SOTI Pulse Logo

Android work profile not allowing app to be installed

JK
James Knight

I have an in-house app which we deploy as an apk via a profile.

I have 2 profiles - one for work managed devices and one for work profile devices.

The managed device profile works fine, always installs the app without a hitch.

But for the BYOD (work profile) devices, the app usually doesn't install. I have one successful deployment (after agreeing to the installation of an app from an unknown source) but two other phones refuse.

The devices have a feature control policy in place with "Allow Installation From Unknown Sources" turned on, and, on the devices, I have also allowed apps from unknown sources to be installed by MobiControl.

Nothing seems to work - the app installation request sits in a 'pending state' on the portal for 15 minutes or more, before finally reporting 'failed'.

The log merely states "Package (name) version (version) failed to install. File IO error on device. Check Storage/Permissions.

As a test, I tried downloading the apk using a browser - I then get the message about installing unknown applications and have to authorise the browser to install. This does work, but only helps me a bit, because I won't easily be able to deploy updates using that method.

I'm certain this is a permission issue, but can't figure out what needs changing. These are new device enrolments by the way.

Hope someone can help.

Thank you

James

(Mobi Control Cloud 15.6.3.1018)

2 years ago
SOTI MobiControl
ANSWERS
RS
Rafael Schäfer
2 years ago

Did you ever try to provide the app as Enterprise app (app policy) instead of profile?

JK
James Knight
2 years ago

I did - annoyingly, I was guided to alter this by Soti's support agent when we were trouble-shooting another issue, as he said that the profile method was a more reliable method of pushing mandatory apps to devices than using an app policy.

If can't change it now without uninstalling the app from 60 devices and pushing it back again using an app policy. As I discovered the hard way that, when deploying a new package version, you get errors if you install an app using an application policy and then try to update it using a profile (or vice versa).

I've now managed successfully to push the app to 2 additional 'work profile' devices but I had to jump through some undocumented hoops:

1. In device settings, you have to find the 'install apps from unknown sources' permission and 'allow' Mobi Control to install such apps. You have to take care to ensure that you set the permission for the Mobi Control instance in the work profile (as you also start with a Mobi Control instance in the personal profile which I think can be deleted after configuration of the work profile is complete). This caught me out as I had set the permission in the personal version, but the work version is the one trying to install the app.

2. Force re-install the package from MobiControl and then watch out for notifications on the lock screen of the device asking for permission to install the app. These notifications do not appear as formal notifications - you have to keep reviewing the list of notifications until it silently turns up. MobiControl never actually pops up a notification/request.

By following the above, I've managed to install on 3 out of 5 devices now and will try the other 2 when I can get my hands on the devices.

I hope this helps someone else!

RC
Raymond Chan Diamond Contributor
2 years ago

Hi James,

Please note that the steps you mentioned in your first point, namely granting permission for MobiControl device agent app and "install apps from unknown sources" in Settings are both needed even for AE devices in Device-Owner/Managed-Device mode.   They are of course needed for the less secure "Work Profile" device mode on BYOD/CYOD devices.

JK
James Knight
2 years ago

Well, of course, I know that now. But I couldn't find anything in the documentation to tell me that, and the Premium support team at Soti didn't seem to know this either. Trial and error gave me the solution.

Of more concern is the fact that I cannot get any work profile device to give me a notification so that I can authorise the installation. It's hidden away in the list of previous notifications, and never pops up on the screen even when the device is awake. The device sits there awaiting permission, without ever actually requesting it, and the server eventually gives up.

Thank you.

G
GPMOD@SOTI
2 years ago

Hi James,

Thanks for posting on SOTI Pulse and thanks Rafael and Raymond for responding to the post.

My recommendation will be to check an ADB log for the device while the app installation, it may give you more information on app installation failure. 

Thank you. 


Kind regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

JK
James Knight
2 years ago

I am still struggling with this, and Soti have yet to find a resolution. I feel as though I am missing some obvious piece of information which everyone else knows.

To summarise, we have a mixture of Android Enterprise fully managed, and work profile devices and we push an in-house application to them as an apk file. Deployment works perfectly for fully managed devices, but hardly at all for work profile devices. We have the same experience using a profile, and an application policy.

For work profile devices, Soti attempts to deploy the app and awaits permission from the user, but the device does not actually ask for the user's permission, and after 15-30 minutes the server times out with an error. On further investigation, I discovered a notification in the notification list, but the notification *never* pops up. So, if you don't know to look for it, you never see it - which defeats the purpose of notifications.

Worse, when I have subsequently deployed an update, there is no notification even in the notifications list. So there is literally no way of deploying an update other than deleting the app and re-deploying it. Which is obviously not practical and renders the MDM useless for these devices.

Has anyone had any similar experience and figured out how to resolve it?

Is there some restriction with notifications in work profile mode? I have checked all the settings that I can find, and have notifications for MobiControl (in work profile) enabled.

The devices are running a mixture of Android 10, 11 and 12, and MobiControl is cloud-based, version  15.6.3.1018.

Thank you.

JK
James Knight
2 years ago

Is anyone successfully managing to deploy an in-house app to a work profile?

Using the app profile method (which puts the app into the "In-house" section of the Application catalog) I can see the app and I can click "install" or "upgrade" but - again - MobiControl then waits for permission which is never requested. If I swipe down to get the notifications list, the permission request is there, and if I click to accept then the app installs.

There seem to be two issues here:

1. When doing the initial enrolment, MobiControl does not request permission for Installing apps from unknown sources. This seems like an oversight, as it does request other permissions (display over other apps, etc).

2. Even with this permission enabled, the install/upgrade notification never appears other than in the silent list. So you have to look for it, which means that the only way of upgrading is to do it manually on the device.

Has anyone found a way of making this work? I do have an open support ticket but no joy yet.

Thank you. 

A
AMMOD@SOTI
a year ago

Hi James,

I appreciate your post on SOTI Pulse, and I extend a special thank you to Rafael and Raymond for their prompt responses. Your expertise and willingness to assist are greatly appreciated!

Regarding your inquiry, you mentioned that your in-house application deploys successfully on work-managed devices, but on work profile devices, it takes approximately 10 to 15 minutes, sometimes longer, and occasionally gets stuck without installation. Additionally, you noted that during troubleshooting, when pushing the in-house application to BYOD devices, it requires certain permissions. Although a notification typically appears in the background, it does not display on the device's front end, requiring you to locate and enable the permission manually for installation.

Currently, I have not encountered a situation where an in-house application behaves similarly to yours. Regarding the mentioned permissions, specifically granting permission for the MobiControl device agent app like "install apps from unknown sources," as Raymond mentioned, this permission is required for both work-managed and work-profile devices.

It was also suggested to review the ADB logs to understand the device's current state. I recommend doing so, as ADB logs provide detailed information about why the application may not be installed and what permissions it requires for installation, potentially blocked by MobiControl itself.

You mentioned previously raising a support ticket without any resolution. Therefore, I kindly request an update on the situation. Are you still encountering the same issues with your specific BYOD devices and the in-house application? If possible, please provide the ticket number so that we can resume an investigation into the issue for your devices.

Thank you for your cooperation.

Kind regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

JK
James Knight
a year ago

Hi, thanks for replying. This was raised under case C00668680 last July, and was closed without resolution in November.

It was concluded that it was not possible to push an app update notification to an Android device with a work profile.

To be clear, I have not said that there is a 10-15 minute delay and that it occasionally does not install. Quite the contrary. I have said that it *never* pushes the app update to a work profile device and that, after 15-30 min, Mobi Control gives up. This is not a delay, it's a fail.

Essentially, the device receives a notification but it does not inform the user. The user only sees the notification if they look for it - it *never* pops up on their screen. So I have to push the update, and then contact each user to ask them to swipe for notifications and look for the one relating to the app update. If this doesn't happen within a short time window, the update fails.

This is in addition to the fact that additional permissions for installing apps have to be set after the profile is installed, which I discovered by trial & error. Without those permissions, the app can't be installed at all, even if the user seeks out a notification - even though the app is installed ok when the profile is first deployed. The problem is with updates. 

I have been unable to install an app update to *any* work profile device (BYOD) without manually deploying the update on each device. It works perfectly on managed devices.

I've also been unable to install a COPE profile and this is currently under investigation in case C00733849.

I hope you can help.

Thank you.

MG
Michael Gaither
a year ago

Hi 

I have been doing some testing of my own on the COWP devices and was unable to get the app to install on the work profile.

After going through the settings in the feature control i changed the allow install from unknown sources options to the following.

personal is off

Work profile is on

Once i did this i was able to install the app via enterprise app policy.

I hope this is able to resolve your issue.

regards

Mike

C
CKMOD@SOTI
a year ago

Hi James,
 
Thanks for posting on SOTI Pulse, Thanks Raymond and Rafael
for responding to the post, your expertise and willingness to help are greatly appreciated!
 
Have you had an opportunity to test the suggested solutions by Michael Gaither and has it successfully addressed your query?
 
If not, or If you have any additional questions or concerns, please don't hesitate to reach out. We're dedicated to providing assistance and support.

Similar Discussions