Skip to main content

The Easy Way to Approve Managed Google Play Apps

· loading ·
Intune Android Google Apps Graph API PowerShell
Author
Nick Benton
Principal Modern Device Management Consultant and Intune Blogger
Table of Contents

Introduction
#

We’ve all had to add Managed Google Play Apps in bulk to Microsoft Intune for your Android Enterprise enrolled devices, whether this is just the raft of Microsoft Apps now that all your data is in Office 365, or the hundreds you have in a rival MDM (Mobile Device Management) solution that you’re looking to migrate away from.

Anyone fancy doing this one by one with lots of mouse clicks and early onset repetitive strain injury? Didn’t think so.

This will be a quick one, and annoyingly does require a bit of effort to get the app details…more on that later though. Onto the fun part.

Managed Google Play Apps
#

As always we’re leaning on Graph again, as with everything in Microsoft Intune, and knowing we’ve setup our Managed Google Play account already, we can leverage this to add some Android Enterprise Apps into our tenant.

Android Enterprise apps can’t be added to Microsoft Intune in the same way as iOS Store Apps or even Play Store Apps, so we can’t use POST /deviceAppManagement/mobileApps for creating these in the tenant. All the work is done at the Google side, so luckily we have a way to call this via the Graph API.

Approving and Syncing Applications
#

We’re not actually creating anything here, all the Apps and the associated data exists within the Managed Play Store, what we need to do is approve an app. We can use the POST /deviceManagement/androidManagedStoreAccountEnterpriseSettings/approveApps action to our advantage.

We can make a POST call to the below URI with some JSON to approve the applications we need.

https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings/approveApps

The JSON format we need to pass through using this call is in the format below.

{
  "packageIds": [
    "Package Ids value"
  ],
  "approveAllPermissions": true
}
What Microsoft don’t tell you in the documentation is that the “Package Ids value” actually needs to be in the format “app:PackageId”, i.e. “app:com.microsoft.emmx”, thanks Microsoft.

So we’ve got the bare bones of an idea, so what we need to do is get our App Package Ids together for all the Mobile Apps we want. What? You don’t have these to hand? Well sadly there isn’t a ‘scripty’ way of getting these, not for free at least, so I’ll do you a solid and provide a list of some of the common Microsoft ones.

Mobile App Name Package ID
Microsoft Authenticator com.azure.authenticator
Microsoft Edge com.microsoft.emmx
Microsoft Excel com.microsoft.office.excel
Microsoft OneDrive com.microsoft.skydrive
Microsoft OneNote com.microsoft.office.onenote
Microsoft Outlook com.microsoft.office.outlook
Microsoft Planner com.microsoft.planner
Microsoft PowerPoint com.microsoft.office.powerpoint
Microsoft SharePoint com.microsoft.sharepoint
Microsoft Stream com.microsoft.stream
Microsoft Teams com.microsoft.teams
Microsoft To Do com.microsoft.todos
Microsoft Word com.microsoft.office.word
Microsoft Yammer com.yammer.v1

For any others, maybe your existing MDM has them listed next the App Name, otherwise you can find an app’s package name in the URL of the app’s Google Play Store listing.

For example, the URL of an app page is play.google.com/store/apps/details?id=com.example.app123. The app’s package name is com.example.app123.

As we’re using PowerShell, we could do with throwing these Package Ids into an array of some sort, just so we can loop through them later on.

$AndroidAppIds = New-Object -TypeName System.Collections.ArrayList
$AndroidAppIds.AddRange(@(
        'com.azure.authenticator',
        'com.microsoft.emmx',
        'com.microsoft.office.excel',
        'com.microsoft.skydrive',
        'com.microsoft.office.onenote',
        'com.microsoft.office.outlook',
        'com.microsoft.planner',
        'com.microsoft.office.powerpoint',
        'com.microsoft.sharepoint',
        'com.microsoft.stream',
        'com.microsoft.teams',
        'com.microsoft.todos',
        'com.microsoft.office.word',
        'com.yammer.v1'
    )
)

We could have also prefixed the Package Id with the required ‘app:’ but that’s one for later me.

The Functions
#

Now we have our list of Package Ids for the Mobile Apps in a nice format, we need to build a couple of functions (obviously) to approve the Mobile Apps and then synchronise the Apps to the Microsoft Intune tenant.

Approving Managed Google Apps
#

You would have seen this format for Graph functions a lot on this site, but the important thing here is how we’re building the JSON object and adding in the required prefix.

Function Add-GoogleApplication() {

    param
    (
        $PackageID
    )

    $graphApiVersion = 'Beta'
    $App_resource = 'deviceManagement/androidManagedStoreAccountEnterpriseSettings/approveApps'

    try {
        if (!$PackageID) {}
            Write-Host 'No PackageID was passed to the function, provide a valid PackageID variable' -f Red
            break
        }

        $PackageID = 'app:' + $PackageID
        $Packages = New-Object -TypeName psobject
        $Packages | Add-Member -MemberType NoteProperty -Name 'approveAllPermissions' -Value 'true'
        $Packages | Add-Member -MemberType NoteProperty -Name 'packageIds' -Value @($PackageID)
        $JSON = $Packages | ConvertTo-Json -Depth 3
        $uri = "https://graph.microsoft.com/$graphApiVersion/$($App_resource)"
        Invoke-RestMethod -Uri $uri -Method Post -ContentType 'application/json' -Body $JSON -Headers $authToken
        write-host "Successfully added $PackageID from Managed Google Store" -ForegroundColor Green
    }
    catch {
        $exs = $Error.ErrorDetails
        $ex = $exs[0]
        Write-Host "Response content:`n$ex" -f Red
        Write-Host
        Write-Error "Request to $Uri failed with HTTP Status $($ex.Message)"
        Write-Host
        break
    }
}

Synchronising Managed Google Apps
#

Now that we have a way to Approve the apps, we need a way to sync them…bring on the POST /deviceManagement/androidManagedStoreAccountEnterpriseSettings/syncApps the below function, and a POST call to the below URI

https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings/syncApps
Function Invoke-SyncGoogleApplication() {

    [cmdletbinding()]

    param
    (
        $PackageID
    )

    $graphApiVersion = 'Beta'
    $App_resource = 'deviceManagement/androidManagedStoreAccountEnterpriseSettings/syncApps'

    try {
        $uri = "https://graph.microsoft.com/$graphApiVersion/$($App_resource)"
        Invoke-RestMethod -Uri $uri -Method Post -ContentType 'application/json' -Body $JSON -Headers $authToken
        Write-Host "Successfully synchronised Google Apps" -ForegroundColor Green
    }
    catch {
        $exs = $Error.ErrorDetails
        $ex = $exs[0]
        Write-Host "Response content:`n$ex" -f Red
        Write-Host
        Write-Error "Request to $Uri failed with HTTP Status $($ex.Message)"
        Write-Host
        break
    }

}

Running the Script
#

Throwing in the Get-AuthTokenMSAL function we know and love to the above functions, the authentication section to Graph API, the array variable we created, and the below little snippet of a foreach loop, we can happily run through each of the Mobile App Package Ids and approve them, rounding it off with a quick sync.

foreach($AndroidAppId in $AndroidAppIds) {
    Add-GoogleApplication -PackageID $AndroidAppId
}
Invoke-SyncGoogleApplication

The full Script can be found in my GitHub Repo and as always, please test this before adding hundreds of apps to the variable, you’ll thank me later.

Running the script gives us the following output:

Script Output
Screenshot of the PowerShell script output

After a little while, we’ll see the Mobile Apps in the Microsoft Intune Android Apps Portal

Mobile Apps
Screenshot of the Microsoft Intune approved android apps

With the Mobile Apps now in the tenant, you can go ahead and assign them to your hearts content…or maybe script something to do this for you?

Summary
#

Even if grabbing the packageId for each mobile app you want to approve and synchronise to Microsoft Intune is a a bit of a pain, and trust me, I looked at free ways to query the Play Store, this at least cuts the time down for synchronising Managed Google Play apps, especially as part of a migration to Intune.

Related

Creating and Assigning App Categories the Smart Way
· loading
Intune Android Apple Windows 10 and later iOS/iPadOS macOS Apps Graph API PowerShell
What about assigning App Categories, do you want to be manually updating hundreds of Apps with categories? Let’s make one laborious task, less laborious, with a hacky PowerShell script.
Updating Enrolled Device Ownership Status
· loading
Intune Enrolment Administration Graph API PowerShell
What happens if you’ve allowed Windows, iOS, Android, and macOS devices to enrol into Microsoft Microsoft Intune in all kinds of ways, and now you’re in a situation where devices that should be marked as corporate are marked as personal or unknown?
Configuring Dell BIOS Settings with Microsoft Intune
· loading
Intune Windows 10 and later Dell Apps BIOS Hardware PowerShell
What if you’ve only got Microsoft Intune to configure your Dell BIOS settings and not the glory that is Configuration Manager? How much do you like PowerShell, Win32 Apps and passwords in plain text?