On Android devices, controlling the Unknown Sources setting to prevent side-loading of applications is a critical step to securing your device fleet. On Android Enterprise, the VMware Workspace ONE UEM Console currently offers a Restriction to control this called Allow non-market app installation. When selected this restriction still appears to allow the setting in the device to be toggled but will, in the background, prevent the side-loading of applications. On Work Managed (DO) mode, this restriction will apply to the entire device, while on Work Profile (PO) it will control only the Work Profile.
In addition to the restriction setting above, it is possible to send Custom XML to a Work Profile (PO) device to control Unknown Sources across the entire device, even on the personal side, use this setting wisely and ensure your end-users are aware of the purpose of the restriction if applied.
There are three methods to control Unknown Sources and prevent side-loading of applications on Android Enterprise devices. The behavior in all cases will appear to allow the end-user to toggle Unknown Sources back and forth, but when actually attempting to side-load an application, side-loading will fail with a prompt indicating that the installation was blocked by the IT Admin for security reasons.
- On Work Managed (DO) devices, enable the restriction Allow non-market app installation to control this on the whole device
- On Work Profile (PO) devices, enable the restriction Allow non-market app installation to control this only inside the Work Profile
- On Work Profile (PO) devices, send the Custom Setting, provided below, to control this on the whole device
<characteristic type="com.airwatch.android.androidwork.app:com.android.vending" uuid="70f39b43-3df7-4845-aeea-795020609ead">
<parm name="verify_apps:device_wide_unknown_source_block" value="true" type="boolean" />
Support Contact Information
The VMware Workspace ONE Team
Other Languages: 日本語