Is there any way to disable Google Play Protect (GPP) during QR code enrollment to avoid blocking an MDM app?
I am the developer of Headwind MDM, the open source MDM for Android. In December 2025, many of our users reported the same issue. While installing an MDM app by the QR code method, it is blocked by Play Protect: "This app can request access to sensitive data". A detailed description of the issue is here. As per Play Protect guidelines, this may happen if an app uses sensitive permissions—RECEIVE_SMS, READ_SMS, NOTIFICATION_LISTENER, and ACCESSIBILITY. We removed these permissions in May 2025, and at that time the issue was resolved. Unfortunately the issue re-appeared again in December, and we were unable to determine why Headwind MDM agent is blocked at the enrollment stage. Even removing all permissions from the manifest didn't resolve the issue! Looks like there is an AI which automatically blocks software in an opaque way (by signature or code similarity). Interesting - sideloading and installing the same MDM agent APK on a non-managed device doesn't trigger Google Play block! I'm not talking about the ethics as it was already discussed in another related topic. All I know is that this behavior of Play Protect is a critical threat to our MDM project. Technically, is there a way to bypass Play Protect, for example by adding a parameter in the enrollment QR code? P.S. I already submitted the appeal form. If you have a similar issue, please fill and submit this form, this may speed up the issue resolution.
Device Owner Enrollment Error: “Organization Has Reached Its Usage Limits” Even With Zero Devices
Hi everyone, I’m trying to enroll a fully managed Android device using the Android Management API. I generate an enrollment token, create the QR code, factory reset the device, and start the QR-based provisioning process. Everything works until the Android Device Policy step, where I get the following error: “Since your organization has reached its usage limits, this device can’t be set up.” I am unable to get past this point. Here is what I have already checked: Listing devices through the API returns an empty list. There are no enrolled devices at all. Billing is active on the cloud project and the Android Management API is enabled. Enterprise creation works, policies return correctly, and I can generate enrollment tokens without any issues. The device is correctly factory reset and the QR scan is working as expected. I tested with both a Workspace-based enterprise and a Gmail-based enterprise. The same limit error appears on both, even though both enterprises have zero devices. I moved the cloud project under my organization in Google Cloud to avoid any project-level quota problems. Based on everything I have checked, it appears that the enterprise (or account) has been automatically restricted to a device quota of zero, and the restriction has not lifted even after several days. I would like to understand the following: Is this quota lock normal for new enterprises, and how long does it usually take to lift? Is this quota tied to AMAPI commercial approval? Is it expected that zero devices can be enrolled before approval? Is there any way to request a quota review so that at least one test device can be enrolled? I am building a commercial EMM solution and simply need to test device-owner provisioning on a physical device, but I am currently blocked by this limit. Any guidance from the community or anyone who has dealt with the same situation would be greatly appreciated. Thank you.
Chrome OS + Crostini: The Missing Bridge to Android Development
Hello Community, I recently read an article about connecting a Windows PC to an Android phone, which got me thinking: we need a similar focus on connecting Chrome OS (via Crostini) to Android devices. Since both Android and Chrome OS are Google products, the integration should be seamless. If Google wants to grow Chrome OS adoption, developers are the ideal first target. However, making it easy for developers to build Android apps on Chrome OS must be a priority, and currently, there are significant friction points. The Technical Blockers My Android development on Chrome OS has been halted for over a month due to persistent issues: ADB Debugging on Managed Devices: My managed Chromebook (I am the admin) has the "Enable ADB debugging" toggle locked. Despite a month of searching, I haven't found a fix. Connection Instability: Both USB and Wi-Fi debugging work intermittently and then fail. I have tested this with a modern Android 15 phone and an older Lollipop tablet; the connection fails on both, pointing to an issue on the Chromebook side. USB File Transfer: There is a known issue transferring files from Crostini to USB devices (requiring a workaround of copying to the Chrome OS files app first). The Strategic Picture Google should not depend on Microsoft Windows for Android development. Chrome OS is already a high-quality product—I use it daily. For example, upgrading my Crostini VM from Debian 12 (Bookworm) to Debian 13 (Trixie) was a pleasure and required no reinstallation. This stability proves Chrome OS is a serious development platform, not just a "cheap" alternative. Addressing the "Aluminum OS" Rumors There is a current campaign discrediting Chrome OS, citing rumors about a new "Aluminum OS." I believe these rumors are misinterpreted. Rather than dropping Chrome OS, it appears Google is aiming for the high-quality device segment. Regardless of naming conventions, Google is walking securely, step-by-step, from a browser to a full OS. Conclusion I strongly advise Google to continue its efforts in making Chrome OS a high-end development platform. The community is involved and patient (a major quality of developers!), but we need these bridge issues—specifically ADB debugging and USB file transfers—solved to fully unlock the potential of the ecosystem.Google Play Protect's new policy for custom DPC
Apparently, Google has a new policy that only approved DPCs can be installed through QR Provisioning; otherwise, their installation will be blocked. Link: https://developers.google.com/android/play-protect/warning-dev-guidance#android_enterprise_dpc_enrollment The problem is that I am not able to understand how to apply for DPC approval. I found this page, but still not able to find out where to apply. Your help is appreciated. Thanks
Forced Auto Install Issues
Since mid-November '25, forced auto install is not functional for our organization. Apps are loaded and installable as work apps but do not progress as an auto install from our policy. Has anyone experienced a similar issue? No policy changes, no SW updates on the MDM client. Functionality just stopped working.
Fido2 key and their issues using them on Android
First, do Android support using Fido2 keys on Android? Yes, it does support both using bluetooth, NFC and USB authentication. For reference: https://developers.google.com/identity/fido/android/native-apps But does it mean that it is straight forward to use it in a enterprise environment without hiccups? No, the support lacks many features that both Windows and iOS has supported for long time. If I buy a modern Fido2 with OTP support, will it work straight out of the box for using the USB? No, you need to disable the OTP support first. Here is how you can do that from yubikey manager, this works for Yubikey. Other vendors might have something similar. But for Fido2 keys without OTP support, it should work out of the box for USB-C, like Google titan. Why this happens, dont know. Can we use NFC for Entra ID authentication like we can on Windows and iOS? No. Android does not currently support CTAP2 for NFC, only for USB-C input. CTAP1 (FIDO U2F) supports certificate based authentication, but CTAP supports user verification with PIN and biometrics. Entra ID requires UV (user verification) before accepting login. As far as I know, there is also support for bluetooth. But I dont have any fido2 keys that support bluetooth yet. So why does this matter? With Android you can have shared devices with secure login for multiple users with a single log in for all supported apps, auto log off and many other possibilities. https://learn.microsoft.com/en-us/entra/identity-platform/msal-shared-devices Other sources/discussions: https://www.reddit.com/r/yubikey/comments/1oncuh2/whats_the_point_of_nfc_on_android/ https://www.reddit.com/r/yubikey/comments/13tlzoc/fido2_inconsistent_across_windowsandroid/ https://fidoalliance.org/specifications/Common identifier between AMAPI & Require for setup app for validation
We are enrolling devices using AMAPI by generating a QR code with an assigned policy either for work profile or fully managed enrollment. During enrollment, the device prompts for a require for setup app, which, after configuration, returns RESULT_OK, marking the setup as complete and finalizing the device enrollment. Before returning RESULT_OK, To identify the enrolling device, the backend gets the device ID and enterprise ID from the Pub/Sub provisioning notification. The device ID (which matches the GSF ID) is then sent by the require for setup app to the backend for validation. This identifier is also used to enforce enrollment limits based on the enterprise license count. The Issue: Up to Android 14, retrieving the GSF ID was possible. However, in Android 15, it now returns null. Question: Is there an alternative identifier that can be used to identify the enrolling device—one that the backend can retrieve and that the setup app can also access during enrollment? Below is the information we receive from Pub/Sub when a device is enrolled: { "name": [*Hidden for privacy reasons] "managementMode": "PROFILE_OWNER", "state": "PROVISIONING", "enrollmentTime": "2025-04-04T06:17:02.751Z", "lastPolicySyncTime": "2025-04-04T06:17:02.817Z", "softwareInfo": { "androidVersion": "15", "androidDevicePolicyVersionCode": 10323580, "androidDevicePolicyVersionName": "128.32.3 (10323580)", "androidBuildNumber": "AP3A.240905.015.A2", "deviceKernelVersion": "5.15.149-android13-8-00010-gc2e0ba41ba85-ab12040008", "bootloaderVersion": "unknown", "androidBuildTime": "2025-03-11T13:26:50Z", "securityPatchLevel": "2025-03-01", "primaryLanguageCode": "en-IN", "deviceBuildSignature": "c9009d01ebf9f5d0302bc71b2fe9aa9a47a432bba17308a3111b75d7b2143456", "systemUpdateInfo": { "updateStatus": "UP_TO_DATE" } }, "hardwareInfo": { "brand": "Redmi", "hardware": "mt6835", "deviceBasebandVersion": "MOLY.NR17.R1.TC8.PR2.SP.V1.P51,MOLY.NR17.R1.TC8.PR2.SP.V1.P51", "manufacturer": "Xiaomi", "serialNumber": [*Hidden for privacy reasons] "model": "23124RN87I", "enterpriseSpecificId": [*Hidden for privacy reasons] }, "policyName": [*Hidden for privacy reasons] "memoryInfo": { "totalRam": "5865836544", "totalInternalStorage": "806965248" }, "userName": [*Hidden for privacy reasons] "enrollmentTokenName": [*Hidden for privacy reasons] "securityPosture": { }, "ownership": "PERSONALLY_OWNED" } *Updated by Community admin - removed due to privacy reasons 4 AprilEnable ADB debugging is grayed out - This setting is managed by your administrator
This issue was documented in 2021 but with no solution. My Chromebook is managed by my company and I am the manager. But Google tries to find the managed option to unlock for this to work in the administration interface for more than 15 days without success. By the way there are thousands of options in the admin interface it could be a clever feature to number them. If you are in front of the same issue please add your comments to this post. I hope that Google support will succeed to solve the issue soon because I developed my first app for Android on my Chromebook with Android Studio and I was able to download it to my phone before these 15 days.
