Blocking app installations from unknown sources (Android Enterprise PO mode)

You can enforce separate security policies to block app installations from unknown sources in the personal profile and the work profile in Profile Owner (PO) mode.

Profile Owner (PO) and Device Owner (DO) modes

You can use the following policy settings to restrict app installations to Google Play in both Profile Owner (PO) and Device Owner (DO) modes:
Path Policy Description
Security > Policies > Android policy > Android Enterprise Settings > Security > App Security Allow installation of non-Google Play applications The device allows apps that are not Google Play apps to be installed on the device.

To install apps that are not Google Play apps on the device, make sure that this setting is also enabled on the device.
Note: In Profile Owner (PO) devices, the policy blocks app installations from unknown sources in the work profile, but users can still install apps in the personal profile.

Profile Owner (PO) mode

You can use the following policy settings to restrict app installations to Google Play in Profile Owner (PO) mode:

Path Policy Description
Security > Policies > Android policy > Android Enterprise Settings > Security > App Security Allow device wide installation from unknown sources The device allows apps from sources other than Google Play to be installed on the device. If this setting is disabled, the app installations through sources other than Google Play are blocked on the device both in personal and work profiles.
Note:
  • When this setting is disabled, the system settings remain active on the device, but the system blocks app installation.
  • The system settings remain active on the device, but the system blocks app installation.
  • This policy only affects future app installations. The apps that are already installed through unknown sources remain on the device.
  • Device users can continue to install apps into the personal profile by using the Android Debug Bridge (ADB) at https://developer.android.com/studio/command-line/adb.

Device behavior matrix

Allow device wide installation from unknown sources Allow installation of non-Google Play applications Enforce App verification Device behavior
Yes No Yes
  • Allow device wide installation from unknown sources - Yes
  • Allow Installation of Non-Google Play Applications - No
  • Enforce App Verification - Yes
Yes No No
  • Allow device wide installation from unknown sources - Yes
  • Allow Installation of Non-Google Play Applications - No
  • Enforce App Verification - No
No No Yes
  • Allow device wide installation from unknown sources - No
  • Allow Installation of Non-Google Play Applications - No
  • Enforce App Verification - Yes
No No No
  • Allow device wide installation from unknown sources - No
  • Allow Installation of Non-Google Play Applications - No
  • Enforce App Verification - Yes
Yes Yes Yes
  • Allow device wide installation from unknown sources - Yes
  • Allow Installation of Non-Google Play Applications - Yes
  • Enforce App Verification - Yes
Yes Yes No
  • Allow device wide installation from unknown sources - Yes
  • Allow Installation of Non-Google Play Applications - Yes
  • Enforce App Verification - No
No Yes Yes
  • Allow device wide installation from unknown sources - Yes
  • Allow Installation of Non-Google Play Applications - No
  • Enforce App Verification - No
No Yes No
  • Allow device wide installation from unknown sources - No
  • Allow Installation of Non-Google Play Applications - Yes
  • Enforce App Verification - No