App management is the most hands-on part of Android MDM. It's how you control what software runs on your managed devices — which apps are installed, which are blocked, how they're configured, and how they're updated. Everything else in Android device management (enrollment, security policies, compliance monitoring) sets the stage. App management is where the rubber meets the road, because the apps are what employees actually use. Get this right and devices work the way they're supposed to. Get it wrong and you're fielding helpdesk tickets about missing apps, broken configurations, and unapproved software showing up on managed devices.
On managed Android devices, app management runs through Managed Google Play — Google's enterprise version of the Play Store. Managed Google Play is the distribution layer that makes everything else in this article possible. If your MDM platform doesn't integrate with Managed Google Play, you're stuck side-loading APKs manually, which doesn't scale and creates security risks.
Managed Google Play
Managed Google Play is a curated version of the Play Store that IT controls. Instead of the full Play Store catalog (3+ million apps), employees see only the apps IT has approved. IT selects apps in the MDM console, and those apps — and only those apps — appear in the employee's work Play Store.
The workflow is simple. IT admin opens the MDM platform, searches the Play Store catalog, and approves apps. Those approved apps become available to devices in the target group. The employee opens their work Play Store and sees only approved apps. No random games, no unapproved messaging apps, no VPN apps you've never heard of.
You can approve apps and leave them optional (the employee can install them if they want) or make them required (the MDM platform installs them automatically). Required apps are deployed silently — the app installs on the device without the user doing anything. They open their phone and the app is there, ready to go.
Silent installation is a game-changer for large deployments. When you need to roll out a new security agent to 500 devices, or deploy an updated version of your internal field service app, you push it from the MDM console and it lands on every device. No email asking users to install it. No follow-up for the 30% who didn't read the email. No Slack thread asking "where do I download this?"
App Configuration
Many enterprise apps support managed configurations (Android's term; older documentation calls them app restrictions): a set of key-value pairs that IT pre-fills through the MDM platform. Think of it as remote configuration injection. You set the values in the MDM console, the platform delivers them alongside the app, and the app reads them through Android's RestrictionsManager when it starts and again whenever they change.
Common examples: a VPN app that needs a server address and authentication certificate. An email client that needs the Exchange server URL, domain, and username pattern. A CRM app that needs an API endpoint and feature flags. A browser that needs a homepage URL and a list of bookmarked internal sites.
Without managed configurations, each employee would need to manually enter this information — or IT would send a setup email with step-by-step instructions that 40% of people would get wrong. With managed configurations, the app opens pre-configured. Zero tickets. Zero misconfiguration.
The app developer decides which configuration keys to support. They are declared in an XML restrictions file bundled with the app, and Managed Google Play reads that schema and surfaces it as a form in the MDM console, so you only ever see the keys the app actually honours; a key the app never declared is silently ignored. Cross-vendor efforts such as the AppConfig Community standardize the key-value schema so the same template works across apps. One caveat: managed configuration values are not a secret channel. They are visible to anyone with console access and handed to the app as plain values, so deliver credentials such as the VPN client certificate through the platform's certificate management rather than as a configuration string.
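The schema check described above, written out as an added example (this is not code from the original page or from any MDM vendor): it parses a constructed app_restrictions.xml for a hypothetical VPN client, validates the values an admin typed into the console against the declared key types and choice entries, and emits the applications[] entry an Android Management API policy would carry. The package name, keys and the RESOURCES dictionary that stands in for the app's @array resources are all assumptions of the example; the "required when the default is empty" rule is this example's convention, not an Android rule.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of an app's app_restrictions.xml for a hypothetical VPN
# client. Real files reference @string/@array resources; the @array reference
# for entryValues is resolved through RESOURCES below so this runs offline.
SAMPLE_RESTRICTIONS_XML = """
<restrictions xmlns:android="http://schemas.android.com/apk/res/android">
    <restriction android:key="server_url" android:title="VPN server"
        android:restrictionType="string" android:defaultValue="" />
    <restriction android:key="port" android:title="Port"
        android:restrictionType="integer" android:defaultValue="443" />
    <restriction android:key="always_on" android:title="Always-on VPN"
        android:restrictionType="bool" android:defaultValue="true" />
    <restriction android:key="auth_method" android:title="Authentication"
        android:restrictionType="choice" android:defaultValue="certificate"
        android:entries="@array/auth_labels" android:entryValues="@array/auth_values" />
</restrictions>
"""
RESOURCES = {  # constructed stand-in for the app's string-array resources
    "@array/auth_labels": ["Client certificate", "Username/password"],
    "@array/auth_values": ["certificate", "password"],
}
GOOD_CONFIG = {"server_url": "https://vpn.example.com", "port": 443,
               "always_on": True, "auth_method": "certificate"}
BAD_CONFIG = {"port": "443", "auth_method": "token", "debug": True}


def _attr(element, name):
    """Read an android:-namespaced attribute such as android:key."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def parse_restrictions(xml_text, resources):
    """Turn app_restrictions.xml into {key: {"type", "default", "values"}}.

    "values" is the allowed set for choice/multi-select keys (resolved from
    the @array reference) and None for every other type."""
    schema = {}
    for el in ET.fromstring(xml_text.strip()).iter("restriction"):
        values_ref = _attr(el, "entryValues")
        schema[_attr(el, "key")] = {
            "type": _attr(el, "restrictionType"),
            "default": _attr(el, "defaultValue"),
            "values": resources[values_ref] if values_ref else None,
        }
    return schema


def validate_config(schema, config):
    """Check admin-supplied values against the app's declared schema.

    Returns (managed_configuration, problems). Only well-typed values for
    declared keys are accepted; everything else is reported so the console
    can refuse to push a configuration the app would misread or ignore."""
    problems, accepted = [], {}
    for key, value in config.items():
        spec = schema.get(key)
        if spec is None:
            problems.append(f"{key}: not declared by the app, would be ignored")
            continue
        kind, allowed = spec["type"], spec["values"] or []
        ok = (
            (kind == "bool" and isinstance(value, bool))
            or (kind == "integer" and isinstance(value, int) and not isinstance(value, bool))
            or (kind == "string" and isinstance(value, str))
            or (kind == "choice" and value in allowed)
            or (kind == "multi-select" and isinstance(value, list)
                and all(v in allowed for v in value))
        )
        if not ok:
            problems.append(f"{key}: invalid for restrictionType {kind}: {value!r}")
            continue
        accepted[key] = value
    # A key with an empty default gets no usable value unless IT sets it;
    # this example treats that as required (an assumption, not an Android rule).
    for key, spec in schema.items():
        if key not in accepted and spec["default"] in (None, ""):
            problems.append(f"{key}: no default in the app and not set by policy")
    return accepted, problems


def app_policy_entry(package_name, xml_text, resources, config):
    """Build the applications[] entry for an Android Management API policy,
    or raise if the configuration does not match the app's schema."""
    accepted, problems = validate_config(parse_restrictions(xml_text, resources), config)
    if problems:
        raise ValueError("; ".join(problems))
    return {"packageName": package_name, "managedConfiguration": accepted}


if __name__ == "__main__":
    print(app_policy_entry("com.example.vpn", SAMPLE_RESTRICTIONS_XML, RESOURCES, GOOD_CONFIG))
    schema = parse_restrictions(SAMPLE_RESTRICTIONS_XML, RESOURCES)
    print("\n".join(validate_config(schema, BAD_CONFIG)[1]))
```

Run against BAD_CONFIG the validator reports four problems (a string where an integer was declared, a choice value the app does not list, an undeclared key, and the unset server URL) and accepts nothing, which is the behaviour you want from a console before a broken configuration reaches 500 devices.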
App Blocking and Whitelisting
Controlling which apps are allowed matters as much as deploying the right ones. On fully managed devices you have full control: with the work Play Store in allowlist mode only apps you have explicitly approved can be installed, and an app you block is uninstalled if it was already on the device (preloaded system apps can be hidden or disabled but not removed). On work profile devices, you control what's in the work container, while the personal side is the employee's business.
For kiosk mode deployments, app control is absolute. The device runs only the specified app or apps. Everything else is hidden and inaccessible.
For standard corporate devices, the approach is usually a combination: push required apps (VPN, email, security agent), allow a set of optional approved apps (productivity tools, note-taking apps, communication apps), and block everything else. The block list prevents apps that create security or compliance risks — file-sharing apps that could leak data, VPN apps that could bypass network controls, social media apps on devices used for patient intake.
Some MDM platforms support runtime app blocking as well — an app that was previously allowed can be blocked by policy change, and it's disabled or removed on every affected device without manual intervention. This is useful when a previously approved app gets flagged for security vulnerabilities or data privacy concerns.
Private Apps and Internal Distribution
Most companies have internal Android apps — field service tools, internal communication apps, custom business apps — that aren't on the public Play Store. Managed Google Play supports private app distribution for exactly this scenario.
You upload your APK to Managed Google Play as a private app. Google hosts it, handles delivery, and manages updates. The app only appears for your organization's devices — it's invisible on the public Play Store. When you release a new version, you upload the updated APK and devices receive the update through the standard Play Store update mechanism.
This replaces the old approach of hosting APKs on an internal server and side-loading them onto devices manually or through scripts. Side-loading requires allowing installs from unknown sources (on Android 8 and later, granting the "Install unknown apps" permission to whichever app does the installing), and once that door is open it is open for any other APK that reaches the device, including a repackaged copy of your own app. Managed Google Play distribution keeps unknown-sources installation disabled while still deploying your internal apps.
For organizations that build apps internally and release frequently, some MDM platforms also support web app deployment — adding web URLs as app icons on the device that open in a managed browser. This is useful for internal tools that are web-based and don't need a native Android app.
App Updates
Keeping apps updated across a fleet is one of those operational tasks that's simple in concept but painful in practice without automation. Managed Google Play handles updates through the standard Play Store mechanism, but MDM gives you control over the timing.
Auto-update is the default — apps update automatically when a new version is available on Managed Google Play. For most apps, this is fine. You want security patches and bug fixes deployed as quickly as possible.
But for some apps, especially business-critical line-of-business apps, you might want to control the rollout. A broken update to the POS app at 200 retail locations during peak hours is a bad day. MDM platforms that support staged rollouts let you push updates to a test group first, validate that everything works, and then release to the full fleet (typically by giving the pilot group and the rest of the fleet different update policies). Be precise about "rollback", though: Android will not install an older version over a newer one, so recovering from a bad build means halting the rollout before it reaches the remaining devices and shipping a fixed release with a higher version code. Some platforms can halt a rollout automatically when the update causes increased crash rates.
For OS-level apps and system updates, that's a separate topic. Android patch management covers OS and security updates. App updates through Managed Google Play are the application layer.
App Inventory and Compliance
MDM gives you a live inventory of which apps are installed on every managed device. Not just the apps you pushed — all apps. On fully managed devices, you see everything. On work profile devices, you see what's in the work container (and optionally, a list of personal app names on company-owned devices — never the data).
This inventory serves two purposes. First, compliance: you can set policies that flag or block devices with apps that shouldn't be there. A remote management dashboard that shows one device with an unauthorized file-sharing app installed is an investigation you handle in five minutes. Finding that same problem six months later during an audit is a finding that goes on the report.
Second, software asset management: knowing which apps are deployed, which are actually being used, and which are sitting unused helps you make decisions about licensing and app strategy. If you're paying for 500 licenses of an app that only 200 devices are actually using, that's visible in the app inventory data.
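The compliance and asset checks in this section, together with the allow/block decisions from the App Blocking and Whitelisting section, as one added example (not the page's or any vendor's code). It runs over constructed device reports shaped like the applicationReports[] list the Android Management API returns per device, and flags blocked apps, missing required apps, side-loaded installs (anything whose applicationSource is not Play or the factory image), and a private app whose signing certificate fingerprint does not match the one you published, which is how a repackaged copy with the same package name shows up. Package names, the fingerprints and the seat counts are all made up for the example.

```python
from collections import Counter

# Policy inputs (constructed). A real console takes these from the approved
# app list and from the private app's release signing certificate.
BLOCKED_PACKAGES = {"com.example.filesharer", "com.example.freevpn"}
REQUIRED_PACKAGES = {"com.example.vpn", "com.example.fieldservice"}
GOOD_SIGNER = ("3A:F1:9C:0B:7E:52:D4:88:61:2C:AB:90:E3:17:5F:6D:"
               "C2:4E:83:01:B9:77:D0:6A:15:F8:2B:9E:C6:43:0D:A7")   # made-up SHA-256
ROGUE_SIGNER = "00:" * 31 + "00"                                     # made-up SHA-256
EXPECTED_SIGNERS = {"com.example.fieldservice": GOOD_SIGNER}
LICENSED_SEATS = {"com.example.crm": 3}
# Sources that mean "came through Play or the factory image"; the API reports
# APPLICATION_SOURCE_UNSPECIFIED for apps sideloaded from elsewhere.
PLAY_SOURCES = {"INSTALLED_FROM_PLAY_STORE", "SYSTEM_APP_FACTORY",
                "SYSTEM_APP_UPDATED_VERSION"}


def _app(pkg, source="INSTALLED_FROM_PLAY_STORE", signer=None):
    """Build one constructed ApplicationReport-like dict."""
    report = {"packageName": pkg, "state": "INSTALLED", "applicationSource": source}
    if signer:
        report["signingKeyCertFingerprints"] = [signer]
    return report


# Constructed inventory for three devices (device IDs are hypothetical).
DEVICE_REPORTS = {
    "device-001": [_app("com.example.vpn"),
                   _app("com.example.fieldservice", signer=GOOD_SIGNER),
                   _app("com.example.crm")],
    "device-002": [_app("com.example.vpn"),
                   _app("com.example.filesharer")],
    "device-003": [_app("com.example.vpn"),
                   _app("com.example.fieldservice",
                        source="APPLICATION_SOURCE_UNSPECIFIED", signer=ROGUE_SIGNER),
                   _app("com.example.crm")],
}


def check_device(reports):
    """Return compliance findings for one device; an empty list means compliant."""
    findings = []
    installed = {r["packageName"]: r for r in reports if r.get("state") == "INSTALLED"}
    present = set(installed)
    for pkg in sorted(BLOCKED_PACKAGES & present):
        findings.append(f"blocked app installed: {pkg}")
    for pkg in sorted(REQUIRED_PACKAGES - present):
        findings.append(f"required app missing: {pkg}")
    for pkg, report in installed.items():
        source = report.get("applicationSource", "APPLICATION_SOURCE_UNSPECIFIED")
        if source not in PLAY_SOURCES:
            findings.append(f"sideloaded: {pkg} ({source})")
        expected = EXPECTED_SIGNERS.get(pkg)
        if expected and expected not in report.get("signingKeyCertFingerprints", []):
            # Same package name, different signer: not the build you published.
            findings.append(f"signer mismatch: {pkg}")
    return findings


def check_fleet(device_reports):
    """Map every device ID to its findings."""
    return {device: check_device(reports) for device, reports in device_reports.items()}


def license_utilization(device_reports, seats):
    """Map each licensed package to (devices with it installed, seats paid for)."""
    counts = Counter(r["packageName"] for reports in device_reports.values()
                     for r in reports if r.get("state") == "INSTALLED")
    return {pkg: (counts[pkg], n) for pkg, n in seats.items()}


if __name__ == "__main__":
    for device, findings in check_fleet(DEVICE_REPORTS).items():
        print(device, findings or "compliant")
    print(license_utilization(DEVICE_REPORTS, LICENSED_SEATS))
```

The signer check is the one most inventories skip: a block list keyed on package name alone cannot tell your field service app from a repackaged build that kept the same name, but the signing certificate fingerprint can.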
Web Apps and Web Clips
Not every business tool needs a native Android app. Internal dashboards, reporting tools, wikis, and lightweight utilities are often web-based. MDM platforms support deploying web apps — essentially bookmarks that appear as icons on the device and open in a managed browser.
Web apps are created in the MDM console (backed by Managed Google Play) with a URL, an icon, and a display mode: minimal UI (browser controls stay visible), standalone, or full screen. They deploy to devices through Managed Google Play like any other app and appear alongside native apps with no visible difference to the user. The user taps the icon and the page opens in Chrome, which therefore has to be present on the device.
This is useful for organizations with internal tools that are web-first. Rather than building and maintaining native Android versions of every internal tool, deploy them as web apps. Chrome's own managed configuration (URL allow and block lists, certificate and proxy settings, authentication) applies to them, and the web app gets the same deployment and management workflow as native apps.
For devices in kiosk mode, web apps can be the primary interface. A visitor check-in kiosk might run a web app in full-screen mode. An information display might show a dashboard URL. The MDM locks the device to the managed browser with the web app URL, and the device functions as a purpose-built terminal.
Handling App Permissions
Android apps request permissions — camera, location, storage, contacts, microphone. On unmanaged devices, the user decides whether to grant each permission. On managed devices, MDM can pre-configure permission grants.
MDM can set app permissions to one of three states: grant automatically (the user is never prompted), deny automatically (the user can't override), or let the user decide (the default Android behavior). For enterprise apps, automatically granting required permissions eliminates a common deployment friction — users declining a critical permission and then reporting that the app doesn't work.
For security-sensitive permissions (camera, microphone, location), auto-deny prevents apps from accessing capabilities they shouldn't have. A field service app that needs camera access for photo documentation gets camera permission granted. A productivity app that doesn't need the microphone gets microphone permission denied. The user never sees the permission prompt, and the device is configured correctly from the start. One caveat: from Android 12 onwards, on a personally-owned device with a work profile the admin can deny the sensor permissions (camera, microphone, location, body sensors, activity recognition) but cannot grant them, so a "grant" for those falls back to prompting the user. Auto-granting sensor access only works on company-owned devices.
Permission management is especially important for remote device management scenarios where IT can't walk users through permission prompts. When an app deploys silently with the correct permissions pre-granted, it works immediately. No support tickets about "the app asked for camera access and I said no."
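Pulling the install types from the Managed Google Play section, the allowlist mode from App Blocking and Whitelisting, the update mode from App Updates, and the permission states from this section into one policy, as an added example (not the page's or any vendor's code). It builds the body of an Android Management API policy from a constructed app catalogue and handles the Android 12 edge case above: when the target is a personally-owned work profile, a requested GRANT for a sensor permission is downgraded to PROMPT and reported, rather than silently ignored by the platform. The catalogue, its package names and the SENSOR_PERMISSIONS list are this example's assumptions.

```python
# Permissions that Android 12+ refuses to auto-grant in a personally-owned
# work profile (admins may still deny them). This list is the example's own
# enumeration of the sensor-related permissions covered by that rule.
SENSOR_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.BODY_SENSORS",
    "android.permission.ACTIVITY_RECOGNITION",
}

# Catalogue role -> Android Management API installType.
INSTALL_TYPE = {"required": "FORCE_INSTALLED", "optional": "AVAILABLE", "blocked": "BLOCKED"}

# Constructed app catalogue; package names and settings are hypothetical.
APP_CATALOG = [
    {"package": "com.example.vpn", "role": "required",
     "grant": ["android.permission.POST_NOTIFICATIONS"],
     "managed_config": {"server_url": "https://vpn.example.com", "always_on": True}},
    {"package": "com.example.fieldservice", "role": "required",
     "grant": ["android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION"],
     "deny": ["android.permission.RECORD_AUDIO"],
     "update": "AUTO_UPDATE_POSTPONED"},   # line-of-business app: controlled rollout
    {"package": "com.example.notes", "role": "optional",
     "deny": ["android.permission.RECORD_AUDIO"]},
    {"package": "com.example.filesharer", "role": "blocked"},
]


def build_policy(catalog, personally_owned_work_profile):
    """Return (policy, warnings): the policy is an Android Management API policy
    body covering install type, update mode, managed configuration and runtime
    permission grants for every app in the catalogue."""
    warnings, applications, seen = [], [], set()
    for app in catalog:
        pkg = app["package"]
        if pkg in seen:
            raise ValueError(f"{pkg} listed twice; decide on one role for it")
        seen.add(pkg)
        entry = {"packageName": pkg, "installType": INSTALL_TYPE[app["role"]]}
        if app["role"] == "blocked":
            applications.append(entry)
            continue
        grants = []
        for perm in app.get("grant", []):
            policy = "GRANT"
            if personally_owned_work_profile and perm in SENSOR_PERMISSIONS:
                # The platform would ignore GRANT here; prompt and say so.
                policy = "PROMPT"
                warnings.append(f"{pkg}: {perm} cannot be auto-granted in a "
                                "personally-owned work profile; user will be prompted")
            grants.append({"permission": perm, "policy": policy})
        for perm in app.get("deny", []):
            grants.append({"permission": perm, "policy": "DENY"})
        if grants:
            entry["permissionGrants"] = grants
        if "managed_config" in app:
            entry["managedConfiguration"] = app["managed_config"]
        entry["autoUpdateMode"] = app.get("update", "AUTO_UPDATE_DEFAULT")
        applications.append(entry)
    policy = {
        "applications": applications,
        # WHITELIST: the work Play Store shows only the apps listed above.
        "playStoreMode": "WHITELIST",
        # Any permission not listed per app gets the normal user prompt.
        "defaultPermissionPolicy": "PROMPT",
    }
    return policy, warnings


if __name__ == "__main__":
    import json
    policy, warnings = build_policy(APP_CATALOG, personally_owned_work_profile=True)
    print(json.dumps(policy, indent=2))
    print("\n".join(warnings))
```

The duplicate check matters more than it looks: a package that appears once as required and once as blocked is exactly the kind of conflict that produces the "missing app" tickets the introduction describes, and it is cheaper to reject at build time than to debug on a device.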
App management is the daily operational work of Android MDM. Enrollment happens once. Security policies are set and mostly stable. But apps change constantly — new deployments, updates, configuration changes, access decisions. The MDM platform that makes app management easy is the one your IT team will actually use well.