Monitor the health of your device management settings

Security health page

Supported editions for this feature: Enterprise; Education Standard and Plus.

From the security health page, you can monitor the configuration of the following Devices settings:

Mobile management

Mobile management allows you to set device policies that determine how your users can use their mobile devices in your fleet. Mobile management lets you keep your organization's data more secure, take remote actions, and manage apps on mobile devices.

When mobile management is turned off:

  • You can’t wipe corporate data from a device if it’s lost or stolen.
  • You can’t apply policies or manage the device from the Admin console.
  • Devices aren’t listed in the Admin console.

Setting: Mobile management
Status: Specifies the number of organizational units where mobile management is turned off

Recommendation

Turn on advanced mobile management to make your organization's data more secure, take remote actions, and manage applications on mobile devices in your organization. By default, your organization has basic mobile management, which reduces data leak, harmful software, and malicious insider risks.

The other settings described in this article require advanced mobile management.

How to turn on mobile management

From the Security Health page, click Mobile management. Or, in the Google Admin console, go to Devices > Settings > Universal settings > General > Mobile management. You can choose between the Basic, Advanced, and Custom options.

To make sure you can configure all the security settings described in this article, choose Advanced.

For details and instructions, see Set up advanced mobile management.

Effect on your users

You can choose the level of control and impact on your users depending on your organization's policy. With basic mobile management, you can require passwords for devices and wipe work accounts. With advanced mobile management you can enforce passwords, manage mobile apps, apply policy settings (Android, iOS), approve personal devices, and get mobile reports, audits, and alerts.

For details, see Compare mobile management features.

Blocking of compromised mobile devices

You can prevent users from using compromised mobile devices to access their corporate account data. A device can be compromised in many ways, such as if it has an unlocked boot loader, uses a custom read-only memory (ROM), or has a superuser binary on the device.

Setting: Blocking of compromised mobile devices
Status: Specifies the number of organizational units where compromised mobile devices aren't blocked

Recommendation

Set mobile management to Advanced and then configure your settings to block compromised devices for all of your users. This reduces data leak, harmful software, and malicious insider risks.

How to block compromised mobile devices

First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to Devices > Settings > Universal settings > General > Mobile management to review your settings.

Then, go to Devices > Settings > Universal settings > Security > Compromised devices, and check both the Block compromised Android devices and Block jailbroken iOS devices boxes.

For details and instructions, see Apply universal settings.

Effect on your users

Users with a compromised device will be blocked and won't be able to use their mobile device to access corporate data for their Google service (such as Google Workspace or Cloud Identity). Users get a notification that their device is blocked and they're instructed to contact their administrator.

Mobile password requirements

You can require users to set a password for their mobile devices. You can also configure password strength, expiration, password reuse, locking, and device wipeout settings.

Setting: Mobile password requirements
Status: Specifies the number of organizational units where users aren't required to set up a password for their mobile devices

Recommendation

Set mobile management to Advanced and then require users to set up passwords for mobile devices. Set password strength, expiration, password reuse, locking, and device wipeout. This reduces the risk of data leaks in case devices are lost or stolen.

How to require mobile users to set a password

First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to Devices > Settings > Universal settings > General > Mobile management to review your settings.

Then, go to Devices > Settings > Universal settings > General > Password requirements, and check the Require users to set a password box.

For details and instructions, see Set password requirements for managed mobile devices.

Effect on your users

Your users will be required to set up a password to use their mobile device. If you set password strength, expiration, password reuse, locking and wipe-out, users must set passwords that match the requirements. Your settings also control what happens when the password is entered incorrectly.

Device encryption

You can require data encryption on mobile devices that allow encryption.

Setting: Device encryption
Status: Specifies the number of organizational units where encryption is not enforced for users’ mobile devices

Recommendation

Set mobile management to Advanced and then configure your settings to encrypt data on Android mobile devices that accept encryption. This reduces the risk of data leaks in case mobile devices are lost, stolen, or sold.

How to require data encryption

First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to Devices > Settings > Universal settings > General > Mobile management to review your settings.

Then, go to Devices > Settings > Universal settings > Security > Encryption, and check the Require device encryption box.

For details and instructions, see Apply universal settings.

Effect on your users

Requiring encryption will help reduce the risk of data leaks if your user’s mobile device is lost, stolen, or sold. Some users might report that encrypting mobile device data has some effect on device performance, especially on older, slower phones.

Mobile inactivity reports

You can get a monthly report of company-owned Android devices that haven’t synchronized any work data in the last 30 days. The report is automatically emailed to all super administrators. You can add other recipients if you want. Recipients can download the file to check for unused devices and review who last signed in with them.

Setting: Device inactivity reports
Status: Specifies the number of organizational units where mobile inactivity reports are turned off

Recommendation

Set mobile management to Advanced and then turn on inactivity reports. This reduces your risk of data leaks if you choose to disable the inactive accounts.

How to turn on device inactivity reports

First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to Devices > Settings > Universal settings > General > Mobile management to review your settings.

Then, go to Devices > Settings > Universal settings > Inactive company owned devices, and check the Send monthly report of inactive company owned devices to super administrators box.

For more details and instructions, see Get a report of inactive company devices.

Effect on your users

These reports have no direct effect on your users. After you review the report, you can disable inactive accounts. This will prevent the affected users from using their company owned device until the account has been reactivated.

Auto wipe

You can automatically remove corporate account data from an Android device when it's inactive for too long or falls out of compliance with device policies.

Setting: AutoWipe
Status: Specifies the number of organizational units where the Auto Wipe setting isn't turned on

Recommendation

Set mobile management to Advanced and then turn on Auto wipe for all organizational units. This automatically removes corporate account data from the mobile device when a device is inactive for a certain time or falls out of compliance with your organization’s device policies. Choose a number of days that aligns with your organization’s mobile usage policy. This reduces your risk of data leaks.

How to turn on the Auto Wipe setting

First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to Devices > Settings > Universal settings > General > Mobile management to review your settings.

Then, go to Devices > Settings > Android settings > General, and check the Wipe if device isn't synced within a set time box. Enter the number of days a device can go without syncing before it's wiped.

For details, see Auto wipe.

Effect on your users

Corporate account data is removed from the user’s device when any of the following occur and the user doesn't address the problem:

For devices with Android Device Policy, the work profile is removed. Or, if there’s no work profile, the device is factory reset. For devices with Google Apps Device Policy, the account is wiped. For details, see Auto wipe.

Before any data is removed from the device, the user is prompted to sign in to their account to fix the problem.

Application verification

You can enforce app verification for all of your users. This allows your users to install apps only from known sources, and periodically scans devices for potentially harmful apps.

Setting: Application verification
Status: Specifies the number of organizational units where mobile app verification is not enforced

Recommendation

Set mobile management to Advanced and then enforce mobile app verification for all organizational units. This allows your users to install apps only from known sources, periodically scans devices for potentially harmful apps, and reduces the risk of harmful software and data leaks.

How to enforce mobile app verification for your Android users

First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to Devices > Settings > Universal settings > General > Mobile management to review your settings.

Then, go to Devices > Settings > Android settings > Apps and data sharing. For Verify apps, uncheck the Allow users to turn off Google Play Protect box.

For more details and instructions, see Apply settings for Android mobile devices.

Effect on your users

Users will be able to install and run only verified apps.

Installation of mobile applications from unknown sources

You can block users from installing non-Play Store apps from unknown sources.

Setting: Installation of mobile applications from unknown sources
Status: Specifies the number of organizational units where users are allowed to install mobile apps from unknown sources (the Block app installation from unknown sources box is unchecked)

Recommendation

Set mobile management to Advanced and then require your users to install mobile applications only from known sources (for example, from Play Store).

This reduces data leak, account breach, data exfiltration, data deletion, and harmful software risks.

How to require your users to install mobile apps only from known sources

First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to Devices > Settings > Universal settings > General > Mobile management to review your settings.

Then, go to Devices > Settings > Android settings > Apps and data sharing, and for Unknown Sources, check the Block app installation from unknown sources box.

For details, see Apply settings for Android mobile devices.

Effect on your users

Users will be able to install mobile apps only from known sources. If they try to install an app from an unknown source, they'll get an error message.

External media storage

You can block external media storage so that users can't move data and apps to and from their mobile devices.

Setting: External media storage
Status: Specifies the number of organizational units where external media storage is allowed

Recommendation

Set mobile management to Advanced and then configure your settings to not allow users to use external media for storage. This reduces the risk of data leaks.

How to disallow your users from using external media for storage

First, make sure mobile management is set to Advanced. From the Security Health page, click Mobile management. Or, go to Devices > Settings > Universal settings > General > Mobile management to review your settings.

Then, go to Devices > Settings > Android settings > Device features, and for Physical Media, uncheck the Allow external SD cards box.

For details and instructions, see Apply settings for Android mobile devices.

Effect on your users

Users will be unable to use external media for storage.
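
The recommendations in this article mix boxes that must be checked with boxes that must be unchecked, and all of them depend on Advanced mobile management. The following added example (not part of the original article and not a Google tool) checks a per-organizational-unit settings export against those recommendations. The export layout, key names, and sample rows are hypothetical and constructed for illustration.

```python
# Added example: baseline check against this article's recommendations.
# The export layout and key names are hypothetical; the rows are constructed.

# (checkbox label from the article, hypothetical export key, recommended state)
RECOMMENDED = [
    ("Block compromised Android devices", "block_compromised_android", True),
    ("Block jailbroken iOS devices", "block_jailbroken_ios", True),
    ("Require users to set a password", "require_password", True),
    ("Require device encryption", "require_encryption", True),
    ("Send monthly report of inactive company owned devices", "inactive_report", True),
    ("Wipe if device isn't synced within a set time", "auto_wipe", True),
    # The next two boxes must be UNCHECKED to meet the recommendation.
    ("Allow users to turn off Google Play Protect", "allow_disable_play_protect", False),
    ("Allow external SD cards", "allow_external_sd", False),
    ("Block app installation from unknown sources", "block_unknown_sources", True),
]

def audit(org_units):
    """Return {ou_path: [findings]} for OUs that miss a recommendation."""
    report = {}
    for path, cfg in org_units.items():
        findings = []
        if cfg.get("mobile_management") != "Advanced":
            # The dependent settings require Advanced, so report the root cause only.
            findings.append("Mobile management is not set to Advanced")
        else:
            for label, key, wanted in RECOMMENDED:
                # A missing key is treated as not meeting the recommendation.
                if cfg.get(key) is not wanted:
                    state = "checked" if wanted else "unchecked"
                    findings.append(f"'{label}' should be {state}")
        if findings:
            report[path] = findings
    return report

def count_by_finding(report):
    """Number of OUs per finding, in the same shape as a per-setting status count."""
    counts = {}
    for findings in report.values():
        for finding in findings:
            counts[finding] = counts.get(finding, 0) + 1
    return counts

# Constructed sample export: one compliant OU, one on Basic, one with two gaps.
ALL_GOOD = {key: wanted for _, key, wanted in RECOMMENDED}
SAMPLE = {
    "/": {"mobile_management": "Advanced", **ALL_GOOD},
    "/Sales": {"mobile_management": "Basic", **ALL_GOOD},
    "/Field": {"mobile_management": "Advanced", **ALL_GOOD,
               "allow_external_sd": True, "require_encryption": False},
}

if __name__ == "__main__":
    for ou, findings in audit(SAMPLE).items():
        print(ou, findings)
```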
