Matrix42 Self-Service Help Center

Enable and Disable System Apps Overview on Android Enterprise

Overview

Before or after enrolling devices on Android Enterprise, many administrators face the question of which apps should and must be available for different use cases. In general, Android distinguishes between system apps and non-system apps, and which apps count as system apps is defined by the device manufacturer. Because this definition varies from manufacturer to manufacturer, and because the custom list of applications we maintained in the past repeatedly led to differing feedback from our customers, we have decided to follow the standardized path within Android Enterprise management. This guide describes the resulting status quo.

For example, if system apps are not enabled, only a few applications are enabled on the device by default after enrollment. Most other applications can then simply be distributed to the devices as Managed Play Apps and, depending on the configuration, either installed automatically or made available to users via the Managed Play Store. However, there are situations where a required system application is not available and cannot be distributed via the Play Store, such as the Gallery application on Samsung Knox devices. For these special cases, this guide shows you how to create the desired state.

Enabled vs Disabled System Apps

Before we guide you through creating your desired state, here is a short overview of the differences between enabling and disabling system apps. When configuring the Managed Account or the Work Profile for Android Enterprise devices, you will find the option Enable System Apps in both configurations. By default, System Apps are deactivated for both the Managed Account and the Work Profile. The two screenshots below illustrate the difference between the two device owner enrollment variants. In the left screenshot, the device has been enrolled with system applications disabled, so only a minimum number of applications are active after the enrollment. With system applications enabled, more applications are available after the enrollment. The same applies to devices that are equipped with a Work Profile.

[Screenshots: Device Owner Enrollment with disabled System Apps option (left) and Device Owner Enrollment with enabled System Apps option (right)]

Create your desired state

In most cases you will want something in between the two, so you are probably wondering how to get there. On Samsung Knox devices, for example, an important application such as Samsung Gallery is not declared as a system application and is therefore not activated on the devices if the option to enable system applications is not enabled. Since this application is also not available from the Google Play Store, it is not possible to enable the application without enabling the Enable System Applications option. As a consequence, unwanted applications, such as Facebook or TikTok or other applications on the device, might be enabled for the user during the enrollment. To improve or avoid this situation, Silverback offers the option of minimizing or adjusting the list of activated applications, which we describe below.

If, for example, you want to have the Samsung Gallery application on the device, you can proceed with the following: 

  • Activate the Enable System Apps option in the Managed Account for Device Owner devices or in the Work Profile for personal devices

Then enroll one or more devices. You will see that the Gallery application is available on the device, but so are several other applications that you might not want to allow for your users. To disable all the unwanted applications, take the following action:

  • Disable all unwanted applications by following the guide Enforced Blacklist Whitelist for Android and Samsung Knox
  • As an alternative, you can disable applications with the Knox Service Plugin, which is especially the way to go for disabling applications in the Work Profile
    • To do so, assign a Tag with a Knox Service Plugin configuration that contains enabled Application management policies
      • Add the application(s) to the Application Blocklist by Pkg Name configuration to prevent users from installing applications
      • Add the application(s) to the Disable Application without user interaction configuration to disable already installed applications
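
One way to work out which package names belong in those blocklist and disable configurations, as an added example that is not part of the original guide or of Silverback: compare the enabled packages of a test device enrolled with Enable System Apps off against one enrolled with it on, and subtract the applications you want to keep. It assumes the two lists were captured with `adb shell pm list packages -e` on test devices where debugging is permitted; the function names, the sample captures and the Samsung Gallery package name used in KEEP are assumptions to verify against your own devices.

```python
# Added example: derive a blocklist from two enrollment states.

def parse_pm_list(text):
    """Parse `pm list packages` output ("package:<name>" per line) into a set."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:") and len(line) > len("package:"):
            names.add(line[len("package:"):])
    return names


def build_blocklist(enabled_off, enabled_on, keep):
    """Return (blocklist, missing_keep) as sorted lists.

    blocklist:    packages active only because Enable System Apps is on and
                  not listed in keep.
    missing_keep: wanted packages that are not active even with the option
                  on (wrong package name, or not preloaded on this model).
    """
    newly_enabled = enabled_on - enabled_off
    return sorted(newly_enabled - keep), sorted(keep - enabled_on)


# Constructed sample captures; replace with output from your own test devices.
SAMPLE_OFF = """\
package:com.android.settings
package:com.android.vending
package:com.google.android.gms
"""
SAMPLE_ON = SAMPLE_OFF + """\
package:com.sec.android.gallery3d
package:com.facebook.katana
package:com.zhiliaoapp.musically
"""
KEEP = {"com.sec.android.gallery3d"}  # assumed package name of Samsung Gallery

if __name__ == "__main__":
    blocklist, missing = build_blocklist(
        parse_pm_list(SAMPLE_OFF), parse_pm_list(SAMPLE_ON), KEEP)
    print("Add to blocklist / disable list:")
    for pkg in blocklist:
        print("  " + pkg)
    for pkg in missing:
        print("WARNING: wanted package not active: " + pkg)
```

Because preloaded applications differ between manufacturers and models, repeat the comparison for each device model you manage.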

How to Enable System Apps for already enrolled devices

If you already have devices under management that were enrolled with the Enable System Applications option disabled, you are probably faced with the challenge of how to enable system applications afterwards without having to re-enroll the devices, which would result in a factory reset for device owner devices. Re-enrolling would be less problematic for personal devices with a Work Profile, but it is not necessary in either scenario. To enable system apps for already enrolled devices, perform the following:

  • Ensure that the Enable System Apps option is enabled in the Managed Account or Work Profile configuration of the Tag that is assigned to the device(s)
  • Now open the Device Overview of a particular device
  • Scroll down to the Android Enterprise Information section
  • Press the Reset button

This action resets the Managed Account on the device and enables all System Apps. All existing installed Managed Play applications are uninstalled and reinstalled with the new Managed Account, and as part of this reset all System Apps are activated on the device. Please note that this method only works in one direction: system apps can be activated via this process on devices that were set up with the system apps setting deactivated. On devices that were set up with the system apps setting activated, system apps can only be deactivated via the Enforced Blacklist Whitelist for Android and Samsung Knox configuration or via the Knox Service Plugin.