If you use Google endpoint management to manage mobile apps on your users’ devices, you might have users who can’t install or sign-in to an app, or be confused about what management options are available to you. This page provides some steps to fix your issue.
User can’t install an app
Expand section | Collapse all & go to top
The user didn't set up their device for advanced mobile managementWhen you turn on advanced mobile management, if a user hasn't set up Android Device Policy on their Android device, or installed Google Device Policy app on the iOS device, they may not be able to find and install work apps.
Android: If an Android user can't access managed Google Play , have them follow the troubleshooting instructions in About Android Device Policy.
iOS: If an iPhone or iPad user can't download apps through Google Device Policy app or doesn't have Google Device Policy app installed, have them follow the instructions in Use the iOS Google Device Policy app.
When you add a third-party app, private Android app (in the Admin console), private Android web apps, or private iOS app, you might set which organizational units and groups have access. If a user isn't in an organizational unit or group with access, they can't install the app.
To check if the app is available for the user, first make a note of the app's availability:
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- In the list of apps, point to the app and click Access details.
- Make a note of which organizational units and groups the app is turned on or off for.
Now check the user's organizational units and groups:
- At the left, click DirectoryUsers.
- Locate the user in the list and click their name.
- Under their name, review the organizational units the user is in.
- In the Groups panel, review the groups the user owns, manages, or is a member of. You might need to click Groups to see the entire list.
If the app is turned off for the user's organizational unit or group, you have different options, depending on your organization's user management strategy:
- Move the user to an organizational unit the app is turned on for.
- Add the user to a group the app is turned on for.
- Turn on access for an organizational unit or group, or change the priority of groups so the app is turned on for the user's group.
If you use advanced mobile management, Google endpoint management gives you many ways to block access to an app. The following steps show you how to check the settings that might block app installation.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
From the Admin console Home page, go to Devices.
- Click Mobile & endpointsSettings.
- To troubleshoot Android apps, click Android settingsApps and data sharing and review the following settings for the user's organizational unit:
- Available apps–When set to Only allowed apps, the app must be in the managed apps list for the user to install it. If the app isn't in the list, you can add the app to the list.
- System apps–When set to Block all or Block all except specified system apps, some system apps might be blocked on company-owned devices. If the app is a system app, you can add the app to the exceptions list.
- Unknown sources–When checked, users can't install apps from sources other than the Google Play Store. We recommend that you keep the box checked to prevent users from installing malicious apps.
- To troubleshoot iOS apps on supervised, company-owned devices, click iOS settingsApps and services and review the following settings for the user's organizational unit:
- App installation–When unchecked, users can only install managed apps (apps added to your devices list) through the Google Device Policy app. If the app isn't in the list, you can add the app to the list.
To install private iOS apps or private Android web apps, a user must have a Google Workspace license and device that supports advanced mobile management. For details, see the Device requirements for Google endpoint management.
Some apps are restricted geographically. Ask the app developer if any restrictions are in place.
User can’t sign in or open an app
Expand section | Collapse all & go to top
App use isn't allowed by iOS settings (supervised devices only)On supervised, company-owned iPhones and iPads, you have the option to turn off access to many iOS apps.
To determine if a specific app is blocked by admin settings:
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesMobile & endpointsSettingsiOS.
-
Review the features and apps listed in the following sections:
-
Safari–If Allow Safari is unchecked, users can't use Safari.
-
Device features–Options in this section control iOS features such as account settings, ScreenTime, and Wallpaper.
-
Apps and services–Options in this section control iOS features such as Find My Device, Find My Friends, and Notifications.
- Apple apps–Options in this section control iOS apps such as FaceTime, iTunes, Apple News, and more.
-
For details, see the iOS settings reference.
If your organization set up CAA policies on web or mobile apps, the user's device may not meet the criteria required for access.
To determine why access to an app was denied, review the CAA audit log. For instructions, see Context-Aware Access log events.
Even when you add an app to your managed devices list, the app can still be blocked by App Access Control. To check the status of an app:
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
-
In the Admin console, go to Menu SecurityAccess and data controlAPI controlsManage Third-Party App Access.
You must be signed in as a super administrator for this task. - In the Accessed apps card at top right, click View list.
- Find the app in the list. If App access is set to Blocked, the user might not be able to use the app as expected.
User can’t uninstall an app
The app isn't allowed to be uninstalledIf a user can't uninstall an Android app, this might be because you force-install the app and don't allow it to be removed. Or, for company-owned devices, this might be because you prevent users from uninstalling any iOS or Android apps.
To check if an Android app was force installed and not allowed to be removed:
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- In the list of apps, click the app and then Settings.
- If you control app settings by organizational unit or group, select the group or organizational unit the user is a member of.
- Review the value of Access method. If it's set to Force install, check if Prevent users from uninstalling the app is turned off.
- If it's turned off and you want to let users in that organizational unit or group uninstall the app, change the value to On and click Save.
To check if your admin settings block app removal on company-owned devices:
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
From the Admin console Home page, go to Devices.
- Click Mobile & endpointsSettings.
- For company-owned Android devices:
- Click Android settingsApps and data sharingApps settings. If it's turned off (unchecked) for the user's organizational unit, they can't uninstall or disable apps.
- For company-owned iPhones and iPads:
- Click iOS settingsApps and servicesApp removal. If it's turned off (unchecked) for the user's organizational unit, they can't uninstall apps.
- On the same page, click System app removal. If it's turned off (unchecked) for the user's organizational unit, then they can't uninstall system apps.
Admin can't use certain app management features
The options you have to manage apps on a device depend on the user's Google Workspace edition and whether they have basic or advanced mobile management turned on.
Feature | Requirements |
---|---|
Manage third-party Android apps and private Android apps |
|
Manage private Android web apps |
Both of the following conditions:
|
Manage private iOS apps |
Both of the following conditions:
|
Set app access by child organizational unit or group |
Both of the following conditions:
|
Force install Android apps |
Either of the following condition sets:
or
|
Managed configurations for Android apps |
Both of the following conditions:
|
Set Android app runtime permissions |
Both of the following conditions:
|
Block installation of unmanaged Android apps |
Both of the following conditions:
|
Block installation of unmanaged iOS apps |
All of the following conditions:
|
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.