Turning off Google Play Protect scanning

MarkS
ExtenData Solutions LLC

I am wondering if anyone has found a way to not only "ungray" the setting under Settings > Google > Security > Google Play Protect so that it can be toggled, but also actually toggle it OFF.

SOTI provided two methods for doing the first item, to re-enable the setting so that it can be manually toggled.  The methods are actually the same thing (a feature control) done two different ways:

(1) Send script command:

writesecureprofstring DeviceFeature DisableVerifyApps 1

apply featurecontrol

(2)  Create / assign a Feature Control that has "Disable Verify Apps Enforcement" checked.

In my experience, these have the effect of re-enabling the toggle on the GPP setting, but leaving the setting toggled ON.  It then has to manually be toggled OFF.  I have certain apps that are mission-critical and mass-deployed, so touching each device to turn off GPP scanning for first deployment and subsequent app updates is absolutely not a feasible option.   So far, SOTI Support has been unable to provide a means to programmatically toggle that option OFF.

My other rather large challenge with this is, under AEDO, I've found that a Lockdown Screen profile has the side effect of toggling GPP back on, and graying it back out again so that it once again cannot be toggled off.  SOTI says that this is the "expected behavior," to which I respond, WHY?  Perhaps I am missing a pertinent concept here, but to my mind it is ridiculous to have a lockdown screen profile that also has the effect of locking GPP scanning on.  These corporate users need app installations and app updates -- and those need to happen while the lockdown screen is in place.

I've found that if the lockdown profile is already applied, the above two methods will have the effect of "ungraying" the GPP option so that it can manually be turned off.  BUT if the lockdown profile ever is re-applied, or refreshes itself due to an editing change (such as perhaps adding an entry for whatever new app(s) are intended to be applied), then GPP is again turned on and the toggle is grayed out.

This is very frustrating.  I need a way to turn GPP scanning off, and KEEP it off, until I (and only I) tell it that it can turn back on again.

Any advice would be appreciated.

Thank you,

Mark

6 years ago
Android
ANSWERS
Matt Dermody Diamond Contributor
6 years ago

There have been a couple of other threads on this topic and despite the discussions, there is not a great solution at the moment. GPP, and the inability to administer it, is a prime example of Google missing the mark for the Android Enterprise dedicated device use cases. Yes, we understand the Line of Business enterprise app that we're deploying may have a vulnerability because it was developed 5+ years ago, but it's in a completely controlled environment where we are the Device Owner, not some end user that needs to be protected. It's quite ironic really, as Google touts GPP as one of the primary advantages of moving to Android Enterprise. Google is trying to get rid of the stigma that Android isn't secure by forcing things like GPP and more frequent OS upgrades and API level targeting for developers, and they're getting increasingly like Apple as a result.

If you have a mission critical app that is being blocked, you may have to disable Google Play completely. Otherwise, if you're just concerned about the pop up that comes up when a new version is deployed, I believe you can just accept that on one device for it to be accepted everywhere, but I'm not 100% on that.

https://discussions.soti.net/thread/android-enterprise-do-disable-gpp-scan/

https://discussions.soti.net/thread/enable-app-disabled-by-google-play-protect/

MarkS
6 years ago

Thanks, Matt!

Well, at least this validates that both my findings and my line of thinking were not incorrect.

It has not been my experience that clicking "Install Anyway" on the pop-up will then validate the app for all other devices.  That would be beneficial, but I've not seen that happen.  I have not even seen the pop-up itself come up 100% of the time.  In many cases, the package just sits in Pending status for a long time, then finally fails with what SOTI flags as a file I/O error.  Especially if attempting to install an apk while the device is under a lockdown profile -- that GPP pop-up, if it even does come up behind the lockdown screen rather than simply being suppressed by the lockdown profile, is of course not seen, so I get the same result:  the package simply fails with a "File I/O error."

Unfortunately, disabling Google Play is frequently not an option, as other apps are being brought down to the device under an Application Catalog Rule that authenticates under Managed Google Play Store (AE binding) and gets apps as "Mandatory" installations.  I'm pretty sure that disabling Google Play Services or GMS would disable that or mess it up in some way.

Matt Dermody Diamond Contributor
6 years ago

> Especially if attempting to install an apk while the device is under a lockdown profile -- that GPP pop-up, if it even does come up behind the lockdown screen rather than simply being suppressed by the lockdown profile, is of course not seen, so I get the same result:  the package simply fails with a "File I/O error."

This might explain some odd behaviors I've been seeing as well. I had not considered that the GPP pop-up might be behind or suppressed (but obviously not accepted) by being in a lockdown state. Good find. 

> Unfortunately, disabling Google Play is frequently not an option, as other apps are being brought down to the device under an Application Catalog Rule that authenticates under Managed Google Play Store (AE binding) and gets apps as "Mandatory" installations.  I'm pretty sure that disabling Google Play Services or GMS would disable that or mess it up in some way.

I figured this was the case, but it may be the only option right now if you have a mission critical app that GPP is interfering with. 

Jim J
3 years ago

In what version was "Disable Verify Apps Enforcement" introduced?