Supported editions for this feature: Enterprise; Education Plus.
From the security health page, you can monitor the configuration of the following Devices settings:
- Mobile management
- Blocking of compromised mobile devices
- Mobile password requirements
- Device encryption
- Mobile inactivity reports
- Autowipe for Android
- Mobile application verification for Android
- Installation of mobile applications from unknown sources
- External media storage
Mobile management
Mobile management allows you to set device policies that determine how your users can use their mobile devices in your fleet. Mobile management lets you keep your organization's data more secure, take remote actions, and manage apps on mobile devices.
When mobile management is turned off:
- You can’t wipe corporate data from a device if it’s lost or stolen.
- You can’t apply policies or manage the device from the Admin console.
- Devices aren’t listed in the Admin console.
Setting | Mobile management |
Status | Specifies the number of organizational units where mobile management is turned off |
Recommendation | Turn on advanced mobile management to make your organization's data more secure, take remote actions, and manage applications on mobile devices in your organization. By default, your organization has basic mobile management, which reduces data leak, harmful software, and malicious insider risks. The other settings described in this article require advanced mobile management. |
How to turn on mobile management | From the Security Health page, click Mobile management. Or, in the Google Admin console, go to Devices To make sure you can configure all the security settings described in this article, choose Advanced. For details and instructions, see Set up advanced mobile management. |
Effect on your users | You can choose the level of control and impact on your users depending on your organization's policy. With basic mobile management, you can require passwords for devices and wipe work accounts. With advanced mobile management you can enforce passwords, manage mobile apps, apply policy settings (Android, iOS), approve personal devices, and get mobile reports, audits, and alerts. For details, see Compare mobile management features. |
Blocking of compromised mobile devices
You can prevent users from using compromised mobile devices to access their corporate account data. A device can be compromised in many ways, such as if it has an unlocked boot loader, uses a custom read-only memory (ROM), or has a superuser binary on the device.
Setting | Blocking of compromised mobile devices |
Status | Specifies the number of organizational units where compromised mobile devices aren't blocked |
Recommendation | Set mobile management to Advanced and then configure your settings to block compromised devices for all of your users. This reduces data leak, harmful software, and malicious insider risks. |
How to block compromised mobile devices | First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to Devices Then, go to Devices For details and instructions, see Apply universal settings. |
Effect on your users | Users with a compromised device will be blocked and won't be able to use their mobile device to access corporate data for their Google service (such as Google Workspace or Cloud Identity). Users get a notification that their device is blocked and they're instructed to contact their administrator. |
Mobile password requirements
You can require users to set a password for their mobile devices. You can also configure password strength, expiration, password reuse, locking, and device wipeout settings.
Setting | Mobile password requirements |
Status | Specifies the number of organizational units where users aren't required to set up a password for their mobile devices |
Recommendation | Set mobile management to Advanced and then require users to set up passwords for mobile devices. Set password strength, expiration, password reuse, locking, and device wipeout. This reduces the risk of data leaks in case devices are lost or stolen. |
How to require mobile users to set a password | First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to Devices Then, go to Devices For details and instructions, see Set password requirements for managed mobile devices. |
Effect on your users | Your users will be required to set up a password to use their mobile device. If you set password strength, expiration, password reuse, locking and wipe-out, users must set passwords that match the requirements. Your settings also control what happens when the password is entered incorrectly. |
Device encryption
You can require data encryption on mobile devices that allow encryption.
Setting | Device encryption |
Status | Specifies the number of organizational units where encryption is not enforced for users’ mobile devices |
Recommendation | Set mobile management to Advanced and then configure your settings to encrypt data on Android mobile devices that accept encryption. This reduces the risk of data leaks in case mobile devices are lost, stolen, or sold. |
How to require data encryption | First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to Devices Then, go to Devices For details and instructions, see Apply universal settings. |
Effect on your users | Requiring encryption will help reduce the risk of data leaks if your user’s mobile device is lost, stolen, or sold. Some users might report that encrypting mobile device data has some effect on device performance, especially on older, slower phones. |
Mobile inactivity reports
You can get a monthly report of company-owned Android devices that haven’t synchronized any work data in the last 30 days. The report is automatically emailed to all super administrators. You can add other recipients if you want. Recipients can download the file to check for unused devices and review who last signed in with them.
Setting | Device inactivity reports |
Status | Specifies the number of organizational units where mobile inactivity reports are turned off |
Recommendation | Set mobile management to Advanced and then turn on inactivity reports. This reduces your risk of data leaks if you choose to disable the inactive accounts. |
How to turn on device inactivity reports | First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to Devices Then, go to Devices For more details and instructions, see Get a report of inactive company devices. |
Effect on your users | These reports have no direct effect on your users. After you review the report, you can disable inactive accounts. This will prevent the affected users from using their company-owned device until the account has been reactivated. |
Auto wipe
You can automatically remove corporate account data from an Android device when it's inactive for too long or falls out of compliance with device policies.
Setting | AutoWipe |
Status | Specifies the number of organizational units where the Auto Wipe setting isn't turned on |
Recommendation | Set mobile management to Advanced and then turn on Auto wipe for all organizational units. This automatically removes corporate account data from the mobile device when a device is inactive for a certain time or falls out of compliance with your organization’s device policies. Choose a number of days that aligns with your organization’s mobile usage policy. This reduces your risk of data leaks. |
How to turn on the Auto Wipe setting | First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to Devices Then, go to Devices For details, see Auto wipe. |
Effect on your users |
Corporate account data is removed from the user’s device when any of the following occur and the user doesn't address the problem:
For devices with Android Device Policy, the work profile is removed. Or, if there’s no work profile, the device is factory reset. For devices with Google Apps Device Policy, the account is wiped. For details, see Auto wipe. Before any data is removed from the device, the user is prompted to sign in to their account to fix the problem. |
Application verification
You can enforce app verification for all of your users. This allows your users to install apps only from known sources, and periodically scans devices for potentially harmful apps.
Setting | Application verification |
Status | Specifies the number of organizational units where mobile app verification is not enforced |
Recommendation | Set mobile management to Advanced and then enforce mobile app verification for all organizational units. This allows your users to install apps only from known sources, periodically scans devices for potentially harmful apps, and reduces the risk of harmful software and data leaks. |
How to enforce mobile app verification for your Android users | First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to Devices Then, go to Devices For more details and instructions, see Apply settings for Android mobile devices. |
Effect on your users | Users will be able to install and run only verified apps. |
Installation of mobile applications from unknown sources
You can block users from installing non-Play Store apps from unknown sources.
Setting | Installation of mobile applications from unknown sources |
Status | Specifies the number of organizational units where users are allowed to install mobile apps from unknown sources (the Block app installation from unknown sources box is unchecked) |
Recommendation | Set mobile management to Advanced and then require your users to install mobile applications only from known sources (for example, from Play Store). This reduces data leak, account breach, data exfiltration, data deletion, and harmful software risks. |
How to require your users to install mobile apps only from known sources | First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to Devices Then, go to Devices For details, see Apply settings for Android mobile devices. |
Effect on your users | Users will be able to install mobile apps only from known sources. If they try to install an app from an unknown source, they'll get an error message. |
External media storage
You can block external media storage so that users can't move data and apps to and from their mobile devices.
Setting | External media storage |
Status | Specifies the number of organizational units where external media storage is allowed |
Recommendation | Set mobile management to Advanced and then configure your settings to not allow users to use external media for storage. This reduces the risk of data leaks. |
How to disallow your users from using external media for storage | First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to Devices Then, go to Devices For details and instructions, see Apply settings for Android mobile devices. |
Effect on your users | Users will be unable to use external media for storage. |
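The security health page counts organizational units where a setting is off; the device conditions those settings act on (compromised state, missing password, missing encryption, unknown sources allowed, no sync in 30 days) can also be checked per device against an inventory export. The following is an added example, not part of the original article or Google's code: the field names follow the Admin SDK Directory API mobiledevices resource, while the status strings, the records, and the function names are assumptions constructed for illustration, and the inactivity check is applied to every record rather than only company-owned Android devices.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed status strings; confirm them against your own inventory export.
COMPROMISED, PASSWORD_ON, ENCRYPTED = "Compromised", "On", "Encrypted"
INACTIVE_AFTER = timedelta(days=30)  # window used by the inactivity report

# Constructed records. Field names follow the Admin SDK Directory API
# mobiledevices resource; the values are made up for this example.
SAMPLE = json.loads("""[
 {"resourceId": "dev-1", "lastSync": "2024-05-28T09:00:00.000Z",
  "deviceCompromisedStatus": "No compromise detected",
  "devicePasswordStatus": "On", "encryptionStatus": "Encrypted",
  "unknownSourcesStatus": false},
 {"resourceId": "dev-2", "lastSync": "2024-05-30T18:30:00.000Z",
  "deviceCompromisedStatus": "Compromised",
  "devicePasswordStatus": "On", "encryptionStatus": "Encrypted",
  "unknownSourcesStatus": true},
 {"resourceId": "dev-3", "lastSync": "2024-04-15T07:45:00.000Z",
  "deviceCompromisedStatus": "No compromise detected",
  "devicePasswordStatus": "Off", "unknownSourcesStatus": false}
]""")

def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2024-05-28T09:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit(device, now):
    """Return findings for one device. An absent password, encryption,
    unknown-sources or sync field counts as a finding."""
    findings = []
    if device.get("deviceCompromisedStatus") == COMPROMISED:
        findings.append("compromised")
    if device.get("devicePasswordStatus") != PASSWORD_ON:
        findings.append("no-password")
    if device.get("encryptionStatus") != ENCRYPTED:
        findings.append("not-encrypted")
    if device.get("unknownSourcesStatus", True):
        findings.append("unknown-sources")
    last_sync = device.get("lastSync")
    if last_sync is None or now - parse_ts(last_sync) > INACTIVE_AFTER:
        findings.append("inactive")
    return findings

def audit_fleet(devices, now):
    """Map resourceId -> findings, listing only devices with findings."""
    return {d["resourceId"]: f for d in devices if (f := audit(d, now))}

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed for repeatability
    for rid, findings in audit_fleet(SAMPLE, now).items():
        print(rid, ", ".join(findings))
```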