Managing and monitoring App Update Policies in MDM
Setting up policies that satisfy organization-wide regulations and compliance requirements without compromising employees' user experience can be a tough process. Practical update workflows can be achieved when devices, apps, and users are properly planned and categorized, which helps avoid device crashes, bandwidth choking and compatibility issues.
After creating the required app update policies, it is equally important to monitor policy settings regularly and verify which options are ideal for your enterprise.
Best practices to manage app updates and their policies
- Review current processes followed to update apps
- Identify areas which need a turnaround
- Analyze existing devices, end-users, managed apps
- Structure and categorize the criticality of devices: Production, Testers, Signage, under maintenance, etc.
- Understand the impact of updates based on the category and importance: High impact, Moderate, Low, None
- Set up policies with schedules that update apps conveniently, but also in a way that security remains unaffected.
- Frequently revisit existing policies and modify as and when requirements change
Handling conflicts between different app update policies
What is considered a 'conflict' in terms of policies?
When multiple policies are applied to a Group or to different Groups, the variations in the options/configurations selected in the policies are referred to as conflicts, i.e., an overlap in similar or different policy settings.
Here's an example of how a policy conflict can occur:
John, a day shift sysadmin, sets up App Update Policy - A and associates it with the Sales Group. Sally, a night shift sysadmin, sets up App Update Policy - B and associates it with the WFH Group.
However, a few devices are part of both Groups. These devices should receive updates based on only one of the policies. This is an example of a conflict in app update policies.
How does Mobile Device Manager Plus handle such variations in different policies that are associated with the same or different Groups?
When there are differences in configurations between policies, MDM applies the most stringent, secure, and convenient of the policies. For example, if the Preferred Time differs in two policies applied to a Group, the most recent 'Preferred Time' will be considered while pushing app updates.
Below is a table with an example of two policies associated with a Group, and the outcome of these policies' combined settings.
Policy A | Policy B | Outcome |
---|---|---|
The policy is configured to update 'All Apps' | The policy is configured to update 'All Store Apps' | MDM will rollout app updates for 'All Apps', and not only Store apps. This ensures that all apps managed by the product receive due updates as and when approved and available. |
Apps are selected to be Automatically approved | Apps need to be manually approved during distribution | Apps will have to be manually approved during the distribution process. This gives the organization time to test, decide and then deploy the app updates to devices. |
Immediate update deployment | Update deployment via the Scheduled Window | Scheduled Window will be followed to update apps based on the specified time span, frequency and date. |
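The outcomes in the table above can be modelled to audit group memberships for devices that receive more than one policy. The following Python code is an added example, not Mobile Device Manager Plus code or its API; the field names, the device names, and the assumption that the same outcomes apply when the two policies reach a device through different Groups are illustrative.

```python
# Added illustration: models only the three rows of the outcome table.
# Field names and values are assumptions, not the product's API or schema.
from dataclasses import dataclass

# Broader scope wins: 'All Apps' outranks 'All Store Apps' (table row 1).
SCOPE_RANK = {"all_store_apps": 1, "all_apps": 2}

@dataclass(frozen=True)
class UpdatePolicy:
    name: str
    scope: str          # "all_apps" | "all_store_apps"
    auto_approve: bool  # False = manual approval during distribution
    scheduled: bool     # False = immediate deployment

def effective(policies):
    """Combine policies the way the documented outcome table describes."""
    return {
        "scope": max((p.scope for p in policies), key=SCOPE_RANK.__getitem__),
        # Manual approval wins if any policy requires it (row 2).
        "auto_approve": all(p.auto_approve for p in policies),
        # Scheduled Window wins over immediate deployment (row 3).
        "scheduled": any(p.scheduled for p in policies),
    }

def audit(device_groups, group_policies):
    """Return {device: (policy names, effective settings)} for devices
    that receive more than one distinct policy via group membership."""
    findings = {}
    for device, groups in device_groups.items():
        seen = {p.name: p for g in groups for p in group_policies.get(g, [])}
        if len(seen) > 1:
            findings[device] = (sorted(seen), effective(list(seen.values())))
    return findings

# Constructed sample data, mirroring the Sales / WFH example above.
POLICY_A = UpdatePolicy("Policy A", "all_apps", True, False)
POLICY_B = UpdatePolicy("Policy B", "all_store_apps", False, True)
GROUP_POLICIES = {"Sales": [POLICY_A], "WFH": [POLICY_B]}
DEVICE_GROUPS = {
    "laptop-01": ["Sales"],
    "phone-07": ["Sales", "WFH"],   # member of both groups
    "tablet-03": ["WFH"],
}

if __name__ == "__main__":
    for device, (names, outcome) in audit(DEVICE_GROUPS, GROUP_POLICIES).items():
        print(device, names, outcome)
```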
Associating multiple or similar app update policies
If multiple app update policies are associated with a Group, MDM permits this, but with a few constraints to handle any variations in these policies. If there are differences in configurations between policies, MDM applies the most stringent of the policies.
For example, if the Preferred Time differs in two policies applied to the same Group, the most recent 'Preferred Time' will be considered while pushing app updates.
MDM decides which is the most ideal and efficient policy out of the different policies associated with different Groups. If one policy is configured such that All Apps (except a few excluded) should be updated on a Weekly basis, and the other policy is for Specific Apps on a Daily basis, MDM will prefer the first policy, since this ensures that all apps receive updates and not only specific apps. (This eases the repetitive tasks of an IT admin since the policy covers All Apps.)
It is recommended to set up app policies after revisiting the existing workflows, users' schedules, and also after analyzing the impact of each option on the production environment.
Consider this: A policy to update 'All Store Apps' is already associated with a Group.
- After this 'All Store Apps' update policy is associated, another policy with the 'All Apps' option selected is applied.
  Outcome: MDM will permit the second policy to be associated with the Group, but a message will be displayed to keep the admin informed.
- A policy with the 'Specific Apps' option is associated to the same Group.
  Outcome: MDM will permit the second policy to be associated with the Group. A message will be displayed to keep the admin informed that the previous app update policy has the 'Store Apps' option selected.
- You try to associate a policy with the same 'All Store Apps' option.
  Outcome: MDM will not permit proceeding with this policy's association.
Possible cases with policies
Below is a list of all possible statuses and the corresponding remarks that will be displayed on the product console to indicate the current progress of app updates.
Status | Remark | Resolution/Reason |
---|---|---|
Install Pending | Device is offline. App will be distributed once it comes online. MDM has initiated the update installation, but the device may not be connected to the Internet. | Verify and ensure proper connectivity so that MDM can distribute the app update. |
Install In-Progress | Installing the app on the device. | The app update is getting installed and will soon be available on your user's device. |
Published to catalog | User should install the app from the App Catalog | The app update is successfully distributed to the App Catalog. The user needs to click on the 'Update' button to install it. |
Installed | Successfully installed the app update on the device | You're all set, the update is available on devices. |
Install Failed | Failed to download the app due to unknown reasons. Re-try scheduling the policy. | Set a different schedule for the update to occur at, or re-try saving the same policy again. If there are still issues with installing the updates, contact support for further assistance. |
Removal Pending | Device is offline. App will be removed once it comes online. | Make sure that the device is connected to a stable Internet connection, and re-try. |
Removal Failed | Uninstallation failed | Check network connectivity on the device, and re-try removing the app |
Update Scheduled | Update is scheduled for [date/time] or Update is scheduled for future distribution | The app update will be distributed later. The update will be distributed at the date and time mentioned in the policy. |
Update Pending | Update pending from Play Store. Learn more. | MDM can only deploy store updates as and when Play Store makes them available. Wait for a few days and re-try. |
Update In-Progress | App update in progress on the device | The update is taking place on the device, based on the settings in the policy. |
Update Published to catalog | Update distributed to App Catalog. User should install the update. | In this case, the app installation type would have been selected as 'Distribute to App Catalog'. Hence, as per the app update policy, the update is distributed to the App Catalog, and the user is yet to download it. |
Updated | Successfully updated the app on the device | The app update is successfully deployed to the device based on the policy's settings. |
Update Failed | Unable to update the app. MDM will retry updating the app in the next scheduled window. | The next attempt to update the app will take place in the upcoming scheduled window. Ex: If the update didn't take place today at 4:30 PM (as per schedule), then MDM will re-try distributing the update tomorrow at 4:30 PM. |
Not applicable | App cannot be installed as the device is incompatible with the app. | Try upgrading the device to the latest OS version, to check app-device compatibility. |
Points to note/Troubleshooting
- Availability of Store updates is reliant on when app developers make the updates available on the respective app stores. MDM can only fetch these updates when they are available. Once in every 24 hours, the MDM server contacts the app stores to collect available apps and their updates. To manually sync and fetch apps and their updates, use the Sync Apps button on the App Repository.
- Enterprise app updates are considered 'available' when they are uploaded to the App Repository. To learn how to upload enterprise app updates, refer to this.