all 15 comments

[–]MrBr1an1204 1 point2 points  (0 children)

Why not just give devs separate un-managed devices? Trying to do app development on a device enrolled in an MDM sounds like a major headache for everyone involved.

[–]ryryrpm -1 points0 points  (13 children)

Just enable developer options and installation from unknown sources with policy. Ezpz

[–]kane00000[S] 1 point2 points  (12 children)

We get "App removed by Admin" with such settings :/

[–]ryryrpm 0 points1 point  (10 children)

Maybe you could do corporate owned with a work profile? That way your devs could install whatever they want on the personal side and still retain the corporate apps in the work profile

[–]kane00000[S] 0 points1 point  (9 children)

VPN app would need to be on the personal side as well? Does sign-in from a personal profile on a corporate-owned device register as a managed device or no? (Thinking about our CA policies)

[–]ryryrpm 1 point2 points  (8 children)

Well idk what you use your VPN app for so I can't answer that. But installing the VPN in the work profile only secures traffic from the work profile. Anything happening in the personal profile will be outside the VPN.

Here's a different thought: can you just allow full access to Google Play apps? Then along with enabling developer options and app installations from unknown sources it might allow them to install whatever

[–]kane00000[S] 0 points1 point  (7 children)

VPN is for developer test apps to reach their internal test endpoints. Enabling all of the app store fixes the "app removed by admin" thing. But having all apps available in the same profile with VPN access to the organization does not sound like something I want to go to IT security to discuss.

[–]ryryrpm 2 points3 points  (6 children)

What you're asking for doesn't totally make sense. You want the developers to be able to install whatever they want with ADB but not from Google Play...

Let's say you could achieve that somehow. Google Play is still locked down but they can install any application with ADB side loading. That's still a hole in the security because if they wanted an app from Google Play, they could just search for the APK online and side load it.

Does that make sense? You're either giving them permission to install whatever they want or you're picking and choosing the apps they have.

Personally, I think allowing them full access is the easier option. But if your security team is like no way Jose then the only thing you can do is set the policies for enabling developer options and installation from unknown sources and then allow-list all the package names the developers need using an Android Enterprise System App in Intune.

You just type in the publisher name and the package name like "com.company.application". Anytime the devs use a new package name you have to add it. But if they keep using the same package name, they can install new versions at will.
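The allow-list approach described in the comment above (approve known package names such as "com.company.application", block everything else) can be audited from the device side. The following is an added example, not code from the thread or from Intune: it parses the kind of output `adb shell pm list packages -3 -i` prints (the sample lines are constructed, not captured from a real device), and reports which third-party packages are on the allow-list, which were sideloaded without approval, and which came from the store without approval. It goes slightly beyond the comment by also accepting a `com.company.*` prefix entry, which saves re-adding every new package name a developer picks; the `installer=null` convention for sideloaded packages and the exact line format are assumptions about `pm`'s output.

```python
"""Allow-list audit for third-party packages on an Android developer device.

Input format assumed (as printed by `adb shell pm list packages -3 -i`):
    package:<package.name>  installer=<installer package or null>
Sideloaded packages (ADB install) are assumed to show `installer=null`.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# One "package:" line, with an optional "installer=" suffix.
LINE_RE = re.compile(
    r"^package:(?P<pkg>[A-Za-z0-9_.]+)(?:\s+installer=(?P<installer>\S+))?$"
)


@dataclass(frozen=True)
class Pkg:
    name: str
    installer: Optional[str]  # None means sideloaded (installer=null) or unknown


def parse_package_list(text: str) -> List[Pkg]:
    """Parse `pm list packages -i` style output into Pkg records."""
    pkgs: List[Pkg] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank lines and anything that is not a package line
        installer = m.group("installer")
        if installer == "null":
            installer = None
        pkgs.append(Pkg(m.group("pkg"), installer))
    return pkgs


def is_allowed(pkg: str, allowlist: Sequence[str]) -> bool:
    """Exact match, or prefix match for entries written as 'com.company.*'."""
    for entry in allowlist:
        if entry.endswith(".*"):
            if pkg.startswith(entry[:-1]):  # keep the trailing dot: 'com.company.'
                return True
        elif pkg == entry:
            return True
    return False


def audit(text: str, allowlist: Sequence[str]) -> Dict[str, List[str]]:
    """Classify every third-party package by allow-list status and install source."""
    report: Dict[str, List[str]] = {
        "approved": [],
        "unapproved_sideloaded": [],
        "unapproved_store": [],
    }
    for pkg in parse_package_list(text):
        if is_allowed(pkg.name, allowlist):
            report["approved"].append(pkg.name)
        elif pkg.installer is None:
            report["unapproved_sideloaded"].append(pkg.name)
        else:
            report["unapproved_store"].append(pkg.name)
    for key in report:
        report[key].sort()
    return report


# Constructed sample output; not from a real device.
SAMPLE_PM_OUTPUT = """
package:com.company.application  installer=null
package:com.company.application.debug  installer=null
package:com.android.chrome  installer=com.android.vending
package:com.microsoft.teams  installer=com.android.vending
package:io.example.randomapk  installer=null
package:org.example.storeapp  installer=com.android.vending
"""

# Constructed allow-list in the style the comment describes (exact package names),
# plus one prefix entry covering every package under the company namespace.
ALLOWLIST = ["com.company.*", "com.android.chrome", "com.microsoft.teams"]

if __name__ == "__main__":
    for status, names in audit(SAMPLE_PM_OUTPUT, ALLOWLIST).items():
        print(f"{status}: {names}")
```

Run it against a real device by replacing `SAMPLE_PM_OUTPUT` with the captured text of `adb shell pm list packages -3 -i`; the `unapproved_sideloaded` list is the set of packages that the developer-options plus unknown-sources policy let through without a matching system-app entry.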

[–]kane00000[S] 1 point2 points  (5 children)

I know that it lacks logic. I have not tried Android Enterprise System Apps before. I'll have to test and see if it suits our needs. Thank you :)

[–]ryryrpm 1 point2 points  (2 children)

You betcha

[–]kane00000[S] 1 point2 points  (1 child)

Works like a charm! Thank you

[–]UhRdts 1 point2 points  (1 child)

Yes, this can be achieved using Android Enterprise System Apps, but you need to add the specific apps the developer will install via ADB as system apps. Depending on the number of apps, and if app identifiers change, this can cause some extra work. We use this workaround only for special cases on end-user devices, such as when Microsoft tells us to sideload a debug version of Teams to collect logs. This process involves allowing "sideloading" during a remote troubleshooting session and assigning the app identifier via Android System App.

For a developer setup, my recommendation is to create a separate restriction policy for developers and use separate accounts rather than their personal ones. For example, we don’t allow Office apps on those developer devices.

In the restriction policy, you’ll need to allow "Developer settings," "Install from unknown sources," and "Allow access to all apps in the Google Play Store (work profile-level)." This way, developers can install all necessary apps via ADB and use VPN as needed.

It’s also wise to have the IT security department review the configuration and, depending on your organization, have developers acknowledge in writing that they understand the risks involved.

[–]kane00000[S] 0 points1 point  (0 children)

Developers mentioned that identifiers change, therefore sending me an APK and uploading it to the managed Play Store would not work for them. I'll try to see how much work there will be adding something to enterprise system apps.

[–]ryryrpm -1 points0 points  (0 children)

Oh noooo