Externally hosted private apps

Because externally hosted Android Packages (APKs) aren't scanned, the safety of their content can't be guaranteed. Users are informed of this when they access an externally hosted app.

A private app with an APK hosted outside of Google Play (for example, on your own server) is known as an externally hosted app. To distribute externally hosted apps through managed Google Play, you (or the app's developer) need to upload a JSON file containing the app's metadata to the Play Console.

Restrictions on externally hosted apps

Externally hosted apps are subject to the following restrictions:

  • Externally hosted apps can only be published to production. Closed releases for externally hosted apps aren't supported.
  • IT admins can't remotely install externally hosted apps on devices with work profiles. Work profile users must install them manually from managed Play.
  • Android Auto second-screen projection is disabled. This is because all Auto-targeted apps must go through a specific review to ensure that they’re not distracting to drivers.

Generate JSON metadata file

To publish an externally hosted app, you need to upload a JSON file containing the app's metadata to the Play Console. This allows you to distribute your app to users in your organization through managed Google Play.

If your EMM provider doesn't offer a tool to generate this file, Google provides a Python script you can use to generate the file yourself. To use the script, the following must be installed on your machine and available on your system's PATH:

To generate the JSON file, execute the following command using your APK's path and URL:

python externallyhosted.py --apk=<path/to/apk.apk> --externallyHostedUrl="<https://www.example.com/test.apk>" > filename.json
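
An added example (not part of the original page or of Google's script): a pre-upload check that the generated JSON still describes the APK actually placed at the hosting URL, which matters because externally hosted APKs aren't scanned. The field names externallyHostedUrl, fileSize, fileSha256Base64 and fileSha1Base64 and the base64-of-raw-digest encoding are assumptions about the generated file; the https requirement is this example's own policy, and the sample bytes are constructed.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse


def b64_digest(algorithm, data):
    """Base64 of the raw digest (assumed encoding of the metadata hashes)."""
    return base64.b64encode(hashlib.new(algorithm, data).digest()).decode("ascii")


def check_metadata(metadata, apk_bytes):
    """Return a list of mismatches between the metadata and the APK bytes."""
    problems = []
    # Policy of this example: the hosting URL must be https with a host part.
    url = urlparse(metadata.get("externallyHostedUrl", ""))
    if url.scheme != "https" or not url.netloc:
        problems.append("externallyHostedUrl is not an https URL")
    # Compare as strings so an integer or a string value both work.
    if str(metadata.get("fileSize")) != str(len(apk_bytes)):
        problems.append("fileSize does not match the APK")
    for field, algorithm in (("fileSha256Base64", "sha256"),
                             ("fileSha1Base64", "sha1")):
        if metadata.get(field) != b64_digest(algorithm, apk_bytes):
            problems.append(field + " does not match the APK")
    return problems


def build_sample():
    """Constructed sample: stand-in bytes, not a real APK."""
    apk = b"PK\x03\x04 constructed stand-in for an APK"
    meta = {
        "externallyHostedUrl": "https://www.example.com/test.apk",
        "fileSize": str(len(apk)),
        "fileSha256Base64": b64_digest("sha256", apk),
        "fileSha1Base64": b64_digest("sha1", apk),
    }
    # Round-trip through JSON, as if read back from filename.json.
    return json.loads(json.dumps(meta)), apk


if __name__ == "__main__":
    metadata, apk = build_sample()
    print(check_metadata(metadata, apk))            # file unchanged
    print(check_metadata(metadata, apk + b"\x00"))  # file changed after generation
```

Against real files, load filename.json with json.load and read the APK in binary mode, then pass both to check_metadata; an empty list means the metadata and the hosted file agree.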

Publish an externally hosted app in the Play Console

After generating your app's JSON metadata file, you can use the Play Console to publish the app:

  1. Sign in to the Play Console with your organization's administrator account.
    If you haven't already, you need to associate this account with the Play Console (see Register for a Google Play Developer account for more details).
  2. Create a private app by publishing to your own organization. Ensure you add at least one organization to Private app access.
  3. Click Upload external APKs.
  4. Near the top right of the page, select Create new release.
  5. In "App signing by Google Play", click Manage preferences, then select Opt out of app signing by Google Play.
  6. Click Update, then click Opt out.
  7. In "App bundles and APKs", click Upload.
  8. Upload the app's JSON metadata file and add a Release name. Click Save.
  9. The file is uploaded and the APK details are shown.
  10. If you change fields in the JSON file so that the configuration is invalid, an error is shown when the file is uploaded.
  11. If no organization is selected on the Managed Google Play page, or if app signing by Google Play has not been opted out of, an error is shown when the file is uploaded.

Authenticate externally hosted APK download requests

When managed Play makes a request to download an APK from an external server, the request includes a cookie containing a JSON Web Token (JWT). We recommend decoding the JWT to authenticate the download. For more details, see Authenticating the download on the enterprise server.
