Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Cloud Identity Premium. Compare your edition
As an administrator, you can define rules to automate device management tasks and get security alerts. For example, you can automatically block devices that report suspicious activity.
You can apply device management rules to supported mobile devices.
Note: To approve mobile devices with rules, the devices must be under advanced mobile management. If needed, turn on advanced mobile management.
How rules work
A device management rule is triggered by an event on a managed device. When the event is detected, the rule checks for any conditions you specify. If the conditions are met, an action is carried out.
For example, you can block a device when the account registration state changes on Android devices because a user unregisters their corporate account from the device. In this example:
- The event is an account registration state change on a device.
- The first condition is that the device type is Android.
- The second condition is that a user unregisters their account from the device (Account state is Unregistered from).
- The action is blocking the device.
You can create your own rule or work with a predefined template. For the scope, you can assign a rule to your whole organization, an organizational unit, or a group in Google Groups. You can also exclude a group.
Note: Device management rules let you approve, block, or wipe a device in response to a specific event. To control access to Google apps for devices based on device attributes such as OS version, security status, IP address, geographic location, or ownership, you can use Context-Aware Access levels. Learn more
Create and edit rules
You must be signed in as a super administrator for this task.
-
Sign in with a
super administrator account to the Google Admin console.
If you aren’t using a super administrator account, you can’t complete these steps.
-
- Click Device management rules.
- Click Add Rule and choose an option:
- To use a rule template, click Rule from template and then click the template. For details, see Use the rule templates.
- To build your own rule, click New rule.
- Enter or edit the rule title and description.
- Choose who the rule applies to. By default, the rule applies to everyone in your organization.
- To apply the rule to only select users, click Specify organizational units or groups and select the organizational units and groups to include.
- To exclude users in specific groups, first select at least one organizational unit or group to include. Then click Exclude groups and select the group to exclude. Repeat to exclude more groups.
For example, to apply a rule to everyone in your organization except for one group, include the top-level organizational unit and exclude the one exempt group.
To remove an organizational unit or group, click Clear 
next to it.
- Click Continue.
- If necessary, select the event that triggers the rule. For details, see Choose a trigger and conditions.
- Click Add Condition and set a device type condition:
- Click Field and select Device type.
- Click Value and select the device type: All devices, Android, or iOS. Not all device type options may be available because some events are supported for only certain types.
Note: A device type condition is required before you can go on to the next step.
- (Optional) Click Add Condition and set up more conditions. A device must meet all conditions for the rule to apply.
- Click Continue.
- If necessary, select the action to take when the rule's conditions are met. Not all actions are available for all events.
- Block mobile device—Stops the device from syncing corporate data.
- Approve mobile device—(advanced mobile management only) Allows the device to sync corporate data.
- Perform wipe—Wipes the user’s corporate account and associated data from the device. Learn more about account wipes.
- No action—Take no action on the device. You can use this option when you only want to get a notification that the event occurred (described in the next steps).
- (Optional) To send email notifications to all super administrators, check the Send to alert center box and then check the All super administrators box. Note: Alert center notification aren't yet supported, but must be turned on to send emails to super administrators.
- Click Continue.
- Review the rule settings. If they're correct, click Finish. If not, click Back to edit the rule.
- In the dialog that opens, choose an option:
- To create the rule and turn it on now, click Active.
- To create the rule and turn it on later, click Inactive.
- Click Complete.
- To turn on an inactive rule, in the rules list, click the rule. At the left, click the menu and select Active.
-
Sign in with a
super administrator account to the Google Admin console.
If you aren’t using a super administrator account, you can’t complete these steps.
-
- Click Device management rules.
- Click the rule you want to edit.
- Click the section you want to edit and make your changes. Click Continue as needed to progress to the review page.
- Review the rule settings. If they're correct, click Finish. If not, click Back to edit the rule.
- In the dialog that opens, choose whether the rule is active or inactive.
- Click Complete.
Use the rule templates
Rule templates are set up for common conditions and actions. You can use one as a starting place and change it to suit your organization’s needs. For example, to automatically approve iPhones and iPads but manually approve Android devices, use the Auto-approve device registration template and change the device type to iOS.
This rule blocks an Android device when there are more than 5 failed attempts to unlock it. The rule stops the user's work or school data from synchronizing to the device.
To send email notifications to all super administrators, check the Send to alert center box and then check the All super administrators box. Note: Alert center notification aren't yet supported, but must be turned on to send emails to super administrators.
This rule removes corporate data from an Android device, iPhone, or iPad when suspicious activity is detected.
For iPhones and iPads, the account is wiped when the device’s Wi-Fi MAC address changes.
For Android devices, the device is wiped when any of the following device properties change:
- Bootloader version
- Device brand
- Device hardware
- Manufacturer
- Device model
- Device policy app privilege
- IMEI number
- MEID number
- Serial number
- Wi-Fi MAC address
For company-owned Android devices and personal devices set up as work only, all data is wiped from the device and the device is factory reset. For personal devices with a work profile, only the work profile is wiped, leaving personal data untouched.
For more about how account and device wipe works, see Remove corporate data from a device.
To send email notifications to all super administrators, check the Send to alert center box and then check the All super administrators box. Note: Alert center notification aren't yet supported, but must be turned on to send emails to super administrators.
Automatically approves all supported devices when a user enrolls their device for management. Corporate data will synchronize to the device when the user signs in with their account.
To send email notifications to all super administrators, check the Send to alert center box and then check the All super administrators box. Note: Alert center notification aren't yet supported, but must be turned on to send emails to super administrators.
Choose a trigger and conditions
Choose the event that triggers the rule. Use conditions to select the device type (Android, iOS, or all) and other conditions that determine if the rule applies to a device. The rule’s action is carried out only when the event happens on devices that meet the specified conditions.
You can choose one event and several conditions for every rule. You must set a device type condition. For all rules, you can also limit a rule to a specific devices by device ID, device serial number, device model, or condition-specific values. To apply more than one condition to a rule, click Add condition.
The OS Version condition is listed for some triggers but isn't currently supported.
Open all | Close all
The rule is triggered when the account registration state of a device in your organization changes. The registration state can change when:
- A user adds their managed work or school account on a new device.
- A user unregisters their managed work or school account from a managed device.
- The management privilege your organization has on an Android device changes.
By default, the rule is triggered when any of these events are detected.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
| Condition |
Values |
| Account state |
Select the type of registration change:
- Registered on—Applies the rule when an account is added to a device.
- Unregistered from—Applies the rule when an account is unregistered from a managed device.
|
| Device policy app privilege |
Select the management privilege your organization has on the device:
- With device administrator privilege—Applies the rule to personal devices that have a managed account in their personal space.
- With work profile privilege—Applies the rule to personal devices that have a work profile set up.
- With device owner privilege—Applies the rule to company-owned devices and personal devices set up as "work only".
|
The rule is triggered when user access to work or school data changes. These events include:
- A device is approved, blocked, or wiped
- The managed account is wiped, signed out by an admin, or unenrolled
By default, the rule is triggered when any device action event occurs.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
| Condition |
Values |
| Status of an action taken on a device |
Select the status of the action: Action rejected by user, Cancelled, Executed, Failed, Pending, Sent to device, or Unknown action execution status. |
| Type of action taken on a device |
Select the action associated with the event:
- Account wipe
- Allow access
- Approve
- Block
- Collect bug report
- Device wipe
- Disallow access
- Locate device
- Lock device
- Remove app
- Remove iOS profile
- Reset pin
- Revoke token
- Ring device
- Sign out user
- Sync device
- Unenroll
- Unknown
|
For example, to block a device when a device wipe isn't successful:
- Set Type of action taken on a device to Device wipe.
- Set Status of an action taken on a device to Failed.
The rule is triggered whenever a user installs, uninstalls, or updates an app on their device. For personal Android devices that don’t have a work profile, the Application Auditing setting needs to be turned on. For iPhones and iPads, only changes to managed apps installed using the Google Device Policy app are detected.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
| Condition |
Values |
| Application ID |
Enter all or part of the app ID for the app that changed.
For example, to apply the rule only when the YouTube mobile app changes, select Contains and enter youtube.
|
| Application SHA-256 |
Enter all or part of the SHA-256 hash of the app package for the app that changed. |
| Application state |
Select the state the app changed to:
- Installed on
- Not flagged as potentially harmful
- Detected as potentially harmful
- Started on
- Deleted from
- Updated on
|
| New Value |
Enter all or part of the version number an app changed to. For example, to trigger the rule when the Chrome app is updated to any version 86, select Contains and enter 86. |
| Potentially harmful app category |
Select the type of potentially harmful app:
- The app potentially contains a backdoor
- The app potentially contains call fraud
- The app potentially contains data collection capabilities
- The app potentially contains denial of service logic
- The app potentially contains fraudware
- The app potentially contains malware
- The app potentially contains harmful sites
- The app potentially contains a hostile downloader
- The app potentially contains threats to non-Android systems token
- The app potentially contains phishing
- The app potentially contains privilege escalation capabilities
- The app potentially contains ransomware
- The app potentially contains rooting capabilities
- The app potentially contains spam
- The app potentially contains spyware
- The app potentially contains toll fraud
- The app potentially contains tracking logic
- The app potentially contains a trojan
- The app is uncommon
- The app potentially contains WAP fraud
- The app potentially contains Windows malware
|
The rule is triggered when a device becomes noncompliant with your organization's’ policies. For example, a user changes their device password and it no longer complies with your password policy. For details, see Device compliance status.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
| Condition |
Applies the rule to |
| Device compliance state |
Devices whose compliance status has changed. Choose an option:
- Compliant with set policies—Applies the rule when a device becomes compliant with your organization’s policies.
- Not compliant with set policies because device—Then click Add and use the Reason for deactivation of the mobile device condition.
|
| Reason for deactivation of the mobile device |
Select the reason the device isn't compliant:
- Has not restricted accessibility services
- Was account wiped by admin
- Has camera enabled
- Is compromised
- Has been blocked by the administrator
- Has harmful apps
- Needs to have device policy app verification done
- Is unsupported
- Screenlock information required
- Is of a model not allowed by the admin
- Was wiped by admin
- Is not in device owner mode
- Does not have the latest device policy app
- Does not have work profile created
- Has not restricted input methods
- Needs to convert one or more apps to managed state
- Has not synced in the last 24 hours
- Has lock screen widgets enabled
- Has multiple managed accounts
- Is not adhering to password policy
- Permission to reset device password was not granted
- Does not have sync enabled
|
The rule is triggered when an Android device becomes compromised or is no longer compromised. An Android device is compromised when it’s rooted—a process that removes restrictions on a device. Compromised devices can indicate a potential security threat.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
| Condition |
Values |
| Device compromised state |
Select what the device's status changed to:
- Is compromised—Applies to the rule to devices that become compromised.
- Is no longer compromised—Applies the rule to devices that were compromised, but are no longer compromised.
|
The rule is triggered when a device’s operating system (OS) changes. The types of OS changes that trigger the rule depend on the device type:
- Android—Changes to the OS version, build number, kernel version, baseband version, security patch, or bootloader version.
- iOS—Only changes to the OS version and build number. For example, a user updates their device to a new OS or applies the latest security patch.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
| Condition |
Values |
| Old value |
Enter some or all of the OS property value that the device changed from. |
| New value |
Enter some or all of the OS property value that the device changed to. |
| OS property |
Select the OS property that triggers the rule when its value changes:
- OS version
- Build number
- Kernel version
- Device baseband version
- OS security patch
- Bootloader version on their device
For iOS, only OS version and build number are supported.
|
The rule is triggered when the ownership of a device changes from personal to company-owned, or from company-owned to personal.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
| Condition |
Values |
| Device ownership of the device |
Select the device-ownership state the device changed to:
- Company owned—Applies the rule to devices whose ownership has changed to company-owned.
- Personal—Applies to the rule to devices whose ownership has changed to personal.
|
The rule is triggered when device settings change on Android devices, such as USB debugging, unknown sources, developer options, or verify apps.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
| Condition |
Values |
| Old value |
Enter some or all of the device setting value that the device changed from. |
| New value |
Enter some or all of the device setting value that the device changed to. |
| Device setting |
Select the device setting that triggers the rule when its value changes:
- Developer options
- Unknown sources
- USB debugging
- Verify apps
|
The rule is triggered when a user's account syncs on a device.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
| Condition |
Values |
| Last sync audit event date |
Enter a date as a UNIX timestamp. For example, 1606167154.
You can trigger the rule when the last device sync happened after the specified date (is greater than) or on or after the specified date (is greater than or equal to).
|
The rule is triggered when a device reaches a set number of failed attempts to unlock it. By default, the rule is applied when there are more than 5 failed attempts.
To change the number of failed attempts before the rule is applied, use this option:
| Condition |
Values |
| Failed screen unlock attempts |
Select how the number of failed attempts is counted (Is greater than or Is greater than or equal to) and enter the number of failed attempts.
For example, if you enter 3 and select Is greater than, then the rule is triggered by the 4th failed attempt. If you enter 3 and select Is greater than or equal to, then the rule is triggered by the 3rd failed attempt.
|
The rule is triggered when a device property changes on a managed device and that property isn't one that usually changes. For example, the device model changes when the device hasn’t changed.
For Android devices, suspicious activity includes changes to the following device properties:
- Bootloader version
- Device brand
- Device hardware
- Manufacturer
- Device model
- Device policy app privilege
- IMEI number
- MEID number
- Serial number
- Wi-Fi MAC address
For iPhones and iPads, it only includes changes to the Wi-Fi MAC address.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
| Condition |
Values |
| Device property |
Select the device property that triggers the rule when it changes. To select more than one property, create a separate rule for that property. If you add more than one property to a rule, the device must report changes to all the properties you select.
Note: For iOS devices, only changes to the Wi-Fi MAC address are detected.
|
| Old value |
For Android devices, select the device management privilege the device changed from. |
| New value |
For Android devices, select the device management privilege the device changed to. |
Applies the rule when an Android device starts supporting work profiles. For example, when the OS version is upgraded and the device now supports work profiles.
View data about detected events
You can review data about events on managed devices in a Rules Audit.
-
Sign in with an
administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
-
- To review actions related to your device management rules, click Add Filter
Device management. You can also filter by other event characteristics, such as the rule name or the device owner's account (filter by Resource Owner).
-
(Optional) To customize what data you see, on the right, click Manage columns 
. Select the columns that you want to see or hideclick Save.
- (Optional) To export the report data directly to a Google Sheets file in Google Drive or to download a CSV file with the report data:
- Click Download
.
- Under Select columns, click Currently selected columns or All columns.
- Select a format and click Download.
With either file type, you can export up to 100,000 rows of data.
Reporting > Audit and investigation > Rule log events.
