Purpose
The purpose of this article is to provide information on a new security mechanism that affects platform-signed apps on devices running Android 15 and above.
Effective OS Version: Android 15 and above
Impacted Products: SureMDM, SureLock, and SureFox
Prerequisites
N/A
Steps
N/A
What’s Changing?
With the release of Android 15, Google has implemented a new security mechanism that affects platform-signed apps (apps signed with the OEM’s platform key).
Going forward, even if an app is platform-signed, the OEM must also explicitly allowlist it in the system configuration before it can access platform-level permissions.
This applies to all production builds and impacts device admin–enrolled devices that have the platform-signed EnterpriseAgent or EASystemPlugin installed.
If the EnterpriseAgent or EASystemPlugin is not allowlisted by the OEM, Android will deny access to certain critical system-level permissions.
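One way to observe this denial on a test device is to compare the permissions a package requests with the ones it actually holds. The script below is an added example, not 42Gears code: the package name `com.example.agent` and the sample output are constructed, and the section layout of `adb shell dumpsys package` is assumed to match what recent Android releases print.

```shell
#!/bin/sh
# Added example. Reads `dumpsys package <pkg>` text on stdin and prints every
# permission the package requests but does not hold as granted=true.
# On a device: adb shell dumpsys package "$PKG" | ungranted_permissions
# PKG is a placeholder for the agent's package name (not given on the page).

ungranted_permissions() {
    awk '
        /requested permissions:/         { sec = "req";   next }
        /(install|runtime) permissions:/ { sec = "grant"; next }

        # Entry lines start with a dotted permission name, optionally
        # followed by ":" and attributes such as granted=true.
        $1 ~ /^[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)+:?$/ {
            name = $1
            sub(/:$/, "", name)
            if (sec == "req" && !(name in seen)) {
                seen[name] = 1
                order[++n] = name
            } else if (sec == "grant" && $2 ~ /^granted=true/) {
                granted[name] = 1
            }
            next
        }

        # Anything else (for example a "User 0:" line) ends the section.
        { sec = "" }

        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in granted)) print order[i]
        }
    '
}

# Constructed sample: two signature-level permissions requested, not granted.
sample_dumpsys() {
    cat <<'EOF'
Packages:
  Package [com.example.agent] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.REBOOT
      android.permission.WRITE_SECURE_SETTINGS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
EOF
}

sample_dumpsys | ungranted_permissions
```

Runtime permissions the user has not granted are listed as well, so the useful signal is the difference between the output on the current firmware and on the Android 15 build.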
What Does This Mean for You?
If you’re using SureMDM, SureLock, or SureFox along with EnterpriseAgent or EASystemPlugin on Android 15+ devices:
- EnterpriseAgent–dependent features may not function as expected on OEM-signed builds.
- This limitation is due to the missing allowlisting of EnterpriseAgent and EASystemPlugin in the device firmware.
- Any features that rely on platform-level permissions could fail or behave unpredictably.
🔗 Reference Links
- Google’s Platform Signature and Permission Allowlist Policy
- Platform-Signed Shared UID and Allowlisting
Potentially Impacted Functionalities:
Below is a detailed breakdown of the important features that may be impacted due to missing allowlisting, along with possible workarounds via OEM SDKs, OEMConfig apps, or Device Owner mode:
SureMDM Agent
Sr. No. | Impacted Features | Alternative Solution |
1 | Application Permission Job | Lenovo OEMConfig, Zebra OEMAgent, Zebra OEMConfig, Honeywell OEMConfig, Device Owner (Partial) |
2 | Silent App Installation & Uninstallation | Zebra OEMAgent, Bluebird OEMConfig, Device Owner |
3 | Device Reboot via SureMDM Agent Settings | Zebra OEMAgent, Device Owner |
4 | Device Power Off via SureMDM Agent Settings | Zebra OEMAgent |
5 | Airplane Mode Control | Zebra OEMAgent, Zebra OEMConfig, Honeywell OEMConfig, Datalogic OEMConfig, Device Owner |
6 | GPS Toggle | Lenovo OEMConfig, Zebra OEMAgent, Zebra OEMConfig, Honeywell OEMConfig, Datalogic OEMConfig, Bluebird OEMConfig |
7 | Private DNS Toggle | Zebra OEMAgent, Honeywell OEMConfig, Bluebird OEMConfig, Device Owner |
8 | SD Card Access Control | Lenovo OEMConfig, Zebra OEMAgent, Zebra OEMConfig, Honeywell OEMConfig |
9 | Battery Saver Management | Lenovo OEMConfig, Zebra OEMAgent, Zebra OEMConfig, Honeywell OEMConfig, Datalogic OEMConfig |
10 | Wi-Fi MAC Randomization Control (For Android 10 and above) | Lenovo OEMConfig, Zebra OEMAgent, Honeywell OEMConfig, Datalogic OEMConfig, Bluebird OEMConfig |
11 | Block Mobile Data (Telecom Management Policy) | Lenovo OEMConfig, Zebra OEMAgent, Honeywell OEMConfig, Datalogic OEMConfig |
12 | Blocklist Applications (Compliance Job) | Lenovo OEM SDK, Lenovo OEMConfig, Zebra OEMAgent, Honeywell OEMConfig |
13 | Device Info Collection (App Memory Info, Memory Info) | Zebra OEMAgent |
14 | Remote Device Unlock | Zebra OEMAgent |
15 | Set Proxy for Wi-Fi SSIDs | Zebra OEMAgent, Honeywell OEMConfig, Bluebird OEMConfig |
16 | Get Ethernet MAC address | Zebra OEMAgent |
17 | Toggle Data Usage Warning | Zebra OEMAgent, Zebra OEMConfig, Honeywell OEMConfig |
18 | Fetch MEID of the Device | Lenovo OEM SDK, Zebra OEMAgent |
19 | Clear App Data / Wipe Option | Lenovo OEMConfig, Zebra OEMAgent, Device Owner |
20 | Set APN (Access Point Name) | Lenovo OEMConfig, Zebra OEMConfig, Honeywell OEMConfig, Datalogic OEMConfig, Bluebird OEMConfig, Device Owner |
21 | Disable Location Permission for SureMDM Agent | Zebra OEMAgent, Device Owner |
22 | Disable Lock Screen Notifications for All Apps Except Third-Party Apps | Lenovo OEMConfig, Zebra OEMAgent, Honeywell OEMConfig, Bluebird OEMConfig, Device Owner |
23 | Battery Optimization Management | Lenovo OEMConfig, Zebra OEMAgent |
24 | Remote Control | Device Owner, Zebra OEMConfig |
25 | Set Default Applications | No alternative |
SureLock
Sr. No. | Impacted Features | Other Alternatives |
1 | Hide Bottom Bar | Zebra OEMAgent, Zebra OEMConfig |
2 | Disable Soft Navigation Keys | Zebra OEMAgent, Bluebird OEMConfig |
3 | Disable Hardware Keys | Lenovo OEMConfig, Zebra OEMAgent, Bluebird OEMConfig |
4 | WiFi Settings | Lenovo OEMConfig, Zebra OEMAgent, Honeywell OEMConfig |
5 | Clear Data on App Launch | Lenovo OEMConfig, Zebra OEMAgent, Device Owner |
6 | Disable Applications | Zebra OEMAgent, Honeywell OEMConfig, Bluebird OEMConfig |
7 | Kill Unallowed Application | No alternative |
8 | USB Access Restriction | Lenovo OEMConfig, Zebra OEMAgent, Zebra OEMConfig, Honeywell OEMConfig, Datalogic OEMConfig, Bluebird OEMConfig |
9 | Clear Recent Apps | Zebra OEMAgent |
10 | Schedule Reboot | Zebra OEMAgent, Device Owner |
11 | OTG / External SD Card Access Restriction | Lenovo OEMConfig, Zebra OEMAgent, Zebra OEMConfig, Honeywell OEMConfig, Bluebird OEMConfig |
12 | Airplane Mode | Zebra OEMAgent, Zebra OEMConfig, Honeywell OEMConfig, Datalogic OEMConfig, Device Owner |
13 | GPS Settings | Lenovo OEMConfig, Zebra OEMAgent, Zebra OEMConfig, Honeywell OEMConfig, Datalogic OEMConfig |
14 | Mobile Data Settings | Lenovo OEMConfig, Zebra OEMAgent, Honeywell OEMConfig, Datalogic OEMConfig |
15 | Battery Saver Settings | Lenovo OEMConfig, Zebra OEMAgent, Zebra OEMConfig, Honeywell OEMConfig, Datalogic OEMConfig |
16 | Dark Mode Control | Zebra OEMAgent, Zebra OEMConfig, Bluebird OEMConfig |
17 | Clear Data on Home Screen Load | Lenovo OEMConfig, Zebra OEMAgent |
18 | Hide Quick Settings Tiles | Zebra OEMAgent, Zebra OEMConfig |
19 | Unrestricted Data Usage | Lenovo OEMConfig, Zebra OEMAgent |
20 | WiFi Center – Static IP support | Zebra OEMAgent, Bluebird OEMConfig |
21 | Suppress Power Button | Lenovo OEMConfig, Zebra OEMAgent, Bluebird OEMConfig |
22 | Clear App Cache | Lenovo OEMConfig, Zebra OEMAgent |
23 | Enable Auto Power-Off on Charger Disconnect | Zebra OEMAgent |
24 | Block All Incoming Calls | Zebra OEMAgent, Zebra OEMConfig |
25 | NFC Settings Control | Zebra OEMAgent, Zebra OEMConfig, Honeywell OEMConfig, Datalogic OEMConfig, Bluebird OEMConfig |
26 | USB Connectivity Preference | Lenovo OEMConfig, Zebra OEMAgent, Honeywell OEMConfig, Datalogic OEMConfig, Bluebird OEMConfig |
What You Can Do
- Hold off on Android 15 OS updates for managed devices using EnterpriseAgent or EASystemPlugin.
- Contact your OEM vendors to confirm whether EnterpriseAgent and EASystemPlugin apps have been allowlisted in the Android 15 firmware.
- Reach out to our team—we’re actively engaging with OEMs to help accommodate these changes.
Your Privacy, Still Protected
This change does not affect your data privacy.
System-level access continues to be used solely for device management and is governed by your existing IT policies and data agreements.
Need help? Reach out to our team for OEM coordination, allowlisting requests, or technical validation.