Is there any way to disable Google Play Protect (GPP) from an EMM or to otherwise whitelist apps from scanning?

mattdermody
Level 2.0: Eclair

I am very concerned about the Enhanced GPP features coming soon that are currently being piloted in other regions.

 

https://security.googleblog.com/2023/10/enhanced-google-play-protect-real-time.html

 

This is not a welcome feature whatsoever for the fully managed space where we have business apps written internally that are being installed on business devices, owned by that business. In no way do we want Google sitting in between deciding whether a very legitimate app written internally for an organization should be installed on devices that are purchased and owned by the same organization on fully managed devices. I would like a way to disable GPP completely, or at a minimum whitelist applications from scanning as we don't want Google interfering in the business operations. 

 

GPP is a helpful consumer protection features but fully managed devices should have the ability to be opted in or out of the program. Otherwise GPP can incorrectly flag a mission critical app and disable or remove it from a device, thereby bringing down a line-of-business application and an end customers operations. While the intentions of GPP are good, by blocking business apps Google themselves is becoming the malicious actor that GPP is ironically trying. to prevent. 

1 ACCEPTED SOLUTION

melanie
Google Team

Hi all,

 

My name is Melanie and I am a Product Manager on the Android Enterprise team. Lizzie highlighted your discussion here back to our team. Thank you for your feedback and the useful discussion.

 

Reading through your feedback, we’ve picked up on a point that was consistently mentioned around private company apps being scanned, so we wanted to provide you with some additional information around this.

 

Google Play Protect (GPP) is designed to help protect against malware. By default, GPP asks users to send unknown applications to Google for scanning. This is because apps installed via Google Play or Managed Google Play are already scanned, but applications side-loaded (including installed through EMM installers) are not.  This is what triggers the "Send app for a security check?" dialogue.

 

Several of you mentioned you would prefer not to send private company apps, especially on company-owned devices, externally to Google servers. The servers involved in this processing are kept isolated and protected within Google, but we still acknowledge that some organizations may prefer not to upload any data to external servers. 

 

Additionally, we acknowledge that the “Send app for a security check” message can be confusing to device users, especially as they may not be the app or device owners and are therefore unable to make a decision on this.

 

Based on all of your feedback you’ve provided, last week we made a change preventing unknown applications (e.g. private side-loaded apps) from being uploaded to Google servers on Fully Managed devices or Managed Work Profiles.

 

Please note that GPP is still running on these devices as usual, and is still comparing these apps to known PHAs. (So if an app is highly likely to be a PHA, users will still see the "Harmful app blocked" dialogue.)  We’ll be updating our GPP Help Centre article shortly to reflect this change.

 

This change went live across all online devices on September 6th.

 

Thank you once again for your feedback and we look forward to hearing more across the community conversations. If you have any additional questions on this, please do feed them via Lizzie. 

 

Melanie

View solution in original post

56 REPLIES 56

ian
Level 1.6: Donut

We also need a programatic way of disabling this.  This pop-up is invasive, and blocks applications that we have knowingly put on managed devices.  While this might be a good thing for individual users - Google taking action on behalf of fully managed devices is a problem, and we need to be able to disable this programmatically to keep those applications on the device. 

mattdermody
Level 2.0: Eclair

I wrote this post and then joined a customer call only to be faced immediately with more GPP annoyances. "To protect yourself and others...". No thanks Google. This is a fully managed corporate owned asset running a corporate developed and maintained mobile device. End users on shared devices should not be seeing this kind of prompt. 

 

mattdermody_1-1707424517818.png

 

 

Timmy
Level 2.0: Eclair

Out of curiosity, how do you distribute your internally developed apps. 

- Manually adding the .apk to the deviec and installing it ?
- Uploaded it to the "Private app" section in Managed Google Play ?
- Created a Google Play Developer account and made the app "Private" and distributed it through those channels  to the organization ? 

Are you using any EMM for management of your devices ? 

Without knowing, my best guess would  be that depending on how you distribute the app you might see different results. 

mattdermody
Level 2.0: Eclair

None of the above. My EMM installs the APKs directly on the devices as it has a custom DPC. I do not want to use Managed Play for install as it’s slower, less predictable, and has horrible version control. Just like I don’t want Google scanning my apps I also don’t want them installing the apps either. 

jasonbayton
Level 4.0: Ice Cream Sandwich

Honestly something that could easily* be accommodated with a flag identifying applications as EMM-installed. If GPP sees a sideloaded app come from a DPC, enterprise-hosted store, or come down as a private application, don't mess with it.

 

I'm all for protections in enterprise use cases as well as consumer, but blocking based on permissions used alone is ludicrous. 

 

@Lizzie for viz.

That would be an acceptable solution to this as well! I wouldn't mind some sort of allow list or ignore list however to tell GPP which apps it can safely ignore from scanning. That way we could still leave it enabled for its benefits while not risking accidental flagging of mission critical business owned apps on business owned devices.

ian
Level 1.6: Donut

This would be an acceptable fix. 

If we have DO permissions on the device, it seems that whatever has DO permissions should own what is on the device - including the applications. The owner should be able to see the applications on the device and flag them saying "yes, that's mine - don't touch it." 

davidguillaume
Level 1.6: Donut

We currently have this exact issue with 2 customers, it is a MASSIVE annoyance have to go through this on 1000's of Fully Managed devices that are being staged for a customer.  

jasonbayton
Level 4.0: Ice Cream Sandwich

Hey all, scanning will become a togglable API in 15 based on docs I've found so far. 

 

Linky  

ian
Level 1.6: Donut

Seems to be what I've found as well, although I'm waiting for the AMAPI docs to show.

jasonbayton
Level 4.0: Ice Cream Sandwich

Don't hold your breath, GA is many months away 😅

crystal11232
Level 1.5: Cupcake

We also encountered a similar problem, we were not listed on Google Market. I only distribute apps on my own website, but my apps are constantly reminded by Google Play Protect. I don't know how to deal with it, can anyone help me?

There are very limited options available. You could disable Google Play Protect on the devices in order to avoid your legitimate business apps from being scanned or flagged. Doing so is unfortunately a manual operation per device as it has to be manually toggled off and is not controllable via EMM. If you're not using Google Play for any app distribution you could also disable Google Play completely. That's something that you should be able to accomplish from your EMM. With Google Play disabled you won't get updates to system components like the WebView, which your app might be reliant on. Then again, you won't get unexpected updates to these same system components which could just as easily jeopardize the stability of your apps. 

ian
Level 1.6: Donut

You might be able to file an appeal with Google to perhaps prevent your applications from being removed, however I don't think that they will tell you exactly why your app was being removed on GPP.  You will likely need to make sure you're following best practices on your application.  

You can file an appeal here: 

https://support.google.com/googleplay/android-developer/contact/protectappeals?sjid=3396504988404039...

mattdermody
Level 2.0: Eclair

Dear Google,

 

Please let me install the business apps that I develop on the business devices that I own without you interfering. 

 

Thank you 

 

(What a joke!)

Lizzie
Google Community Manager
Google Community Manager

Hey everyone,

 

Thanks for starting this discussion here. 

 

Obviously at a high level there is a security aspect to this all and personally speaking here Android has a level of responsible to ensure that apps are protected against Malware. Having said this, it appears to be clearly impacting the end-user experience and I can understand your point on why should these apps be scanned when they are internal. So personally, I feel there is a balance to be found. 

 

I think it would be interesting to learn more about the cases where this is particularly happening. I wonder if it might be worth exploring a few examples back with the team. Would this be of interest? (just a thought)

 

As I say I think it's a really good discussion you've all raised and I actually think the back and forth between different community members helps to think of ideas, provide different use cases/perspectives and surface that multiple members feel passionately about this. So thank you for this. As a gentle reminder, we are a group of community members here, so let's keep the comments respectful and constructive, this way it makes it easier for me to convey your ideas and requests shared. 

 

On this point, I want you to know I am highlighting this conversation internally and exploring if there are existing feature requests/current work around this. So your voices aren't going into the ether. 😀

 

Thank you again and let's keep discussing this. 

 

Lizzie



Welcome to the Community everyone!

Have a question or want to start a conversation, click here.

I'm sorry. I will focus on maintaining the professional decorum moving forward. 

 

What you're seeing here is just mounting frustration with the rise in consumer protection features in Android that are constantly imposing on the fully-managed business owned device use case. I absolutely understand why features like GPP exist. Android struggled with an early bad reputation of being "insecure" and "fragmented" and as a result there has been a constant push to dispel those perspectives. Every year there are more and more consumer protection features added into the base OS and that is generally a good thing for the ecosystem. The issue is when these features do not properly account for all of the management use cases. It is my opinion that when we have a device enrolled under Device Owner management that we have properly declared that the device is owned by the business which therefore should have every right to manage and utilize the devices how they see fit. Despite that, these consumer protection features also bleed into the Device Owner world, leaving enterprises to deal with figuring out how to disable them or work around them. There are many examples that come to mind:

 

- GPP app scanning of legitimate business apps. In the absence of being able to disable GPP we should be provided a mechanism to whitelist specific apps from scanning. 

- Scoped storage file restrictions also impacting Device Owner DPCs. Device Owner DPCs should have been able to manage files under scoped storage.  

- Doze Mode, Green Mode, Battery Optimization. Great for consumers, terrible for line-of-business devices

- Google Assistant accessible from a long press of the home button, even with a lockdown applied

- Uncontrollable updates to critical system components like the System WebView. 

- Managed Play updates requiring criteria like the device having to be in a charging state, when many line-of-business devices utilize hot swappable batteries so the devices may never be in a "charging state"

 

My end customers have now gone through numerous annual Android OS migrations on their devices and with each new version its like were playing a game of "whac-a-mole", figuring out which new consumer grade features have to be suppressed, disabled, or otherwise worked around. I regularly get the question of what new features they can expect when they are inevitably forced to upgrade and the list of pain points often is much longer than the list of benefits. My clients are going tired of these annual Android OS upgrades because they take a stable, mission critical, device environment and disrupt them, sometimes for several months until all of the new issues are taken care of. We then get some period of relief and stability before the next Android OS upgrade disrupts it all over again but even the periods of stability are often interrupted by uncontrolled updates to system components that break business app functionality. It's incredibly painful to tell a CIO that his production was shut down by a forced update to Chrome or WebView from Google Play that we otherwise could not have controlled, don't have version lock in, and can't easily roll back. 

 

I am not naive however, and completely understand the fully managed / Device Owner use case is the smallest use case for Android. We however feel constantly neglected. I had a large customer with 10k+ Android devices that migrated off of Windows CE recently tell me that they weren't sure if they owned their devices, or Google did, in reaction to numerous issues that they regularly experienced. It's not great when customers are thinking back about how great they had it in comparison on Windows CE. Sure Android is more secure now, and you'd be crazy to actually want to go back Windows CE, but there is something to be said about stability, predictability, and comprehensive control, etc and in many cases the end customers of the devices would likely stack rank those above security.

 

Why are security measures put in place in the first place? To prevent bad actors from performing malicious activities that could jeopardize the stability or functionality of the technology in the environment. It's therefore a bit ironic when these very security measures are what are resulting in instability and the breaking of production level functionality. 

ian
Level 1.6: Donut

Hi Lizzie, thanks for replying. 

I'd like to echo Matt's comments.

Whenever Android rolls out a new operating system update, it is a scramble to comprehend its implications for both us and our customers. The introduction of features outside the regular yearly OS release schedule are an even bigger scramble, as we're tasked with managing all our tablets deployed in the field that will receive these updates. I would love to go to our Android Enterprise settings to manage new features that come out of the new Android OS, but it feels like we’re stuck with no way to modify new Android features or settings.

While I acknowledge Google's responsibility to safeguard end-users, these very features can sometimes have adverse effects on companies utilizing managed devices, leaving businesses unable to programmatically enable or disable certain functionalities. Consider two examples:

1. Special permissions granting: Tasks such as granting accessibility or enabling "appear-on-top" functionality necessitate manual intervention on the device to approve permissions. Guiding an end-user through this process on a tablet can be cumbersome, prone to errors, and frustrating. Oftentimes, conversations with customers reveal their realization that an app requires special permissions, which we are unable to grant automatically. This dilemma usually results in either the company deciding against deploying the application or doing so at a sluggish pace, involving hands-on devices to manually grant those permissions. Neither of these options offers an optimal user experience.

2. Google Play Protect (GPP): Pop-ups displaying "Unsafe App Blocked" for mission-critical applications, even if bypassing the block is permitted, sometimes raise concerns among our end-users. The current workaround involves manually disabling GPP on each device, a less-than-ideal solution due to the number of manual steps (eight) required for every single tablet. Moreover, this approach is reactive, triggered only after the GPP pop-up occurs. Consequently, we find ourselves in a position where we must either proactively inform our customers about the significant impact of the latest Android version on their environment, lag behind in supporting the newest Android versions, or devise engineering workarounds to address the features introduced by Google.

Lizzie
Google Community Manager
Google Community Manager

Hey @mattdermody  and @ian - I hope you are both doing well. I've sent you a couple of messages about a possible call, via you community inbox. Hopefully we can find a suitable time. 😀 Thanks so much.



Welcome to the Community everyone!

Have a question or want to start a conversation, click here.

RickB
Level 1.6: Donut

I whole-heartedly agree with all these comments as it applies to Company owned fully managed devices. We have had to turn off Play protect for years due to Google illegitimately blocking business applications and/or displaying warnings at install time. There is also no reason to force allowing users to remove permissions from enterprise apps like "Draw on top" and "Usage access" on Corporate owned, fully managed devices.

JamesKnight
Level 1.5: Cupcake

Completely agree with Matt - we use MDM to deploy an internally developed app on about 60 Android devices in our business. Recently we’ve had updates blocked by GPP for no reason that we know and it’s hugely impacting our ability to function - negating any advantage of having an MDM because I end having to find ways of tricking each individual device into submission. 

I’m all in favour of Google protecting consumers. But I do not need or want Google interfering in my business model, or having its algorithms decide whether they want to allow me to install my app on my devices in my business. It’s essential to have a means of turning off GPP for business-developed apps on their own devices. 

karam
Level 1.6: Donut

Couldn't agree more. Got a bunch of Lenovo's, couldn't turn GPP off even though the option appears. Waste of time, all being returned, will turn to Chinese products instead

karam
Level 1.6: Donut

On the other hand force stop and disable google play seems to have resolved. Just tired of seeing the same trend symptoms that MS and others have gone through over the years of eroding our supposed freedoms under the guise of it is better for us ... 🙂 

Lizzie
Google Community Manager
Google Community Manager

Hello @karam@JamesKnight and @RickB,

 

Great to meet you. Thanks for your comments and feedback. 

 

As you may have seen from you comment above, I'd love to learn a little more about what you and others are experiencing. ie. are there particular apps that this issue happens with? Also, do you have any suggestions on how you'd like to improve this, whilst also keeping that balance between security and user experience.

 

Thanks again,

Lizzie



Welcome to the Community everyone!

Have a question or want to start a conversation, click here.