Wednesday, December 15, 2021

Best Practices for Updating your Android Enterprise apps

By Abby Starr – Program Manager | Microsoft Endpoint Manager – Intune

 

In Intune’s November release, we debuted support for high-priority app update mode for Android Enterprise. The feature introduces more speed and control over the app update experience for your corporate-owned devices. As we continue to build out our app update capabilities, it’s worth summarizing the options available to you today.

 

For corporate-owned scenarios, there are two main app update modes: default and high-priority. If default mode is set, there are two additional settings that can be configured: auto-updates/network configuration and maintenance windows. If high-priority mode is set, it will override all other app update settings.

 

The goal of this post is to provide an overview of app update features on Android Enterprise, and to help you determine which features may solve your scenarios.

 

Default Update Mode

 

An overview of app update features without using high-priority update mode and their resulting behavior on the device.

 

How it works:

Android devices are made aware of new app updates via the device’s instance of the Managed Google Play store. Devices sync with Managed Google Play around once per day, and there is no way today for IT admins to “force” a sync. From there, the update enters an update queue.

 

If no other settings are configured, the default behavior for an Android device is to wait until prerequisite conditions are met. We call this default update mode:

  1. The device is charging.
  2. The device is connected to Wi-Fi (not using cellular data).
  3. The device is “idle.” Google defines this as “not actively used,” or when the device’s screen is off and/or in sleep mode. Google does not have official documentation on what constitutes “idle.”
  4. The app that has an update isn’t running in the foreground.

 

Upon meeting the conditions, updates are installed one by one in the order presented by the update queue. The device always installs the latest/highest version available for the device. For example, consider the following scenario:

 

  1. App X releases version 2.0 available to device Y.
  2. The device syncs with Managed Google Play (MGP) and adds version 2.0 to the update queue. However, the default update conditions are not met, so the update remains in the queue.
  3. The next day, app X releases version 3.0 available to device Y.
  4. The device syncs again the next day and adds version 3.0 to the update queue.
  5. The default update conditions are met, so the device begins to install updates from the queue. App X will be updated to version 3.0.

There are two settings to further customize the default update experience: network configurations and maintenance windows. Both are discussed in detail later in the article.

How to set it up:

IT admins don’t need to do anything to enable default update mode in Microsoft Intune. For more information on default update mode, see Google’s documentation.

 

How long do updates take?

The entire process can take up to 48 hours, or more if the default update conditions are continually unmet. Note that the device will not explain to the user or the admin why an update failed, and the device will not report whether conditions are actively being met in order to begin the update process.

 

On personally-owned work profile and corporate-owned work profile devices, the user can choose to update a corporate app in Google Play in their personal container. This is because only one copy of the app is installed on a device that utilizes work profiles. For example, if the user has an instance of Outlook in both their personal and corporate containers, updating Outlook to the latest version in their personal container will also update Outlook in the corporate container.

 

For more information, see Google’s documentation.

 

When to use it:

  • In the bring-your-own-device (BYOD) space, or for customers using personally-owned work profile devices. This is for two reasons:
    • Default update mode attempts to balance necessity of app updates with minimizing user disruption.
    • Other customizations of default update mode are not available on personally-owned work profile devices.
  • Scenarios where devices are corporate-owned, but do not require circumventing the existing update conditions.
    • Example: an admin has a fleet of COPE devices that are regularly connected to Wi-Fi and regularly charge.
    • Example: a fleet of devices does not run many apps, and the updates on those apps aren’t serious.

 

Network and auto-update preferences

 

How it works:

The network preferences setting overrides the Wi-Fi requirement for default update mode. There are two versions of network configurations: the user setting and the IT admin setting.

 

Assuming users have access to Google Play, they are allowed the following options:

  • Update apps over any network.
  • Update apps over Wi-Fi only (this is the default setting).
  • Do not update apps. (This is not recommended, since the user may miss security updates).

 

IT admins are allowed the following options. Note that the admin setting will replace the user setting, and users will not be notified that their preferences have been overridden. Admin settings are not available for personally-owned work profile devices.

 

  • Update apps over any network.
  • Update apps over Wi-Fi only.
  • Do not update apps. (This is not recommended, since the user may miss security updates).
  • Leave the choice to the user.

 

How does the feature affect an app’s update speed?

It depends on the way network preferences are set.

 

Auto-update setting and its effect on update speed:

  • Auto-update apps over any network: Since the device can use both Wi-Fi and cellular networks to update, you may see updates faster than if you were only allowing Wi-Fi.
  • Auto-update apps over Wi-Fi only: Default (the baseline update speed described above).
  • Do not auto-update apps: The user is forced to update apps manually, so app updates may apply to the device more slowly than if updates were automatic.

 

How to set it up:

Users can set their preference in Google Play.

  1. Open Google Play, tap the account circle at the top of the page, and tap Settings.
  2. Under Settings, tap Network preferences, then tap Auto-update apps.
  3. Select your auto-update preference.

 

IT admins can set their preference in Intune via a device restrictions policy. If you have an existing device restrictions profile for fully managed, dedicated, and corporate-owned work profile devices, you can edit it to include app auto-updates. If you do not, you must create a new device restrictions profile under Configuration Profiles.

 

From either the edit or the create workflow, you can set your auto-update network configuration under the Applications section.

 


 

When to use it:

  • You want to disable auto-updates.
    • Example: A worker is bringing their corporate-owned work profile device to an area with a poor, shared, or untrusted Wi-Fi network. The IT admin disables auto-updates on their device.
    • Example: You have a fleet of devices that are going through a critical business period, such as the holiday season for a retailer. You want to keep apps from updating so as not to disturb your users during this period.
  • The device may never update over Wi-Fi.
    • Example: Warehouse workers operate in a facility with limited Wi-Fi.

 

Best practices and other considerations:

  • Users must have access to Google Play to set their own auto-update preference. Google Play may not be accessible on dedicated devices, depending on whether the device is using Managed Home Screen.
  • If the IT admin sets a network configuration in Intune, it will override the user network configuration setting.
  • For most devices, the default setting from the Google Play store is either “Update apps over Wi-Fi only” or “Leave the choice to the end user”.
  • On a corporate-owned work profile device, network configuration settings will only apply to the corporate profile.
  • Network configurations for IT admins are only available on fully managed, dedicated, and corporate-owned work profile devices. The setting is not available on personally-owned work profile devices.
  • Configuring updates to occur over cellular networks can potentially incur a heavy data usage bill for users.
  • Network configurations are set on a device level, not on a per-app level. There is no way to selectively configure network configurations for different apps on the device.
  • Neither Google nor Microsoft recommends disabling auto-updates, because the device may miss critical security updates.
  • You cannot disable auto-updates for the Google Play app or the Google Play services app. Both continue to update under the default update constraints, regardless of network configurations and maintenance windows.
  • On corporate-owned work profile devices, users can still manually update apps in the personal container. Also, the user can always choose to manually update apps on enrollment scenarios where the user has access to Google Play. Therefore, disabling app auto-updates does not mean that you’ve disabled all app updates.

 

Maintenance windows (fully managed, dedicated, and corporate-owned work profile devices only)

How it works:

A maintenance window will establish a daily designated period where both system and app updates occur. When a new app update is detected, the device will wait until the designated maintenance window, or will add the update to the queue if the device is currently within a maintenance window.

 

Once in a maintenance window, the device will ignore all default constraints except Wi-Fi (the Wi-Fi constraint can be modified using network configurations above). This means that the maintenance window will ignore whether the device is charging, idle, or has the updating app currently running, and it will attempt to install each update in the queue one by one. If the app is running at the time of update, it will close for the duration of the installation.

 

A maintenance window can be set between 0.5 and 23.5 hours per day. If an app installation doesn’t complete within the current window (for example, because the install takes too long or the device doesn’t have enough storage or battery), it is aborted and attempted again the next day. After 30 days, the user is prompted to install the update manually.

 

How long do updates take?

Usually somewhere between 0 and 48 hours. It can take up to 24 hours for the device to check in with Managed Google Play. Maintenance windows will ignore all default constraints except network requirements, which may mean the device updates faster. However, no app updates will occur outside of the maintenance window, even if default conditions are met and the update is at the front of the queue. Therefore, there are some situations where not using a maintenance window or having the user install the update results in a faster download than using a maintenance window.

 

For more information on timing for maintenance windows, see Google’s documentation.

 

How to set it up:

Just like network configurations, IT admins can set their preference in Intune via a device restriction policy. You will find the maintenance window setting under the General section. For System update, select Maintenance window, then choose a start and end time (times are calculated based on the device’s local time).

 


 

When to use it:

  • Corporate scenarios where devices aren’t in use for a predictable portion of each day.
    • Example: Workers use their corporate-owned devices on the floor of a retail store. Devices are left on the charger after the store closes for the day.
  • The device may not ever receive updates under default conditions.
    • Example: You are running a dedicated device under kiosk mode. You want to update the kiosk app, but the app is always running in the foreground and the device never reaches an idle state.
    • Example: A customer wants to update their always-on VPN app, but cannot under default update mode since the app is always running.
    • Example: Factory floor workers operate in a warehouse with limited Wi-Fi and where batteries are swapped out instead of the device being left to charge.
  • Troubleshooting
    • Example: You’re trying to fix a device on your desk or located nearby. You set a maintenance window of 23.5 hours to see if your new policy looks correct on multiple different apps.
    • Example: You want to update the OS and all assigned apps quickly regardless of whether the device is in use or not, so you set a large maintenance window.

 

Best practices and other considerations:

  • Maintenance windows are not available on personally-owned work profile devices.
  • The maintenance window is primarily a method of configuring system updates. If the admin sets system updates to “maintenance window,” the device may also attempt to install over-the-air OS updates. This may be a barrier for admins who want the latest app updates and not the latest system updates.
  • Maintenance windows ignore all previous default constraints except Wi-Fi. If the app being updated is running, the app will close until the installation is complete. If the user was using the device during the maintenance window, they may find the experience disruptive.
  • Depending on when devices sync with Managed Google Play and how large the assigned group is, maintenance windows may lead to a sudden spike in bandwidth usage for your network. If app updates are also set to occur over cellular networks, there is potential for a spike in cellular usage.
  • Maintenance windows do not require the device to be charging, but keep in mind that updates will fail if the device doesn’t have enough battery or storage space to install them.
  • Maintenance windows are set on a device level, not on a per-app level. There is no way to selectively choose apps to apply to the maintenance window.
  • A common practice while troubleshooting app updates is to set a maintenance window of 23.5 hours to ignore the default constraints.

 

High-Priority Update Mode

 

A flowchart of how high-priority update mode works.

 

How it works:

Newly-released in November, high-priority update mode bypasses all constraints, maintenance windows, network configurations, and the check-in with Managed Google Play to apply an update to the device as fast as possible. If high-priority update mode is configured for an app, it replaces the default update mode. Once a new update is available for the device, the device is notified. Assuming the device is on and has a stable connection to either a Wi-Fi or cellular network, the installation will begin regardless of the device state or what the user is doing on the device at the time. If the app being updated is currently being used, it will close.

 

High-priority app update mode may be disruptive to your network and users, but it satisfies scenarios where you’re willing to accept that disruption in exchange for speed of update delivery.

 

How long do updates take?

Potentially as little as a few minutes. Since the device is notified immediately of an update, it doesn’t need to wait for a sync with Managed Google Play. However, if the device runs out of battery or space before the installation is complete, the update can take longer.

 

How to set it up:

High-priority app update mode is set on a per-group basis. To set it:

  1. On the All apps page, select the app you want to set to high-priority update mode. Dropbox is used in this example.
  2. Select Properties and, next to Assignments, select Edit.
  3. Select the row of the group you’d like to configure, or add a new group. You can see which priority is assigned for each group under the Update Priority column.
  4. In the Edit assignment window, under App settings, change the update priority to High priority.

When to use it:

  • Troubleshooting, especially in the case of line-of-business or private Managed Google Play apps.
    • Example: Developers and IT admins are working together to test a new version of an app on a set of test devices. They would like to be able to trigger installs quickly to improve the efficiency of their testing process.
    • Example: You’re troubleshooting a private app not installing correctly, and you want to trigger immediate app updates to diagnose the problem.
    • Example: You have a fleet of devices that runs exclusively on internally-built line-of-business apps. You know when apps will update, and you want a higher degree of control over app releases reaching devices.
  • When app updates are time-critical.
    • Example: You’re an aviation customer with corporate-owned devices for cabin crew members. The plane lands, and crew members have an hour to receive app updates before the plane takes off again.
    • Example: The app development team discovers a security vulnerability in their private app. The development team releases a hotfix and admins want to get as many devices as possible on the less vulnerable version.
  • The device may never update under default conditions, and the maintenance window doesn’t satisfy the use case.
    • Example: Factory floor workers operate in a warehouse with limited Wi-Fi and where batteries are always swapped out instead of the device being left to charge. However, they don’t want to update their device OS, so they can neither use maintenance windows nor default update mode.
    • Example: You want to update an always-on VPN app for Android devices, but the device is used at all points in the day.
    • Example: You want to update an app running in single-app kiosk mode on a device enrolled as dedicated. You want immediate app updates for the kiosk app, but other app updates can wait.

Best practices and other considerations:

  • High-priority mode is set on a per-app, per-group assignment basis, not a device basis. To set multiple apps or groups to high-priority update mode, we suggest writing a script that sets autoUpdateMode to priority through Microsoft Graph. For more information on using Microsoft Graph with Intune, please see our documentation.
  • High-priority mode is only available for fully managed, dedicated, and corporate-owned work profile devices. It is not yet available for personally-owned work profile devices.
  • High-priority mode will ignore all constraints, including whatever the user was doing on the device when the update was received. This could be disruptive for users, especially if they were using the app being updated because the app will close until the update is complete.
  • Exercise caution when setting high-priority update mode on many different apps and groups, for several reasons:
    • Although many apps can be set to high-priority mode, only one app update can be installed at a time. One large app update could potentially block many smaller updates until the large app is done installing.
    • Depending on when apps release new updates, there could be a sudden spike in your network usage if app releases coincide. If Wi-Fi is not available on some devices, there could also be a spike in cellular usage.
    • Although disruptive user experiences have already been mentioned, the problem grows as more apps are set to high-priority update mode.
  • An admin cannot set high-priority app update mode for the Google Play app and the Google Play services app, since neither app is available in Managed Google Play today.
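The scripted approach suggested above, as an added example that is not from the original post or from Microsoft: it sets autoUpdateMode to priority on each listed app's assignment to one group through the Graph beta endpoint, using the Microsoft.Graph PowerShell SDK. The app IDs and group ID are placeholders, and the beta endpoint and the androidManagedStoreAppAssignmentSettings type name are assumptions about the API rather than details taken from the post.

```powershell
# Added example, not from the Intune post or from Microsoft. Assumes the Graph beta
# endpoint and the Microsoft.Graph PowerShell SDK (Connect-MgGraph / Invoke-MgGraphRequest).

# Placeholder identifiers: replace with object IDs from your own tenant.
$GroupId = "<group-object-id>"
$AppIds  = @("<mobile-app-id-1>", "<mobile-app-id-2>")

# Permission needed to read and rewrite app assignments.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

foreach ($appId in $AppIds) {
    $base = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$appId"

    # The assign action replaces the app's whole assignment set, so read the current
    # assignments first and send all of them back; otherwise other groups lose the app.
    $current = (Invoke-MgGraphRequest -Method GET -Uri "$base/assignments").value

    $matched = $false
    $assignments = foreach ($a in $current) {
        $settings = $a.settings
        if ($a.target.groupId -eq $GroupId) {
            $matched = $true
            # Keep any existing Managed Google Play track selection; only change the mode.
            $trackIds = @()
            if ($a.settings -and $a.settings.androidManagedStoreAppTrackIds) {
                $trackIds = @($a.settings.androidManagedStoreAppTrackIds)
            }
            # Assumed settings type for Managed Google Play app assignments; the portal
            # shows autoUpdateMode as "Update priority" (default | postponed | priority).
            $settings = @{
                "@odata.type"                  = "#microsoft.graph.androidManagedStoreAppAssignmentSettings"
                autoUpdateMode                 = "priority"
                androidManagedStoreAppTrackIds = $trackIds
            }
        }
        @{
            "@odata.type" = "#microsoft.graph.mobileAppAssignment"
            intent        = $a.intent
            target        = $a.target
            settings      = $settings
        }
    }

    if (-not $matched) {
        Write-Warning "App $appId is not assigned to group $GroupId; skipping."
        continue
    }

    $body = @{ mobileAppAssignments = @($assignments) } | ConvertTo-Json -Depth 10
    Invoke-MgGraphRequest -Method POST -Uri "$base/assign" -Body $body -ContentType "application/json"
    Write-Host "High-priority update mode set on app $appId for group $GroupId."
}
```

Run it once against a small test group first and confirm in the Update Priority column that only the intended group changed, since a mistake in the rebuilt assignment list is applied to every device the app is assigned to.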

 

Summary

To recap, here’s a summary of the different Android Enterprise app update features supported on Intune, and when to use each of them:

 

Default update mode

  • How it works: Updates won’t occur unless the device is charging, has Wi-Fi, and isn’t in use. The device must check in with Managed Google Play.
  • Update speed: 0-48+ hrs
  • When to use: BYOD and work profile scenarios.
    • You want to balance security of app updates with minimization of user disruption.
    • Devices predictably fall within default update constraints.

Network and auto-update preferences

  • How it works: Configures the Wi-Fi requirement. Updates won’t occur unless the device is charging, meets network requirements, and isn’t in use. The device must check in with Managed Google Play.
  • Update speed: 0-48+ hrs
  • When to use:
    • You want to disable auto-updates for a short period of time.
    • You want to use cellular networks to update apps.
    • You want to allow users to configure whether to update over cellular or Wi-Fi networks only.

Maintenance windows

  • How it works: Ignores all requirements except Wi-Fi during a designated daily period. Updates won’t occur unless the device has Wi-Fi (or meets network requirements, if set). The device must check in with Managed Google Play.
  • Update speed: 0-48 hrs
  • When to use:
    • You can predict when devices aren’t being used.
    • To ignore default conditions.
    • Troubleshooting.

High-priority update mode

  • How it works: Ignores all other constraints and configurations, including check-in with Managed Google Play, and installs updates ASAP.
  • Update speed: ~A few minutes
  • When to use:
    • You value speed over everything else.
    • To ignore default conditions.
    • Troubleshooting.

 

 

If you have any questions, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Posted at https://sl.advdat.com/3IVE0AX