Automate mobile management tasks with rules

This feature is only available with G Suite Enterprise.

As a G Suite administrator, you can define rules to automate mobile device management tasks. For example, you can automatically approve all Android devices that enroll for management. You set up actions that are triggered when a specified event is detected on an Android or Apple® iOS® device. When an event occurs, you can send a notification email to administrators, block or approve a device, or wipe a corporate account from the device.

Before you begin

  • To set up device-management rules in the Google Admin console, you need to have super administrator privileges. For details, see Pre-built administrator roles.
  • The rules you set up are only applied to devices that are managed with advanced mobile management. For details, see Set up mobile device management.

How rules work

Each device-management rule starts with an event that happens on a managed mobile device. When the event is detected, the rule checks for any conditions you specify. If the conditions are met, an action is carried out.

For example, you can notify administrators when the account registration state changes on Android devices because a user unregisters their G Suite account from the device. In this example:

  • The event is an account registration state change on an Android device.
  • The condition is that a user unregisters their account from the device.
  • The action is notifying administrators.

You can create your own rule or work with a predefined template. You can assign a rule to your whole domain, an organizational unit, or a group in Google Groups. You can also exempt a group. 

Create and edit rules

Create device-management rule

You can use one of the predefined templates and customize it to suit your needs. If you can’t find a suitable template, select a blank template to build your own custom rule.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Rules.

    To see Rules, you might have to click More controls at the bottom. 

  3. Click Add.
  4. Scroll to the Device Management section and choose an option:
    • Select Blank Template to build your own rule from scratch.
    • Select a predefined template from the list. For details, see Use the rule templates.
  5. Edit the rule title and description.
  6. Click Conditions.
  7. (Optional) Under Users, select an organizational unit or group to apply the rule to. You can also exempt a group from the rule. To add more than one condition, click Add. If you don’t select an option, the rule is applied to all users in your top-level organization who are assigned a G Suite Enterprise license.
  8. Under Filters, do the following steps:
    • Select a device type (Android, iOS, or all) to apply the rule to.
    • Select the event that will trigger the rule.
    • (Optional) Select additional conditions that the rule should check for before it carries out an action. To add more than one condition, click Add.
    For more details, see Choose an event and conditions.
  9. Click Done.
  10. Click Actions and select the action that the rule should carry out on a device when it finds the conditions you specified above. For details, see Choose an action.
  11. Click Done.
  12. Choose an option:
    • To create the rule and turn it on now, click Create and Activate.
    • To create the rule and turn it on later, click Create. When you want to turn it on, select the rule from the list of rules and at the top, click Activate rules.

Edit an existing device management rule

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Rules.

    To see Rules, you might have to click More controls at the bottom.

  3. At the top, select Manage to see the list of rules.
  4. Click the rule you want to modify.
  5. Under Conditions, select your settings and click Done. For details, see Choose an event and conditions.
  6. Under Actions, select your settings and click Done. For details, see Choose an action.
  7. Choose an option:
    • To save your changes and activate them now, click Save and Activate.
    • If the rule is paused and you don’t want to activate it yet, click Save.

Use the rule templates

Rule templates are available for you to use. They have predefined conditions and actions that you can change to suit your organization’s needs. For example, if you want to automatically approve all iOS devices, but manually approve Android devices, use the Auto-approve device registration template and change the device type to iOS. 

Available templates 

Block account on multiple failed screen unlocks

Blocks an Android device when there are more than 5 failed attempts to unlock it. G Suite data will stop synchronizing to the device. An email notification is sent to G Suite super administrators.

Wipe account on suspicious event

Removes G Suite data from an Android or iOS device when suspicious activity is detected. For iOS devices, the account is wiped if there are changes to the device’s Wi-Fi MAC address. For Android devices, the account is wiped when there are changes to any of the following device properties: 

  • Device model
  • Serial number
  • Wi-Fi MAC address
  • Device policy app privilege
  • Manufacturer
  • Device brand
  • Device hardware

An email notification is sent to G Suite super administrators. 

Auto-approve device registration

Automatically approves all Android and iOS devices when a user enrolls their device for management. G Suite data will synchronize to the device when the user signs in with their account. They don't need to wait for an administrator to approve the device. G Suite administrators aren’t notified when devices are approved. 

Choose users to apply the rule to

You can apply a rule only to device users who are in a specific organizational unit or group in Google Groups. For example, you can automatically approve devices that are enrolled by users in the Management group. You can also ignore the rule for users in a group. You can choose from these options:

  • Apply to Organization Unit—Applies the rule to users in the organizational unit you select from the drop-down list.
  • Apply to group—Applies the rule to the users in a group. You need to enter the exact name of the group.
  • Exempt group—Excludes users in a group from the rule. You need to enter the exact name of the group. The rule applies to all users except those in the group you specify.

To choose more than one organizational unit or group, click Add. To remove an organizational unit or group, click X next to it. If you don’t select an option, the rule is applied to all users in your top-level organization who are assigned a G Suite Enterprise license.


Choose an event and conditions (filters)

Use filters to select the device type (Android, iOS, or all), event, and other conditions that will trigger the rule. The rule’s action is only carried out when the event happens on devices that meet the conditions you specify. 

You can choose one event and several conditions for every rule. The conditions include a full or partial user email address, device ID, device serial number, or device model. Additional conditions are available for individual events. To apply more than one condition to a rule, click Add.

Account registration change

Triggers the rule when the account registration state of a device in your domain changes. The registration state can change when:

  • A user adds their G Suite account on a new device. 
  • A user unregisters their G Suite account from a managed device.
  • There are changes to the device policy app privilege on the device. 

By default, the rule is triggered when any of those events are detected. To only apply the rule when specific conditions are met, use these options:  

Condition | Applies the rule to
Account state | Devices whose G Suite account state has changed. Choose an option:
  • Registered on—Applies the rule when an account is added to a device.
  • Unregistered from—Applies the rule when an account is unregistered from a managed device.
Device policy app privilege | Choose an option:
  • With device administrator privilege—Applies the rule to personal devices that have a managed account in their personal space.
  • With work profile privilege—Applies the rule to personal devices that have a work profile set up.
  • With device owner privilege—Applies the rule to devices that are configured to recognize your organization as the device owner.

Device application change

Applies the rule whenever a user installs, uninstalls, or updates an app on their device. For personal Android devices that don’t have a work profile, the Application Auditing setting needs to be turned on. For iOS devices, only changes to managed apps that were installed using the Google Device Policy app are detected.

To only apply the rule when specific conditions are met, use these options:

Condition | Applies the rule to
Application ID | Devices that have had changes to the app you specify. Choose an option:
  • Contains—Enter a partial app ID.
  • Equals—Enter the full app ID.
New value | Devices where the version number of an app changed to the value you specify. Enter the new version number of the app. For example, 50.0.2645.0.
Application state | Devices where the state of an app was changed to the value you select. Choose an option:
  • Installed on.
  • Deleted from.
  • Updated on.
Application hash | Devices with an app installed that matches the application hash you specify. Enter the SHA-256 hash of the application package.

Device compliance status (Android only)

Triggers the rule when a device becomes noncompliant with your organization’s policies. For example, a user changes their device password and it no longer complies with your password policy. For details, see Device compliance status.

To only apply the rule when specific conditions are met, use these options:

Condition | Applies the rule to
Device compliance state | Devices whose compliance status has changed. Choose an option:
  • Compliant with set policies—Applies the rule when a device becomes compliant with your organization’s policies.
  • Not compliant with set policies because device—Then click Add and use the Reason for deactivation of the mobile device condition.
Reason for deactivation of the mobile device | Devices that become noncompliant with your organization’s policies for the reason you select. You can select from these reasons:
  • Is not adhering to password policy
  • Is not encrypted
  • Does not have the latest device policy app
  • Is compromised
  • Has camera enabled
  • Has lock screen widgets enabled
  • Does not have work profile created
  • Is not in device owner mode
  • Has been blocked by the administrator
  • Does not have sync enabled
  • Does not have the device policy app installed
  • Has not synced in the last 24 hours

Device compromise (Android only)

Applies the rule to Android devices that become compromised or are no longer compromised. An Android device is compromised when it’s rooted—a process that removes restrictions on a device. Compromised devices can indicate a potential security threat. 

To only apply the rule when specific conditions are met, use this option:

Condition | Applies the rule to
Device compromised state | Devices whose compromised status has changed. Choose an option:
  • Is compromised—Applies the rule to devices that have become compromised.
  • Is no longer compromised—Applies the rule to devices that were compromised, but are no longer compromised.

Device OS update

Triggers a rule when there are changes to a device’s OS properties. For Android devices, this includes the OS version, build number, kernel version, baseband version, security patch, or bootloader version on their device. For iOS devices, it only includes updates to the OS version and build number. For example, a user updates their device to a new OS or applies the latest security patch.

To only apply the rule when specific conditions are met, use these options:

Condition | Applies the rule to
Old value | Devices where an OS property was changed from the value you specify.
New value | Devices where an OS property was changed to the value you specify.
OS property | Devices that have had changes to the OS property you select. Select from the following OS properties:
  • OS version
  • Build number
  • Kernel version
  • Device baseband version
  • OS security patch
  • Bootloader version on their device

For iOS, only OS version and build number are supported. 

Device ownership (Android only)

Applies a rule when ownership of a device changes from personal to company-owned, or from company-owned to personal.

To only apply the rule when specific conditions are met, use this option:

Condition | Applies the rule to
Device ownership of the device | Devices whose device-ownership state has changed. Choose an option:
  • Company owned—Applies the rule to devices whose ownership has changed to company-owned.
  • Personal—Applies the rule to devices whose ownership has changed to personal.

Device settings change (Android only)

Triggers a rule when there are changes to the device settings on Android devices. This includes changes to USB debugging, unknown sources, developer options, or verify-apps settings on a device.  

To only apply the rule when specific settings are changed, use these options:

Condition | Applies the rule to
Old value | Devices where a device setting was changed from the value you specify.
New value | Devices where a device setting was changed to the value you specify.
Device setting | Devices that have had changes to the device setting you select. Select from the following settings:
  • Developer options
  • Unknown sources
  • USB debugging
  • Verify apps

Failed screen unlock attempts (Android only)

Applies the rule to a device when there are failed attempts to unlock it. By default, the rule is applied when there are more than 5 failed attempts.

To change the number of failed attempts before the rule is applied, use this option:

Condition | Applies the rule to
Failed screen unlock attempts | Devices where failed unlock attempts have been detected. To specify how many attempts should be made before the rule is applied, choose an option and enter the number of attempts:
  • > (More than)
  • >= (More than or equal to)

Suspicious activity

The rule is triggered when there’s suspicious activity on managed mobile devices in your domain. For example, the reported device model changes even though the device itself hasn’t been replaced.

For Android devices, this includes changes to the following device properties: 

  • Device model
  • Serial number
  • Wi-Fi MAC address
  • Device policy app privilege
  • Manufacturer
  • Device brand
  • Device hardware
  • Bootloader version

For iOS devices, it only includes changes to the Wi-Fi MAC address.

To only apply the rule when specific conditions are met, use these options:

Condition | Applies the rule to
Device property | Devices with changes to the device properties you select. Select a property from the list. To select more than one property, click Add and select another device property.
  Note: For iOS devices, only changes to the Wi-Fi MAC address are detected.
Old value | Devices where a device property was changed from the value you specify.
New value | Devices where a device property was changed to the value you specify.

Work profile support (Android only)

Applies the rule when an Android device starts supporting work profiles. For example, when the OS version is upgraded and the device now supports work profiles.

Choose an action 

An action specifies what the rule does when it detects an event. You can send a notification email to G Suite super administrators, block or approve a device, or wipe a corporate account from the device. If you don't choose an action, you can see devices that triggered a rule in the Rules Audit log. For details, see View data about detected events.

Choose from the following actions: 

  • Send email to super administrators—Sends an email to let super administrators know that the event occurred on a managed mobile device. At most 25 emails are sent in any 2-hour period.
  • Block mobile device—Stops the device from syncing corporate data. 
  • Approve mobile device—Allows the device to sync corporate data. 
  • Wipe corp account from device—Wipes the user’s G Suite account and associated corporate data from the device. 
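To make the event, conditions and action flow concrete, the following is an added illustration (not code from Google or the Admin console) that models the three rule templates and the user scoping, device-type filter and action choices described above, then evaluates them against constructed device events. The Device, Event and Rule classes, the event names (such as "failed_unlock") and the event data fields are assumptions of this example only.

```python
from dataclasses import dataclass

# Device properties whose change counts as "suspicious activity" per platform (from the page).
ANDROID_SUSPICIOUS = {"model", "serial_number", "wifi_mac", "policy_app_privilege",
                      "manufacturer", "brand", "hardware", "bootloader"}
IOS_SUSPICIOUS = {"wifi_mac"}

@dataclass
class Device:
    platform: str                          # "Android" or "iOS"
    org_unit: str
    groups: frozenset = frozenset()
@dataclass
class Event:
    kind: str                              # assumed event names, e.g. "failed_unlock"
    device: Device
    data: dict                             # event-specific fields read by the condition
@dataclass
class Rule:
    name: str
    event: str
    actions: tuple                         # any of "email", "block", "approve", "wipe"
    platform: str = "all"                  # Filters: device type (Android, iOS, or all)
    org_units: frozenset = frozenset()     # Users: Apply to Organization Unit
    groups: frozenset = frozenset()        # Users: Apply to group
    exempt_groups: frozenset = frozenset() # Users: Exempt group
    condition: object = lambda ev: True    # extra Filters condition; default matches all

def in_scope(rule: Rule, dev: Device) -> bool:
    # Exempt group always wins; with no OU or group selected the rule applies to everyone.
    if dev.groups & rule.exempt_groups:
        return False
    if rule.platform != "all" and rule.platform != dev.platform:
        return False
    if not rule.org_units and not rule.groups:
        return True
    return dev.org_unit in rule.org_units or bool(dev.groups & rule.groups)

def suspicious(ev: Event) -> bool:
    # Suspicious activity: a watched property changed to a different value (iOS: Wi-Fi MAC only).
    watched = ANDROID_SUSPICIOUS if ev.device.platform == "Android" else IOS_SUSPICIOUS
    return ev.data["property"] in watched and ev.data["old"] != ev.data["new"]

# The three templates from the page, as rules (thresholds and actions per the template text).
TEMPLATES = [
    Rule("Block account on multiple failed screen unlocks", "failed_unlock", ("block", "email"),
         platform="Android", condition=lambda ev: ev.data["attempts"] > 5),
    Rule("Wipe account on suspicious event", "suspicious_activity", ("wipe", "email"),
         condition=suspicious),
    Rule("Auto-approve device registration", "account_registration", ("approve",),
         condition=lambda ev: ev.data["state"] == "registered"),
]

def evaluate(rules, ev: Event) -> list:
    # Return (rule name, actions) for every rule whose event, scope and condition all match.
    return [(r.name, r.actions) for r in rules
            if r.event == ev.kind and in_scope(r, ev.device) and r.condition(ev)]
```

Running a constructed "failed_unlock" event with 6 attempts on an Android device through `evaluate(TEMPLATES, ...)` yields the block-and-email actions, while the same event on an iOS device or with exactly 5 attempts yields nothing, matching the template's Android-only, more-than-5 definition.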

View data about detected events

You can see data about events that were detected on mobile devices in the Rules Audit log.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Rules.

    To see Rules, you might have to click More controls at the bottom. 

  3. At the top, click Audit.
  4. (Optional) To change the criteria that’s displayed, click Select columns. Your changes are saved automatically and available the next time you sign in.
  5. To configure the table to only show certain elements, on the left, use the Filters section:
    • Rule name—The event that was detected.
    • Flagged item name—The name of the device that the event was detected on.
    • Flagged item identifier—The device ID.
    • Item owner—The email address of the registered user of the device that the event was detected on.
    • Date and time range—A start and end date and time for listing events. Each entry in the log is associated with a single event.
  6. (Optional) To export the report data directly to a Google Sheets file in Google Drive or to download a CSV file with the report data, click Download. The exported Sheets file and downloaded CSV file can each contain a maximum of 200,000 cells. The maximum number of rows depends on the number of columns you select.