Control what devices can access your data

If you have the legacy free edition of G Suite, upgrade to G Suite Basic to get this feature. 

As an administrator, you can individually review each device that requests access to corporate data. In the Google Admin console you can:

  • Approve or block mobile devices to control whether they can access your organization’s data. 
  • Tag endpoint verification devices as approved or blocked. You can use the tag to configure access levels in Access Context Manager.

Before you begin

What you need to do...

  • To approve or block mobile devices, you need advanced mobile management.
  • To tag endpoint verification devices as approved or blocked, you need to set up endpoint verification.

What you need to know...

  • Company-owned devices—Devices that are registered by serial number are approved automatically, even if you set up device approvals. For details, see Set up Android devices your company owns.
  • Apple® iOS® devices—If you set up your network to allow Wi-Fi access, that access is available while device approval is pending. After you approve devices, users will also have access to corporate apps and data.
  • (G Suite only) Google Sync devices—When device approval is pending, users get an error if they try to sync the device to G Suite. If you specified an email address to receive notifications for new device activations, you might receive duplicate notifications for pending device activations. However, you only need to approve the device once.
  • Endpoint verification devices—Approving or blocking a device doesn’t change the device’s ability to access corporate data. Instead, it adds a tag to the device that can be used to configure access levels with Access Context Manager.

Require new devices to be reviewed

Normally, devices are automatically approved when users add their account to the device. This means mobile devices can access your organization’s data right away, and endpoint verification devices are tagged as approved. Your organization can require an admin to review devices first, before they’re approved.

Step 1: Require an admin to review devices
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. On the left, click Setup.
  4. Click Device Approvals.
  5. (Optional) To customize device approvals across organizational units, on the left, select an organization.
  6. Check the Requires Admin approval box.  
  7. (Optional) Enter an email address to get notifications when users enroll their devices.
    Tip: Instead of an individual email address, use a group email address that includes all administrators who can activate devices. 
  8. Click Save.

Step 2: Review devices for approval

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. On the left, click Device Approvals.
  4. Review the list of devices that requested access to corporate data.
  5. Choose an option: 
    • To allow mobile devices to access corporate data and to tag endpoint verification devices as approved, select the devices and click Approve.
    • To prevent mobile devices from accessing corporate data and to tag endpoint verification devices as blocked, select the devices and click Block.
      Note: If you tag an endpoint verification device as blocked, it can still access corporate data until you enforce Access Context Manager policies.

When a user adds a corporate account to their mobile device, they see a message that an administrator needs to activate the device. Once a device is approved, the user can synchronize corporate data to the device.

Block, unblock, and delete devices

When you block or delete a mobile device, the device stops syncing corporate data. The user can still access corporate data that’s already saved on the device. To remove all corporate data from the mobile device, wipe the account or device. For details, see Remove corporate data from a mobile device.

When you block or delete an endpoint verification device, the device can still access corporate data until you enforce Access Context Manager policies.
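
The tag on an endpoint verification device affects access only when an access level checks it. As an added example (not part of the original article), this is a conditions file for a basic access level in Access Context Manager that requires the approved tag. It assumes the requireAdminApproval device-policy attribute and the gcloud command shown in the comments; the file name, the level name and POLICY_ID are placeholders.

```yaml
# approved-devices.yaml: conditions for a basic access level (constructed example).
#
# Before: a condition like this one ignores the Approved/Blocked tag, so an
# endpoint verification device tagged as blocked still satisfies the level.
#
# - devicePolicy:
#     requireScreenlock: true
#
# After: the device must also have been approved by an admin.
- devicePolicy:
    requireScreenlock: true
    requireAdminApproval: true

# Create the level from this file (level name and POLICY_ID are placeholders):
#   gcloud access-context-manager levels create approved_devices \
#     --title="Approved devices" \
#     --basic-level-spec=approved-devices.yaml \
#     --policy=POLICY_ID
```

The level restricts access only for the resources it is applied to. Until it is applied, blocking or deleting an endpoint verification device changes nothing about what that device can reach.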

Block a device

You can block devices when their status is Pending or Approved.
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. Click Mobile devices.
  4. Choose an option: 
    • To block a mobile device, click Mobile devices.
    • To block an endpoint verification device, click Endpoint Verification.
  5. Choose an option: 
    • To block one device, point at the device and click Block.
    • To block multiple devices, select the devices and click More and then Block Devices.

The device’s status changes to Blocked. Blocked devices stay in your devices list until you delete them.

Unblock a device

Unblocking a mobile device allows the device to sync corporate data. Unblocking an endpoint verification device adds an Approved tag to the device. 
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. Choose an option: 
    • To unblock a mobile device, click Mobile devices.
    • To unblock an endpoint verification device, click Endpoint Verification.
  4. Click Exception for the blocked device and click Unblock Device.
  5. Click Unblock Device.

The device’s status changes from Blocked to Compliant or Non-compliant, depending on its compliance with your organization’s policies. 

Delete a device

When you delete a mobile device, the device stops syncing corporate data, but no information is removed from it. If you want to remove corporate data from the device, wipe the account or device before you delete it. For details, see Remove corporate data from a mobile device.

When you delete an endpoint verification device, the device continues to sync corporate data, but you can’t see the device in your Admin console.
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. Choose an option: 
    • To delete a mobile device, click Mobile devices.
    • To delete an endpoint verification device, click Endpoint Verification.
  4. Select the devices you want to delete and then click More and then Delete Devices.

Deleted devices are removed from the list of managed devices.
