Android Enterprise Agent Update
You can have all approved apps and their update downloaded DIRECTLY from Managed Google-Play store simply by creating a Managed Google Play Account (MGPA) with MDM software such as MobiControl. This approach saves the hassle of integrating corporate domain name with the alternative Managed Google Account (MGA) that also support apps download/upgrade from Managed Google-Play store.
Once your MGPA account has been set up and integrated with your MDM server, you can select at Google's Portal what free app(s) (and buy paid apps for some countries at the moment) that can be available on your Managed Google Play store for your devices. Then, add app-catalogue rule(s) to select which apps from the above set in your own Managed Google Play store will be mandatory( =>pushed automatically to the device) or suggested (installed on-demand by device end-user) for each target group(s) of devices.
You can of course include the free MobiControl Android Enterprise device agent in your Managed Google-Play store. Also, there are options on Google's portal to configure if the updated version of an app needs approval from the administrator for deployment. This approval can optionally be made automatic if new app version only used the same set of permissions as the old version.
I did not added the MobiControl Agent to the Enterprise Store. it looks like the Agent is included by default.
Google Play Store for Work
Play Store on the Device
And by Default Auto Update is enabled:
I cant find an option to disable auto upate. Only auto approvment for new permissions:
Also in the Application Catalog i coudnt find an option.
Then i think the only way is to disable the automatic updates on the devices..
But I dont know how, because writesecuresetting is not working anymore on android enterprise
MobiControl device agent is not included by default for all brands/models. We don't have that for Samsung Huawei, Sony, etc. I'm not sure if that will be changed for all brands/models in the future.
In principle, if you have already deployed the versions of device agent and system apps from Managed Google Play store onto the devices, you can disable the corresponding app-catalogue rule and updated version of the associated apps will not be updated to the device. Unapproving the app at Google's portal MAY also make further update not possible, but I am not sure whether or not the deployed app will be uninstalled. This is extremely unlikely for the device agent and sys apps, but normal non-sys apps may be vulnerable. You have to test it out on your device brand/model to confirm.
As Google seems to be still evolving/tuning the app deployment mechanism, be prepared to see changes in the near future. E.g. there might be new API for MDM software to provide more control to the administrator; and paid or B2B apps will probably be supported for more countries/regions.