Forum Discussion
Is there any way to disable Google Play Protect (GPP) from an EMM or to otherwise whitelist apps from scanning?
Hi all,
My name is Melanie and I am a Product Manager on the Android Enterprise team. Lizzie highlighted your discussion here back to our team. Thank you for your feedback and the useful discussion.
Reading through your feedback, we’ve picked up on a point that was consistently mentioned around private company apps being scanned, so we wanted to provide you with some additional information around this.
Google Play Protect (GPP) is designed to help protect against malware. By default, GPP asks users to send unknown applications to Google for scanning. This is because apps installed via Google Play or Managed Google Play are already scanned, but applications side-loaded (including installed through EMM installers) are not. This is what triggers the "Send app for a security check?" dialogue.
Several of you mentioned you would prefer not to send private company apps, especially on company-owned devices, externally to Google servers. The servers involved in this processing are kept isolated and protected within Google, but we still acknowledge that some organizations may prefer not to upload any data to external servers.
Additionally, we acknowledge that the “Send app for a security check” message can be confusing to device users, especially as they may not be the app or device owners and are therefore unable to make a decision on this.
Based on all of your feedback you’ve provided, last week we made a change preventing unknown applications (e.g. private side-loaded apps) from being uploaded to Google servers on Fully Managed devices or Managed Work Profiles.
Please note that GPP is still running on these devices as usual, and is still comparing these apps to known PHAs. (So if an app is highly likely to be a PHA, users will still see the "Harmful app blocked" dialogue.) We’ll be updating our GPP Help Centre article shortly to reflect this change.
This change went live across all online devices on September 6th.
Thank you once again for your feedback and we look forward to hearing more across the community conversations. If you have any additional questions on this, please do feed them via Lizzie.
Melanie
Hey everyone,
Thanks for starting this discussion here.
Obviously at a high level there is a security aspect to this all and personally speaking here Android has a level of responsible to ensure that apps are protected against Malware. Having said this, it appears to be clearly impacting the end-user experience and I can understand your point on why should these apps be scanned when they are internal. So personally, I feel there is a balance to be found.
I think it would be interesting to learn more about the cases where this is particularly happening. I wonder if it might be worth exploring a few examples back with the team. Would this be of interest? (just a thought)
As I say I think it's a really good discussion you've all raised and I actually think the back and forth between different community members helps to think of ideas, provide different use cases/perspectives and surface that multiple members feel passionately about this. So thank you for this. As a gentle reminder, we are a group of community members here, so let's keep the comments respectful and constructive, this way it makes it easier for me to convey your ideas and requests shared.
On this point, I want you to know I am highlighting this conversation internally and exploring if there are existing feature requests/current work around this. So your voices aren't going into the ether. 😀
Thank you again and let's keep discussing this.
Lizzie
Hi Lizzie, thanks for replying.
I'd like to echo Matt's comments.
Whenever Android rolls out a new operating system update, it is a scramble to comprehend its implications for both us and our customers. The introduction of features outside the regular yearly OS release schedule are an even bigger scramble, as we're tasked with managing all our tablets deployed in the field that will receive these updates. I would love to go to our Android Enterprise settings to manage new features that come out of the new Android OS, but it feels like we’re stuck with no way to modify new Android features or settings.
While I acknowledge Google's responsibility to safeguard end-users, these very features can sometimes have adverse effects on companies utilizing managed devices, leaving businesses unable to programmatically enable or disable certain functionalities. Consider two examples:
1. Special permissions granting: Tasks such as granting accessibility or enabling "appear-on-top" functionality necessitate manual intervention on the device to approve permissions. Guiding an end-user through this process on a tablet can be cumbersome, prone to errors, and frustrating. Oftentimes, conversations with customers reveal their realization that an app requires special permissions, which we are unable to grant automatically. This dilemma usually results in either the company deciding against deploying the application or doing so at a sluggish pace, involving hands-on devices to manually grant those permissions. Neither of these options offers an optimal user experience.
2. Google Play Protect (GPP): Pop-ups displaying "Unsafe App Blocked" for mission-critical applications, even if bypassing the block is permitted, sometimes raise concerns among our end-users. The current workaround involves manually disabling GPP on each device, a less-than-ideal solution due to the number of manual steps (eight) required for every single tablet. Moreover, this approach is reactive, triggered only after the GPP pop-up occurs. Consequently, we find ourselves in a position where we must either proactively inform our customers about the significant impact of the latest Android version on their environment, lag behind in supporting the newest Android versions, or devise engineering workarounds to address the features introduced by Google.
Hey mattdermody and ian - I hope you are both doing well. I've sent you a couple of messages about a possible call, via you community inbox. Hopefully we can find a suitable time. 😀 Thanks so much.
