Forum Discussion
Is there any way to disable Google Play Protect (GPP) from an EMM or to otherwise whitelist apps from scanning?
- 6 months ago
Hi all,
My name is Melanie and I am a Product Manager on the Android Enterprise team. Lizzie highlighted your discussion here back to our team. Thank you for your feedback and the useful discussion.
Reading through your feedback, we’ve picked up on a point that was consistently mentioned around private company apps being scanned, so we wanted to provide you with some additional information around this.
Google Play Protect (GPP) is designed to help protect against malware. By default, GPP asks users to send unknown applications to Google for scanning. This is because apps installed via Google Play or Managed Google Play are already scanned, but applications side-loaded (including installed through EMM installers) are not. This is what triggers the "Send app for a security check?" dialogue.
Several of you mentioned you would prefer not to send private company apps, especially on company-owned devices, externally to Google servers. The servers involved in this processing are kept isolated and protected within Google, but we still acknowledge that some organizations may prefer not to upload any data to external servers.
Additionally, we acknowledge that the “Send app for a security check” message can be confusing to device users, especially as they may not be the app or device owners and are therefore unable to make a decision on this.
Based on all of the feedback you’ve provided, last week we made a change preventing unknown applications (e.g. private side-loaded apps) from being uploaded to Google servers on Fully Managed devices or Managed Work Profiles.
Please note that GPP is still running on these devices as usual, and is still comparing these apps to known PHAs. (So if an app is highly likely to be a PHA, users will still see the "Harmful app blocked" dialogue.) We’ll be updating our GPP Help Centre article shortly to reflect this change.
This change went live across all online devices on September 6th.
Thank you once again for your feedback and we look forward to hearing more across the community conversations. If you have any additional questions on this, please do feed them via Lizzie.
Melanie
Hello karam, JamesKnight and RickB,
Great to meet you. Thanks for your comments and feedback.
As you may have seen from your comment above, I'd love to learn a little more about what you and others are experiencing, i.e. are there particular apps that this issue happens with? Also, do you have any suggestions on how you'd like to improve this, whilst also keeping that balance between security and user experience?
Thanks again,
Lizzie
- karam, 9 months ago, Level 1.6: Donut
Could just be ignorance on my part, for which I apologise, but the frustration arose when I could see an option (blue slider button style) to turn off GPP from its settings and a pop up asking whether to turn off or cancel would come up, but even if I clicked on the turn off option it just wouldn't actually do it - not even any error message to say why. What's the point of showing it as a changeable setting when it can't change was the frustration. As others have said, no problem if you want to have protection for apps through the Google Play channel, but for various reasons it is often the case where Android is used to implement a dedicated device that you don't want the risk of application instability (or becoming vapour ware) due to some unsolicited intervention.
- RickB, 9 months ago, Level 1.6: Donut
This is happening to most of our enterprise apps, and Google is not at all helpful in discovering why. Regardless, enterprise apps should not be subject to Google's paranoia. All it is doing is causing enterprises like my own to have to turn the feature off, because of the numerous false positives.
- Lizzie, 9 months ago, Google Community Manager
Thanks karam and RickB for sharing a bit more detail.
I am interested to dig a little deeper into this, and I'm sorry if you haven't had much luck providing this feedback before. RickB, you mention that this is happening with most of your enterprise apps, so potentially there is a common theme among them that is failing and it sounds like the notification/information provided doesn't help much to troubleshoot why this is happening? Do you think that better information/guidance at this point or before you make them available to end-users would potentially help here?
Thanks again,
Lizzie
- RickB, 8 months ago, Level 1.6: Donut
Every day Google Play Protect decides it doesn't like 3 or 4 more enterprise apps. This is out of control. These are Corp owned devices! Stop messing with things you know NOTHING about.
- mattdermody, 9 months ago, Level 2.2: Froyo
Yes. The ideal state would be having GPP enabled for device wide app scanning but with the option of being able to configure specific Bundle IDs to be whitelisted or ignored by GPP. Enterprises do not agree with the value that Google thinks that they're providing by scanning their enterprise apps for outdated libraries or other vulnerabilities because the action taken by GPP (disabling or removing these apps that it deems to be unsafe) is ultimately more disruptive to the business operations than the possibility of the vulnerability being exposed. It is nice to have GPP for generic app scanning but please provide a mechanism to allow enterprises to whitelist their own apps from scanning or interference. Without that enterprises are left disabling GPP completely, and in some cases Google Play services completely. Many of the enterprises I help support and manage are increasingly concerned by the controls that Google is implementing in the name of "security" and many have commented that they no longer feel like they own the devices that they've purchased since Google seems to have more control over their devices than they do. Google will ultimately force these enterprises down alternative paths if proper care isn't taken by Google to provide better configurable control over the constantly increased restrictions.
- JamesKnight, 9 months ago, Level 1.5: Cupcake
Hi Lizzie. Thanks for responding.
My experience relates to an in-house app and, therefore, something which Google won't have (and don't need to have) knowledge of.
I appreciate Google's desire to protect consumers and I have no problem with GPP scanning apps downloaded from the Play Store (or other sources) when the device is not managed within a corporate environment.
However, Google should absolutely not be dictating - or even influencing - whether or not to allow a company's own app to be installed on devices which it owns and manages.
Our app is developed internally, exclusively for our own use. It is not available on the Play store (or any other store) and is installed via an MDM solution (Soti MobiControl). Under those circumstances, GPP should have no role, at all, and we should be allowed to have control over our own devices and make our own decisions on risk.
MDM solutions should be able to switch off GPP on company-managed devices, either globally or on an app-by-app basis.
I hope this helps.
Thank you.
- mattdermody, 9 months ago, Level 2.2: Froyo
👏👏👏☝️☝️☝️
Spot on.
- benoit, 7 months ago, Level 1.5: Cupcake
Hi,
New to the discussion, as it is becoming the exact same challenge for our customers too.
Did you manage to have any action done to solve that issue in your private discussion?
Note in our case:
Targeting SDK higher than 32 is currently impossible due to the programmatic Bluetooth restrictions that are a key feature.
Cheers
- mattdermody, 7 months ago, Level 2.2: Froyo
The Android team was willing to listen and was receptive to the feedback provided but we are a long way away from any changes for this being implemented. I would not count on any changes relative to GPP administration or allow listing any time soon and would figure out alternate strategies in the meantime.