Search
Clear search
Close search
Google apps
Main menu
true

Mobile audit log

This feature is available with G Suite Business and Enterprise editions. Compare editions

You can see a report of activities on Android and Apple® iOS® devices that are used in your organization. For example, you can see if a user’s device is compliant with the policies you set on the device. You review the various device activities in a log in the Google Admin console. What you see depends on the device and user account.

Before you begin

To view events on Android and iOS devices:

  • The devices need to be managed using advanced mobile management. For details, see Set up mobile device management. 
  • Devices need to sync data using Android sync or iOS Sync for G Suite.

View device activity (mobile audit log)

You can view events for all mobile devices, or for a specific device. You can set an alert to be notified when an event occurs. You can also use device management rules to automate mobile-management tasks when an event occurs. For example, you can block a device when suspicious activity is detected. For details, see Automate mobile management tasks with rules.

View events for all mobile devices

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, do one of the following:
    • Go to Reports and then Audit and then Mobile devices.
    • Go to Device Management and then Insights and then Mobile audit.

    To see Reports or Device management, you might have to click More controls at the bottom.

View events for a specific mobile device

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Device Management and then Mobile devices.

    To see Device Management, you might have to click More controls at the bottom.

  3. Select a mobile device, and click Show Audit Events

How to read the tables

Each event description includes a table to help you understand the type of information you can filter for the event, and how to read the event log. Each event table includes these columns:

  • Property checked—The mobile device property the event audits.
  • Sub-filters (type)—Choose how you want to filter the data.
  • Audit occurs—The time at which the system audits the information—immediately or at the next sync (when the device syncs with your business domain).
  • Platform—The platform that supports the event—Android, iOS, or both.

Open all   |   Close all

 

Account registration change

You can monitor the registration state of devices in your domain. When a device is registered, you can view its device details. The system records an account registration change each time a user adds their managed account on a new device, or unregisters their account.

For example, the event log contains an entry, such as Username account registered on Nexus 6P with device administrator privilege.

There are three types of privileges:

  • Device owner. Corporate-owned devices configured to recognize the company as the device owner.
  • Work profile. Users’ personal devices configured with managed work profiles that are separate from their personal space.
  • Device administrator. Users’ personal devices configured with managed accounts within their personal space.

To monitor an account registration change:

  1. Click Event name and then Account registration change.
     
    Property checked Sub-filters (type) Audit occurs:
    Immediately,
    Next sync
    Platform:
    Android, iOS

    Registered, Unregistered

    Registration State (drop-down):

    Registered Unregistered

    Immediately

    Android, iOS

  2. Select the registration state you want to monitor: Registered, or Unregistered.

    Registered: The user has completed adding a managed account for this domain to the device.

    Unregistered: The user unregistered an account on the device. The user can no longer use the account on that device.
Device application change

You can monitor device application changes in your domain. For example, if you become aware of a new malware app, you can discover which users installed the app in your domain.

The system records a device application change each time a user installs, uninstalls, or updates an app on their device. 

  • Android devices—For Android devices, where the Device Policy app has Device administrator privileges: If you're not seeing any device application change entries in the audit log, ensure that Enable application auditing in personal space is set.
     
  • iOS devices—For iOS devices, only the managed apps installed using the Device Policy app are audited.

Application auditing is automatically enabled for devices with a work profile (work profile auditing), and for devices registered in Device Owner mode.

To monitor device application changes:  

  1. Click Event name and then Device application change.
     
    Property checked Sub-filters (type) Audit occurs:
    Immediately,
    Next sync
    Platform:
    Android, iOS

    Device application change

    Application Event (drop-down):

    Install
    Uninstall
    Update

    Package Name (text-box)

    2 Application Hash (text-box): 
    Enter the SHA-256 hash of the application package.

    1

    Android, iOS

    1 Android devices—If an app is installed, updated, or removed, the audit is immediate. 

    iOS devices—The audit is on the next sync.

    2 Applicable only for Android devices.

     

  2. Enter the package name of the app in the Application package name field.
  3. (Optional) Enter the hash of the application package in the Application hash field.

    Application hash is an optional column that shows the SHA-256 hash application package installed on the device. 
  4. Under Application event, select the event type you want to filter: Install, Uninstall, or Update.
Device compliance status

You can check whether or not Android devices comply with your organization’s policies. If there’s a change to a device that makes it noncompliant with a policy, it’s marked as not compliant in the mobile devices report. For example, you enforce a minimum password length of 6 characters, and a user changes their device password to 5 characters. The device is marked not compliant because it doesn’t adhere to your password policy.

When a device is noncompliant, Google Apps Device Policy disables access to certain work apps. On Android 7.0 Nougat and later devices, disabled work apps are grayed out and can’t be opened. On older devices, work apps are hidden. Access to work apps is restored when a device is compliant again. Users with devices older than Android 7.0 need to recreate any shortcuts they had to their work apps after their access is restored.

A device is marked not compliant if it:

To check a device, go to the Mobile Devices report and click Event name and then Device compliance status.

Property checked Sub-filters (type) Audit occurs:
Immediately,
Next sync
Platform:
Android, iOS

Compliance status:

Compliant, Not compliant

Not applicable  Next sync Android
Device compromise

You can monitor your domain for compromised Android and iOS devices. Devices can become compromised if they’re rooted or jailbroken—processes that remove restrictions on a device. Compromised devices can be a potential security threat.

The system records an entry each time a user’s device is compromised or no longer compromised. 

To check for compromised devices:  

Click Event name and then Device compromise.

Property checked Sub-filters (type) Audit occurs:
Immediately,
Next sync
Platform:
Android, iOS

Compromise status:

Compromised, No longer compromised

Not applicable  Next sync Android
iOS

 

Device OS update

You can monitor updates to mobile device OS properties. For example, you would like to audit when users have updated to the latest device OS or security patch.

  • Android devices—For Android devices, the system records an entry each time a user updates the OS version, build number, kernel version, baseband version, security patch, or bootloader version on their device.
     
  • iOS devices—For iOS devices, the system only records updates to OS version and build number.

To monitor device OS updates:  

  1. Click Event name and then Device OS update.
     
    Property checked Sub-filters (type) Audit occurs:
    Immediately,
    Next sync
    Platform:
    Android, iOS

    OS version
    Build number
    Kernel version
    (Android only)
    Device baseband version
    (Android only)
    OS security patch (Android only)
    Bootloader version (Android only)

    System Properties
    (drop-down):

    OS version
    Build number
    Kernel version
    Device baseband version
    OS security patch
    Bootloader version

    Immediately
    (Android) 

    Next sync
    (iOS)

    Android, iOS
  2. Select the system property you want to monitor:  OS version, build number, kernel version, baseband version, security patch, or bootloader version. 
Device ownership

You can monitor device ownership changes on your company-owned mobile devices. For example, you might want to know which personal devices were changed to company-owned after they were imported, or which company-owned devices were changed to personal devices after they were deleted. The system records an entry for each device ownership change.

To monitor device ownership changes:  

Click Event name and then Device ownership.

Property checked Sub-filters (type) Audit occurs:
Immediately,
Next sync
Platform:
Android, iOS

Device ownership:

Company-owned

Personal

Not applicable

Company-owned:
Immediately

Personal:
Next sync

Android

1 Audit occurs immediately after the company-owned device is created as part of the bulk import.

2 Audit occurs at the next sync after the company-owned device is deleted.


 

Device settings change

You can monitor device settings changes on your managed mobile devices. For example, you might want to know if a user has turned on developer options on their device. The system records an entry each time a user changes the USB debugging, unknown sources, developer options or verify apps setting on their device.  

To monitor device settings changes:  

  1. Click Event name and then Device settings change.
     
    Property checked Sub-filters (type) Audit occurs:
    Immediately,
    Next sync
    Platform:
    Android, iOS

    Developer options
    Unknown sources
    USB debugging
    Verify apps

    Setting (drop-down):

    Developer options
    Unknown sources
    USB debugging
    Verify apps

    Next sync Android
  2. Select the type of setting change you want to monitor: Developer options, Unknown sources, USB debugging, or Verify apps.
Failed screen unlock attempts

You can monitor the number of failed attempts by a user to unlock a device. For example, someone might have stolen the device.

An event is generated only if there are more than five failed attempts to unlock a user's device. You can use a filter to show only events where the number of failed attempts is above a specified number.

To monitor failed screen unlock attempts:

Click Event name and then Failed screen unlock attempts.

Property checked Sub-filters (type) Audit occurs:
Immediately,
Next sync
Platform:
Android, iOS

Number of consecutive 
failed screen unlock attempts

Greater than (text-box): 

Enter a numeric value to find
the number of failed screen unlock 
attempts greater than that value.

Immediately Android
Suspicious activity

You can track suspicious activity affecting devices in your domain. For example, if you discover a device model has changed, but the device has not changed, this would be suspicious activity requiring further investigation. 

  • Android devices—For Android devices, the system records an entry each time any one of the following device properties changes on a user’s device: Device model, serial number, Wi-Fi MAC address, device policy app privilege, manufacturer, device brand, or device hardware. 
     
  • iOS devices—For iOS devices, the system only records changes to the Wi-Fi MAC address.

To monitor suspicious activity:

  1. Click Event name and then Suspicious activity.
     
    Property checked Sub-filters (type) Audit occurs:
    Immediately,
    Next sync
    Platform:
    Android, iOS

    Device model
    Serial number
    Wi-Fi MAC address
    Device policy app privilege 
    (Device Owner, Profile Owner, 
    Device Administrator, Unknown) 
    Manufacturer
    Device brand
    Device hardware

    Device property
    (drop-down):


    Device model
    Serial number
    Wi-Fi MAC address
    Device policy app privilege
    Manufacturer
    Device brand
    Device hardware
    Next sync Android, iOS
  2. Select the device property you want to monitor: device model, serial number, Wi-Fi MAC address, or device policy app privilege, manufacturer, device brand, device hardware. 
     
Work profile support

You can verify if an Android device supports work profile. For example, this event informs you when a device user has upgraded the OS version and the device is a work profile compliant device.

The system records an entry for each user’s device that supports Android in the enterprise.

To monitor the devices that support Android in the enterprise

Click Event name and then Work profile support.

Property checked Sub-filters (type) Audit occurs:
Immediately,
Next sync
Platform:
Android, iOS
Work profile support Not applicable Immediately Android

Customize and export your log data

Filter the audit log data by user or activity

You can narrow your audit log to show specific events or users. For example, find all log events for when users created or failed while entering their password, or find all suspicious activity for a particular user.

  1. Open your audit log as shown above.
  2. If you don't see the Filters section, click Filter Filter.
  3. Enter or select the criteria for your filter. You can filter on any combination of the data you can view in the log.
  4. Click Search.

Export your audit log data

You can export your Mobile audit log data to a Google Sheet, or download it to a CSV file.

  1. Open your audit log as shown above.
  2. (Optional) To change the data to include in your export, on the toolbar, click Select columns Select columns.
  3. (Optional) Click the box next to each column with data you want to export, and click Apply.
  4. On the toolbar, click Download Download.

You can export up to 210,000 cells. The maximum number of rows depends on the number of columns you select.

How old is the data I'm seeing?

For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.

Set up email alerts

You can easily track specific mobile device activities by setting up alerts. For example, get an alert whenever someone creates or deletes a calendar.

  1. Open your audit log as shown above.
  2. If you don't see the Filters section, click Filter Filter.
  3. Enter or select the criteria for your filter. To set up an alert, you can filter on any combination of the data you can view in the log except date and time range.
  4. Click Set Alert.
  5. In the Set alert: Mobile box, enter a name for the alert.
  6. Check the box to deliver the alert to the account super administrators.
  7. Enter the email addresses of any other alert recipients.
  8. Click Save.

To edit your custom alerts, see Administrator email alerts.

Was this article helpful?
How can we improve it?
Sign in to your account

Get account-specific help by signing in with your G Suite account email address, or learn how to get started with G Suite.