merill.net

Publishing private enterprise apps to the managed Google Play Store

Merill Fernando — Thu, 07 Feb 2019 21:57:12 +0000

Here’s a quick how to guide for publishing a private app to the managed Google Play store using the Custom App Publishing API and then surfacing it to your enterprise users through your EMM/MDM solution. When you use this API your apps are;

permanently private, meaning they can’t be made public
not subject to the public Google Play Store policies such as API target levels, application permission restrictions, etc
going through a streamlined verification process and appear in the managed Google Play Store in as little as five minutes, compared to over two hours via the Play Console
The only store listing details required to publish an app are its title and default listing language.

Before you can run the code below you need to set up a service account that has permissions to publish private apps. You can follow the guide here to set it up.

Enable the Google Play Custom App Publishing API
Create a service account
Obtain private app publishing rights
Retrieve the developer account id

At the end of this step you will have created a service account (eg myappname@turnkey-crowbar-123456.iam.gserviceaccount.com) and retreieved your developer account id (eg 1234567890123456789). Next you need to generate the private key that will be used to authenticate against the API. To do this click on the Create Key button in the Service Account details page and save the json file to your local disk (keep this key very secure).

Create private key for service account

Next fire up your favourite code editor, reference one of the pre-built Google API libraries (or directly use the REST API) to publish the app. Here’s how I did it with Visual Studio. Start a new console project and add a nuget reference to Google.Apis.Playcustomapp.v1. Update the devAccountId, apkPath and clientSecretsJson variables in the code below and hit run. If all goes well the response returned is ‘Complete’. If you receive a ‘Failed’ response take a look in the exception message for why it could have failed.

    class Program
    {
        static void Main(string[] args)
        {
            try
            {
                new Program().Run().Wait();
            }
            catch (AggregateException ex)
            {
                foreach (var e in ex.InnerExceptions)
                {
                    Console.WriteLine("ERROR: " + e.Message);
                }
            }
            Console.WriteLine("Press any key to continue...");
            Console.ReadKey();
        }

        private async Task Run()
        {
            long devAccountId = 1234567890123456789;
            var apkPath = @"C:\apps\MyPrivateApp.apk";
            var clientSecretsJson = @"C:\secrets\apppublishkey.json";

            var appMetaDda = new CustomApp
            {
                Title = "My Private Company App",
                LanguageCode = "en_AU"
            };

            GoogleCredential credential;
            using (var stream = new FileStream(clientSecretsJson, FileMode.Open, FileAccess.Read))
            {
                credential = GoogleCredential.FromStream(stream)
                    .CreateScoped("https://www.googleapis.com/auth/androidpublisher");
            }
          
            var svc = new Google.Apis.Playcustomapp.v1.PlaycustomappService(new Google.Apis.Services.BaseClientService.Initializer { HttpClientInitializer = credential });
            var request = svc.Accounts.CustomApps.Create(appMetaDda, devAccountId, File.OpenRead(apkPath), "application/octet-stream");
            var response = request.Upload();
            Console.WriteLine("Status = " + response.Status);
        }
    }

Remove the ms-outlook attribute added to your contacts

Merill Fernando — Thu, 31 May 2018 10:27:52 +0000

Like me if you had the unfortunate luck of using the Outlook app’s feature to sync your Gmail contacts to iOS and then used a sync app like Google Contacts sync you might have ended up with a whole bunch of contacts having an attribute called outlook with a value that says ms-outlook.

The fix is quite easy really. Using the awesome Script editor at https://script.google.com you can run this simple function to get rid of the stuff you don’t want.


function myFunction() {
  var contacts = ContactsApp.getContacts();
  for (var c = 0; c < contacts.length; c++) {
    var cnt = contacts[c];
    var fields = cnt.getUrls();
    for (var i = 0; i < fields.length; i++) {
      if(fields[i].getLabel() == "Outlook"){
        fields[i].deleteUrlField();
      }
    }
  }
}

Intune Data Centers

Merill Fernando — Fri, 13 Apr 2018 11:44:18 +0000

Want to know where all the Intune Data Centers are located? Here’s a handy link http://intunedatacentermap.azurewebsites.net

PayID

Merill Fernando — Tue, 27 Feb 2018 20:49:59 +0000

Have you tried PayID yet? Given that you can only have one PayID identifier for each account and bank it doesn’t seem to make much sense to use your telephone number. Instead I’ve opted to use bankname@myemail.net (eg nab@myemail.net) thanks to the domain catch all feature in Google Apps. With gmail you could use the + alias (eg. nab+merill@gmail.com) or use the Outlook Alias feature where you can have multiple email addresses mapped to each account.
Thanks to PayID I can now keep all of my income in the offset account and only transfer to my checking account at the very last minute. I tried transferring from my NAB account to ING and it come through even before I could switch between the two banking apps.
Looking forward to shaving a few years off my mortgage.
What approach have you come up with for PayID?

Setting up WordPress as your micro blogging platform

Merill Fernando — Tue, 02 Jan 2018 03:32:50 +0000

Deciding on WordPress as your source of truth for your micro blog is all good but how do you avoid spamming your RSS readers with your status updates meant for micro.blog, twitter, linked in et al?

The simplest way to target WordPress posts for micro blogs is to use a specific category (I call mine status). You can then configure WordPress to not include posts from this category in the default feed.

One way to exclude a category from the default feed is using a re-write rule in your .htaccess file as shared by Manton in this gist https://gist.github.com/manton/f8b6f8b391a2f3d9b419

I wanted something a bit more robust that wouldn’t break when the url format changed. Instead I wrote a custom filter that would hide the category from the default feed. To get this set up you can use the excellent ‘My Custom Functions’ plug in https://wordpress.org/plugins/my-custom-functions/

Once you have this set up you can now use the url to your feed as the feed source at https://micro.blog using the following format http://<>/category/<>/feed/

In my case this is my feed url http://merill.net/category/status/feed/

Fix for MacOS Jittery Dock

Merill Fernando — Wed, 13 Dec 2017 11:04:53 +0000

Is your MacOS dock jittering and driving you nuts? In my case this was being caused by some apps that were ShareMouse and/or Synergy. Removing all the unnecessary apps from System Preferences > Security & Privacy > Accessibility should fix the issue.

The issue is most probably being caused by the last app you added to the list (in my case it was Synergy).

Azure + iPad = Productivity

Merill Fernando — Sun, 13 Aug 2017 23:01:02 +0000

I don’t spend much timing writing code these days but when I do I want it to be productive as possible. Whether it is at my desk, in a meeting room or in bed in the middle of the night.

So this weekend I went about setting up a workflow that would let me access a powerful machine in the cloud with the latest version of Visual Studio and get access to it in a secure manner. Here is what I used to get it all going.

Azure DevTest Labs

The DevTest Labs is a neat Azure service that gives you a virtual machine running the greatest and latest version of Visual Studio. You can save yourself a ton of time by not having to deal with downloading and waiting through a Visual Studio install.

IFTT

The dollars can add up quickly when you leave a high end virtual machine running on Azure. Using a combo of Azure Runbooks, web hooks and IFTT buttons, I was able to set up a nice widget that would let me quickly start up and shut down my VM. Using iOS widgets and IFTT, it was just a swipe away from the home screen on my iPad/iPhone to start up my VM.

Jump Desktop Connect

The last piece of the puzzle was to get into my VM. When you are working in a corporate environment behind firewalls and proxies that only allow http traffic to flow through, RDP is simply not going to cut it. Plus you open up your surface area by exposing your VM to the public internet. Jump Desktop to the rescue to solve both the issues. The Jump Desktop Connect is a free app that you install on the PC/Mac that you need remote access to. You can then use the awesome Jump Desktop apps on iOS, Android, Mac or Windows and punch through any firewall to get to your remote machine.

Oh and by the way did I tell you that Jump Desktop is one of the few RDP apps that will let you use a mouse on your remote machine? Productivity FTW!

Blocking Microsoft Flow’s access to your Office 365 tenant

Merill Fernando — Wed, 25 Jan 2017 04:33:26 +0000

Did you know that any user in your organisation can sign into Microsoft Flow with their personal account and create a flow that connects to your organisation’s Office 365 tenant?
This means that an employee can (even accidentally) create a flow that monitors a SharePoint site (obviously they need to have access to the site) and posts the contents to Twitter, Dropbox or any other external service.
The bad news is that as the Office 365 tenant admin we have no way of blocking this in the UI. The good news is that Microsoft can. So raise a service request with them and ask them to disable ‘Cross tenant Flow creation’. This will force all of your data to stay within your tenant and prevents data loss.

Allowing third party applications in your Office 365 tenant

Merill Fernando — Thu, 11 Aug 2016 13:09:13 +0000

When managing Office 365 (and it’s related Azure Active Directory) in a large enterprise your security team is wary about allowing third party applications to access enterprise data.

Take for example the list of options that you have available in the ‘configure’ tab in Azure AD under the ‘integrated applications’ section. If you turn on the ‘Users may add integrated applications’ you will start seeing a number of applications showing up in Azure AD under the applications section. What this means is that users are accessing third party applications and using their work account as the identity.

Where this gets a little scary is with the option that says ‘Users may give applications permission to access their data’. Depending on the type of permission requested by the application the user consents to in the consent page of the app (shown during the sign on process), they can potentially give third party applications access to their email, content in SharePoint Online etc. as shown by Roger from BestForTheKids.

Where I come from this is a big fat no from security. We typically require the security team vetting every SaaS application where the checks include performing vendor assessments, finding out what information is stored and how secure it is, whether the content is stored in Australia (data sovereignty).

Fine, let’s say we disable all this to prevent end users willy nilly giving third party applications access to corporate data. You will be faced with a dilemma when you have an application that has been approved (eg Microsoft’s own Fast Track portal http://fasttrack.microsoft.com) by your security team your users will still not be able to sign in to the third party app because of the above settings where we disabled users adding apps.

When a user tries to sign into the portal they will be shown an error message saying ‘Sorry but we’re having trouble signing you in. We received a bad request’.

So how do you go about whitelisting only certain apps on your Office 365 / Azure Active Directory tenant? I reached out to my friends at Microsoft and this time they had an answer that made me happy.

Today the only way for an admin to consent to an application for his entire tenant is to send an interactive sign-in request with the query parameter ?prompt=admin_consent. We usually ask the app developer to invoke this request in their app somehow. But you can actually craft the request as a link yourself and have an admin click on it. There’s documentation on http://aka.ms/aaddev on how to craft a sign in request. We are working on adding this capability to our portal directly so you dont have to do this.

So the trick is to open a browser session in private/incognito mode and navigate to the target application (e.g. Fast Track) and try to sign in. This will redirect you to Microsoft’s login page. When you are at this page insert the ?prompt=admin_consent parameter to the query string in the the address bar and hit enter to reload the sign in page. Now sign in as a global administrator for the tenant and you will be taken to the admin consent page. Review the settings that you are approving and click on Accept. Viola you’ve now approved the app in your tenant. Now any user in your organisation can sign into the third party app without login errors and won’t even see the consent screen.

Fix: Windows 10 (Technical Preview) OneDrive Sync Issues with Office 2016 Preview

Merill Fernando — Wed, 13 May 2015 11:37:17 +0000

After installing the Office 2016 Preview on build 10074 of the Windows 10 Technical Preview I came across a recurring sync issue with OneDrive. All the Office documents would show up with the following error ‘Files can’t be synced. Open the document in Office for more info.’
It didn’t make any difference if you opened the document in Word, Excel and saved them back they would still show up with sync errors.

To fix the issue I turned off the ‘Use Office to sync files faster and work on files with other people at the same time’ from the Settings tab (right click the OneDrive icon on the status bar). An Exit and restart of OneDrive fixed the issue and everything comes up green again.

I’m guessing this is something to do with the Office 2016 preview since I’ve been running Windows 10 TP for a few months now and didn’t have any sync issues.

This not only fixed the sync issue but also made Office use the local files instead of taking a few seconds connecting to OneDrive each time I saved.

I know you can buy Microsoft Office for Mac now, but after all these years, I’m going to stick to what I know.