Require admin approval for device access

If you have the legacy free edition of G Suite, upgrade to G Suite Basic to get this feature. 

As an administrator, you can individually review each user-owned device that requests access to work data. When a user adds a work account to their mobile device, they see a message that an administrator needs to review and approve the device. Once you approve a device, the user can sync work data to the device.

Important considerations for device approvals

  • If you haven’t already, turn on advanced mobile device management.
  • Company-owned devices that are registered by serial number are automatically approved. 
  • If you set up a Wi-Fi network in the Google Admin console, Apple® iOS® devices can use that network while approval to corporate data is pending. For details on setting up or changing your Wi-Fi network, see Set up networks for managed devices (Wi-Fi, Ethernet, VPN).
  • If you don't use Google endpoint management, you can still approve and block Google Sync devices using the steps below. For details, see What is Google Sync?
  • You might receive duplicate email notifications for Google Sync devices that are pending approval. You only need to approve the device once. While approval is pending, users get an error if they try to access corporate data.
  • If you use endpoint verification, approving or blocking a device doesn't change the device’s ability to access corporate data. Instead, it adds a tag to the device that you can use to configure access levels with Context-Aware Access. For details, see Context-Aware Access overview.

Turn on admin approval for device access

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. On the left, click Setup.
  4. Click Device approvals.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. Check the Requires Admin approval box.  
  7. (Optional) Enter an email address to get notifications when users enroll their devices.
    Tip: Instead of an individual email address, use a group email address that includes all administrators who can activate devices. 
  8. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Approve devices

Approve mobile devices for management individually, or set up a rule to automatically approve devices.

 

Was this helpful?
How can we improve it?