matthuisman · matthuisman · Jun 6, 2025 · Jul 4, 2025 · Aug 19, 2025
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
@@ -33,5 +33,10 @@ jobs:
       - name: Build APKs
         run: make tailscale-debug.apk
 
+      - uses: actions/upload-artifact@v4
+        with:
+          name: tailscale-debug.apk
+          path: tailscale-debug.apk
+
       - name: Run tests
         run: make test
diff --git a/android/src/main/java/com/tailscale/ipn/App.kt b/android/src/main/java/com/tailscale/ipn/App.kt
@@ -513,15 +513,19 @@ open class UninitializedApp : Application() {
     this.restartVPN()
   }
   fun disallowedPackageNames(): List<String> {
+    val userAllowed =
+        getUnencryptedPrefs().getStringSet(DISALLOWED_APPS_KEY, emptySet())?.toList() ?: emptyList()
+    return userAllowed
+  }
+
+  fun actualDisallowedPackageNames(): List<String> {
     val mdmDisallowed =
         MDMSettings.excludedPackages.flow.value.value?.split(",")?.map { it.trim() } ?: emptyList()
     if (mdmDisallowed.isNotEmpty()) {
       TSLog.d(TAG, "Excluded application packages were set via MDM: $mdmDisallowed")
       return builtInDisallowedPackageNames + mdmDisallowed
     }
-    val userDisallowed =
-        getUnencryptedPrefs().getStringSet(DISALLOWED_APPS_KEY, emptySet())?.toList() ?: emptyList()
-    return builtInDisallowedPackageNames + userDisallowed
+    return builtInDisallowedPackageNames
   }
 
   fun getAppScopedViewModel(): AppViewModel {

diff --git a/android/src/main/java/com/tailscale/ipn/IPNService.kt b/android/src/main/java/com/tailscale/ipn/IPNService.kt
@@ -161,8 +161,11 @@ open class IPNService : VpnService(), libtailscale.IPNService {
     b.setUnderlyingNetworks(null) // Use all available networks.
 
     val includedPackages: List<String> =
-        MDMSettings.includedPackages.flow.value.value?.split(",")?.map { it.trim() } ?: emptyList()
+      (MDMSettings.includedPackages.flow.value.value?.split(",")?.map { it.trim() } ?: emptyList()) +
+      UninitializedApp.get().disallowedPackageNames()
+
     if (includedPackages.isNotEmpty()) {
+      b.addAllowedApplication("com.tailscale.ipn")
       // If an admin defined a list of packages that are exclusively allowed to be used via
       // Tailscale,
       // then only allow those apps.
@@ -174,7 +177,7 @@ open class IPNService : VpnService(), libtailscale.IPNService {
       // Otherwise, prevent certain apps from getting their traffic + DNS routed via Tailscale:
       // - any app that the user manually disallowed in the GUI
       // - any app that we disallowed via hard-coding
-      for (disallowedPackageName in UninitializedApp.get().disallowedPackageNames()) {
+      for (disallowedPackageName in UninitializedApp.get().actualDisallowedPackageNames()) {
         TSLog.d(TAG, "Disallowing app: $disallowedPackageName")
         disallowApp(b, disallowedPackageName)
       }

diff --git a/android/src/main/res/values/strings.xml b/android/src/main/res/values/strings.xml
@@ -308,9 +308,9 @@
     <string name="an_unknown_error_occurred_please_try_again">An unknown error occurred. Please try again.</string>
     <string name="request_timed_out_make_sure_that_is_online">Request timed out. Make sure that \'%1$s\' is online.</string>
     <string name="split_tunneling">App split tunneling</string>
-    <string name="exclude_certain_apps_from_using_tailscale">Exclude certain apps from using Tailscale</string>
-    <string name="selected_apps_will_access_the_internet_directly_without_using_tailscale">Apps selected here will access the Internet directly, without using Tailscale.</string>
-    <string name="count_excluded_apps">Excluded apps (%1$s)</string>
+    <string name="exclude_certain_apps_from_using_tailscale">Include certain apps to use Tailscale</string>
+    <string name="selected_apps_will_access_the_internet_directly_without_using_tailscale">Apps selected here will use Tailscale.</string>
+    <string name="count_excluded_apps">Included apps (%1$s)</string>
     <string name="certain_apps_are_not_routed_via_tailscale">Certain apps are not routed via Tailscale on this device. This setting is managed by your organization and cannot be changed by you. For more information, contact your network administrator.</string>
     <string name="only_specific_apps_are_routed_via_tailscale">Only specific apps are routed via Tailscale on this device. This setting is managed by your organization and cannot be changed by you. For more information, contact your network administrator.</string>
     <string name="specifies_a_list_of_apps_that_will_be_excluded_from_tailscale_routes_and_dns_even_when_tailscale_is_running_all_other_apps_will_use_tailscale">Specifies a list of apps that will be excluded from Tailscale routes and DNS even when Tailscale is running. All other apps will use Tailscale.</string>