Apply advanced settings

If you have the legacy free edition of G Suite, upgrade to G Suite Basic to get this feature. 

As an administrator, you can enforce advanced policies for security, including encryption. You can also control how users synchronize corporate data and whether or not they can access other Google services on their mobile devices.

Before you begin

To use these settings, you need to Set up advanced mobile management. For details, see Set up advanced mobile device management. To enforce the settings, Android users must download the Google Apps Device Policy app on their device. Apple® iOS® users must download a device policy profile.

Find the settings

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Devices.
  3. On the left, click Settingsand thenAdvanced Settings
  4. Select a category.
  5. (Optional) On the left, select the organization to which you want to apply the settings.
  6. Find the setting you want to change. For details about each setting, see Learn about the settings.
  7. After you make a change, click Save.

Settings typically take effect in minutes. But they might take up to 24 hours to apply for everyone.

Learn about the settings

Open all   |   Close all


Compromised devices

Blocks an Android or iOS device from accessing corporate data when there are indications that the device is compromised or jailbroken.

  • Check the Block compromised Android devices box to block an Android device if there are indications that it might be compromised. For example, a device is compromised if it's rooted—a process that removes restrictions on the device.
  • Check the Block jailbroken iOS devices box to block an iOS device if there are indications that it's jailbroken—a process that removes restrictions on the device. When you check this box, iOS users are prompted to install the Google Device Policy app if it’s not already installed on the device. (Supported on iOS Sync for G Suite devices only.)
CTS Compliance

Blocks Android devices that are not compliant with the Compatibility Test Suite (CTS). For details, see Compatibility Test Suite.


Supported for Android 3.0 Honeycomb and later devices using Android Sync as well as iOS devices using iOS Sync for G Suite or Google Sync. For other devices and third-party applications, contact the device manufacturer or app developer.

Encrypts data so that it can only be read when a device is unlocked. Encryption adds protection if a device is lost or stolen. Unlocking the device decrypts the data. For more information about data encryption, see Encrypt your data.


Allows users to use the camera on their device. This setting is supported on iOS, Android 4.0 Ice Cream Sandwich and later, and Microsoft® Windows Phone® devices. 

Google Sync (G Suite only)

IP Whitelist

Allows users to only access G Suite mail, calendars, and contacts on mobile devices through the IP addresses that you list.

In the Google Sync IP Whitelist box, add the IP addresses (masks) where users can access their G Suite mail, calendars, and contacts. To add more than one IP address, enter an IP range in CIDR notation. Or, separate each IP address with a comma.

This setting is off by default. Only turn it on if your organization needs it. This setting is typically needed for organizations that need to use a Microsoft® Exchange ActiveSync® proxy to restrict how users access work data on mobile devices. These organizations might need to route their ActiveSync connections through separate device management servers (proxy servers).

Send deleted email messages to Trash

Automatically sends users' deleted emails to the trash. Use this setting if your email retention policy requires email to be deleted. When the box is unchecked, deleted messages are archived instead.

Sync while roaming

Allows Android and iOS devices to automatically synchronize when roaming. Syncing automatically can lead to increased data costs. 

When you uncheck the Turn on automatic sync when roaming box, users can still manually sync their devices when roaming.

Other Google services

Google Play private apps

Allows Android users to access and publish private apps in Google Play.

  • To allow users to access private apps you distribute, check the Allow users to access Google Play private apps box. 
  • To allow users to create and update Android apps for internal use and distribute them to users in your domain, check the Allow users to publish and update Google Play private apps box.

For more information about private apps, see Manage Google Play private apps.

Google Now

Supported for Apple iOS and Android 4.1 Jelly Bean and later devices.

Controls whether users can use Google Assistant with their corporate account on their device. Learn more about Google Assistant

Google Glass

Allows users to sync Google Glass with their G Suite account. You can set up one account per device.

To factory reset all the Google Glass units in the organization you selected, uncheck the Allow Google Glass box. Don't uncheck the box until you confirm that no one in the organization you select is using Google Glass. Doing so can erase all of their data, such as photos and videos, from their Google Glass device.

The Google Apps Device Policy app isn’t available for Google Glass. If a user loses their device, they can remotely wipe it on the Google Glass website.

Related topics

Was this helpful?
How can we improve it?