Supported editions for this feature: Business Plus; Enterprise Standard and Enterprise Plus.
Use App access protection to warn or block your users on unsafe mobile devices from accessing core Workspace apps like Drive or Gmail. Depending on device type (Android or iOS), you can control access from these types of unsafe devices:
- Devices with outdated OS (operating system).
  - iOS devices—any OS more than a year old is considered outdated.
  - Android devices—any device at or below Android 10.
- Devices with missing security updates (Android only). A device is considered unsafe if it hasn’t had a security patch applied within the last 3 years.
- Devices with potentially harmful apps (Android only).
- Compromised devices—for example, a rooted or jailbroken device.
Users who try to access Google apps on a risky device get a message that explains the device risk and how to eliminate it.
You can protect access to these Google core apps: Gmail, Drive, Calendar, Hangouts, Chat, Keep, and Tasks.
Admin privileges needed
Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:
- Data Security > Access level management
- Data Security > Rule management
Note that you must enable both Access level and Rule management permissions to have complete access for viewing and editing app access protection settings. We recommend you create a custom role that has both privileges.
Default settings
- For existing customers, app access protection is off by default. See Edit app access protection settings for instructions on turning protection on.
- For upgraded and new customers, app protection is on by default, with all settings in Warn mode.
Potential settings conflicts
Enterprise editions only
If you’re already using Context-Aware Access, actions assigned to access levels that use Device OS (iOS, Android) attributes may conflict with your app access protection settings.
As a general rule, if a setting to Warn users conflicts with a setting to Block users, the Block setting will be in effect. For example, if an Access level blocks users with outdated iOS when accessing Drive, and an App access protection setting warns these users, the block action will be enforced. However, users may still get a warning, due to the App access protection setting.
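The unsafe-device criteria listed at the top of this page, combined with the Block-over-Warn rule above, as an added example (not Google's code or API) that can be run over a device inventory before a setting is switched to Block. The record fields, risk keys and the per-risk access-level map are hypothetical; it assumes OS age is measured from the OS release date and that a year is 365 days.

```python
from datetime import date, timedelta

RANK = {"off": 0, "warn": 1, "block": 2}  # a stricter action has a higher rank

def device_risks(dev, today):
    """Return the unsafe-device categories from this page that apply to dev."""
    risks = set()
    if dev["platform"] == "ios":
        # iOS: an OS more than a year old is outdated (assumed: since release date).
        if today - dev["os_release_date"] > timedelta(days=365):
            risks.add("outdated_os")
    elif dev["platform"] == "android":
        if dev["os_major"] <= 10:  # at or below Android 10
            risks.add("outdated_os")
        # Android only: no security patch applied within the last 3 years.
        if today - dev["patch_date"] > timedelta(days=3 * 365):
            risks.add("missing_security_updates")
        if dev.get("harmful_apps"):  # Android only
            risks.add("harmful_apps")
    if dev.get("compromised"):  # rooted or jailbroken, either platform
        risks.add("compromised")
    return risks

def effective_action(dev, protection, access_level, today):
    """Strictest action across both policy sources; Block wins over Warn."""
    action = "off"
    for risk in device_risks(dev, today):
        for source in (protection, access_level):
            candidate = source.get(risk, "off")
            if RANK[candidate] > RANK[action]:
                action = candidate
    return action

# Constructed sample data, not real Admin console output.
TODAY = date(2024, 6, 1)
ALL_RISKS = ("outdated_os", "missing_security_updates", "harmful_apps", "compromised")
PROTECTION = {r: "warn" for r in ALL_RISKS}  # the default for new customers
ACCESS_LEVEL = {"outdated_os": "block"}      # hypothetical Context-Aware Access level
DEVICES = [
    {"id": "ios-old", "platform": "ios", "os_release_date": date(2022, 9, 12)},
    {"id": "android-stale", "platform": "android", "os_major": 13, "patch_date": date(2021, 1, 5)},
    {"id": "android-ok", "platform": "android", "os_major": 14, "patch_date": date(2024, 4, 5)},
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d["id"], sorted(device_risks(d, TODAY)),
              effective_action(d, PROTECTION, ACCESS_LEVEL, TODAY))
```

A device reported as "block" here can still see the warning message as well, as the conflict rule above notes.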
Edit app access protection settings
- Sign in to your Google Admin console.
  Sign in using your administrator account (does not end in @gmail.com).
- Do one of the following, depending on your Workspace edition:
  - (Business Plus) Go to Security > Overview > Context-Aware Access.
  - (Enterprise) Go to Security > Access and data control > Context-Aware Access.
- In the Security advisor section, click Go to security advisor for app access protection.
  The app access protection settings window shows available settings for Android and iOS devices:
  - Outdated OS (operating system)
  - Missing security updates
  - Potentially harmful apps
  - Compromised devices
- (Optional) Settings are shown for the top level of your organization. To see or edit settings for specific organizational units, click View another org unit.
  - If you change the settings for an organizational unit from the settings of its parent org unit, the settings page will show Parent settings overridden.
  - To reset the org unit back to the parent unit settings, click Inherit.
- To change a setting, click the dropdown menu at right and choose an option:
  - Warn users—users get a warning message, but can still access apps.
  - Block users—users get a message that app access is blocked.
    For either warn or block, the message explains why the user’s device is considered risky, with links that help them address the issue (for example, upgrading their OS version).
  - Off
- If you change a setting, you’re prompted with a message after the setting is updated.
View logs of access from unsafe devices
To get detailed information about app access from unsafe mobile devices in your organization, you can run a search of Device log events directly from Security advisor.
- Sign in to your Google Admin console.
  Sign in using your administrator account (does not end in @gmail.com).
- Do one of the following, depending on your Workspace edition:
  - (Business Plus) Go to Security > Overview > Context-Aware Access.
  - (Enterprise) Go to Security > Access and data control > Context-Aware Access.
- In the Security advisor section, click Go to security advisor for app access protection.
- Click View logs for access from unsafe mobile devices.
  This searches the Device log and returns a list of devices that meet the risk criteria: outdated OS, outdated security patch, harmful apps, or compromised device. The results include the device owner, model, and OS version.
Note: Device log information is available for the past 180 days.