Is there any way to disable Google Play Protect (GPP) from an EMM or to otherwise whitelist apps from scanning?

mattdermody
Level 2.0: Eclair

I am very concerned about the Enhanced GPP features coming soon that are currently being piloted in other regions.

https://security.googleblog.com/2023/10/enhanced-google-play-protect-real-time.html

This is not a welcome feature whatsoever for the fully managed space where we have business apps written internally that are being installed on business devices, owned by that business. In no way do we want Google sitting in between deciding whether a very legitimate app written internally for an organization should be installed on devices that are purchased and owned by the same organization on fully managed devices. I would like a way to disable GPP completely, or at a minimum whitelist applications from scanning as we don't want Google interfering in the business operations.

GPP is a helpful consumer protection feature but fully managed devices should have the ability to be opted in or out of the program. Otherwise GPP can incorrectly flag a mission critical app and disable or remove it from a device, thereby bringing down a line-of-business application and an end customer's operations. While the intentions of GPP are good, by blocking business apps Google themselves is becoming the malicious actor that GPP is ironically trying to prevent.

34 REPLIES

karam
Level 1.6: Donut

Could just be ignorance on my part, for which I apologise, but the frustration arose when I could see an option (blue slider button style) to turn off GPP from its settings and a pop-up asking whether to turn off or cancel would come up, but even if I clicked on the turn off option it just wouldn't actually do it - not even any error message to say why. What's the point of showing it as a changeable setting when it can't change was the frustration. As others have said, no problem if you want to have protection for apps through the Google Play channel, but for various reasons it is often the case where Android is used to implement a dedicated device that you don't want the risk of application instability (or becoming vapour ware) due to some unsolicited intervention.

RickB
Level 1.6: Donut

This is happening to most of our enterprise apps, and Google is not at all helpful in discovering why. Regardless, enterprise apps should not be subject to Google's paranoia. All it is doing is causing enterprises like my own to have to turn the feature off, because of the numerous false positives.

Lizzie
Google Community Manager

Thanks @karam and @RickB for sharing a bit more detail.

I am interested to dig a little deeper into this, and I'm sorry if you haven't had much luck providing this feedback before. RickB, you mention that this is happening with most of your enterprise apps, so potentially there is a common theme among them that is failing and it sounds like the notification/information provided doesn't help much to troubleshoot why this is happening? Do you think that better information/guidance at this point or before you make them available to end-users would potentially help here?

Thanks again,

Lizzie



Welcome to the Community everyone!

Have a question or want to start a conversation, click here.

RickB
Level 1.6: Donut

Every day Google Play Protect decides it doesn't like 3 or 4 more enterprise apps. This is out of control. These are Corp owned devices! Stop messing with things you know NOTHING about.

Yes. The ideal state would be having GPP enabled for device wide app scanning but with the option of being able to configure specific Bundle IDs to be whitelisted or ignored by GPP. Enterprises do not agree with the value that Google thinks that they're providing by scanning their enterprise apps for outdated libraries or other vulnerabilities because the action taken by GPP (disabling or removing these apps that it deems to be unsafe) is ultimately more disruptive to the business operations than the possibility of the vulnerability being exposed. It is nice to have GPP for generic app scanning but please provide a mechanism to allow enterprises to whitelist their own apps from scanning or interference. Without that enterprises are left disabling GPP completely, and in some cases Google Play services completely. Many of the enterprises I help support and manage are increasingly concerned by the controls that Google is implementing in the name of "security" and many have commented that they no longer feel like they own the devices that they've purchased since Google seems to have more control over their devices than they do. Google will ultimately force these enterprises down alternative paths if proper care isn't taken by Google to provide better configurable control over the constantly increased restrictions. 

JamesKnight
Level 1.5: Cupcake

Hi Lizzie. Thanks for responding.

My experience relates to an in-house app and, therefore, something which Google won't have (and don't need to have) knowledge of.

I appreciate Google's desire to protect consumers and I have no problem with GPP scanning apps downloaded from the Play Store (or other sources) when the device is not managed within a corporate environment.

However, Google should absolutely not be dictating - or even influencing - whether or not to allow a company's own app to be installed on devices which it owns and manages.

Our app is developed internally, exclusively for our own use. It is not available on the Play store (or any other store) and is installed via an MDM solution (Soti MobiControl). Under those circumstances, GPP should have no role, at all, and we should be allowed to have control over our own devices and make our own decisions on risk.

MDM solutions should be able to switch off GPP on company-managed devices, either globally or on an app-by-app basis.

I hope this helps.

Thank you.

👏👏👏☝️☝️☝️

Spot on.

tbrowne
Level 1.5: Cupcake

I want to echo what has been said especially by JamesKnight and mattdermody.

This has started to become very disruptive to our operations recently and I would appreciate a response from Google on this.

Michel
Level 2.2: Froyo

I'm joining this discussion as well. I see a lot of issues with existing customers of ours where this could cause a lot of issues.

Lizzie
Google Community Manager

Hello everyone,

Thanks again to those of you who have shared your experiences and thoughts on this thread previously and more recently. I really appreciate the insight you are sharing with us and I think it is clear that this is an important area for many of you.

As mentioned before I am keen to understand more of the specifics and if there are any patterns to the types of apps that are getting flagged, this way we can better highlight this back to our product team.

I've tried to arrange a call with a couple of you to discuss this further and so far we haven't managed to arrange this. As there are more people in the conversation now, I wanted to open up this to others as well, to see if any of you might be able to spare the time and would be interested in speaking with me and some of my teammates to understand this a little more? (I understand you are all very busy people, so thank you, thank you).

Thanks,

Lizzie


