IBM Worklight 6.2 docs recommend shutting off access from outside networks to Worklight Console and AppCenter console as a means of securing it. I did exactly that (Tomcat 7):
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
I log in to the console via an SSH tunnel (i.e. from the point of view of Tomcat from localhost). Trying to access it from the internet returns an Unauthorized error (prompting me to enter name and password, but not letting any further).
However, the installer apps within AppCenter are being accessed through /appcenterconsole/installers.html. This means in this setup the user will no longer be able to access them. Also, the installer itself uses /applicationcenter/ as its backend, i.e. it should be open. I can open access to this one, but I surely don't want to open access to appcenterconsole. As a workaround, I put a single installer at /applicationcenter/ and pointed applicationcenter/installers.html to there. The installer is now downloaded without AppCenter being involved (and thus not being managed by AppCenter for any updates).
Are there any recommended practices to both secure the appcenterconsole and to open access for users to download installers, so that they are managed by AppCenter?
Otherwise, will the installer app be managed by AppCenter if it's installed by a direct download (rather than through the AppCenter), but if it also exists in AppCenter?
Yes. All the Worklight and AppCenter console pages are generally not accessible from the outside network since it is only accessed by internal users. The only app that must be accessed externally is the AppCenter installer since it is used by the mobile devices and this page is protected.
Best practice in production is to used a Load Balancer and/or a Web Server acting as reverse proxy in front of the application server where Worklight and AppCenter are installed. The Load Balancer or the Web Proxy can be configured to disable forwarding external requests to the Worklight and the AppCenter console so only authorizing requests on the AppCenter services and the AppCenter installer.
If you don't use a Load Balancer or a proxy you have fo find a way to open external access only to the AppCenter installer page and the AppCenter services for example with firewall configuration.