Approve, block, unblock, or delete a device

If you have the legacy free edition of G Suite, upgrade to G Suite Basic to get this feature. 

As an admin, you can control which devices users can access work data from by approving, blocking, or deleting a device in the Admin console. The actions available for a device and what the action does depends on the type of device (mobile or endpoint) and the type of management.

Key behavior 

  • Basic mobile management and Fundamental management don't support approve, block, and unblock. These devices are always approved and can access work data.
  • For advanced mobile management, to approve mobile devices, you must require admin approval.
  • For endpoint verification devices, requiring approval and blocking a device doesn't prevent the user from accessing their Google data unless you create Context-Aware Access rules to block access based on the device status tag.
  • For Drive File Stream devices, to approve access you must restrict Drive File Stream to authorized devices.
  • Deleting a device from the devices list generally doesn't remove work data (except for iOS). To remove all work data from a device, you can wipe the account from the device or wipe the entire device

Complete reference

Approve, block, unblock, and delete by management type

Management type Action

Basic mobile management

Fundamental management

Approve, Block, Unblock—Not available (always approved)

Delete—Removes device from the devices list. Old data remains on the device. For mobile devices, the profile is removed from the device and data doesn't sync until the user add their account again. For endpoints, data doesn't sync until the user signs in again.

Advanced mobile management

Approve/Unblock—Allows device to sync Google data. Available when you require admin approval.

Block—Prevents device from syncing Google data. 

Delete—Depends on the device platform:

  • Android—Removes device from the devices list. Old data isn't removed but new data no longer syncs and the user must re-enroll. After they sign in, the device resyncs unless you require device approval.
  • iOS—Removes device from the devices list. The user's Google Account is removed from the device and old data is deleted.
Google Sync

Approve/Unblock—Allows device to sync Google data.

Block—Prevents device from syncing Google data.

Delete—Removes device from the devices list. The user's Google Account is removed from the device, but old data remains on the device. Data doesn't sync until the user add their account again.

These actions are available even when you don't use Google endpoint management to manage the device.

Endpoint verification

Approve—Allows device to sync Google data and adds a tag that you can use to configure access levels with Context-Aware Access.

Block—Allows device to continue to sync Google data unless a Context-Aware Access rule blocks access.

Unblock—Allows device to sync Google data and adds a tag that you can use to configure access levels with Context-Aware Access.

Delete—Removes the device from the devices list. If you don't have a Context-Aware Access rule, the device is added back to the list after the next sync. If you do have a Context-Aware Access rule, the device might require approval to sync data again.

Drive File Stream

Approve—Allows device to sync Google data. Available when you restrict Drive File Stream to authorized devices.

Block—Signs out the user from Drive File Stream and all sign-ins from that account and that device are blocked.

Unblock—Allows device to sync Google data.

Delete—Deletes Drive File Stream data from the device. User can sign in again to resync.

Enhanced desktop security for Windows

Approve/Unblock—Allows device to sync the device policy. Doesn't impact access to Google data on the device.

Block—Prevents device from syncing the device policy. Doesn't impact access to Google data on the device.

Delete—Removes the device from the devices list. The device is added back to the list after the next sync.

Approve a device

Not available for devices under basic mobile management or endpoints under fundamental management.

For mobile devices under advanced mobile management, you can manually approve devices, as described in the following steps, or set up a rule to automatically approve devices.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Device Approvals

  4. Review the list of devices that requested access to corporate data.
  5. Choose an option: 
    • To allow devices to access work data and to tag endpoint verification devices as approved, select the devices and click More ""and thenApprove Devices
    • To prevent devices from accessing work data and to tag endpoint verification devices as blocked, select the devices and click Block Device "".

Block a device

Not available for devices under basic mobile management or endpoints under fundamental management.

For mobile devices under advanced mobile management, you can manually block devices, as described in the following steps, or set up a rule to automatically block devices.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Choose an option:

    1. To block Android, Apple iOS, and Google Sync devices, click Mobile devices.
    2. To block desktops and laptops, click Endpoints.
    3. To block a mix of device types, click Devices.
  4. Point to the device in the list and click  Block Device "" .

Blocked devices stay in your devices list until you delete them. You might see a message that a device can’t be blocked. For details, click the message. To try to block the device again, click Retry.

Unblock a device

Not available for devices under basic mobile management or endpoints under fundamental management.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Choose an option:

    1. To unblock Android, iOS, and Google Sync devices, click Mobile devices.
    2. To unblock desktops and laptops, click Endpoints.
    3. To unblock a mix of device types, click Devices.
  4.  Point to the device in the list and click Unblock Device "" . The device’s status changes from Blocked to Compliant or Non-compliant, depending on its compliance with your organization’s policies. 

Delete a device

Note: Deleting a device from the devices list generally doesn't remove work data. To remove all work data from a device, you can wipe the account from the device or wipe the entire device

Note: Don't delete company-owned iOS devices directly from the Devices list. If you do, the device could end up in unsupervised mode and won't respect any supervised mode settings. Instead, go to Apple Business Manager or Apple School Manager and remove the device. On the next sync with Google, the devices list in the Admin console is updated and the device is removed. Learn more

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Choose an option:
    1. To delete Android, iOS, and Google Sync devices, click Mobile devices.
    2. To delete desktops and laptops, click Endpoints.
    3. To delete a mix of device types, click Devices.
  4. To delete one device, point to the device and click  More ""and thenDelete Device. To delete many devices, select the devices you want to delete and click More""and thenDelete Devices. Deleted devices are removed from the list of managed devices.


Google, G Suite, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?