Forum Discussion
Is there any way to disable Google Play Protect (GPP) during QR code enrollment to avoid blocking an MDM app?
I am the developer of Headwind MDM, the open source MDM for Android.
In December 2025, many of our users reported the same issue. While installing an MDM app by the QR code method, it is blocked by Play Protect: "This app can request access to sensitive data". A detailed description of the issue is here.
As per Play Protect guidelines, this may happen if an app uses sensitive permissions—RECEIVE_SMS, READ_SMS, NOTIFICATION_LISTENER, and ACCESSIBILITY. We removed these permissions in May 2025, and at that time the issue was resolved.
Unfortunately the issue re-appeared again in December, and we were unable to determine why Headwind MDM agent is blocked at the enrollment stage. Even removing all permissions from the manifest didn't resolve the issue! Looks like there is an AI which automatically blocks software in an opaque way (by signature or code similarity). Interesting - sideloading and installing the same MDM agent APK on a non-managed device doesn't trigger Google Play block!
I'm not talking about the ethics as it was already discussed in another related topic. All I know is that this behavior of Play Protect is a critical threat to our MDM project.
Technically, is there a way to bypass Play Protect, for example by adding a parameter in the enrollment QR code?
P.S. I already submitted the appeal form. If you have a similar issue, please fill and submit this form, this may speed up the issue resolution.
The issue is solved for our DPC app, apparently by manual whitelisting. Seems like there's no straightforward solution yet - the docs ends in the Play Protect appeal form, and there are multiple similar complaints on this forum, for example this one.
We asked our users to submit the appeal form, probably that makes some sense. Probably submitting a warranty case to a device manufacturer could help - let them know that devices couldn't be provisioned and used in business due to firmware issues.
I hope there will be some progress on the Android Enterprise portal and some official information soon, so it worth signing up on the portal.
15 Replies
Hey HeadwindMDM,
Nice to meet you. Thanks for submitting this via the appeal form, this is the best way to highlight this. As a side note, I've also forwarded on your post here to that team.
I would recommend regularly checking to see if there has been an update in this area.
I hope this helps.
Thanks,
Lizzie
Lizzie Thank you for your response! I found this post and I'm really disappointed by these unexpected restrictions affecting our users unable to enroll hundreds of devices (our team is getting complaints to Play Protect block from about 5 corporate users daily). I have also found this page and submitted a form using my Android Enterprise Partner account.
I would appreciate if you, or the team you mentioned, could provide me (and other banned developers of custom DPCs) with a straightforward way to be whitelisted.
Thank you for your assistance!
It looks like Google quietly introduced DPC whitelisting, but didn't do much due diligence to leave a well-established project like Headwind off the list.
For anyone else looking for the reference to this: https://share.google/C0D4J0MrVSbc9tWLf
It's unfortunate this seems to have been introduced quietly in the background and not the right way with a proper announcement and opportunity for vendors to take steps to become compliant ahead of time.
Just to mention, more information on this update can be found in the AE Partner Portal for partners and the Help Center articles have been updated. Please let me know jasonbayton if you feel we should highlight this further or in a different manner. It will be useful feedback.
HeadwindMDM do you have access to the Partner Portal?
Sure, most of the complaints I've seen aren't coming from already-approved partners.
Slipping in a help centre article and hoping folks stumble to it after whatever amount of damage this does to their business is unpleasant. There was no blog.google "tightening requirements on custom DPCs", no customer community announcement I saw.. so only those least likely to be impacted by this (existing partners) were proactively informed ahead of time I guess? If that's not the case my mistake, but Headwind here has struggled for most of the year after the change, I'm sure a pre-emptive Google play developer alert based on apps with the same flags it's using to block apps would have saved a lot of headaches (again if it did that then I'm mistaken).
Otherwise much more could have been done without impacting people's livelihoods here. Blimey Google has given Device Admin vendors 7 years and counting to migrate, PlayEMM... 5 years and counting? This feels like an overnight change by comparison
So, an Android Enterprise account is required to have a DPC whitelisted. Is there any alternative, or is anything else planned?
Looks like Headwind MDM agent (com.hmdm.launcher) isn't blocked by Play Protect any more! I am checking with affected customers.
Thank you very much Lizzie and jasonbayton for your prompt help!
Looking forward to the clarification (or better rollback!) of the new DPC app restriction policy. I believe Bharat also needs a solution.
Ok? So HeadwindMDM is this solved for you? Any clue for the rest of us?
The issue is solved for our DPC app, apparently by manual whitelisting. Seems like there's no straightforward solution yet - the docs ends in the Play Protect appeal form, and there are multiple similar complaints on this forum, for example this one.
We asked our users to submit the appeal form, probably that makes some sense. Probably submitting a warranty case to a device manufacturer could help - let them know that devices couldn't be provisioned and used in business due to firmware issues.
I hope there will be some progress on the Android Enterprise portal and some official information soon, so it worth signing up on the portal.
