Control what devices can access your data

If you have the legacy free edition of G Suite, upgrade to G Suite Basic to get this feature. 

As an administrator, you can individually review each device that requests access to corporate data.

Before you begin

What you need to do...

  • To approve or block mobile devices, you need advanced mobile management.
  • To tag endpoint verification devices as approved or blocked, you need to set up endpoint verification.

What you need to know...

  • Company-owned devices—Devices that are registered by serial number are approved automatically, even if you set up device approvals. For details, see Set up Android devices your company owns.
  • Apple® iOS® devices—If you set up your network to allow Wi-Fi access, that access is available while device approval is pending. After you approve devices, users will also have access to corporate apps and data.
  • (G Suite only) Google Sync devices—When device approval is pending, users get an error if they try to sync the device to G Suite. If you specified an email address to receive notifications for new device activations, you might receive duplicate notifications for pending device activations. However, you only need to approve the device once.
  • Endpoint verification devices—Approving or blocking a device doesn’t change the device’s ability to access corporate data. Instead, it adds a tag to the device that can be used to configure access levels with Access Context Manager.

Require new devices to be reviewed

Normally, devices are automatically approved when users add their account to the device. This means mobile devices can access your organization’s data right away, and endpoint verification devices are tagged as approved. Your organization can require an admin to review devices first, before they’re approved.

Step 1: Require an admin to review devices
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. On the left, click Setup.
  4. Click Device Approvals.
  5. (Optional) To customize device approvals across organizational units, on the left, select an organization.
  6. Check the Requires Admin approval box.  
  7. (Optional) Enter an email address to get notifications when users enroll their devices.
    Tip: Instead of an individual email address, use a group email address that includes all administrators who can activate devices. 
  8. Click Save.

Step 2: Review devices for approval

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. On the left, click Device Approvals.
  4. Review the list of devices that requested access to corporate data.
  5. Choose an option: 
    • To allow devices to access corporate data and to tag endpoint verification devices as approved, select the devices and click Approve.
    • To prevent devices from accessing corporate data and to tag endpoint verification devices as blocked, select the devices and click Block.
      Note: If you tag an endpoint verification device as blocked, it can still access corporate data until you enforce Access Context Manager policies.

When a user adds a corporate account to their mobile device, they see a message that an administrator needs to activate the device. Once a device is approved, the user can synchronize corporate data to the device.
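
The endpoint verification notes above say that the approved or blocked tag only affects access through Access Context Manager access levels. As an added example (not part of the original page), a basic access level spec that requires the approved tag could look like this; the file name, LEVEL_NAME, the title, and POLICY_ID are placeholders.

```yaml
# approved-devices.yaml (constructed example; the file name is a placeholder)
# Basic access level spec for Access Context Manager: a list of conditions.
# A request meets the level only if the device satisfies the device policy.
- devicePolicy:
    # Require the device to be approved by an admin. Devices left pending
    # or tagged as blocked in Device Approvals do not meet this condition.
    requireAdminApproval: true

# Create the level from this file (LEVEL_NAME and POLICY_ID are placeholders):
#   gcloud access-context-manager levels create LEVEL_NAME \
#     --title="Admin-approved devices" \
#     --basic-level-spec=approved-devices.yaml \
#     --policy=POLICY_ID
```

The level changes nothing until it is enforced, which is why a device tagged as blocked keeps its access in the meantime.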
