Mobile audit log

You can monitor the registration state of devices in your domain. When a device is registered, you can view its device details. The system records an account registration change each time a user adds their managed account on a new device, or unregisters their account.

For example, the event log contains an entry, such as Username account registered on Nexus 6P with device administrator privilege.

There are three types of privileges:

• Device owner. Corporate-owned devices configured to recognize the company as the device owner.
• Work profile. Users’ personal devices configured with managed work profiles that are separate from their personal space.
• Device administrator. Users’ personal devices configured with managed accounts within their personal space.

To monitor an account registration change:

1. Click Event name Account registration change.
    

   Property checked	Sub-filters (type)	Audit occurs: Immediately, Next sync	Platform: Android, iOS
   Registered, Unregistered	Registration State (drop-down): Registered Unregistered	Immediately	Android, iOS

2. Select the registration state you want to monitor: Registered, or Unregistered.
   
   Registered: The user has completed adding a managed account for this domain to the device.
   
   Unregistered: The user unregistered an account on the device. The user can no longer use the account on that device.

You can monitor device application changes in your domain. For example, if you become aware of a new malware app, you can discover which users installed the app in your domain.

The system records a device application change each time a user installs, uninstalls, or updates an app on their device. 

• Android devices—For Android devices, where the Device Policy app has Device administrator privileges: If you're not seeing any device application change entries in the audit log, ensure that Enable application auditing in personal space is set.
   
• iOS devices—For iOS devices, only the managed apps installed using the Device Policy app are audited.

Application auditing is automatically enabled for devices with a work profile (work profile auditing), and for devices registered in Device Owner mode.

To monitor device application changes:  

1. Click Event name Device application change.
    

   Property checked	Sub-filters (type)	Audit occurs: Immediately, Next sync	Platform: Android, iOS
   Device application change	Application Event (drop-down): Install Uninstall Update Package Name (text-box) 2 Application Hash (text-box):  Enter the SHA-256 hash of the application package.	1	Android, iOS
   1 Android devices—If an app is installed, updated, or removed, the audit is immediate.  iOS devices—The audit is on the next sync. 2 Applicable only for Android devices.

    

2. Enter the package name of the app in the Application package name field.
3. (Optional) Enter the hash of the application package in the Application hash field.
   
   Application hash is an optional column that shows the SHA-256 hash application package installed on the device. 
4. Under Application event, select the event type you want to filter: Install, Uninstall, or Update.

You can check whether or not Android devices comply with your organization’s policies. If there’s a change to a device that makes it noncompliant with a policy, it’s marked as not compliant in the mobile devices report. For example, you enforce a minimum password length of 6 characters, and a user changes their device password to 5 characters. The device is marked not compliant because it doesn’t adhere to your password policy.

A device is marked not compliant if it:

• Violates an applied password setting or encryption policy.
• Doesn’t have the latest Device Policy app installed.
• Is compromised by noncompliance with security settings.
• Doesn’t have a work profile when a work profile is expected.
• Isn’t in device owner mode when device owner mode is expected (as a result of serial number import and assignment as company-owned).
• Is blocked by an administrator action.
• Is no longer syncing because an administrator disabled synchronization.

To check a device, go to the Mobile Devices report and click Event name Device compliance status.

You can monitor your domain for compromised Android and iOS devices. Devices can become compromised if they’re rooted or jailbroken—processes that remove restrictions on a device. Compromised devices can be a potential security threat.

The system records an entry each time a user’s device is compromised, or no longer compromised. 

To check for compromised devices:  

Click Event name Device compromise.

You can monitor updates to mobile device OS properties. For example, you would like to audit when users have updated to the latest device OS or security patch.

• Android devices—For Android devices, the system records an entry each time a user updates the OS version, build number, kernel version, baseband version, security patch, or bootloader version on their device.
   
• iOS devices—For iOS devices, the system only records updates to OS version and build number.

To monitor device OS updates:  

1. Click Event name Device OS update.
    

   Property checked	Sub-filters (type)	Audit occurs: Immediately, Next sync	Platform: Android, iOS
   OS version Build number Kernel version (Android only) Device baseband version (Android only) OS security patch (Android only) Bootloader version (Android only)	System Properties (drop-down): OS version Build number Kernel version Device baseband version OS security patch Bootloader version	Immediately (Android)  Next sync (iOS)	Android, iOS

2. Select the system property you want to monitor:  OS version, build number, kernel version, baseband version, security patch, or bootloader version. 

You can monitor device ownership changes on your company-owned mobile devices. For example, you might want to know which personal devices were changed to company-owned after they were imported, or which company-owned devices were changed to personal devices after they were deleted. The system records an entry for each device ownership change.

To monitor device ownership changes:  

Click Event name Device ownership.

You can monitor device settings changes on your managed mobile devices. For example, you might want to know if a user has turned on developer options on their device. The system records an entry each time a user changes the USB debugging, unknown sources, developer options or verify apps setting on their device.  

To monitor device settings changes:  

1. Click Event name Device settings change.
    

   Property checked	Sub-filters (type)	Audit occurs: Immediately, Next sync	Platform: Android, iOS
   Developer options Unknown sources USB debugging Verify apps	Setting (drop-down): Developer options Unknown sources USB debugging Verify apps	Next sync	Android

2. Select the type of setting change you want to monitor: Developer options, Unknown sources, USB debugging, or Verify apps.

You can monitor the number of failed attempts by a user to unlock a device. For example, someone might have stolen the device.

An event is generated only if there are more than five failed attempts to unlock a user's device. You can use a filter to show only events where the number of failed attempts is above a specified number.

To monitor failed screen unlock attempts:

Click Event name Failed screen unlock attempts.

You can track suspicious activity affecting devices in your domain. For example, if you discover a device model has changed, but the device has not changed, this would be suspicious activity requiring further investigation. 

• Android devices—For Android devices, the system records an entry each time any one of the following device properties changes on a user’s device: Device model, serial number, Wi-Fi MAC address, device policy app privilege, manufacturer, device brand, or device hardware. 
   
• iOS devices—For iOS devices, the system only records changes to the Wi-Fi MAC address.

To monitor suspicious activity:

1. Click Event name Suspicious activity.
    

   Property checked	Sub-filters (type)	Audit occurs: Immediately, Next sync	Platform: Android, iOS
   Device model Serial number Wi-Fi MAC address Device policy app privilege  (Device Owner, Profile Owner,  Device Administrator, Unknown)  Manufacturer Device brand Device hardware	Device property (drop-down): Device model Serial number Wi-Fi MAC address Device policy app privilege Manufacturer Device brand Device hardware	Next sync	Android, iOS

2. Select the device property you want to monitor: device model, serial number, Wi-Fi MAC address, or device policy app privilege, manufacturer, device brand, device hardware. 
    

You can verify if an Android device supports work profile. For example, this event informs you when a device user has upgraded the OS version and the device is a work profile compliant device.

The system records an entry for each user’s device that supports Android in the enterprise.

To monitor the devices that support Android in the enterprise

Click Event name Work profile support.

How old is the data I'm seeing?

For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.