Search
Clear search
Close search
Google apps
Main menu

Manage apps on mobile devices

If you have the legacy free edition of Google Apps, upgrade to G Suite to get this feature.

mdm apps As a G Suite administrator, you can securely manage work apps on a user’s device and leave personal apps under the user’s control. You can automatically install preferred work apps on Android devices. On Android and Apple® iOS® devices, you can create a whitelist of recommended apps to make them available for users to install. For company-owned Android devices, you can also manage system apps that are preinstalled on the device.

How whitelisting works

You select apps from Google Play or the Apple App Store® and add them to a whitelist. Users see a catalog of those apps on their device. When a user installs a whitelisted app, it’s managed by your organization. That means if someone leaves your organization, the app is removed when the user’s G Suite account is removed from their device. You can also remove managed apps if a device is lost or stolen. Some Google mobile apps are already whitelisted for you, such as Gmail and Google Drive.

Before you begin

Before you can manage apps for mobile device users, you need to set up advanced mobile management. For details, see Set up mobile device management.

Open all   |   Close all

Build your whitelist

Whitelist Android apps

You can whitelist Android apps in the Google Admin console. If their device supports it, encourage users to set up a work profile to keep work and personal apps separate. Then, they can get managed apps from the managed Google Play store. Once installed, managed apps are marked with Android enterprise Android enterprise so they’re easy to distinguish from personal apps. If a device doesn’t support work profiles, users can get apps from the Play Store (on the Work Apps tab). For details, see Using Google Play in your organization.

Note: If a user installs an app from outside of the managed Google Play store or the Work Apps tab, the app isn't managed.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. On the left, click App management and then Manage Applications for Android devices.
  4. Click the link to manage Android apps.
  5. At the bottom right, click Add Add. The Google Play store opens.
  6. At the top right, search for the app you want to whitelist. When you find the app, click it.
  7. Click Approve, read the app permissions, and click Approve again.
  8. Decide how you want to handle new app permission requests (for example, access to in-app purchases or identity information). If you previously approved the app, click Approval Preferences first:

    • To automatically reapprove an app when it requests new permissions, select Keep approved when app requests new permissions. The app will be automatically reapproved, regardless of the new permissions being requested.
    • To remove an app from your whitelist until you reapprove it, select Revoke app approval when this app requests new permissions.

    For more details about app permissions, see Manage app permissions.

  9. Click Save. If you previously approved the app, click Select.
  10. To whitelist the app for all users in your organization, select All users and click Continue. If you’re a G Suite Business or Enterprise customer, you can whitelist the app for a specific group of users. Select A specific organizational unit (OU) or group(s) and then select the organization or group that the users belong to. For details, see Distribute an app to a specific group of users.

  11. Specify your app preferences. You can:
    • Automatically install the app on users’ devices now.
    • Prevent users from uninstalling the app.
    • Allow users to add an app widget (when available) for a home screen shortcut.
  12. Click Save.
  13. (Optional) To view more information about any of your whitelisted apps, next to the app, click More More and then Open in Play Store.

The app appears in the whitelist almost immediately. It will be available for users to install from managed Google Play or the Work Apps tab of the Play Store the next time their device synchronizes with Google Mobile Management.

Whitelist iOS apps

You whitelist iOS apps in your Admin console. Users need to install the Google Device Policy app to get the apps. Once installed, managed iOS app icons have a green checkmark to distinguish them from personal apps. Apps that have a gray checkmark were not installed from the Google Device Policy app and aren’t managed. 

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. On the left, click App Management and then  Manage Applications for iOS devices.
  4. Click the link to manage iOS apps.
  5. At the bottom right, click Add Add.
  6. Enter either the app name (or the app URL from Apple iTunes®) and click Search.
  7. (Optional) To see more information about an app, click the app's link.
  8. Select the correct app and click Whitelist.
  9. To whitelist the app for all users in your organization, select All users and click Continue. If you’re a G Suite Business or Enterprise customer, you can whitelist the app for a specific group of users. Select A specific organizational unit (OU) or group(s) and then select the organization or group that the users belong to. For details, see Distribute an app to a specific group of users.

  10. (Optional) To view information about any of your whitelisted apps, next to the app, click More More and then Open in App Store.
  11. Have users install the Google Device Policy app to get whitelisted apps.

The app appears in the whitelist almost immediately. It might take up to an hour for the app to appear in the Google Device Policy app on users' devices.

Remove an app from your whitelist

When you remove an Android app from your whitelist, it’s no longer available for users to install from the managed Google Play store or the Work Apps tab in the Play Store. If a user already installed the app, it won’t be removed from their device. Users who haven’t installed the app can still install it from the Play Store, but it won’t be managed.

When you remove an iOS app from your whitelist, it won’t be available for users to install from the Google Device Policy app. It will be uninstalled the next time the device synchronizes. However, users can still install the app from the Apple App Store®.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. On the left, click App management and then Manage Applications for Android devices or Manage applications for iOS devices.
  4. Click the link to manage Android or iOS apps.
  5. Choose an option:
    • Find the app you want to remove and click More  More and then Remove.
    • Hover over the app's icon to display a checkbox. Check the box (you can check multiple apps at once). In the top-right corner, click Trash Trash .
  6. Click Remove.

You see a message that the selected app has been removed from the whitelist.

Note: You can't remove the Google Apps Device Policy app from the Android whitelist.

Manage your whitelist

You can distribute an app to users in a specific organizational unit or group in Google Groups. For Android, you can also specify app preferences for different groups of users. For example, you can automatically install a sales app for users in a sales group, but not for users in a customer-services group.

Distribute an app to a specific group of users
This feature is available with G Suite Business and Enterprise editions. Compare editions
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. On the left, click App management and then Manage Applications for Android devices or Manage Applications for iOS devices.
  4. Click the link to manage Android or iOS apps.
  5. Click the app you want to distribute.
    Tip: To only see the apps that are whitelisted for a specific user or group of users, use the filters on the left. You can select an organizational unit, a group, or user. For Android, you can also choose to view only public or private apps.
  6. On the App Distribution screen, you see the organizations and groups the app is currently distributed to. To distribute the app to another group of users click Add More.
  7. Choose an option: 
    • To distribute the app to users in an organizational unit, on the left, select Organizational Unit, and then select the name of the organizational unit from the list.
    • To distribute the app to users in a group, on the left, select Group, and start entering the name of the group. Select the group from the list.

    For more information, see Selectively distribute mobile apps.

  8. Click Continue

  9. (Android only) Specify your app preferences for the organization or group and click Save. You can:
    • Automatically install the app on users’ devices now.
    • Prevent users from uninstalling the app.
    • Allow users to add an app widget (when available) for a home screen shortcut.

Note: The change typically takes effect in minutes, but it might take up to 24 hours to be reflected across all of your users’ devices. If you don’t select a specific organization or group, the app is distributed to all users in your top-level organization.

Remove a group of users from an app's distribution list
This feature is available with G Suite Business and Enterprise editions. Compare editions
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. On the left, click App management and then Manage Applications for Android devices or Manage Applications for iOS devices.
  4. Click the link to manage Android or iOS apps.
  5. Click the app whose distribution you want to change. 
    Tip: To only see the apps that are whitelisted for a specific user or group of users, use the filters on the left. You can select an organizational unit, a group, or user. For Android, you can also choose to view only public or private apps.
  6. On the App Distribution screen, you see the organizations and groups the app is currently distributed to. Next to the organization or group you want to remove, click More More and then Remove OU or Remove group.
  7. Click Remove to confirm.

Note: The change typically takes effect in minutes, but it might take up to 24 hours to be reflected across all of your users’ devices. If you don’t select a specific organization or group, the app is distributed to all users in your top-level organization.

Manage preferences for Android apps
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. On the left, click App management and then Manage Applications for Android devices.
  4. Click the link to manage Android apps.
  5. Click the app you want to manage.
    Tip: To only see the apps that are whitelisted for a specific user or group of users, use the filters on the left. You can select an organizational unit, Google Group, or user. You can also choose to only view public or private apps.
  6. Next to the group or organizational unit you want to change app preferences for, click More More and then Edit configuration.
  7. Specify your app preferences. You can:
    • Automatically install the app on users’ devices now.
    • Prevent users from uninstalling the app if you automatically install it.
    • Allow users to add an app widget (when available) to their home screen.
  8. Click Update.

Note: The change typically take effect in minutes, but it might take up to 24 hours to be reflected across all of your users’ devices.

Approve permission updates for Android apps

When you whitelist an Android app, you control what the app can access on behalf of users in your organization—also known as permissions. For example, an app might want permission to see a device’s contacts or location. No matter which permissions you grant, users can still change those permissions after the app installs on their device.

The permissions for a whitelisted app might change when the app updates. Apps that have permission updates that need your approval are marked with Exception Exception in your Admin console. To approve permission-update requests:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. On the left, click App management and then Manage Applications for Android devices.
  4. Click the link to manage Android apps.
  5. Next to the app with the Exception Exception, click More More and then Open in Play Store.
  6. Click Approve, read the permissions, and click Approve again.
  7. (Optional) Decide how you want to handle new app permission requests (for example, access to in-app purchases or identity information):
    • To automatically reapprove an app when it requests new permissions, select Keep approved when app requests new permissions. The app will be automatically reapproved, regardless of the new permissions being requested.
    • To remove an app from your whitelist until you reapprove it, select Revoke app approval when this app requests new permissions.
    For more details about app permissions, see Manage app permissions.
    Note: If you previously approved the app, click Approval Preferences to decide how you’d like to handle new app permission requests and click Save. Then, click Select.
  8. Click Save.

Manage Android system apps

System apps, such as Clock and Calculator, are preinstalled on Android devices. Many of these apps can’t be uninstalled, and they aren’t available in managed Google Play for whitelisting. However, you can manage access to them on company-owned Android devices. 

You can allow or disable all system apps. You can also specify a custom list of apps to allow or disallow. If you disable system apps, the apps aren’t uninstalled, but users and other apps can’t access them. 

Manage system apps

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. On the left, click App management and then System applications on Android.
  4. (Optional) On the left, select an organization. If you don’t select an organization, the settings are applied to all users.
  5. Choose an option:
    • To make all system apps available, select Allow all.
    • To remove access to all system apps, select Disable all.
      Note: This setting doesn’t remove access to apps you whitelist for Android devices. For details, see Whitelist Android apps.
    • To customize access, select Allow custom system apps and then enter the app package name.
  6. (Optional) Under Disallow system apps, click Add system app package name and then enter the app package name. 
  7. Click Save.

If you don’t know the package name of an app, check the mobile device details in your Admin console. If the app isn’t listed, contact the device manufacturer or reseller.

The change typically takes effect in minutes, but it might take up to 24 hours to be reflected across all of your users’ devices.

Critical system apps

Some system apps are critical for a device to function correctly. You can’t disallow these critical system apps:

  • com.google.android.apps.enterprise.dmagent
  • android
  • com.android.systemui
  • com.android.launcher
  • com.android.providers.downloads
  • com.android.keychain
  • com.android.keyguard
  • com.google.android.inputmethod.latin
  • com.google.android.gsf.login
  • com.google.android.gsf
  • com.google.android.nfcprovision
  • com.android.nfc
  • com.android.bluetooth
  • com.google.android.setupwizard
  • com.android.settings
  • com.google.android.gms
  • com.android.vending
Was this article helpful?
How can we improve it?
Sign in to your account

Get account-specific help by signing in with your G Suite account email address, or learn how to get started with G Suite.