Supported editions for this feature: Frontline; Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; G Suite Basic and G Suite Business; Cloud Identity Premium. Compare your edition
As an administrator, you can individually review user-owned devices that request access to work data. When a user adds a work or school account to their device, they see a message that an admin needs to review and approve the device. Once you approve a device, the user can access their work account data on the device.
- Android devices—Advanced mobile management
- iPhones and iPads—Advanced mobile management or Google Sync
- Computers and laptops—Endpoint verification.
- Some company owned devices are automatically approved and aren't blocked when you require admin approval:
- Company owned devices that are registered by serial number are automatically approved, except Android devices with a work profile. Learn more
- For devices with Google Drive for desktop, if you restrict Drive for desktop to authorized devices, company-owned devices with Drive for desktop are automatically approved.
- If you set up a Wi-Fi network in the Google Admin console, iPhones and iPads can use that network while approval is pending. For details on setting up or changing your Wi-Fi network, see Set up networks for managed devices (Wi-Fi, Ethernet, VPN).
- For endpoint verification devices, requiring approval doesn't prevent the user from accessing their Google data unless you create a Context-Aware Access policy to block access based on the "Pending approval" status tag.
- If you don't use Google endpoint management, you can still approve and block Google Sync devices using the steps below. You might receive duplicate email notifications for Google Sync devices that are pending approval. You only need to approve the device once. While approval is pending, users get an error if they try to access work data. For details, see What is Google Sync?
Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.
From the Admin console Home page, go to Devices.
- On the left, click Mobile & endpointsSettingsUniversal settings.
- Click SecurityDevice approvals.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Check the Require admin approval box.
- (Optional) Enter an email address to get notifications when users enroll their devices and require approval before they can access their work data.
Tip: Instead of an individual email address, use a group email address that includes all administrators who can approve devices.
- Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
Approve mobile devices
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.