Externally hosted private apps

Externally hosted Android Packages (APKs) aren't sent to Google for scanning. Because of this, the safety of their content can't be guaranteed. Users are informed of this when they access an externally hosted app.

A private app with an APK hosted outside of Google Play (for example, on your own server) is known as an externally hosted app. To distribute externally hosted apps through Managed Google Play, a JSON file containing the app’s metadata needs to be uploaded to the Play Console.

Restrictions on externally hosted apps

Externally hosted apps are subject to the following restrictions:

  • Externally hosted apps can only be published to production. Closed releases for externally hosted apps aren't supported.
  • Publishing externally hosted apps is not available through the Managed Google Play iFrame.
  • IT admins can't remotely install externally hosted apps on devices with work profiles. Work profile users must install them manually from Managed Google Play.
  • Android Auto second-screen projection is disabled. This is because all Auto-targeted apps must go through a specific review to ensure that they’re not distracting to drivers.

Generate JSON metadata file

To publish an externally hosted app, upload a JSON file containing the app's metadata to the Play Console. This allows you to distribute your app to users in your organization through Managed Google Play.

If your EMM provider doesn't offer a tool to generate this file, Google provides a Python script you can use to generate the file yourself. To use the script, the following must be installed on your machine and available on your system's PATH:

To generate the JSON file, execute the following command using your APK's path and URL:

python externallyhosted.py ––apk=<path/to/apk.apk> ––externallyHostedUrl=“<https://www.example.com/test.apk>” > filename.json

Publish an externally hosted app in the Play Console

In order to publish an externally hosted app, your Play Console developer account must also be an admin account holder for your organization. 

After generating your app's JSON metadata file, you can use the Play Console to publish the app:

  1. Sign in to the Play Console with your organization's administrator account.
    If you haven't already, you need to associate this account with the Play Console (see Register for a Google Play Developer account for more details).
  2. Create a private app by publishing to your own organization. Ensure you add at least one organization to Private app access.
  3. Click Upload external APKs.
  4. Near the top right of the page, select Create new release.
  5. In "App signing by Google Play", click Manage preferences, then select Opt out of app signing by Google Play.
  6. Click Update, then click Opt out.
  7. In "App bundles and APKs", click Upload.
  8. Upload the app's JSON metadata file and add a Release name. Click Save.
  9. The file is uploaded and the APK details are shown.
  10. Try changing some fields to make the config file invalid in the json file, an error will be shown when it is uploaded.
  11. If no organization is selected in the Managed Google Play page or app signing by Google Play is not opted out, an error will be shown when it is uploaded.

Authenticate externally hosted APK download requests

When managed Play makes a request to download an APK from an external server, the request includes a cookie containing a JSON Web Token (JWT). We recommend decoding the JWT to authenticate the download. For more details, see Authenticating the download on the enterprise server.

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu