virenbisht1995
3 days ago

Issue with Android Enterprise provisioning: afw#identifier invalid and Play Protect blocking app during QR enrollment

We are an organization using a third-party MDM / Device Policy Controller (DPC) solution to manage our Android Enterprise devices. The DPC application is published on Google Play and has been working for managed provisioning.

Recently, we started facing issues during Android Enterprise enrollment, and we are seeking guidance on the correct and supported setup.

Issues observed

1. afw#identifier enrollment

When attempting enrollment using afw#<identifier>, the setup fails with errors such as invalid token, wrong setup, or unable to continue enrollment.
This previously worked and now fails consistently, even though the DPC remains published on Google Play.

2. QR code–based provisioning

When using QR code provisioning, the device completes initial setup but then Google Play Protect shows “App blocked by Play Protect” for the DPC.
The DPC app is Play-approved and not sideloaded by end users.
We have already submitted a Play Protect appeal through the official appeal form.

3. Distribution method

For QR provisioning, the DPC APK is currently hosted on our own HTTPS server, and the QR includes:
Device Admin component
SHA-256 signature checksum
Secure download location

Despite this, Play Protect flags the app after provisioning.

Clarifications we are seeking

Are there recent changes or requirements for afw#identifier enrollment that could cause invalid token or setup errors?

Does Play Protect apply additional checks during QR-based provisioning, even for Play-approved DPC apps?

Is using a self-hosted APK download location still supported for Device Owner provisioning, or is Managed Google Play / Zero-Touch enrollment now required?

Is there a supported way to allowlist or whitelist a legitimate enterprise DPC app so it is not blocked during provisioning?

Are there recommended best practices for third-party MDM providers or enterprise customers to avoid Play Protect blocks during enrollment?

We are not attempting to bypass Play Protect or supported security mechanisms. We want to ensure our Android Enterprise setup follows current Google-recommended practices and understand the correct approach going forward.

Any guidance or clarification from the community or product experts would be appreciated.

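Added example, not part of the original post or of any MDM vendor's code: a Python check of the three QR payload fields the post lists (Device Admin component, SHA-256 signature checksum, download location) against a signing certificate. The certificate bytes, package name and URL are constructed placeholders, and it assumes the checksum is the URL-safe base64 SHA-256 of the DER-encoded signing certificate.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

PREFIX = "android.app.extra.PROVISIONING_DEVICE_ADMIN_"
COMPONENT = PREFIX + "COMPONENT_NAME"
CHECKSUM = PREFIX + "SIGNATURE_CHECKSUM"
LOCATION = PREFIX + "PACKAGE_DOWNLOAD_LOCATION"

def signature_checksum(cert_der: bytes) -> str:
    """URL-safe base64 of SHA-256 over the DER signing certificate, padding stripped."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

def check_payload(payload_json: str, cert_der: bytes) -> list:
    """Return the problems found in a QR provisioning payload (empty list = consistent)."""
    try:
        payload = json.loads(payload_json)
    except ValueError as exc:
        return [f"payload is not valid JSON: {exc}"]
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    problems = []
    pkg, sep, cls = str(payload.get(COMPONENT, "")).partition("/")
    if not (pkg and sep and cls):
        problems.append("component name must look like 'package/receiver.class'")
    url = urlparse(str(payload.get(LOCATION, "")))
    if url.scheme != "https" or not url.netloc:
        problems.append("download location must be an https:// URL")
    checksum = str(payload.get(CHECKSUM, ""))
    if "+" in checksum or "/" in checksum:
        problems.append("checksum uses the standard base64 alphabet, not URL-safe")
    elif checksum.rstrip("=") != signature_checksum(cert_der):
        problems.append("checksum does not match the supplied signing certificate")
    return problems

# Constructed sample data: placeholder bytes stand in for the real DER certificate.
SAMPLE_CERT = b"constructed-placeholder-certificate-bytes"
GOOD_PAYLOAD = json.dumps({
    COMPONENT: "com.example.dpc/com.example.dpc.AdminReceiver",
    CHECKSUM: signature_checksum(SAMPLE_CERT),
    LOCATION: "https://mdm.example.com/dpc.apk",
})

if __name__ == "__main__":
    print(check_payload(GOOD_PAYLOAD, SAMPLE_CERT) or "payload fields are consistent")
```

An empty result only means the payload fields agree with each other and with the certificate supplied; it says nothing about how Play Protect evaluates the app.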