Apply settings for Android mobile devices

Supported editions for this feature: Business Plus; Enterprise; Education and Enterprise for Education; G Suite Basic and Business; Cloud Identity Premium.  Compare your edition

As an administrator, you can control how users access and interact with their Android device by applying policy settings.

Requirements

Find and set Android settings

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. On the left, click  Settingsand thenAndroid settings.
  4. (Optional) On the left, select the organizational unit you want to apply the settings to.
  5. Click a settings category and a setting. Learn about the settings in the following section.
  6. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  7. To apply a setting, check the box or enter the required information.
  8. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Changes typically take effect in minutes, but can take up to 24 hours. For details, see How changes propagate to Google services.  

Android settings index

Open all   |   Close all

General settings

Open all   |   Back to index

Auto wipe

Automatically removes a user's work or school data from their device when any of the following occur and the user doesn't address the problem:

Before the wipe, the user gets a notification and time to fix the problem.

To turn off auto wipe, uncheck the Wipe device if it doesn't sync or falls out of compliance box.

What data is wiped

The data that’s removed depends on the management agent on the device and how the device is set up:

Android Device Policy:

  • For company-owned devices or personal devices that the user set as use for work only (your organization's management privilege is Device owner), devices are factory reset.
  • For personal devices with a work profile (your organization's management privilege is Profile owner), only the work profile is wiped. Personal data and apps remain on the devices.

Google Apps Device Policy:

The work or school account is removed. Personal data and apps remain on the device. However, if the device is in fully-managed mode and the work account is added back, all apps are removed from the device.

CTS Compliance

Supported for Android 6.0 Marshmallow or later devices running Android Device Policy

Blocks Android devices that aren't compliant with the Compatibility Test Suite (CTS). For details, see Compatibility Test Suite.

Application auditing

Allows admins to get details about apps installed on personal devices that don't have a work profile. Note: Apps are automatically audited on company-owned devices and devices with a work profile.

When you check the Audit apps on personal devices with no work profile box, devices report the following information to the Admin console:

User device wipe

Allows users with Android devices to access the Android Device Manager.

When you check the Allow users to wipe their devices from Find My Device box, a user can use Android Device Manager to find a lost device. They can also remotely ring, lock, or erase data from the device. For details, see Android Device Manager.

Older Android devices

Accommodates older devices by enforcing only those policies supported on older devices.

When turned on, older devices can continue to sync corporate data without encrypted storage. These devices can sync data even when you require encryption.

Work profile

Use work profiles to separate your organization’s apps from personal apps. Your users’ bring your own device (BYOD) personal space remains private and available only to them. For details, see What is a work profile?

Open all   |   Back to index

Work profile setup

Supported for Android 5.0 Lollipop and later devices running Google Device Policy app only. This setting doesn't apply to devices running Android Device Policy, which automatically requires a work profile on personal devices.

Controls the creation of work profiles on personal Android devices that are used in your organization.

Users can add one managed account to a device with a work profile. Within the work profile, you offer and manage corporate apps from the mobile apps list. Once installed, managed apps are marked with Android enterprise "" so they’re easy for users to distinguish from personal apps. Learn more about whitelisting Android apps.

Next to Work Profile Setup, click the Down arrow "" and choose an option:

  • User opt-in—Prompt users to create a work profile when they register their device for management. If a user decides to not set up a work profile, they can still synchronize their corporate data. However, you (and other administrators) can still protect the work or school data on the device. For example, if a device is lost, you can wipe all data from the device.
  • Enforce—Require users to set up a work profile on their device. Users can’t sync corporate data unless they accept the work profile, and they can't opt out. If Android devices without work profiles are already registered for management, users are prompted to create one. Data stops syncing to the devices until a work profile is in place. If the device doesn’t support work profiles, this setting isn’t applied. To find out if a device supports a work profile, check the device properties in your Admin console. For details, see View mobile device details.
  • Disable—Prevent device users from setting up a work profile. Existing work profiles set up on registered devices aren't affected.
Work profile password

Supported for Android 7.0 Nougat and later devices.

Enforces password settings only on apps running in a user’s work profile, and allows users to configure their own lock screen settings for their device.

To enforce password settings on the entire device, uncheck the Apply password requirements only on work profile apps box.

Note: For devices older than Android 7.0, password settings are always enforced on the entire device.

Apps and data sharing

Supported for company-owned devices and BYOD devices with work profiles, except where noted

Open all   |   Back to index

Available apps

Allows users to find and install all apps in the Google Play store or only allowed apps.

Note:

  • This setting overrides User access settings for apps in the Web and mobile app list.
  • If you select All apps, users can install any app in the Google Play store, including apps that have User access set to Off and unmanaged apps.
  • If you select Only allowed apps, users can install only apps in the Web and mobile app list. However, unmanaged apps already installed on devices stay on devices.
System apps

Supported for company-owned devices only

Allows users to install all or select system apps. System apps are preinstalled apps such as Clock and Calculator. You can allow all, block all, or select specific apps to block or allow.

Some system apps are critical to device function are still available even when you select Block all. Selecting Block all doesn’t remove access to Android apps you add to the Web and mobile app list.

For details, see Manage system apps on company-owned mobile devices.

Screen capture

Supported for Android 5.0 Lollipop and later devices.

Allows users to take screen captures on their mobile devices.

To block screen captures in work apps, uncheck the Allow screen capture box. In this case, users can get screen captures only in their personal apps.

Sharing to other profiles

Supported for Android 5.0 Lollipop and later devices, except where noted.

Allows users to share data and files from their work profile to the personal space on their device.

When you check the Allow content sharing from the work profile to the personal space box:

  • Content from the work profile can be shared with apps in the user’s personal space. For example, a user can add work documents to their personal Gmail app.
  • Caller ID information from the work profile is shown in the personal space for incoming calls.
  • (Google Workspace only, Android 7.0 Nougat and later devices) Users can search for work contacts from their personal space.
  • URLs are opened in the personal space if there’s no browser in the work profile.
  • A map app in the personal profile opens a geographic location if there’s no map app in the work profile.
Cross profile copy

Supported for Android 5.0 Lollipop and later devices with work profiles.

Allows users to copy text from any app in their work profile and paste it in any app in their personal space.

To block users from copying work data to their personal apps, uncheck the Allow pasting between the work profile and personal space box.

Android Beam

Allows users to share content between Android devices with Android Beam, which uses near field communication (NFC).

To block data sharing with Android Beam, uncheck the Allow outgoing Beam box.

Location Sharing

Supported for Android 5.0 Lollipop and later devices.

Allows users to turn on or off Google’s Location service. Apps use location information to provide location-based services, such as the ability to view commute traffic or find nearby restaurants. This setting also allows users to manage their Android device from the My Devices page.

To block Location Sharing for all apps, uncheck the Allow location sharing box.

Google Play private apps

Allows Android users to access and publish private apps in Google Play.

  • To allow users to access private apps you distribute, check the Allow users to access Google Play private apps box.
  • To allow users to create and update Android apps for internal use and distribute them to users in your domain, check the Allow users to publish and update Google Play private apps box.

For more information about private apps, see Manage Google Play private apps.

Runtime permissions

Supported for Android 6.0 Marshmallow and later devices.

Note: Denying runtime permissions can affect the functionality of some apps.

Sets the default response to permission requests from apps at runtime are handled by default. This setting is overridden by the permissions preferences that are set for an individual app in the managed apps list. For details, see Manage runtime permissions for Android apps.

Apps settings

Supported for company-owned Android 6.0 Marshmallow and later devices.

Allows users to uninstall apps, disable apps, force stop (halt processes), show notifications, and clear data, cache, or defaults.

To block users from changing app settings, uncheck Allow users to change app settings.

Verify apps

Supported for company-owned Android 6.0 Marshmallow and later devices.

Allows users to turn off Google Play Protect (formerly Verify Apps). Play Protect helps prevent the installation of harmful software on Android devices. It also periodically scans devices for potentially harmful apps. For details, see Help protect against harmful apps with Google Play Protect.

To require that Play Protect is always on, uncheck Allow users to turn off Google Play Protect.

USB file transfer

Supported for company-owned Android 6.0 Marshmallow and later devices.

Allows users to transfer files to and from their mobile devices using a USB connection.

To block file transfer over a USB connection, uncheck Allow USB file transfer.

Unknown sources

Supported for Android 5.0 Lollipop and later devices.

Prevents users from installing apps from sources other than the Google Play Store. When checked, users can still install apps from unknown sources in their personal space if the device has a work profile.

To also block app installation from unknown sources in the personal space, check the Block app installation from unknown sources in the personal profile of a work profile device box.

To allow app installation from unknown sources, uncheck the Block app installation from unknown sources box.

Developer options

Supported for Android 5.0 Lollipop and later devices.

Allows users to use developer options on their devices.

To block users from using developer options, uncheck Allow developer options. If the device has a work profile, users can still turn on developer options for their personal space. For example, users can sideload (download and then use a file manager to install) apps from their computer to their personal space, but they can't sideload apps to their work profile.

Networks

Supported for company-owned Android 6.0 Marshmallow and later devices

Open all   |   Back to index

VPN access

Allows users to add, edit, connect to, or delete a Virtual Private Network (VPN) on their device. Users can access VPN settings on their devices by tapping Settings and thenWireless & networksand thenMoreand thenVPN.

To block users from changing their device's VPN configuration, uncheck Allow VPN configuration.

Tethering

Allows users to set up and use Wi-Fi hotspots and USB or Bluetooth tethering services.

To block users from using these types of connections, uncheck Allow tethering and Wi-Fi hotspots.

Mobile networks

Allows users to change the settings for data access and roaming on their devices. This setting also allows users to take the following actions:

  • Display the mobile network name in the status bar
  • Change the access point name (APN)
  • Choose a mobile network operator

To block users from changing these settings, uncheck Allow changes to mobile network settings.

Cell broadcasts

Allows users to opt in to broadcast notifications, such as weather emergencies and missing children (AMBER) alerts, on devices equipped with SIM cards.

To block users from changing cell broadcast settings, uncheck Allow changes to cell broadcast settings.

Bluetooth

Allows users to change the Bluetooth settings on their mobile devices.

Note: For Android 6.0 Marshmallow and later, to allow users to configure Bluetooth settings, you must also allow Location Sharing (under Apps and data sharing).

To block users from changing Bluetooth settings, uncheck Allow changes to Bluetooth settings.

Wi-Fi

Allows users to change the Wi-Fi network settings on their mobile devices.

To block changes to Wi-Fi settings, uncheck Allow changes to Wi-Fi network settings.

Device features

Supported for company-owned Android 6.0 Marshmallow and later devices, except where noted

Open all   |   Back to index

Physical media

For devices with external SD card slots, allows users to move data or applications to an SD card. SD cards are used for removable storage.

To block users from copying data to external SD cards, uncheck Allow external SD cards.

Trusted credentials

Allows users to modify certificate authority (CA) forms for their work profiles in Settingsand thenSecurityand thenTrusted credentials on their mobile device.

To block changes to CA certificates, uncheck Allow changes to trusted credentials. When unchecked, users can still view CA certificates for their work profile.

Microphone

Allows the use of device microphones.

To mute the microphone and prevent it from being turned back on, uncheck Allow microphone. You might want to block microphone use to ensure that malicious apps can’t use the microphone to record sound near the device.

Speaker

Allows the use of device speakers.

To mute the speaker for apps in the work profile and prevent speakers from being turned back on, uncheck Allow speakers.

Administrator restriction PIN

Supported for Android 5.1 Lollipop and earlier devices.

When checked, the specified administrator restriction PIN is synced to user devices. The PIN must be 5 or more numbers. Users are asked to enter this PIN when they try to reset the phone, or to change Wi-Fi or Bluetooth settings.

To prevent changes to the administrator restriction PIN, uncheck the Set administrator restriction PIN remotely box. To update the PIN, you must check the box to set the new PIN and allow it to sync to devices.

Factory reset

Allows users to reset their Android device to factory settings with the Settings app. A factory reset removes all apps, data, and settings from the device, including settings configured by an administrator through device management.

If you check the Allow users to factory reset a device box, consider using the Factory reset protection to allow administrators to access a reset device.

If you uncheck the box, users can't factory reset their device with the Settings app. However, users might still be able to reset their device using its power and volume buttons.

Factory reset protection

Allows the specified administrator accounts to access a device after it’s been reset to its factory settings. For company-owned devices (devices you add to your Admin console by serial number), only the accounts you list can access the device after a factory reset. For personal devices in device owner mode, the user can access the device, too.

To add an administrator, enter their email address and click Add.

Note: Make sure you can access any associated admin accounts before you reset the device. Support can’t remotely unlock a reset device or restore it. If you have problems unlocking a reset device, contact the device manufacturer for help.

Account requirements

  • You can enter up to 10 email addresses. We recommend that you enter more than one email address in case there are problems with any of the addresses.
  • Ensure the email addresses you add are active and have never been deleted or suspended. If an account is suspended or deleted, it might not be able to access a device that’s been reset, even if the account was restored.
  • Don’t use group email addresses. Group accounts can’t access a device that’s been factory reset.

Before you reset a device

  • Sign out and remove the user’s work or school account.
  • If the user doesn’t know their password, reset it. Do this before you wipe the device. If you wait, the user might need to wait at least 24 hours before they can sign back in to the device.
Edit time

Allows users to set the date and time on their devices.

To block users from changing the date and time, uncheck the Allow user to edit the date and time box.

Data roaming

Supported for company-owned Android 7.0 Nougat and later devices.

Allows users to access data services while using the device outside the mobile carrier’s operating area.

To block internet access while roaming, uncheck the Allow user to connect to data services when roaming box.

Safeboot

Allows users to reboot their devices in safe mode. In safe mode, the device runs only standard, pre-installed apps and disables all third-party apps.

Note: For Android devices where the Google Apps Device Policy app wasn't pre-installed, safe mode disables the Google Apps Device Policy app. Without that app running, the device stops syncing your management policies and the user's access to their work or school account on the device is eventually blocked.

To prevent users from rebooting in safe mode (recommended), uncheck the Allow user to reboot their device in safe mode box.

Users and accounts

Supported for company-owned devices and personal devices with work profiles

Open all   |   Back to index

Add users

Supported for Android 6.0 Marshmallow devices only

Allows the primary device user to add user profiles to the device. Each user profile has personal space on the device for accounts, apps, and settings.

Remove users

Supported for Android 6.0 Marshmallow devices only

Allows the primary device user to remove user profiles from the device. When a user profile is removed, any accounts that were added to that profile are also removed.

Accounts

Supported for Android 5.0 Lollipop and later devices

Allows users to add and remove accounts on their device. Only one managed account can be added to devices with a work profile. To remove a managed account, the user needs to remove the work profile from their device.

To block users from changing accounts on their device, uncheck the Allow user to add and remove accounts. When unchecked, you can't turn on the Google Accounts setting and users can't add any managed Google Accounts to their device.

Google Accounts

Supported for Android 5.0 Lollipop and later devices

Allows users to add work or school accounts on their device. Only one managed account can be added to a device with a work profile.

Note: To turn on this setting, you must turn on the Accounts setting.

To block users from adding Google accounts, uncheck Allow user to add their Google Account. Users can still add their accounts in their work profile or on their device through Microsoft Exchange, IMAP, or POP3.

Lock screen features

Supported for company-owned devices and Device-owner mode personal devices with Android 6.0 Marshmallow and later

Open all   |   Back to index

Lock screen features

Allows all lock screen features.

To turn off lock screen features, uncheck the Allow lock screen features box. When unchecked, only the lock screen features in this group of settings are blocked. Features that aren't listed, such as facial recognition, aren't blocked.

To block individual lock screen features, check the Allow lock screen features box and then uncheck the boxes for the lock screen features you want to block.

Camera

Allows camera use while the device is locked.

If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.

To block camera use from the lock screen, uncheck the Allow camera box.

Fingerprint unlock

Allows users to use the device’s fingerprint reader to unlock the device.

If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.

To block unlocking the device with the fingerprint reader, uncheck the Allow fingerprint unlock.

Lock screen widgets

Supported for Android versions 4.2 Jelly Bean to 4.4 KitKat devices

Allows users to add widgets, such as email and calendar widgets, to the lock screen on their devices.

If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.

To block lock screen widgets, uncheck the Allow lock screen widgets box.

Notifications

Allows users to receive notifications while the device is locked.

If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.

To block notifications, uncheck the Allow notifications on the lock screen box. When unchecked, the Notification details setting is also turned off.

Notification details

Allows users to receive notification details while the device is locked.

If the Notifications setting is turned off, this feature is also off.

If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.

To block notification details, uncheck the Allow notification details box.

Trust agents

Allows users to use Smart Lock to keep their device unlocked in some situations, like when their phone is in their pocket or they're at home. With Smart Lock, users don't need to unlock with their PIN, pattern, or password. For details, see Set your Android device to automatically unlock.

If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.

To block Smart Lock, uncheck the Allow Smart Lock to keep a device unlocked box.

Related topics


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue