Android Enterprise DO : Disable GPP scan
- 12 September 2019
- SOTI MobiControl - Android
7 Answers
I knew GPP would be a problem for Enterprises the second I found out about it. Business apps in closed environments may not be maintained frequently if they are stable and well tested. Google however is going to deem these apps as insecure if they use older libraries or target lower API levels. Unfortunately, I don’t think a mechanism exists yet for disabling GPP via EMM policy while leaving the rest of Google Play enabled. We are definitely going to need that functionality however.
Hi Matt, thanks for your answer.
Indeed, this point should be one of the important points to be put in place. Maybe, in the same way that there is the "Enroll on SafetyNet Attestation Failure" option when creating an add devices rule, there should be an "Install App despite GPP blocking" option in the feature control. IDK
Bumped into the same issue.
On Zebra TC8300 (DO Android 8.1.0)
Tried combo of feature control and following script.
writesecuresetting -glo package_verifier_user_consent -1
writeprivateprofstring DeviceFeature DisableVerifyApps 1
apply featurecontrol
And failed...
I was wondering, looking to Matt, if Zebra maybe has a workaround with StageNow?
But, if you select "Install Anyway" and "Always send unknown apps" it will not re-appear on future devices.
(Ooh yes we actually have a Line-Of-Business app called Wascos.)
This way, a new version needs to be deployed to a test device, and manually go through the process once.
(I have not tested this with different versions of same app yet)
Accepting that prompt for each version of the application is at least one way of reducing the need for manual intervention on other devices, but that does not turn Google Play Protect off. At some point in the future GPP could inadvertently quarantine your LoB app because they have determined the app to be vulnerable or a PHA for whatever reason. This is obviously incompatible with the enterprise environment where mission critical applications may be deployed for many years on end, in traditionally firewalled networks.
At this point, the only way I know how to disable GPP en masse via EMM is to disable the Play Store completely as it is a functionality of Play. There is a manual toggle switch for disabling GPP inside of Play, but I do not believe there is any way to administer it through EMM today. In the future, I am hoping either that can be remotely managed OR maybe Google could introduce some sort of whitelisting concept.
Accepting that prompt for each version of the application is at least one way of reducing the need for manual intervention on other devices, but that does not turn Google Play Protect off. At some point in the future GPP could inadvertently quarantine your LoB app because they have determined the app to be vulnerable or a PHA for whatever reason. This is obviously incompatible with the enterprise environment where mission critical applications may be deployed for many years on end, in traditionally firewalled networks.
Very good point.
One last alternative way would be publishing it to Managed Google Play.
The requirements are a lot less strict if you publish from within EMM.
But I will need to look into this myself.
I am continuing to have this issue, and it's slowing down our device deployment significantly. Are there any updates as to a more automated way to turn off Google Play Protect?
Hi Kaiser,
I still haven't found a different solution.
But the "add your application to Managed Google Play" approach works perfectly.
We have 40+ private apps deployed this way, and no more annoying messages.
Play Protect is still activated.
Keep in mind you will need to update this with every update of your application.
I'm no developer myself, but we automated this from our CI/CD pipeline by adding a Deploy to Google Play console task at deployment.
Just give it a try.