Android Enterprise DO: Disable GPP scan

Hello everyone,

I have encountered an issue (as some of you have, I have seen!) regarding the deployment of an APK on an AEDO device.

The profile stays in an "Install Failed" status (Failed to Install (File I/O Error)).

On the device I have the following message from Google Play Protect:

If I click on "INSTALL ANYWAY" the app is correctly installed.

If I deploy a FC profile with the "Disable verify apps enforcement" feature:

I am able to manually disable the GPP scan:

This is the same thing / result as if I sent the following script to the device:

writesecureprofstring DeviceFeature DisableVerifyApps 1
apply featurecontrol

If I manually disable the "Scan device for security threats" option, I can deploy my APK via my profile without any problems.

Also, I am able to install my APK directly on the device from a USB driver for example.

Question: Is there a way to disable the "Scan device for security threats" option with a script or a trick?

For now, the solution is to blacklist Google Play via an App Run Control profile. But I use a managed Google Play store and I need Google Play on the device... The complete solution would therefore be:

1/ Deploy App Run Control profile
2/ Deploy APK
3/ Revoke App Run Control profile

Quite tedious....

Thank you!

7 Answers

Matt Dermody | posted this 12 September 2019

I knew GPP would be a problem for Enterprises the second I found out about it. Business apps in closed environments may not be maintained frequently if they are stable and well tested. Google however is going to deem these apps as insecure if they use older libraries or target lower API levels. Unfortunately, I don’t think a mechanism exists yet for disabling GPP via EMM policy while leaving the rest of Google Play enabled. We are definitely going to need that functionality however.

  • 0
  • 0
Yoan R | posted this 12 September 2019

Hi Matt, thanks for your answer.

Indeed, this point should be one of the important points to be put in place. Maybe, in the same way that there is the "Enroll on SafetyNet Attestation Failure" option when creating an add devices rule, there should be an "Install App despite GPP blocking" option in the feature control. IDK

  • 1
  • 0
Dennis Vdh | posted this 28 October 2019

Bumped into the same issue.

On Zebra TC8300 (DO Android 8.1.0)

Tried a combo of feature control and the following script:

writesecuresetting -glo package_verifier_user_consent -1
writeprivateprofstring DeviceFeature DisableVerifyApps 1
apply featurecontrol

And failed...

I was wondering, looking to Matt, if Zebra maybe has a workaround with StageNow?

But, if you select "Install Anyway" and "Always send unknown apps" it will not re-appear on future devices.
(Ooh yes, we actually have a Line-Of-Business app called Wascos.)

This way, a new version needs to be deployed to a test device, and you go through the process manually once.
(I have not tested this with different versions of the same app yet.)
  • 0
  • 0
Matt Dermody | posted this 28 October 2019

Accepting that prompt for each version of the application is at least one way of reducing the need for manual intervention on other devices, but that does not turn Google Play Protect off. At some point in the future GPP could inadvertently quarantine your LoB app because they have determined the app to be vulnerable or a PHA for whatever reason. This is obviously incompatible with the enterprise environment where mission critical applications may be deployed for many years on end, in traditionally firewalled networks.

 

At this point, the only way I know how to disable GPP en masse via EMM is to disable the Play Store completely as it is a functionality of Play. There is a manual toggle switch for disabling GPP inside of Play, but I do not believe there is any way to administer it through EMM today. In the future, I am hoping either that can be remotely managed OR maybe Google could introduce some sort of whitelisting concept. 

  • 0
  • 0
Dennis Vdh | posted this 28 October 2019

Accepting that prompt for each version of the application is at least one way of reducing the need for manual intervention on other devices, but that does not turn Google Play Protect off. At some point in the future GPP could inadvertently quarantine your LoB app because they have determined the app to be vulnerable or a PHA for whatever reason. This is obviously incompatible with the enterprise environment where mission critical applications may be deployed for many years on end, in traditionally firewalled networks.

 

Very good point.

One last alternative way would be publishing it to Managed Google Play.
The requirements are a lot less strict if you publish from within EMM.

But I will need to look into this myself.

  • 0
  • 0
Margaret Kaiser | posted this 05 November 2020

I am continuing to have this issue, and it's slowing down our device deployment significantly. Are there any updates as to a more automated way to turn off Google Play Protect?

  • 0
  • 0
Dennis Vdh | posted this 06 November 2020

Hi Kaiser, 

I still haven't found a different solution.

But the "add your application to Managed Google Play" approach works perfectly.
We have 40+ private apps deployed this way, and no more annoying messages.
Play Protect is still activated.

Keep in mind you will need to update this with every update of your application.
I'm no developer myself, but we automated this from our CI/CD pipeline by adding a "Deploy to Google Play console" task at deployment.

Just give it a try.

  • 0
  • 0
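The CI/CD route Dennis describes (pushing each new build of the line-of-business app to the Play Console so it reaches managed Google Play and Play Protect no longer flags a sideloaded APK) can be scripted against the Google Play Developer API. The block below is an added example, not code from this thread or from SOTI, Zebra or Google. The package name, the PLAY_SERVICE_ACCOUNT_JSON variable and the FakePlayService stand-in are constructed for the example; it assumes a service account that has already been granted release access in the Play Console, the google-api-python-client package for a real run, and that the app has already been made private to the enterprise in the Console (that one-time step is not part of the script). The edit / upload / track / commit sequence is the one the androidpublisher v3 API requires, and the fake service enforces that order so the flow can be checked offline.

```python
"""Push one LoB APK build to a Play track from a CI/CD job (added example)."""
import os
import sys

# Constructed placeholders for the example; replace with your own values.
PACKAGE_NAME = "com.example.lob"
MIME_APK = "application/vnd.android.package-archive"
SCOPE = "https://www.googleapis.com/auth/androidpublisher"


def build_service(key_path):
    """Authenticated androidpublisher v3 client (real run only, needs network)."""
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        key_path, scopes=[SCOPE])
    return build("androidpublisher", "v3", credentials=creds)


def publish_apk(service, package_name, apk_path, track="production",
                media_body=None):
    """Upload one APK inside a single edit and roll it out completely.

    Order matters for the real API: insert an edit, upload the APK into it,
    assign the returned version code to a track, then commit the edit.
    Returns what was shipped so the pipeline can record it.
    """
    edits = service.edits()
    edit_id = edits.insert(packageName=package_name, body={}).execute()["id"]
    if media_body is None:
        from googleapiclient.http import MediaFileUpload
        media_body = MediaFileUpload(apk_path, mimetype=MIME_APK)
    uploaded = edits.apks().upload(packageName=package_name, editId=edit_id,
                                   media_body=media_body).execute()
    version_code = uploaded["versionCode"]
    # Play expects version codes as strings in the track release body.
    edits.tracks().update(
        packageName=package_name, editId=edit_id, track=track,
        body={"releases": [{"versionCodes": [str(version_code)],
                            "status": "completed"}]}).execute()
    edits.commit(packageName=package_name, editId=edit_id).execute()
    return {"edit_id": edit_id, "version_code": version_code, "track": track}


class _Pending:
    """Mimics the request object googleapiclient returns before .execute()."""

    def __init__(self, result):
        self._result = result

    def execute(self):
        return self._result


class FakePlayService:
    """Offline stand-in (constructed for this example) that records calls and
    rejects any step taken out of the order the real API requires."""

    def __init__(self, version_code=42):
        self.version_code = version_code
        self.log = []
        self.committed = None

    # The real client chains edits().apks()/tracks(); one object plays all roles.
    def edits(self):
        return self

    def apks(self):
        return self

    def tracks(self):
        return self

    def _expect(self, previous):
        if not self.log or self.log[-1][0] != previous:
            raise RuntimeError(f"step out of order, expected after {previous}")

    def insert(self, packageName, body):
        self.log.append(("insert", packageName))
        return _Pending({"id": "edit-1"})

    def upload(self, packageName, editId, media_body):
        self._expect("insert")
        self.log.append(("upload", editId))
        return _Pending({"versionCode": self.version_code})

    def update(self, packageName, editId, track, body):
        self._expect("upload")
        codes = tuple(body["releases"][0]["versionCodes"])
        self.log.append(("track", track, codes))
        return _Pending({"track": track})

    def commit(self, packageName, editId):
        self._expect("track")
        self.committed = editId
        self.log.append(("commit", editId))
        return _Pending({"id": editId})


if __name__ == "__main__":
    key = os.environ.get("PLAY_SERVICE_ACCOUNT_JSON")  # constructed variable name
    if key and len(sys.argv) > 1:
        print(publish_apk(build_service(key), PACKAGE_NAME, sys.argv[1]))
    else:
        # Dry run against the fake so the flow can be exercised without credentials.
        print(publish_apk(FakePlayService(version_code=7), PACKAGE_NAME,
                          "app-release.apk", media_body="fake-upload"))
```

Run it with the service-account key path in PLAY_SERVICE_ACCOUNT_JSON and the built APK as the first argument from the pipeline's release stage; without those it dry-runs against the fake. Keeping the whole release inside one edit means a failed upload never leaves a half-assigned track, and recording the returned version code gives the pipeline the value to match against the version MobiControl later reports from managed Google Play.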
