This feature is available with Cloud Identity Free and Cloud Identity Premium editions. Compare editions
As an administrator, you can decide how people use their work account on managed iPhones and iPads. For example, you can prevent data from being copied from a managed app to an unmanaged app (Data protection), turn off certain apps, and control what work data syncs to built-in iOS apps.
Find the settings
Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.
- In the Admin console, go to Menu > Devices > Mobile & endpoints > Settings > iOS.
- Click a settings category and setting. Learn about the settings in the following section.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Turn on or off the setting.
- Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
Changes can take up to 24 hours but typically happen more quickly. Learn more
Basic mobile management
Data protection applies to devices under basic and advanced mobile management.
This feature is available with Cloud Identity Premium edition. Compare editions
To use these settings, set up advanced mobile management for iOS devices.
Some settings apply only to supervised company-owned devices:
- All iOS devices under advanced management
- Supervised company-owned iOS devices only
Apple Push Notification Service
Create and manage your organization's Apple push certificates. When you first set up Google endpoint management, you set up a push certificate. When the certificate approaches its expiration date, you can renew an existing certificate.
Renew certificates early so that your iOS users aren't required to enroll their devices again. You can't renew a certificate that already expired.
Connect to your organization's Apple Business Manager or Apple School Manager account so you can manage your company-owned iOS devices. Learn how to set up company-owned iOS device management. When the MDM Server token approaches its expiration date, you can renew the token.
Purchase apps in bulk and distribute them to user-enrolled iOS devices in your organization. You connect Apple Business Manager or Apple School Manager with your Google Workspace or Cloud Identity account. You can purchase app licenses and sync them with your account using a content token. For details, see Distribute iOS apps with Apple VPP.
This setting isn't available when you turn on a custom push configuration.
Automatically syncs users’ Google Workspace email, calendars, and contacts with the corresponding built-in iOS apps that are on their device. Check the Push Google Account configuration box to:
- Sync Google Workspace emails with the Apple Mail app.
- Sync Google Workspace calendar events with the Apple Calendar app.
- Sync Google Workspace contacts with the Apple Contacts app.
- Allow users to search your organization’s Directory in the iOS Contacts app.
Users can view email and calendar events in Google mobile apps (recommended) or in iOS apps. For details, go to Enroll my iOS device.
If you don't want users to access their mail in the Apple Mail app, turn off IMAP access. Calendar events and contacts will still sync to iOS apps. For details, see Turn POP & IMAP access on and off. If you turn off IMAP, let users know that they're no longer syncing Google Workspace mail to the Apple Mail app because they might not get a notification on their device. Additionally, if users try to sign in to the Apple Mail app with their Google Account when IMAP is off, the sign-in fails silently.
When you turn on the Google Account setting, users with devices that are already enrolled for management get a notification asking them to add a password for their Google Workspace account. Users can enroll new devices by signing in to their Google Workspace account with a Google mobile app, such as the Google Device Policy app.
Google Workspace email, calendars, and contacts are all managed on the device. Therefore, if you block the device or remove the account, the user’s Google Workspace email, calendar events, and contacts are removed from the device. And, they all stop syncing.
This setting isn't available when you select Auto push configuration.
When turned on, Google Calendar is automatically synced to the iOS Calendar app on a user’s device.
If you decide to use this setting, Google Workspace calendar events are not fully managed on the device. If you remotely wipe the device or account, Google Workspace calendar events stop syncing and all existing events are removed from the device. However, if you block the device or if the device is pending approval, calendar events still sync to the device and existing events stay on the device too.
When you turn on this setting, users need to generate and enter an app password instead of using their Google Workspace password. Then, Google Workspace events sync to the iOS Calendar app. The user can turn off this syncing. For details, see Enroll my iOS device.
When you turn off CalDAV, users can still add their calendars manually.
This setting is not available when the Google Account setting is on.
When turned on, Google Contacts is automatically synced to the iOS Contacts app on a user’s device. This setting also allows users to search your organization’s Directory in the iOS Contacts app.
If you decide to use this setting, Google Workspace contacts are not fully managed on the device. If you remotely wipe the device or account, the user’s contacts stop syncing and existing contacts are removed from the device. However, if you block the device or if it’s pending approval, contacts still sync to the device.
When you turn on CardDAV, users need to generate and enter an app password instead of using their Google Workspace password. Then, Google Workspace contacts sync to the iOS Contacts app. Users can turn off this syncing. For details, see Enroll my iOS device.
If you share only Directory data that’s already visible to the public with apps and APIs, users won’t be able to search your organization’s Directory. For details, see Let third-party apps access Directory data.
When you turn off CardDAV, users can still add their contacts manually.
- Device Enrollment–(Default) Your organization has full control of the device including the ability to wipe all data from it. You can see an inventory of work apps on the device and require that users have a strong device password.
- User Enrollment—Separates work and personal data on iOS devices to give you full control of work data on the device while users retain privacy over their personal data. If you want to apply this setting only to new devices, check the Allow Device Enrollment for existing users box.
- User's choice—(New device registrations only) Let the user choose the enrollment type when they add their work account to the device.
Allows users to access and change settings in the Control Center when their device is locked. The Control Center lets users access settings and apps, such as Wi-Fi, Apple AirDrop, and their camera by swiping the screen.
To block access to Control Center on the lock screen, uncheck the Allow Control Center on lock screen box.
Allows users to open the Notification Center on locked devices. The Notification Center lets users see recent alerts, like a calendar event or a missed call by swiping down from the top of the screen.
To prevent users from opening the Notification Center on locked devices, uncheck the Allow Notifications view on lock screen box. Users can still see new notifications when they arrive.
Allows users to see Today View when their device is locked. Today View shows summary information for that day when a user swipes right from the left side of the screen. The information could include sensitive calendar event names and email subject lines.
To block Today View on the lock screen, uncheck the Allow Today view on lock screen box.
To use most of these settings, you must set up advanced mobile management for iOS devices. However, advanced mobile management isn't required to use the Data actions setting.
Data actions
This feature is available with Cloud Identity Premium edition. Compare editions
If you allow users to transfer iOS data, the following settings control how users can transfer work data between apps.
Data exfiltration protection is designed to prevent accidental data leaks, but it can't stop all possible data exfiltration methods, such as copying from Look Up, taking screenshots, or using translation extensions.
Note: iOS share sheet is also known as an activity view.
Allow users to copy Google Workspace items to personal apps
Allows users to copy content from a Google app (such as Gmail, Google Drive, Google Docs, Sheets, and Slides, Google Chat, and Google Meet) to a Google app in their personal account or a third-party app. Also allows users to drag content between Google apps, for any account.
To prevent users from copying or dragging information from their work account, or using the All inboxes feature (which combines messages from multiple Gmail accounts into one inbox), uncheck the box.
Note: When you uncheck the box, users can't copy content from a Google app that supports data protection (Gmail, Drive, Docs, Sheets, Slides, Chat, and Meet) to an unsupported Google app, such as Calendar or Sites.
Allow users to share Google Workspace items to personal accounts or to iOS Mail with iOS share sheet
Allows users to share content in a Google app (Gmail, Drive, Docs, Sheets, Slides, Chat, and Meet) from work accounts to personal accounts or to Apple Mail. To prevent users from using iOS share sheet to share files and data from their work account to a personal account or to Apple Mail, uncheck the box.
To further prevent file sharing with personal apps:
- Make work apps managed.
- For the Open docs in unmanaged apps setting, uncheck the boxes and click Save.
Allow users to share Google Workspace items to AirDrop with iOS share sheet
Allows users to share content from a Google app (such as Gmail, Drive, Docs, Sheets, Slides, Chat, and Meet) to Apple AirDrop using iOS share sheet. To prevent users from sharing Google Workspace items to AirDrop with iOS share sheet, uncheck the box.
Allow users to print Google Workspace files
Allows users to print content in a Google app (Gmail, Drive, Docs, Sheets, Slides, Chat, and Meet) from work accounts. To prevent users from printing Google Workspace files, uncheck the box.
Allow users to save Google Workspace items to Files with iOS share sheet
Allows users to save content from a Google app (such as Gmail, Drive, Docs, Sheets, Slides, Chat, and Meet) to their device’s Files folder using iOS share sheet. To prevent users from saving content from their work account with the Save to Files option in iOS share sheet, uncheck the box.
Allow users to save Google Workspace images and videos to iOS photos
Allows users to save Google Workspace images and videos to iOS photos. To prevent users from saving images or videos from their work account in Google apps, uncheck the box.
Allow users to assign items to Contacts with iOS share sheet
Allows users to assign items from a Google app (such as Gmail, Drive, Docs, Sheets, Slides, Chat, and Meet) account to Contacts using iOS share sheet. To prevent users from using the Assign to Contacts option in iOS share sheet from their work account, uncheck the box.
Allows users to trust enterprise apps they install from outside the Apple App Store or Google Device Policy app.
When users are allowed to trust apps from unknown sources (box is checked) and they first open an app from an unknown source, they see a notification that the author of the app isn't trusted on the device. They can establish trust for the app author in their device settings. If the user trusts an author, they can install other apps from the same author and open them immediately.
To prevent users from trusting app authors, uncheck Allow users to trust new enterprise app authors. When you uncheck the box, any app authors a user trusts before this setting is applied to their device remain trusted. The user can install more apps from the same author and open them.
Allows users to open work files and links in unmanaged apps with unmanaged accounts and share them using Apple AirDrop.
To require that work files, attachments, and links open only in managed apps with managed accounts, uncheck the Allow items created with managed apps to open in unmanaged apps box. For example, you can prevent a user from opening a confidential email attachment from their work account in a personal app.
If you don't allow work files and links to open in unmanaged apps, you can still allow users to share these items using Apple AirDrop. To prevent users from sharing files with AirDrop, uncheck the Allow items created with managed apps to be shared using AirDrop box.
Allows managed apps to use Apple iCloud to store data. Data stored in iCloud stays there until the device user removes it.
To prevent work app data from being stored in iCloud, uncheck the Allow managed apps to store data in iCloud box. Users can still use iCloud for their personal data.
Allows users to open personal documents, attachments, and links in managed apps with their managed accounts.
To prevent managed apps from opening personal documents or links, uncheck the Allow items created in unmanaged apps to open in managed apps box. In this case, users can open personal documents and links only in unmanaged apps in their personal accounts.
Allows managed apps to use mobile data to go online. If you allow managed apps to sync using mobile data, you can also decide whether to allow them to sync when roaming. To turn off sync for managed apps while roaming, uncheck Allow managed apps to sync while roaming.
To prevent managed apps from using mobile data at any time, uncheck the Allow managed apps to sync using mobile data box.
Note: iOS device users need to give permission for automatic backup and sync using these settings.
Document sync
Allows users to turn document and data syncing of their iOS devices to iCloud on or off. When allowed, data from the user’s various iOS apps is stored in iCloud and synchronized between the user’s supported iOS devices.
To block device sync with iCloud, uncheck the Allow users to sync documents and data with iCloud box.
For iOS 13 and later devices, applies only to supervised company-owned devices. For iOS 12 and earlier, the setting applies to all devices under advanced management.
When checked, forces encryption for all backups to Apple iTunes. When users back up their iOS devices to iTunes, they can see the Encrypt local backup or Encrypt iPhone backup box checked in the iTunes Device Summary screen but they can't uncheck it.
When backup encryption is first turned on, iTunes asks the user to enter a password. An encrypted backup is stored on the user’s computer and they need to enter this password to restore their iOS device.
To allow users to back up their devices unencrypted, uncheck the Require encryption for backups box.
Allows users to automatically back up their iOS devices to iCloud over Wi-Fi every day. The iOS device must be turned on, locked, and connected to a power source during an iCloud backup.
To block device backup to iCloud, uncheck the Allow user to backup device with iCloud box.
Allows users to use iCloud Keychain. With iCloud Keychain, the user's usernames, passwords, and credit card numbers are stored in iCloud encrypted with 256-bit Advanced Encryption Standard (AES). That data is synchronized between the user's supported iOS devices.
To prevent users from using iCloud Keychain, uncheck the Allow users to sync keychains with iCloud box.
Allows the photos in a user’s Camera roll to sync to My Photo Stream in iCloud. Uncheck the box to:
- Erase photos in My Photo Stream from the device.
- Stop Camera roll photos syncing to My Photo Stream.
- Prevent photos and videos in shared streams from being seen on the device.
Note: If there are no other copies of these photos and videos, they might be permanently deleted.
Allows users to keep their photos and videos in iCloud so they can access them from any device.
To block access to iCloud Photo Library, uncheck the Allow iCloud Photo Library box. Any photos not fully downloaded from iCloud Photo Library to the device will be removed from the device.
Allows users to add photos and videos to a shared album in iCloud. It also allows users to invite others to add their own photos, videos, and comments to the album.
To prevent users from subscribing to or publishing shared albums, uncheck the Allow iCloud Photo Sharing box.
Allows users to save a screenshot or recording of their screen.
To block screen captures, uncheck the Allow screenshots and screen recording box.
Allows users to use Siri. To block Siri, uncheck Allow Siri.
If you allow users to use Siri, you can also decide if it responds to users when the device is locked. To block Siri on locked devices, uncheck the Allow Siri on lock screen box.
Allows a user to keep using an Apple Watch without unlocking it after they take it off their wrist.
To lock the watch automatically when it’s removed from the user’s wrist, uncheck the Allow use of Apple Watch without wrist detection box. The user can still unlock an Apple Watch that's not on their wrist with its passcode or the paired iPhone.
Allows users to use Apple Handoff to send an app's data between devices so they can start work on one device and continue on another. For example, a user can start reading a document in Safari on their iPad and continue reading it in Safari on their iPhone.
To block Handoff, uncheck the Allow Handoff box.
Allows users to complete online forms in Safari with autofill. When the box is checked, Apple Safari remembers information that users enter in forms, such as name, address, phone number, or email address. That information is automatically completed in online forms later.
To block autofill in Safari, uncheck the Allow autofill in Safari box.
For iOS 13 and later, the setting applies only to supervised company-owned devices. For iOS 12 and earlier, the setting applies to all devices under advanced management.
Warns users when they use Safari to visit a website that’s suspected to be fraudulent.
To turn off the fraudulent website warning, uncheck the Enforce the Safari fraudulent website warning box.
Allows pop-up windows to open when users visit or close a web page in Safari. Pop-ups are often used to display ads. However, some websites use pop-up windows for essential content.
To block pop-ups, uncheck the Allow pop-ups in Safari box.
Lets all websites, third parties, and advertisers that Safari accesses store cookies and other data on the device.
To block cookies and other data from being stored on the device, uncheck the Accept cookies in Safari box. If you turn off cookies, some websites might not work properly.
Company-owned devices only
Device enrollment settings
Allow pairing
Require users on devices with iOS 12 and earlier to install the MDM profile. The MDM profile is always required on devices with iOS 13 and later.
To allow users with iOS 12 and earlier devices to skip profile installation, uncheck the Require MDM profile box. In this case, the device isn't subject to the settings that apply to supervised company-owned devices, only the other advanced management settings.
Supervised company-owned devices only, except for Diagnostics
AirDrop
- To turn off password sharing with AirDrop, go to Authentication > Password sharing and uncheck the box.
- To prevent users from sharing files created in managed apps with AirDrop, go to Data sharing > Open docs in unmanaged apps and uncheck Allow items created with managed apps to be shared using AirDrop.
Supervised company-owned devices only
If you restrict Wi-Fi networks and mobile data, make sure that at least one Wi-Fi network is allowed in your organization's network settings. Otherwise, devices might not be able to sync policies and eventually lock out all users.
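The interactions this page documents (Google Account push making CalDAV/CardDAV unavailable, IMAP off causing Apple Mail sign-in to fail silently, Open docs restrictions still leaving AirDrop and clipboard paths, and the Wi-Fi restriction lockout) can be checked before a policy change is saved. This is an added example, not Google's code; the IosPolicy field names are constructed for illustration, since the Admin console has no such export format.

```python
"""Pre-flight lint for an iOS management policy, modelled on the setting
interactions described in this help page. Added example, not Google's code;
the field names below are constructed and do not map to any real export."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class IosPolicy:
    # Each field mirrors one checkbox described on the page (constructed names).
    push_google_account: bool = False       # Push Google Account configuration
    caldav_sync: bool = False               # CalDAV calendar sync
    carddav_sync: bool = False              # CardDAV contacts sync
    imap_enabled: bool = True               # Gmail POP & IMAP access setting
    restrict_wifi_networks: bool = False    # supervised: allow-listed Wi-Fi only
    allow_mobile_data: bool = True          # managed apps may use mobile data
    allowed_wifi_networks: list[str] = field(default_factory=list)
    allow_open_in_unmanaged: bool = True    # managed items open in unmanaged apps
    allow_airdrop_managed_items: bool = True
    allow_copy_to_personal: bool = True     # Data actions: copy to personal apps
    directory_public_data_only: bool = False  # only public Directory data shared


def lint_policy(p: IosPolicy) -> list[str]:
    """Return human-readable findings for combinations the page warns about."""
    findings: list[str] = []
    if p.push_google_account and (p.caldav_sync or p.carddav_sync):
        findings.append("CalDAV/CardDAV settings are unavailable while Google "
                        "Account push is on; remove the conflicting setting.")
    if p.push_google_account and not p.imap_enabled:
        findings.append("IMAP is off: Apple Mail sign-in fails silently; tell "
                        "users that mail will not sync to Apple Mail.")
    if (p.restrict_wifi_networks and not p.allow_mobile_data
            and not p.allowed_wifi_networks):
        findings.append("Wi-Fi restricted and mobile data off with no allowed "
                        "network: devices cannot sync policy and may lock out users.")
    if not p.allow_open_in_unmanaged and p.allow_airdrop_managed_items:
        findings.append("Managed items cannot open in unmanaged apps but can still "
                        "leave via AirDrop; uncheck the AirDrop sharing box.")
    if not p.allow_open_in_unmanaged and p.allow_copy_to_personal:
        findings.append("Clipboard copy to personal apps is still allowed by the "
                        "Data actions setting; Open docs covers only files, "
                        "attachments and links.")
    if p.carddav_sync and p.directory_public_data_only:
        findings.append("Directory search in iOS Contacts will not work while only "
                        "public Directory data is shared with apps and APIs.")
    return findings


if __name__ == "__main__":
    # Constructed sample policy with several of the documented conflicts.
    sample = IosPolicy(push_google_account=True, caldav_sync=True,
                       imap_enabled=False, restrict_wifi_networks=True,
                       allow_mobile_data=False, allow_open_in_unmanaged=False)
    for line in lint_policy(sample):
        print("-", line)
```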
Supervised company-owned devices only
App installation
- Users can't access the App Store.
- Apps purchased on other devices can't download automatically.
- The Google Device Policy app and any apps installed via the Device Policy app (not including private iOS apps) do not get automatic updates.
- Users can still download allowed apps through the Google Device Policy app.
- To block access to the App Store, uncheck the Allow users to install apps from the App Store box. Users can still download allowed apps through the Google Device Policy app.
- To prevent apps purchased on other devices from automatically downloading, uncheck the Allow apps purchased on other devices to download automatically box.
Supervised company-owned devices only
FaceTime
Supervised company-owned devices only
Authenticate for AutoFill
Supervised company-owned devices only
Host pairing
- Allow iBeacons to find AirPrint printers—Uncheck to prevent phishing attacks through AirPrint Bluetooth beacons. Devices can still detect AirPrint printers on the same Wi-Fi network when iBeacons are blocked.
- Allow Keychain to store AirPrint credentials—Uncheck to prevent Keychain from storing the username and password for AirPrint.
- Allow AirPrint connections with untrusted certificates—Uncheck to require a trusted certificate for TLS printing.
Supervised company-owned devices only
Keyboard autocorrection
Want more mobile device settings?
- Require passwords for managed mobile devices
- Apply universal settings for mobile devices and endpoints
- Apply settings for Android mobile devices
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.