Sunday, 30 August 2020

Block apps from running on fully managed Android devices

My customer is using Microsoft Intune to manage Android devices (Samsung A51) which have been enrolled as "fully managed" devices. We have a device configuration profile in place to manage the device restriction settings. The customer also wants to block consumer and system apps that are pre-installed by the OEM and gave us a list of apps.

First I looked at a restricted apps policy. This is used to allow or prevent specific apps on devices. It is supported on Android and Samsung Knox Standard devices but is only available for "device administrator" management.


Next I decided to look at uninstall packages for the apps. I created packages for some of the apps based on their URL in the Google Play Store. Then I assigned the packages as Uninstall to the Android device group. This worked well but unfortunately, not all the apps were available in the Play Store, so this was an incomplete solution.

I found the answer with Android Enterprise system apps.


This allowed me to create the app packages using the Package Name, with no reference to the Play Store. Every Android app has a registered package name. You just have to be able to find it.

This search link will give you details on package names for all system apps pre-installed on many Samsung models. I found everything I needed and was able to create the uninstall packages.
  • Navigate to the Endpoint Manager admin center to create the apps.
  • Click Apps > All Apps > Add
  • For the App Type, look at the bottom option and choose Android Enterprise system app.

  • Click Select to commence the Add App wizard.

  • This is where you enter the app details. Pay particular attention to the Package name. It must be entered correctly. The tooltip tells us to contact the device manufacturer to get the system apps package name of the format com.example.app. Click Next to continue.
  • You only have two options on the Assignments page. To enable an app, assign the system app as Required. To disable an app, assign the system app as Uninstall. System apps cannot be assigned as available. Select the assignment groups and click Next.
  • Review and create the app.
I was able to prevent the apps in the table below from running and satisfy the customer requirement.

App

Package Name

Netflix

com.netflix.mediaclient

Galaxy Store

com.sec.android.app.samsungapps

Verizon Call Filter

com.vzw.ecid

Verizon Cloud

com.vcast.mediamanager

Verizon Digital Secure (Safe)

com.securityandprivacy.android.verizon.vms

My Verizon

com.vzw.hss.myverizon

AR Zone

com.ARZone.arzone

Bixby Voice 

com.samsung.android.bixby.agent

Bixby Voice Stub

com.samsung.android.bixby.agent.dummy

Bixby Home

com.samsung.android.app.spage

Bixby Service

com.samsung.android.bixby.service

Bixby Vision Framework

com.samsung.android.bixbyvision.framework

Game Launcher

com.yujimny.android.gamelauncher

Samsung Internet

com.sec.android.app.sbrowser


I hope this helps. Until next time....

2 comments:

  1. Great post. Just one suggestion that you could use an app such as "Package Name Viewer" from the Google Play Store which allows you to search & display the package ID's of installed apps.

    ReplyDelete