Require admin approval for device access

Supported editions for this feature: Frontline; Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; G Suite Basic and G Suite Business; Cloud Identity Premium.  Compare your edition

As an administrator, you can individually review user-owned devices that request access to work data. When a user adds a work or school account to their device, they see a message that an admin needs to review and approve the device. Once you approve a device, the user can access their work account data on the device.

Device requirements

Important device approval behaviors

  • Some company owned devices are automatically approved and aren't blocked when you require admin approval:
    • Company owned devices that are registered by serial number are automatically approved, except Android devices with a work profile. Learn more 
    • For devices with Google Drive for desktop, if you restrict Drive for desktop to authorized devices, company-owned devices with Drive for desktop are automatically approved.
  • If you set up a Wi-Fi network in the Google Admin console, iPhones and iPads can use that network while approval is pending. For details on setting up or changing your Wi-Fi network, see Set up networks for managed devices (Wi-Fi, Ethernet, VPN).
  • For endpoint verification devices, requiring approval doesn't prevent the user from accessing their Google data unless you create a Context-Aware Access policy to block access based on the "Pending approval" status tag.
  • If you don't use Google endpoint management, you can still approve and block Google Sync devices using the steps below. You might receive duplicate email notifications for Google Sync devices that are pending approval. You only need to approve the device once. While approval is pending, users get an error if they try to access work data. For details, see What is Google Sync?

Turn on admin approval for device access

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. In the Admin console, go to Menu ""and then"" Devicesand thenMobile & endpointsand thenSettingsand thenUniversal settings.
  3. Click Securityand thenDevice approvals.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Check the Require admin approval box.
  6. (Optional) Enter an email address to get notifications when users enroll their devices and require approval before they can access their work data.

    Tip: Instead of an individual email address, use a group email address that includes all administrators who can approve devices.

  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Approve mobile devices

Approve mobile devices for management individually, or set up a rule to automatically approve devices.

Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Clear search
Close search
Google apps
Main menu
Search Help Center