Troubleshoot mobile app management

If you use Google endpoint management to manage mobile apps on your users’ devices, you might have users who can’t install or sign-in to an app, or be confused about what management options are available to you. This page provides some steps to fix your issue. 

Expand all  |  Collapse all

User can’t install an app

Expand section  |  Collapse all & go to top

The user didn't set up their device for advanced mobile management

When you turn on advanced mobile management, if a user hasn't set up Android Device Policy on their Android device, or installed Google Device Policy app on the iOS device, they may not be able to find and install work apps.

Android: If an Android user can't access managed Google Play "", have them follow the troubleshooting instructions in About Android Device Policy.

iOS: If an iPhone or iPad user can't download apps through Google Device Policy app or doesn't have Google Device Policy app installed, have them follow the instructions in Use the iOS Google Device Policy app.

The app isn't available for the user's organizational unit or group

When you add a third-party app, private Android app (in the Admin console), private Android web apps, or private iOS app, you might set which organizational units and groups have access. If a user isn't in an organizational unit or group with access, they can't install the app.

To check if the app is available for the user, first make a note of the app's availability:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenWeb and mobile apps.

  3. In the list of apps, point to the app and click Access details.
  4. Make a note of which organizational units and groups the app is turned on or off for.

Now check the user's organizational units and groups:

  1. At the left, click Directoryand thenUsers.
  2. Locate the user in the list and click their name.
  3. Under their name, review the organizational units the user is in.
  4. In the Groups panel, review the groups the user owns, manages, or is a member of. You might need to click Groups to see the entire list.

If the app is turned off for the user's organizational unit or group, you have different options, depending on your organization's user management strategy:

App installation is blocked by admin settings

If you use advanced mobile management, Google endpoint management gives you many ways to block access to an app. The following steps show you how to check the settings that might block app installation.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Mobile & endpointsand thenSettings.
  4. To troubleshoot Android apps, click Android settingsand thenApps and data sharing and review the following settings for the user's organizational unit:
    1. Available apps–When set to Only allowed apps, the app must be in the managed apps list for the user to install it. If the app isn't in the list, you can add the app to the list.
    2. System apps–When set to Block all or Block all except specified system apps, some system apps might be blocked on company-owned devices. If the app is a system app, you can add the app to the exceptions list.
    3. Unknown sources–When checked, users can't install apps from sources other than the Google Play Store. We recommend that you keep the box checked to prevent users from installing malicious apps.
  5. To troubleshoot iOS apps on supervised, company-owned devices, click iOS settingsand thenApps and services and review the following settings for the user's organizational unit:
    1. App installation–When unchecked, users can only install managed apps (apps added to your devices list) through the Google Device Policy app. If the app isn't in the list, you can add the app to the list.
The user's license or device doesn't support advanced mobile management

To install private iOS apps or private Android web apps, a user must have a Google Workspace license and device that supports advanced mobile management. For details, see the Device requirements for Google endpoint management.

The app isn't available in the user's country/region

Some apps are restricted geographically. Ask the app developer if any restrictions are in place.

User can’t sign in or open an app

Expand section  |  Collapse all & go to top

App use isn't allowed by iOS settings (supervised devices only)

On supervised, company-owned iPhones and iPads, you have the option to turn off access to many iOS apps.

To determine if a specific app is blocked by admin settings:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Mobile & endpointsand thenSettingsand theniOS settings.
  4. Review the features and apps listed in the following sections:
    1. Safari–If Allow Safari is unchecked, users can't use Safari.
    2. Device features–Options in this section control iOS features such as account settings, ScreenTime, and Wallpaper.
    3. Apps and services–Options in this section control iOS features such as Find My Device, Find My Friends, and Notifications.
    4. Apple apps–Options in this section control iOS apps such as FaceTime, iTunes, Apple News, and more.

For details, see the iOS settings reference.

The app is blocked by a Context-Aware Access (CAA) policy

If your organization set up CAA policies on web or mobile apps, the user's device may not meet the criteria required for access.

To determine why access to an app was denied, review the CAA audit log. For instructions, see Context-Aware Access audit log.

The app is blocked by App Access Control settings

Even when you add an app to your managed devices list, the app can still be blocked by App Access Control. To check the status of an app:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. On the Admin console Home page, go to Securityand thenAPI controls.
  3. Under App access control, click Manage Third-party App Access.
  4. In the Accessed apps card at top right, click View list.
  5. Find the app in the list. If App access is set to Blocked, the user might not be able to use the app as expected.

User can’t uninstall an app

The app isn't allowed to be uninstalled

If a user can't uninstall an Android app, this might be because you force-install the app and don't allow it to be removed. Or, for company-owned devices, this might be because you prevent users from uninstalling any iOS or Android apps.

To check if an Android app was force installed and not allowed to be removed:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenWeb and mobile apps.

  3. In the list of apps, click the app and then Settings.
  4. If you control app settings by organizational unit or group, select the group or organizational unit the user is a member of.
  5. Review the value of Access method. If it's set to Force install, check if Prevent users from uninstalling the app is turned off.
  6. If it's turned off and you want to let users in that organizational unit or group uninstall the app, change the value to On and click Save.

To check if your admin settings block app removal on company-owned devices:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Mobile & endpointsand thenSettings.
  4. For company-owned Android devices:
    1. Click Android settingsand thenApps and data sharingand thenApps settings. If it's turned off (unchecked) for the user's organizational unit, they can't uninstall or disable apps.
  5. For company-owned iPhones and iPads:
    1. Click iOS settingsand thenApps and servicesand thenApp removal. If it's turned off (unchecked) for the user's organizational unit, they can't uninstall apps.
    2. On the same page, click System app removal. If it's turned off (unchecked) for the user's organizational unit, then they can't uninstall system apps.

Admin can't use certain app management features

The options you have to manage apps on a device depend on the user's Google Workspace edition and whether they have basic or advanced mobile management turned on.

Feature Requirements
Manage third-party Android apps and private Android apps
  • Supported editions for this feature: Any Google Workspace or Cloud Identity edition
  • Basic or advanced mobile management
Manage private Android web apps

Both of the following conditions:

  • Supported editions for this feature: Frontline; Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; G Suite Basic and G Suite Business; Cloud Identity Premium.  Compare your edition
  • Advanced mobile management only
Manage private iOS apps

Both of the following conditions:

  • Supported editions for this feature: Enterprise; Education Standard and Education Plus; Cloud Identity Premium. Compare your edition
  • Advanced mobile management only
Set app access by child organizational unit or group

Both of the following conditions:

  • Supported editions for this feature: Frontline; Business Plus; Enterprise; Education Standard and Education Plus; G Suite Basic and G Suite Business; Cloud Identity Premium.  Compare your edition
  • Advanced mobile management only
Force install Android apps

Either of the following condition sets:

  • Basic mobile management with Business Plus, Enterprise, G Suite Business, or Cloud Identity Premium

or

  • Advanced mobile management with Supported editions for this feature: Frontline; Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; G Suite Basic and G Suite Business; Cloud Identity Premium.  Compare your edition
Managed configurations for Android apps

Both of the following conditions:

  • Supported editions for this feature: Frontline; Business Plus; Enterprise; Education Standard and Education Plus; G Suite Basic and G Suite Business; Cloud Identity Premium.  Compare your edition
  • Advanced mobile management only
Set Android app runtime permissions

Both of the following conditions:

  • Supported editions for this feature: Frontline; Business Plus; Enterprise; Education Standard and Education Plus; G Suite Basic and G Suite Business; Cloud Identity Premium.  Compare your edition
  • Advanced mobile management only
Block installation of unmanaged Android apps

Both of the following conditions:

  • Supported editions for this feature: Frontline; Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; G Suite Basic and G Suite Business; Cloud Identity Premium.  Compare your edition
  • Advanced mobile management only
Block installation of unmanaged iOS apps

All of the following conditions:

  • Supervised, company-owned iPhone or iPad
  • Supported editions for this feature: Frontline; Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; G Suite Basic and G Suite Business; Cloud Identity Premium.  Compare your edition
  • Advanced mobile management only


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
73010
false