Add Android Enterprise MDX app

[Chris Tyson1709156276]

We are in the process of setting up Android Enterprise and are trying to add an MDX wrapped app.

According to https://docs.citrix.com/en-us/xenmobile/server/apps.html#add-an-mdx-app  we should get a prompt "App is not approved" with the option to go to Google Play Store and approve it.

Instead we are getting the prompt "Error - App is not a managed Google Play Store app. Try another file." - Which is true as it's a locally MDX wrapped app.

 

Have I missed a step somewhere?

[Alex Rubio]

If you are adding a private app (not public app store), then follow these directions on the same page:

https://docs.citrix.com/en-us/citrix-endpoint-management/apps.html#add-private-android-enterprise-apps-as-mdx-wrapped-enterprise-apps

 

[Chris Tyson1709156276]

Hi Alex,

Thanks for the link, it looks like is the ISV wrapping section I need. 

[Chris Tyson1709156276]

Hi,

Tried following the instructions, wrapping via the MDX service doesn't have the option to add "apptype" parameter.

 

Wrapping via the command line errors with "Failed to find required assets/mdx/premium_mdx_policies.xml"

 

 

 

[Fabian Sauer]

Hi,

we had the same issue at our site.

For me the follwing steps were needed:

1. Wrap the application via command line

java -jar /Applications/Citrix/MDXToolkit/ManagedAppUtility.jar wrap -in /Users/xxx/Downloads/xxx.apk -out /Users/xxx/Downloads/xxx_wrapped.mdx -keystore /Users/xxx/Downloads/Keystore\ Android/dsa.keystore -storepass dsa.keystore -keyalias wrapkey -keypass dsa.keystore -apptype General

2. Upload the app via XMS under "Add Application" "Enterprise". The app gets now uploaded to Google Work Store. (If app is already avaliable in Public Store you need to change bundle name via apktool)

3. Wait until upload is complete and avaliable and check if idenfifier matches: https://play.google.com/work/apps/details?id=###yourappid###

4. Add Url to MDX

java -jar /Applications/Citrix/MDXToolkit/ManagedAppUtility.jar setinfo -in /Users/xxx/Downloads/xxx_wrapped.mdx -out /Users/xxx/Downloads/xxx_wrapped_withstoreurl.mdx -storeURL "https://play.google.com/store/apps/details?id=###yourappid###"

5. Upload MDX file as Android enterprise MDX.

This will let me download the App from AFW App Store.

The problem for me now is, that if the app starts it asks me if this ist personal or company app. If I choose company, it loads policies from MDX file. Then the app needs to be restarted and comes then with the error that the encryption policy has changed and the app needs to be reinstalled.

Wrapping with -apptype Premium will not work for me also with the issue "Failed to find required assets/mdx/premium_mdx_policies.xml".  @Chris Tyson1709156276: Wrapping via MDX Service is not supported for Android Enterprise (https://docs.citrix.com/en-us/citrix-endpoint-management/apps.html?&_ga=2.153764792.1469195250.1594047235-705138465.1592841597#add-private-android-enterprise-apps-as-mdx-wrapped-enterprise-apps)

Anyone facing the same issue ?

Thanks
Fabian

 

[Fabian Sauer]

I opened the case #79855501 for that now

Cheers

Fabian

[Fabian Sauer]

Hi,

so my issue with the app got resolved now and I am able to wrap the application for Android Enterprise with the following command.

It seems to be important to add the -MinPlatform 5.0 parameter and the premium_mdx_policies.xml and -apptype Premium. The Content of the premium_mdx_policies.xml is attached. This will create two files one app_wrapped.mdx and one app_wrapped.apk file. The .apk file needs to be uploaded to Google via XMS and the .mdx file needs to be uploaded directly to XMS Server. 

Cheers

Fabian

 

 

java -jar /Applications/Citrix/MDXToolkit/ManagedAppUtility.jar wrap -in /Users/xxx/Downloads/app.apk -out /Users/xxx/Downloads/app_wrapped.mdx -keystore /Users/xxx/Downloads/Keystore\ Android/dsa.keystore -storepass xxx -keyalias wrapkey -keypass xxx -apptype Premium -premiumMdxPolicies /Users/xxx/Downloads/premium_mdx_policies.xml -MinPlatform 5.0  -storeURL "https://play.google.com/store/apps/details?id=xxx"

 

 

premium_mdx_policies.xml

 

<?xml version="1.0" encoding="UTF-8"?>
<MobileAppPolicies>
    <PolicySchemaVersion>
        1.0
    </PolicySchemaVersion>
    <Policies>
        <DevicePasscode>false</DevicePasscode>
        <AppPasscode>false</AppPasscode>
        <MaxOfflinePeriod>72</MaxOfflinePeriod>
        <StepupAuthAddress/>
        <RequireUserEntropy>false</RequireUserEntropy>
        <BlockRootedDevices>true</BlockRootedDevices>
        <BlockDebuggerAccess>false</BlockDebuggerAccess>
        <RequireDeviceLock>false</RequireDeviceLock>
        <RequireDeviceEncryption>false</RequireDeviceEncryption>
        <WifiOnly>false</WifiOnly>
        <RequireInternalNetwork>false</RequireInternalNetwork>
        <InternalWifiNetworks/>
        <AllowedWifiNetworks/>
        <UpgradeGracePeriod>168</UpgradeGracePeriod>
        <WipeDataOnAppLock>false</WipeDataOnAppLock>
        <ActivePollPeriod>60</ActivePollPeriod>
        <EncryptionKeys>Offline</EncryptionKeys>
        <PrivateFileEncryptionEnum>Disabled</PrivateFileEncryptionEnum>
        <PrivateFileEncryptionExcludeList/>
        <PublicFileAccessLimitsList/>
        <PublicFileEncryptionEnum>Disabled</PublicFileEncryptionEnum>
        <PublicFileEncryptionExcludeList/>
        <PublicFileEncryptionMigrationEnum>Disabled</PublicFileEncryptionMigrationEnum>
        <CutAndCopy>Unrestricted</CutAndCopy>
        <Paste>Unrestricted</Paste>
        <DocumentExchange>Unrestricted</DocumentExchange>
        <OpenInExclusionList/>
        <InboundDocumentExchange>Unrestricted</InboundDocumentExchange>
        <InboundDocumentExchangeWhitelist/>
        <connectionSecurityLevel>TLS</connectionSecurityLevel>
        <DisableCamera>false</DisableCamera>
        <DisableGallery>false</DisableGallery>
        <DisableMicrophone>false</DisableMicrophone>
        <DisableLocation>false</DisableLocation>
        <DisableSms>false</DisableSms>
        <DisableScreenCapture>false</DisableScreenCapture>
        <DisableSensor>false</DisableSensor>
        <DisableNFC>false</DisableNFC>
        <BlockLogs>false</BlockLogs>
        <DisablePrinting>false</DisablePrinting>
        <EnableSharefile>true</EnableSharefile>
           <MvpnNetworkAccess>MvpnNetworkAccessUnrestricted</MvpnNetworkAccess>
        <MvpnSessionRequired>False</MvpnSessionRequired>
        <NetworkAccess>NetworkAccessUnrestricted</NetworkAccess>
        <DisableLocalhostConnections>false</DisableLocalhostConnections>
        <CertificateLabel/>
        <DefaultLoggerOutput>file</DefaultLoggerOutput>
        <DefaultLoggerLevel>15</DefaultLoggerLevel>
        <MaxLogFiles>2</MaxLogFiles>
        <MaxLogFileSize>2</MaxLogFileSize>
        <RedirectSystemLogs>false</RedirectSystemLogs>
        <EncryptLogs>false</EncryptLogs>
        <GeofenceLongitude>0</GeofenceLongitude>
        <GeofenceLatitude>0</GeofenceLatitude>
        <GeofenceRadius>0</GeofenceRadius>
        <EnableGoogleAnalytics>false</EnableGoogleAnalytics>
        <AcceptAllSSLCerts>true</AcceptAllSSLCerts>
        <UseSecureConnection>true</UseSecureConnection>
        <LockScreenNotifications>Allow</LockScreenNotifications>
        <Authentication>OfflineAccessOnly</Authentication>
        <ReauthenticationPeriod>480</ReauthenticationPeriod>
        <AuthFailuresBeforeLock>5</AuthFailuresBeforeLock>
        <EncryptionVersionEnum>2</EncryptionVersionEnum>
        <AnalyticsDetail>AnalyticsDetailComplete</AnalyticsDetail>
    </Policies>
</MobileAppPolicies>
 

 

 

[Chris Tyson1709156276]

Hi Fabian,

 

Many thanks for the information, I'll give the above a go.

 

[Chetan Thakker]

Sorry for the delayed response: We have documented this here: https://docs.citrix.com/en-us/citrix-endpoint-management/apps.html#add-private-android-enterprise-apps-as-mdx-enabled-enterprise-apps

 

And tech zone doc for AE migration : https://docs.citrix.com/en-us/tech-zone/build/deployment-guides/android-device-administrator-to-android-enterprise.html#introduction