Forum Discussion
Is there any way to disable Google Play Protect (GPP) from an EMM or to otherwise whitelist apps from scanning?
Hi all,
My name is Melanie and I am a Product Manager on the Android Enterprise team. Lizzie highlighted your discussion here back to our team. Thank you for your feedback and the useful discussion.
Reading through your feedback, we’ve picked up on a point that was consistently mentioned around private company apps being scanned, so we wanted to provide you with some additional information around this.
Google Play Protect (GPP) is designed to help protect against malware. By default, GPP asks users to send unknown applications to Google for scanning. This is because apps installed via Google Play or Managed Google Play are already scanned, but applications side-loaded (including installed through EMM installers) are not. This is what triggers the "Send app for a security check?" dialogue.
Several of you mentioned you would prefer not to send private company apps, especially on company-owned devices, externally to Google servers. The servers involved in this processing are kept isolated and protected within Google, but we still acknowledge that some organizations may prefer not to upload any data to external servers.
Additionally, we acknowledge that the “Send app for a security check” message can be confusing to device users, especially as they may not be the app or device owners and are therefore unable to make a decision on this.
Based on all of the feedback you’ve provided, last week we made a change preventing unknown applications (e.g. private side-loaded apps) from being uploaded to Google servers on Fully Managed devices or Managed Work Profiles.
Please note that GPP is still running on these devices as usual, and is still comparing these apps to known PHAs. (So if an app is highly likely to be a PHA, users will still see the "Harmful app blocked" dialogue.) We’ll be updating our GPP Help Centre article shortly to reflect this change.
This change went live across all online devices on September 6th.
Thank you once again for your feedback and we look forward to hearing more across the community conversations. If you have any additional questions on this, please do feed them via Lizzie.
Melanie
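Melanie's post distinguishes apps that arrive through Google Play or Managed Google Play (already scanned) from side-loaded apps, including those pushed by an EMM installer, which were the ones GPP asked to upload. The following is an added example, not code from Google or from any EMM: a small audit helper a Device Owner DPC could run to inventory which installed apps came from outside the Play Store, so an admin can see which apps the change affects. It assumes the DPC already holds a `Context`; the function and class names are hypothetical, and `com.android.vending` is the Play Store's package name.

```kotlin
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.os.Build

// Hypothetical record type for the audit (example code, not part of any Android or EMM API).
data class InstallSourceRecord(
    val packageName: String,
    val installer: String?,   // package that performed the install, null if unknown/adb
    val fromPlay: Boolean     // true when installed by Google Play / Managed Google Play
)

private const val PLAY_STORE_PACKAGE = "com.android.vending"

// Resolve the installing package for one app, using the API 30+ InstallSourceInfo where
// available and the older (deprecated) getInstallerPackageName() on earlier releases.
private fun installerOf(pm: PackageManager, packageName: String): String? = try {
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
        pm.getInstallSourceInfo(packageName).installingPackageName
    } else {
        @Suppress("DEPRECATION")
        pm.getInstallerPackageName(packageName)
    }
} catch (e: PackageManager.NameNotFoundException) {
    null
}

// Inventory every non-system app on the device with its install source.
// System/preloaded apps are skipped: they were not side-loaded and are not what GPP prompts about.
fun auditInstallSources(context: Context): List<InstallSourceRecord> {
    val pm = context.packageManager
    return pm.getInstalledApplications(PackageManager.GET_META_DATA)
        .filter { it.flags and ApplicationInfo.FLAG_SYSTEM == 0 }
        .map { app ->
            val installer = installerOf(pm, app.packageName)
            InstallSourceRecord(app.packageName, installer, installer == PLAY_STORE_PACKAGE)
        }
}

// The subset an admin most wants to review: apps that did not come through (Managed) Google Play,
// i.e. the "unknown" apps that previously triggered the "Send app for a security check?" dialogue.
fun sideloadedApps(context: Context): List<InstallSourceRecord> =
    auditInstallSources(context).filter { !it.fromPlay }
```

On a fully managed device the DPC itself typically appears as the installer for EMM-pushed apps, which makes those entries easy to separate from ad hoc side-loads in the returned list.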
Hey everyone,
Thanks for starting this discussion here.
Obviously at a high level there is a security aspect to this all and personally speaking here Android has a level of responsibility to ensure that apps are protected against malware. Having said this, it appears to be clearly impacting the end-user experience and I can understand your point on why should these apps be scanned when they are internal. So personally, I feel there is a balance to be found.
I think it would be interesting to learn more about the cases where this is particularly happening. I wonder if it might be worth exploring a few examples back with the team. Would this be of interest? (just a thought)
As I say, I think it's a really good discussion you've all raised and I actually think the back and forth between different community members helps to think of ideas, provide different use cases/perspectives and surface that multiple members feel passionately about this. So thank you for this. As a gentle reminder, we are a group of community members here, so let's keep the comments respectful and constructive; this way it makes it easier for me to convey your ideas and requests shared.
On this point, I want you to know I am highlighting this conversation internally and exploring if there are existing feature requests/current work around this. So your voices aren't going into the ether. 😀
Thank you again and let's keep discussing this.
Lizzie
I'm sorry. I will focus on maintaining the professional decorum moving forward.
What you're seeing here is just mounting frustration with the rise in consumer protection features in Android that are constantly imposing on the fully-managed business owned device use case. I absolutely understand why features like GPP exist. Android struggled with an early bad reputation of being "insecure" and "fragmented" and as a result there has been a constant push to dispel those perspectives. Every year there are more and more consumer protection features added into the base OS and that is generally a good thing for the ecosystem. The issue is when these features do not properly account for all of the management use cases. It is my opinion that when we have a device enrolled under Device Owner management that we have properly declared that the device is owned by the business which therefore should have every right to manage and utilize the devices how they see fit. Despite that, these consumer protection features also bleed into the Device Owner world, leaving enterprises to deal with figuring out how to disable them or work around them. There are many examples that come to mind:
- GPP app scanning of legitimate business apps. In the absence of being able to disable GPP we should be provided a mechanism to whitelist specific apps from scanning.
- Scoped storage file restrictions also impacting Device Owner DPCs. Device Owner DPCs should have been able to manage files under scoped storage.
- Doze Mode, Green Mode, Battery Optimization. Great for consumers, terrible for line-of-business devices.
- Google Assistant accessible from a long press of the home button, even with a lockdown applied
- Uncontrollable updates to critical system components like the System WebView.
- Managed Play updates requiring criteria like the device having to be in a charging state, when many line-of-business devices utilize hot swappable batteries so the devices may never be in a "charging state"
My end customers have now gone through numerous annual Android OS migrations on their devices and with each new version it's like we're playing a game of "whac-a-mole", figuring out which new consumer grade features have to be suppressed, disabled, or otherwise worked around. I regularly get the question of what new features they can expect when they are inevitably forced to upgrade and the list of pain points often is much longer than the list of benefits. My clients are growing tired of these annual Android OS upgrades because they take a stable, mission critical, device environment and disrupt them, sometimes for several months until all of the new issues are taken care of. We then get some period of relief and stability before the next Android OS upgrade disrupts it all over again, but even the periods of stability are often interrupted by uncontrolled updates to system components that break business app functionality. It's incredibly painful to tell a CIO that his production was shut down by a forced update to Chrome or WebView from Google Play that we otherwise could not have controlled, don't have version lock-in for, and can't easily roll back.
I am not naive, however, and completely understand the fully managed / Device Owner use case is the smallest use case for Android. We however feel constantly neglected. I had a large customer with 10k+ Android devices that migrated off of Windows CE recently tell me that they weren't sure if they owned their devices, or Google did, in reaction to numerous issues that they regularly experienced. It's not great when customers are thinking back about how great they had it in comparison on Windows CE. Sure Android is more secure now, and you'd be crazy to actually want to go back to Windows CE, but there is something to be said about stability, predictability, and comprehensive control, etc., and in many cases the end customers of the devices would likely stack rank those above security.
Why are security measures put in place in the first place? To prevent bad actors from performing malicious activities that could jeopardize the stability or functionality of the technology in the environment. It's therefore a bit ironic when these very security measures are what are resulting in instability and the breaking of production level functionality.