Is there any way to disable Google Play Protect (GPP) from an EMM or to otherwise whitelist apps from scanning?

mattdermody
Level 2.0: Eclair

I am very concerned about the Enhanced GPP features coming soon that are currently being piloted in other regions.

https://security.googleblog.com/2023/10/enhanced-google-play-protect-real-time.html

This is not a welcome feature whatsoever for the fully managed space where we have business apps written internally that are being installed on business devices, owned by that business. In no way do we want Google sitting in between deciding whether a very legitimate app written internally for an organization should be installed on devices that are purchased and owned by the same organization on fully managed devices. I would like a way to disable GPP completely, or at a minimum whitelist applications from scanning as we don't want Google interfering in the business operations. 

GPP is a helpful consumer protection feature, but fully managed devices should have the ability to be opted in or out of the program. Otherwise GPP can incorrectly flag a mission-critical app and disable or remove it from a device, thereby bringing down a line-of-business application and an end customer's operations. While the intentions of GPP are good, by blocking business apps Google themselves are becoming the malicious actor that GPP is ironically trying to prevent.

ian
Level 1.6: Donut

We also need a programmatic way of disabling this. This pop-up is invasive and blocks applications that we have knowingly put on managed devices. While this might be a good thing for individual users, Google taking action on behalf of fully managed devices is a problem, and we need to be able to disable this programmatically to keep those applications on the device.

mattdermody
Level 2.0: Eclair

I wrote this post and then joined a customer call only to be faced immediately with more GPP annoyances. "To protect yourself and others...". No thanks Google. This is a fully managed corporate owned asset running a corporate developed and maintained mobile device. End users on shared devices should not be seeing this kind of prompt. 

Out of curiosity, how do you distribute your internally developed apps?

- Manually adding the .apk to the device and installing it?
- Uploading it to the "Private app" section in Managed Google Play?
- Creating a Google Play Developer account, making the app "Private", and distributing it through those channels to the organization?

Are you using any EMM for management of your devices?

Without knowing, my best guess would be that depending on how you distribute the app you might see different results.

mattdermody
Level 2.0: Eclair

None of the above. My EMM installs the APKs directly on the devices as it has a custom DPC. I do not want to use Managed Play for install as it’s slower, less predictable, and has horrible version control. Just like I don’t want Google scanning my apps I also don’t want them installing the apps either. 

jasonbayton
Level 3.0: Honeycomb

Honestly something that could easily* be accommodated with a flag identifying applications as EMM-installed. If GPP sees a sideloaded app come from a DPC, enterprise-hosted store, or come down as a private application, don't mess with it.

I'm all for protections in enterprise use cases as well as consumer, but blocking based on permissions used alone is ludicrous. 

@Lizzie for viz.

That would be an acceptable solution to this as well! I wouldn't mind some sort of allow list or ignore list however to tell GPP which apps it can safely ignore from scanning. That way we could still leave it enabled for its benefits while not risking accidental flagging of mission critical business owned apps on business owned devices.

ian
Level 1.6: Donut

This would be an acceptable fix. 

If we have DO permissions on the device, it seems that whatever has DO permissions should own what is on the device - including the applications. The owner should be able to see the applications on the device and flag them saying "yes, that's mine - don't touch it." 

davidguillaume
Level 1.5: Cupcake

We currently have this exact issue with 2 customers; it is a MASSIVE annoyance having to go through this on 1000s of Fully Managed devices that are being staged for a customer.

jasonbayton
Level 3.0: Honeycomb

Hey all, scanning will become a togglable API in 15 based on docs I've found so far. 

Linky  

ian
Level 1.6: Donut

Seems to be what I've found as well, although I'm waiting for the AMAPI docs to show.

jasonbayton
Level 3.0: Honeycomb

Don't hold your breath, GA is many months away 😅