Is there any way to disable Google Play Protect (GPP) from an EMM or to otherwise whitelist apps from scanning?

mattdermody
Level 2.0: Eclair

I am very concerned about the Enhanced GPP features coming soon that are currently being piloted in other regions.

 

https://security.googleblog.com/2023/10/enhanced-google-play-protect-real-time.html

 

This is not a welcome feature whatsoever for the fully managed space where we have business apps written internally that are being installed on business devices, owned by that business. In no way do we want Google sitting in between deciding whether a very legitimate app written internally for an organization should be installed on devices that are purchased and owned by the same organization on fully managed devices. I would like a way to disable GPP completely, or at a minimum whitelist applications from scanning as we don't want Google interfering in the business operations. 

 

GPP is a helpful consumer protection feature, but fully managed devices should have the ability to be opted in or out of the program. Otherwise GPP can incorrectly flag a mission critical app and disable or remove it from a device, thereby bringing down a line-of-business application and an end customer's operations. While the intentions of GPP are good, by blocking business apps Google themselves is becoming the malicious actor that GPP is ironically trying to prevent.

1 ACCEPTED SOLUTION

melanie
Google Team

Hi all,

 

My name is Melanie and I am a Product Manager on the Android Enterprise team. Lizzie highlighted your discussion here back to our team. Thank you for your feedback and the useful discussion.

 

Reading through your feedback, we’ve picked up on a point that was consistently mentioned around private company apps being scanned, so we wanted to provide you with some additional information around this.

 

Google Play Protect (GPP) is designed to help protect against malware. By default, GPP asks users to send unknown applications to Google for scanning. This is because apps installed via Google Play or Managed Google Play are already scanned, but applications side-loaded (including installed through EMM installers) are not.  This is what triggers the "Send app for a security check?" dialogue.

 

Several of you mentioned you would prefer not to send private company apps, especially on company-owned devices, externally to Google servers. The servers involved in this processing are kept isolated and protected within Google, but we still acknowledge that some organizations may prefer not to upload any data to external servers. 

 

Additionally, we acknowledge that the “Send app for a security check” message can be confusing to device users, especially as they may not be the app or device owners and are therefore unable to make a decision on this.

 

Based on all of the feedback you’ve provided, last week we made a change preventing unknown applications (e.g. private side-loaded apps) from being uploaded to Google servers on Fully Managed devices or Managed Work Profiles.

 

Please note that GPP is still running on these devices as usual, and is still comparing these apps to known PHAs. (So if an app is highly likely to be a PHA, users will still see the "Harmful app blocked" dialogue.)  We’ll be updating our GPP Help Centre article shortly to reflect this change.

 

This change went live across all online devices on September 6th.

 

Thank you once again for your feedback and we look forward to hearing more across the community conversations. If you have any additional questions on this, please do feed them via Lizzie. 

 

Melanie


54 REPLIES

This is an amazing and honestly unexpected result! Thank you so much for hearing us out on the request and taking action. This is a great success story for this community.

Thank you for the update and the change in behaviour; this is greatly appreciated. Thank you to @Lizzie and everyone on this thread for helping to make it happen.

Michel
Level 2.2: Froyo

Great result! Thanks for listening to the feedback and looking for a solution! 

RickB
Level 1.6: Donut

I can confirm that apps already flagged previously are unaffected and still receive warnings. Just in case someone was curious. Look forward to new versions not having these issues for sure. Thanks all!

Could you share a screen-print or the text of the warning please?

 

To clarify, GPP is still running on these devices - so high risk apps will still be flagged as such with a block or warning.