Recent discussions
Issue: Play Protect Blocks DPC Installation During QR Provisioning on Android 14 / One UI 6.1
Hello, We use QR code provisioning to install our custom Device Policy Controller (DPC) app from a custom download URL (not Google Play). The exact same APK + QR configuration: Works on: Samsung Galaxy S20 — Android 13 / One UI 5.0 Blocked on: Samsung Galaxy S21 — Android 14 / One UI 6.1 Play Protect stops installation with the message: "App blocked to protect your device. This app can request access to sensitive data. This can increase the risk of identity theft or financial fraud." Provisioning QR: { "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "<DeviceAdmin component>", "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM": "<Package checksum>", "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "<S3 bucket url>", "android.app.extra.PROVISIONING_LOCALE": "en_US", "android.app.extra.PROVISIONING_TIME_ZONE": "Europe/Helsinki", "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": false, "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME": "<Package name>", "android.app.extra.PROVISIONING_WIFI_HIDDEN": true, "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE": "WPA", "android.app.extra.PROVISIONING_WIFI_SSID": "<WiFi SSID>", "android.app.extra.PROVISIONING_WIFI_PASSWORD": "<WiFi Password>" } Questions: Question 1: What changed in Android 14 or One UI 6.1 related to: - Sideloading DPCs during provisioning - Play Protect enforcement during QR setup Question 2: What is the new required approach to ensure the DPC installation is allowed? (e.g., signature checksum requirement, Play signing, allow list, new provisioning extras) Question 3: Is there updated documentation that describes the new DPC provisioning security rules? We need to understand the change and how to properly support Android 14+ devices in enterprise deployments. Thank you!
Play EMM API: Devices.get / Devices.list unavailable for extended duration
Issue Description : After device enrollment, Devices.get() and Devices.list() intermittently return “No Device was found”/an empty list for the same device for an extended duration greater than 15 mins. This behavior persists beyond the propagation delay described in the documentation, which is 2 mins. Impact: App Distribution affected Our EMM supports incremental app distribution: Fetch current device policy Merge additional apps Re-apply policy using Devices.update() When devices.get() / devices.list() are unavailable: We cannot retrieve the current device policy --> Incremental app distribution fails Detailed Reproduction Steps: Enroll device (afw#DPC_IDENTIFIER managed accounts method) Call Devices.update() to distribute apps that were pre-configured for installation during the enrollment process. Call succeeds Custom DPC adds managed Google Play account on Device Call Devices.List(enterpriseId, userId) → Returns empty for 15+ mins Call Devices.get(enterpriseId, userId, deviceId) → Returns 404 "No device was found" during this time Queries: What is the expected propagation delay for custom DPCs? How long should we poll and check if the deviceId is listed in devices.list()? Any workflow changes needed from our side? How do other EMMs handle incremental app distribution?
Initial Android Management API device limit is 0 after enterprise creation – how can we test during quota review period?
Hello Android Enterprise Community, We are currently building a custom MDM solution based on Android Management API and have completed the full end-to-end workflow, including enterprise creation, policy creation and assignment, enrollment token (QR) generation, device command lifecycle testing, Pub/Sub notifications, and admin panel and backend integration. The enterprise is created successfully, however the initial device limit shows as 0, so we are unable to enroll any test devices at the moment. We have already submitted the Android Management API initial quota request form with a detailed business use case and supporting architecture documentation. Due to the holiday period from December 19 to January 5, we understand there may be delays in review. I would like to ask: Is there any recommended way to test device enrollment while the initial quota request is under review? Is a temporary or development test quota ever enabled for validation purposes? Are there any best practices to validate an MDM implementation before quota approval? We want to ensure our implementation fully follows Android Enterprise and Android Management API best practices. Any guidance from the community or Google team would be greatly appreciated. We are currently building a custom MDM solution based on Android Management API and have completed the full end-to-end workflow, including: Enterprise creation using Android Management API Policy creation and assignment Enrollment token (QR) generation Device command lifecycle (lock, wipe, compliance) Pub/Sub notifications for device status updates Admin panel + backend integration The enterprise is created successfully, however the initial device limit shows as 0, so we’re unable to enroll any test devices at the moment. We have already submitted the Android Management API initial quota request form (500 devices) with detailed business use case and supporting architecture documentation. Since there is a holiday period (Dec 19 – Jan 5), we understand review responses may be delayed. Questions Is there any recommended way to test device enrollment while the initial quota request is under review? Is a temporary test quota ever enabled for development or internal validation? Are there any best practices to validate an MDM implementation before quota approval?12 deliveries of AE-mas (What shipped in Android Enterprise in 2025)
2025 was a big year for Android Enterprise. This was the year several long-missed features finally landed, Device Trust became a thing, zero-touch got a compliance and audit boost, provisioning saw a revamp, and the Android Management API quietly kept adding the sort of controls that make admins' lives easier. So, in the spirit of celebrating a strong year for the platform, here are 12 Features of AE-mas (let's not worry about the title.. I was strugglin'), in no particular order, chosen somewhat at random as - would you believe - the list could have been longer should I have chosen not to follow the 12 days of Christmas as the theme.. 12. APN overrides via AMAPI APN management finally arrived. In May 2025, AMAPI gained apnPolicy, allowing admins to define and enforce APNs directly through policy. This closes a long-standing gap for cellular deployments where “just set the APN” has historically been anything but. It's great to see this functionality pulled out of OEM config and into the AMAPI layer, giving admins access to on-device APIs that have been effectively off-limits for years. Read about APN here. 11. Developer verification for Android Developer verification isn't coming until next year, but we're talking about it already, and work is in progress to bring it to fruition now. Developer verification raises the bar for Play publishers by requiring stronger identity verification. For enterprise, it’s a supply-chain win: fewer convincing lookalikes, higher friction for malicious publishers, and a clearer answer when security teams ask “who made this app, exactly?”. There’s pushback in the community, there's a lot of misunderstandings about the requirements and ramifications, but hopefully as time goes on this will settle on both sides through further transparency and discussion. Organisations deploying private apps to their own tenants are currently exempt, but it remains a big change nonetheless, and organisations benefit from the wider boost in authenticity of apps and developers. I covered off more about developer approval here. 10. Device Trust from Android Enterprise This was the year Device Trust arrived. Device Trust enables real-time posture and integrity signals (Play Integrity verdicts, boot state, security patch recency, lock-screen presence, strong auth age, OS tamper signals) that can be evaluated continuously rather than only at enrolment, and on both managed and unmanaged devices. It's a huge boost for MAM-type deployments, security solutions, and allows traditionally EMM-dependent vendors the freedom to operate independently. This isn’t a small feature. It fundamentally changes how Android Enterprise fits into modern security architectures. I wrote more about Device Trust here. 9. Custom app management via AMAPI (CUSTOM install type) One of the most consequential releases of the year, perhaps even since AMAPI began half a decade ago. AMAPI introduced first-class support for installing and managing custom applications using installType: CUSTOM, backed by signing certificate validation (appSigningKeyFingerprints) and explicit install and uninstall commands. It allows organisations reliant on line-of-business (LOB) internal applications to ditch any and all wild-west sideloading for a policy-driven, verifiable deployment, which is exactly what enterprise actually needs. All without the need for uploading apps to Google Play. I wrote more about custom apps here. 8. Zero-touch portal audit logs and admin roles The zero-touch portal became auditable and permission-scoped in 2025. Google rolled out audit logs to the zero-touch customer portal, capturing all admin actions needed to ensure the platform is no longer a black hole of who did what. Alongside this came clearer admin role separation, reducing the blast radius of operational mistakes. For regulated environments, this turned zero-touch from a black box into something governance teams could actually trust. 7. Android 16 provisioning improvements One of the greatest improvements to the enrolment flow happened in 2025, and it was so long overdue! Android 16 brought a clear push toward more reliable setup flows, fewer steps, and the ability to update it on the fly, as opposed to being stuck adjusting it only on major version releases. I put out a video nearer the start of the year, while 16 was still in beta, which you can see on LinkedIn here. With this newer approach, Google is beginning to leave behind the old managed provisioning flows baked into AOSP, though they're still there as a fallback today. It'll be interesting to see how this evolves. 6. Application roles in Android Management API This was unexpected. Application Roles formalised entire classes of enterprise apps, including: COMPANION_APP KIOSK MOBILE_THREAT_DEFENSE_ENDPOINT_DETECTION_RESPONSE SYSTEM_HEALTH_MONITORING Apps assigned these roles can be exempt from background execution limits, power management, suspension, and hibernation on modern Android versions, with user control restricted by default. This isn’t just about companion apps - it’s about enterprise software finally being treated as first-class by the OS, and adds much-needed flexibility with far less configuration and overhead. 5. Default application management policy Admins finally gained control over default apps. AMAPI added a policy allowing admins to define a prioritised list of default applications per app type (browser, dialler, etc), setting the first qualifying app as default and preventing user changes. For compliance-sensitive fleets - browsers, diallers, PDF viewers - this is the sort of boring control that saves hours. It's predominantly Android 16+, but there's a few that go back a few versions of Android. Read more about default applications here. 4. RCS archival RCS has long been the compliance blind spot for Android Enterprise fleets, with SMS/MMS archiving handled by legacy tools while RCS was left out in the cold. In December, Google release a supported way to archive RCS/SMS/MMS on fully managed devices, with Google Messages as the mandated client. Once those prerequisites are met, admins can configure Messages to forward message bodies, metadata, and attachments to a SIEM/service/archival tool on a schedule or trigger with no needed workarounds or limitations of legacy solutions. It’s - to reiterate - Google Messages only for now (OEM messaging apps remain out of scope unless they add their own support), but it gives regulated orgs a sanctioned retention path for rich messaging at last. It has been met with quite a bit of mixed feelings, and even more FUD. I go into more detail about RCS archiving here. 3. App functions and cross-profile controls Android 16 brought app-to-app interaction under policy control. New settings allow admins to govern whether apps can expose app functions, and whether personal-profile apps can invoke functions exposed by work-profile apps, bringing finer control to cross-profile linking scenarios. Niche, but powerful for when this functionality takes off in enterprise workflows. 2. Android App Bundle (AAB) support in the Managed Play iframe This finally removed a long-standing enterprise limitation. In March 2025, Android App Bundle uploads became supported in the Managed Google Play iframe. Private apps finally gained parity with public Play distribution, including split APK delivery and more efficient installs. I wrote more about AAB here. 1. Android’s accelerated platform release cadence The change that underpins everything above. Android is shifting toward more frequent platform releases, with Android 16 landing far earlier than usual and signalling a broader move away from a single annual cadence. Harder to track? Maybe. I'm having a lot more fun poking around the Android Canary builds looking for unreleased functionality than I do sleuthing around AOSP code, though! Better for shipping enterprise capability without waiting a full year? Also yes. Signing off Android Enterprise levelled up across the board in 2025. From trust and supply-chain integrity to app management and provisioning improvements, the team set the bar really high this year. Let's hope the momentum continues in 2026! Which of these made the biggest difference for you this year, and what are you hoping lands in 2026? Happy holidays and here’s to a wonderful New Year!2025 Community Highlights: Thank you!
Hello everyone! As we look back on a fantastic year, we wanted to say a huge thank you. From lively forum debates and problem solving to in-person meetups; your energy, collaboration and expertise has made this community more vibrant than ever. To celebrate, we've gathered some of the best moments into one recap: A special thanks to our most active contributors: Moombas , Michel, jasonbayton, Kris, Yann_ROLAND, turquet, Alex_Muc, mattdermody, BenMcc, jarmo_akkanen, Rakib, Flo, jeremy, westd, Magcho, davidtse916, weberda Since we couldn't fit everything in, please share your own highlights below! (And, if you have 5 minutes, we would love to get your feedback on the community programs in this short community survey.) With 2026 already heating up with lots of exciting things, we look forward to driving the future of this community together. Thanks for a great year and we wish you a very happy festive season filled with food, fun and rest. AE Community Team [P.S - shoutout to Rose for creating this video 🤩]
Issue with Android Enterprise provisioning: afw#identifier invalid and Play Protect blocking app during QR enrollment
We are an organization using a third-party MDM / Device Policy Controller (DPC) solution to manage our Android Enterprise devices. The DPC application is published on Google Play and has been working for managed provisioning. Recently, we started facing issues during Android Enterprise enrollment, and we are seeking guidance on the correct and supported setup. Issues observed 1. afw#identifier enrollment When attempting enrollment using afw#<identifier>, the setup fails with errors such as invalid token, wrong setup, or unable to continue enrollment. This previously worked and now fails consistently, even though the DPC remains published on Google Play. 2. QR code–based provisioning When using QR code provisioning, the device completes initial setup but then Google Play Protect shows “App blocked by Play Protect” for the DPC. The DPC app is Play-approved and not sideloaded by end users. We have already submitted a Play Protect appeal through the official appeal form. 3. Distribution method For QR provisioning, the DPC APK is currently hosted on our own HTTPS server, and the QR includes: Device Admin component SHA-256 signature checksum Secure download location Despite this, Play Protect flags the app after provisioning. Clarifications we are seeking Are there recent changes or requirements for afw#identifier enrollment that could cause invalid token or setup errors? Does Play Protect apply additional checks during QR-based provisioning, even for Play-approved DPC apps? Is using a self-hosted APK download location still supported for Device Owner provisioning, or is Managed Google Play / Zero-Touch enrollment now required? Is there a supported way to allowlist or whitelist a legitimate enterprise DPC app so it is not blocked during provisioning? Are there recommended best practices for third-party MDM providers or enterprise customers to avoid Play Protect blocks during enrollment? We are not attempting to bypass Play Protect or supported security mechanisms. We want to ensure our Android Enterprise setup follows current Google-recommended practices and understand the correct approach going forward. Any guidance or clarification from the community or product experts would be appreciated.
Play Protect is blocking our DPC app — appeal already submitted, looking for guidance
Hello everyone, We are currently facing an issue where Google Play Protect is blocking our Android application during device provisioning. Context: - It is not distributed via Google Play (but is already published); it is hosted externally and installed during provisioning via QR code. - The app is properly signed, and provisioning works at the system level, but Play Protect blocks the app with the message “App blocked to protect your device.” - This started happening recently on new devices / factory reset devices. We have already submitted the official Play Protect appeal form as recommended in the documentation: The form was completed with all required information (APK, package name, signing certificate, use case, etc.). At this point, we are looking for guidance from the community: - How long does it usually take for the Play Protect appeal form to receive a response or decision? - Is there any additional step or channel recommended for Android Enterprise DPC apps in this situation? Any insights or shared experiences would be greatly appreciated. Thank you in advance for your time and support. Best regardsAMAPI requests for enterprises.applications.get and enterprises.policies.patch are failing intermittently
Is anyone observing AMAPI requests for GetApplication and PatchPolicies failing intermittently ? I am observing intermittent failures with the log - "googleapi: Error 503: The service is currently unavailable., backendError".
Does the bluetoothSharing setting override the bluetoothContactSharingDisabled setting?
If a policy is configured with: DeviceConnectivityManagement > bluetoothSharing=BLUETOOTH_SHARING_DISALLOWED and bluetoothContactSharingDisabled=FALSE will the first setting override the second, thereby preventing contact sharing via bluetooth? If so, it could be good to have that documented like it's done in other places (e.g. "This setting is ignored if {SettingName} is set to X"
Outlook and Teams with PSTN calling in work profile
Hi today we raised a case with Microsoft for a specific work profile issue with their current Outlook and MS Teams implementation. I wanted to share this here, maybe there are some other customers/admins facing this issue. Our org started to move from Cisco to MS Teams PSTN calling some month ago and everything was fine, but I assume an update to either Outlook or Teams app was published and the issue started. Scenario: COPE or BYOD MS Teams and MS Outlook in work profile MS Teams has a PSTN line configured (either mobile or landline) Open Outlook, search for any contact and try to start a call to a mobile or desk number. The OS does not ask whether you like to use the phone on personal profile (as it did the last couple of years 😅) - it will hand over the call request to MS teams! You cannot decide to make the phone call with your Phone app :-( This breaks almost all use cases for our users. Even worse: A phone number like +49 123 828282 is transfered to MS teams app in a broken format and the call is made to +492492012320828282 💥😔 Compared to Google contacts in the work profile: The app is always handling the call request to the phone app on the personal profile and incorporate the MS Teams app. 🤔 Anyone else here in the community experiencing this issue? Thanks! Daniel
