Update apps automatically on Android+ devices and MobiControl upgrades
(1) If the active MDM API of your enrolled device does not include "Android for Work Managed Device" or "Android for Work Work Profile", then it is not an Android-Enterprise device, and mandatory apps from Managed Google Play store will not be deployed/upgraded automatically to such device.
For device using OEM specific Android+ device agent, a Google account must be added before apps from Google Play store (but NOT from Managed Google Play store) can be installed/upgraded. One possible way to disallow end-user from installing arbitrary Google Play apps on the device is to use application-run-control whitelist to restrict what can be installed/run on the device.
(2) For MobiControl cloud upgrade, the following are based on experience for many of my commercial/governmental customers using Soti Cloud instance:
- Do I have to specify which version I want to upgrade to or do they always upgrade to the latest version? Yes, you have to specify which version and build number to use. Actually, you should be requested to fill in a 1-page upgrade request form to give all necessary details.
- How long does the upgrade take? Unless your cloud instance is a big one with complicated architecture, an upgrade usually takes no more than 2 hours
- Is there any downtime or lost data to worry about? Can I take a backup? You can specify which time slot to perform the upgrade. The database will be backed up, just in case there is a need to fall back. In principle, you could request Soti to give you a zipped image of the back-up database, but all of my corporate/governmental customers (except one) didn't bother to get theirs in the past few years.
- How will users be affected by the upgrade? In general, all pushed policies on the device will still be operational when the server is down, and the end-user should not notice any difference. However, any policies that need server to be on-line (e.g. alert rule, enterprise resource gateway, etc.) will not work while the server is down and being upgraded.
(3) Neither MobiControl agent itself nor any of its operations require root access. This has been field proven for many tens of my commerical/governmental customers deploying thousands of Samsung devices in the last few years. From our device tests for different customers ever since AFW/AE has been launched , virtually all Samsung devices running Android 5+ support Android Enterprise without any problem. If your Samsung device has its Knox warranty bit set, then it is very likely that it has been rooted using customized ROM or some kind of rooting app in the past. This warranty bit is actually a hardware fuse that can't be cleared once it is blown, and such compromised device cannot be configured to run Google's Android-Enterprise due to security reasons. There is nothing anyone can do except to replace the circuit board.
The active MDM API on the enrolled devices are Samsung MDM 5.7, Samsung RC1, & Samsung KNOX v2.4 so I guess that means we can't have auto updates for the apps since the devices I checked all have their .
Is there a script that can be used to have the device update a specific app from the Play Store in the background? (preferably without requiring user input).
I know the Play Store allows me to specify which apps to auto update but since the default option is to allow apps to auto updates, that means I'd have to open each app from the Play Store and uncheck the auto update option. If this is a one time thing that will be reflected on all devices then I wouldn't mind doing it but, correct me if I'm wrong from what I can tell these options are on the device itself only so I'd have to uncheck each app I don't want updates for on every device.
Thanks for the upgrade info, it gave me an idea of what to expect when Soti support get back to me and I can look into the different versions/builds while waiting for them. It's reassuring that none of the users will be affected during the upgrade.
As for the root access question, I just checked some more devices and found one that some of them don't have the Knox warranty bit triggered even though they also have MobiControl installed, so like you said it's not Soti related.
I used the shell script below using the legacy plugin for remote access to get the status remotely
This script didn't work when sending the script using the "Send Script" option for devices, so is there a way to send shell scripts through here and have the results displayed in the logs tab of the device somehow?