If you have the legacy free edition of Google Apps, upgrade to G Suite to get this feature.
As an administrator, you can control how users access and interact with their Android device by applying policy settings.
To use the settings, you need to choose advanced management when you set up mobile device management.
Some of these settings are available only for company-owned devices. You can set up management specifically for company-owned Android devices.
Find the settings
From the Admin console dashboard, go to Device management.
To see Device management, you might have to click More controls at the bottom.
- On the left, click Android Settings.
- (Optional) On the left, select the organization to which you want to apply the settings.
- Select a category and next to the setting, check the box to apply it. For details about each setting, see Learn about the settings.
- After you make a change, click Save.
Learn about the settings
Open all | Close all
You can manage user application auditing, account sync and wipe, lock screen details and widgets, and the Android Device Manager.
Auto Account Wipe
Automatically removes corporate account data when a device reaches a specified number of days of inactivity. The user is prompted to reconnect to the Internet and sync the device before the system removes the account. The Google Apps Device Policy
performs this operation. Enter the number of days allowed to elapse after the last sync operation before removing the account.
Shows notifications, such as email senders and subjects, on locked devices. Uncheck this box to prevent the device from showing notification details. This setting applies to users accessing corporate data through work profiles on their personal devices, and users using corporate devices. This setting is supported on Android 5.0 Lollipop devices and later.
Allow lock screen widgets
Controls whether users can add widgets, such as email and calendar widgets, to the lock screen on their devices. Lock screen widgets are supported on Android versions 4.2 Jelly Bean to 4.4 KitKat.
Older Android devices
Accommodates older devices by enforcing only those policies supported on older devices. For example, applying this setting allows older devices to continue to sync with G Suite without encrypted storage, even when you apply the setting that requires encryption for Android 3.0 Honeycomb and later devices.
You can add work profiles to Android 5.0 Lollipop and later devices you manage. You manage the apps in the work profile space. Your users’ bring your own device (BYOD) personal space remains private and available only to them.
Work profiles separate your organization’s apps from personal apps, adding Android enterprise to each corporate G Suite app to indicate the difference between the two types of app. Within the work profile, users access the Android apps you offer and manage through your whitelist. Users can choose to accept creation of a work profile on enrollment (the default), or to not accept it, to add it later, or not at all. You can adjust this setting when you apply Android policies.
Work Profile Setup
Within the work profile, users see enterprise and company-specific apps and data indicated with Android enterprise
. Devices must support the addition of a work profile. For best results, confirm that devices support managed work profiles before offering them. You can learn more about work profiles
before you offer them.
Next to Work Profile Setup
, click the down arrow
and choose one of these options:
- User opt-in
The default setting when you set up mobile device management. This setting prompts your device users to create a work profile when they register a device for management. Device users can choose not to accept the work profile when they are enrolling in management. (They see a message that not adding a work profile allows their organization to make changes that affect their entire device.)
Requires device users to accept the creation of a work profile. Users don’t have the option to opt-out. Only devices supporting both Android enterprise and work profiles can accept this setting.
You might have some devices already enrolled in management, but without a work profile in place. In that case, when you apply this setting, the user receives a message that the administrator now requires a profile, and prompts the user to allow the system to create it. Device synchronization halts until the work profile is in place.
If the device doesn’t support work profiles, the system doesn’t apply this setting. You can check the details page for each enrolled device to make sure a work profile is supported.
Prevents device users from setting up a work profile. Existing work profiles set up on previously enrolled devices are not affected
Apps and data sharing
You can give users permission to install apps. You can also control what users can share from installed apps. These settings apply to company-owned devices and BYOD devices with work profiles, except where noted.
Allows users to show notifications, force stop (halt processes), uninstall updates, disable apps, and clear data, cache, or defaults. Supported for Android 6.0 Marshmallow and later company-owned devices only.
Allows users to turn off the Verify Apps setting. The setting helps prevent harmful software from being installed. It also periodically scans devices for potentially harmful apps. Supported for Android 6.0 Marshmallow and later on company-owned devices only. For details, see Protect against harmful apps
USB file transfer
Allows users to transfer files to and from their mobile devices using a USB connection. Supported for Android 6.0 Marshmallow and later, on company-owned devices only.
Allows users to install apps from other sources in addition to the Google Play Store. Uncheck this box to offer additional security by preventing app installation from unknown sources. Supported for Android 5.0 Lollipop and later.
Allows users to use developer options on their devices. If you disable this setting, users with Android enterprise on their device can still enable developer options on their device for their personal space, but not for their work profile. For example, users can sideload (download and then use a file manager to install) apps from their computer to their personal space, but they can't do this in their work profile. Supported for Android 5.0 Lollipop and later.
Allows users to turn on or off Google’s location service. Apps use location information to provide location-based services, such as the ability to view commute traffic or find nearby restaurants. This setting also allows users to manage their Android device
from the My Devices page. Supported for Android 5.0 Lollipop and later.
Allows users to take screen captures on their mobile devices. If you turn off this setting, users are limited to screen captures with their personal applications. Supported for Android 5.0 Lollipop and later.
Sharing to other profiles
This setting is supported for Android 5.0 Lollipop and later devices, except where noted.
Controls whether users can share data and files, such as photos, from their work profile to the personal space on their device.
When you check the Allow content sharing from Work Profile to personal space box:
- Content from the work profile can be shared with apps in the user’s personal space. For example, a user can add work documents to their personal Gmail app.
- Caller ID information from the work profile is shown in the personal space for incoming calls.
- Users can search for G Suite contacts from their personal space (Android 7.0 Nougat and later only).
- URLs are opened in the personal space if there’s no browser in the work profile.
- A map app in the personal profile opens a geographic location if there’s no map app in the work profile.
Cross Profile Copy Paste
Allows users to copy text from any app in their work profile and paste it using any app in their personal space. Supported for Android 5.0 Lollipop and later.
Allows device users to share content through Android Beam via near field communication (NFC). Uncheck the box to prevent using Android Beam.
Users and accounts
You can give users permission to add and remove additional user profiles and accounts. These settings apply to company-owned devices and BYOD devices with work profiles, except where noted.
Allows the primary account user to add an additional user profile to their device. Supported for Android 6.0 Marshmallow and later, on company-owned devices only.
Allows the primary account user to remove accounts for other user profiles on devices with multiple accounts. Supported for Android 6.0 Marshmallow and later, on company-owned devices only.
Allows users to add or remove accounts on their mobile devices. You can decide what types of accounts your users can add to their work profile. Supported for Android 5.0 Lollipop and later.
Allows users to add Google or G Suite accounts from any of their Google apps. Before you can turn this setting on, the Accounts setting (directly above) must also be on. If you turn the Accounts setting off, users may still be able to add Google accounts in their work profile or on their device through Microsoft® Exchange®, IMAP, or POP3. This setting is turned on by default. Supported for Android 5.0 Lollipop and later.
You can manage the way users access networks. These settings are available for company-owned, Android 6.0 Marshmallow and later devices.
Allows users to change the Wi-Fi network settings on their mobile devices.
Allows users to change the Bluetooth® settings on their mobile devices. For Android 6.0 Marshmallow and later, if you want to allow Bluetooth configuration, remember to apply the Location sharing setting (under Apps and Data Sharing) to enable it to work.
Allows users to add, edit, connect to, or delete a Virtual Private Network (VPN) on their device. Users can access VPN settings on their devices by tapping Settings > Wireless & networks > More > VPN.
Allows users to configure and use Wi-Fi hotspot and USB or Bluetooth tethering services.
Allows users to change the settings for data access and roaming on their devices. This setting also allows users to choose whether or not to display the mobile network name in the status bar, to change the access point name (APN), and to choose a mobile network operator.
Allows users to receive broadcast notifications, such as weather emergencies and missing children (AMBER) alerts, on devices equipped with SIM cards.
You can give users access to hardware options. These settings are available only for company-owned Android 6.0 Marshmallow and later devices, except where noted.
Allows users to insert an SD card and move data or applications to the card, on those devices with external SD card slots. SD cards are generally used for removable storage.
Allows users to modify certificate authority (CA) forms for their work profiles in Settings > Security > Trusted credentials on their mobile device. If unchecked, users can still view CA certificates for their work profile; however, they can't modify them.
Allows the use of device microphones. Uncheck this box to mute the microphone and prevent it from being turned back on. Leaving the microphone off ensures that malicious apps can’t use the microphone's functionality to record sound near the device.
Allows the use of device speakers. Uncheck this box to mute the speaker for apps in the work profile and prevent it from being turned back on.
Administrator Restriction PIN Settings
Continues to sync the administrator restriction PIN with user devices. With this setting applied, users are asked to enter this PIN if they try to reset the phone, or to change Wi-Fi or Bluetooth settings. (The PIN needs to be numeric and have at least 5 characters.) If you uncheck this box, the previous administrator restriction PIN is recognized, and you can't change the administrator restriction PIN again until you re-apply this setting.
Controls whether users can reset the device to its factory settings. A factory reset removes all apps, data, and settings from the device. The settings that are removed include those that are set by a G Suite administrator using device management.
If you turn this setting on, consider using the Factory Reset Protection Setting to allow administrators to access a reset device. This can help to prevent locked devices if the user is unable to access their account after the device is reset.
Factory Reset Protection Setting
Allows specific administrator accounts to access a device after it’s been reset to its factory settings. For company-owned devices (those that you add to your Admin console by serial number), only the accounts you list can access the device after a factory reset. For personal devices in device owner mode, the user can access the device, too. For details, see Know the differences between personal and company-owned devices.
Click Add an account and enter the email addresses of the admins who you want to allow to access the device after a factory reset.
Note: If you use this setting and need to reset a device to factory settings, make sure you can access any associated admin accounts before you reset the device. (See Tips below.) G Suite support can’t remotely unlock a reset device or restore it. If you have problems unlocking a reset device, contact the device manufacturer for help.
- You can enter up to 10 email addresses. We recommend that you enter more than one email address in case there are problems with any of the addresses you enter.
- Ensure the email addresses you add are active and have never been deleted or suspended. If an account is suspended or deleted, it might not be able to access a device that’s been reset, even if the account has been restored.
- Don’t enter any group email addresses—they can’t access a device that’s been factory reset.
- Before you reset a device:
- Sign out and remove the user’s G Suite account.
- If the user doesn’t know their password, reset it. Do this before you wipe the device. If you wait, the user might need to wait at least 24 hours before they can sign back in to the device.
Allows users to set the date and time on their devices. Uncheck the box to prevent users from setting the date and time.
Allows users to access data services while roaming (using the device outside the cell phone carrier’s operating area). Uncheck the box to prevent Internet access while roaming. This setting is only available for company-owned Android 7.0 Nougat and later devices.
Allows users to reboot their devices in safe mode, where the device reboots with only standard, pre-installed apps running, and third-party apps disabled. Uncheck the box to prevent users from rebooting in safe mode.
For Android devices where the Google Apps Device Policy app is not pre-installed, allowing the user to go into Safe Boot mode prevents the device policy app from running, which means that corporate access is eventually blocked on the device. We recommend to not allow Safe Boot access.
Want more mobile device management settings?
Consider applying Password settings and Advanced settings.
See how to apply Apple® iOS® settings.