Setting UntrustedAppsPolicy to DISALLOW_INSTALL does not prevent app installs

ekatz
Level 1.5: Cupcake

‎02-15-2024 05:13 AM

We have devices provisioned on an Android Enterprise policy where the AdvancedSecurityOverrides.UntrustedAppsPolicy is set to DISALLOW_INSTALL, but users are still able to download APKs via browser and install them.  Is there another setting that someone is aware of that would prevent this behavior?

 

Thanks all.

Labels:
0 Kudos
9 REPLIES 9

Moombas
Level 4.1: Jelly Bean

‎02-15-2024 06:12 AM

Hi ekatz,

have you checked on the device itself if this setting has taken place or if it's still not set?

Maybe you did something wrong when providing this setting or anything other is issuing here which needs to be troubleshooted.

0 Kudos

ekatz
Level 1.5: Cupcake

‎02-15-2024 06:15 AM

Hi Moombas,

 

Unfortunately, the devices are half way around the world.  I have been able to confirm that the policy element is definitely getting set correctly, since it has been accepted as valid when I PUT the policy, and I'm able to retrieve the setting back when I retrieve the policy.

0 Kudos

Moombas
Level 4.1: Jelly Bean
In response to ekatz

‎02-15-2024 06:28 AM

But there must be something going wrong. Even if I only set this in our MDM (which works fine), I would expect that this is the only setting needed.

0 Kudos

ekatz
Level 1.5: Cupcake

‎02-15-2024 08:18 AM

Here is the policy snippet, as retrieved directly from Google:

ekatz_0-1708013877066.png

I am thoroughly stumped as to why this won't work.

0 Kudos

Moombas
Level 4.1: Jelly Bean
In response to ekatz

‎02-16-2024 12:07 AM - edited ‎02-16-2024 12:09 AM

I'm not a developer, so please don't blame me but in the documentation following is shown:

{
  "untrustedAppsPolicy": enum (UntrustedAppsPolicy), 
 "googlePlayProtectVerifyApps": enum (GooglePlayProtectVerifyApps), 
 "developerSettings": enum (DeveloperSettings), 
 "commonCriteriaMode": enum (CommonCriteriaMode),
 "personalAppsThatCanReadWorkNotifications": [ string ] 
}

So, do you need to use that enum for the DISALLOW_INSTALL as there's no string expected but maybe a number instead. My assumption to that would be compared to 1 because of the order in the documentation.

But as said, I'm not a developer so maybe I'm totally wrong.

0 Kudos

ekatz
Level 1.5: Cupcake
In response to Moombas

‎02-16-2024 04:03 AM

Hi Moombas,

 

Thanks for the input.  Actually the android mdm policy updates use the strings as the values.  I use them all over the place in the current policy, and all of the other settings work ok.

 

Eric

0 Kudos

Lizzie
Google Community Manager
Google Community Manager

‎02-15-2024 08:54 AM

Hey @ekatz,

 

Great to meet you.

 

Oo good question, we may need to dive a little more into this, as it's hard to establish from what you've mentioned here why this isn't working. 🤔

 

I wonder if you are able to provide a bug report for this? I'll send you a direct message via your Community inbox (see the envelop in the top right corner of the page), so you don't need to post it publicly. 

 

Thanks,

Lizzie

 

(Thanks also for your help here @Moombas to troubleshoot this) 


Welcome to the Community everyone!

Have a question or want to start a conversation, click here.

0 Kudos

ekatz
Level 1.5: Cupcake
In response to Lizzie

‎02-16-2024 04:04 AM

Hi Lizzie,

 

I'm trying to get an android tablet spun up on mdm so i can reproduce it here, sadly an older tablet so it's giving me some trouble, but I'll get it done.  Then i can get some more information.

 

Eric

0 Kudos

ekatz
Level 1.5: Cupcake

‎02-18-2024 07:20 PM

For anyone facing this in the future....

As it turns out,  that allowing a user on Android Enterprise to add a personal account seems to override the restriction preventing the user from installing apps that aren't white-listed. I am not sure if this is an Android Enterprise defect or design, but at least I've been able to prove it by testing on 2 different devices under the different conditions. 

 

Thanks much to everyone that reached out to help.

0 Kudos