Purpose
This article explains the new security mechanism in Android 15+ that affects platform-signed apps and provides guidance on minimizing impact.
Effective OS Version: Android 15 and above
Impacted Products: SureMDM, SureLock, and SureFox
Background
Starting with Android 15, Google now requires that platform-signed apps (apps signed with the OEM’s platform key) must also be explicitly allowlisted in the OEM firmware to access platform-level permissions.
Our applications — SureMDM, SureLock, and SureFox — rely on platform-signed agents such as EnterpriseAgent and EASystemPlugin. If these are not allowlisted in the Android 15 firmware for your device model:
- Access to certain critical system permissions will be denied.
- Features depending on those permissions may fail or behave unpredictably, especially on devices enrolled in Device Admin mode.
We are actively engaging with OEM partners to address this requirement. Until allowlisting is confirmed for your devices, we strongly recommend postponing Android 15 upgrades.
🔗 Reference Links
- Google’s Platform Signature and Permission Allowlist Policy
- Platform-Signed Shared UID and Allowlisting
Important Notice
If your devices are enrolled in Fully Managed Device (Device Owner) mode, you will experience minimal impact since most functionalities remain available in this enrollment mode.
Potentially Impacted Functionalities:
Below is a detailed breakdown of the key features that may be impacted due to missing allowlisting, along with possible workarounds via OEM SDKs, OEMConfig apps, or Device Owner mode. This is not an exhaustive list, and actual impact may vary depending on your device model, OEM, and configuration
SureMDM Agent
| Impacted Features | Alternative Solution | ||||
| Lenovo | Zebra | Honeywell | Bluebird | Datalogic | |
| Device Power Off via SureMDM Agent Settings | Not available | Zebra OEMAgent | Not available | Not available | Not available |
| GPS Toggle | Lenovo OEMConfig | Zebra OEMConfig & Zebra OEMAgent | Honeywell OEMConfig | Bluebird OEMConfig | Datalogic OEMConfig |
| SD Card Access Control | Lenovo OEMConfig | Zebra OEMConfig & Zebra OEMAgent | Honeywell OEMConfig | Not available | Not available |
| Battery Saver Management | Lenovo OEMConfig | Zebra OEMConfig & Zebra OEMAgent | Honeywell OEMConfig | Not available | Datalogic OEMConfig |
| Wi-Fi MAC Randomization Control | Lenovo OEMConfig | Zebra OEMAgent | Honeywell OEMConfig | Bluebird OEMConfig | Datalogic OEMConfig |
| Block Mobile Data (Telecom Management) | Lenovo OEMConfig | Zebra OEMAgent | Honeywell OEMConfig | Not available | Datalogic OEMConfig |
| Blocklist Applications (Compliance Job) | Lenovo OEM SDK, Lenovo OEMConfig | Zebra OEMAgent | Honeywell OEMConfig | Not available | Not available |
| Device Info Collection (App Memory Info, Memory Info) | Not available | Zebra OEMAgent | Not available | Not available | Not available |
| Remote Device Unlock | Not available | Zebra OEMAgent | Not available | Not available | Not available |
| Set Proxy for Wi-Fi SSIDs | Not available | Zebra OEMAgent | Honeywell OEMConfig | Bluebird OEMConfig | Not available |
| Get Ethernet MAC address | Not available | Zebra OEMAgent | Not available | Not available | Not available |
| Toggle Data Usage Warning | Not available | Zebra OEMConfig & Zebra OEMAgent | Honeywell OEMConfig | Not available | Not available |
| Fetch MEID of the Device | Lenovo OEM SDK | Zebra OEMAgent | Not available | Not available | Not available |
| Battery Optimization Management | Lenovo OEMConfig | Zebra OEMAgent | Not available | Not available | Not available |
| Set Default Applications | Not available | Not available | Not available | Not available | Not available |
SureLock
| Impacted Features | Alternative Solution | ||||
| Lenovo | Zebra | Honeywell | Bluebird | Datalogic | |
| Hide Bottom Bar | Not available | Zebra OEMConfig & Zebra OEMAgent | Not available | Not available | Not available |
| Disable Soft Navigation Keys | Not available | Zebra OEMAgent | Not available | Bluebird OEMConfig | Not available |
| Disable Hardware Keys | Lenovo OEMConfig | Zebra OEMAgent | Not available | Bluebird OEMConfig | Not available |
| Wi-Fi Settings | Lenovo OEMConfig | Zebra OEMAgent | Honeywell OEMConfig | Not available | Not available |
| Disable Applications | Not available | Zebra OEMAgent | Honeywell OEMConfig | Bluebird OEMConfig | Not available |
| Kill Unallowed Application | Not available | Not available | Not available | Not available | Not available |
| USB Access Restriction | Lenovo OEMConfig | Zebra OEMConfig & Zebra OEMAgent | Honeywell OEMConfig | Bluebird OEMConfig | Datalogic OEMConfig |
| Clear Recent Apps | Not available | Zebra OEMAgent | Not available | Not available | Not available |
| OTG / External SD Card Access Restriction | Lenovo OEMConfig | Zebra OEMConfig & Zebra OEMAgent | Honeywell OEMConfig | Bluebird OEMConfig | Not available |
| GPS Settings | Lenovo OEMConfig | Zebra OEMConfig & Zebra OEMAgent | Honeywell OEMConfig | Not available | Datalogic OEMConfig |
| Mobile Data Settings | Lenovo OEMConfig | Zebra OEMAgent | Honeywell OEMConfig | Not available | Datalogic OEMConfig |
| Battery Saver Settings | Lenovo OEMConfig | Zebra OEMConfig & Zebra OEMAgent | Honeywell OEMConfig | Not available | Datalogic OEMConfig |
| Dark Mode Control | Not available | Zebra OEMConfig & Zebra OEMAgent | Not available | Bluebird OEMConfig | Not available |
| Clear Data on Home Screen Load | Lenovo OEMConfig | Zebra OEMAgent | Not available | Not available | Not available |
| Hide Quick Settings Tiles | Not available | Zebra OEMConfig & Zebra OEMAgent | Not available | Not available | Not available |
| Unrestricted Data Usage | Lenovo OEMConfig | Zebra OEMAgent | Not available | Not available | Not available |
| Wi-Fi Center – Static IP Support | Not available | Zebra OEMAgent | Not available | Bluebird OEMConfig | Not available |
| Suppress Power Button | Lenovo OEMConfig | Zebra OEMAgent | Not available | Bluebird OEMConfig | Not available |
| Clear App Cache | Lenovo OEMConfig | Zebra OEMAgent | Not available | Not available | Not available |
| Enable Auto Power-Off on Charger Disconnect | Not available | Zebra OEMAgent | Not available | Not available | Not available |
| Block All Incoming Calls | Not available | Zebra OEMConfig & Zebra OEMAgent | Not available | Not available | Not available |
| NFC Settings Control | Not available | Zebra OEMConfig & Zebra OEMAgent | Honeywell OEMConfig | Bluebird OEMConfig | Datalogic OEMConfig |
| USB Connectivity Preference | Lenovo OEMConfig | Zebra OEMAgent | Honeywell OEMConfig | Bluebird OEMConfig | Datalogic OEMConfig |
How to Implement Alternative Solutions
To enable the impacted functionalities on Android 15+ devices, use the following navigation guidance to configure the relevant alternatives already listed in the tables above.
- Configure OEMConfig Apps in SureMDM
If your device supports OEMConfig, you can deploy OEM-specific configurations directly via the SureMDM console.
Navigation Path:
Profiles > Android > New Profile > Primary Profile > OEM Config Policy > Configure
From there, select the applicable OEMConfig based on your device brand:
Lenovo → Select Lenovo OEMConfig
Zebra → Select Zebra OEMConfig Powered by MX
Honeywell → Select Honeywell UEMConnect
Bluebird → Select Bluebird OEMConfig
Datalogic → Select Datalogic OEMConfig
This method allows you to manage supported features directly without relying on platform-signed agents.
- Install Zebra OEMAgent (Zebra Devices Only)
For Zebra devices that rely on OEM-specific functionality:
- Download and install the Zebra OEMAgent on the device.
These alternatives help replicate functionalities previously managed by platform-signed agents.
What You Should Do Now:
- Defer Android 15 OS Updates – If your devices rely on EnterpriseAgent/EASystemPlugin and are not yet allowlisted: Defer OS updates by applying an Android profile in SureMDM with “System Update Policy” settings set to ‘Postpone’.
- Contact your OEM vendors to confirm whether EnterpriseAgent and EASystemPlugin apps have been allowlisted in the Android 15 firmware.
- Reach out to our team—we’re actively engaging with OEMs to help accommodate these changes.
Your Privacy, Still Protected
- This change does not affect your data privacy.
- System-level access continues to be used solely for device management and is governed by your existing IT policies and data agreements
Need Help? OEM coordination, allowlisting requests, or technical validation.