This feature is available in any G Suite edition.
As an administrator, you can control how users access and interact with their Android device by applying policy settings.
To use the settings, you need to choose advanced management when you set up mobile device management.
Some of these settings are available only for company-owned devices. You can set up management specifically for company-owned Android devices.
Find the settings
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console dashboard, go to Device management. To see Device management, you might have to click More controls at the bottom.
- On the left, click Android Settings.
- (Optional) On the left, select the organization to which you want to apply the settings.
- Select a category and next to the setting, check the box to apply it. For details about each setting, see Learn about the settings.
- After you make a change, click Save.
Learn about the settings
You can manage user application auditing, account sync and wipe, lock screen details and widgets, and the Android Device Manager.
Auto Account Wipe
Automatically removes corporate account data when a device reaches a specified number of days of inactivity. The user is prompted to reconnect to the Internet and sync the device before the system removes the account. The Google Apps Device Policy performs this operation. Enter the number of days allowed to elapse after the last sync operation before removing the account.
Shows notifications, such as email senders and subjects, on locked devices. Uncheck this box to prevent the device from showing notification details. This setting applies to users accessing corporate data through work profiles on their personal devices, and users using corporate devices. This setting is supported on Android 5.0 Lollipop devices and later.
Allow lock screen widgets
Shows widgets, such as email and calendar image widgets, on locked devices. Supported for Android 4.2 Jelly Bean and later with Device Policy 4.13.
Older Android devices
Accommodates older devices by enforcing only those policies supported on older devices. For example, applying this setting allows older devices to continue to sync with G Suite without encrypted storage, even when you apply the setting that requires encryption for Android 3.0 Honeycomb and later devices.
You can add work profiles to Android 5.0 Lollipop and later devices you manage. You manage the apps in the work profile space. Your users’ bring your own device (BYOD) personal space remains private and available only to them.
Work Profile Setup
Within the work profile, users see enterprise and company-specific apps and data with the briefcase badge. Devices must support the addition of a work profile. For best results, confirm that devices support managed work profiles before offering them. You can learn more about work profiles before you offer them.
Next to Work Profile Setup, click the down arrow and choose one of these options:
Allows device users to decide whether to add the work profile. The device enrollment process offers the work profile option, but doesn’t require the user to accept it at that time. Device users can add a work profile later, or not at all.
Requires device users to accept the addition of a work profile. Only devices supporting both Android in the enterprise and work profiles can accept this setting.
You might have some devices already enrolled in management, but without a work profile in place. In that case, when you apply this setting, the user receives a message that the administrator now requires a profile, and prompts the user to accept the work profile. Device synchronization with the corporate domain might be delayed until the work profile is in place.
If the device doesn’t support work profiles, the system doesn’t apply this setting. You can check the device details page for each enrolled device to make sure a work profile is supported on that device.
Prevents device users from setting up a work profile. Existing work profiles set up on previously enrolled devices are not affected.
Apps and data sharing
You can give users permission to install apps. You can also control what users can share from installed apps. These settings apply to company-owned devices and BYOD devices with work profiles, except where noted.
Allows users to show notifications, force stop (halt processes), uninstall updates, disable apps, and clear data, cache, or defaults. Supported for Android 6.0 Marshmallow and later company-owned devices only.
Allows users to turn off the Verify Apps setting. The setting helps prevent harmful software from being installed. It also periodically scans devices for potentially harmful apps. Supported for Android 6.0 Marshmallow and later on company-owned devices only. For details, see Protect against harmful apps.
USB file transfer
Allows users to transfer files to and from their mobile devices using a USB connection. Supported for Android 6.0 Marshmallow and later, on company-owned devices only.
Allows users to install apps from other sources in addition to the Google Play Store. Uncheck this box to offer additional security by preventing app installation from unknown sources. Supported for Android 5.0 Lollipop and later.
Allows users to use developer options on their devices. If you disable this setting, users with Android enterprise on their device can still enable developer options on their device for their personal space, but not for their work profile. For example, users can sideload (download and then use a file manager to install) apps from their computer to their personal space, but they can't do this in their work profile. Supported for Android 5.0 Lollipop and later.
Allows users to turn on or off Google’s location service. Apps use location information to provide location-based services, such as the ability to view commute traffic or find nearby restaurants. This setting also allows users to manage their Android device from the My Devices page. Supported for Android 5.0 Lollipop and later.
Allows users to take screen captures on their mobile devices. If you turn off this setting, users are limited to screen captures with their personal applications. Supported for Android 5.0 Lollipop and later.
Sharing to other profiles
Allows users to share files, such as photos, from their work profile to their personal space, using the share option in the app. Supported for Android 5.0 Lollipop and later.
Cross Profile Copy Paste
Allows users to copy text from any app in their work profile and paste it using any app in their personal space. Supported for Android 5.0 Lollipop and later.
Allows device users to share content through Android Beam via near field communication (NFC). Uncheck the box to prevent using Android Beam.
Users and accounts
You can give users permission to add and remove additional user profiles and accounts. These settings apply to company-owned devices and BYOD devices with work profiles, except where noted.
Allows the primary account user to add an additional user profile to their device. Supported for Android 6.0 Marshmallow and later, on company-owned devices only.
Allows the primary account user to remove accounts for other user profiles on devices with multiple accounts. Supported for Android 6.0 Marshmallow and later, on company-owned devices only.
Allows users to add or remove accounts on their mobile devices. You can decide what types of accounts your users can add to their work profile. Supported for Android 5.0 Lollipop and later.
Allows users to add Google or G Suite accounts from any of their Google apps. Before you can turn this setting on, the Accounts setting (directly above) must also be on. If you turn the Accounts setting off, users may still be able to add Google accounts in their work profile or on their device through Microsoft® Exchange®, IMAP, or POP3. This setting is turned on by default. Supported for Android 5.0 Lollipop and later.
You can manage the way users access networks. These settings are available for company-owned, Android 6.0 Marshmallow and later devices.
Allows users to change the Wi-Fi network settings on their mobile devices.
Allows users to change the Bluetooth® settings on their mobile devices. For Android 6.0 Marshmallow and later, if you want to allow Bluetooth configuration, remember to apply the Location sharing setting (under Apps and Data Sharing) to enable it to work.
Allows users to add, edit, connect to, or delete a Virtual Private Network (VPN) on their device. Users can access VPN settings on their devices by tapping Settings > Wireless & networks > More > VPN.
Allows users to configure and use Wi-Fi hotspot and USB or Bluetooth tethering services.
Allows users to change the settings for data access and roaming on their devices. This setting also allows users to choose whether or not to display the mobile network name in the status bar, to change the access point name (APN), and to choose a mobile network operator.
Allows users to receive broadcast notifications, such as weather emergencies and missing children (AMBER) alerts, on devices equipped with SIM cards.
You can give users access to hardware options. These settings are available only for company-owned Android 6.0 Marshmallow and later devices, except where noted.
Allows users to insert an SD card and move data or applications to the card, on those devices with external SD card slots. SD cards are generally used for removable storage.
Allows users to modify certificate authority (CA) forms for their work profiles in Settings > Security > Trusted credentials on their mobile device. If unchecked, users can still view CA certificates for their work profile; however, they can't modify them.
Allows the use of device microphones. Uncheck this box to mute the microphone and prevent it from being turned back on. Leaving the microphone off ensures that malicious apps can’t use the microphone's functionality to record sound near the device.
Allows the use of device speakers. Uncheck this box to mute the speaker for apps in the work profile and prevent it from being turned back on.
Administrator Restriction PIN Settings
Continues to sync the administrator restriction PIN with user devices. With this setting applied, users are asked to enter this PIN if they try to reset the phone, or to change Wi-Fi or Bluetooth settings. (The PIN needs to be numeric and have at least 5 characters.) If you uncheck this box, the previous administrator restriction PIN is recognized, and you can't change the administrator restriction PIN again until you re-apply this setting.
Allows users to perform a factory reset on their device. A factory reset removes all applications, all user information, and all settings, including any restrictions set by the administrator using device management.
Allows users to set the date and time on their devices. Uncheck the box to prevent users from setting the date and time.
Allows users to access data services while roaming (using the device outside the cell phone carrier’s operating area). Uncheck the box to prevent Internet access while roaming. This setting is only available for company-owned Android 7.0 Nougat and later devices.
Allows users to reboot their devices in safe mode, where the device reboots with only standard, pre-installed apps running, and third-party apps disabled. Uncheck the box to prevent users from rebooting in safe mode.
For Android devices where the Google Apps Device Policy app is not pre-installed, allowing the user to go into Safe Boot mode prevents the device policy app from running, which means that corporate access is eventually blocked on the device. We recommend not allowing Safe Boot access.
Want more mobile device management settings?
Consider applying Password settings and Advanced settings.
See how to apply Apple® iOS® settings.