Sign out a user from a lost or stolen device

To sign out of your Google Account on your own device, go here instead.

As an administrator, you can block unauthorized access to a user's Google Account if their device is lost or stolen. When a device is lost or stolen, an unauthorized user could potentially access your organization's Google data in the following scenarios:

  • The device has an open connection to the user’s managed Google Account (for example, their Google Workspace or Cloud Identity account).
  • The device stores cookies that allow it to connect automatically, without the user entering a username and password.
  • The user installed a third-party service on the device and gave it access to their Google data.

You might also sign out users or wipe data from devices in these other scenarios:

  • You don't recognize a device that is listed in your Admin console.
  • A user leaves your organization.

Option 1: Sign a user out of all Google apps and certain devices

Use this method when you want to require a fresh sign-in wherever the user is signed in. This way, if an unauthorized user has the device, they can’t use saved passwords for access.

These steps reset a user’s sign-in cookies, which achieves the following:

  • Signs out the user from all Google apps, such as Chrome browser or Gmail. To use these apps again, they must enter their username and password, and complete 2-Step Verification, if necessary.
  • Signs out the user from devices that they sign in to with their Google Account, such as devices with Chrome OS or Google Credential Provider for Windows (GCPW). Note: The user isn’t signed out of other devices. To sign a user out of computers or smart home devices, follow the steps in the next section on this page.

Note: When you suspend a user, their sign-in cookies are automatically reset.

To reset a user's sign-in cookies:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Directory > Users.
  3. In the Users list, find the user. If you need help, see Find a user account.
  4. Click the user's name to open the user's account page.
  5. Click Security > Sign-in cookies > Reset.
  6. (Optional) To return to the user’s account page, at the top right, click the Up arrow.

It can take up to an hour to sign the user out of current Gmail HTTP sessions. The time for other apps can vary.

Option 2: Sign a user out from a managed computer or smart home device

Supported for computers managed by Fundamental management or standalone GCPW, and Assistant-enabled smart home devices, such as Nest smart displays and speakers.

To remove yourself or other members from a home, see Remove Google Nest devices from the Google Home app.

Use this method when you want to require a fresh sign-in on a specific computer or smart home device. You might do these steps when the device is lost or stolen, or when you don’t recognize it in the endpoints list in your Admin console.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Endpoints.
  4. Select the devices that you want to sign users out from.
  5. At the top right, click More > Sign Out User.
  6. Click Sign Out User to confirm.

Option 3: Wipe an account from a device or the entire device

If you use Google endpoint management, in many cases you can remotely remove data from the device. The user can still access their Google data through web apps and other authorized mobile devices.

Use this method if sensitive data is stored on a lost or stolen device, or when a user leaves your organization.

Additional account security step: Revoke authorized access

If a device is lost or stolen, you can revoke third-party app access to a user's managed Google Account so apps can’t access the user’s data anymore. For instructions, see View user security settings and revoke access.

Why is this important? Users can allow third-party services to access their managed Google Account. For example, a user might install a diagramming app that needs access to their Google Drive files so it can create diagrams or flowcharts. When the app is installed, it asks the user to grant access to the data for their Google service.
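
The cookie reset in Option 1 and the access revocation described above can also be scripted through the Admin SDK Directory API (users.signOut, tokens.list and tokens.delete). The following is an added example, not part of the original help page: it builds the requests for both steps from a constructed tokens.list response and sends nothing. The user address, client IDs and the identity-only scope list are assumptions made for illustration.

```python
# Plan the lost-device response for one user as Admin SDK Directory API calls.
# Requests are only built here; sending them needs an authorized admin credential.
from urllib.parse import quote

BASE = "https://admin.googleapis.com/admin/directory/v1/users"

# Constructed sample shaped like a tokens.list response (not real grants).
SAMPLE_TOKENS = {"items": [
    {"clientId": "111.apps.example", "displayText": "Diagram Maker",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"clientId": "222.apps.example", "displayText": "Calendar Widget",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "333.apps.example", "displayText": "Sign-in only app",
     "scopes": ["openid", "email"]},
]}

# Assumption for this example: these scopes expose identity only, not Google data.
IDENTITY_ONLY = {"openid", "email", "profile",
                 "https://www.googleapis.com/auth/userinfo.email",
                 "https://www.googleapis.com/auth/userinfo.profile"}


def grants_data_access(token):
    """True when the grant includes any scope beyond basic identity."""
    return any(s not in IDENTITY_ONLY for s in token.get("scopes", []))


def plan_response(user_key, tokens_response, revoke_all=False):
    """Return ordered (method, url, reason) tuples for the incident."""
    user = quote(user_key, safe="@")
    plan = [("POST", f"{BASE}/{user}/signOut", "reset sign-in cookies")]
    # "items" may be absent from the response when the user has granted nothing.
    for tok in tokens_response.get("items", []):
        if revoke_all or grants_data_access(tok):
            client = quote(tok["clientId"], safe="")
            plan.append(("DELETE", f"{BASE}/{user}/tokens/{client}",
                         f"revoke {tok.get('displayText', 'unknown app')}"))
    return plan


if __name__ == "__main__":
    for method, url, reason in plan_response("alex@example.com", SAMPLE_TOKENS):
        print(f"{method:6} {url}  # {reason}")
```

Pass revoke_all=True to revoke every grant, including sign-in-only ones, when the device is confirmed stolen.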


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
