Manage mobile apps for your organization

Supported editions for these features (except as noted): Business Starter, Standard, and Plus; Enterprise; Education and Enterprise for Education; G Suite Basic and Business; Essentials.  Compare your edition

As an admin, you can control which apps Android and iOS device users can find and install for work or school by adding them to the Web and mobile app list in the Google Admin console. You can add public apps—such as third-party apps for security, business, and document management—and private Android apps.

Before you begin: Learn how the apps list works

Requirements

Features require advanced mobile management except where noted.

  • Make Android apps managed*
  • Make iOS apps managed**
  • Force install Android apps*
  • Block installation of unmanaged Android apps
  • Prevent users from uninstalling an Android app
  • Allow Android app shortcut widgets
  • Set an Android app as the VPN service
  • Configure app settings by group or child organizational unit***

*Also supported for basic mobile management.

**All iPhone and iPad users in your organization must install the Google Device Policy app if you manage any iOS apps.

*** Business Plus, Enterprise, G Suite Business, and Cloud Identity Premium only.

Note: You can't distribute apps to a user's personal device when the user enrolled the device as user owned and didn't create a work profile. This setup mode (Device Admin mode) is available only on Android 9.0 and earlier, and is deprecated.

How managed Android apps work

Admin experience

When you add an app to the list, the app is automatically managed. When a user installs a managed app, you have more control over the app:

  • You can control some managed app settings, such as if the app is automatically installed on devices and if users can uninstall it.
  • Managed apps are automatically removed from a device when the user removes their work or school account.
  • If a user leaves your organization or their device is lost or stolen, you can remove only the user's work account and managed apps instead of wiping the entire device. Learn more
  • If you use advanced mobile management, you can restrict the apps that users can use with their work or school account to only managed apps.

Some Google mobile apps are already added to the list for you, such as Gmail and Google Drive.

User experience

Users get apps from the managed Google Play store, on the Work Apps tab. For details, see Using Google Play in your organization.

On the device, managed apps are marked with a briefcase icon so they’re easy to distinguish from personal apps.

If their device supports it and you use advanced mobile management, encourage users to set up a work profile to keep work and personal apps separate.

How managed iOS apps work

Admin experience

When you add an iOS app to the list and check Make this a managed app, you enforce app management and have more control over the app:

  • If a user leaves your organization or their device is lost or stolen, you can remove only the user's work account and managed apps instead of wiping the entire device. Learn more
  • You can manage the apps on the device until the user uninstalls the Google mobile device management configuration profile. You can set managed iOS apps to automatically uninstall from the device when the user removes the configuration profile.

If you don't check Make this a managed app when you add the app, app management is unenforced. Users can install it from the App Store and you don't have control over it. You can manage the app only if they download the app through the Google Device Policy app.

User experience

When you set an app as managed, users must accept management of the app:

  1. The user is prompted to install the Google Device Policy app if they haven't already.
  2. If any apps that you set as managed are installed on the device, the user is asked to allow your organization to manage the apps.
  3. If the user accepts, the apps become managed and the user can use them with their work account.
  4. If the user doesn’t accept within 24 hours, they can't use any apps with their work or school account.

Users can review which apps are managed in the Google Device Policy app:

  • Green checkmark—Managed
  • Gray checkmark—Unmanaged
  • Red exclamation—App management status needs attention. The red exclamation mark appears in the following situations:
    • The app is set as managed, but the user hasn’t allowed your organization to manage it yet.
    • The user installed the app and then you added it to the app list as managed.
    • The user accepted app management and then you made the app unmanaged. They can update the app to unmanaged. If they don't update the app, they can still use it and access their work or school data, and the app is treated as a managed app.

Control who can install managed apps (advanced mobile management only)

You can control which users in your organization can find and install a managed app by turning user access on or off. If your edition supports it, you can turn user access on or off for specific organizational units, or turn it on for specific groups.

Turn user access on

When you first add an app to the list, user access is turned on for everyone in your organization.

Turn user access off

To make an app unmanaged but retain its managed settings, you can turn user access off for an organizational unit. This setup prevents users from installing the app from the managed Google Play store or the Google Device Policy app for iOS. You might turn user access off for the following reasons:

  • To make the app managed for most of your organization or select groups, but make it unmanaged for select child organizational units (if supported by your edition)
  • To apply a managed configuration to an Android app before you make it available as a managed app

Turning user access off doesn't affect users who already installed the app. They can still use the app and your app settings are still enforced.

Note: Groups settings are applied at the top organizational unit level and override organizational unit settings. If a user belongs to multiple groups with conflicting configurations, the settings are applied in order of group precedence, which you can set after you add the app.

Block unmanaged app installation (advanced mobile management only)

You can use Google endpoint management settings to block access to all unmanaged apps. For company-owned mobile devices, you can also disable many system apps. You can also block or limit app access to Google services.

Block unmanaged Android apps

You can configure the Available apps setting to allow users to install only the apps you add to the Web and mobile app list. This setup prevents users from installing apps that aren't allowed, but apps already on their device aren't removed. Learn more

Block unmanaged iOS apps

Supervised company-owned devices only

You can configure the App installation setting to prevent users from installing apps from the App Store. This setup allows users to download and install apps only through the Google Device Policy app. Apps downloaded through the Google Device Policy app are automatically set up as managed. Apps already on their device aren't removed. Learn more

Disable system apps

Company-owned devices only

You can enable or disable many system apps. For details, see Manage system apps on company-owned mobile devices.

Block or limit app access to Google services

Block or limit managed app access

Mobile apps added to the Web and mobile app list are automatically given trusted access, which gives them access to all Google services, including services set to restricted.

To manage an app but not give it access to restricted Google services, block or limit access.

Block or limit unmanaged app access

Users can allow apps that aren't in your app list to access data in unrestricted Google services.

You can prevent unmanaged apps from accessing Google services in two ways:

  1. For individual apps of concern, block or limit access.
  2. For Google services that you want to hide from any app you don't explicitly trust (by adding to your Web and mobile app list), you can set the service as restricted.

Note: If you want to let iOS device users sync work data to Apple apps such as Apple Mail or Calendar, and any Google services required by the iOS apps have restricted access, you must explicitly trust iOS apps.

Set an app as the VPN service for all work app traffic on Android devices

To set an app as the VPN service for app traffic from a work profile or managed device, turn on Use as Always on VPN when you add the app to the list. This setting creates a more secure network connection for work profile traffic because all traffic must pass through the app and can't leak to the public Internet.

Important: Turn on Use as Always on VPN for only one app. If you turn it on for multiple apps, one of the apps is arbitrarily used as the always on VPN app.

Requires Android 7.0 or later.

Step 1: Add an app to the list

Add a third-party app
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then Web and mobile apps.

  3. Click Add app and then Search for apps.
  4. Click Enter app name and enter some or all of the name of the app you want to add. Search begins as you enter the name. 
    • If your search returns many results, enter more information in the search box, such as the app developer or a keyword in the description.
    • If an app is already added to the list, it's labeled as "Installed" and you can click View app details to review the app's settings and user access.
    • To get more information about an Android app, click View on Google Play.
    • To get more information about an iOS app, click View on iOS App Store.
  5. When you identify the app you want to add, point to the app and click Select.
  6. Select which users can install the managed app from the managed Google Play store or the Google Device Policy app for iOS.
    • To let all users in your organization install the app, select Entire organization.
    • To allow only certain users to install the app, click Select groups or Select organizational units. You can add both groups and organizational units. This feature is available with Cloud Identity Premium edition. Compare editions 

      Groups settings are applied at the top organizational unit level and override organizational unit settings. If a user belongs to multiple groups with conflicting configurations, the settings are applied in order of group precedence, which you can set after you add the app.

  7. For Android apps, select how the user accesses the app.
    • To let users install the app themselves, select Available. With this option, users who don’t need the app don’t have to download it.
    • To install the app on all managed devices, select Force install. With this option, the app is automatically installed on all managed devices, with no option to opt out.
    • To apply a managed configuration before you force install the app, select Available, complete these steps, apply the managed configuration, then edit the app settings to force install the app.
  8. Configure app options, based on the app platform:
    Platform App options
    Android

    For devices under basic or advanced mobile management:

    • Automatically install the app on users' devices.

    For devices under advanced mobile management:

    • Prevent users from uninstalling the app.
    • Allow users to add an app widget (when available) for a home screen shortcut.
    • Set the app as the Always On VPN app. When enabled, app traffic from a work profile or managed device must pass through this app. Requires Android 7.0 or later. This setting creates a more secure network connection for work profile traffic.
    iOS
    • Make an app a managed app to have more control over the app and its data. Learn more
    • For managed apps, you can automatically remove the app when the management profile is removed. You might want to do this because otherwise managed apps stay on a user's device until the user removes their configuration profile in the Google Apps Device Policy app.
  9. Click Finish. The app's detail page opens automatically. When you return to the Web and mobile apps list, the app is listed almost immediately after you add it.

    Android apps are available for users to install from managed Google Play or the Work Apps tab of the Play Store the next time their device syncs with Google endpoint management. If a user installs an app from outside of the managed Google Play store or the Work Apps tab, the app isn't managed.

    iOS apps might take up to an hour to appear in the Google Device Policy app on users' devices. If you set the app as managed, the user must install it from the Google Device Policy app or, if they install it from the iOS App Store, they must open the Google Device Policy app and accept management of the app. For supervised company-owned iOS devices, the app is automatically installed silently.

  10. If you added Microsoft Outlook for Android or iOS (not recommended), ensure that it respects your endpoint management settings:
    1. In the Admin console, click Menu and then Security and then App Access Control and then Manage Google services.
    2. Locate Gmail and Drive in the list of services. If Access is set to Unrestricted, change the value to Restricted. This setting prevents untrusted apps from accessing the services. When you add the app in the preceding steps, the app is automatically trusted and can access Gmail and Drive.

Add a private Android app

To add an Android app that is only for your organization's private use, publish it in managed Google Play and it's automatically added to the app list. For details, see Manage Google Play private apps.

Add an internal web app for Android

To add a web app that is only for your organization's private use, publish it in managed Google Play and it's automatically added to the app list. For details, see Publish internal web apps for Android devices.

Step 2: Configure app settings

Change who can install a managed app and set group precedence (advanced management only)

After you add an app to the list, you can hide it from users in the managed Google Play store (for Android apps) or the Google Device Policy app for iOS (for iOS apps) by turning user access off. When you turn user access off, users who already installed the app can still use it and your app settings still apply.

To turn user access on or off for certain users, put their accounts in an organizational unit (to control access by department) or add them to an access group (to allow access for users across or within departments). This feature is available with Cloud Identity Premium edition. Compare editions 

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then Web and mobile apps.

  3. Click the app you want to change the user access for. To review the current user access settings across all organizational units and groups, under User access, click View details.
  4. Click User access.
  5. At the left, click the group or organizational unit you want to change user access for. By default, the top organizational unit is selected and the change applies to your entire organization.
  6. Turn user access off or on, as required. For example:
    • To hide the managed app for all users while you finish app configuration, turn user access off for the top organizational unit.
    • To make the managed app available for only some users, turn user access off for the top organizational unit and turn user access on for child organizational units or groups.

    Note: When user access is turned on for a group, this setting overrides organizational unit settings. However, you can't explicitly turn off user access for a group. When you uncheck On, users in that group inherit the setting from higher-ranked groups or the user's organizational unit.

  7. If you set user access for multiple groups, review the order of the groups and set their precedence:
    1. Click the app and click User access.
    2. At the left, click Groups.
    3. Drag the groups into the order you want their settings to apply to a user who belongs to more than one. Put the group with the highest precedence at the top.
  8. Click Save. If you configured an organizational unit or group, you might be able to Inherit or Override a parent organizational unit, or Unset a group.

 

Changes typically take effect in minutes, but can take up to 24 hours. For details, see How changes propagate to Google services.  
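The resolution rules in this section can be checked offline before an access review. The following is an added example, not Google code or an Admin console API: it models "group On overrides the organizational unit, groups can only be On or unset, otherwise the nearest organizational unit setting applies". The class and function names and the sample accounts are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class OrgUnit:
    path: str
    parent: Optional["OrgUnit"] = None
    # True/False = Override at this unit, None = Inherit from the parent.
    user_access: Optional[bool] = None


@dataclass
class User:
    email: str
    org_unit: OrgUnit
    groups: frozenset = frozenset()


def ou_access(ou):
    """Walk up the tree to the nearest organizational unit with an explicit value."""
    node = ou
    while node is not None:
        if node.user_access is not None:
            return node.user_access, node.path
        node = node.parent
    # Nothing set anywhere: a newly added app is on for the whole organization.
    return True, "default"


def effective_access(user, groups_on, precedence):
    """Return (allowed, source) for one user and one app.

    groups_on  -- names of groups with user access On (a group is never Off,
                  only On or unset)
    precedence -- group names, highest precedence first
    """
    for name in precedence:
        if name in user.groups and name in groups_on:
            return True, "group:" + name
    allowed, src = ou_access(user.org_unit)
    return allowed, "ou:" + src


def group_granted(users, groups_on, precedence):
    """Users whose organizational unit says off but who get the app through a group."""
    found = []
    for user in users:
        allowed, src = effective_access(user, groups_on, precedence)
        ou_allowed, _ = ou_access(user.org_unit)
        if allowed and not ou_allowed:
            found.append((user.email, src))
    return found


# Constructed sample directory (not real accounts).
ROOT = OrgUnit("/", user_access=False)               # app hidden by default
SALES = OrgUnit("/Sales", parent=ROOT)               # inherits off
ENG = OrgUnit("/Engineering", parent=ROOT, user_access=True)
INTERNS = OrgUnit("/Engineering/Interns", parent=ENG, user_access=False)

PRECEDENCE = ["exec-devices", "vpn-pilot", "contractors"]
GROUPS_ON = {"exec-devices", "vpn-pilot"}            # "contractors" is unset

alice = User("alice@example.com", SALES)
bob = User("bob@example.com", SALES, frozenset({"vpn-pilot"}))
carol = User("carol@example.com", ENG)
dave = User("dave@example.com", SALES, frozenset({"contractors"}))
erin = User("erin@example.com", INTERNS)
frank = User("frank@example.com", INTERNS, frozenset({"contractors", "vpn-pilot"}))
gina = User("gina@example.com", ENG, frozenset({"vpn-pilot", "exec-devices"}))
USERS = [alice, bob, carol, dave, erin, frank, gina]

if __name__ == "__main__":
    for u in USERS:
        print(u.email, effective_access(u, GROUPS_ON, PRECEDENCE))
    print("granted by group only:", group_granted(USERS, GROUPS_ON, PRECEDENCE))
```

The list returned by `group_granted` is the set of accounts to review first, because their access does not appear when you look at the organizational unit tree alone.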

Set up Android apps with managed configurations (advanced management only)

This feature is available with Cloud Identity Premium edition. Compare editions 

Requires advanced mobile management

Some Android apps have settings that you can save as managed configurations. For example, an app may give you the option to only sync data when a device is connected to Wi-Fi. The default managed configuration assigned to an app is set by the app’s developer. You can check if an app supports managed configurations in managed Google Play. Learn more

Managed configurations let you automatically configure apps for a group or organizational unit without any user interaction. You can create multiple managed configurations for the same app and apply different configurations to different groups or organizational units.

Create a managed configuration

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then Web and mobile apps.

  3. Click the app you want to manage.

    Tip: To only see the apps that are allowed for a specific organizational unit or group, click Add a filter and select the organizational unit or group.

  4. Click Managed Configurations and then Add Managed Configuration.
    If the app doesn’t support managed configurations, this option isn't available.
  5. Enter a configuration name and set your preferred configuration.
    Note: The developer of the app defines the configuration options available to you. If you have questions about these settings, contact the developer.
  6. Click Save.
  7. Assign the managed configuration to an organizational unit or group, as described in the next section.

Assign a managed configuration to an organizational unit or group

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then Web and mobile apps.

  3. Click the app you want to manage.
  4. Click Settings.
  5. At the left, click the organizational unit or group that you want to assign a managed configuration to.
  6. Under Managed configuration, click the menu and select the managed configuration you want to apply.
  7. Click Save.

To remove a managed configuration from an organizational unit or group, follow the same steps and select Default.

Edit or delete a managed configuration

Before you can delete a managed configuration, you must remove it from any organizational units or groups. When you remove a configuration, the app reverts to the default configuration defined by the developer unless you assign a different managed configuration.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then Web and mobile apps.

  3. Click the app you want to manage.
  4. Click Managed Configurations.
  5. Click the managed configuration you want to edit or delete.
  6. To edit, edit the configuration and click Save.
  7. To delete, click Delete.

Set Android app runtime permissions (advanced management only)

This feature is available with Cloud Identity Premium edition. Compare editions 

Requires advanced mobile management

Some Android apps request permissions from the user while the app is running. For example, an app might request access to a device’s calendar or location. You can manage how permission requests from an individual app are handled. These app settings take priority over any runtime permissions preferences specified for the device.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then Web and mobile apps.

  3. Click the app you want to manage.
  4. Click Runtime permissions. If the app doesn’t support runtime permissions, the option isn't available.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
  6. For each runtime permission:
    • To automatically allow the permission, select Allow.
    • To automatically deny the permission, select Deny.
    • To prompt the user to allow or deny the permission, select Prompt user.
    Note: Denying runtime permissions can affect the functionality of some apps.
  7. Click Save. If you configured an organizational unit or group, you might be able to Inherit or Override a parent organizational unit, or Unset a group.

Approve Android app permission updates

When you add an Android app to the app list, you control what the app can access on behalf of users in your organization—also known as permissions. For example, an app might want permission to use a device’s contacts or location. No matter which permissions you grant, users can still change those permissions after the app installs on their device.

The permissions for a managed app might change when the app updates. Apps that have permission updates that need your approval are marked with an Exception icon in your Admin console. To approve permission-update requests:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then Web and mobile apps.

  3. Point to the app with the Exception icon and click More and then View in Play Store.
  4. Click Approve, read the permissions, and click Approve again.
  5. (Optional) Decide how you want to handle new app permission requests (for example, access to in-app purchases or identity information):
    • To automatically reapprove an app when it requests new permissions, select Keep approved when app requests new permissions. The app is automatically reapproved, regardless of the new permissions being requested.
    • To remove an app from your managed app list until you reapprove it, select Revoke app approval when this app requests new permissions.
    For more details about app permissions, see Manage app permissions.
    Note: If you previously approved the app, click Approval Preferences to decide how you’d like to handle new app permission requests and click Done. Then, click Select.
  6. Click Done.

Edit app settings

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then Web and mobile apps.

  3. Click the app you want to edit.
    Tip: To only see the apps that are turned on for a specific organizational unit or group, click Add a filter.
  4. Click Settings.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
  6. Edit the settings. Available settings depend on the platform and management type:
    Platform App options
    Android

    For devices under basic or advanced mobile management:

    • Automatically install the app on users' devices.

    For devices under advanced mobile management:

    • Prevent users from uninstalling the app.
    • Allow users to add an app widget (when available) for a home screen shortcut.
    • Set the app as the Always On VPN app. When enabled, app traffic from a work profile or managed device must pass through this app. Requires Android 7.0 or later. This setting creates a more secure network connection for work profile traffic.
    iOS
    • Make an app a managed app to have more control over the app and its data. Learn more
    • For managed apps, you can automatically remove the app when the management profile is removed. You might want to do this because otherwise managed apps stay on a user's device until the user removes their configuration profile in the Google Apps Device Policy app.

    For iOS apps, if you uncheck Make this a managed app, the app is still managed on devices where it's already installed. However, users will see a red exclamation mark on the app in the Google Apps Device Policy app list and can change the app to unmanaged.

  7. Click Save. If you configured an organizational unit or group, you might be able to Inherit or Override a parent organizational unit, or Unset a group.

Changes typically take effect in minutes, but can take up to 24 hours. For details, see How changes propagate to Google services.  

Step 3: Manage the apps list

Remove an app

When you remove an Android app from your list, the app isn't available for users to install from the managed Google Play store or the Work Apps tab in the Play Store. If a user already installed the app, the app stays on the device but it's no longer managed. If you allow users to install any app in Google Play, they can still install the app but you can't manage it.

When you remove an iOS app from your list, the app isn't available for users to install from the Google Device Policy app. If a user already installed the app and the app is managed, the app stays on the device as managed until the user removes the Device Policy profile from their device. Other users can still install the app from the App Store, but you can't manage it.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then Web and mobile apps.

  3. You can delete individual apps or many apps at once:
    • To delete one app, find it in the list and click More and then Delete.
    • To delete many apps, next to each app, check the box. At the top, click Delete.

Organize Android apps in managed Google Play into collections

You can make it easier for your users to find relevant Android apps in the managed Google Play app. Learn how to organize Android apps into collections.

Step 4: Monitor apps on managed devices

See how apps are distributed

You can review all the apps available to an organizational unit or group, or which organizational units and groups have access to a specific mobile app:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then Web and mobile apps.

  3. To review the apps that a specific organizational unit or group can access:
    1. Click Add a filter.
    2. Click Organizational unit or Group.
    3. Select the organizational unit or group.
  4. To review the distribution of a specific app, point to the row of the app you want to review and click Access details. A panel opens that lists the groups and organizational units and their app access status.

See which apps are installed on a device

For iOS devices, requires advanced mobile management.

You can get a list of all apps installed on a user's device, with details about the version:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click the Mobile devices card.
  4. Click the row of the device you want to view details for.
    Tip: If your organization has many mobile devices, click Add a filter to narrow your search. For details, see Find specific mobile devices.
  5. Click Installed apps. The table lists the app, its version, and its App ID. For Android apps, you also get the SHA-256 hash value.

Review changes to apps and export audit log data (advanced management only)

This feature is available with Cloud Identity Premium edition. Compare editions

Note: To audit apps on personal Android devices that don't have a work profile, turn on application auditing.

In the Devices audit log, filter the log for Event name and then Device application change. You can filter the list further by specific device types, device application change events, application package name, and more.

After you create your filter, you can export your audit log data.

Automate app monitoring with rules (advanced management only)

This feature is available with Cloud Identity Premium edition. Compare editions

Respond to app security incidents

If a user's account could be compromised through an app (because the device is lost or stolen) or you discover a malicious app on users' devices, you have several ways to respond.

To stop unauthorized access:

To block an app's access to Google services:

 

