Device management security checklist

These security best practices are for administrators of Google Workspace and Cloud Identity.

As an administrator, you can help protect work data on users’ personal devices (BYOD) and on your organization’s company-owned devices by using Google endpoint management features and settings. Other security features provide stronger account protection, granular access control, and data protection. Review the following checklist to make sure that you're set up to meet your organization's device security goals.

All mobile devices

Require passwords

Protect data on managed mobile devices by requiring that users set a screen lock or password for their device. For devices with advanced management, you can also set the password type, strength, and minimum number of characters.

Set password requirements for managed mobile devices

Lock down or wipe corporate data from missing devices

When a device goes missing or an employee leaves your organization, the work data on the device is at risk. You can wipe a user's work account from the device, including all their work data. For devices with advanced management, you can wipe the entire device. This feature isn't available with the free version of Cloud Identity.

Mobile devices under advanced management

Require device encryption

Device encryption stores data at rest in a form that can be read only after the device is unlocked; unlocking the device makes the decryption key available. This protects the data if a device is lost or stolen. Because that key is protected by the screen lock, encryption is only as strong as the password policy you enforce, so use the two settings together.

Require device encryption

Apply device restrictions

You can restrict how users share and back up data on Android and Apple iOS devices. For example, on Android, you can prevent USB file transfers, and on iOS devices, you can stop backups to personal cloud storage. You can also restrict access to some device and network settings. For example, you can turn off the device's camera and prevent Android users from changing their Wi-Fi settings.

Block compromised devices

Stop a user's work account from syncing with Android and Apple iOS devices that might be compromised. A device is considered compromised when it is rooted (Android) or jailbroken (iOS), that is, when the restrictions the operating system places on apps and users have been removed. On such a device the sandbox and integrity protections that the other controls in this checklist rely on can no longer be trusted, so treat it as a potential security threat.

Block compromised devices

Automatically block Android devices that don't comply with your policies

When a device falls out of compliance with your organization’s policies, you can automatically block it from accessing work data and notify the user. For example, if you enforce a minimum password length of 6 characters and a user changes their device password to 5 characters, the device is not compliant because it doesn’t adhere to your password policy.

Set device management rules

Computers that access work data

Turn on endpoint verification

When laptops and desktops are managed with endpoint verification, they report device details (such as operating system, encryption status, and screen lock) to your device inventory, and you can use those details in context-aware access to protect your organization's data and to see which devices access that data.

Turn on endpoint verification

Restrict Drive File Stream syncing to company-owned devices

Drive File Stream allows users to work on Drive files on their Apple Mac or Microsoft Windows computer outside a browser. To limit the exposure of your organization's data, you can allow Drive File Stream to run on only company-owned devices listed in your inventory.

Restrict Drive File Stream to authorized devices

Set up Google Credential Provider for Windows (GCPW)

Let users sign in to Windows 10 computers with their work Google Account. GCPW includes 2-Step Verification and sign-in challenges. Users can also access Google Workspace services and other single sign-on (SSO) apps without the need to re-enter their Google username and password.

Overview: Google Credential Provider for Windows

Restrict user privileges on company-owned Windows computers

You can control what users can do on their company-owned Windows 10 computers with Windows device management. You can set users' administrative permission level for Windows. You can also apply Windows security, network, hardware, and software settings.

More security options for all devices

Prevent unauthorized access to a user's account

Require additional proof of identity when users sign in to their Google Account by turning on 2-Step Verification (2SV). This proof can be a physical security key, a security key built into the user's device, a security code delivered by text message or phone call, and more. Security keys resist phishing; codes sent by text or phone call can be phished or intercepted, so enforce security keys where you can.

When Google suspects that an unauthorized person is trying to access a user's account, we present them with an extra security question or challenge. When you use Google endpoint management, we might ask users to verify their identity with their managed mobile device (the device they normally use to access their work account). Extra challenges significantly reduce the chance of an unauthorized person breaking into user accounts.

Use context-aware access to conditionally allow access from outside your VPN

You can set up different access levels based on a user's identity and the context of the request (country/region, device security status, IP address). For example, you can block mobile device access to Google Workspace data if the device is outside a specific country/region, or if the device doesn't meet your encryption and password requirements. As another example, you can allow contractors to access Google Workspace data only on company-managed Chromebooks.

Context-aware access overview
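As an added example (this is not from the help page or from Google), the following access-level specification expresses the first scenario above in the basic-level YAML format that Access Context Manager accepts, which is the service behind Workspace context-aware access: a mobile device may reach work data only if it has a screen lock, is encrypted, and is located in an allowed region. The region list and the level name are assumed placeholders.

```yaml
# Added example, not from the original page: one basic access level condition.
# All fields inside a single condition must hold (AND), so a device that is
# unencrypted, has no screen lock, or is outside the listed regions is denied.
- devicePolicy:
    requireScreenlock: true            # the password requirement from this checklist
    allowedEncryptionStatuses:
    - ENCRYPTED                        # UNENCRYPTED and ENCRYPTION_UNSUPPORTED are denied
    osConstraints:
    - osType: ANDROID                  # restrict the level to mobile platforms
    - osType: IOS
  regions:
  - US                                 # assumed placeholder; ISO 3166-1 alpha-2 codes
```

Create the level with `gcloud access-context-manager levels create mobile_encrypted_us --title="Encrypted mobile in allowed region" --basic-level-spec=level.yaml --policy=POLICY_ID` (policy ID assumed), then assign it to the Workspace apps in the Admin console's Context-Aware Access settings. The contractor scenario has the same shape: replace the `osConstraints` entries with `osType: DESKTOP_CHROME_OS` and add `requireCorpOwned: true` so that only Chromebooks in your company-owned inventory pass.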

Control the apps that can access Google Workspace data

Set which mobile apps are managed by your organization. You can also specify which services an app can access with app access control. This prevents malicious apps from tricking users into accidentally granting access to their work data. App access control is device-agnostic and blocks access by unauthorized apps on both BYOD and company-owned devices.

Identify sensitive data in Google Drive, Docs, Sheets, Slides, and Gmail

Protect sensitive data, such as government-issued personal IDs, by setting Data Loss Prevention (DLP) policies. These policies can detect many common data types, and you can also create custom content detectors to meet business-specific needs. DLP protects data at the source and application level, and applies across devices and access methods.

Protect sensitive information using DLP