
I'm using the Android Management API with a DEVICE_OWNER policy that has "playStoreMode": "BLACKLIST" and an application with "installType": "BLOCKED" to blacklist a specific application. Here's the policy I'm using for development:

{
    "name": "enterprises/<enterprise>/policies/<policy>",
    "version": "1",
    "applications": [
        {
            "packageName": "<enterprise app id>",
            "installType": "FORCE_INSTALLED"
        },
        {
            "packageName": "<blocked app id>",
            "installType": "BLOCKED"
        }
    ],
    "alwaysOnVpnPackage": {
        "packageName": "<enterprise app id>",
        "lockdownEnabled": true
    },
    "playStoreMode": "BLACKLIST"
}

The problem I'm seeing is that the blacklisted app is only removed 'by the administrator' when the user manually syncs the policy with Google's 'Device Policy' app.

How can I make the blacklisted app remove itself automatically?

Also of note, the device appears to be both compliant and non-compliant with the policy at the same time. Using the API to inspect a device with the blocked app installed:

...
"name": "enterprises/<enterprise>/devices/<device id>",
"managementMode": "DEVICE_OWNER",
"state": "ACTIVE",
"appliedState": "ACTIVE",
"policyCompliant": true,
"nonComplianceDetails": [
    {
        "settingName": "applications",
        "nonComplianceReason": "APP_INSTALLED",
        "packageName": "<blocked app id>"
    }
],
...
Phantômaxx
Brian
  • The policy sync should be triggered automatically when you update the policy, isn't it the case? – Fred Oct 24 '18 at 11:26
  • Yes. If I update the policy it is immediately enforced. However, users are able to install the blocked app, and the app is only removed when the sync occurs. I was hoping that the device itself could enforce the policy as soon as it detects that the blocked app has been installed. – Brian Oct 24 '18 at 11:49
  • I see. This may be a bug, I reported it to the team to investigate. Thanks! – Fred Oct 26 '18 at 11:32

2 Answers


The only workaround I'm finding is to allow installation of the app, but set it as a disabled app. Then the user cannot launch the app, effectively "blocking" it.

    {
        "packageName": "<blocked app id>",
        "installType": "AVAILABLE",
        "disabled": true
    }

@Fred did you confirm if this is a bug? In my case, this can easily be reproduced when user adds their own Google account to a DEVICE_OWNER mode device.

Pablo

Use Policy Enforcement Rules.

For example, add the following item to your policy:

    "policyEnforcementRules": [
        {
            "blockAction": {
                "blockAfterDays": 0
            },
            "wipeAction": {
                "wipeAfterDays": 30,
                "preserveFrp": true
            },
            "settingName": "applications"
        }
    ]

Then if the user installs a blocked app, the device will disable all apps until the offending one is removed. This is enforced locally, even without an internet connection.

Levy Srugo
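The two pieces a practitioner would script around this thread are adding the enforcement rule from the last answer to an existing policy resource, and checking a device resource for installed blocked apps without trusting the top-level policyCompliant flag, which the question shows as true while nonComplianceDetails still lists APP_INSTALLED. The following is an added example, not code from the thread or from Google; the policy and device dictionaries are constructed samples that keep the question's placeholders, and the functions operate on plain dicts so they can be fed the JSON returned by the API.

```python
import copy

# Constructed sample policy, shaped like the one in the question.
SAMPLE_POLICY = {
    "name": "enterprises/<enterprise>/policies/<policy>",
    "applications": [
        {"packageName": "<enterprise app id>", "installType": "FORCE_INSTALLED"},
        {"packageName": "<blocked app id>", "installType": "BLOCKED"},
    ],
    "playStoreMode": "BLACKLIST",
}

# Constructed device resource, trimmed to the fields the question shows.
SAMPLE_DEVICE = {
    "name": "enterprises/<enterprise>/devices/<device id>",
    "policyCompliant": True,
    "nonComplianceDetails": [
        {"settingName": "applications", "nonComplianceReason": "APP_INSTALLED",
         "packageName": "<blocked app id>"}
    ],
}


def add_applications_enforcement_rule(policy, block_after_days=0, wipe_after_days=30):
    """Return a copy of `policy` with a policyEnforcementRules entry for the
    'applications' setting (the rule from the second answer). Idempotent: an
    existing rule for 'applications' is replaced, not duplicated."""
    new_policy = copy.deepcopy(policy)
    rules = [r for r in new_policy.get("policyEnforcementRules", [])
             if r.get("settingName") != "applications"]
    rules.append({
        "settingName": "applications",
        "blockAction": {"blockAfterDays": block_after_days},
        "wipeAction": {"wipeAfterDays": wipe_after_days, "preserveFrp": True},
    })
    new_policy["policyEnforcementRules"] = rules
    return new_policy


def blocked_packages(policy):
    """Package names the policy marks as installType BLOCKED."""
    return {a["packageName"] for a in policy.get("applications", [])
            if a.get("installType") == "BLOCKED"}


def installed_blocked_apps(device, policy):
    """Blocked packages the device reports as installed, read from
    nonComplianceDetails only; policyCompliant is deliberately ignored."""
    blocked = blocked_packages(policy)
    return sorted(d["packageName"] for d in device.get("nonComplianceDetails", [])
                  if d.get("settingName") == "applications"
                  and d.get("nonComplianceReason") == "APP_INSTALLED"
                  and d.get("packageName") in blocked)
```

The returned policy dict is what you would send as the body of the policies.patch call; the compliance check is what a monitoring job should alert on rather than the policyCompliant boolean.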