DEVELOPERS BLOG
  1. Developers Blog
  2. Deploying Applications into Android for Work Using BES12

Deploying Applications into Android for Work Using BES12

ENTERPRISE SOLUTIONS / 09.23.16 / Mark Sohm

deploy_apps_afw_1

Are you an Android developer who’s creating an application to be deployed internally within your organization?  Or are you a BES admin who’s deployed many BlackBerry 10 applications, but are preparing to roll out Android for Work (AFW) on the new BlackBerry DTEK50 (or any other Android device)?  Or maybe you are just curious to know how to deploy applications into AFW using BES12?  If you answered yes to any of these questions, this blog post is for you.

To help future proof this article (the process may change in the future), here are the details of the environment used to capture this process and screenshots.

  • BES12 version 12.5
  • Android Marshmallow (6.0.1)

The Google Play Factor

Those familiar with deploying BlackBerry 10 applications using BES12 will know that you can choose public applications from BlackBerry World and make them available to your users.  You can also take private, internally developed applications (BAR files) and deploy them to users directly from BES12.  Things are a little different with AFW, in that all applications must have an entry in Google Play.  That means creating a Google Play Developer account and posting the application on Google Play.  Does that mean you have to expose your application for the entire world to see?  Not at all, applications can be restricted to be visible to your internal users only.  You don’t even need to post the APK file itself to Google Play, allowing it to remain on your internal infrastructure.

Where Does the APK File Go?

There are actually two options here.  You can upload the APK file to Google Play, but still restrict it to be deployed to your internal users.  Users outside of your Google Domain won’t be able to see the application.  However, some organization may wish to avoid submitting the APK file to Google Play.  Maybe the APK file includes highly confidential information that you wish to keep internal.  For that scenario, the APK file can be uploaded to your BES12 server.  Regardless of which option you choose; you still need to create an entry in Google Play that contains application meta-data, such as name, description and icon.

Step 1: Create the Google Play Developer Account

Assuming you already have BES12 up and running, the first thing you’ll need to set up is a Google Play Developer account, which will cost $25 US.  One very important detail for this step, is that the account must be created using an administrator account from your organization’s Google Domain.  If you do not use a Google Domain, the Google Play Developer account must be created using the Google account used to set up Android Enterprise on BlackBerry UEM.  This will tie ownership to your domain, allowing the publication of private applications.  If you have set up BlackBerry UEM with a Google Domain, you cannot use a non-Google Domain account (such as a @gmail.com account) and connect to your Google Domain after.  If you do create this using a non-Google Domain account, you won’t see any options to publish private apps.  After creation, you can invite any Google user to be an administrator in the Google Play Developer Console.

No special permissions need to be set up if you are not using a Google Domain. The Google Domain user needs to have the “Manage Google Play for work Store” and one or both of “Manage uploading private applications to Google Play for Work Store” or “Manage uploading private applications with APKs hosted outside of Google Play for work” permissions on their account.  The last permission is required if you want to host the APK file internally using BES12.  The Super Admin role has this by default, or you can grant this permission explicitly to another account.  To give private app upload privileges to a user:

  1. Sign in to the Google Admin console.
  2. Go to the user’s account page.
  3. Click Admin roles and privileges. You may need to click Show more to access this section.
  4. Click Manage Roles.
  5. Select a custom administrator role with the appropriate Google Play for Work privileges, as follows:
    • Manage Google Play for Work Store
    • Manage uploading private applications to Google Play for Work Store
    • Manage uploading private applications with APKs hosted outside of Google Play for Work
      The last permission listed is only required for hosting the APK file from BES12.
  6. Click Update Roles.

After applying the required permissions, proceed to the Google Play Developer Console to create the developer account.

Step 2:  Add New Application to Google Play

Once logged into the Google Play Developer Console, click on the “Add new application” button located on the top right.

deploy_apps_afw_2

Enter the title for your application and then click “Prepare Store Listing”.  This will bring you to the Store Listing page where you can fill out the application’s description, rating and add screenshots.  Fill in all the required items on this page.

Once complete, click on “Pricing and Distribution”.  There are a few things you’ll need to fill out on this page, such as countries to make the application available in.  The key setting in this section is the “RESTRICT DISTRIBUTION” checkbox.  Checking this will restrict the application from being publicly visible and only allow it to be installed by users in your Google Domain that you assign it to using BES12.  If you don’t see the “RESTRICT DISTRIBUTION” option, you likely created the Google Play Developer account using an account that isn’t on your Google Domain, or has insufficient privileges.  Go back to Step 1: Create the Google Play Developer Account in this guide for more information on those requirements.

deploy_apps_afw_3

Once you’ve saved these changes, continue on to either step Step 3A – Uploading the APK to Google Play or Step 3B – Uploading the APK to BES12, depending on where you want to host the actual APK file.

Step 3A – Uploading the APK to Google Play

To have the APK file hosted on Google Play, click on APK in the menu and then click on the “Upload your first APK to Production” button.  Do not check the “I am uploading a configuration for an APK hosted outside of Google Play.” option.

The application is now ready to be added to BES12.  Log into your BES12 server and choose Apps from the menu along the left and then click on the  button to add a new application.  This button will be in the top center of your screen.  BES12 will prompt you to choose the type of application you wish to add.  Choose Google Play.

deploy_apps_afw_4

BES12 now prompts for the URL of the application on Google Play.  There are two ways to get this URL.  From within the Google Play Developer Console, click on “All Applications”, select your application and use the “View in Play store” link.  This opens a link to your application in Google Play, which is what BES12 is requesting.  You can also search for your application on Google Play web site.  Note that you’ll need to be logged into your Google Domain account in order to find the application by searching on Google Play.  Take that URL, paste it into BES12 and press Search.

deploy_apps_afw_5

The application should appear in the search results, where you can press Add to add it to BES12.

deploy_apps_afw_6

On the next screen you can customize the description, add additional screenshots and choose a category.  You can also choose whether to make the application available to all Android users, only Android for Work users or only Samsung KNOX users.  Note that if you are deploying to Samsung KNOX users only, there is no requirement for a Google Play Developer account.  The APK file can be configured and deployed directly from BES12 to Samsung KNOX users without Google Play.

deploy_apps_afw_7

Step 3B – Uploading the APK to BES12

Security updates to Android require the BES12/UEM CA certificate to be pushed to all users to use this method.  Failure to do so will result in your APK file failing to download within the Google Play app. Complete the following steps deploy this CA certificate before continuing.

NEW STEPS

  1. Open an Android for Work enrollment email sent from BES12.
  2. Look for the URL under the “Certificate server URL:” heading.
  3. Open the URL and save the .cer or .crt file.
  4. In BES12 go to Policies and Profiles -> CA Certificate and add the cert.
  5. In UEM, select Groups -> User -> All User
  6. Add the CA certificate to the all users group using the + button

To host the APK file on BES12, begin this step in the BES12 console.  Log into your BES12 server and choose Apps from the menu along the left and then click on the deploy_apps_afw_button   button to add a new application.  This button will be in the top center of your screen.  BES12 will prompt you to choose the type of application you wish to add.  Choose “Internal apps” as shown below.

deploy_apps_afw_8

You will now be prompted to upload the APK file.  Browse for the file on your computer and press the Add button to initiate the upload process.

deploy_apps_afw_9

Click the “Enable the app for Android for Work” checkbox and optionally fill in the vendor and application description and click Add.

deploy_apps_afw_10

You’ll now see a window that explains a 3 steps process to take to populate the appropriate application details in Google Play.  You don’t need to upload the APK to Google Play, but still need to create a private entry for this application.  In the first step you’ll need to generate a JSON file, which has details both about your BES12 server and the application.  Google has created a Python script that can be used to generate the JSON file.  That script can be downloaded here:  Externally-Hosted APK Definition File Generator

The script requires the following be installed available in your path environment variable:

  • OpenSSL
  • JDK
  • Python 2.x
  • Android Asset Packaging Tool (aapt) – Included in the Android SDK Build Tools

Here are the paths I used.  Adjust these as appropriate based on where you installed these items.

  • C:openssl-1.0.2h-i386-win32
  • C:Program FilesJavajdk1.8.0_92in
  • C:Python27
  • C:UsersmsohmAppDataLocalAndroidsdkuild-tools24.0.0

The script requires the APK file that was just uploaded to BES12 and the URL currently shown in the BES12 console in Step 1 (don’t try to open that URL in a browser, it won’t work).  Running the command as follows will display the JSON file to your console screen.  You can use this method and copy it, or redirect the output to a file by appending “ > filename.json” to the end of the command (without the quotes) as shown in the second example.  Or you can do both to see what it looks like first and then save it to a file.  There isn’t any limit on the number of times you can run it.

Command Displays Output to Console
python externallyhosted.py –apk=<path/to/apk.apk>
–externallyHostedUrl=”https://www.example.com/test.apk

Command Saves Output to File
python externallyhosted.py –apk=<path/to/apk.apk>
–externallyHostedUrl=”https://www.example.com/test.apk” > filename.json

The JSON file created may not be complete.  I found when running the script (available as of Sept 12, 2016) a required parameter was not populated.  The entry for application_label was missing, so you may need to manually add that to the generated JSON file using your favourite text editor.  If any values are missing, they’ll be pointed out when you try to upload to Google Play.

When the JSON file is ready to be uploaded to Google Play log into the Google Play developer console, select “All Applications” on the left menu and choose the application that was prepared in Step 2:  Add New Application to Google Play.  Click on the APK menu within your application entry and then click the “Upload your first APK to Production”.  Instead of uploading an APK file, upload the JSON file.  Check off the “I am uploading a configuration for an APK hosted outside of Google Play.” Checkbox and browse and upload the JSON file.

deploy_apps_afw_11

Assuming you filled out all the required details, you can now publish the application in Google Play.  This process will take several hours to complete.  Once it’s published, return to the BES12 console and open the application details by choosing Apps on the left menu and clicking on the application in the list.

You’ll see a note similar to the one below explaining that the application is not ready to install because a license key must first be retrieved from Google Play.  Click on Publish App bring up the “3 step” screen.

deploy_apps_afw_12

Click on “Check Status” to obtain a license key.  If the application publication has not yet been approved on Google Play, clicking “Check Status” will give an error of: “The app is not published in Google Play yet. It may take several hours for the app to be published. “

If the application is published on Google Play, you’ll see the following success message with additional instructions after pressing “Check Status”.

deploy_apps_afw_13

As instructed in the screenshot above, you now need to go back to the Google Play Developer console to obtain the license key for your application.  Paste that into the box shown above and press next.  BES12 will verify the key with Google Play and show you a success message once complete.  The application is now ready to deploy to users.

Step 4 – Assign the Application to Users

The application is now ready to be deployed to your Android for Work users!

This can be done by adding the application to an app group or to individual users.  App groups allow you to create a collection of apps that can be assigned to users, user groups, or device groups. Grouping apps helps to increase efficiency and consistency when managing apps. For example, you can use app groups to group the same app for multiple device types, or to group apps for users with the same role in your organization.

On BES12, the process of choosing users or groups to assign the app too is the same regardless of whether you are deploying to AFW, BlackBerry 10, Samsung KNOX or iOS.  If you need a refresher on these steps, the following sections of the BES12 Admin Guide explain how applications can be assigned to users or app groups.

Mark Sohm

About Mark Sohm

Senior Technical Solutions Manager on the Solution Architects team.

Mark Sohm joined BlackBerry in 2003 and currently works as a Senior Technical Solutions Manager on the Solutions Architects team. Mark Sohm has been helping developers create applications using BlackBerry technologies for over 15 years, starting way back with the very first BlackBerry JDK on BlackBerry OS 3.6 through to BlackBerry 10 and now Android with BlackBerry Dynamics and Android Enterprise.

Back