Forum Discussion
Issue with Android Enterprise provisioning: afw#identifier invalid and Play Protect blocking app during QR enrollment
We are an organization using a third-party MDM / Device Policy Controller (DPC) solution to manage our Android Enterprise devices. The DPC application is published on Google Play and has been working for managed provisioning.
Recently, we started facing issues during Android Enterprise enrollment, and we are seeking guidance on the correct and supported setup.
Issues observed
1. afw#identifier enrollment
When attempting enrollment using afw#<identifier>, the setup fails with errors such as invalid token, wrong setup, or unable to continue enrollment.
This previously worked and now fails consistently, even though the DPC remains published on Google Play.
2. QR code–based provisioning
When using QR code provisioning, the device completes initial setup but then Google Play Protect shows “App blocked by Play Protect” for the DPC.
The DPC app is Play-approved and not sideloaded by end users.
We have already submitted a Play Protect appeal through the official appeal form.
3. Distribution method
For QR provisioning, the DPC APK is currently hosted on our own HTTPS server, and the QR includes:
- Device Admin component
- SHA-256 signature checksum
- Secure download location
Despite this, Play Protect flags the app after provisioning.
Clarifications we are seeking
Are there recent changes or requirements for afw#identifier enrollment that could cause invalid token or setup errors?
Does Play Protect apply additional checks during QR-based provisioning, even for Play-approved DPC apps?
Is using a self-hosted APK download location still supported for Device Owner provisioning, or is Managed Google Play / Zero-Touch enrollment now required?
Is there a supported way to allowlist or whitelist a legitimate enterprise DPC app so it is not blocked during provisioning?
Are there recommended best practices for third-party MDM providers or enterprise customers to avoid Play Protect blocks during enrollment?
We are not attempting to bypass Play Protect or supported security mechanisms. We want to ensure our Android Enterprise setup follows current Google-recommended practices and understand the correct approach going forward.
Any guidance or clarification from the community or product experts would be appreciated.
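Added example, not part of the original post or of any MDM vendor's code: a pre-enrollment consistency check for the three QR fields the post lists, using Android's documented provisioning extra names. The package name, URL and certificate bytes are constructed placeholders, and the HTTPS requirement mirrors the setup described in the post; passing this check says nothing about Play Protect's verdict.

```python
import base64, hashlib, json
from urllib.parse import urlparse

P = "android.app.extra.PROVISIONING_DEVICE_ADMIN_"
COMPONENT = P + "COMPONENT_NAME"
CHECKSUM = P + "SIGNATURE_CHECKSUM"
LOCATION = P + "PACKAGE_DOWNLOAD_LOCATION"

def signature_checksum(cert_der: bytes) -> str:
    """URL-safe base64 (padding stripped) of SHA-256 over the signing certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

def check_qr_payload(payload_json: str, cert_der: bytes) -> list[str]:
    """Return a list of problems; an empty list means the fields are consistent."""
    try:
        payload = json.loads(payload_json)
    except json.JSONDecodeError as exc:
        return [f"payload is not valid JSON: {exc}"]
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    problems = [f"missing {k}" for k in (COMPONENT, CHECKSUM, LOCATION) if not payload.get(k)]
    component = str(payload.get(COMPONENT) or "")
    if component and "/" not in component:
        problems.append("component name must be package/receiver-class")
    location = str(payload.get(LOCATION) or "")
    url = urlparse(location)
    if location and (url.scheme != "https" or not url.netloc):
        problems.append("download location is not an https URL")
    given = str(payload.get(CHECKSUM) or "").rstrip("=")
    if "+" in given or "/" in given:
        problems.append("checksum uses standard base64, not URL-safe")
    elif given and given != signature_checksum(cert_der):
        problems.append("checksum does not match the signing certificate")
    return problems

# Constructed sample input: placeholder bytes standing in for a DER certificate.
SAMPLE_CERT = b"constructed-placeholder-certificate"
SAMPLE_QR = json.dumps({
    COMPONENT: "com.example.dpc/.AdminReceiver",  # hypothetical package/receiver
    CHECKSUM: signature_checksum(SAMPLE_CERT),
    LOCATION: "https://mdm.example.com/dpc.apk",  # hypothetical host
})

if __name__ == "__main__":
    print(check_qr_payload(SAMPLE_QR, SAMPLE_CERT) or "payload is consistent")
```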
4 Replies
- Emilie_B, Google Community Manager, 2 months ago
Hello virenbisht1995 and welcome to the Customer Community!
I've found a similar query posted in the community in 2024 which I think could be useful.
Have you contacted your third-party MDM already? Raising a ticket with them might be a good first step; if you already have raised this issue with them, could you let us know what they said?
Thanks and chat soon,
Emilie
- rriven, Level 1.6: Donut, 2 months ago
Good luck, we are in the same boat.
Read
https://developers.google.com/android/management/permissible-usage
and
https://support.google.com/work/android/answer/16694822
If you think your app is allowed, then apply for the EMM - https://www.androidenterprise.dev/s/
Once you are approved you will have access.
- virenbisht1995, Level 1.6: Donut, 10 days ago
Hi @rriven,
Yes, I understand the frustration—especially with Google closing all options without providing clear direction. As a private company, you have contractual obligations with multiple partners that are now being impacted, so this situation is understandably difficult. It has been almost two months with little to no meaningful support. That said, thank you very much for taking the time to reply. I also had a chance to look at your product, and it’s genuinely impressive with strong potential.
Emilie_B, thank you as well for your response. I truly appreciate hearing back—it’s reassuring to have some guidance on where to begin.