Supported editions for this feature: Business Plus; Enterprise; Education and Enterprise for Education; G Suite Basic and Business; Cloud Identity Premium.
As an administrator, you can individually review user-owned devices that request access to work data. When a user adds a work or school account to their device, they see a message that an admin needs to review and approve the device. Once you approve a device, the user can access their work account data on the device.
- Android devices—Advanced mobile management
- iPhones and iPads—Advanced mobile management or Google Sync
- Computers and laptops—Endpoint verification or, for company-owned devices with Drive File Stream, restrict Drive File Stream to authorized devices.
- Company-owned devices that are registered by serial number are automatically approved.
- If you set up a Wi-Fi network in the Google Admin console, iPhones and iPads can use that network while approval is pending. For details on setting up or changing your Wi-Fi network, see Set up networks for managed devices (Wi-Fi, Ethernet, VPN).
- For endpoint verification devices, requiring approval doesn't prevent the user from accessing their Google data unless you create a Context-Aware Access policy to block access based on the "Pending approval" status tag.
- If you don't use Google endpoint management, you can still approve and block Google Sync devices using the steps below. You might receive duplicate email notifications for Google Sync devices that are pending approval. You only need to approve the device once. While approval is pending, users get an error if they try to access work data. For details, see What is Google Sync?
Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.
- From the Admin console Home page, go to Devices.
- At the left, click Settings > Universal settings.
- Click Security > Device approvals.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Check the Require admin approval box.
- (Optional) Enter an email address to get notifications when users enroll their devices and require approval before they can access their work data.
Tip: Instead of an individual email address, use a group email address that includes all administrators who can approve devices.
- Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
Approve mobile devices