Monitor the health of your device management settings

Security health page

Supported editions for this feature: Enterprise; Education Plus. Compare your edition

From the security health page, you can monitor the configuration of the following Devices settings:

Mobile management
Blocking of compromised mobile devices
Mobile password requirements
Device encryption
Mobile inactivity reports
Autowipe for Android
Mobile application verification for Android
Installation of mobile applications from unknown sources
External media storage

Mobile management

Mobile management allows you to set device policies that determine how your users can use their mobile devices in your fleet. Mobile management lets you keep your organization's data more secure, take remote actions, and manage apps on mobile devices.

When mobile management is turned off:

You can’t wipe corporate data from a device if it’s lost or stolen.
You can’t apply policies or manage the device from the Admin console.
Devices aren’t listed in the Admin console.

Setting	Mobile management
Status	Specifies the number of organizational units where mobile management is turned off
Recommendation	Turn on advanced mobile management to make your organization's data more secure, take remote actions, and manage applications on mobile devices in your organization. By default, your organization has basic mobile management, which reduces data leak, harmful software, and malicious insider risks. The other settings described in this article require advanced mobile management.
How to turn on mobile management	From the Security Health page, click Mobile management. Or, in the Google Admin console, go to DevicesSettingsUniversal settingsGeneralMobile management. You can choose between the Basic, Advanced, and Custom options. To make sure you can configure all the security settings described in this article, choose Advanced. For details and instructions, see Set up advanced mobile management.
Effect on your users	You can choose the level of control and impact on your users depending on your organization's policy. With basic mobile management, you can require passwords for devices and wipe work accounts. With advanced mobile management you can enforce passwords, manage mobile apps, apply policy settings (Android, iOS), approve personal devices, and get mobile reports, audits, and alerts. For details, see Compare mobile management features.

Blocking of compromised mobile devices

You can prevent users from using compromised mobile devices to access their corporate account data. A device can be compromised in many ways, such as if it has an unlocked boot loader, uses a custom read-only memory (ROM), or has a superuser binary on the device.

Setting	Blocking of compromised mobile devices
Status	Specifies the number of organizational units where compromised mobile devices aren't blocked
Recommendation	Set mobile management to Advanced and then configure your settings to block compromised devices for all of your users. This reduces data leak, harmful software, and malicious insider risks.
How to block compromised mobile devices	First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to DevicesSettingsUniversal settingsGeneralMobile management to review your settings. Then, go to DevicesSettingsUniversal settingsSecurityCompromised devices, and check both the Block compromised Android devices and Block jailbroken iOS devices boxes. For details and instructions, see Apply universal settings.
Effect on your users	Users with a compromised devices will be blocked and won't be able to use their mobile device to access corporate data for their Google service (such as Google Workspace or Cloud Identity). Users get a notification that their device is blocked and they're instructed to contact their administrator.

Mobile password requirements

You can require users to set a password for their mobile devices. You can also configure password strength, expiration, password reuse, locking, and device wipeout settings.

Setting	Mobile password requirements
Status	Specifies the number of organizational units where users aren't required to set up a password for their mobile devices
Recommendation	Set mobile management to Advanced and then require users to set up passwords for mobile devices. Set password strength, expiration, password reuse, locking, and device wipeout. This reduces the risk of data leaks in case devices are lost or stolen.
How to require mobile users to set a password	First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to DevicesSettingsUniversal settingsGeneralMobile management to review your settings. Then, go to DevicesSettingsUniversal settingsGeneralPassword requirements, and check the Require users to set a password box. For details and instructions, see Set password requirements for managed mobile devices.
Effect on your users	Your users will be required to set up a password to use their mobile device. If you set password strength, expiration, password reuse, locking and wipe-out, users must set passwords that match the requirements. Your settings also control what happens when the password is entered incorrectly.

Device encryption

You can require data encryption on mobile devices that allow encryption.

Setting	Device encryption
Status	Specifies the number of organizational units where encryption is not enforced for users’ mobile devices
Recommendation	Set mobile management to Advanced and then configure your settings to encrypt data on Android mobile devices that accept encryption. This reduces the risk of data leaks in case mobile devices are lost, stolen, or sold.
How to require data encryption	First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to DevicesSettingsUniversal settingsGeneralMobile management to review your settings. Then, go to DevicesSettingsUniversal settingsSecurityEncryption, and check the Require device encryption box. For details and instructions, see Apply universal settings.
Effect on your users	Requiring encryption will help reduce the risk of data leaks if your user’s mobile device is lost, stolen, or sold. Some users might report that encrypting mobile device data has some effect on device performance, especially on older, slower phones.

Mobile inactivity reports

You can get a monthly report of company-owned Android devices that haven’t synchronized any work data in the last 30 days. The report is automatically emailed to all super administrators. You can add other recipients if you want. Recipients can download the file to check for unused devices and review who last signed in with them.

Setting	Device inactivity reports
Status	Specifies the number of organizational units where mobile inactivity reports are turned off
Recommendation	Set mobile management to Advanced and then turn on inactivity reports. This reduces your risk of data leaks if you choose to disable the inactive accounts.
How to turn on device inactivity reports	First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to DevicesSettingsUniversal settingsGeneralMobile management to review your settings. Then, go to DevicesSettingsUniversal settingsInactive company owned devices, and check the Send monthly report of inactive company owned devices to super administrators box. For more details and instructions, see Get a report of inactive company devices.
Effect on your users	These reports have no direct effect on your users. After you review the report, you can disable inactive accounts. This will prevent the affected users from using their company owned device until the account has been reactivated.

Auto wipe

You can automatically remove corporate account data from an Android device when it's inactive for too long or falls out of compliance with device policies.

Setting	AutoWipe
Status	Specifies the number of organizational units where the Auto Wipe setting isn't turned on
Recommendation	Set mobile management to Advanced and then turn on Auto wipe for all organizational units. This automatically removes corporate account data from the mobile device when a device is inactive for a certain time or falls out of compliance with your organization’s device policies. Choose a number of days that aligns with your organization’s mobile usage policy. This reduces your risk of data leaks.
How to turn on the Auto Wipe setting	First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to DevicesSettingsUniversal settingsGeneralMobile management to review your settings. Then, go to DevicesSettingsAndroid settingsGeneral, and check the Wipe if device isn't synced within a set time box. Enter the number of days a device can go without syncing before it's wiped. For details, see Auto wipe.
Effect on your users	Corporate account data is removed from the user’s device when any of the following occur and the user doesn't address the problem: The user is inactive on their mobile device longer than the period specified in the setting. Users are prompted to reconnect to the internet and sync the device before the system removes corporate data. The user will need to reconfigure this account the next time they sign in to the system using this device. (Android Device Policy only) The device falls out of compliance with any of these device policies: Password requirements Block compromised Android devices Block devices that are not Android CTS compliant Require device encryption For devices with Android Device Policy, the work profile is removed. Or, if there’s no work profile, the device is factory reset. For devices with Google Apps Device Policy, the account is wiped. For details, see Auto wipe. Before any data is removed from the device, the user is prompted to sign in to their account to fix the problem.

Application verification

You can enforce app verification for all of your users. This allows your users to install apps only from known sources, and periodically scans devices for potentially harmful apps.

Setting	Application verification
Status	Specifies the number of organizational units where mobile app verification is not enforced
Recommendation	Set mobile management to Advanced and then enforce mobile app verification for all organizational units. This allows your users to install apps only from known sources, periodically scans devices for potentially harmful apps, and reduces the risk of harmful software and data leaks.
How to enforce mobile app verification for your Android users	First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to DevicesSettingsUniversal settingsGeneralMobile management to review your settings. Then, go to DevicesSettingsAndroid settingsApps and data sharing. For Verify apps, uncheck the Allow users to turn off Google Play Protect box. For more details and instructions, see Apply settings for Android mobile devices.
Effect on your users	Users will be able to install and run only verified apps.

Installation of mobile applications from unknown sources

You can block users from installing non-Play Store apps from unknown sources.

Setting	Installation of mobile applications from unknown sources
Status	Specifies the number of organizational units where users are allowed to install mobile apps from unknown sources (the Block app installation from unknown sources box is unchecked)
Recommendation	Set mobile management to Advanced and then require your users to install mobile applications only from known sources (for example, from Play Store). This reduces data leak, account breach, data exfiltration, data deletion, and harmful software risks.
How to require your users to install mobile apps only from known sources	First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to DevicesSettingsUniversal settingsGeneralMobile management to review your settings. Then, go to DevicesSettingsAndroid settingsApps and data sharing, and for Unknown Sources, check the Block app installation from unknown sources box. For details, see Apply settings for Android mobile devices.
Effect on your users	Users will be able to install mobile apps only from known sources. If they try to install an app from an unknown source, they'll get an error message.

External media storage

You can block external media storage so that users can't move data and apps to and from their mobile devices.

Setting	External media storage
Status	Specifies the number of organizational units where external media storage is allowed
Recommendation	Set mobile management to Advanced and then configure your settings to not allow users to use external media for storage. This reduces the risk of data leaks.
How to disallow your users from using external media for storage	First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to DevicesSettingsUniversal settingsGeneralMobile management to review your settings. Then, go to DevicesSettingsAndroid settingsDevice features, and for Physical Media, uncheck the Allow external SD cards box. For details and instructions, see Apply settings for Android mobile devices.
Effect on your users	Users will be unable to use external media for storage.

Was this helpful?

How can we improve it?