Set mobile device policies

Google Apps Mobile Management: Org Settings

Editions Supported: Available only for Google Apps for Business, Education, and Government.

As an administrator, you can choose settings for mobile devices and optionally apply them to different groups of users. To access these settings:

  1. Sign in to the Google Admin console.
  2. Do one of the following:
Set mobile settings for organizational units

You can enforce the same mobile settings for your entire organization, or enforce specific mobile settings for different organizational units.

In the following example, different settings were applied to organizational units for Contractors and employees in Finance.

How to set the mobile settings

General settings

Setting | What it does

Android
Enable Android Sync for users | Allows Android users to sync to your domain (recommended). If you only select this setting and not "Enforce policies on Android devices", Android devices will sync without the need to install Google Apps Device Policy, and the settings below (like requiring a password or encryption) will not be enforced on your users' devices.
Enforce policies on Android devices | Enabling this setting will require your Android users using 2.2+ to install and configure Google Apps Device Policy. Send this sample email to your users before enabling this setting. If the device doesn't meet your mobile settings, only Android Notification, Google Play, and Google Talk will work. Learn more about Device Policy Administration.
Only enforce available policies on Android devices | Older Android devices that don't have all of the configured policies available for their version of the Android OS will only have the available policies enforced. For example, if you enable this setting and the encryption setting, then Android 3.0+ devices are required to have encrypted storage, while older devices will continue to sync with Google Apps without encrypted storage.

Google Sync
Enable Google Sync for users | Allows users using iOS, Windows Phones and other devices using Google Sync to sync to your domain (recommended). Note: If your user gets an error message saying "Invalid Password" when setting up Google Sync, they may have a weak password and are required to solve a CAPTCHA to sync their device with Google Apps. Learn more about Google Sync Known Issues.
Enforce policies on Google Sync devices | Enabling this setting will require that Google Sync devices meet your security policies before syncing with your domain. Learn more about Google Sync.

Under settings in the left column, locally applied means that the settings are not inherited from the parent organizational unit. Inherited means that the settings for that organizational unit are taken from the parent organizational unit.

Password settings

The following password settings are supported for Android users using the latest version of Device Policy, iOS, and Windows Phone devices.

Setting | Android support | iOS support | Windows Phone support
Require users to set passwords on their devices | Yes | Yes | Yes
Password strength (Note: Windows Phone 7 and 7.5 support 'Standard' but not 'Strong') | Yes | Yes | Yes
Minimum number of characters | Yes | Yes | Yes
Number of days before password expires | 3.0+ | Yes | Yes
Number of expired passwords that are blocked | 3.0+ | Yes | Yes
Automatically lock the device after: | Yes | Yes | Yes
Number of invalid passwords to allow before the device is wiped | Yes | Yes | Yes

Device settings

Check the following table to determine which settings work with your users' devices.

Setting | About this setting | Android support | iOS support | Windows Phone support
Encrypt data on device | Encryption setting varies by mobile operating systems. Read Device Encryption below before enabling this setting. | 3.0+ | Yes | No. See Encryption on Windows Phone below.
Allow automatic sync when roaming | Allowing the device to sync automatically when roaming can lead to increased data costs. When unselected, syncing must be done manually when roaming. | No | Yes | Windows Phones don’t support this setting, but it needs to be enabled if you want to enforce policies on Windows Phones.
Allow camera | Works for iOS and Android 4.0+ | 4.0+ | Yes | No, but "Allow Camera" needs to be enabled in order to enforce device policies on Windows Phones.

Advanced settings

Check the following table to determine which settings work with your users' devices. Android users must install the Google Apps Device Policy app for these settings to apply.

Setting | What it does | Android support | iOS support | Windows Phone support
Enable application auditing | Android users must install the Device Policy app to audit their apps in the Devices tab. Information is available for Android apps that access your user's Google Apps data. | Yes | No | No
Allow user to remote wipe device | Enabling this setting will allow your Android users with the Device Policy app installed to wipe their own device from their My Devices page. | Yes | No | No
Enable device activation | Enabling device activation will force the user to install the Device Policy app to sync with Google Apps. Devices needing approval will appear in the Activation tab. | Yes | Yes | Yes
Email address for sending device activation notifications: (optional) | Enter an email address to receive notification emails when users first sync devices. If you don't enter an address, you won't receive an email, but their device will still appear in the Activation tab if you've checked Enable device activation. | Yes | Yes | Yes

Google Play settings

Setting | What it does | Supported devices
Allow users to access Google Play Private Channel. | Allows users to access the Google Play channel that’s restricted to your organization. Learn more | Android devices only
Allow users to update Google Play Private Channel. | Allows users to create Android apps for internal use and publish them to your organization’s Google Play Private Channel. Learn more | Android devices only

Google Sync settings

Setting | What it does | Supported devices
Enable Google Now | This setting enables Google Now for your users on both Android and iOS devices. Currently, the setting is located under Android settings. Learn more about Google Now. | Android 4.1+ and iOS
Google Sync IP Whitelist | It's a list of IP addresses/masks from which your users can access Google Sync. This advanced setting (turned off by default) should only be enabled if your organization requires it. Read more below. | Google Sync devices only: iOS and Windows Phone.
Enforce Delete as Trash | By default, Google Sync handles deletes by removing messages from the Inbox and archives the mail. However, if your email retention policy requires email to be deleted, turning on this feature will put your user's mail into the trash. | Google Sync devices only: iOS and Windows Phone.

Learn more about Google Sync IP Whitelist

This feature is typically needed for organizations which need to use a Microsoft® Exchange ActiveSync® proxy to restrict how their users can access their work email, calendar, and contacts on mobile devices. These organizations may have special needs and requirements and need to route their ActiveSync connections through separate device management servers (proxy servers).

When you type in IP addresses in the text box, Google Sync will only allow your users to access ActiveSync through these IP addresses. If you would like to add more than one IP address, enter an IP range in CIDR notation or separate each IP address with a comma.
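
A pre-check for the value typed into the Google Sync IP Whitelist box, as an added example that is not part of the original page or Google's tooling: it parses the comma-separated IP/CIDR format described above, flags malformed entries and very broad ranges, and reports proxy addresses the list does not cover. The function names, the 256-address threshold and the sample addresses (documentation and private ranges) are assumptions.

```python
import ipaddress

def parse_whitelist(text):
    """Split a comma-separated whitelist into networks and rejected entries."""
    networks, invalid = [], []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing comma
        try:
            # strict=True rejects ranges with host bits set (e.g. 203.0.113.5/24),
            # which usually means a typo in the address or the prefix length.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            invalid.append(entry)
    return networks, invalid

def review_whitelist(text, proxy_ips, max_addresses=256):
    """Return findings to resolve before saving the whitelist."""
    networks, invalid = parse_whitelist(text)
    # A proxy outside every listed range would be refused by Google Sync.
    uncovered = [ip for ip in proxy_ips
                 if not any(ipaddress.ip_address(ip) in net for net in networks)]
    # Wide ranges admit far more hosts than the proxy servers themselves.
    too_broad = [str(net) for net in networks if net.num_addresses > max_addresses]
    return {"invalid": invalid, "uncovered_proxies": uncovered, "too_broad": too_broad}

# Constructed sample input, not taken from any real deployment.
SAMPLE_WHITELIST = "198.51.100.10, 203.0.113.0/28, 203.0.113.5/24, 10.0.0.0/8"
SAMPLE_PROXIES = ["198.51.100.10", "203.0.113.7", "192.0.2.44"]

if __name__ == "__main__":
    findings = review_whitelist(SAMPLE_WHITELIST, SAMPLE_PROXIES)
    for finding, values in findings.items():
        print(finding, values)
```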

Android settings

Setting | What it does | Android support | iOS support | Windows Phone support
Enable Google Now | This setting enables Google Now for iOS users who have the Google Search app on their iPhone or iPad, and for Android 4.1+ users. Learn more about Google Now. | 4.1+ | Yes | No
Enable Lock Screen Widgets | Enabling this setting will allow Lock Screen Widgets (such as email and calendar widgets) to appear on your users' locked Android 4.2+ devices. By default in the Admin console, Lock Screen Widgets are disabled. In order for this policy setting to be enforced, your Android 4.2+ users need to install Device Policy 4.13 or higher. | 4.2+ | No | No

Setting up encryption on your device

Encryption on Android

Android 3.0+ devices (Honeycomb and Ice Cream Sandwich) are currently the only Android devices that support device-based encryption. If you have a mixed mobile environment that includes pre-3.0 Android devices, we recommend that you do not enable both "Enforce policies on Android devices" and "Encrypt data on device".

If you enable both of these settings, users with Android 2.3, 2.2, and earlier devices won't be able to synchronize their Google Apps data.

Enable these settings only if you want just Android 3.0+ devices to synchronize Google Apps data. See encryption in Android 3.0 for more technical information on how encryption works in Android.

Encryption on iOS

"Encrypt data on device" sends a Microsoft® Exchange ActiveSync® policy to these devices. See the table below to determine if your users' devices will sync to Google Apps when this setting is enabled.

Device | Will my device sync when "Encrypt data on device" is selected?
iPhone 4S; iPhone 4; iPhone 3GS; iPad (all models); iPod touch (3rd generation and later) | Yes
iPhone 3G and earlier models; iPod touch (1st and 2nd generation) | These devices do not support encryption (details below).

For iPhone 3G and earlier models and iPod touch (1st and 2nd generation):
  • If "Enable Google Sync for users" is selected, these devices will sync with Google Apps with any version of iOS.
  • If, additionally, "Enforce policies on Google Sync devices" and "Encrypt data on device" are selected:
    • These devices running iOS 3.1 and later will not sync to Google Apps.
    • However, if these devices are running an iOS prior to 3.1, they may not enforce the encryption setting and still sync to Google Apps. See Apple's KB article for more information.
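
The Android and iOS rules above, applied to a device inventory before "Encrypt data on device" is switched on, as an added example that is not Google's code: it separates devices that will sync with encryption enforced, devices that keep syncing without it, and devices that stop syncing. The function names, inventory fields and sample devices are assumptions; treating a platform without its "Enforce policies" setting as syncing unenforced follows the General settings descriptions.

```python
# Outcomes when "Encrypt data on device" is selected (model of this page's rules).
ENFORCED, UNENFORCED, BLOCKED = "encrypted", "syncs-unenforced", "blocked"

def encryption_outcome(dev, enforce_android, only_available, enforce_google_sync):
    """Classify one device; dev has 'platform', 'os' and, for iOS, 'hw_encryption'."""
    version = tuple(int(part) for part in dev["os"].split("."))
    if dev["platform"] == "android":
        if not enforce_android:
            return UNENFORCED      # syncs without Device Policy, settings not applied
        if version >= (3, 0):
            return ENFORCED        # encrypted storage is required on 3.0+
        # Pre-3.0 has no device encryption: either exempted or locked out.
        return UNENFORCED if only_available else BLOCKED
    if dev["platform"] == "ios":
        if not enforce_google_sync:
            return UNENFORCED
        if dev["hw_encryption"]:   # iPhone 3GS+, iPad, iPod touch 3rd gen+
            return ENFORCED
        # Older hardware: iOS 3.1+ refuses to sync, earlier iOS may sync anyway.
        return BLOCKED if version >= (3, 1) else UNENFORCED
    raise ValueError("platform not modelled: %r" % dev["platform"])

def rollout_report(inventory, **policy):
    """Group users by outcome so policy gaps and lockouts are visible up front."""
    report = {ENFORCED: [], UNENFORCED: [], BLOCKED: []}
    for dev in inventory:
        report[encryption_outcome(dev, **policy)].append(dev["user"])
    return report

# Constructed sample inventory.
INVENTORY = [
    {"user": "alice", "platform": "android", "os": "4.0"},
    {"user": "bob", "platform": "android", "os": "2.3.6"},
    {"user": "carol", "platform": "ios", "os": "5.1", "hw_encryption": True},
    {"user": "dave", "platform": "ios", "os": "4.2.1", "hw_encryption": False},
    {"user": "erin", "platform": "ios", "os": "3.0", "hw_encryption": False},
]

if __name__ == "__main__":
    print(rollout_report(INVENTORY, enforce_android=True,
                         only_available=False, enforce_google_sync=True))
```

Devices reported as "syncs-unenforced" are the ones to review: they continue to hold Google Apps data although the encryption setting is selected.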

iOS Frequently Asked Questions

How do I find what version of iOS is running on my device?
On your iOS device, go to Settings > General > About > Version.

How do I identify if my user's iPod touch is 3rd generation or later?
See Apple's article on Identifying iPod models.

How do I make sure my users are running the latest version of iOS?
Have your users go to Apple's iOS software update site: http://www.apple.com/ios/

Encryption on Windows Phone

Device | Will my device sync when "Encrypt data on device" is selected?
Windows Mobile version 6.1 and 6.5 | Yes
Windows Phone version 7 and 7.5 | Yes, provided "Enforce policies on Google Sync devices" is NOT selected.