Forum Discussion
Is there any way to disable Google Play Protect (GPP) from an EMM or to otherwise whitelist apps from scanning?
- 2 years ago

Hi all,

My name is Melanie and I am a Product Manager on the Android Enterprise team. Lizzie highlighted your discussion here back to our team. Thank you for your feedback and the useful discussion. Reading through your feedback, we’ve picked up on a point that was consistently mentioned around private company apps being scanned, so we wanted to provide you with some additional information around this.

Google Play Protect (GPP) is designed to help protect against malware. By default, GPP asks users to send unknown applications to Google for scanning. This is because apps installed via Google Play or Managed Google Play are already scanned, but applications side-loaded (including installed through EMM installers) are not. This is what triggers the "Send app for a security check?" dialogue.

Several of you mentioned you would prefer not to send private company apps, especially on company-owned devices, externally to Google servers. The servers involved in this processing are kept isolated and protected within Google, but we still acknowledge that some organizations may prefer not to upload any data to external servers. Additionally, we acknowledge that the “Send app for a security check” message can be confusing to device users, especially as they may not be the app or device owners and are therefore unable to make a decision on this.

Based on all of your feedback you’ve provided, last week we made a change preventing unknown applications (e.g. private side-loaded apps) from being uploaded to Google servers on Fully Managed devices or Managed Work Profiles. Please note that GPP is still running on these devices as usual, and is still comparing these apps to known PHAs. (So if an app is highly likely to be a PHA, users will still see the "Harmful app blocked" dialogue.) We’ll be updating our GPP Help Centre article shortly to reflect this change. This change went live across all online devices on September 6th.

Thank you once again for your feedback and we look forward to hearing more across the community conversations. If you have any additional questions on this, please do feed them via Lizzie.

Melanie
Honestly something that could easily* be accommodated with a flag identifying applications as EMM-installed. If GPP sees a sideloaded app come from a DPC, enterprise-hosted store, or come down as a private application, don't mess with it.
I'm all for protections in enterprise use cases as well as consumer, but blocking based on permissions used alone is ludicrous.
Lizzie for viz.
That would be an acceptable solution to this as well! I wouldn't mind some sort of allow list or ignore list however to tell GPP which apps it can safely ignore from scanning. That way we could still leave it enabled for its benefits while not risking accidental flagging of mission critical business owned apps on business owned devices.