Is there any way to disable Google Play Protect (GPP) from an EMM or to otherwise whitelist apps from scanning?

Could you share a screen-print or the text of the warning please?

To clarify, GPP is still running on these devices - so high risk apps will still be flagged as such with a block or warning.

Hi,

Can you please confirm which enrollment types are covered under "Fully Managed devices or Managed Work Profiles".

When looking at the available solution sets from the Google Developer page (Android Enterprise feature list  |  Google for Developers) It talks about the following four. 

work profile on personally-owned device
work profile on company-owned device
fully managed device
dedicated device

If you can please clarify if "Fully Managed devices" includes both fully managed and dedicated devices? 
Thanks! 

melanie this applies to any sideloaded application via any means right? You're not giving any preference to DPCs specifically; if I sideload an APK locally on the device via Chrome, or ADB (shell), it'll be excluded just as if the Device Owner or application with a delegated scope has installed it?

Great result! Thanks for listening to the feedback and looking for a solution! 

Thanks for the tip, unfortunately this won't help a lot of our customers as they have closed networks

It was added to the Android Management API in the last hour 🙂 

Hello, I'm new to this conversation but found it because I've having this issue with Apps being yanked off our devices.   I don't have the same chops many of the other posters have when it comes to Android, I've mostly been managing iOS devices via MDM for the past several years, but we were purchased last year and now I'm scrambling to learn both Intune and Android.

In our case, we use a third party software product that has a couple mobile apps available from within it.   Their apps are not on the Play Store because one of their customers pushed the APKs out to a private Play Store instance and Google won't let the same APK exist in different Play Store environments (this is what the software vendor tells me).

We set a policy in Intune to allow sideloading for this one group of users, and that works -- they can sideload the apps.    But the app gets deleted without fail.  It just pops a notification with the App name and says "Deleted by your admin"

We've combed through every compliance policy and conditional access policy in Intune we can find.  I've even gone so far as to exclude the user group from each policy that applies to it to see if that policy is the one causing the removal, but it always removes.   On my test device, I can look at "Play Protect settings" and the option for 'Scan apps with Play Protect' is switched off, but that app still gets removed.

Now I'm mad at everyone.  I'm mad at the software vendor because they really ought to fix the problem on their side and publish the #$%& apps to the Play Store.   I'm mad at Intune because there's nothing in their logs that tells me what on earth is initiating the removal process.   I'm mad a Google because the device does not log the process that initiates the removal either -- and frankly, we should be able to push the APKs to a private instance for ourselves but we can't.

Hi,
New to the discussion, as it is becoming the exact same challenge for our customers too.
Did you manage to have any action done to solve that issue in your private discussion?

Note in our case:
Targeting SDK higher than 32 is currently impossible due to the programmatic bluetooth restrictions that are a key feature.

Cheers

Hi Lizzie. Thanks for responding.

My experience relates to an in-house app and, therefore, something which Google won't have (and don't need to have) knowledge of. 

I appreciate Google's desire to protect consumers and I have no problem with GPP scanning apps downloaded from the Play Store (or other sources) when the device is not managed within a corporate environment.

However, Google should absolutely not be dictating - or even influencing - whether or not to allow a company's own app to be installed on devices which it owns and manages.

Our app is developed internally, exclusively for our own use. It is not available on the Play store (or any other store) and is installed via an MDM solution (Soti MobiControl). Under those circumstances, GPP should have no role, at all,  and we should be allowed to have control over our own devices and make our own decisions on risk.

MDM solutions should be able to switch off GPP on company-managed devices, either globally or on an app-by-app basis.

I hope this helps.

Thank you.

Yes. The ideal state would be having GPP enabled for device wide app scanning but with the option of being able to configure specific Bundle IDs to be whitelisted or ignored by GPP. Enterprises do not agree with the value that Google thinks that they're providing by scanning their enterprise apps for outdated libraries or other vulnerabilities because the action taken by GPP (disabling or removing these apps that it deems to be unsafe) is ultimately more disruptive to the business operations than the possibility of the vulnerability being exposed. It is nice to have GPP for generic app scanning but please provide a mechanism to allow enterprises to whitelist their own apps from scanning or interference. Without that enterprises are left disabling GPP completely, and in some cases Google Play services completely. Many of the enterprises I help support and manage are increasingly concerned by the controls that Google is implementing in the name of "security" and many have commented that they no longer feel like they own the devices that they've purchased since Google seems to have more control over their devices than they do. Google will ultimately force these enterprises down alternative paths if proper care isn't taken by Google to provide better configurable control over the constantly increased restrictions.