Forum Discussion

mattdermody's avatar
mattdermody
Level 2.2: Froyo
2 years ago
Solved

Is there any way to disable Google Play Protect (GPP) from an EMM or to otherwise whitelist apps from scanning?

I am very concerned about the Enhanced GPP features coming soon that are currently being piloted in other regions.   https://security.googleblog.com/2023/10/enhanced-google-play-protect-real-time.h...
Security
  • melanie's avatar
    melanie
    6 months ago

    Hi all,

     

    My name is Melanie and I am a Product Manager on the Android Enterprise team. Lizzie highlighted your discussion here back to our team. Thank you for your feedback and the useful discussion.

     

    Reading through your feedback, we’ve picked up on a point that was consistently mentioned around private company apps being scanned, so we wanted to provide you with some additional information around this.

     

    Google Play Protect (GPP) is designed to help protect against malware. By default, GPP asks users to send unknown applications to Google for scanning. This is because apps installed via Google Play or Managed Google Play are already scanned, but applications side-loaded (including installed through EMM installers) are not.  This is what triggers the "Send app for a security check?" dialogue.

     

    Several of you mentioned you would prefer not to send private company apps, especially on company-owned devices, externally to Google servers. The servers involved in this processing are kept isolated and protected within Google, but we still acknowledge that some organizations may prefer not to upload any data to external servers. 

     

    Additionally, we acknowledge that the “Send app for a security check” message can be confusing to device users, especially as they may not be the app or device owners and are therefore unable to make a decision on this.

     

    Based on all of your feedback you’ve provided, last week we made a change preventing unknown applications (e.g. private side-loaded apps) from being uploaded to Google servers on Fully Managed devices or Managed Work Profiles.

     

    Please note that GPP is still running on these devices as usual, and is still comparing these apps to known PHAs. (So if an app is highly likely to be a PHA, users will still see the "Harmful app blocked" dialogue.)  We’ll be updating our GPP Help Centre article shortly to reflect this change.

     

    This change went live across all online devices on September 6th.

     

    Thank you once again for your feedback and we look forward to hearing more across the community conversations. If you have any additional questions on this, please do feed them via Lizzie. 

     

    Melanie

RamShear's avatar
RamShear
Level 1.5: Cupcake
8 months ago

Hello, I'm new to this conversation but found it because I've having this issue with Apps being yanked off our devices.   I don't have the same chops many of the other posters have when it comes to Android, I've mostly been managing iOS devices via MDM for the past several years, but we were purchased last year and now I'm scrambling to learn both Intune and Android.

In our case, we use a third party software product that has a couple mobile apps available from within it.   Their apps are not on the Play Store because one of their customers pushed the APKs out to a private Play Store instance and Google won't let the same APK exist in different Play Store environments (this is what the software vendor tells me).

We set a policy in Intune to allow sideloading for this one group of users, and that works -- they can sideload the apps.    But the app gets deleted without fail.  It just pops a notification with the App name and says "Deleted by your admin"

We've combed through every compliance policy and conditional access policy in Intune we can find.  I've even gone so far as to exclude the user group from each policy that applies to it to see if that policy is the one causing the removal, but it always removes.   On my test device, I can look at "Play Protect settings" and the option for 'Scan apps with Play Protect' is switched off, but that app still gets removed.

Now I'm mad at everyone.  I'm mad at the software vendor because they really ought to fix the problem on their side and publish the #$%& apps to the Play Store.   I'm mad at Intune because there's nothing in their logs that tells me what on earth is initiating the removal process.   I'm mad a Google because the device does not log the process that initiates the removal either -- and frankly, we should be able to push the APKs to a private instance for ourselves but we can't.