Externally hosted private apps

Because externally hosted Android Packages (APKs) aren't scanned, the safety of their content can't be guaranteed. Users are informed of this when they access an externally hosted app.

Private apps with externally hosted APKs are known as externally hosted apps. To distribute externally hosted apps through managed Google Play, you (or the app's developer) need to upload a JSON file containing the app's metadata to the Play Console.

Restrictions on externally hosted apps

Externally hosted apps are subject to the following restrictions:

  • Externally hosted apps can only be published to production. Closed releases for externally hosted apps aren't supported.
  • IT admins can't remotely install externally hosted apps on devices with work profiles. Work profile users must install them manually from managed Play.
  • Android Auto second-screen projection is disabled. This is because all Auto-targeted apps must go through a specific review to ensure that they’re not distracting to drivers.

Generate JSON metadata file

To publish an externally hosted app, you need to upload a JSON file containing the app's metadata to the Play Console. This allows you to distribute your app to users in your organization through managed Google Play.

If your EMM provider doesn't offer a tool to generate this file, Google provides a Python script you can use to generate the file yourself. To use the script, the following must be installed on your machine and available on your system's PATH:

To generate the JSON file, execute the following command using your APK's path and URL:

python externallyhosted.py ––apk=<path/to/apk.apk> ––externallyHostedUrl=“<https://www.example.com/test.apk>” > filename.json

Publish an externally hosted app in the Play Console

After generating your app's JSON metadata file, you can use the Play Console to publish the app:

  1. Sign in to the Google Play Console with your organization's administrator account.
    If you haven't already, you need to associate this account with the Play Console (see Register for a Google Play Developer account for more details).
  2. Create a private app by publishing to your own organization.
  3. Create a production release:
    1. Select I am uploading a configuration for an APK hosted outside of Google Play.
    2. Upload the app's JSON metadata file.

Authenticate externally hosted APK download requests

When managed Play makes a request to download an APK from an external server, the request includes a cookie containing a JSON Web Token (JWT). We recommend decoding the JWT to authenticate the download. For more details, see Authenticating the download on the enterprise server.

Was this helpful?
How can we improve it?