Internal apps are company-specific apps developed by your organization that you might not necessarily want to be searchable in the public app store, but you want your users to have access to this application from their device.

There are two options for deploying internal applications:
  • Add it to Google Play as a private application. These applications are added as public applications in the Workspace ONE UEM console after publishing in Google Play.
  • Host the application .apk file as a local file. For Android 6.0+ devices only.

If you are deploying internal apps on Android Work profile devices, add internal apps to Managed Google Play Store so that they are available to the Android-specific users. Upload your application by logging into the Google Play Developer Console with your enterprise credentials. There is an option to enable, Restrict Distribution, which only allows users of your domain to view this application on Managed Google Play Store (the badged play store). Once you have added your internal application to the developer console, these apps are treated as public applications.

Note: There are a few changes to Corporate Owned Personally Enabled (COPE) in Android 11. For more information, see Changes to Corporate Owned Personally Enabled (COPE) in Android 11.
  • Internal applications that are hosted by Workspace ONE UEM can no longer be pushed on the personal side of the device. Both internal apps that are pushed as private apps and public apps must be deployed to the work profile only.
  • Any other functionality such as Compliance Rules that rely on the internal application is no longer supported.

Add Assignments and Exclusions to your Android Applications

Adding assignments and exlusions provides you flexible deployment process and let's you schedule multiple deployment scenarios for a single application. After you approve the application from the Google Play Store, you will be redirected to the Workspace ONE UEM console to assign the applications to smart groups on the assignment tab. You can add a single assignment or multiple assignments to control your application deployment and prioritize the importance of the assignment by moving its place in the list up for most important or down for least important. Also,you can also exclude groups from receiving the assignment.

  1. Navigate to Resources > Apps > Native > Internal or Public.
  2. Upload an application and select Save & Assign or select the application and select Assign from the actions menu.
  3. On the Assignments tab, select Add Assignment and complete the following options.
    1. In the Distribution tab, enter the following information:
      Setting Description
      Name Enter the assignment name.
      Description Enter the assignment description.
      Assignment Groups Enter a smart group name to select the groups of devices to receive the assignment.
      Deployment Begins On Deployment Begins On is available only for internal applications.Set a day of the month and a time of day for the deployment to start.

      For successful deployment consider traffic patterns of your network before you set a beginning date with bandwidth.

      App Delivery Method
      • On Demand – Deploys content to a catalog or other deployment agent and lets the device user decide if and when to install the content.

        This option is the best choice for content that is not critical to the organization. Allowing users to download the content when they want helps conserve the bandwidth and limits unnecessary traffic.

      • Automatic – Deploys content to a catalog or other deployment Hub on a device upon enrollment. After the device enrolls, the system prompts users to install the content on their devices.

        This option is the best choice for content that is critical to your organization and its mobile users

    2. In the Restrictions tab, enter the following information:
      Settings Descrption
      Managed Access Enable adaptive management to set Workspace ONE UEM to manage the device so that the device can access the application.

      Workspace ONE controls this feature and is not supported by the AirWatch Catalog.

    3. In the Tunnel tab, enter the following information:
      Setting Description
      Android Legacy Select the Per-App VPN Profile you like to use for the application and configure a VPN at the application level.
    4. In the Application Configurations tab, activate the following setting.
      Setting Description
      Send Configuration Send application configurations to devices.
  4. Select Create.

    Few important points regarding application configuration:

    • The app assignment for pre-existing apps must be modified. A new assignment may be required if a custom configuration was previously included.
    • When new versions of the app are uploaded to the console, the available configurations are automatically updated.
    • To modify a configuration, edit the assignment and make the changes to the application configuration. Save and Publish the app again.
    • To receive the managed application configuration for the internal applications, the devices require Workspace ONE Intelligent Hub 22.04 or later.
  5. Select Add Assignment to add new app assignments for your application.
  6. Configure flexible deployment settings for your application by editing the schedules and priority for your deployments. Options that are displayed on this window are platform-specific.
    1. Setting Description
      Copy From the ellipses-vertical, you can click copy if you choose to duplicate the assignment configurations.
      Delete From the ellipses-vertical, you can delete to remove the selected assignment from the application deployment.

      You can modify the priority of the assignment you configured from the drop-down menu while placing the selected assignment in the list of assignments. Priority 0 is the most important assignment and takes precedence over all other deployments. Your devices receive all the restrictions distribution policies and the app configuration policies from the assignment group which has the highest priority.

      If a device belongs to more than one smart group and you assign these smart groups to an application with several flexible deployments, the device receives the scheduled flexible deployment with the most immediate Priority. As you assign smart groups to flexible deployments, remember that a single device can belong to more than one smart group. In turn, one device can be assigned to more than one flexible deployment for the same application.

      For example, if Device 01 belongs to Smart Group HR and Smart Group Training. You configure and assign two flexible deployments for application X, which include both Smart Groups. Device 01 now has two assignments for application X.

      • Priority 0 = Smart Group HR, to deploy in 10 days with On Demand
      • Priority 1 = Smart Group Training, to deploy now with Auto

      Device 01 receives the priority 0 assignment and gets the application in 10 days because of the assignments priority rating. Device 01 does not receive the priority 1 assignment.

      Assignment Name View the assignment name.
      Description View the assignment description.
      Smart Groups View the assigned smart group.
      App Delivery Method View how the application pushes to devices. Auto pushes immediately through the AirWatch Catalog with no user interaction. On Demand pushes to devices when the user initiates an installation from a catalog.
      EMM Managed Access View whether the application has adaptive management enabled.
  7. Select the Exclusions tab and enter smart groups, organization groups, and user groups to exclude from receiving this application.
    • The system applies exclusions from application assignments at the application level.
    • Consider the organization group (OG) hierarchy when adding exclusions. Exclusions at a parent OG do not apply to the devices at the child OG. Exclusions at a child OG do not apply to the devices at the parent OG. Add exclusions at the desired OG.
  8. Select Save & Publish.