Forum Discussion
Is there any way to disable Google Play Protect (GPP) from an EMM or to otherwise whitelist apps from scanning?
- 6 months ago
Hi all,
My name is Melanie and I am a Product Manager on the Android Enterprise team. Lizzie highlighted your discussion here back to our team. Thank you for your feedback and the useful discussion.
Reading through your feedback, we’ve picked up on a point that was consistently mentioned around private company apps being scanned, so we wanted to provide you with some additional information around this.
Google Play Protect (GPP) is designed to help protect against malware. By default, GPP asks users to send unknown applications to Google for scanning. This is because apps installed via Google Play or Managed Google Play are already scanned, but applications side-loaded (including installed through EMM installers) are not. This is what triggers the "Send app for a security check?" dialogue.
Several of you mentioned you would prefer not to send private company apps, especially on company-owned devices, externally to Google servers. The servers involved in this processing are kept isolated and protected within Google, but we still acknowledge that some organizations may prefer not to upload any data to external servers.
Additionally, we acknowledge that the “Send app for a security check” message can be confusing to device users, especially as they may not be the app or device owners and are therefore unable to make a decision on this.
Based on all of the feedback you’ve provided, last week we made a change preventing unknown applications (e.g. private side-loaded apps) from being uploaded to Google servers on Fully Managed devices or Managed Work Profiles.
Please note that GPP is still running on these devices as usual, and is still comparing these apps to known PHAs. (So if an app is highly likely to be a PHA, users will still see the "Harmful app blocked" dialogue.) We’ll be updating our GPP Help Centre article shortly to reflect this change.
This change went live across all online devices on September 6th.
Thank you once again for your feedback and we look forward to hearing more across the community conversations. If you have any additional questions on this, please do feed them via Lizzie.
Melanie
- Lizzie, 6 months ago, Google Community Manager
I'd also like to add a special thanks to mattdermody for starting this topic and also for taking the time to join a call with myself and a couple of members of our team.
I know this is just a starting point, as much has been mentioned above, but I wanted to highlight Melanie's update here and also add my thanks: jasonbayton, BenMcc, ian, davidguill, Timmy, Michel, RamShear, tbrowne, benoit, JamesKnight, RickB, karam, crystal11232, davidguillaume
- jasonbayton, 6 months ago, Level 4.0: Ice Cream Sandwich
Holy moses what a result! Thank you melanie & Lizzie 😁.
I look forward to understanding how this functions behind the curtains 🙂
- mattdermody, 6 months ago, Level 2.2: Froyo
This is an amazing and honestly unexpected result! Thank you so much for hearing us out on the request and taking action. This is a great success story for this community.
- davidguill, 6 months ago, Level 1.6: Donut
Thank you for the update and the change in behaviour; this is greatly appreciated. Thank you to Lizzie and everyone on this thread for helping to make it happen.
- Michel, 6 months ago, Level 2.3: Gingerbread
Great result! Thanks for listening to the feedback and looking for a solution!
- jasonbayton, 6 months ago, Level 4.0: Ice Cream Sandwich
melanie, this applies to any sideloaded application via any means, right? You're not giving any preference to DPCs specifically; if I sideload an APK locally on the device via Chrome, or ADB (shell), it'll be excluded just as if the Device Owner or application with a delegated scope has installed it?
- melanie, 6 months ago, Google
Correct - for any package in Work Profile or Fully Managed that isn't hosted on Play / Managed Play, regardless of how the package made it on device, the user will not be asked to upload it to Google for additional scanning.
The feature request to exclude packages installed by 'trusted installers' (e.g. DPCs) from all GPP checks has been noted, and I'm exploring this now. As always, we're balancing device utility with user safety and potential for abuse.
- MobileDude, 4 months ago, Level 1.6: Donut
Hi,
Can you please confirm which enrollment types are covered under "Fully Managed devices or Managed Work Profiles"?
When looking at the available solution sets from the Google Developer page (Android Enterprise feature list | Google for Developers), it talks about the following four:
work profile on personally-owned device
work profile on company-owned device
fully managed device
dedicated device
Can you please clarify if "Fully Managed devices" includes both fully managed and dedicated devices?
Thanks!