Supported editions for this feature: Frontline; Business Plus; Enterprise; Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus; G Suite Basic and Business; Cloud Identity Premium.
As an administrator, you can set the type of mobile management and password requirements for mobile devices in your organization. You can also enforce security policies, such as data access methods, encryption, device approval, and strong passwords.
Find the settings
Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.
- From the Admin console Home page, go to Devices.
- On the left, click Mobile & endpoints > Settings > Universal settings.
- Click a settings category and setting. Learn about the settings in the following section.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Turn on or off the setting.
- Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
Changes typically take effect in minutes, but can take up to 24 hours. For details, go to How changes propagate to Google services.
Mobile management
Set the mobile management type for devices in your organization. You can set different management types for specific device platforms and for specific organizational units.
Basic mobile management is on by default.
Supported for mobile devices only
Require passwords on managed mobile devices.
For details, see Set password requirements for managed mobile devices.
Turn endpoint verification on or off. When the Monitor which devices access organization data box is checked, you can get details about those devices, such as the operating system and user. Endpoint verification is also required to use context-aware access rules.
If you turn off endpoint verification but have context-aware access rules, users might not be able to access their managed account on their device.
Learn more about endpoint verification
Allows users' work or school data to sync to managed Android devices.
To block access to work or school data on Android devices, uncheck the Allow work data to sync on Android devices box. Users won't be able to use their work or school data in Google apps such as Gmail, Calendar, or Drive. Users can still access their work or school data through web apps in a browser on their device.
Allows users' work or school data to sync to managed iPhones and iPads.
To block access to work or school data on iPhones and iPads, uncheck the Allow work data to sync on iOS devices box. Users won't be able to use their work or school data in Google apps such as Gmail, Calendar, or Drive. Users can still access their work or school data in the following ways:
- Through web apps in a browser on their device
- If you enable IMAP, through third-party apps such as built-in Apple iOS apps or Microsoft Outlook
- If you turn on Google Sync (next setting), through built-in Apple iOS apps
Supported for iPhones and iPads, Windows Phone, Windows Mobile, and BlackBerry 10 devices
Allows users to synchronize their work or school mail, contacts, and calendars to their mobile devices with Microsoft Exchange ActiveSync.
Note: Google Sync doesn’t support OAuth authentication, 2-factor authentication, or security keys. To better secure your organization's data, we recommend that you transition your organization off Google Sync.
When you turn on Google Sync, you can also set the following:
- Restrict the IP addresses where users can access Google Sync.
Allows users to only access Google Workspace mail, calendars, and contacts on mobile devices through the IP addresses that you list.
In the Google Sync IP Whitelist box, add the IP addresses (masks) where users can access their Google Workspace mail, calendars, and contacts. To add more than one IP address, enter an IP range in CIDR notation. Or, separate each IP address with a comma.
This setting is off by default. Only turn it on if your organization needs it. This setting is typically needed for organizations that need to use a Microsoft Exchange ActiveSync proxy to restrict how users access work data on mobile devices. These organizations might need to route their ActiveSync connections through separate device management servers (proxy servers).
- Automatically enable Delete Email as Trash on Google Sync devices. When this setting is turned off on devices, Gmail archives the email instead of deleting it.
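Before pasting a value into the Google Sync IP Whitelist box described above, it helps to check what the list actually permits. The following is an added example, not Google's code: it assumes the field is a comma-separated list of single addresses and CIDR ranges, and the addresses, the proxy list and the `MAX_HOSTS` threshold are constructed placeholders.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the page.
ALLOWLIST_FIELD = ("203.0.113.10, 198.51.100.0/28,198.51.100.8/29, "
                   "192.0.2.77/24, 10.0.0.300")
PROXY_EGRESS = ["203.0.113.10", "198.51.100.12", "198.51.100.20"]
MAX_HOSTS = 256  # hypothetical local policy: flag ranges wider than a /24


def parse_allowlist(field):
    """Split the comma-separated field into networks and collect findings."""
    networks, findings = [], []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"invalid entry: {entry}")
            continue
        # An entry such as 192.0.2.77/24 silently widens to the whole /24.
        if ipaddress.ip_interface(entry).ip != net.network_address:
            findings.append(f"host bits set: {entry} covers {net}")
        if net.num_addresses > MAX_HOSTS:
            findings.append(f"overly broad: {net}")
        networks.append(net)
    return networks, findings


def audit(field, proxies):
    """Return (effective ranges, findings, proxy addresses not covered)."""
    networks, findings = parse_allowlist(field)
    collapsed = []
    for version in (4, 6):  # collapse_addresses needs a single IP version
        same = [n for n in networks if n.version == version]
        collapsed += list(ipaddress.collapse_addresses(same))
    uncovered = [p for p in proxies
                 if not any(ipaddress.ip_address(p) in n for n in collapsed)]
    return [str(n) for n in collapsed], findings, uncovered


if __name__ == "__main__":
    ranges, findings, uncovered = audit(ALLOWLIST_FIELD, PROXY_EGRESS)
    print("effective ranges:", ranges)
    for finding in findings:
        print("finding:", finding)
    print("proxies not covered:", uncovered or "none")
```

An uncovered proxy address means ActiveSync traffic routed through it would be rejected once the restriction is on; a "host bits set" finding means the entry permits more addresses than the single host it appears to name.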
Allow Android and iOS devices to automatically synchronize when roaming. Syncing automatically can increase data costs.
When you uncheck the Turn on automatic sync when roaming box, users can still manually sync their devices when roaming.
Supported for iPhones, iPads, and Android 4.1 Jelly Bean and later devices.
Allows users to use Google Assistant with their managed account on their device. Learn more about Google Assistant.
Note: Admins for Google Workspace for Education organizations must get parental consent for users under the age of 18 to enable Voice Match and Face Match. For more details, go to Manage Face Match and Voice Match.
To apply these settings to mobile devices, set up advanced mobile management.
Device approvals
Supported for mobile devices under advanced mobile management, Google Sync devices, and endpoints under endpoint verification
Require an admin to approve a device before a user can access their work or school data.
For details, see Require admin approval for device access.
Supported for iPhones and iPads, Android 4.0 Ice Cream Sandwich and later devices, and Microsoft Windows Phone
Allows users to use the camera on their device.
To block all camera use, uncheck the Allow camera box. However, for Android devices with work profiles, users can still use the camera with personal apps.
Supported for Android 3.0 Honeycomb and later devices using Android Sync, and iOS devices using iOS Sync or Google Sync. For other devices and third-party apps, contact the device manufacturer or app developer.
Requires data encryption on devices so that the data can only be read when a device is unlocked. Encryption adds protection if a device is lost or stolen. Unlocking the device decrypts the data.
Supported for company-owned Android devices
When checked, sends a monthly report of company-owned Android devices that haven’t synchronized any work data in the last 30 days. Reports are automatically sent to all super administrators in your organization. To send reports to others, enter their emails in the text box.
For details, see Get a report of inactive company owned devices.
Supported for Android devices and iPhones and iPads that sync data with iOS Sync
Blocks an Android or iOS device from syncing work or school data when there are indications that the device is compromised or jailbroken.
- Check the Block compromised Android devices box to block an Android device if there are indications that it might be compromised. For example, a device is compromised if it's rooted—a process that removes restrictions on the device.
- Check the Block jailbroken iOS devices box to block an iOS device if there are indications that it's jailbroken—a process that removes restrictions on the device. When you check this box, iOS users are prompted to install the Google Device Policy app if it’s not already installed on the device.
- Set password requirements for managed mobile devices
- Apply settings for Android devices
- Apply settings for iOS devices