Search
Clear search
Close search
Google apps
Main menu

    Mobile audit log

    This feature is available with G Suite Business and Enterprise editions. Compare editions

    You can view all events on user’s Android and iOS® devices in your domain. To view events for Android and iOS devices:

    • The devices need to be managed using Android sync and iOS sync, respectively.
    • The user must be assigned a G Suite Business license for their mobile device to be audited.

    For example, when a user installs an app on their device, the mobile audit log records the package name (for Android devices) or bundle ID (for iOS devices), and their device type.

    Note: We recommend to set up mobile device management before working with the mobile audit log.

    You can use the mobile audit log to capture the following events. You can set an alert to be notified when an event occurs.

    Access the Mobile audit log

    There are several ways to access the Mobile audit log.

    From the Reports page:

    1. Sign in to your Google Admin console.

      Sign in using your administrator account (does not end in @gmail.com).

    2. From the dashboard, click Reports and then Audit and then Mobile devices

    From the Insights page:

    1. Sign in to your Google Admin console.

      Sign in using your administrator account (does not end in @gmail.com).

    2. From the dashboard, click Device management and then Insights and then Mobile audit.
      Learn more

    From the Mobile devices page:

    1. Sign in to your Google Admin console.

      Sign in using your administrator account (does not end in @gmail.com).

    2. From the dashboard, click Device management and then Mobile devices and then Show audit events.
       Learn more

    How to read the tables

    Each event description includes a table to help you understand the type of information you can filter for the event, and how to read the event log. Each event table includes these columns:

    • Property checked—The mobile device property the event audits.
    • Sub-filters (type)—Choose how you want to filter the data.
    • Audit occurs—The time at which the system audits the information—immediately or at the next sync (when the device syncs with your business domain).
    • Platform—The platform that supports the event—Android, iOS, or both.

    Open all   |   Close all

     

    Account registration change

    You can monitor the registration state of devices in your domain. When a device is registered, you can view its device details. The system records an account registration change each time a user adds their managed account on a new device, or unregisters their account.

    For example, the event log contains an entry, such as Username account registered on Nexus 6P with device administrator privilege.

    There are three types of privileges:

    • Device owner. Corporate-owned devices configured to recognize the company as the device owner.
    • Work profile. Users’ personal devices configured with managed work profiles that are separate from their personal space.
    • Device administrator. Users’ personal devices configured with managed accounts within their personal space.

    To monitor an account registration change:

    1. Click Event name and then Account registration change.
       
      Property checked Sub-filters (type) Audit occurs:
      Immediately,
      Next sync
      Platform:
      Android, iOS

      Registered, Unregistered

      Registration State (drop-down):

      Registered Unregistered

      Immediately

      Android, iOS

    2. Select the registration state you want to monitor: Registered, or Unregistered.

      Registered: The user has completed adding a managed account for this domain to the device.

      Unregistered: The user unregistered an account on the device. The user can no longer use the account on that device.
    Device application change

    You can monitor device application changes in your domain. For example, if you become aware of a new malware app, you can discover which users installed the app in your domain.

    The system records a device application change each time a user installs, uninstalls, or updates an app on their device. 

    • Android devices—For Android devices, where the Device Policy app has Device administrator privileges: If you're not seeing any device application change entries in the audit log, ensure that Enable application auditing in personal space is set.
       
    • iOS devices—For iOS devices, only the managed apps installed using the Device Policy app are audited.

    Application auditing is automatically enabled for devices with a work profile (work profile auditing), and for devices registered in Device Owner mode.

    To monitor device application changes:  

    1. Click Event name and then Device application change.
       
      Property checked Sub-filters (type) Audit occurs:
      Immediately,
      Next sync
      Platform:
      Android, iOS

      Device application change

      Application Event (drop-down):

      Install
      Uninstall
      Update

      Package Name (text-box)

      2 Application Hash (text-box):
        Enter the SHA-256 hash of the
        the application package.

      1

      Android, iOS

      1 Android devices—If an app is installed, updated, or removed, the audit is immediate. 

      iOS devices—The audit is on the next sync.

      2 Applicable only for Android devices.

       

    2. Enter the package name of the app in the Application package name field.
    3. (Optional) Enter the hash of the application package in the Application hash field.

      Application hash is an optional column that shows the SHA-256 hash application package installed on the device. 
    4. Under Application event, select the event type you want to filter: Install, Uninstall, or Update.
    Device compliance status

    You can check whether or not Android devices comply with your organization’s policies. If there’s a change to a device that makes it noncompliant with a policy, it’s marked as not compliant in the mobile devices report. For example, you enforce a minimum password length of 6 characters, and a user changes their device password to 5 characters. The device is marked not compliant because it doesn’t adhere to your password policy.

    A device is marked not compliant if it:

    To check a device, go to the Mobile Devices report and click Event name and then Device compliance status.

    Property checked Sub-filters (type) Audit occurs:
    Immediately,
    Next sync
    Platform:
    Android, iOS

    Compliance status:

    Compliant, Not compliant

    Not applicable  Next sync Android

     

    Device compromise

    You can monitor your domain for compromised devices. A device becomes compromised when it is rooted. For example, a compromised device can indicate a potential security threat.

    The system records an entry each time a user’s device is compromised, or no longer compromised. 

    To check for compromised devices:  

    Click Event name and then Device compromise.

    Property checked Sub-filters (type) Audit occurs:
    Immediately,
    Next sync
    Platform:
    Android, iOS

    Compromise status:

    Compromised, No longer compromised

    Not applicable  Next sync Android

     

    Device OS update

    You can monitor updates to mobile device OS properties. For example, you would like to audit when users have updated to the latest device OS or security patch.

    • Android devices—For Android devices, the system records an entry each time a user updates the OS version, build number, kernel version, baseband version or security patch on their device.
       
    • iOS devices—For iOS devices, the system only records updates to OS version and build number.

    To monitor device OS updates:  

    1. Click Event name and then Device OS update.
       
      Property checked Sub-filters (type) Audit occurs:
      Immediately,
      Next sync
      Platform:
      Android, iOS

      OS version
      Build number
      Kernel version
      (Android only)
      Device baseband version
      (Android only)
      OS security patch (Android only)

      System Properties
      (drop-down):

      OS version
      Build number
      Kernel version
      Device baseband version
      OS security patch

      Immediately
      (Android) 

      Next sync
      (iOS)

      Android, iOS
    2. Select the system property you want to monitor:  OS version, build number, kernel version, baseband version, or security patch. 

       
    Device ownership

    You can monitor device ownership changes on your company-owned mobile devices. For example, you might want to know which personal devices were changed to company-owned after they were imported, or which company-owned devices were changed to personal devices after they were deleted. The system records an entry for each device ownership change.

    To monitor device ownership changes:  

    Click Event name and then Device ownership.

    Property checked Sub-filters (type) Audit occurs:
    Immediately,
    Next sync
    Platform:
    Android, iOS

    Device ownership:

    Company-owned

    Personal

    Not applicable

    Company-owned:
    Immediately

    Personal:
    Next sync

    Android

    1 Audit occurs immediately after the company-owned device is created as part of the bulk import.

    2 Audit occurs at the next sync after the company-owned device is deleted.


     

    Device settings change

    You can monitor device settings changes on your managed mobile devices. For example, you might want to know if a user has turned on developer options on their device. The system records an entry each time a user changes the USB debugging, unknown sources, developer options or verify apps setting on their device. 
     

    To monitor device settings changes:  

    1. Click Event name and then Device settings change.
       
      Property checked Sub-filters (type) Audit occurs:
      Immediately,
      Next sync
      Platform:
      Android, iOS

      Developer options
      Unknown sources
      USB debugging
      Verify apps

      Setting (drop-down):

      Developer options
      Unknown sources
      USB debugging
      Verify apps

      Next sync Android
    2. Select the type of setting change you want to monitor: Developer options, Unknown sources, USB debugging, or Verify apps.
       
    Failed password attempts

    You can monitor the number of failed attempts by a user to unlock a device. For example, someone might have stolen the device.

    An event is generated only if there are more than five failed attempts to unlock a user's device. You can use a filter to show only events where the number of failed attempts is above a specified number.

    To monitor failed password attempts:

    Click Event name and then Failed password attempts.
     

    Property checked Sub-filters (type) Audit occurs:
    Immediately,
    Next sync
    Platform:
    Android, iOS

    Number of consecutive 
    failed password attempts

    Greater than (text-box): 

    Enter a numeric value to find
    the number of failed password 
    attempts greater than that value.

    Immediately Android


     

    Suspicious activity

    You can track suspicious activity affecting devices in your domain. For example, if you discover a device model has changed, but the device has not changed, this would be suspicious activity requiring further investigation. 

    • Android devices—For Android devices, the system records an entry each time any one of the following device properties changes on a user’s device: Device model, serial number, Wi-Fi MAC address, device policy app privilege, manufacturer, device brand, device hardware, or bootloader version. 
       
    • iOS devices—For iOS devices, the system only records changes to the Wi-Fi MAC address.

    To monitor suspicious activity:

    1. Click Event name and then Suspicious activity.
       
      Property checked Sub-filters (type) Audit occurs:
      Immediately,
      Next sync
      Platform:
      Android, iOS

      Device model
      Serial number
      Wi-Fi MAC address
      Device policy app privilege 
      (Device Owner, Profile Owner, 
      Device Administrator, Unknown) 
      Manufacturer
      Device brand
      Device hardware
      Bootloader version

      Device property
      (drop-down):


      Device model
      Serial number
      Wi-Fi MAC address
      Device policy app privilege
      Manufacturer
      Device brand
      Device hardware
      Bootloader version
      Next sync Android, iOS
    2. Select the device property you want to monitor: device model, serial number, Wi-Fi MAC address, or device policy app privilege, manufacturer, device brand, device hardware, bootloader version. 
       
    Work profile support

    You can verify if an Android device supports work profile. For example, this event informs you when a device user has upgraded the OS version and the device is a work profile compliant device.

    The system records an entry for each user’s device that supports Android in the enterprise.

    To monitor the devices that support Android in the enterprise

    Click Event name and then Work profile support.

    Property checked Sub-filters (type) Audit occurs:
    Immediately,
    Next sync
    Platform:
    Android, iOS
    Work profile support Not applicable Immediately Android

    Customize and export your log data

    Filter the audit log data by user or activity

    You can narrow your audit log to show specific events or users. For example, find all log events for when users created or failed while entering their password, or find all suspicious activity for a particular user.

    1. Open your audit log as shown above.
    2. If you don't see the Filters section, click Filter Filter.
    3. Enter or select the criteria for your filter. You can filter on any combination of the data you can view in the log.
    4. Click Search.

    Export your audit log data

    You can export your Mobile audit log data to a Google Sheet, or download it to a CSV file.

    1. Open your audit log as shown above.
    2. (Optional) To change the data to include in your export, on the toolbar, click Select columns Select columns.
    3. On the toolbar, click Download Download.

    You can export up to 210,000 cells. The maximum number of rows depends on the number of columns you select.

    How old is the data I'm seeing?

    You won’t see complete data up to the present day. Instead, under the graph heading you'll see the latest date for the column data. 

    Occasionally, you'll see an asterisk "*" next to a column name. This indicates that the data in this particular column might be stale compared to the data in other columns on the same page.

    For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.

    Set up email alerts

    You can easily track specific mobile device activities by setting up alerts. For example, get an alert whenever someone creates or deletes a calendar.

    1. Open your audit log as shown above.
    2. If you don't see the Filters section, click Filter Filter.
    3. Enter or select the criteria for your filter. To set up an alert, you can filter on any combination of the data you can view in the log except date and time range.
    4. Click Set Alert.
    5. In the Set alert: Mobile box, enter a name for the alert.
    6. Check the box to deliver the alert to the account super administrators.
    7. Enter the email addresses of any other alert recipients.
    8. Click Save.

    To edit your custom alerts, see Administrator email alerts.

    Was this article helpful?
    How can we improve it?
    Sign in to your account

    Get account-specific help by signing in with your G Suite account email address, or learn how to get started with G Suite.