Forum Discussion
Is there any way to disable Google Play Protect (GPP) from an EMM or to otherwise whitelist apps from scanning?
- 6 months ago
Hi all,
My name is Melanie and I am a Product Manager on the Android Enterprise team. Lizzie highlighted your discussion here back to our team. Thank you for your feedback and the useful discussion.
Reading through your feedback, we’ve picked up on a point that was consistently mentioned around private company apps being scanned, so we wanted to provide you with some additional information around this.
Google Play Protect (GPP) is designed to help protect against malware. By default, GPP asks users to send unknown applications to Google for scanning. This is because apps installed via Google Play or Managed Google Play are already scanned, but applications side-loaded (including installed through EMM installers) are not. This is what triggers the "Send app for a security check?" dialogue.
Several of you mentioned you would prefer not to send private company apps, especially on company-owned devices, externally to Google servers. The servers involved in this processing are kept isolated and protected within Google, but we still acknowledge that some organizations may prefer not to upload any data to external servers.
Additionally, we acknowledge that the “Send app for a security check” message can be confusing to device users, especially as they may not be the app or device owners and are therefore unable to make a decision on this.
Based on all of the feedback you’ve provided, last week we made a change preventing unknown applications (e.g. private side-loaded apps) from being uploaded to Google servers on Fully Managed devices or Managed Work Profiles.
Please note that GPP is still running on these devices as usual, and is still comparing these apps to known PHAs. (So if an app is highly likely to be a PHA, users will still see the "Harmful app blocked" dialogue.) We’ll be updating our GPP Help Centre article shortly to reflect this change.
This change went live across all online devices on September 6th.
Thank you once again for your feedback and we look forward to hearing more across the community conversations. If you have any additional questions on this, please do feed them via Lizzie.
Melanie
Hi Lizzie, thanks for replying.
I'd like to echo Matt's comments.
Whenever Android rolls out a new operating system update, it is a scramble to comprehend its implications for both us and our customers. The introduction of features outside the regular yearly OS release schedule is an even bigger scramble, as we're tasked with managing all our tablets deployed in the field that will receive these updates. I would love to go to our Android Enterprise settings to manage new features that come out of the new Android OS, but it feels like we’re stuck with no way to modify new Android features or settings.
While I acknowledge Google's responsibility to safeguard end-users, these very features can sometimes have adverse effects on companies utilizing managed devices, leaving businesses unable to programmatically enable or disable certain functionalities. Consider two examples:
1. Special permissions granting: Tasks such as granting accessibility or enabling "appear-on-top" functionality necessitate manual intervention on the device to approve permissions. Guiding an end-user through this process on a tablet can be cumbersome, prone to errors, and frustrating. Oftentimes, conversations with customers reveal their realization that an app requires special permissions, which we are unable to grant automatically. This dilemma usually results in either the company deciding against deploying the application or doing so at a sluggish pace, involving hands-on devices to manually grant those permissions. Neither of these options offers an optimal user experience.
2. Google Play Protect (GPP): Pop-ups displaying "Unsafe App Blocked" for mission-critical applications, even if bypassing the block is permitted, sometimes raise concerns among our end-users. The current workaround involves manually disabling GPP on each device, a less-than-ideal solution due to the number of manual steps (eight) required for every single tablet. Moreover, this approach is reactive, triggered only after the GPP pop-up occurs. Consequently, we find ourselves in a position where we must either proactively inform our customers about the significant impact of the latest Android version on their environment, lag behind in supporting the newest Android versions, or devise engineering workarounds to address the features introduced by Google.
Hey mattdermody and ian - I hope you are both doing well. I've sent you a couple of messages about a possible call, via your community inbox. Hopefully we can find a suitable time. 😀 Thanks so much.