Google has always controlled which devices ship with its proprietary GApps—a package that includes such necessities as the Play Store and Google Play Services. Until now, they've even been pretty lenient about allowing custom ROM users to flash the necessary payload on top of their modified OS. Unfortunately, some OEMs used that loophole to their advantage, ignoring Google's CTS certification process while shipping devices with GApps or shamelessly encouraging users to sideload them.

According to XDA Developers, that loophole has now been closed. Google Play Services will soon check the build date for a given system image, and if that date is after March 16th, it will be blocked from completing the sign-in process—though custom ROM users can manually register their devices for an exemption. 

We don't know if this will affect otherwise stock bootloader-unlocked devices since they also report as "uncertified" in the Play Store, but it will likely impact those who ROM. So far as we can tell right now, the block only applies during the sign-in process, so it is possible that existing/already setup devices may be grandfathered in. Furthermore, you will be able to register up to 100 Android IDs to your personal Google account for exemptions. (The page to register errors out when submitting an ID at the time of writing.)

Since you have to actually pull that ID manually to submit it, it does complicate an otherwise simple setup process, but at least it's an option. That ID is also new each time you factory reset, so unless Google changes things, you're limited to 100 wipes across every phone you might ROM in the future, just slightly less annoying than Play Music's ridiculous device authorization limit.

Looking up that Android Device ID isn't as simple as finding your serial number or IMEI, which will probably be a future point of annoyance for many. Additionally, most devices shipping with uncertified/sideloaded Play Store installations are probably cheaper phones, purchasers of which are less likely to have the time or resources required to pull the ID and fix the problem.

Image of the warning as reported by liam_davenport of the XDA Forums

It's not a stretch to think that less technically-minded people searching for workaround access to GApps might install whatever random apps claim to fix it, exposing themselves to malware in the process. Let's just hope that Play Protect continues to work on uncertified installations, or Google might be accidentally driving amateurs into the arms of malicious software.

There are already workarounds, though. Magisk is able to trick the Play Store's device certification, which has long been required to install Netflix. And if Play Services is merely checking against a build date, that could easily be spoofed by unscrupulous OEMs.

Device certification in Play Store -> Settings on a OnePlus One (left) and Nextbit Robin (center), both running Lineage OS. The discrepancy is due to Magisk. 

By drawing attention to the issue, customers purchasing uncertified devices or sideloading GApps at a manufacturer's urging might harass those OEMs into compliance. Given the full text of the warning, which even encourages consumers to reach out to manufacturers to "ask for a certified device," that's almost definitely Google's goal. It's just too bad that has to result in an increased inconvenience for ROM users—and, potentially, anyone with an unlocked bootloader.

2016 Pixel XL with an unlocked bootloader on the Android P DP1

The latter is a concern because bootloader-unlocked devices can have technically passed Google's CTS, but they may report as "uncertified" by the Play Store. That potentially puts everyone that has unlocked a bootloader to flash developer previews at risk. Without more information about the precise mechanism for detection, we don't know how all the various legitimate circumstances for Google's draconian device-reported noncompliance might be handled.

Some users have seen this warning appear previously, but there were workarounds like clearing Play Services app data. Even now, it doesn't seem that everyone is triggering this new warning, so it's tough to say exactly when this might go live (or if it already has). As noted before, although the new ID registration page is live, it doesn't actually work yet.

We've reached out to Google for comment, and we'll update this story if we hear more.