This is happening to most of our enterprise apps, and Google is not at all helpful in discovering why. Regardless, enterprise apps should not be subject to Google's paranoia. All it is doing is causing enterprises like my own to have to turn the feature off, because of the numerous false positives.

Thanks @karam and @RickB for sharing a bit more detail.

I am interested to dig a little deeper into this, and I'm sorry if you haven't had much luck providing this feedback before. RichB you mention that this is happening with most of your enterprise apps, so potentially there is a common theme among them that is failing and it sounds like the notification/information provided doesn't help much to troubleshoot why this is happening? Do you think that better information/guidance at this point or before you make them available to end-users would potentially help here? 

Thanks again,

Lizzie

Every day Google Play Protect decides it doesn't like 3 or 4 more enterprise apps. This is out of control. These are Corp owned devices! Stop messing with things you knonw NOTHING about

Yes. The ideal state would be having GPP enabled for device wide app scanning but with the option of being able to configure specific Bundle IDs to be whitelisted or ignored by GPP. Enterprises do not agree with the value that Google thinks that they're providing by scanning their enterprise apps for outdated libraries or other vulnerabilities because the action taken by GPP (disabling or removing these apps that it deems to be unsafe) is ultimately more disruptive to the business operations than the possibility of the vulnerability being exposed. It is nice to have GPP for generic app scanning but please provide a mechanism to allow enterprises to whitelist their own apps from scanning or interference. Without that enterprises are left disabling GPP completely, and in some cases Google Play services completely. Many of the enterprises I help support and manage are increasingly concerned by the controls that Google is implementing in the name of "security" and many have commented that they no longer feel like they own the devices that they've purchased since Google seems to have more control over their devices than they do. Google will ultimately force these enterprises down alternative paths if proper care isn't taken by Google to provide better configurable control over the constantly increased restrictions. 

Hi Lizzie. Thanks for responding.

My experience relates to an in-house app and, therefore, something which Google won't have (and don't need to have) knowledge of. 

I appreciate Google's desire to protect consumers and I have no problem with GPP scanning apps downloaded from the Play Store (or other sources) when the device is not managed within a corporate environment.

However, Google should absolutely not be dictating - or even influencing - whether or not to allow a company's own app to be installed on devices which it owns and manages.

Our app is developed internally, exclusively for our own use. It is not available on the Play store (or any other store) and is installed via an MDM solution (Soti MobiControl). Under those circumstances, GPP should have no role, at all,  and we should be allowed to have control over our own devices and make our own decisions on risk.

MDM solutions should be able to switch off GPP on company-managed devices, either globally or on an app-by-app basis.

I hope this helps.

Thank you.

👏👏👏☝️☝️☝️

Spot on.

Hi,
New to the discussion, as it is becoming the exact same challenge for our customers too.
Did you manage to have any action done to solve that issue in your private discussion?

Note in our case:
Targeting SDK higher than 32 is currently impossible due to the programmatic bluetooth restrictions that are a key feature.

Cheers

The Android team was willing to listen and was receptive to the feedback provided but we are a long way away from any changes for this being implemented. I would not count on any changes relative to GPP administration or allow listing any time soon and would figure out alternate strategies in the mean time. 

Hello, I'm new to this conversation but found it because I've having this issue with Apps being yanked off our devices.   I don't have the same chops many of the other posters have when it comes to Android, I've mostly been managing iOS devices via MDM for the past several years, but we were purchased last year and now I'm scrambling to learn both Intune and Android.

In our case, we use a third party software product that has a couple mobile apps available from within it.   Their apps are not on the Play Store because one of their customers pushed the APKs out to a private Play Store instance and Google won't let the same APK exist in different Play Store environments (this is what the software vendor tells me).

We set a policy in Intune to allow sideloading for this one group of users, and that works -- they can sideload the apps.    But the app gets deleted without fail.  It just pops a notification with the App name and says "Deleted by your admin"

We've combed through every compliance policy and conditional access policy in Intune we can find.  I've even gone so far as to exclude the user group from each policy that applies to it to see if that policy is the one causing the removal, but it always removes.   On my test device, I can look at "Play Protect settings" and the option for 'Scan apps with Play Protect' is switched off, but that app still gets removed.

Now I'm mad at everyone.  I'm mad at the software vendor because they really ought to fix the problem on their side and publish the #$%& apps to the Play Store.   I'm mad at Intune because there's nothing in their logs that tells me what on earth is initiating the removal process.   I'm mad a Google because the device does not log the process that initiates the removal either -- and frankly, we should be able to push the APKs to a private instance for ourselves but we can't.

I can certainly relate to a lot of the frustrations that you're having with the Android Enterprise system combined with your usage of Microsoft Intune. With that said, it sounds like the issues that you're experiencing with sideloading apps is not necessarily a GPP issue. This seems to be proven out by the fact that even when manually disabling the GPP feature on your test device it still gets removed. I think this may be more evidence of Intune actually removing the sideloaded app versus it being GPP preventing the app from being installed in the first place. 

While it is true (and frustrating) that only one instance of a particular app Bundle ID can exist across all Google Play servers including both Public and Private distribution channels, your app developer should still be able to compile a new version of the same app under a new Bundle ID so that it can be uploaded into Play. If I were them I would compile a new Bundle ID and then upload that into my own Developer Console of Google Play as a Private app and then grant your organization ID access to that Private Play app. This way they only have to change the Bundle ID of their app one time and be able to grant Play distribution to any approved organizations. If they otherwise build a custom compile with a new Bundle ID and provide it directly to you then you will upload it into your own Private Play store through the Google Play iFrame and effective consume that Bundle ID as well. This would translate to them having to provide you with your own custom compiled Bundle ID for every single new version of the app.  I can understand their reluctance to avoid that sort of scenario because it adds additional overhead to every single new version release as they'd potentially end up having to compile different versions for every customer that they have that is limited to only using Google Play for app distribution to their devices. By creating a new Bundle ID that they upload into their own Private Play store they can reserve that ID and only have to fork their compile process one time. This is a somewhat reasonable ask to put back on them. Note however that this will also translate to the developer having to manage the release tracks for each new version of the app that you need delivered which does still put additional overhead on them. This could be another reason that they're pushing back on your request. 

Note that your developer is likely pushing back on this because you're using an EMM (Intune) that ONLY supports installation of apps via Managed Play as a baseline lowest common denominator function of Android Enterprise Management standards. Other more capable EMMs extend beyond the capabilities of AMAPI with a custom DPC and these EMMs offer the ability to install APKs directly on fully managed Android Enterprise devices without the restrictions and limitations of having to pass your app install through Managed Google Play. For mission critical / line-of-business Android apps this is still the approach that I recommend. Google Play based app distribution is otherwise still too limited when it comes to version control, roll back, granular installation scheduling etc for mission critical apps, in my opinion. My guess is that your app developer shares a lot of these same opinions and are ultimately trying to protect you from these risks by expecting you to have an EMM capable of direct app installation with proper control. You are taking their frustrations out on them when in reality you should be frustrated that Google hasn't provided a complete set of comprehensive installation controls necessary to support line of business devices and Intune has effectively aligned their strategy completely with Google by not offering you any additional capabilities.  

The app gets removed on the device because you have not added it as an "Android Enterprise System App". When you sideload apps you need to assign that to the device and if you don't it will get removed by the system. 

https://learn.microsoft.com/en-us/mem/intune/apps/apps-ae-system

It was added to the Android Management API in the last hour 🙂 

Is this actually the same thing as an allowlist for bypassing GPP scanning? Are ON Device Abuse Detection (ODAD) and GPP equivalent? It sounds to me like two different but possibly related features.

No so this is the phishing protection specifically, general GPP is not even in the works as far as I know 

So this doesn't really help with the issue of installing corporate apps that are flagged incorrectly.  Was really hoping this would be addressed in Android 15. 

Thanks for the tip, unfortunately this won't help a lot of our customers as they have closed networks