3

We are testing the Android Management API for our organization,and we found a workaround to the managed play store: If a user adds his personal account to the device (to access Gmail, for example), he can switch to that account in the Play Store and download apps which are not allowed by the policy.

Although the DPC (Android Device Policy) deletes the app on the next policy sync, for some reason that sync does not happen automatically whenever an app is installed. The Device Policy app only syncs if either: 1) the admin pushes a change to the policy through the API, or 2) the user manually syncs through the app.

Which means that the user can install any app he wants, and use it until the policy syncs.

Is there any way to prevent the user from downloading apps from outside the managed play store account, or to make the Device Policy app auto-sync whenever an app is installed?

This is the policy that I applied to the test devices and the patch code:

import json

test_policy_name = enterprise_name + '/policies/test'

test_policy_json = '''
{
  "applications": [
    {
      "packageName": <app_package_name>,
      "installType": "BLOCKED"
    },
    {
      "packageName": <app_package_name>,
      "installType": "AVAILABLE"
    }
  ],
  "installAppsDisabled": false,
  "playStoreMode": "WHITELIST",
  "installUnknownSourcesAllowed": false
}
'''

androidmanagement.enterprises().policies().patch(
    name=test_policy_name,
    body=json.loads(test_policy_json)
).execute()
Levy Srugo
  • 115
  • 2
  • 9

1 Answers1

1

Indeed it's possible to install any app from the Google Play Store by using a different Google account than the one configured by the Android Management API.

You have two options to address this:

  1. Block the device until the apps that are not in the policy are uninstalled
  2. Disable adding additional Google accounts, so the user can't install apps that are not in the policy

At the moment it's not possible to prevent installing any app from the Google Play Store while allowing additional Google accounts. We are working on a feature that will allow to do that, but don't have a precise timeline at the moment.

Option 1: Block the device until the apps that are not in the policy are uninstalled

You can set a policyEnforcementRules in the policy to block the device until the disallowed apps are uninstalled:

{
  "policyEnforcementRules": [
    {
      "blockAction": {
        "blockAfterDays": 0
      },
      "wipeAction": {
        "wipeAfterDays": 30,
        "preserveFrp": true
      },
      "settingName": "playStoreMode"
    }
  ]
}

Option 2: Disable adding additional Google accounts, so the user can't install apps that are not in the policy

You can disable adding additional Google accounts in the policy:

  • set accountTypesWithManagementDisabled to ["com.google"],
  • or alternatively, set modifyAccountsDisabled to true.

This will prevent using additional Google accounts in all Google apps (including Gmail, Google Calendar, Google Drive, etc), not just in the Google Play Store.

Fred
  • 2,191
  • 1
  • 12
  • 14