By default, Google Play Protect is enabled on all GMS devices. This service, managed by Google, helps protect devices from malware and other security threats. However, it can also prevent you from installing enterprise apps that are improperly signed (or not signed at all). This includes when you try to install an app through a blueprint, template, install command, or other source.
Note: This primarily affects devices on Android 11+, but you may experience these issues on other Android versions as well.
In this article:
- How do you know if an app is affected by Google Play Protect?
- Preventing Google Play Protect Issues
- Resolving Google Play Protect Issues
How do you know if an app is affected by Google Play Protect?
You might not have all the information you need before installing apps. In that case, we recommend testing out a few devices first. Check the device's event feed after provisioning and installing apps.
Apps that are installed will show a success message.
However, if you see “apk_package_name : Install Verification Failure", “INSTALL_FAILED_VERIFICATION_FAILURE”, or "INSTALL APP VERIFICATION FAILED" that may mean Google Play Protect prevented the app from installing.
You’ll need to resolve the error by either signing the app or disabling Play Protect.
Preventing Google Play Protect Issues
The best way to prevent Google Play Protect installation errors is to ensure applications are signed correctly. Even if the application won’t be in the Google Play Store, it may still be flagged by Play Protect. Once it's flagged, you won't be able to install it on GMS devices until you either disable Play Protect or sign it correctly. See Google’s Use Play App Signing, Developer Policy, and Unwanted Software Policy articles for more information.
Resolving Google Play Protect Issues
To resolve this issue, you'll need to physically disable Play Protect on the devices. We recommend creating two blueprints to resolve Google Play Protect this way.
First, create a blueprint to make the Google Play Store and Android settings app visible.
Under Esper Settings, enable the Android Settings App (Always Apply).
Under Platform Services, enable Google Play Store Visibility (Always Apply).
You won’t need to modify this blueprint in other ways, as we’ll apply the “desired state” blueprint later.
Then apply the blueprint to the device by provisioning it or changing its blueprint.
Once you've applied the blueprint, you can tap on the Google Play Store on the device and follow the prompts to disable Google Play Protect. Refer to Google’s documentation for turning Google Play Protect off.
If you're using a device that was provisioned after June 2024, you may also need to change its settings:
1. Go to Android Settings > Developer Options. Then turn off Verify Apps over USB.
2. Go to Android Settings > Security. Then turn on Uknown Sources.
You can usually access Developer Options by tapping the device's build number a few times.
Once Google Play is turned off, create your “desired state” blueprint with your chosen apps. The Play Store will no longer need to be visible. Save, publish, and converge devices to the new blueprint.
You should now be able to install apps on the device.