Apply universal settings for mobile devices and endpoints

This feature is available with Cloud Identity Premium edition. Compare editions 

As an administrator, you can set the type of mobile management and password requirements for mobile devices in your organization. You can also enforce security policies, such as data access methods, encryption, device approval, and strong passwords.

Find the settings

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. At the left, click Settings and then Universal settings.
  4. Click a settings category and setting. Learn about the settings in the following section.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. Turn on or off the setting.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Changes typically take effect in minutes, but can take up to 24 hours. For details, go to How changes propagate to Google services.  

Universal settings index

General

Mobile management

Set the mobile management type for devices in your organization. You can set different management types for specific device platforms and for specific organizational units.

Basic mobile management is on by default.

Password requirements

Supported for mobile devices only

Require passwords on managed mobile devices.

For details, see Set password requirements for managed mobile devices.

Data Access

Endpoint verification

Turn endpoint verification on or off. When the Monitor which devices access organization data box is checked, you can get details about those devices, such as the operating system and user. Endpoint verification is also required to use context-aware access rules.

If you turn off endpoint verification but have context-aware access rules, users might not be able to access their managed account on their device.

Learn more about endpoint verification

Android Sync

Allows users' work or school data to sync to managed Android devices.

To block access to work or school data on Android devices, uncheck the Allow work data to sync on Android devices box. Users won't be able to use their work or school data in Google apps such as Gmail, Calendar, or Drive. Users can still access their work or school data through web apps in a browser on their device.

iOS Sync

Allows users' work or school data to sync to managed iPhones and iPads.

To block access to work or school data on iPhones and iPads, uncheck the Allow work data to sync on iOS devices box. Users won't be able to use their work or school data in Google apps such as Gmail, Calendar, or Drive. Users can still access their work or school data in the following ways:

  • Through web apps in a browser on their device
  • If you enable IMAP, through third-party apps such as built-in Apple iOS apps or Microsoft Outlook
  • If you turn on Google Sync (next setting), through built-in Apple iOS apps

Google Sync (Google Workspace only)

Supported for iPhones and iPads, Windows Phone, Windows Mobile, and BlackBerry 10 devices

Allows users to synchronize their work or school mail, contacts, and calendars to their mobile devices with Microsoft Exchange ActiveSync.

Note: Google Sync doesn’t support OAuth authentication, 2-factor authentication, or security keys. To better secure your organization's data, we recommend that you transition your organization off Google Sync.

When you turn on Google Sync, you can also set the following:

  • Restrict the IP addresses where users can access Google Sync.

    Allows users to only access Google Workspace mail, calendars, and contacts on mobile devices through the IP addresses that you list.

    In the Google Sync IP Whitelist box, add the IP addresses (masks) where users can access their Google Workspace mail, calendars, and contacts. To add more than one IP address, enter an IP range in CIDR notation. Or, separate each IP address with a comma.

    This setting is off by default. Only turn it on if your organization needs it. This setting is typically needed for organizations that need to use a Microsoft Exchange ActiveSync proxy to restrict how users access work data on mobile devices. These organizations might need to route their ActiveSync connections through separate device management servers (proxy servers).

  • Automatically enable Delete Email as Trash on Google Sync devices. When this setting is turned off on devices, Gmail archives the email instead of deleting it. Learn more
  • Allow Android and iOS devices to automatically synchronize when roaming. Syncing automatically can increase data costs.

    When you uncheck the Turn on automatic sync when roaming box, users can still manually sync their devices when roaming.
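A pre-flight check for the Google Sync IP Whitelist value described above, as an added example that is not part of the original page and is not a Google tool. It assumes the box takes a comma-separated mix of single addresses and CIDR ranges; the sample addresses, the /24 breadth threshold, and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input (RFC 5737 documentation ranges), not values from the page.
SAMPLE_ALLOWLIST = ("203.0.113.10, 198.51.100.0/28, 198.51.100.4, "
                    "10.0.0.0/8, 192.0.2.300, 198.51.100.20/28")
SAMPLE_PROXIES = ["203.0.113.10", "198.51.100.7", "192.0.2.55"]


def parse_allowlist(text):
    """Split comma-separated IPs / CIDR ranges into parsed networks and rejects."""
    networks, rejected = [], []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True refuses ranges with host bits set (198.51.100.20/28),
            # which usually means the mask or the base address was mistyped.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def audit_allowlist(text, proxy_ips, min_prefix_v4=24):
    """Report entries to fix before saving the list (threshold is an assumed policy)."""
    networks, rejected = parse_allowlist(text)
    report = {"rejected": rejected, "too_broad": [], "redundant": [], "uncovered_proxies": []}
    for net in networks:
        if net.version == 4 and net.prefixlen < min_prefix_v4:
            report["too_broad"].append(str(net))
        if any(net != other and net.version == other.version and net.subnet_of(other)
               for other in networks):
            report["redundant"].append(str(net))
    for proxy in proxy_ips:
        addr = ipaddress.ip_address(proxy)
        # A proxy missing from the list would be cut off from Google Sync.
        if not any(addr in net for net in networks):
            report["uncovered_proxies"].append(proxy)
    return report


if __name__ == "__main__":
    for finding, entries in audit_allowlist(SAMPLE_ALLOWLIST, SAMPLE_PROXIES).items():
        print(f"{finding}: {entries}")
```

Run it against the list you intend to paste and the egress addresses of your ActiveSync proxy servers; an empty report means every entry parsed, none is wider than the threshold, and every proxy is covered.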

Google Assistant

Supported for iPhones, iPads, and Android 4.1 Jelly Bean and later devices.

Allows users to use Google Assistant with their managed account on their device. Learn more about Google Assistant.

Security

To apply these settings to mobile devices, set up advanced mobile management.

Device approvals

Supported for mobile devices under advanced mobile management, Google Sync devices, and endpoints under endpoint verification

Require an admin to approve a device before a user can access their work or school data.

For details, see Require admin approval for device access.

Camera

Supported for iPhones and iPads, Android 4.0 Ice Cream Sandwich and later devices, and Microsoft Windows Phone

Allows users to use the camera on their device.

To block all camera use, uncheck the Allow camera box. However, for Android devices with work profiles, users can still use the camera with personal apps.

Encryption

Supported for Android 3.0 Honeycomb and later devices using Android Sync, and iOS devices using iOS Sync or Google Sync. For other devices and third-party apps, contact the device manufacturer or app developer.

Requires data encryption on devices so that the data can only be read when a device is unlocked. Encryption adds protection if a device is lost or stolen. Unlocking the device decrypts the data.

Inactive company owned devices (Android only)

Supported for company-owned Android devices

When checked, sends a monthly report of company-owned Android devices that haven’t synchronized any work data in the last 30 days. Reports are automatically sent to all super administrators in your organization. To send reports to others, enter their emails in the text box.

For details, see Get a report of inactive company owned devices.

Compromised devices

Supported for Android devices and iPhones and iPads that sync data with iOS Sync

Blocks an Android or iOS device from syncing work or school data when there are indications that the device is compromised or jailbroken.

  • Check the Block compromised Android devices box to block an Android device if there are indications that it might be compromised. For example, a device is compromised if it's rooted—a process that removes restrictions on the device.
  • Check the Block jailbroken iOS devices box to block an iOS device if there are indications that it's jailbroken—a process that removes restrictions on the device. When you check this box, iOS users are prompted to install the Google Device Policy app if it’s not already installed on the device.

Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
