Search
Clear search
Close search
Google apps
Main menu
true

Apply settings for Android mobile devices

  If you have the legacy free edition of Google Apps, upgrade to G Suite to get this feature. 

As an administrator, you can control how users access and interact with their Android device by applying policy settings.

To use the settings, you need to choose advanced management when you set up mobile device management.

Some of these settings are available only for company-owned devices. You can set up management specifically for company-owned Android devices.

Find the settings

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. On the left, click Android Settings.
  4. (Optional) On the left, select the organization to which you want to apply the settings.
  5. Select a category and next to the setting, check the box to apply it. For details about each setting, see Learn about the settings.
  6. After you make a change, click Save.

Learn about the settings

Open all   |   Close all

General settings

You can manage user application auditing, account sync and wipe, lock screen details and widgets, and the Android Device Manager.

Application Auditing
Allows users to audit their apps on the Mobile devices page. The Google Apps Device Policy makes this setting work, and administrator privilege is required.
Auto Account Wipe
Automatically removes corporate account data when a device reaches a specified number of days of inactivity. The user is prompted to reconnect to the Internet and sync the device before the system removes the account. The Google Apps Device Policy performs this operation. Enter the number of days allowed to elapse after the last sync operation before removing the account.
Notifications
Shows notifications, such as email senders and subjects, on locked devices. Uncheck this box to prevent the device from showing notification details. This setting applies to users accessing corporate data through work profiles on their personal devices, and users using corporate devices. This setting is supported on Android 5.0 Lollipop devices and later.
Allow lock screen widgets
Controls whether users can add widgets, such as email and calendar widgets, to the lock screen on their devices. Lock screen widgets are supported on Android versions 4.2 Jelly Bean to 4.4 KitKat.
User Remote Wipe on Android
Allows users with Android devices to access the Android Device Manager. If a user loses their Android device they can use Android Device Manager to find it. They can also remotely ring, lock, or erase data from the device. For details, see Android Device Manager
Older Android devices
Accommodates older devices by enforcing only those policies supported on older devices. For example, applying this setting allows older devices to continue to sync with G Suite without encrypted storage, even when you apply the setting that requires encryption for Android 3.0 Honeycomb and later devices.

Work profile

Android 5.0 Lollipop and later devices 

Use work profiles to separate your organization’s apps from personal apps. You can offer and manage apps through your whitelist. Your users’ bring your own device (BYOD) personal space remains private and available only to them. For details, see What is a work profile? 

Work Profile Setup
Android 5.0 Lollipop and later devices
Controls the creation of work profiles on personal Android devices that are used in your organization. 
Users can add one managed G Suite account to a device with a work profile. Within the work profile, you offer and manage corporate apps using a whitelist. Once installed, managed apps are marked with Android enterprise Android enterprise so they’re easy for users to distinguish from personal apps. Learn more about whitelisting Android apps.
Next to Work Profile Setup, click the Down arrow Down Arrow and choose an option:
  • User opt-in—Select this option to prompt users to create a work profile when they register their device for management. If a user decides to not set up a work profile, they can still synchronize their corporate data. However, you (and other administrators) can still make changes to protect the corporate data on the device. For example, if a device is lost, you can wipe all data from the device.
  • Enforce—Select this option to require users to set up a work profile on their device. Users can’t sync corporate data unless they accept the work profile, and they don’t have the option to opt out. If Android devices without work profiles are already registered for management, users are prompted to create one. Data stops syncing to the devices until a work profile is in place. If the device doesn’t support work profiles, this setting isn’t applied. Check the device properties in your Admin console to find out if a device supports a work profile. For details, see View mobile device details.
  • Disable—Select this option to prevent device users from setting up a work profile. Existing work profiles set up on registered devices are not affected.

Apps and data sharing

You can give users permission to install apps. You can also control what users can share from installed apps. These settings apply to company-owned devices and BYOD devices with work profiles, except where noted.

Apps Settings
Allows users to show notifications, force stop (halt processes), uninstall updates, disable apps, and clear data, cache, or defaults. Supported for Android 6.0 Marshmallow and later company-owned devices only.
Verify Apps
Allows users to turn off the Verify Apps setting. The setting helps prevent harmful software from being installed. It also periodically scans devices for potentially harmful apps. Supported for Android 6.0 Marshmallow and later on company-owned devices only. For details, see Protect against harmful apps.
USB file transfer
Allows users to transfer files to and from their mobile devices using a USB connection. Supported for Android 6.0 Marshmallow and later, on company-owned devices only.
Unknown Sources
Allows users to install apps from other sources in addition to the Google Play Store. Uncheck this box to offer additional security by preventing app installation from unknown sources. Supported for Android 5.0 Lollipop and later.
Developer Options
Allows users to use developer options on their devices. If you disable this setting, users with Android enterprise on their device can still enable developer options on their device for their personal space, but not for their work profile. For example, users can sideload (download and then use a file manager to install) apps from their computer to their personal space, but they can't do this in their work profile. Supported for Android 5.0 Lollipop and later.
Location Sharing
Allows users to turn on or off Google’s location service. Apps use location information to provide location-based services, such as the ability to view commute traffic or find nearby restaurants. This setting also allows users to manage their Android device from the My Devices page. Supported for Android 5.0 Lollipop and later.
Screen Capture
Allows users to take screen captures on their mobile devices. If you turn off this setting, users are limited to screen captures with their personal applications. Supported for Android 5.0 Lollipop and later.
Sharing to other profiles

This setting is supported for Android 5.0 Lollipop and later devices, except where noted.

Controls whether users can share data and files, such as photos, from their work profile to the personal space on their device. 

When you check the Allow content sharing from Work Profile to personal space box: 

  • Content from the work profile can be shared with apps in the user’s personal space. For example, a user can add work documents to their personal Gmail app. 
  • Caller ID information from the work profile is shown in the personal space for incoming calls.
  • Users can search for G Suite contacts from their personal space (Android 7.0 Nougat and later only).
  • URLs are opened in the personal space if there’s no browser in the work profile.
  • A map app in the personal profile opens a geographic location if there’s no map app in the work profile.
Cross Profile Copy Paste
Allows users to copy text from any app in their work profile and paste it using any app in their personal space. Supported for Android 5.0 Lollipop and later.  
Android Beam
Allows device users to share content through Android Beam via near field communication (NFC). Uncheck the box to prevent using Android Beam.

Users and accounts

Company-owned devices and personal devices with work profiles

Add Users

Android 6.0 Marshmallow and later company-owned devices

Allows the primary device user to add user profiles to the device. Each user profile has personal space on the device for accounts, apps, settings, and more. 

Remove Users

Android 6.0 Marshmallow and later company-owned devices

Allows the primary device user to remove user profiles from the device. When a user profile is removed, any accounts that were added to that profile are also removed.

Accounts

Android 5.0 Lollipop and later devices

Controls whether users can add and remove accounts in the work profile on their device. 

Only one managed G Suite account can be added to devices with a work profile. To prevent users from adding other types of accounts, uncheck the Allow account addition and removal box.

Google Accounts

Android 5.0 Lollipop and later devices

Allows users to add Google or G Suite accounts in the work profile on their device. Before you can turn this setting on, the Accounts setting (above) must also be on. 

Only one managed G Suite account can be added to a device with a work profile. If you turn the Accounts setting off, users can still add Google Accounts in their work profile or on their device through Microsoft® Exchange®, IMAP, or POP3.

Networks

You can manage the way users access networks. These settings are available for company-owned, Android 6.0 Marshmallow and later devices. 

WiFi
Allows users to change the Wi-Fi network settings on their mobile devices. 
Bluetooth
Allows users to change the Bluetooth® settings on their mobile devices. For Android 6.0 Marshmallow and later, if you want to allow Bluetooth configuration, remember to apply the Location sharing setting (under Apps and Data Sharing) to enable it to work.
VPN access
Allows users to add, edit, connect to, or delete a Virtual Private Network (VPN) on their device. Users can access VPN settings on their devices by tapping Settings > Wireless & networks > More > VPN.
Tethering
Allows users to configure and use Wi-Fi hotspot and USB or Bluetooth tethering services.
Mobile Networks
Allows users to change the settings for data access and roaming on their devices. This setting also allows users to choose whether or not to display the mobile network name in the status bar, to change the access point name (APN), and to choose a mobile network operator. 
Cell Broadcasts
Allows users to receive broadcast notifications, such as weather emergencies and missing children (AMBER) alerts, on devices equipped with SIM cards. 

Device features

You can give users access to hardware options. These settings are available only for company-owned Android 6.0 Marshmallow and later devices, except where noted.

Physical Media
Allows users to insert an SD card and move data or applications to the card, on those devices with external SD card slots. SD cards are generally used for removable storage. 
Trusted Credentials
Allows users to modify certificate authority (CA) forms for their work profiles in Settings > Security > Trusted credentials on their mobile device. If unchecked, users can still view CA certificates for their work profile; however, they can't modify them. 
Microphone
Allows the use of device microphones. Uncheck this box to mute the microphone and prevent it from being turned back on. Leaving the microphone off ensures that malicious apps can’t use the microphone's functionality to record sound near the device. 
Speaker
Allows the use of device speakers. Uncheck this box to mute the speaker for apps in the work profile and prevent it from being turned back on. 
Administrator Restriction PIN Settings
Continues to sync the administrator restriction PIN with user devices. With this setting applied, users are asked to enter this PIN if they try to reset the phone, or to change Wi-Fi or Bluetooth settings. (The PIN needs to be numeric and have at least 5 characters.) If you uncheck this box, the previous administrator restriction PIN is recognized, and you can't change the administrator restriction PIN again until you re-apply this setting.
Factory Reset

Controls whether users can reset the device to its factory settings. A factory reset removes all apps, data, and settings from the device. The settings that are removed include those that are set by a G Suite administrator using device management. 

If you turn this setting on, consider using the Factory Reset Protection Setting to allow administrators to access a reset device. This can help to prevent locked devices if the user is unable to access their account after the device is reset.

Factory Reset Protection Setting

Allows specific administrator accounts to access a device after it’s been reset to its factory settings. For company-owned devices (those that you add to your Admin console by serial number), only the accounts you list can access the device after a factory reset. For personal devices in device owner mode, the user can access the device, too. For details, see Know the differences between personal and company-owned devices.

Click Add an account and enter the email addresses of the admins who you want to allow to access the device after a factory reset.

Note: If you use this setting and need to reset a device to factory settings, make sure you can access any associated admin accounts before you reset the device. (See Tips below.) G Suite support can’t remotely unlock a reset device or restore it. If you have problems unlocking a reset device, contact the device manufacturer for help.

Tips

  • You can enter up to 10 email addresses. We recommend that you enter more than one email address in case there are problems with any of the addresses you enter. 
  • Ensure the email addresses you add are active and have never been deleted or suspended. If an account is suspended or deleted, it might not be able to access a device that’s been reset, even if the account has been restored. 
  • Don’t enter any group email addresses—they can’t access a device that’s been factory reset.
  • Before you reset a device:
    • Sign out and remove the user’s G Suite account.
    • If the user doesn’t know their password, reset it. Do this before you wipe the device. If you wait, the user might need to wait at least 24 hours before they can sign back in to the device.
Edit time
Allows users to set the date and time on their devices. Uncheck the box to prevent users from setting the date and time.
Data roaming
Allows users to access data services while roaming (using the device outside the cell phone carrier’s operating area). Uncheck the box to prevent Internet access while roaming. This setting is only available for company-owned Android 7.0 Nougat and later devices.
Safeboot
Allows users to reboot their devices in safe mode, where the device reboots with only standard, pre-installed apps running, and third-party apps disabled. Uncheck the box to prevent users from rebooting in safe mode. 
For Android devices where the Google Apps Device Policy app is not pre-installed, allowing the user to go into Safe Boot mode prevents the device policy app from running, which means that corporate access is eventually blocked on the device. We recommend to not allow Safe Boot access. 

Want more mobile device management settings?

Consider applying Password settings and Advanced settings.

See how to apply Apple® iOS® settings.

Was this article helpful?
How can we improve it?
Sign in to your account

Get account-specific help by signing in with your G Suite account email address, or learn how to get started with G Suite.