My school is currently closed and we have loaned out a batch of Lenovo Android tablets that I felt confident were sufficiently locked down to prevent the children installing their own apps on them.
I was, of course, proven wrong within a week. I have a small number of devices that have had games installed by the pupils. The first step will be the relevant staff following up with families, regarding signed agreements etc.
However, I am curious about what I have got wrong, so that I can learn from it. The devices were enrolled in Meraki using EMM. At first boot, in the email address box we entered something like 'eem@meraki' or similar. Then they have had the settings attached applied. During my testing, the end users couldn't download apps using the Play Store. I'm thinking that either:
* They have removed some of the settings / management profiles (I think less likely, as they are listed in Meraki as being installed).
* They have downloaded .apk files from a website
(Only settings I didn't screenshot was the wallpaper.)
Do the tablets by chance allow adding a personal account (I see modify account is enabled)? If you add a personal account, does that allow you to access the Play Store and install apps under that account?
ADB is disabled, so they should not be able to install a downloaded APK.