Workspace ONE Unified Endpoint Management

Gain more control over Android app updates with Workspace ONE UEM 2209

Organizations managing Android devices deploy most applications through the Managed Play Store. Controlling when these apps should update to newer versions is critical. In 2018, Workspace ONE UEM gave organizations the ability to set a global auto-update policy for all apps distributed through the Managed Play Store. However, not all applications on a device should update at the same pace. A patch that fixes critical vulnerabilities may require an immediate rollout. On the same device, updates to a business-critical third-party app may need to be postponed until the organization can test them.  

For this reason, we are excited to announce that Workspace ONE UEM 2209 supports setting a per-app Auto Update Priority for applications distributed through the Managed Play Store. This setting overrides the global policy defined in the Android Public App Auto Update Profile for a given app. By combining global and per-app policies, organizations gain unprecedented flexibility and can quickly respond to changing situations for specific apps.  

Auto Update Priority offers three settings: 

  • High Priority: App updates are installed as soon as possible after the developer publishes the new version and it has been reviewed by Google Play. 
  • Postpone: Apps will not be automatically updated for 90 days after they first became out of date on any device. If enabled continuously, this will prevent any device from updating the app more often than once every 90 days.  
  • Default: If the organization has pushed a Public App Auto Update Profile, the app follows this global policy. If no such profile is pushed, app updates follow default Play Store behavior. 

For more detailed information on these modes, please see Google’s article on managing app updates. 

Auto Update Priority for per-app behavior
Figure 1. Use Auto Update Priority to set per-app behavior for automatic updates through Managed Google Play

Administrators can set the Auto Update Priority of public Android apps while assigning them through the Workspace ONE UEM Console. For more information, please see “Deploy Application on Your Android Devices Through Managed Google Play Store.” 

Figure 2. Auto Update Priority while assigning Android Public Apps
Figure 2. Set Auto Update Priority while assigning Android Public Apps in the Workspace ONE UEM Console 

Unlocking powerful auto update controls 

Let us explore how a hypothetical organization, ACME Corp, can benefit from the Auto Update Priority feature. 

1. Ensure timely delivery of critical app updates 

For most users, ACME Corp wants applications distributed through the Managed Play Store to be updated automatically. They configure a Public App Auto Update Profile that: 

  • Allows app updates over cellular data at any time (always auto update) 
  • From 9 p.m. to 6 a.m., allows automatic app updates regardless of device state (maintenance window) 

ACME Corp has just learned of a critical security vulnerability with a browser app used to access sensitive data on internal corporate sites. A new version of the browser that addresses the vulnerability is available. ACME can set the Auto Update Priority of this app to High Priority to immediately deploy the update. ACME can later set the Auto Update Priority back to Default once the security vulnerability is addressed. 

In addition, ACME Corp develops a business-critical application and distributes it to their end users through the Managed Play Store. ACME does not want to wait for the app to update during the maintenance window in the Public App Auto Update Profile, so they also set this app to High Priority. Now, as soon as they publish a new version to the Managed Play Store, it is installed as soon as possible on their devices.  

For more details on how High Priority mode works, please see Google’s article on how to manage app updates. For best practices for using High Priority mode, see our article on this feature. 

Figure 3. High Priority Mode
Figure 3. Use High Priority mode to accelerate delivery of updates for specific apps 

2. Postpone or pause updates to specific apps 

Now, say that a third-party app vendor develops the VPN client used by ACME Corp, and the vendor announces significant changes in an upcoming version. ACME Corp wishes to test this new version before distributing it to their end users. Before the new version is released, they can set Auto Update Priority to Postpone. When that version is released and devices become out of date, a 90-day window will begin in which ACME can test changes in new versions.  

For more details on how Postpone mode works, please see Google’s article on how to manage app updates. For best practices for using Postpone mode, see our article on this feature.

Figure 4. Postpone mode to delay updates
Figure 4. Use Postpone mode to delay an upcoming update for an application

3. Allow automatic updates for some apps only 

Going further, what if some of ACME Corp’s employees operate in roles where they are subject to stringent security standards? To ensure that applications developed by third parties comply, ACME needs to test new versions before deploying them to these end users. In this case, ACME could set the global policy in the Public App Auto Update Profile to never auto update to prevent automatic updates for all Managed Play Store applications. In the past, applying this global policy may not have been feasible as it would affect apps that should update automatically, such as those developed internally or by compliant vendors. ACME can now set such a global policy while creating exceptions for apps that should update automatically by setting Auto Update Priority to High Priority or Postpone. 

Figure 5. Never auto-update
Figure 5. Combine a global policy of blocking automatic updates and Auto Update Priority to allow auto update for only certain apps

Conclusion 

These are the main use cases for Auto Update Priority, but combinations of global and per-app policies can be used to respond to many other challenges. With Workspace ONE UEM, organizations now have an even greater array of tools to effectively manage mobile applications for their Android device fleet. For more information, please see: