Skip to main content
H
HeadwindMDM
Level 2.0: Eclair
December 10, 2025
Solved

Is there any way to disable Google Play Protect (GPP) during QR code enrollment to avoid blocking an MDM app?

  • December 10, 2025
  • 5 replies
  • 0 views

I am the developer of Headwind MDM, the open source MDM for Android.

 

In December 2025, many of our users reported the same issue. While installing an MDM app by the QR code method, it is blocked by Play Protect: "This app can request access to sensitive data". A detailed description of the issue is here.

 

As per Play Protect guidelines, this may happen if an app uses sensitive permissions—RECEIVE_SMS, READ_SMS, NOTIFICATION_LISTENER, and ACCESSIBILITY. We removed these permissions in May 2025, and at that time the issue was resolved.

 

Unfortunately the issue re-appeared again in December, and we were unable to determine why Headwind MDM agent is blocked at the enrollment stage. Even removing all permissions from the manifest didn't resolve the issue! Looks like there is an AI which automatically blocks software in an opaque way (by signature or code similarity). Interesting - sideloading and installing the same MDM agent APK on a non-managed device doesn't trigger Google Play block!

 

I'm not talking about the ethics as it was already discussed in another related topic. All I know is that this behavior of Play Protect is a critical threat to our MDM project.

 

Technically, is there a way to bypass Play Protect, for example by adding a parameter in the enrollment QR code?

 

P.S. I already submitted the appeal form. If you have a similar issue, please fill and submit this form, this may speed up the issue resolution.

    Best answer by HeadwindMDM

    The issue is solved for our DPC app, apparently by manual whitelisting. Seems like there's no straightforward solution yet - the docs ends in the Play Protect appeal form, and there are multiple similar complaints on this forum, for example this one

     

    We asked our users to submit the appeal form, probably that makes some sense. Probably submitting a warranty case to a device manufacturer could help - let them know that devices couldn't be provisioned and used in business due to firmware issues.

     

    I hope there will be some progress on the Android Enterprise portal and some official information soon, so it worth signing up on the portal.

    5 replies

    Lizzie
    Lizzie
    Community Manager
    December 10, 2025

    Hey @HeadwindMDM,

     

    Nice to meet you. Thanks for submitting this via the appeal form, this is the best way to highlight this. As a side note, I've also forwarded on your post here to that team. 

     

    I would recommend regularly checking to see if there has been an update in this area. 

     

    I hope this helps. 

     

    Thanks,

    Lizzie

    Welcome to the Community everyone!Have a question or want to start a conversation, click here.
      H
      HeadwindMDMAuthor
      Level 2.0: Eclair
      December 10, 2025

      @Lizzie Thank you for your response! I found this post and I'm really disappointed by these unexpected restrictions affecting our users unable to enroll hundreds of devices (our team is getting complaints to Play Protect block from about 5 corporate users daily). I have also found this page and submitted a form using my Android Enterprise Partner account.

       

      I would appreciate if you, or the team you mentioned, could provide me (and other banned developers of custom DPCs) with a straightforward way to be whitelisted.

       

      Thank you for your assistance!

        J
        jasonbayton
        Level: 4.1: Jelly bean
        December 10, 2025

        It looks like Google quietly introduced DPC whitelisting, but didn't do much due diligence to leave a well-established project like Headwind off the list. 

         

        For anyone else looking for the reference to this:  https://share.google/C0D4J0MrVSbc9tWLf

         

        It's unfortunate this seems to have been introduced quietly in the background and not the right way with a proper announcement and opportunity for vendors to take steps to become compliant ahead of time. 

          Lizzie
          Lizzie
          Community Manager
          December 10, 2025

          Just to mention, more information on this update can be found in the AE Partner Portal for partners and the Help Center articles have been updated. Please let me know @jasonbayton if you feel we should highlight this further or in a different manner. It will be useful feedback. 

           

          @HeadwindMDM do you have access to the Partner Portal? 

          Welcome to the Community everyone!Have a question or want to start a conversation, click here.
            J
            jasonbayton
            Level: 4.1: Jelly bean
            December 10, 2025

            Sure, most of the complaints I've seen aren't coming from already-approved partners.

            Slipping in a help centre article and hoping folks stumble to it after whatever amount of damage this does to their business is unpleasant. There was no blog.google "tightening requirements on custom DPCs", no customer community announcement I saw.. so only those least likely to be impacted by this (existing partners) were proactively informed ahead of time I guess? If that's not the case my mistake, but Headwind here has struggled for most of the year after the change, I'm sure a pre-emptive Google play developer alert based on apps with the same flags it's using to block apps would have saved a lot of headaches (again if it did that then I'm mistaken).

             

            Otherwise much more could have been done without impacting people's livelihoods here. Blimey Google has given Device Admin vendors 7 years and counting to migrate, PlayEMM... 5 years and counting? This feels like an overnight change by comparison 

              B
              Bharat
              New Member
              December 11, 2025

              So, an Android Enterprise account is required to have a DPC whitelisted. Is there any alternative, or is anything else planned?

              H
              HeadwindMDMAuthor
              Level 2.0: Eclair
              December 11, 2025

              Looks like Headwind MDM agent (com.hmdm.launcher) isn't blocked by Play Protect any more! I am checking with affected customers.

               

              Thank you very much @Lizzie  and @jasonbayton for your prompt help!

               

              Looking forward to the clarification (or better rollback!) of the new DPC app restriction policy. I believe @Bharat also needs a solution.

                G
                guaregua
                New Member
                December 16, 2025

                Ok? So @HeadwindMDM is this solved for you? Any clue for the rest of us?

                H
                HeadwindMDMAuthorAnswer
                Level 2.0: Eclair
                December 18, 2025

                The issue is solved for our DPC app, apparently by manual whitelisting. Seems like there's no straightforward solution yet - the docs ends in the Play Protect appeal form, and there are multiple similar complaints on this forum, for example this one

                 

                We asked our users to submit the appeal form, probably that makes some sense. Probably submitting a warranty case to a device manufacturer could help - let them know that devices couldn't be provisioned and used in business due to firmware issues.

                 

                I hope there will be some progress on the Android Enterprise portal and some official information soon, so it worth signing up on the portal.

                  Terms & ConditionsCookie settingsAccessibility statement