Devices audit log
This feature is available with G Suite Business and Enterprise editions, or Drive Enterprise edition. Compare editions
You can see a report of activities on computers and mobile devices that are used in your organization. For example, you can see if a user’s account was added to a device or if a device’s password doesn’t comply with your password policy. You review the various device activities in a devices audit log in the Google Admin console. You can also set an alert to be notified when an activity occurs.
Before you begin
- To see all audit events for mobile devices, the devices need to be managed using advanced mobile management. For details, see Set up advanced mobile device management.
- You can’t see activities for devices that sync corporate data using Google Sync.
If you move from the G Suite Business or Enterprise edition to G Suite Basic, the audit log stops collecting data on new events. However, old data is still visible to administrators.
View events for all devices
From the Admin console Home page, do one of the following:
- Go to Reports Audit Devices.
- Go to Device Management Insights Device audit.
To see Reports or Device management, you might have to click More controls at the bottom.
- On the toolbar, click Select columns . Then, select the data you want to show in your log.
- See steps below for how to understand and customize the log data.
View events for a specific device
From the Admin console Home page, go to Device Management Mobile devices.
To see Device Management, you might have to click More controls at the bottom.
Choose an option:
Click Mobile devices to see your managed mobile devices.
Click Endpoint Verification to see laptop and desktop devices that use Endpoint Verification.
On the left, click Company owned inventory to see devices that your organization owns.
Select one or more devices and click More View audit info.
Note: From your company-owned inventory, select the devices and click View audit info .
(Optional) On the toolbar, click Select columns . Then, select the data you want to show in your log.
See steps below to understand and customize the log data.
|Device ID||Identifier for the device that the event happened on.|
|Event name||Name of the event that was logged, such as an account registration change, sign-in challenge, or a failed unlock attempt. For details, see the event descriptions below.|
|Event description||Details of the event that happened on the device.|
|Date||Date and time that the event occurred (displayed in your browser's default time zone).|
|User||Name of the user who performed the event on the device.|
|Device type||Type of device that the event happened on. For example, Android or iOS.|
|Application hash||For app-related events, the SHA-256 hash of the application package.|
You see an audit log entry for each of the following event types. On the left of the Admin console, you can use the Event name filter to filter your audit log by these events. (If you don't see Filters on the left, click Filter .) For some events, you can narrow your audit log results using sub-filters.
|Event name||Description||Sub-filters||Supported devices|
|Account registration change||
Registration state of a device in your organization changed. An entry is recorded each time a user adds their managed account on a new device, or unregisters their account from a device.
For Android devices, you also see the device privilege the account is registered with. For details about device privileges, see Policy profile information.
Example: User’s account registered on Nexus 6P with device administrator privilege.
Registered—User added a managed account to the device.
Unregistered—User unregistered an account on the device. The user can no longer use the account on that device.
|Device action event||
Status of an action carried out on a device by an admin.
Example: Account Wipe with id 1234 on user’s Pixel 2 is Pending.
|Device OS update||
A device's OS property was updated.
For iOS devices, the system only records updates to OS version and build number.
Example: OS Version updated on user’s Nexus 5 from 8.0 to 8.2.
A user’s managed account synced on the device.
Example: Username’s account synced on Nexus 6P.
|Device application change||
A user installed, uninstalled, or updated an app on their device.
Android devices—Events are logged immediately. If you don’t see any entries in the audit log, make sure the application auditing setting is on.
iOS devices—Events are logged the next time the device syncs. Only managed apps installed using the Device Policy app are audited.
Example: com.android.chrome version 50.0.2645.0 was deleted from user's Nexus 5.
Application Event—Install, uninstall, update
Package Name—Name of the application package
Application Hash—SHA-256 hash of the application package (Android only)
|Device compliance status||
Whether or not the device complies with your organization’s policies.
A device is marked not compliant if it:
Example: User's Nexus 6P is not compliant with set policies because device is not adhering to password policy.
Whether or not the device is compromised. Devices can become compromised if they’re rooted or jailbroken—processes that remove restrictions on a device. Compromised devices can be a potential security threat.
The system records an entry each time a user’s device is compromised or no longer compromised.
Example: User's Nexus 5 is compromised.
Whether the ownership of the device changed.
For example, a personal device was changed to company-owned after its details were imported into the Admin console.
This audit occurs immediately after a company-owned device is added to the Admin console. If a company-owned device is deleted from the Admin console, the audit occurs at the next sync (after it’s re-enrolled for management).
Example: Ownership of user’s Nexus 5 has changed to company owned, with new device id abcd1234.
|Device settings change||
The device user changed the developer options, unknown sources, USB debugging, or verify apps setting on their device.
This event is recorded the next time the device syncs.
Example: Verify Apps changed from off to on by user on Nexus 6P.
|Failed screen unlock attempts||
The number of failed attempts by a user to unlock a device.
An event is generated only if there are more than 5 failed attempts to unlock a user's device.
Example: 5 failed attempts to unlock user's Nexus 7.
Greater than—Enter a number to only display failed attempts greater than that number.
Suspicious activity was detected on the device.
Android—The system records an entry each time any one of the device properties listed in the sub-filters changes on a user’s device.
Example: WiFi MAC address changed on user's Nexus 5 from x to y.
|Work profile support||
The device supports work profiles.
For example, this event informs you when a user upgrades the OS version so the device becomes work profile compliant.
The system records an entry for each device that supports work profiles.
Example: Work profile is supported on user's Nexus 5.
Step 3: Customize and export your log data
Filter the audit log data by user or activity
You can narrow your audit log to show specific events or users. For example, find all log events for failed attempts at unlocking a device. Or, find all suspicious activity for a particular user.
- Open your audit log (details above).
- If you don't see the Filters section, click Filter .
- Select or enter the criteria for your filter. You can choose events, users, devices, and dates. For details about each event type and the corresponding filters, see Event descriptions (above).
- Click Search.
Filter by organizational unit
You can filter by organizational unit to compare statistics between child organizations in a domain.
- Open your report as shown above.
- On the left, under Filters, select an organizational unit from the list.
You can only filter the current organization hierarchy, even when searching for older data. Data before December 20, 2018 will not appear in the filtered results.
Export your audit log data
You can export your audit log data to Google Sheets or download it to a CSV file.
- Open your audit log as shown above.
- (Optional) To change the data to include in your export:
- On the toolbar, click Select columns .
- Check the box next to the data you want to export and click Apply.
- On the toolbar, click Download .
You can export up to 210,000 cells. The maximum number of rows depends on the number of columns you select. Audit logs to Sheets are limited to 10,000 rows, while CSV exports can include up to 500,000 rows.
How old is the data I'm seeing?
For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.
Step 4: Set up email alerts
You can easily track specific activities by setting up alerts. For example, get an alert whenever someone creates or deletes a calendar on their device.
- Open your audit log (details above).
- If you don't see the Filters section, click Filter .
- Enter or select the criteria for your filter. You can filter any combination of the data you can view in the log except date and time range.
- Click Set Alert.
- In the Set alert: Mobile box, enter a name for the alert.
- Check the box to deliver the alert to the account super administrators.
- Enter the email addresses of any other alert recipients.
- Click Save.
To edit your custom alerts, see Administrator email alerts.