Supported editions for these features (except as noted): Frontline Starter and Frontline Standard; Business Starter, Business Standard, and Business Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, Education Plus, and Endpoint Education Upgrade; Essentials, Enterprise Essentials, and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Free and Cloud Identity Premium. Compare your edition
As an admin, you can control which apps Android and iOS device users can find and install for work or school by adding them to the Web and mobile app list in the Google Admin console. You can add public apps—such as third-party apps for security, business, and document management—and private apps. Though you can add a paid public app to the list, you can't bulk purchase the app for your users through Google endpoint management.
- Learn how the apps list works
- Add an app to the list
- Configure app settings
- Manage the apps list
- Monitor apps on managed devices
- Respond to app security incidents
Before you begin: Learn how the apps list works
RequirementsFeatures require advanced mobile management except where noted.
- Make Android apps managed*
- Make iOS apps managed†
- Force install Android apps‡#
- Block installation of unmanaged Android apps
- Prevent users from uninstalling an Android app
- Allow Android app shortcut widgets
- Set an Android app as the VPN service
- Configure app settings by group or child organizational unit#
*Also supported for basic mobile management
†All iPhone and iPad users in your organization must install the Google Device Policy app if you manage any iOS apps.
‡ Also supported for basic mobile management with Business Plus, Enterprise, G Suite Business, and Cloud Identity Premium editions Note: You can't distribute apps to user's personal devices when the user enrolled their device as user owned and didn't create a work profile. This set up mode (Device Admin mode) is available only on Android 9.0 and earlier, and is deprecated.
#Not available for Education Fundamentals
Admin experience
When you add an app to the list, the app is automatically managed. When a user installs a managed app, you have more control over the app:
- You can control some managed app settings, such as if the app is automatically installed on devices and if users can uninstall it.
- Managed apps are automatically removed from a device when the user removes their work or school account.
- If a user leaves your organization or their device is lost or stolen, you can remove only the user's work account and managed apps instead of wiping the entire device. Learn more
- If you use advanced mobile management, you can restrict the apps that users can use with their work or school account to only managed apps.
Some Google mobile apps are already added to the list for you, such as Gmail and Google Drive.
User experience
Users get apps from the managed Google Play store, on the Work Apps tab. For details, go to Using Google Play in your organization.
On the device, managed apps are marked with a briefcase so they’re easy to distinguish from personal apps.
If their device supports it and you use advanced mobile management, encourage users to set up a Work Profile to keep work and personal apps separate.
Admin experience
When you add a public iOS app to the apps list and check Make this a managed app, you enforce app management and have more control over the app. Private iOS apps are automatically set to managed.
For managed apps:
- If a user leaves your organization or their device is lost or stolen, you can remove only the user's work account and managed apps instead of wiping the entire device. Learn more
- You can manage the apps on the device until the user uninstalls the management configuration profile for the Google mobile device. You can set managed iOS apps to automatically uninstall from the device when the user removes the configuration profile.
If you don't check Make this a managed app when you add a public app, app management is unenforced. Users can install it from the App Store, and you don't have control over it. You can manage the app only if they download the app through the Google Device Policy app.
Note: When you remove a public app from the app list, the app might be automatically uninstalled from the users' devices or users can still use it. The result depends on when the user installed the app:
- Installed before November 30, 2020—The app is uninstalled when you remove the app from the list.
- Installed on or after November 30, 2020—The app remains on the device and the user can use it.
To review when an app was installed on a device, go to the Device log events and filter by Event nameDevice application changeInstall.
User experience
When you set an app as managed:
- If the app is installed on the device, users must accept app management.
- If the app is installed from the App Store, it is unmanaged. When this policy violation is detected, users lose access to Google Workspace on native iOS apps from this device:
- In 24 hours—If the admin has set the app as managed within the last 24 hours and the app was installed after device enrollment
- Immediately—If the admin has set the app as managed more than 24 hours ago or the app was installed before device enrollment
Users will still be able to open the unmanaged app in question.
Users will be prompted in the Device Policy app to allow their organization to manage the apps. If a user accepts, the app becomes managed, and the user's access to Google Workspace is restored after a successful sync.
To avoid the disruption of users' workflow, users should install the app as managed from the Device Policy app instead of from the App Store.
Users can review which apps are managed in the Google Device Policy app:
- Green checkmark—Managed
- Gray checkmark—Unmanaged
- Red exclamation mark—App management status needs attention. The red exclamation mark appears in the following situations:
- The app is set as managed, but the user hasn’t allowed your organization to manage it yet.
- The user installed the app, and then you add it to the app list as managed.
- The user accepted app management, and then you make the app unmanaged. They can update the app to unmanaged. If they don't update the app, they can still use it and access their work or school data, and the app is treated as a managed app.
You can control which users in your organization can find and install a managed app by turning user access on or off. If your edition supports it, you can turn user access on or off for specific organizational units, or turn it on for specific groups.
Turn user access on
For most app types, you turn on user access during set up. When you add a private iOS app to the list, user access is turned off for everyone in your organization. You need to turn on access for users to get the app.
Turn user access off
To make an Android or public iOS app unmanaged but retain its managed settings, you can turn user access off for an organizational unit. This setup prevents users from installing the app from the managed Google Play store or the Google Device Policy app for iOS. You might turn user access off for the following reasons:
- To make the app managed for most of your organization or select groups, but make it unmanaged for select child organizational units (if supported by your edition)
- To apply a managed configuration to an Android app before you make it available as a managed app
Turning user access off doesn't affect users who already installed the app. They can still use the app and your app settings are still enforced.
Note: Groups settings are applied at the top organizational unit level and override organizational unit settings. If a user belongs to multiple groups with conflicting configurations, the settings are applied in order of group precedence, which you can set after you add the app.
You can use Google endpoint management settings to block access to all unmanaged apps. For company-owned mobile devices, you can also disable many system apps. You can also block or limit app access to Google services.
Block unmanaged Android apps
You can configure the Available apps setting to allow users to install only the apps you add to the Web and mobile app list. This setup prevents users from installing apps that aren't allowed, but apps already on their device aren't removed. Learn more
Block unmanaged iOS apps
Supervised company-owned devices only
You can configure the App installation setting to prevent users from installing apps from the App Store. This setup allows users to download and install apps only through the Google Device Policy app. Apps downloaded through the Google Device Policy app are automatically set up as managed. Apps already on their device aren't removed. Learn more
Disable system apps
Company-owned devices only
You can enable or disable many system apps. For details, go to Manage system apps on company-owned mobile devices.
Block or limit managed app access
Mobile apps added to the Web and mobile app list are automatically given trusted access, which gives them access to all Google services, including services set to restricted.
To manage an app but not give it access to restricted Google services, block or limit access.
Block or limit unmanaged app access
Users can allow apps that aren't in your app list to access data in unrestricted Google services.
You can prevent unmanaged apps from accessing Google services in two ways:
- For individual apps of concern, block or limit access.
- For Google services that you want to hide from any app you don't explicitly trust (by adding to your Web and mobile app list), you can set the service as restricted.
Note: If you want to let iOS device users sync work data to Apple apps such as Apple Mail or Calendar, and any Google services required by the iOS apps have restricted access, you must explicitly trust iOS apps.
The Web and mobile app list lets you control which apps users can install and use with their work or school account. To block access to Google apps for devices based on the OS version, security status, IP address, geographic location, or device ownership, you can use Context-Aware access levels. Learn more
To set an app as the VPN service for app traffic from a work profile or managed device, turn on Use as Always on VPN when you add the app to the list. This setting creates a more secure network connection for work profile traffic because all traffic must pass through the app and can't leak to the web.
Important: Turn on Use as Always on VPN for only one app. If you turn it on for multiple apps, one of the apps is arbitrarily used as the always on VPN app.
Requires Android 7.0 or later
Step 1: Add an app to the list
Expand section | Collapse all & go to top
Add a third-party app-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click Add appSearch for apps.
- Click Enter app name and enter some or all of the name of the app you want to add. For iOS apps, you can enter the apps.apple.com URL, such as https://apps.apple.com/us/app/gmail-email-by-google/id422689480 for the Gmail app for iOS. Search begins as you enter the name.
- If your search returns many results, enter more information in the search box, such as the app developer or a keyword in the description.
- If an app is already added to the list, it's labeled as "Installed," and you can click View app details to review the app's settings and user access.
- To get more information about an Android app, click View in Google Play.
- To get more information about an iOS app, click View in App Store.
- When you identify the app you want to add, point to the app and click Select.
- Select which users can install the managed app from the managed Google Play store or the Google Device Policy app for iOS.
- To let all users in your organization install the app, select Entire organization.
- To allow only certain users to install the app, click Select groups or Select organizational units. You can add both groups and organizational units. Supported editions for this feature: Frontline Starter and Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Enterprise Essentials and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Premium. Compare your edition
Groups settings are applied at the top organizational unit level and override organizational unit settings. If a user belongs to multiple groups with conflicting configurations, the settings are applied in order of group precedence, which you can set after you add the app.
- Click Continue.
- Configure app options based on the app platform (requires advanced mobile management, except as noted):
Platform App options Android - Access method–Choose how users get the app. To apply a managed configuration before you force install an app, select Available, complete app setup, apply the managed configuration, then edit the app settings to force install the app.
- Available—Let users install the app themselves. Users who don’t need the app don’t have to download it.
- Force install—Automatically install the app on all managed devices with no option to opt out. Optionally, you can prevent users from uninstalling a force-installed app.
Force install is also supported for basic mobile management with Business Plus, Enterprise, G Suite Business, and Cloud Identity Premium editions.
- Allow users to add widgets to home screen–Let users create a home screen shortcut when a widget is available.
- Use as the always-on VPN app–When turned on, app traffic from a work profile or managed device must pass through this app. Requires Android 7.0 or later. This setting creates a more secure network connection for work profile traffic.
- App auto-update timing—Choose when app updates should be installed:
- Default—Update the app automatically when the device is connected to a Wi-Fi network, is charging, is not actively in use, and the app is not running in the foreground.
- High priority—Update the app as soon as the developer publishes a new version and Google Play reviews it. If the device is offline at that time, the app immediately updates the next time the device connects to the internet.
- Postpone—Postpone app updates for 90 days after the update first becomes available. After 90 days, automatically install the latest available version of the app. For details, see Support app updates.
- Testing tracks (optional)—Select prerelease test versions of the app that you want to make available to users. Selecting multiple tracks makes the highest version code available. To learn how to make an app available to organizations, see Closed test: manage testers by organization.
Supported editions for this feature: Frontline Starter and Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Enterprise Essentials and Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition
iOS - Make this a managed app–For more control over the app and its data, turn on this setting. For details, go to How managed iOS apps work.
- Remove this app when the configuration profile is removed–For managed apps, turn on this setting to automatically remove the app when the user’s management profile is removed from a device. If you don't turn on this setting, managed apps stay on a user's device.
- Allow this app to receive work data from the iOS share sheet–Turn on this setting to allow the app to receive work data even when sharing data to non-Google workspace apps is restricted. For details, go to Data actions.
- Access method–Choose how users get the app. To apply a managed configuration before you force install an app, select Available, complete app setup, apply the managed configuration, then edit the app settings to force install the app.
- Click Finish. The app's detail page opens. When you return to the Web and mobile apps list, the app is listed almost immediately after you add it.
Android apps are available for users to install from managed Google Play or the Work Apps tab of the Play Store the next time their device syncs with Google endpoint management. If a user installs an app from outside of the managed Google Play store or the Work Apps tab, the app isn't managed.
iOS apps might take up to an hour to appear in the Google Device Policy app on users' devices. If you set the app as managed, the user must install it from the Google Device Policy app or, if they install it from the iOS App Store, they must open the Google Device Policy app and accept management of the app.
- If you added Microsoft Outlook for Android or iOS (not recommended), ensure that it respects your endpoint management settings:
- From the Admin console home page, click SecurityAPI controlsApp access controlManage Google services.
- Locate Gmail and Drive in the list of services. If Access is set to Unrestricted, change the value to Restricted. This setting prevents untrusted apps from accessing the services. When you add the app in the preceding steps, the app is automatically trusted and can access Gmail and Drive.
To add an Android app that is only for your organization's private use, publish it in managed Google Play and it's automatically added to the app list. For details, go to Manage private Android apps in Google Play.
To add a web app that is only for your organization's private use, publish it in managed Google Play and it's added to the app list. For details, go to Publish private Android web apps.
To add an iOS app that is only for your organization's private use, upload it in your Admin console. For details, go to Manage private iOS apps.
Step 2: Configure app settings
Expand section | Collapse all & go to top
Change who can install a managed app and set group precedenceAfter you add an app to the list, you can hide it from users in the managed Google Play store (for Android apps) or the Google Device Policy app for iOS (for iOS apps) by turning user access off. When you turn user access off, users who already installed the app can still use it and your app settings still apply.
To turn user access on or off for certain users, put their accounts in an organizational unit (to control access by department) or add them to an access group (to allow access for users across or within departments). Supported editions for this feature: Frontline Starter and Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Enterprise Essentials and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Premium. Compare your edition
Requires advanced mobile management
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click the app you want to change the user access for. To review the current user access settings across all organizational units and groups, for User access, click View details.
- Click User access.
- At the left, click the group or organizational unit you want to change user access for. By default, the top organizational unit is selected and the change applies to your entire organization.
- Turn user access off or on, as required. For example:
- To hide the managed app for all users while you finish app configuration, turn user access off for the top organizational unit.
- To make the managed app available for only some users, turn user access off for the top organizational unit, and turn user access on for child organizational units or groups.
Note: When user access is turned on for a group, this setting overrides organizational unit settings. However, you can't explicitly turn off user access for a group. When you uncheck On, users in that group inherit the setting from higher-ranked groups or the user's organizational unit.
- If you set user access for multiple groups, review the order of the groups and set their precedence:
- Click the app and click User access.
- At the left, click Groups.
- Drag the groups into the order you want their settings to apply to a user who belongs to more than one group. Put the group with the highest precedence at the top.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).
Changes can take up to 24 hours but typically happen more quickly. Learn more
Supported editions for this feature: Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; G Suite Business; Cloud Identity Premium. Compare your edition
Requires advanced mobile management
Some Android apps have settings that you can save as managed configurations. For example, an app may allow you to only sync data when a device is connected to Wi-Fi. The default managed configuration assigned to an app is set by the app’s developer. You can check if an app supports managed configurations in managed Google Play. Learn more
Managed configurations let you automatically configure apps for a group or organizational unit without any user interaction. You can create multiple managed configurations for the same app and apply different configurations to different groups or organizational units.
Create a managed configuration
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click the app you want to manage.
Tip: To only see the apps that are allowed for a specific organizational unit or group, click Add a filter and select the organizational unit or group.
- Click Managed configurationsAdd managed configuration.
If the app doesn’t support managed configurations, this option isn't available. - Enter a configuration name and set your preferred configuration.
Note: The developer of the app defines the configuration options available to you. If you have questions about these settings, contact the developer. - Click Save.
- Assign the managed configuration to an organizational unit or group, as described in the next section.
Assign a managed configuration to an organizational unit or group
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click the app you want to manage.
- Click Settings.
- At the left, click the organizational unit or group that you want to assign a managed configuration to.
- For Managed configuration, click the menu and select the managed configuration you want to apply.
- Click Save.
To remove a managed configuration from an organizational unit or group, follow the same steps and select Default.
Edit or delete a managed configuration
Before you can delete a managed configuration, you must remove it from any organizational units or groups. When you remove a configuration, the app reverts to the default configuration defined by the developer unless you assign a different managed configuration.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click the app you want to manage.
- Click Managed configurations.
- Click the managed configuration you want to edit or delete.
- To edit, edit the configuration and click Save.
- To delete, click Delete.
Supported editions for this feature: Frontline Starter and Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Enterprise Essentials and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Premium. Compare your edition
Requires advanced mobile management
Many iOS app developers use Managed App Configuration (AppConfig) to customize apps and allow administrators to remotely deliver settings to managed devices.
You create a managed configuration by entering a configuration dictionary in the form of XML data consisting of key-value pairs that are relevant to the app. You can create multiple managed configurations for the same app and apply different configurations to different groups or organizational units. Unlike Android apps, there are no default app configurations.
Configuration dictionary example
You can use the AppConfig Generator tool to generate a configuration dictionary for the app, as in the following example.
<dict>
<key>DisplayName</key>
<string>Sample Enterprise LLC</string>
<key>AllowGoogleSSO</key>
<true/>
<key>MaxAllowedAttempts</key>
<integer>5</integer>
<key>EnrolledToken</key>
<string>7DBB314C-7ABA-4BD4-866C-7BD613AFCBC4</string>
</dict>
Create a managed configuration
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click the app you want to manage.
Tip: To only see the apps that are allowed for a specific organizational unit or group, click Add a filter and select the organizational unit or group.
- Click Managed configurationsAdd configuration.
- Enter a configuration name.
- Enter the configuration dictionary for the app (go to example).
Note: The app developer defines the configuration options and values available to you. If you have questions about the options, contact the developer. Google endpoint management validates the XML format in the configuration dictionary, but does not check that it works with the app. - Click Save.
- Assign the managed configuration to an organizational unit or group, as described in the next section.
Assign a managed configuration to an organizational unit or group
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click the app you want to manage.
- Click Managed configurations.
- Click the managed configuration you want to edit or delete.
- To edit, make your changes and click Save.
- To delete, click Delete.
To remove a managed configuration from an organizational unit or group, follow the same steps and select Select configuration from the Managed app configuration list.
Edit or delete a managed configuration
Before you can delete a managed configuration, you must remove it from any organizational units or groups. When you remove a configuration, the app reverts to the default state defined by the developer unless you assign a different managed configuration.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click the app you want to manage.
- Click Managed configurations.
- To delete a managed configuration, next to the configuration name, click Delete.
- To edit a managed configuration, click the configuration name, make your changes and click Save.
Supported editions for this feature: Frontline Starter and Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Enterprise Essentials and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Premium. Compare your edition
Requires advanced mobile management
Before you begin: If needed, learn how to apply the setting to a department or group.
Some Android apps request permissions from the user while the app is running. For example, an app might request access to a device’s calendar or location. You can manage how permission requests from an individual app are handled. These app settings take priority over any runtime permissions preferences specified for the device.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click the app you want to manage.
- Click Runtime permissions. If the app doesn’t support runtime permissions, the option isn't available.
-
(Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how
Group settings override organizational units. Learn more
- For each runtime permission:
- To automatically allow the permission, select Allow.
- To automatically deny the permission, select Deny.
- To prompt the user to allow or deny the permission, select Prompt user.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).
Before you begin: If needed, learn how to apply the setting to a department or group.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click the app you want to edit.
Tip: To see only the apps that are turned on for a specific organizational unit or group, click Add a filter. - Click Settings.
-
(Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how
Group settings override organizational units. Learn more
- Edit the settings. Available settings depend on the platform and management type:
Platform App options Android - Access method–Choose how users get the app. To apply a managed configuration before you force install an app, select Available, complete app setup, apply the managed configuration, then edit the app settings to force install the app.
- Available—Let users install the app themselves. Users who don’t need the app don’t have to download it.
- Force install—Automatically install the app on all managed devices with no option to opt out. Optionally, you can prevent users from uninstalling a force-installed app.
Force install is also supported for basic mobile management with Business Plus, Enterprise, G Suite Business, and Cloud Identity Premium editions.
- Allow users to add widgets to home screen–Let users create a home screen shortcut when a widget is available.
- Use as the always-on VPN app–When turned on, app traffic from a work profile or managed device must pass through this app. Requires Android 7.0 or later. This setting creates a more secure network connection for work profile traffic.
- App auto-update timing—Choose when app updates should be installed:
- Default—Update the app automatically when the device is connected to a Wi-Fi network, is charging, is not actively in use, and the app is not running in the foreground.
- High priority—Update the app as soon as the developer publishes a new version and Google Play reviews it. If the device is offline at that time, the app immediately updates the next time the device connects to the internet.
- Postpone—Postpone app updates for 90 days after the update first becomes available. After 90 days, automatically install the latest available version of the app. For details, see Support app updates.
- Testing tracks (optional)—Select prerelease test versions of the app that you want to make available to users. Selecting multiple tracks makes the highest version code available. To learn how to make an app available to organizations, see Closed test: manage testers by organization.
Supported editions for this feature: Frontline Starter and Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Enterprise Essentials and Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition
iOS - Make this a managed app–For more control over the app and its data, turn on this setting. For details, go to How managed iOS apps work.
- Remove this app when the configuration profile is removed–For managed apps, turn on this setting to automatically remove the app when the user’s management profile is removed from a device. If you don't turn on this setting, managed apps stay on a user's device.
- Allow this app to receive work data from the iOS share sheet–Turn on this setting to allow the app to receive work data even when sharing data to non-Google workspace apps is restricted. For details, go to Data actions.
For iOS apps, if you uncheck Make this a managed app, the app is still managed on devices where it's already installed. However, users will see a red exclamation mark on the app in the Google Apps Device Policy app list and can change the app to unmanaged.
- Access method–Choose how users get the app. To apply a managed configuration before you force install an app, select Available, complete app setup, apply the managed configuration, then edit the app settings to force install the app.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).
Changes can take up to 24 hours but typically happen more quickly. Learn more
Requires advanced mobile management
For apps that support it, you can allow users to see their personal data and work data in an app. For example, when this setting is turned on for Google Calendar, users can choose to see their personal calendars in their work profile. Because this setting allows cross-profile communication (between personal and work spaces), it should be turned on only for trusted apps.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- Click the Android app you want to update.
- Click Connected apps configuration.
- At the left, click the organizational unit or group that you want to allow or block.
- To allow users to use this feature, check the box.
- Click Save.
Step 3: Manage the apps list
Expand section | Collapse all & go to top
Remove an appWhen you remove an Android app from your list, the app isn't available for users to install from the managed Google Play store or the Work Apps tab in the Play Store. If a user already installed the app, the app stays on the device but it's no longer managed. If you allow users to install any app in Google Play, they can still install the app but you can't manage it.
When you remove an iOS app from your list, the app isn't available for users to install from the Google Device Policy app. If a user already installed the app and the app is managed, the app stays on the device as managed until the user removes the Device Policy profile from their device. Other users can still install the app from the App Store, but you can't manage it.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
- You can delete individual apps or many apps at once:
- To delete one app, find it in the list and click MoreDelete.
- To delete many apps, next to each app, check the box. At the top, click Delete.
Step 4: Monitor apps on managed devices
Expand section | Collapse all & go to top
See how apps are distributed-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsWeb and mobile apps.
-
To review the apps that a specific organizational unit or group can access:
-
Click Add a filter.
-
Click Organizational unit or Group.
-
Select the organizational unit or group.
-
-
To review the distribution of a specific app, point to the row of the app you want to review and click Access details. A panel opens that lists the groups and organizational units and their app access status.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
Go to Menu DevicesOverview.
- Click the Mobile devices card.
- Click the row of the device you want to view the details for.
Tip: If your organization has many mobile devices, click Add a filter to narrow your search. For details, go to Find specific mobile devices. - Click Installed apps. The table lists the app, its version, and its App ID. For Android apps, you also get the SHA-256 hash value.
In the Device log events, filter the log for Event nameDevice application change. You can filter the list further by specific device types, device application change events, the application package name, and more.
After you create your filter, you can export your log event data.
Respond to app security incidents
If a user's account could be compromised through an app (because the device is lost or stolen) or you discover a malicious app on users' devices, you have several ways to respond.
To stop unauthorized access:
- Revoke access to Google services.
- Block a device (requires advanced mobile management).
- Lock a company-owned Android device and reset its password.
To block an app's access to Google services, in App Access Control, set the app as limited or blocked. For details, go to Add a new app.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.