Setting UntrustedAppsPolicy to DISALLOW_INSTALL does not prevent app installs

ekatz
Level 1.5: Cupcake

We have devices provisioned on an Android Enterprise policy where the AdvancedSecurityOverrides.UntrustedAppsPolicy is set to DISALLOW_INSTALL, but users are still able to download APKs via browser and install them.  Is there another setting that someone is aware of that would prevent this behavior?

 

Thanks all.

9 REPLIES 9

Moombas
Level 4.1: Jelly Bean

Hi ekatz,

have you checked on the device itself if this setting has taken place or if it's still not set?

Maybe you did something wrong when providing this setting or anything other is issuing here which needs to be troubleshooted.

ekatz
Level 1.5: Cupcake

Hi Moombas,

 

Unfortunately, the devices are half way around the world.  I have been able to confirm that the policy element is definitely getting set correctly, since it has been accepted as valid when I PUT the policy, and I'm able to retrieve the setting back when I retrieve the policy.

Moombas
Level 4.1: Jelly Bean

But there must be something going wrong. Even if I only set this in our MDM (which works fine), I would expect that this is the only setting needed.

ekatz
Level 1.5: Cupcake

Here is the policy snippet, as retrieved directly from Google:

ekatz_0-1708013877066.png

I am thoroughly stumped as to why this won't work.

Moombas
Level 4.1: Jelly Bean

I'm not a developer, so please don't blame me but in the documentation following is shown:

{
  "untrustedAppsPolicy": enum (UntrustedAppsPolicy), 
"googlePlayProtectVerifyApps": enum (GooglePlayProtectVerifyApps),
"developerSettings": enum (DeveloperSettings),
"commonCriteriaMode": enum (CommonCriteriaMode),
"personalAppsThatCanReadWorkNotifications": [ string ]
}

So, do you need to use that enum for the DISALLOW_INSTALL as there's no string expected but maybe a number instead. My assumption to that would be compared to 1 because of the order in the documentation.

But as said, I'm not a developer so maybe I'm totally wrong.

ekatz
Level 1.5: Cupcake

Hi Moombas,

 

Thanks for the input.  Actually the android mdm policy updates use the strings as the values.  I use them all over the place in the current policy, and all of the other settings work ok.

 

Eric

Lizzie
Google Community Manager
Google Community Manager

Hey @ekatz,

 

Great to meet you.

 

Oo good question, we may need to dive a little more into this, as it's hard to establish from what you've mentioned here why this isn't working. 🤔

 

I wonder if you are able to provide a bug report for this? I'll send you a direct message via your Community inbox (see the envelop in the top right corner of the page), so you don't need to post it publicly. 

 

Thanks,

Lizzie

 

(Thanks also for your help here @Moombas to troubleshoot this) 



Welcome to the Community everyone!

Have a question or want to start a conversation, click here.

ekatz
Level 1.5: Cupcake

Hi Lizzie,

 

I'm trying to get an android tablet spun up on mdm so i can reproduce it here, sadly an older tablet so it's giving me some trouble, but I'll get it done.  Then i can get some more information.

 

Eric

ekatz
Level 1.5: Cupcake

For anyone facing this in the future....

As it turns out,  that allowing a user on Android Enterprise to add a personal account seems to override the restriction preventing the user from installing apps that aren't white-listed. I am not sure if this is an Android Enterprise defect or design, but at least I've been able to prove it by testing on 2 different devices under the different conditions. 

 

Thanks much to everyone that reached out to help.