web_token_instance = {
    "parentFrameUrl": HOST_URL,
    "permissions": ["APPROVE_APPS"]

web_token =

file = open(WEB_TOKEN_FILE)

After you run this script, the file referenced by WEB_TOKEN_FILE contains your web token. Copy the web token ID from name. The token ID is embedded in the ’name’ field as highlighted below:{your_enterprise_name}/webTokens/webToken

Regenerating your web token

Your web token expires after a certain amount of time. You need to regenerate it again at that time. One possible approach is to programmatically detect a 500 error code when using an expired web token, and automatically regenerating the web token at that time.

Render an iframe

With your web token, you can now render an iframe. This iframe allows IT admins to view, modify, and save managed configurations for an app. It pulls an XML schema file from the app and renders it as an HTML form that IT admins can then interact with.

To render the iframe, you need to provide two pieces of information in the iframe URL:

  • Your web token ID, generated in Step 2.

  • The app’s package name, found in its manifest file or embedded in the Google Play store URL. For example:

    • Samsung Email —

    • Knox Service Plugin —

Put the web token ID and package name in the highlighted sections of the iframe URL as below:

Here is sample iframe code you can use:

<script src=""></script>
<div id="container" style="width: 1000px; height: 1000px"></div>
    gapi.load('gapi.iframes', function() {
    var options = {
    'url': '',
    'where': document.getElementById('container'),
    'attributes': { style: 'height:1000px', scrolling: 'yes'}
    var iframe = gapi.iframes.getContext().openChild(options);

Not all apps support managed configurations. If they do not, the iframe will load a blank page.

Listen for iframe events

You need to implement logic to handle events that are created when an IT admin interacts with the iframe’s buttons.

There are two click events to handle:

Event Description

Occurs when a user clicks the 'Save' button on the iframe and updates an existing managed configurations profile or creates a new one. This event returns an object with the following data:

"mcmId": The ID of the managed configurations profile.
"name": The name of the updated or newly created managed configurations profile.

In your event handler, define a way to create or update configuration profiles.


Occurs when a user clicks the Delete button on the iframe and deletes an existing managed configurations profile. This event returns an object with the following data:

"mcmId": The ID of the managed configurations profile.

In your event handler, define a way to delete configuration profiles.

To handle these events, you can use JavaScript code such as the following:

iframe.register('onconfigupdated', function(event) {

Is this page helpful?