Set up advanced mobile management

Supported editions for this feature: Frontline Starter and Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Enterprise Essentials and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Premium. Compare your edition

As an administrator, you can use advanced management to have more control over access to your organization's data. You can restrict mobile device features like notifications on the lock screen, require device encryption, manage apps on Android devices, iPhones, and iPads, and wipe data from a device. 

Requirements

  • Devices must support advanced mobile management. See the Device requirements.
  • To manage iPhones and iPads, follow the steps to Set up an Apple push certificate.
  • Only one Google account under advanced mobile management is allowed on each device.
  • The user must have a license that supports advanced mobile management. If you turn on advanced mobile management for a user whose license doesn't support it, only settings supported for basic mobile management apply to the user's devices.
  • Users must install a device policy app on their devices so that you can manage them.
    • Android users should not manually install the app. Instead, they should follow the on-screen prompts. For details, see Set up Google Workspace on an Android device. During installation, users get a prompt to set up a work profile if their device supports it.
    • For user-enrolled iOS devices, users get an installation prompt during setup.
    • iOS users might also get a prompt to install a configuration profile. For more about the profile and how it handles user information, see Mobile training and help.

Step 1. Turn on advanced mobile management

Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenSettingsand thenUniversal.
  3. Click Generaland thenMobile management.
  4. (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
  5. Turn on advanced mobile management:
    • If you want all supported mobile devices to be under advanced management and you set up an Apple push certificate, select Advanced. This option isn't available if no Apple push certificate is set up, even if you don't manage iOS devices.
    • If you want to turn on advanced management for certain platforms or aren't managing iOS devices, select Custom. Then, select Advanced for the platforms. For iOS, Advanced isn't available if no Apple push certificate is set up.
  6. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit

  7. If you get a message that you need to enable sync on mobile, click Go to Sync on Mobile. Check the boxes for the devices you want to allow to sync work data and click Save.
  8. If you want to manage iOS devices and apps, create an Apple push certificate. You need to renew this certificate annually.

Step 2. Set up password and approval requirements

Before you begin: Tell users you'll manage the mobile devices they use for work. Let them know about the policies you set, including password requirements.

  1. Set password requirements for managed mobile devices. You can set the password length, require special characters, and set an expiration.
  2. To screen devices before they can access work data, require admin approval for mobile devices.

Step 3. Set up company-owned mobile devices

Skip this step if you don't have company-owned devices.

For Android

For iPhones and iPads

Step 4. Protect your organization's data

To make your organization's data more secure, use advanced management settings as needed or required for your organization.

Recommended settings

Universal settings (all mobile devices)

  • Block compromised devices 
  • Require device encryption

Android settings

  • Autowipe devices that don't sync within a specified period
  • Block devices that are not Android CTS compliant
  • Don't allow application verification to be turned off
  • Don't allow USB file transfer
  • Don't allow apps from unknown sources
  • Don't allow notification details on lock screen
  • Don't allow trust agents (under lock screen settings)

iOS settings

  • Don't allow notification details on lock screen
  • Don't allow managed apps to store data iCloud
  • Require encryption for backups if you allow device backups

Next steps


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
1911329082508473171
true