Apply settings for iOS mobile devices
If you have the legacy free edition of Google Apps, upgrade to G Suite to get this feature.
As a G Suite administrator, you can decide how people use their G Suite account on managed Apple® iOS® devices. For example, you might want to recommend work apps for users to install on their devices or control how their data is synchronized with apps.
Before you begin
To use these settings, you need to:
- Set up advanced mobile management for iOS devices.
- Turn on iOS Sync.
- Set up an Apple Push Certificate.
For details, see Set up mobile device management.
Find the settings
- From the Admin console dashboard, go to Device management.
  To see Device management, you might have to click More controls at the bottom.
- On the left, click iOS Settings.
- Select a category.
- (Optional) On the left, select the organization to which you want to apply the settings.
- Check the box next to the setting you want to apply. For details about each setting, see Learn about the settings.
- After you make a change, click Save.
Settings typically take effect in minutes. But they might take up to 24 hours to apply for everyone.
Learn about the settings
Lock Screen
Control Center
Allows users to access and change settings in the Control Center when their device is locked. The Control Center lets users access settings and apps, such as Wi-Fi, Apple AirDrop®, and their camera, by swiping up from the bottom of the screen.
Allows users to see notifications and open the Notification Center on locked devices. The Notification Center lets users see recent alerts, like a calendar event or a missed call, by swiping down from the top of the screen.
Allows users to see the Today view when their device is locked. Users open the Today view, which shows summary information for today’s date, by swiping right from the left side of the screen.
These settings control managed apps on iOS devices, with the exception of iOS Mail. Managed apps are apps that you whitelist for users to use for work. Users need to install the Google Device Policy app to get the apps. If a user installs an app from outside of the Device Policy app, the app isn't managed. To make the app managed, the user needs to uninstall it and then install it from the Device Policy app. For more information about managed apps, see Manage apps on mobile devices.
Trust app authors
Controls whether users can trust enterprise apps they install from outside the Apple App Store® or Google Device Policy app. Uncheck the box to prevent users from trusting app authors.
If you decide to allow users to trust apps from unknown sources, when they first open an app from an unknown source, they see a notification that the author of the app isn't trusted on the device. They can establish trust for the app author in their device settings. If the user trusts an author, they can install other apps from the same author and open them immediately.
Any app authors a user trusts before this setting was applied to their device remain trusted. The user can install more apps from the same author and open them.
Controls which apps can be used to open a user’s personal documents and attachments. You can create a whitelist of managed apps and use this setting to allow only corporate documents and links to open in the whitelisted apps.
Uncheck the box to prevent personal documents from being opened in any managed apps.
Controls which apps can be used to open corporate documents and links. It also controls whether managed apps can share documents with Apple AirDrop®.
You can create a whitelist of managed apps and use this setting to keep corporate documents and links in the whitelisted apps. For example, you can prevent a confidential email attachment in your organization’s managed mail account from being opened in a user’s personal apps. Only apps installed by the Google Device Policy app can open the attachment.
When you allow corporate documents and links to be opened with unmanaged apps, users can also share them with AirDrop. If you choose not to allow those documents and links to be opened with unmanaged apps, you can still choose to allow them to be shared with AirDrop.
- Check Allow items created with managed apps to be opened in unmanaged apps to allow documents that were created in managed apps to be opened in apps that are not managed.
- Check Allow items created with managed apps to be shared using AirDrop to allow managed apps to share documents with AirDrop.
Allows managed apps to use Apple iCloud® to store data. Data stored in iCloud will stay there until the device user removes it.
Uncheck the box to prevent corporate app data from being stored in iCloud. Users can still use iCloud for their personal data.
Allows managed apps to use mobile data to go online. Uncheck Allow managed apps to sync using mobile data to prevent managed apps from using mobile data at any time.
If you check the box to allow managed apps to sync using mobile data, you can also decide whether or not to allow them to sync when roaming. To turn off sync for managed apps while roaming, uncheck Allow managed apps to sync while roaming.
Account Configurations
Google Account
This setting is not available when the CalDAV or CardDAV setting is on.
Automatically syncs users’ G Suite email, calendars, and contacts with the corresponding iOS apps that are on their device. Check Push Google Account configuration to:
- Sync G Suite emails with the iOS Mail app.
- Sync G Suite calendar events with the iOS Calendar app.
- Sync G Suite contacts with the iOS Contacts app.
- Allow users to search your organization’s global Directory in the iOS Contacts app.
Users have the option to view email and calendar events in Google mobile apps (recommended) or in iOS apps. For details, see Get G Suite mail, calendars, and contacts on iOS.
If you don't want users to access their mail in the iOS Mail app, turn off IMAP access. Calendar events and contacts will still sync to iOS apps. For details, see Turn POP and IMAP access on and off. If you turn IMAP off, let users know that they're no longer syncing G Suite mail to the iOS Mail app because they might not get a notification on their device.
When you turn the Google Account setting on, users with devices that are already enrolled for management get a notification asking them to add a password for their G Suite account. Users can enroll new devices by signing in to their G Suite account with a Google mobile app, such as the Google Device Policy app.
G Suite email, calendars, and contacts are all managed on the device. Therefore, if you block the device or remove the account, the user’s G Suite email, calendar events, and contacts are removed from the device. And, they all stop syncing.
This setting is not available when the Google Account setting is on.
Automatically syncs Google Calendar to the iOS Calendar app on a user’s device.
If you decide to use this setting, G Suite calendar events are not fully managed on the device. That means if you remotely wipe the device or account, G Suite calendar events stop syncing and all existing events are removed from the device. However, if you block the device or if the device is pending approval, calendar events still sync to the device and existing events stay on the device too.
When you turn this setting on, users are asked to enter their G Suite password. If you use 2-Step Verification or set up SSO with a third-party identity provider, the user needs to generate and enter an App password instead of using their G Suite password. Then, G Suite events sync to the iOS Calendar app. The user can choose to turn this syncing off. For details, see Get G Suite mail, calendars, and contacts on iOS.
When you turn this setting off, users can still add their calendars manually.
This setting is not available when the Google Account setting is on.
Automatically syncs Google Contacts to the iOS Contacts app on a user’s device. This setting also allows users to search your organization’s global Directory in the iOS Contacts app.
If you decide to use this setting, G Suite contacts are not fully managed on the device. Therefore, if you remotely wipe the device or account, the user’s contacts stop syncing and existing contacts are removed from the device. However, if you block the device or if it’s pending approval, contacts still sync to the device.
When you turn this setting on, users are asked to enter their G Suite password. If you use 2-Step Verification or set up SSO with a third-party identity provider, the user needs to generate and enter an App password instead of using their G Suite password. Then, G Suite contacts sync to the iOS Contacts app. The user can choose to turn this syncing off. For details, see Get G Suite mail, calendars, and contacts on iOS.
If you only share global Directory data that’s already visible to the public with apps and APIs, users won’t be able to search your organization’s global Directory. For details, see Let third-party apps access Directory data.
When you turn this setting off, users can still add their contacts manually.
Backup and iCloud Sync
Note: iOS device users need to give permission for automatic backup and sync using these settings.
iCloud backup
Allows users to automatically back up their iOS devices to iCloud over Wi-Fi every day. The iOS device must be turned on, locked, and connected to a power source during an iCloud backup.
Forces encryption for all backups to Apple iTunes®. After you apply this setting, when users back up their iOS devices to iTunes, they can see the Encrypt backup box checked in the iTunes Device Summary screen. They can't uncheck it.
When backup encryption is first enabled, iTunes asks the user to enter a password. An encrypted backup is stored on the user’s computer and they need to enter this password to restore their iOS device.
Allows users to turn document and data syncing of their iOS devices to iCloud on or off. Data from the user’s various iOS apps is stored in iCloud and then synchronized between the user’s supported iOS devices.
Allows users to turn keychain syncing of their iOS devices to iCloud on or off. Each user's account name, password, and credit card number is stored behind 256-bit Advanced Encryption Standard (AES) on iCloud. That data is then synchronized between the user’s supported iOS devices.
Specifies whether the user can complete online forms with autofill. When the box is checked, Apple Safari® remembers information that users enter in forms, such as name, address, phone number, or email address. That information is automatically completed in online forms later.
Warns users when they use Safari to visit a website that’s suspected to be fraudulent. Uncheck the box to turn the warning off.
Allows pop-up windows to open when users visit or close a webpage in Safari. Pop-ups are often used to display ads. However, some websites use pop-up windows for essential content. Uncheck the box to turn pop-ups off.
Lets all websites, third parties, and advertisers accessed by Safari store cookies and other data on the device. Uncheck the box to prevent cookies and other data from being stored on the device. This may prevent some websites from working properly.
Photos
My Photo Stream
Allows the photos in a user’s camera roll to sync to My Photo Stream in iCloud. Uncheck the box to:
- Erase photos in My Photo Stream from the device.
- Stop camera roll photos syncing to My Photo Stream.
- Prevent photos and videos in shared streams from being seen on the device.
Note: If there are no other copies of these photos and videos, they might be permanently deleted.
Controls whether users can keep their photos and videos in iCloud, so they can access them from any device. Uncheck the box to turn off iCloud Photo Library on iOS devices in your organization. Any photos not fully downloaded from iCloud Photo Library to the device will be removed from the device.
Allows users to add photos and videos to a shared album in iCloud. It also allows users to invite others to add their own photos, videos, and comments to the album. When this setting is off, users can’t subscribe to or publish shared albums.
Advanced Security
Screen capture
Controls whether users can save a screenshot or recording of their screen.
Controls whether Siri® is on or off. If you allow users to use Siri, you can also decide if it responds to users when the device is locked.
- Check the Allow Siri box to turn Siri on or off for users.
- Check the Allow Siri on lock screen box to control if it can be used on a locked device.
Controls whether an Apple Watch® device locks automatically when it’s removed from the user’s wrist. If you uncheck the box so the watch locks automatically when it’s removed from the user’s wrist, it can be unlocked with its passcode or the paired iPhone.
Allows users to use Apple Handoff® to send an app's data between devices so they can start work on one device and continue on another. For example, a user can start reading a document in Safari on their iPad and continue reading it in Safari on their iPhone.
Want more mobile device settings?
See how to apply Android settings.