Device management settings
This feature is available with G Suite Enterprise, G Suite Enterprise for Education, Drive Enterprise, and Cloud Identity Premium editions.
From the security health page, you can monitor the configuration of the following Device management settings:
- Mobile management
- Blocking of compromised mobile devices
- Mobile password requirements
- Device encryption
- Mobile inactivity reports
- Auto account wipe for Android
- Mobile application verification for Android
- Installation of mobile applications from unknown sources
- External media storage
Important: Before you can configure the settings described here, you'll first need to enable mobile management in Advanced mode. For details, see the sections below.
Mobile management
Mobile management allows you to configure device policies that determine how your users can use their mobile devices in your fleet. Mobile management enables you to secure corporate data, take remote actions, and manage applications on mobile devices in your organization.
Unless you have mobile management enabled:
- You can’t wipe corporate data from a device if it’s lost or stolen.
- You can’t apply policies or manage the device from the Admin console.
- Devices aren’t listed in the Admin console.
Setting mobile management to Advanced is recommended. For more details, see the table below.
| Setting | Mobile management |
| Status | Specifies the number of organizational units where mobile management is disabled |
|
Recommendation |
Enable mobile management to secure corporate data, take remote actions, and manage applications on mobile devices in your organization. This reduces data leak, malware, and malicious insider risks. As you enable mobile management, you can choose the level of control (Basic/Advanced/Custom) depending on your organizational policy. Before you can configure many of the settings described in the sections below, you'll need to enable mobile management in Advanced mode. |
|
How to enable mobile management |
In the Google Admin console, go to Device management > Setup > Mobile Management. You can then enable mobile management while choosing between the Basic, Advanced, and Custom options. To make sure you can configure the security settings described in the sections below, choose Advanced. For more details and instructions, see Set up mobile device management. |
|
Effect on your users |
By enabling mobile device management, you can choose the level of control depending on your organizational policy. In the basic mode you can enforce passwords for your users. In the advanced mode you can enforce passwords, manage the apps your users are using, create work profiles, apply policy settings (Android, iOS), approve personal devices, and access mobile reports, audits and alerts. |
Blocking of compromised mobile devices
Configure mobile management settings to block the use of compromised Android mobile devices for all of your users. Indications of compromise might include, for example, the presence of an unlocked boot loader, the use of a custom read-only memory (ROM), or the presence of a superuser binary on the device. This setting is currently supported only on Android devices.
For more details, see the table below.
| Setting | Blocking of compromised mobile devices |
| Status | Specifies the number of organizational units where the blocking of compromised mobile devices is disabled |
|
Recommendation |
Make sure you have enabled mobile management in Advanced mode, and then configure your settings to block compromised Android devices for all of your users. This reduces data leak, malware, and malicious insider risks. |
|
How to set up the blocking of compromised mobile devices |
First, make sure you have enabled mobile management in Advanced mode. In the Google Admin console, go to Device management > Setup > Mobile Management to review your settings. Then, if Advanced mobile management is enabled, go to Device management > Advanced settings > Security, and check the Block compromised Android devices box. For more details and instructions, see Apply advanced settings. |
|
Effect on your users |
A user with a compromised device (for example, if it’s rooted/unlocked) will be blocked and will not be able to use their mobile device to access corporate data for their Google service (such as G Suite or Cloud Identity). Users receive a notification telling them that their device has been blocked, and they are instructed to contact their domain administrator. |
Mobile password requirements
If mobile management is enabled for an organization, you can require users to set a password for a mobile device and configure the settings for password strength, expiration, password reuse, locking, and device wipeout settings.
For more details, see the table below.
| Setting | Mobile password requirements |
| Status | Specifies the number of organizational units where users are not required to set up a password for their mobile devices |
|
Recommendation |
Make sure you have enabled mobile management in Advanced mode, and then require users to set up passwords for mobile devices. Configure settings for password strength, expiration, password reuse, locking, and device wipeout settings. This reduces the risk of data leaks in case devices are lost or stolen. |
|
How to require mobile users to set a password |
First, make sure you have enabled mobile management in Advanced mode. In the Google Admin console, go to Device management > Setup > Mobile Management to review your settings. Then, if Advanced mobile management is enabled, go to Device management > Password Settings, and check the Require users to set a password box. For more details and instructions, see Apply password settings for mobile devices. |
|
Effect on your users |
Your users will be required to set up a password for using their mobile device. In addition, if you configure password strength, expiration, password reuse, locking and wipe-out, this will affect your users’ password selection process as well as what happens when the password is entered incorrectly. |
Device encryption
If mobile management is enabled for an organization, you can encrypt data on Android mobile devices that allow encryption. For more details, see the table below.
| Setting | Device encryption |
| Status | Specifies the number of organizational units where encryption is not enforced for users’ mobile devices |
|
Recommendation |
Make sure you have enabled mobile management in Advanced mode, and then configure your settings to encrypt data on Android mobile devices that accept encryption. This reduces the risk of data leaks in case mobile devices are lost, stolen, or sold. |
|
How to encrypt data on Android mobile devices that allow encryption |
First, make sure you have enabled mobile management in Advanced mode. In the Google Admin console, go to Device management > Setup > Mobile Management to review your settings. Then, if Advanced mobile management is enabled, go to Device management > Advanced Settings > Security, and check the Require device encryption box. For more details and instructions, see Apply advanced settings. |
|
Effect on your users |
Enabling this setting will help reduce data leak risks in case your user’s mobile device is lost, stolen, or sold. Note that some users might report that encrypting the mobile device data has some effect on performance, especially on older, slower phones. |
Mobile inactivity reports
If advanced mobile management is enabled for an organization, you can get a monthly report of unused company-owned Android devices that haven’t synchronized any work data in the last 30 days. The report is automatically emailed to all super administrators. You can add other recipients if you want. Recipients can download the file to check for unused devices and see who last signed in with them.
For more details, see the table below.
| Setting | Device inactivity reports |
| Status | Specifies the number of organizational units where mobile inactivity reports are disabled |
|
Recommendation |
Make sure you have enabled mobile management in Advanced mode, and then enable the sending of monthly reports to super-admins of inactive company-owned devices that haven’t synchronized any work data in the last 30 days. This reduces your risk of data leaks if you choose to disable the inactive accounts. |
|
How to enable device inactivity reports |
First, make sure you have enabled mobile management in Advanced mode. In the Google Admin console, go to Device management > Setup > Mobile Management to review your settings. Then, if Advanced mobile management is enabled, go to Device management > Setup > Company Owned Devices, and check the Send monthly report of inactive company owned devices to super administrator(s) box. For more details and instructions, see Get a report of inactive company devices. |
|
Effect on your users |
Enabling this setting will not have a direct effect on your users. Once you review the report, you’ll have the option to disable inactive accounts. This will prevent the affected users from using their company owned device until the account has been reactivated. |
Auto account wipe
If mobile management is enabled for an organization, you can turn on the Auto Account Wipe setting for all of your users to automatically remove corporate account data from the mobile device when a device reaches a specified number of days of inactivity.
For more details, see the table below.
| Setting | Auto account wipe |
| Status | Specifies the number of organizational units where Auto Account Wipe is not turned on |
|
Recommendation |
Make sure you have enabled mobile management in Advanced mode, and then turn on the Auto Account Wipe setting for all organizational units. This automatically removes corporate account data from the mobile device when a device reaches a specified number of days of inactivity (choose a number of days that aligns with your organization’s mobile usage policy). This reduces your risk of data leaks. |
|
How to turn on the Auto Account Wipe setting |
First, make sure you have enabled mobile management in Advanced mode. In the Google Admin console, go to Device management > Setup > Mobile Management to review your settings. Then, if Advanced mobile management is enabled, go to Device management > Android Settings > General Settings, and check the Remove account if device does not sync box. For more details and instructions, see Apply settings for Android mobile devices. Go to General settings, and Auto Account Wipe. |
|
Effect on your users |
If your users have been inactive on their mobile device for a number of days greater than the one specified in the setting, their account is removed from the device. Users are prompted to reconnect to the Internet and sync the device before the system removes the account. The user will need to reconfigure this account the next time they sign in to the system using this device. |
Application verification
If mobile management is enabled for an organization, you can enforce application verification for all of your users. This allows your users to install applications only from known sources, and periodically scans devices for potentially harmful apps.
For more details, see the table below.
| Setting | Application verification |
| Status | Specifies the number of organizational units where mobile application verification is not enforced |
|
Recommendation |
Make sure you have enabled mobile management in Advanced mode, and then enforce mobile application verification for all organizational units. This allows your users to install applications only from known sources, periodically scans devices for potentially harmful apps, and reduces the risk of malware and data leaks. |
|
How to enforce mobile application verification for your Android users |
First, make sure you have enabled mobile management in Advanced mode. In the Google Admin console, go to Device management > Setup > Mobile Management to review your settings. Then, if advanced mobile management is enabled, go to Device management > Android Settings > Apps and Data Sharing. Under Verify Apps, uncheck the Allow application verification to be turned off box. For more details and instructions, see Apply settings for Android mobile devices. |
|
Effect on your users |
If you enforce application verification, your users will only be able to install and run verified apps. |
Installation of mobile applications from unknown sources
If mobile management is enabled for an organization, you can allow the installation of non-Play Store apps from unknown sources. Disabling this setting requires the installation of apps only from known sources.
For more details, see the table below.
| Setting | Installation of mobile applications from unknown sources |
| Status | Specifies the number of organizational units where the installation of mobile applications from unknown sources is allowed (the Allow non-Play Store apps from unknown sources box is checked) |
|
Recommendation |
Make sure you have enabled mobile management in Advanced mode, and then require your users to install mobile applications only from known sources (for example, from Play Store). This reduces data leak, account breach, data exfiltration, data deletion, and malware risks. |
|
How to require your users to install mobile applications only from known sources |
First, make sure you have enabled mobile management in Advanced mode. In the Google Admin console, go to Device management > Setup > Mobile Management to review your settings. Then, if advanced mobile management is enabled, go to Device management > Android Settings > Apps and Data Sharing, and under Unknown Sources, uncheck the Allow non-Play Store apps from unknown sources box. For more details and instructions, see Apply settings for Android mobile devices. |
|
Effect on your users |
Your users will be able to install mobile applications only from known sources. If they try to install an app from an unknown source, they will receive an error message. |
External media storage
If you have mobile management enabled, you can allow or disallow external media storage for your users. Disabling external media storage prevents users from moving data and applications from and to the device.
For more details, see the table below.
| Setting | External media storage |
| Status | Specifies the number of organizational units where external media storage is allowed |
|
Recommendation |
Make sure you have enabled mobile management in Advanced mode, and then configure your settings to not allow users to use external media for storage. This reduces the risk of data leaks. |
|
How to disallow your users from using external media for storage |
First, make sure you have enabled mobile management in Advanced mode. In the Google Admin console, go to Device management > Setup > Mobile Management to review your settings. Then, if advanced mobile management is enabled, go to Device management > Android Settings > Device Features, and under Physical Media, uncheck the Allow external SD card box. For more details and instructions, see Apply settings for Android mobile devices. |
|
Effect on your users |
Users will be unable to use external media for storage. |
