Devices audit log

Review activities on your organization’s devices

Supported editions for this feature: Business Plus; Enterprise; Education Standard and Plus; G Suite Business; Cloud Identity Premium. Compare your edition

As an administrator, you can get a report of activities on computers and mobile devices that are used to access your organization's data. For example, you can see when a user added their account to a device or if a device’s password doesn’t comply with your password policy. You can also set an alert to be notified when an activity occurs.

Before you begin

To see all audit events for mobile devices, the devices need to be managed using advanced device management.
To see changes to applications on Android devices, application auditing must be turned on.
You can’t see activities for devices that sync corporate data using Google Sync.
If you downgrade to an edition that doesn't support the audit log, the audit log stops collecting data for new events. However, old data is still available to admins.

Open the devices audit log

View events for all devices

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
From the Admin console Home page, go to ReportsAuditDevices.
(Optional) To customize what data you see, on the right, click Manage columns . Select the columns that you want to see or hideclick Save.
(Optional) Review ways to filter and export log data and create alerts.

View events for a specific device

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
From the Admin console Home page, go to DevicesMobile devices.
Choose an option:
- To see managed mobile devices, click Mobile devices.
- To see laptop and desktop devices, click Endpoints.
- To see devices that your organization owns, on the left, click Company owned inventory.
Select one or more devices and click More View audit info.
(Optional) To customize what data you see, on the right, click Manage columns . Select the columns that you want to see or hideclick Save.
(Optional) Review ways to filter and export log data and create alerts.

Understand audit log data

Data you can view

The Devices audit log provides the following information:

Data Type	Description
Device ID	Identifier for the device that the event happened on
Event description	Details of the event that happened on the device
Date	Date and time that the event occurred (displayed in your browser's default time zone)
Event name	Name of the event that was logged, such as an account registration change, sign-in challenge, or a failed unlock attempt. For details, go to the Event names description below.
User	Name of the user who performed the event on the device Note: For company-owned iOS devices, changes to the device enrollment in Apple Business Manager or Apple School Manager are made by a service account that's reported as "Anonymous user".
Device type	Type of device that the event happened on. For example, Android or Apple iOS.
Application hash	For app-related events, the SHA-256 hash of the application package
Serial number	The serial number of the device
Device model	The model of the device
OS version	Available only if you turn on enhanced desktop security for Windows. Number assigned to a unique release of the operating system (OS).
Policy name	Available only if you turn on enhanced desktop security for Windows. The name of the Microsoft configuration service provider (CSP) that corresponds to the custom setting applied to the device.
Policy status code	Available only if you turn on enhanced desktop security for Windows. The code returned from a Windows 10 device when you attempt to apply a setting to the device.
Windows OS edition	Available only if you turn on enhanced desktop security for Windows. Variant of Windows with a unique package of features.

Event names

At Add a filter, select an Event name to filter data for that event. The audit log shows entries for each time the particular event occurred during the time range that you set. For some events, you can narrow your audit log results using subfilters.

Event names for the Devices audit log include:

Event name	Description	Subfilters	Supported devices
Account registration change	Registration state of a device in your organization changed. An entry is recorded each time a user adds their managed account on a new device, or unregisters their account from a device. For Android devices, you also see the device privilege the account is registered with. For details about device privileges, see Policy profile information. Example: User’s account registered on Nexus 6P with device administrator privilege.	Registered on—User added a managed account to the device. Unregistered from—User unregistered an account on the device. The user can no longer use the account on that device.	Android Apple iOS Chrome OS Mac Windows
Device action event	Status of an action carried out on a device by an admin. Example: Account Wipe with id 1234 on user’s Pixel 2 is Pending.	Not applicable	Android iOS Chrome OS Mac Windows
Device application change	A user installed, uninstalled, or updated an app on their device. Android devices—Events are logged immediately. If you don’t see any entries in the audit log, make sure the application auditing setting is on. iOS devices—Events are logged the next time the device syncs. Only managed apps installed using the Device Policy app are audited. Example: com.android.chrome version 50.0.2645.0 was deleted from user's Nexus 5.	Application Event—Install, uninstall, update Package Name—Name of the application package Application Hash—SHA-256 hash of the application package (Android only)	Android iOS
Device compliance status	Whether the device complies with your organization’s policies. A device is marked not compliant if it: Violates an applied password setting or encryption policy. Doesn’t have the latest Device Policy app installed. Doesn't comply with security settings. Doesn’t have a work profile when a work profile is expected. Isn’t in device owner mode when device owner mode is expected. Is blocked by an administrator. Is no longer syncing because an administrator disabled synchronization. Example: User's Nexus 6P is not compliant with set policies because device is not adhering to password policy.	Not applicable	Android
Device compromise	Whether the device is compromised. Devices can become compromised if they’re rooted or jailbroken—processes that remove restrictions on a device. Compromised devices can be a potential security threat. The system records an entry each time a user’s device is compromised or no longer compromised. Example: User's Nexus 5 is compromised.	Not applicable	Android iOS
Device OS update	A device's OS property was updated. For iOS devices, the system only records updates to OS version and build number. Example: OS Version updated on user’s Nexus 5 from 8.0 to 8.2.	OS version Build number Kernel version Device baseband version OS security patch	Android iOS Chrome OS Mac Windows
Device ownership	Whether the ownership of the device changed. For example, a personal device was changed to company-owned after its details were imported into the Admin console. This audit occurs immediately after a company-owned device is added to the Admin console. If a company-owned device is deleted from the Admin console, the audit occurs at the next sync (after it’s re-enrolled for management). Example: Ownership of user’s Nexus 5 has changed to company owned, with new device id abcd1234.	Not applicable	Android Chrome OS Mac Windows
Device settings change	The device user changed the developer options, unknown sources, USB debugging, or verify apps setting on their device. This event is recorded the next time the device syncs. Example: Verify Apps changed from off to on by user on Nexus 6P.	Developer options Unknown sources USB debugging Verify apps	Android
Device status changed on Apple portal	For company-owned iOS devices, when the device was added or deleted through Apple Business Manager or Apple School Manager. Note: The user for these events is a service account but is reported as "Anonymous user".	Not applicable	Company-owned iOS
Device sync	A user’s managed account synced on the device. Example: Username’s account synced on Nexus 6P.	Not applicable	Android iOS Chrome OS Mac Windows
Failed screen unlock attempts	The number of failed attempts by a user to unlock a device. An event is generated only if there are more than 5 failed attempts to unlock a user's device. Example: 5 failed attempts to unlock user's Nexus 7.	Greater than—Enter a number to only display failed attempts greater than that number.	Android
Sign out user	An admin signed a user out from a device that is managed by fundamental management.	Not applicable	Desktop devices managed by fundamental management
Suspicious activity	Suspicious activity was detected on the device. Android—The system records an entry each time any one of the device properties listed in the subfilters changes on a user’s device. iOS—The system records changes to the WiFi MAC address only. Example: WiFi MAC address changed on user's Nexus 5 from x to y.	Device model Serial number WiFi MAC address Device policy app privilege Manufacturer Device brand Device hardware Bootloader version	Android iOS
Work profile support	The device supports work profiles. For example, this event informs you when a user upgrades the OS version so the device becomes work profile compliant. The system records an entry for each device that supports work profiles. Example: Work profile is supported on user's Nexus 5.	Not applicable	Android

When and how long is data available?

Go to Data retention and lag times.