Apply settings for Android mobile devices
This feature isn't available in the free edition of Cloud Identity.
As an administrator, you can control how users access and interact with their Android device by applying policy settings.
Before you begin
- To use the settings, you need to set up advanced mobile management for Android devices. For details, see Set up advanced mobile device management.
- Some of these settings are available only for company-owned devices. For details, see Set up Android devices your company owns.
Find the settings
From the Admin console Home page, go to Device management.
To see Device management, you might have to click More controls at the bottom.
- On the left, click Android Settings.
- (Optional) On the left, select the organization to which you want to apply the settings.
- Select a category and next to the setting, check the box to apply it. For details about each setting, see Learn about the settings.
- After you make a change, click Save.
Learn about the settings
You can manage application auditing, account sync and wipe, lock screen details and widgets, and the Android Device Manager.
- A list of apps that are installed on a device. For details, see View mobile device details.
- Details of when a user installed, uninstalled, or updated an app on their device. For details, see Devices audit log.
Note: Apps are automatically audited on company-owned devices and devices with a work profile.
Use work profiles to separate your organization’s apps from personal apps. You can offer and manage apps through your whitelist. Your users’ bring your own device (BYOD) personal space remains private and available only to them. For details, see What is a work profile?
- User opt-in—Select this option to prompt users to create a work profile when they register their device for management. If a user decides to not set up a work profile, they can still synchronize their corporate data. However, you (and other administrators) can still make changes to protect the corporate data on the device. For example, if a device is lost, you can wipe all data from the device.
- Enforce—Select this option to require users to set up a work profile on their device. Users can’t sync corporate data unless they accept the work profile, and they don’t have the option to opt out. If Android devices without work profiles are already registered for management, users are prompted to create one. Data stops syncing to the devices until a work profile is in place. If the device doesn’t support work profiles, this setting isn’t applied. Check the device properties in your Admin console to find out if a device supports a work profile. For details, see View mobile device details.
- Disable—Select this option to prevent device users from setting up a work profile. Existing work profiles set up on registered devices are not affected.
Enforces password settings only on apps running in a user’s work profile, and allows users to configure their own lock screen settings for their device. For devices older than Android 7.0, password settings are enforced on the entire device.
Apps and data sharing
You can give users permission to install apps. You can also control what users can share from installed apps. These settings apply to company-owned devices and BYOD devices with work profiles, except where noted.
This setting is supported for Android 5.0 Lollipop and later devices, except where noted.
Controls whether users can share data and files, such as photos, from their work profile to the personal space on their device.
When you check the Allow content sharing from Work Profile to personal space box:
- Content from the work profile can be shared with apps in the user’s personal space. For example, a user can add work documents to their personal Gmail app.
- Caller ID information from the work profile is shown in the personal space for incoming calls.
- (G Suite only) Users can search for corporate contacts from their personal space on Android 7.0 Nougat and later devices.
- URLs are opened in the personal space if there’s no browser in the work profile.
- A map app in the personal profile opens a geographic location if there’s no map app in the work profile.
Denying runtime permissions can affect the functionality of some apps.Sets how permission requests from apps at runtime are handled by default. Permissions preferences specified for an individual app take priority over the default setting. For details, see Manage runtime permissions for Android apps. Supported for Android 6.0 Marshmallow and later.
Users and accounts
Company-owned devices and personal devices with work profiles
This feature is not available on Android 7.0 Nougat and later devices
Allows the primary device user to add user profiles to the device. Each user profile has personal space on the device for accounts, apps, settings, and more.
Android 6.0 Marshmallow and later company-owned devices
Allows the primary device user to remove user profiles from the device. When a user profile is removed, any accounts that were added to that profile are also removed.
Android 5.0 Lollipop and later devices
Controls whether users can add and remove accounts in the work profile on their device.
Only one managed corporate account can be added to devices with a work profile. To prevent users from adding other types of accounts, uncheck the Allow account addition and removal box.
Android 5.0 Lollipop and later devices
Allows users to add Google or corporate accounts in the work profile on their device. Before you can turn this setting on, the Accounts setting (above) must also be on.
Only one managed corporate account can be added to a device with a work profile. If you turn the Accounts setting off, users can still add Google Accounts in their work profile or on their device through Microsoft® Exchange®, IMAP, or POP3.
You can manage the way users access networks. These settings are available for company-owned, Android 6.0 Marshmallow and later devices.
You can give users access to hardware options. These settings are available only for company-owned Android 6.0 Marshmallow and later devices, except where noted.
Controls whether users can reset the device to its factory settings. A factory reset removes all apps, data, and settings from the device. The settings that are removed include those that are set by an administrator using device management.
If you turn this setting on, consider using the Factory Reset Protection Setting to allow administrators to access a reset device. This can help to prevent locked devices if the user is unable to access their account after the device is reset.
Allows specific administrator accounts to access a device after it’s been reset to its factory settings. For company-owned devices (those that you add to your Admin console by serial number), only the accounts you list can access the device after a factory reset. For personal devices in device owner mode, the user can access the device, too.
Click Add an account and enter the email addresses of the admins who you want to allow to access the device after a factory reset.
- You can enter up to 10 email addresses. We recommend that you enter more than one email address in case there are problems with any of the addresses you enter.
- Ensure the email addresses you add are active and have never been deleted or suspended. If an account is suspended or deleted, it might not be able to access a device that’s been reset, even if the account has been restored.
- Don’t enter any group email addresses—they can’t access a device that’s been factory reset.
- Before you reset a device:
- Sign out and remove the user’s corporate account.
- If the user doesn’t know their password, reset it. Do this before you wipe the device. If you wait, the user might need to wait at least 24 hours before they can sign back in to the device.
- Apply password settings for mobile devices
- Apply advanced settings
- Apply settings for Apple® iOS® devices