Level 3.0: Honeycomb

Solved

Is there any way to disable Google Play Protect (GPP) from an EMM or to otherwise whitelist apps from scanning?

Forum|Forum|2 years ago
February 8, 2024
20 replies
278 views

I am very concerned about the Enhanced GPP features coming soon that are currently being piloted in other regions.

https://security.googleblog.com/2023/10/enhanced-google-play-protect-real-time.html

This is not a welcome feature whatsoever for the fully managed space where we have business apps written internally that are being installed on business devices, owned by that business. In no way do we want Google sitting in between deciding whether a very legitimate app written internally for an organization should be installed on devices that are purchased and owned by the same organization on fully managed devices. I would like a way to disable GPP completely, or at a minimum whitelist applications from scanning as we don't want Google interfering in the business operations.

GPP is a helpful consumer protection features but fully managed devices should have the ability to be opted in or out of the program. Otherwise GPP can incorrectly flag a mission critical app and disable or remove it from a device, thereby bringing down a line-of-business application and an end customers operations. While the intentions of GPP are good, by blocking business apps Google themselves is becoming the malicious actor that GPP is ironically trying. to prevent.

Best answer by melanie

Hi all,

My name is Melanie and I am a Product Manager on the Android Enterprise team. Lizzie highlighted your discussion here back to our team. Thank you for your feedback and the useful discussion.

Reading through your feedback, we’ve picked up on a point that was consistently mentioned around private company apps being scanned, so we wanted to provide you with some additional information around this.

Google Play Protect (GPP) is designed to help protect against malware. By default, GPP asks users to send unknown applications to Google for scanning. This is because apps installed via Google Play or Managed Google Play are already scanned, but applications side-loaded (including installed through EMM installers) are not. This is what triggers the "Send app for a security check?" dialogue.

Several of you mentioned you would prefer not to send private company apps, especially on company-owned devices, externally to Google servers. The servers involved in this processing are kept isolated and protected within Google, but we still acknowledge that some organizations may prefer not to upload any data to external servers.

Additionally, we acknowledge that the “Send app for a security check” message can be confusing to device users, especially as they may not be the app or device owners and are therefore unable to make a decision on this.

Based on all of your feedback you’ve provided, last week we made a change preventing unknown applications (e.g. private side-loaded apps) from being uploaded to Google servers on Fully Managed devices or Managed Work Profiles.

Please note that GPP is still running on these devices as usual, and is still comparing these apps to known PHAs. (So if an app is highly likely to be a PHA, users will still see the "Harmful app blocked" dialogue.) We’ll be updating our GPP Help Centre article shortly to reflect this change.

This change went live across all online devices on September 6th.

Thank you once again for your feedback and we look forward to hearing more across the community conversations. If you have any additional questions on this, please do feed them via Lizzie.

Melanie

Show previous replies

K

karam

Level 1.5: Cupcake

Couldn't agree more. Got a bunch of Lenovo's, couldn't turn GPP off even though the option appears. Waste of time, all being returned, will turn to Chinese products instead

K

karam

Level 1.5: Cupcake

On the other hand force stop and disable google play seems to have resolved. Just tired of seeing the same trend symptoms that MS and others have gone through over the years of eroding our supposed freedoms under the guise of it is better for us ... 🙂

Lizzie

Community Manager

Hello @karam, @JamesKnight and @RickB,

Great to meet you. Thanks for your comments and feedback.

As you may have seen from you comment above, I'd love to learn a little more about what you and others are experiencing. ie. are there particular apps that this issue happens with? Also, do you have any suggestions on how you'd like to improve this, whilst also keeping that balance between security and user experience.

Thanks again,

Lizzie

Welcome to the Community everyone!

K

karam

Level 1.5: Cupcake

Could just be ignorance on my part, for which I apologise, but the frustration arose when I could see an option (blue slider button style) to turn off GPP from its settings and a pop up asking whether to turn off or cancel would come up, but even if I clicked on the turn off option it just wouldn't actually do it - not even any error message to say why. What's the point of showing it as a changeable setting when it can't change was the frustration. As others have said, no problem if you want to have protection for apps through the Google Play channel, but for various reasons it is often the case where Android is used to implement a dedicated device that you don't want the risk of application instability (or becoming vapour ware) due to some unsolicited intervention

T

tbrowne

New Member

I want to echo what has been said especially by JamesKnight and mattedermody.

This has started to become very disruptive to our operations recently and I would appreciate a response from Google on this.

Michel

Level 4.0: Ice cream sandwich

I'm joining this discussion as well. I see a lot of issues with existing customers of us where this could cause a lot of issues.

Lizzie

Community Manager

Hello everyone,

Thanks again to those of you who have shared your experiences and thoughts on this threads previously and more recently. I really appreciate the insight you are sharing with us and I think it is clear that this is an important area for many of you.

As mentioned before I am keen to understand more of the specifics and if there are any patterns to the types of apps that are getting flagged, this way we can better highlight this back to our product team.

I've tried to arrange a call with a couple of you to discuss this further and so far we haven't managed to arrange this. As there are more people in the conversation now, I wanted to open up this to others as well, to see if any of you might be able to spare the time and would be interested in speaking with me and some of my teammates to understand this a little more? (I understand you are all very busy people, so thank you, thank you).

Thanks,

Lizzie

Welcome to the Community everyone!

R

RamShear

New Member

Hello, I'm new to this conversation but found it because I've having this issue with Apps being yanked off our devices. I don't have the same chops many of the other posters have when it comes to Android, I've mostly been managing iOS devices via MDM for the past several years, but we were purchased last year and now I'm scrambling to learn both Intune and Android.

In our case, we use a third party software product that has a couple mobile apps available from within it. Their apps are not on the Play Store because one of their customers pushed the APKs out to a private Play Store instance and Google won't let the same APK exist in different Play Store environments (this is what the software vendor tells me).

We set a policy in Intune to allow sideloading for this one group of users, and that works -- they can sideload the apps. But the app gets deleted without fail. It just pops a notification with the App name and says "Deleted by your admin"

We've combed through every compliance policy and conditional access policy in Intune we can find. I've even gone so far as to exclude the user group from each policy that applies to it to see if that policy is the one causing the removal, but it always removes. On my test device, I can look at "Play Protect settings" and the option for 'Scan apps with Play Protect' is switched off, but that app still gets removed.

Now I'm mad at everyone. I'm mad at the software vendor because they really ought to fix the problem on their side and publish the #$%& apps to the Play Store. I'm mad at Intune because there's nothing in their logs that tells me what on earth is initiating the removal process. I'm mad a Google because the device does not log the process that initiates the removal either -- and frankly, we should be able to push the APKs to a private instance for ourselves but we can't.

T

Timmy

Level 2.0: Eclair

The app gets removed on the device because you have not added it as an "Android Enterprise System App". When you sideload apps you need to assign that to the device and if you don't it will get removed by the system.

https://learn.microsoft.com/en-us/mem/intune/apps/apps-ae-system

D

davidguill

Level 1.6: Donut

Hi @Lizzie,

Has anything been officially announced on this yet by Google? I am being asked for this control by several customers but being told by the EMM developers that it's still not possible in Android 15 even after sharing the links provided by @jasonbayton.

Thanks All

David

jasonbayton

Level: 4.1: Jelly bean

It was added to the Android Management API in the last hour 🙂

mattdermodyAuthor

Level 3.0: Honeycomb

Is this actually the same thing as an allowlist for bypassing GPP scanning? Are ON Device Abuse Detection (ODAD) and GPP equivalent? It sounds to me like two different but possibly related features.

BenMcc

Level 2.0: Eclair

Sorry if this has been posted already (did look but didn't see) but you can prevent the apps from being flagged by Play Services/Play Protect by filling in this form: https://support.google.com/googleplay/android-developer/contact/protectappeals even if the app isn't on Play.

Not ideal but it will get around the issue partly.

Ben

D

davidguill

Level 1.6: Donut

Thanks for the tip, unfortunately this won't help a lot of our customers as they have closed networks

M

melanie

Answer

Google Team