Is there any way to disable Google Play Protect (GPP) from an EMM or to otherwise whitelist apps from scanning?

mattdermody
Level 2.2: Froyo

I am very concerned about the Enhanced GPP features coming soon that are currently being piloted in other regions.

 

https://security.googleblog.com/2023/10/enhanced-google-play-protect-real-time.html

 

This is not a welcome feature whatsoever for the fully managed space where we have business apps written internally that are being installed on business devices, owned by that business. In no way do we want Google sitting in between deciding whether a very legitimate app written internally for an organization should be installed on devices that are purchased and owned by the same organization on fully managed devices. I would like a way to disable GPP completely, or at a minimum whitelist applications from scanning as we don't want Google interfering in the business operations. 

 

GPP is a helpful consumer protection feature, but fully managed devices should have the ability to be opted in or out of the program. Otherwise GPP can incorrectly flag a mission critical app and disable or remove it from a device, thereby bringing down a line-of-business application and an end customer's operations. While the intentions of GPP are good, by blocking business apps Google themselves is becoming the malicious actor that GPP is ironically trying to prevent.

1 ACCEPTED SOLUTION

melanie
Google

Hi all,

 

My name is Melanie and I am a Product Manager on the Android Enterprise team. Lizzie highlighted your discussion here back to our team. Thank you for your feedback and the useful discussion.

 

Reading through your feedback, we’ve picked up on a point that was consistently mentioned around private company apps being scanned, so we wanted to provide you with some additional information around this.

 

Google Play Protect (GPP) is designed to help protect against malware. By default, GPP asks users to send unknown applications to Google for scanning. This is because apps installed via Google Play or Managed Google Play are already scanned, but applications side-loaded (including installed through EMM installers) are not.  This is what triggers the "Send app for a security check?" dialogue.

 

Several of you mentioned you would prefer not to send private company apps, especially on company-owned devices, externally to Google servers. The servers involved in this processing are kept isolated and protected within Google, but we still acknowledge that some organizations may prefer not to upload any data to external servers. 

 

Additionally, we acknowledge that the “Send app for a security check” message can be confusing to device users, especially as they may not be the app or device owners and are therefore unable to make a decision on this.

 

Based on all of the feedback you've provided, last week we made a change preventing unknown applications (e.g. private side-loaded apps) from being uploaded to Google servers on Fully Managed devices or Managed Work Profiles.

 

Please note that GPP is still running on these devices as usual, and is still comparing these apps to known PHAs. (So if an app is highly likely to be a PHA, users will still see the "Harmful app blocked" dialogue.)  We’ll be updating our GPP Help Centre article shortly to reflect this change.

 

This change went live across all online devices on September 6th.

 

Thank you once again for your feedback and we look forward to hearing more across the community conversations. If you have any additional questions on this, please do feed them via Lizzie. 

 

Melanie


Lizzie
Google Community Manager

Hello @karam@JamesKnight and @RickB,

 

Great to meet you. Thanks for your comments and feedback. 

 

As you may have seen from your comment above, I'd love to learn a little more about what you and others are experiencing, i.e. are there particular apps that this issue happens with? Also, do you have any suggestions on how you'd like to improve this, whilst also keeping that balance between security and user experience?

 

Thanks again,

Lizzie



Welcome to the Community everyone!

Have a question or want to start a conversation, click here.

benoit
Level 1.5: Cupcake

Hi,
New to the discussion, as it is becoming the exact same challenge for our customers too.
Did you manage to have any action done to solve that issue in your private discussion?

Note in our case:
Targeting SDK higher than 32 is currently impossible due to the programmatic bluetooth restrictions that are a key feature.

Cheers

The Android team was willing to listen and was receptive to the feedback provided, but we are a long way away from any changes for this being implemented. I would not count on any changes relative to GPP administration or allow listing any time soon and would figure out alternate strategies in the meantime.

JamesKnight
Level 1.5: Cupcake

Hi Lizzie. Thanks for responding.

 

My experience relates to an in-house app and, therefore, something which Google won't have (and don't need to have) knowledge of. 

 

I appreciate Google's desire to protect consumers and I have no problem with GPP scanning apps downloaded from the Play Store (or other sources) when the device is not managed within a corporate environment.

 

However, Google should absolutely not be dictating - or even influencing - whether or not to allow a company's own app to be installed on devices which it owns and manages.

 

Our app is developed internally, exclusively for our own use. It is not available on the Play store (or any other store) and is installed via an MDM solution (Soti MobiControl). Under those circumstances, GPP should have no role, at all,  and we should be allowed to have control over our own devices and make our own decisions on risk.

 

MDM solutions should be able to switch off GPP on company-managed devices, either globally or on an app-by-app basis.

 

I hope this helps.

 

Thank you.

 

👏👏👏☝️☝️☝️

Spot on.

RickB
Level 1.6: Donut

This is happening to most of our enterprise apps, and Google is not at all helpful in discovering why. Regardless, enterprise apps should not be subject to Google's paranoia. All it is doing is causing enterprises like my own to have to turn the feature off, because of the numerous false positives.

Lizzie
Google Community Manager

Thanks @karam and @RickB for sharing a bit more detail.

 

I am interested to dig a little deeper into this, and I'm sorry if you haven't had much luck providing this feedback before. RickB, you mention that this is happening with most of your enterprise apps, so potentially there is a common theme among them that is failing, and it sounds like the notification/information provided doesn't help much to troubleshoot why this is happening? Do you think that better information/guidance at this point, or before you make them available to end-users, would potentially help here?

 

Thanks again,

Lizzie


RickB
Level 1.6: Donut

Every day Google Play Protect decides it doesn't like 3 or 4 more enterprise apps. This is out of control. These are corp owned devices! Stop messing with things you know NOTHING about.

karam
Level 1.6: Donut

Could just be ignorance on my part, for which I apologise, but the frustration arose when I could see an option (blue slider button style) to turn off GPP from its settings, and a pop up asking whether to turn off or cancel would come up, but even if I clicked on the turn off option it just wouldn't actually do it - not even any error message to say why. What's the point of showing it as a changeable setting when it can't change? That was the frustration. As others have said, no problem if you want to have protection for apps through the Google Play channel, but for various reasons it is often the case that Android is used to implement a dedicated device where you don't want the risk of application instability (or becoming vapourware) due to some unsolicited intervention.

karam
Level 1.6: Donut

On the other hand, force stop and disable Google Play seems to have resolved it. Just tired of seeing the same trend symptoms that MS and others have gone through over the years of eroding our supposed freedoms under the guise of "it is better for us" ... 🙂

karam
Level 1.6: Donut

Couldn't agree more. Got a bunch of Lenovos, couldn't turn GPP off even though the option appears. Waste of time, all being returned, will turn to Chinese products instead.

JamesKnight
Level 1.5: Cupcake

Completely agree with Matt - we use MDM to deploy an internally developed app on about 60 Android devices in our business. Recently we've had updates blocked by GPP for no reason that we know of and it's hugely impacting our ability to function - negating any advantage of having an MDM because I end up having to find ways of tricking each individual device into submission.

I’m all in favour of Google protecting consumers. But I do not need or want Google interfering in my business model, or having its algorithms decide whether they want to allow me to install my app on my devices in my business. It’s essential to have a means of turning off GPP for business-developed apps on their own devices. 

RickB
Level 1.6: Donut

I whole-heartedly agree with all these comments as it applies to Company owned fully managed devices. We have had to turn off Play protect for years due to Google illegitimately blocking business applications and/or displaying warnings at install time. There is also no reason to force allowing users to remove permissions from enterprise apps like "Draw on top" and "Usage access" on Corporate owned, fully managed devices.

Lizzie
Google Community Manager

Hey everyone,

 

Thanks for starting this discussion here. 

 

Obviously at a high level there is a security aspect to all of this and, personally speaking, Android has a level of responsibility to ensure that apps are protected against malware. Having said this, it appears to be clearly impacting the end-user experience and I can understand your point on why these apps should be scanned when they are internal. So personally, I feel there is a balance to be found.

 

I think it would be interesting to learn more about the cases where this is particularly happening. I wonder if it might be worth exploring a few examples back with the team. Would this be of interest? (just a thought)

 

As I say I think it's a really good discussion you've all raised and I actually think the back and forth between different community members helps to think of ideas, provide different use cases/perspectives and surface that multiple members feel passionately about this. So thank you for this. As a gentle reminder, we are a group of community members here, so let's keep the comments respectful and constructive, this way it makes it easier for me to convey your ideas and requests shared. 

 

On this point, I want you to know I am highlighting this conversation internally and exploring if there are existing feature requests/current work around this. So your voices aren't going into the ether. 😀

 

Thank you again and let's keep discussing this. 

 

Lizzie


ian
Level 1.6: Donut

Hi Lizzie, thanks for replying. 

I'd like to echo Matt's comments.

Whenever Android rolls out a new operating system update, it is a scramble to comprehend its implications for both us and our customers. The introduction of features outside the regular yearly OS release schedule is an even bigger scramble, as we're tasked with managing all our tablets deployed in the field that will receive these updates. I would love to go to our Android Enterprise settings to manage new features that come out of the new Android OS, but it feels like we're stuck with no way to modify new Android features or settings.

While I acknowledge Google's responsibility to safeguard end-users, these very features can sometimes have adverse effects on companies utilizing managed devices, leaving businesses unable to programmatically enable or disable certain functionalities. Consider two examples:

1. Special permissions granting: Tasks such as granting accessibility or enabling "appear-on-top" functionality necessitate manual intervention on the device to approve permissions. Guiding an end-user through this process on a tablet can be cumbersome, prone to errors, and frustrating. Oftentimes, conversations with customers reveal their realization that an app requires special permissions, which we are unable to grant automatically. This dilemma usually results in either the company deciding against deploying the application or doing so at a sluggish pace, involving hands-on devices to manually grant those permissions. Neither of these options offers an optimal user experience.

2. Google Play Protect (GPP): Pop-ups displaying "Unsafe App Blocked" for mission-critical applications, even if bypassing the block is permitted, sometimes raise concerns among our end-users. The current workaround involves manually disabling GPP on each device, a less-than-ideal solution due to the number of manual steps (eight) required for every single tablet. Moreover, this approach is reactive, triggered only after the GPP pop-up occurs. Consequently, we find ourselves in a position where we must either proactively inform our customers about the significant impact of the latest Android version on their environment, lag behind in supporting the newest Android versions, or devise engineering workarounds to address the features introduced by Google.

Lizzie
Google Community Manager

Hey @mattdermody and @ian - I hope you are both doing well. I've sent you a couple of messages about a possible call, via your community inbox. Hopefully we can find a suitable time. 😀 Thanks so much.


I'm sorry. I will focus on maintaining the professional decorum moving forward. 

 

What you're seeing here is just mounting frustration with the rise in consumer protection features in Android that are constantly imposing on the fully-managed business owned device use case. I absolutely understand why features like GPP exist. Android struggled with an early bad reputation of being "insecure" and "fragmented" and as a result there has been a constant push to dispel those perspectives. Every year there are more and more consumer protection features added into the base OS and that is generally a good thing for the ecosystem. The issue is when these features do not properly account for all of the management use cases. It is my opinion that when we have a device enrolled under Device Owner management that we have properly declared that the device is owned by the business which therefore should have every right to manage and utilize the devices how they see fit. Despite that, these consumer protection features also bleed into the Device Owner world, leaving enterprises to deal with figuring out how to disable them or work around them. There are many examples that come to mind:

 

- GPP app scanning of legitimate business apps. In the absence of being able to disable GPP we should be provided a mechanism to whitelist specific apps from scanning. 

- Scoped storage file restrictions also impacting Device Owner DPCs. Device Owner DPCs should have been able to manage files under scoped storage.  

- Doze Mode, Green Mode, Battery Optimization. Great for consumers, terrible for line-of-business devices

- Google Assistant accessible from a long press of the home button, even with a lockdown applied

- Uncontrollable updates to critical system components like the System WebView. 

- Managed Play updates requiring criteria like the device having to be in a charging state, when many line-of-business devices utilize hot swappable batteries so the devices may never be in a "charging state"

 

My end customers have now gone through numerous annual Android OS migrations on their devices and with each new version it's like we're playing a game of "whac-a-mole", figuring out which new consumer grade features have to be suppressed, disabled, or otherwise worked around. I regularly get the question of what new features they can expect when they are inevitably forced to upgrade, and the list of pain points is often much longer than the list of benefits. My clients are growing tired of these annual Android OS upgrades because they take a stable, mission critical device environment and disrupt it, sometimes for several months until all of the new issues are taken care of. We then get some period of relief and stability before the next Android OS upgrade disrupts it all over again, but even the periods of stability are often interrupted by uncontrolled updates to system components that break business app functionality. It's incredibly painful to tell a CIO that his production was shut down by a forced update to Chrome or WebView from Google Play that we otherwise could not have controlled, don't have version lock-in for, and can't easily roll back.

 

I am not naive, however, and completely understand the fully managed / Device Owner use case is the smallest use case for Android. We do however feel constantly neglected. I had a large customer with 10k+ Android devices that migrated off of Windows CE recently tell me that they weren't sure if they owned their devices, or Google did, in reaction to numerous issues that they regularly experienced. It's not great when customers are thinking back about how great they had it in comparison on Windows CE. Sure, Android is more secure now, and you'd be crazy to actually want to go back to Windows CE, but there is something to be said about stability, predictability, comprehensive control, etc., and in many cases the end customers of the devices would likely stack rank those above security.

 

Why are security measures put in place in the first place? To prevent bad actors from performing malicious activities that could jeopardize the stability or functionality of the technology in the environment. It's therefore a bit ironic when these very security measures are what are resulting in instability and the breaking of production level functionality. 

crystal11232
Level 1.5: Cupcake

We also encountered a similar problem, we were not listed on Google Market. I only distribute apps on my own website, but my apps are constantly reminded by Google Play Protect. I don't know how to deal with it, can anyone help me?

ian
Level 1.6: Donut

You might be able to file an appeal with Google to perhaps prevent your applications from being removed, however I don't think that they will tell you exactly why your app was being removed on GPP.  You will likely need to make sure you're following best practices on your application.  

You can file an appeal here: 

https://support.google.com/googleplay/android-developer/contact/protectappeals?sjid=3396504988404039...

mattdermody
Level 2.2: Froyo

Dear Google,

 

Please let me install the business apps that I develop on the business devices that I own without you interfering. 

 

Thank you 

 

(What a joke!)

There are very limited options available. You could disable Google Play Protect on the devices in order to prevent your legitimate business apps from being scanned or flagged. Doing so is unfortunately a manual operation per device as it has to be manually toggled off and is not controllable via EMM. If you're not using Google Play for any app distribution you could also disable Google Play completely. That's something that you should be able to accomplish from your EMM. With Google Play disabled you won't get updates to system components like the WebView, which your app might be reliant on. Then again, you won't get unexpected updates to these same system components, which could just as easily jeopardize the stability of your apps.

ian
Level 1.6: Donut

Seems to be what I've found as well, although I'm waiting for the AMAPI docs to show.
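Since several posts in this thread describe the on-device Play Protect toggle silently refusing to turn off, one thing worth checking before touching individual devices is what the EMM policy itself says about it. The following is an added example, not code from any poster or from Google; it audits an Android Management API (AMAPI) Policy resource for the Play Protect related fields I know to exist in the public schema (`advancedSecurityOverrides.googlePlayProtectVerifyApps` with values `VERIFY_APPS_ENFORCED` / `VERIFY_APPS_USER_CHOICE`, and `untrustedAppsPolicy`). The sample policy JSON is constructed for the example, the enterprise and package names are placeholders, and the assumption that an unspecified verify-apps value behaves as enforced is labelled as such in the code. As far as I know the schema has no per-app scanning exemption, which is exactly the gap the thread is about, so the audit can only report the device-wide posture.

```python
import json

# Constructed sample of an AMAPI Policy resource (placeholder names throughout).
# Field names follow the public Policy schema; the values are made up here.
SAMPLE_POLICY_JSON = """
{
  "name": "enterprises/LC0placeholder/policies/lob-fully-managed",
  "advancedSecurityOverrides": {
    "googlePlayProtectVerifyApps": "VERIFY_APPS_ENFORCED",
    "untrustedAppsPolicy": "DISALLOW_INSTALL"
  },
  "applications": [
    {"packageName": "com.example.lob.scanner", "installType": "FORCE_INSTALLED"}
  ]
}
"""

# Second constructed variant: the admin has left Play Protect to user choice and
# allowed device-wide sideloading (for instance for an EMM installer).
SAMPLE_POLICY_USER_CHOICE_JSON = """
{
  "name": "enterprises/LC0placeholder/policies/lob-user-choice",
  "advancedSecurityOverrides": {
    "googlePlayProtectVerifyApps": "VERIFY_APPS_USER_CHOICE",
    "untrustedAppsPolicy": "ALLOW_INSTALL_DEVICE_WIDE"
  },
  "applications": []
}
"""

SIDELOAD_ALLOWING = {"ALLOW_INSTALL_DEVICE_WIDE", "ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY"}


def audit_play_protect(policy: dict) -> dict:
    """Report the Play Protect posture a policy imposes on enrolled devices.

    Returns a dict with:
      verify_apps       the raw googlePlayProtectVerifyApps value (or UNSPECIFIED)
      toggle_locked     True when the on-device Play Protect switch cannot be
                        turned off by the user
      sideload_allowed  True when untrustedAppsPolicy permits installs from
                        outside Managed Google Play
      force_installed   package names the policy force-installs (the apps that
                        would be scanned on first launch if sideloaded)
      notes             human-readable findings
    """
    overrides = policy.get("advancedSecurityOverrides", {})
    verify = overrides.get("googlePlayProtectVerifyApps",
                           "GOOGLE_PLAY_PROTECT_VERIFY_APPS_UNSPECIFIED")
    untrusted = overrides.get("untrustedAppsPolicy", "UNTRUSTED_APPS_POLICY_UNSPECIFIED")

    # Assumption for this example: an unspecified value is treated as enforced,
    # since that is the safer reading for an audit; confirm against current docs.
    toggle_locked = verify in ("VERIFY_APPS_ENFORCED",
                               "GOOGLE_PLAY_PROTECT_VERIFY_APPS_UNSPECIFIED")
    sideload_allowed = untrusted in SIDELOAD_ALLOWING
    force_installed = sorted(
        app["packageName"] for app in policy.get("applications", [])
        if app.get("installType") == "FORCE_INSTALLED"
    )

    notes = []
    if toggle_locked:
        notes.append("Play Protect is enforced by policy: the on-device toggle will "
                     "not turn it off, so per-device manual disabling is not an option here.")
    else:
        notes.append("Play Protect is left to user choice: the on-device toggle works, "
                     "but scanning stays on until someone turns it off on each device.")
    if sideload_allowed:
        notes.append("Sideloading is permitted; apps installed outside Managed Google Play "
                     "are the ones Play Protect treats as unknown.")
    else:
        notes.append("Sideloading is blocked; only Managed Google Play installs are possible.")
    notes.append("No per-app scanning exemption exists in this policy schema; "
                 "posture is device-wide only.")

    return {
        "verify_apps": verify,
        "toggle_locked": toggle_locked,
        "sideload_allowed": sideload_allowed,
        "force_installed": force_installed,
        "notes": notes,
    }


if __name__ == "__main__":
    for raw in (SAMPLE_POLICY_JSON, SAMPLE_POLICY_USER_CHOICE_JSON):
        result = audit_play_protect(json.loads(raw))
        print(json.dumps(result, indent=2))
```

In practice you would feed the function the JSON returned by `enterprises.policies.get` for the policy your fully managed devices are enrolled under; if it reports the toggle as locked, the behaviour karam describes above (the switch appearing to work but reverting) is the policy doing its job, not a device fault.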

jasonbayton
Level 4.0: Ice Cream Sandwich

Don't hold your breath, GA is many months away 😅

jasonbayton
Level 4.0: Ice Cream Sandwich

Hey all, scanning will become a togglable API in 15 based on docs I've found so far. 

 

Linky  

davidguillaume
Level 1.6: Donut

We currently have this exact issue with 2 customers; it is a MASSIVE annoyance having to go through this on 1000s of Fully Managed devices that are being staged for a customer.