Once the app is uploaded and you have obtained the IDs for the policies and profiles, you can secure the app by calling POST app-market/policy. Use the policyIds parameter to pass the per-app policy GUIDs for each policy that you want to apply.
After you have secured an app with SIGN_EXTERNALLY to be signed outside the policy console, download a zip file that includes:
A copy of the secured app
All information required to sign the app
A simple script (sign.sh) to run on a signing server
The SIGN_EXTERNALLY option requires a signing profile to include with the secured app. Applying the signing profile when you secure requires the policy console to validate the signing parameters for use with your app, even though it does not sign the app.