Apply advanced security, encryption, sync, and services settings
This feature is available in any G Suite edition.
As an administrator, you can enforce advanced policies for security (including encryption). You can also control how users synchronize G Suite services and whether or not they can access other Google services on their mobile devices. To use the settings, you need to choose advanced management when you set up mobile device management.
Find the settings
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
From the Admin console dashboard, go to Device management.
To see Device management, you might have to click More controls at the bottom.
- Click Advanced Settings.
- Click a category and go to Apply the settings to make any changes:
- Google Sync
- Other Google Services
- After you make a change, click Save.
Apply the settingsApply Security settings
You can enhance security for managed mobile devices.
- Block compromised devices
Check this box to block a device when there are indications that the device has been compromised: for example, the presence of an unlocked boot loader, the use of a custom read-only memory (ROM), or the presence of a 'SU (Superuser) binary' on the device. This setting is supported only on Android devices.
- Require device encryption
Check this box to encrypt data on mobile devices whose Android operating systems accept encryption. This setting is supported only on Android 3.0+ devices. You can read more about encrypting your data.
- Allow camera
Check this box to enable camera use on iOS and Android 4.0+ devices. Also select this setting to enforce device policies on Windows Phone.
You can control Google Sync behavior on users' devices.
- Google Sync IP Whitelist
Check this box to list the IP addresses/masks from which your users can access Google Sync. You should only enable this advanced setting (turned off by default) if your organization requires it.
This feature is typically needed for organizations that need to use a Microsoft® Exchange ActiveSync® proxy to restrict how their users can access their work email, calendar, and contacts on mobile devices. These organizations may have special needs and requirements and need to route their ActiveSync connections through separate device management servers (proxy servers).
When you type IP addresses in the text box, Google Sync will allow your users to access ActiveSync only through these IP addresses. If you would like to add more than one IP address, enter an IP range in CIDR notation or separate each IP address with a comma.
- Automatically enable "Delete Email as Trash" setting on Google Sync devices
Check this box to automatically send your users' deleted mail to the trash (if your email retention policy requires email to be deleted). Uncheck this box to have Google Sync remove deleted messages from the Inbox and archive the mail (this is the default).
Turn on automatic sync when roaming
Check this box to allow the device to sync automatically when roaming. Note that this can lead to increased data costs. Uncheck this box to require users to manually sync their devices when roaming. Windows phones don't support this setting, but you need to enable it if you want to enforce policies.
You can give users permission to access and use Google services.
- Allow users to access Google Play Private Channel
Check this box to allow users to access private apps you distribute to users in your domain. This setting is supported only on Android devices. Learn more
- Allow users to update Google Play Private Channel
Check this box to allow users to create Android apps for internal use and distribute them to users in your domain. This setting is supported only on Android devices. Learn more
Allow Google Now for iOS and Android
Check this box to enable Google Now for iOS users with the Google Search app on their Apple® iPhone® or iPad®, and for Android 4.1 Jelly Bean and later users. If you leave this box unchecked, Google Now doesn't work for the G Suite managed account. This restriction doesn't affect the user’s Gmail account. This setting isn't supported on Microsoft® Windows Phone®. Learn more about Google Now
- Allow Google Glass
Check this box to allow users to sync their Google Glass with your domain. It's on by default. You can set up one account per device.
Uncheck the box to factory reset all the Google Glass units in the organizational unit you've selected. Don't uncheck this box until you’ve confirmed that no one in the organizational unit you’ve selected is using Google Glass. Doing so can erase all of the local user data, such as photos and video from their Google Glass.
The G Suite Device Policy app isn’t available for Google Glass. If a user loses their device, they can remotely wipe it at https://glass.google.com/.