Apply settings for Android mobile devices

This feature is available with Cloud Identity Premium edition.

As an administrator, you can control how users access and interact with their Android device by applying policy settings.

Requirements

Find and set Android settings

Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Devices > Mobile and endpoints > Settings > Android.
  3. Click a settings category and a setting. Learn about the settings in the following section.
  4. (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
  5. To apply a setting, check the box or enter the required information.
  6. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit.

Changes can take up to 24 hours but typically happen more quickly.

Android settings index

General settings

Auto wipe

Automatically removes a user's work or school data from their device when any of the following situations occur and the user doesn't address the problem:

The user's data is not removed immediately after the specified time. First, the user gets a notification and time to fix the problem. 

To turn off auto wipe, uncheck the Wipe device if it doesn't sync or falls out of compliance box.

What data is wiped

The data that’s removed depends on how the device is set up:

Android Device Policy

  • Company-owned devices or personal devices that the user set up for work use only (your organization's management privilege is Device owner) are factory reset.
  • For personal devices with a work profile (your organization's management privilege is Profile owner), only the work profile is wiped. Personal data and apps remain on the devices.

Google Apps Device Policy

The work or school account is removed. Personal data and apps remain on the device. However, if the device is in fully-managed mode and the work account is added back, all apps are removed from the device.

CTS Compliance

Supported for Android 6.0 Marshmallow or later devices

Not available for Education Fundamentals

Blocks Android devices that aren't compliant with the Compatibility Test Suite (CTS). For details, go to Compatibility Test Suite.

Application auditing

Note: The Audit apps on personal devices with no work profile setting is no longer applicable because personal devices under advanced mobile management are now required to have a work profile.

Allows admins to get details about apps installed on personal devices that don't have a work profile. Note: Apps are automatically audited on company-owned devices and devices with a work profile.

When you check the Audit apps on personal devices with no work profile box, devices report the following information to the Admin console:

  • A list of apps that are installed on a device. For details, go to View mobile device details.
  • Details of when a user installed, uninstalled, or updated an app on their device. For details, go to Device log events.

User device wipe

Allows users with Android devices to access the Android Device Manager.

When you check the Allow users to wipe their devices from Find My Device box, a user can use Android Device Manager to find a lost device. They can also remotely ring, lock, or erase data from the device. For details, go to Android Device Manager.

Older Android devices

Accommodates older devices by enforcing only those policies supported on older devices.

When turned on, older devices can continue to sync corporate data without encrypted storage. These devices can sync data even when you require encryption.

Work profile

Use work profiles to separate your organization’s apps from personal apps. Your users’ bring your own device (BYOD) personal space remains private and available only to them. For details, go to What is a work profile?

Work profile setup

Note: Work profiles are now always required on personal devices and this setting is no longer applicable.

Controls the creation of work profiles on personal Android devices that are used in your organization.

Users can add one managed account to a device with a work profile. Within the work profile, you offer and manage corporate apps from the mobile apps list. Once installed, managed apps are marked with Android enterprise so they’re easy for users to distinguish from personal apps. Learn more about managing mobile apps for your organization.

Next to Work Profile Setup, click the Down arrow and choose an option:

  • User opt-in—Prompt users to create a work profile when they register their device for management. If a user decides to not set up a work profile, they can still synchronize their corporate data. However, you (and other administrators) can still protect the work or school data on the device. For example, if a device is lost, you can wipe all data from the device.
  • Enforce—Require users to set up a work profile on their device. Users can’t sync corporate data unless they accept the work profile, and they can't opt out. If Android devices without work profiles are already registered for management, users are prompted to create one. Data stops syncing to the devices until a work profile is in place. If the device doesn’t support work profiles, this setting isn’t applied. To find out if a device supports a work profile, check the device properties in your Admin console. For details, go to View mobile device details.
  • Disable—Prevent device users from setting up a work profile. Existing work profiles set up on registered devices aren't affected.

Work profile password

Supported for Android 7.0 Nougat and later devices

Enforces password settings only on apps running in a user’s work profile, and allows users to set up their own lock screen settings for their device. For details, go to Require passwords for managed mobile devices.

To enforce password settings on the entire device, uncheck the Apply password requirements only on work profile apps box.

Note: For devices older than Android 7.0, password settings are always enforced on the entire device.

Apps and data sharing

Supported for company-owned devices and BYOD devices with work profiles, except where noted

Available apps

Allows users to find and install all apps in the Google Play store or only allowed apps.

Note:

  • This setting overrides User access settings for apps in the Web and mobile app list.
  • If you select All apps, users can install any app in the Google Play store, including apps that have User access set to Off and unmanaged apps.
  • If you select Only allowed apps, users can install only apps in the Web and mobile app list. However, unmanaged apps already installed on devices stay on devices.

System apps

Supported for company-owned devices only

Allows users to install all or select system apps. System apps are preinstalled apps such as Clock and Calculator. You can allow all, block all, or select specific apps to block or allow.

Some system apps are critical to device function and are still available even when you select Block all. Selecting Block all doesn’t remove access to Android apps you add to the Web and mobile app list.

For details, go to Manage system apps on company-owned mobile devices.

Screen capture

Supported for Android 5.0 Lollipop and later devices

Allows users to take screen captures on their mobile devices.

To block screen captures in work apps, uncheck the Allow screen capture box. In this case, users can get screen captures only in their personal apps.

Sharing to other profiles

Supported for Android 5.0 Lollipop and later devices, except where noted

Allows users to share data and files from their work profile to the personal space on their device. This setting does not change users' ability to share content from their personal space to their work profile. 

When you check the Allow content sharing from the work profile to the personal space box:

  • Content from the work profile can be shared with apps in the user’s personal space. For example, a user can add work documents to their personal Gmail app.
  • Caller ID information from the work profile is shown in the personal space for incoming calls.
  • (Google Workspace only, Android 7.0 Nougat and later devices) Users can search for work contacts from their personal space.
  • URLs are opened in the personal space if there’s no browser in the work profile.
  • A map app in the personal profile opens a geographic location if there’s no map app in the work profile.

Note: To allow users to see personal and work data together in an app, such as Google Calendar, turn on Connected apps configuration for the app. For details, see Allow Android users to see personal and work data together in an app.

Cross profile copy

Supported for Android 5.0 Lollipop and later devices with work profiles

Allows users to copy text from any app in their work profile and paste it in any app in their personal space.

To block users from copying work data to their personal apps, uncheck the Allow pasting between the work profile and personal space box.

Android Beam

Allows users to share content between Android devices with Android Beam, which uses near field communication (NFC).

To block data sharing with Android Beam, uncheck the Allow outgoing Beam box.

Location Sharing

Supported for Android 5.0 Lollipop and later devices

Allows users to turn on or off Google’s Location service. Apps use location information to provide location-based services, such as the ability to view commute traffic or find nearby restaurants. This setting also allows users to manage their Android device from the My Devices page.

To block Location Sharing for all apps, uncheck the Allow location sharing box.

Google Play private apps

Allows Android users to access and publish private apps in Google Play.

  • To allow users to access private apps you distribute, check the Allow users to access Google Play private apps box.
  • To allow users to create and update Android apps for internal use and distribute them to users in your domain, check the Allow users to publish and update Google Play private apps box.

For more information about private apps, go to Manage private Android apps in Google Play.

Runtime permissions

Supported for Android 6.0 Marshmallow and later devices

Note: Denying runtime permissions can affect the functionality of some apps.

Sets the default response to permission requests from apps at run time. This setting is overridden by the permissions preferences that are set for an individual app in the managed apps list. For details, go to Set Android app runtime permissions.

Apps settings

Supported for company-owned Android 6.0 Marshmallow and later devices

Allows users to uninstall apps, turn off apps, force stop (halt processes), show notifications, and clear data, cache, or defaults.

To block users from changing app settings, uncheck Allow users to change app settings.

Verify apps

Supported for company-owned Android 6.0 Marshmallow and later devices

Allows users to turn off Google Play Protect (formerly Verify Apps). Play Protect helps prevent the installation of harmful software on Android devices. It also periodically scans devices for potentially harmful apps. For details, go to Use Google Play Protect to help keep your apps safe and your data private.

To require that Play Protect is always on, uncheck Allow users to turn off Google Play Protect.

USB file transfer

Supported for company-owned Android 6.0 Marshmallow and later devices

Allows users to transfer files to and from their mobile devices using a USB connection.

To block file transfer over a USB connection, uncheck Allow USB file transfer.

Unknown sources

Supported for Android 8.0 Oreo and later devices.

This setting prevents users from installing apps from sources other than the Google Play Store to their work profile. However, users can still install apps from unknown sources to their personal profile.

To allow app installation from unknown sources, uncheck the Block app installation from unknown sources box.

Developer options

Supported for Android 5.0 Lollipop and later devices

Allows users to use developer options on their devices.

To block users from using developer options, uncheck Allow developer options. If the device has a work profile, users can still turn on developer options for their personal space. For example, users can sideload (download and then use a file manager to install) apps from their computer to their personal space, but they can't sideload apps to their work profile.

Networks

Supported for company-owned Android 6.0 Marshmallow and later devices

If you restrict Wi-Fi networks and mobile data, make sure that at least one Wi-Fi network is allowed in your organization's network settings. Otherwise, devices might not be able to sync policies and eventually lock out all users.

VPN access

Allows users to add, edit, connect to, or delete a Virtual Private Network (VPN) on their device. Users can access VPN settings on their devices by tapping Settings > Wireless & networks > More > VPN.

To block users from changing their device's VPN configuration, uncheck Allow VPN configuration.

Tethering

Allows users to set up and use Wi-Fi hotspots and USB or Bluetooth tethering services.

To block users from using these types of connections, uncheck Allow tethering and Wi-Fi hotspots.

Mobile networks

Allows users to change the settings for data access and roaming on their devices. This setting also allows users to take the following actions:

  • Display the mobile network name in the status bar
  • Change the access point name (APN)
  • Choose a mobile network operator

To block users from changing these settings, uncheck Allow changes to mobile network settings.

Cell broadcasts

Allows users to opt in to broadcast notifications, such as weather emergencies and missing children (AMBER) alerts, on devices equipped with SIM cards.

To block users from changing cell broadcast settings, uncheck Allow changes to cell broadcast settings.

Bluetooth

Allows users to change the Bluetooth settings on their mobile devices.

Note: For Android 6.0 Marshmallow and later, to allow users to configure Bluetooth settings, you must also allow Location Sharing (under Apps and data sharing).

To block users from changing Bluetooth settings, uncheck Allow changes to Bluetooth settings.

Wi-Fi

Allows users to change the Wi-Fi network settings on their mobile devices.

To block changes to Wi-Fi settings, uncheck Allow changes to Wi-Fi network settings.

Device features

Supported for company-owned Android 6.0 Marshmallow and later devices, except where noted

Physical media

For devices with external SD card slots, allows users to move data or applications to an SD card. SD cards are used for removable storage.

To block users from copying data to external SD cards, uncheck Allow external SD cards.

Trusted credentials

Allows users to modify certificate authority (CA) forms for their work profiles in Settings > Security > Trusted credentials on their mobile device.

To block changes to CA certificates, uncheck Allow changes to trusted credentials. When unchecked, users can still view CA certificates for their work profile.

Microphone

Allows the use of device microphones.

To mute the microphone and prevent it from being turned back on, uncheck Allow microphone. You might want to block microphone use to ensure that malicious apps can’t use the microphone to record sound near the device.

Speaker

Allows the use of device speakers.

To mute the speaker for apps in the work profile and prevent speakers from being turned back on, uncheck Allow speakers.

Administrator restriction PIN

Supported for Android 5.1 Lollipop and earlier devices

When checked, the specified administrator restriction PIN is synced to user devices. The PIN must be 5 or more numbers. Users are asked to enter this PIN when they try to reset the phone or change Wi-Fi or Bluetooth settings.

To prevent changes to the administrator restriction PIN, uncheck the Enable remote management of administrator restriction PIN box. To update the PIN, you must check the box to set the new PIN and allow it to sync to devices.

Factory reset

Allows users to reset their Android device to factory settings with the Settings app. A factory reset removes all apps, data, and settings from the device, including settings configured by an administrator through device management.

If you check the Allow users to factory reset a device box, consider using Factory reset protection to allow administrators to access a reset device.

If you uncheck the box, users can't factory reset their device with the Settings app. However, users might still be able to reset their device using its power and volume buttons.

Factory reset protection

Allows the specified administrator accounts to sign in to a company-owned device after it’s reset to its factory settings from the Admin console. This does not apply to devices that were reset on the device itself.

Who can sign in after a factory reset depends on how the device is company-owned and its management client:

To add an administrator, enter their email address and click Add.

Note: Make sure you can access the admin accounts before you reset the device. Support can’t remotely unlock a reset device or restore it. If you have problems unlocking a reset device, contact the device manufacturer for help.

Account requirements

  • You can enter up to ten email addresses. We recommend that you enter more than one email address in case there are problems with any of the addresses.
  • Ensure the email addresses you add are active and have never been deleted or suspended. If an account is suspended or deleted, it might not be able to access a device that’s been reset, even if the account was restored.
  • Don’t use group email addresses. Group accounts can’t access a device that’s been factory reset.

Before you reset a device

  • Sign out and remove the user’s work or school account.
  • If the user doesn’t know their password, reset it. Do this before you wipe the device. If you wait, the user might need to wait at least 24 hours before they can sign back in to the device.

Edit time

Allows users to set the date and time on their devices.

To block users from changing the date and time, uncheck the Allow user to edit the date and time box.

Data roaming

Supported for company-owned Android 7.0 Nougat and later devices

Allows users to access data services while using the device outside the mobile carrier’s operating area.

To block internet access while roaming, uncheck the Allow user to connect to data services when roaming box.

Safeboot

Allows users to restart their devices in safe mode. In safe mode, the device runs only standard, preinstalled apps and deactivates all third-party apps.

Note: For Android devices where the Google Apps Device Policy app wasn't preinstalled, safe mode deactivates the Google Apps Device Policy app. Without that app running, the device stops syncing your management policies and the user's access to their work or school account on the device is eventually blocked.

To prevent users from rebooting in safe mode (recommended), uncheck the Allow user to reboot their device in safe mode box.

Users and accounts

Supported for company-owned devices and personal devices with work profiles

Add users

Supported for Android 6.0 Marshmallow devices only

Allows the primary device user to add user profiles to the device. Each user profile has personal space on the device for accounts, apps, and settings.

Remove users

Supported for Android 6.0 Marshmallow devices only

Allows the primary device user to remove user profiles from the device. When a user profile is removed, any accounts that were added to that profile are also removed.

Accounts

Supported for Android 5.0 Lollipop and later devices

Allows users to add and remove accounts on their device. Only one managed account can be added to devices with a work profile. To remove a managed account, the user must remove the work profile from their device.

To block users from changing accounts on their device, uncheck Allow user to add and remove accounts. When unchecked, you can't turn on the Google Accounts setting, and users can't add any managed Google Accounts to their device.

Google Accounts

Supported for Android 5.0 Lollipop and later devices

Allows users to add work or school accounts on their device. Only one managed account can be added to a device with a work profile.

Note: To turn on this setting, you must turn on the Accounts setting.

To block users from adding Google Accounts, uncheck Allow user to add their Google Account. Users can still add their accounts in their work profile or on their device through Microsoft Exchange, IMAP, or POP3.

Lock screen features

Supported for company-owned devices and Device-owner mode personal devices with Android 6.0 Marshmallow and later

Lock screen features overview

Not available for Education Fundamentals

Lock screen features allows you to control the availability of these settings on the user's lock screen:

  • Camera
  • Fingerprint unlock
  • Face unlock
  • Iris unlock
  • Lock screen widgets
  • Notifications
  • Notification details
  • Periodic authentication with pin, password, or pattern
  • Trust agents

To turn off lock screen features, uncheck the Allow lock screen features box. When unchecked, only the lock screen features in this group of settings are blocked. Features that aren't listed, such as facial recognition, aren't blocked.

To block individual lock screen features, check the Allow lock screen features box and then uncheck the boxes for the lock screen features you want to block.

Camera

Not available for Education Fundamentals

Allows camera use while the device is locked.

If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.

To block camera use from the lock screen, uncheck the Allow camera box.

Face unlock

Not available for Education Fundamentals

Allows users to use the device camera’s facial recognition feature to unlock the device. This is available only on devices that support face unlock.

If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.

To block unlocking the device with face unlock, uncheck the Allow face unlock box.

This feature is affected by the Periodic authentication with pin, password, or pattern settings.

Iris unlock

Not available for Education Fundamentals

Allows users to use the device’s iris scanner to unlock the device. This is only available on devices that support iris unlock.

If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.

To block unlocking the device with iris unlock, uncheck the Allow iris unlock box.

Fingerprint unlock

Not available for Education Fundamentals

Allows users to use the device’s fingerprint reader to unlock the device.

If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.

To block unlocking the device with the fingerprint reader, uncheck Allow fingerprint unlock.

This feature is affected by the Periodic authentication with pin, password, or pattern settings.

Lock screen widgets

Supported for Android versions 4.2 Jelly Bean to 4.4 KitKat devices

Allows users to add widgets, such as email and calendar widgets, to the lock screen on their devices.

If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.

To block lock screen widgets, uncheck the Allow lock screen widgets box.

Notifications

Not available for Education Fundamentals

Allows users to receive notifications while the device is locked.

If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.

To block notifications, uncheck the Allow notifications on the lock screen box. When unchecked, the Notification details setting is also turned off.

Notification details

Allows users to receive notification details while the device is locked.

If the Notifications setting is turned off, this feature is also off.

If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.

To block notification details, uncheck the Allow notification details box.

Periodic authentication with pin, password, or pattern

Supported for Android versions 8 and above

Allows users who use face or fingerprint unlock to authenticate with more secure methods like a PIN, password, or pattern after a set period of time.

If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.

This setting is enforced on work profile apps when the Apply password requirements only on work profile apps box is checked in the Work Profile settings.

Trust agents

Not available for Education Fundamentals

Allows users to use Smart Lock to keep their device unlocked in some situations, like when their phone is in their pocket or they're at home. With Smart Lock, users don't need to unlock with their PIN, pattern, or password. For details, see Set your Android device to automatically unlock.

If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.

To block Smart Lock, uncheck the Allow Smart Lock to keep a device unlocked box.
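
Several settings on this page depend on others: each lock screen feature needs Allow lock screen features, Notification details needs Notifications, Google Accounts needs Accounts, and Bluetooth changes need Location Sharing on Android 6.0 and later. The following Python is an added example, not Google code, that checks a planned configuration against those rules before it is entered in the Admin console; the dictionary keys and the sample plan are hypothetical labels constructed for illustration, not Admin console or API field names.

```python
# Added example. Keys are hypothetical labels for checkboxes described on this
# page. True means the box is checked; a missing key is treated as unchecked
# (an assumption of this example).

# Features gated by the master "Allow lock screen features" box.
LOCK_SCREEN_CHILDREN = (
    "camera", "fingerprint_unlock", "face_unlock", "iris_unlock",
    "lock_screen_widgets", "notifications", "notification_details",
    "periodic_authentication", "trust_agents",
)


def effective_lock_screen(plan):
    """Return the lock screen state that results from the planned checkboxes."""
    master = bool(plan.get("lock_screen_features"))
    eff = {name: master and bool(plan.get(name)) for name in LOCK_SCREEN_CHILDREN}
    # Notification details is off whenever Notifications is off.
    eff["notification_details"] = eff["notification_details"] and eff["notifications"]
    return eff


def lint(plan):
    """Return a list of findings where the plan conflicts with documented rules."""
    findings = []
    eff = effective_lock_screen(plan)
    for name in LOCK_SCREEN_CHILDREN:
        if plan.get(name) and not eff[name]:
            findings.append(f"{name}: checked in the plan but off in effect")
    if plan.get("google_accounts") and not plan.get("accounts"):
        findings.append("google_accounts: cannot be on while Accounts is off")
    if plan.get("bluetooth_changes") and not plan.get("location_sharing"):
        findings.append("bluetooth_changes: Android 6.0+ also needs Location Sharing")
    admins = plan.get("frp_admins", [])
    if len(admins) > 10:
        findings.append("frp_admins: at most ten addresses can be entered")
    elif plan.get("factory_reset") and len(admins) < 2:
        findings.append("frp_admins: user reset allowed; list more than one admin")
    if plan.get("safe_boot"):
        findings.append("safe_boot: the page recommends unchecking this box")
    return findings


# Constructed sample plan with several deliberate conflicts.
SAMPLE_PLAN = {
    "lock_screen_features": True,
    "camera": False,
    "fingerprint_unlock": True,
    "notifications": False,
    "notification_details": True,   # conflicts with notifications=False
    "accounts": False,
    "google_accounts": True,        # conflicts with accounts=False
    "bluetooth_changes": True,
    "location_sharing": False,      # Bluetooth needs this on Android 6.0+
    "factory_reset": True,
    "frp_admins": ["admin1@example.com"],
    "safe_boot": True,
}

if __name__ == "__main__":
    for finding in lint(SAMPLE_PLAN):
        print(finding)
```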

System updates

OS update policy

Supported for Android 6.0 Marshmallow and later devices.

Allows admins to set up and apply over-the-air (OTA) system updates to your organization’s devices. 

Admins can choose when devices are updated:

  • Never—OS updates are not automatically downloaded.
  • As soon as updates are available—Automatically download the OS update when it’s available.
  • Only at specified times—Download OS update within a set time frame. Scheduling an update during non-working hours might prevent downtime for users.
    Note: If the end time is earlier than the start time, then the update begins at the start time and continues into the next day. 
  • 30 days after updates first become available—You can delay the OS update for 30 days. During this time:
    • Devices do not receive notifications about updates
    • Users can’t manually update their devices

    Admins can turn off the 30-day hold at any time. The system resets the 30-day postponement if a new update becomes available during the period.

    Once 30 days pass without a new update, the system prompts the user to install all the pending updates. Later, when a new system update becomes available, the 30-day period begins again.

Note: OS updates are downloaded during the device’s local time, not the admin’s local time. 
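
Two behaviours of the OS update policy are easy to misjudge when planning patch exposure: a window whose end time is earlier than its start time runs past midnight in the device's local time, and each new update restarts the 30-day hold. The following Python is an added example, not Google code, that models both as this page describes them; the function names, the fixed UTC offsets (no daylight saving), the exclusive end time, and the sample dates are assumptions constructed for illustration.

```python
# Added example modelling the "Only at specified times" window and the
# 30-day postponement described above. Not Google code.
from datetime import date, datetime, time, timedelta, timezone

HOLD = timedelta(days=30)


def in_update_window(start, end, device_local):
    """True if device_local (a naive time) falls inside the window.

    The end time is treated as exclusive and start == end as an empty window;
    both are assumptions, since the page does not specify them.
    """
    if start <= end:
        return start <= device_local < end
    # End earlier than start: the window continues into the next day.
    return device_local >= start or device_local < end


def window_open(start, end, admin_now, device_utc_offset_hours):
    """Evaluate the window in the device's local time, not the admin's.

    admin_now must be timezone-aware. A fixed UTC offset stands in for the
    device time zone, so daylight saving is ignored.
    """
    device_tz = timezone(timedelta(hours=device_utc_offset_hours))
    return in_update_window(start, end, admin_now.astimezone(device_tz).time())


def postponement_chains(release_dates):
    """Return (oldest_pending_release, prompt_date) pairs.

    A release during an active hold restarts the 30 days; a release exactly on
    the deadline is counted as inside the hold (an assumption). The last pair
    is a projection that assumes no further release arrives.
    """
    chains = []
    oldest = deadline = None
    for released in sorted(release_dates):
        if deadline is not None and released > deadline:
            chains.append((oldest, deadline))  # hold expired, users prompted
            oldest = None
        if oldest is None:
            oldest = released
        deadline = released + HOLD
    if deadline is not None:
        chains.append((oldest, deadline))
    return chains


# Constructed sample input.
ADMIN_NOW = datetime(2024, 3, 10, 6, 30, tzinfo=timezone.utc)
RELEASES = [date(2024, 1, 1), date(2024, 1, 20), date(2024, 2, 15), date(2024, 4, 1)]

if __name__ == "__main__":
    for offset in (-8, -3, 1):
        is_open = window_open(time(22, 0), time(4, 0), ADMIN_NOW, offset)
        print(f"UTC{offset:+d}: window open = {is_open}")
    for oldest, prompt in postponement_chains(RELEASES):
        print(f"update from {oldest} offered on {prompt} ({(prompt - oldest).days} days)")
```

In the constructed release dates, the update from 1 January is not offered until 16 March, because two later releases each restarted the hold.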

Support messages

Enforced settings

Supported for Android 7.0 Nougat and later devices.

Create and display a message for the user in settings screens where the admin turned off functionality. 

Choose from:

  • Default message stating the setting can’t be changed due to organization policy—The default message for enforced settings. The default message comes in two lengths:
    • Default short message—This setting is managed by your organization.
    • Default long message—This setting is managed by your organization. For questions please contact your IT department.
  • Custom messages—You can write a custom message to display to users explaining why a setting can’t be changed. The custom message comes in two lengths:
    • Custom short message—The short message is displayed to the user in settings screens where functionality was turned off. The message can be up to 200 characters.
    • Custom long message—The long message is displayed to the user in the device administrator’s settings screen (Settings > Security > Device).

For more information about user-facing messages, go to the Android Management API.

Work profile wipe

Supported for Android 9.0 Pie and later devices

Allows admins to create a custom message to users when removing a work profile from a managed device. 

Choose from:

  • Default message stating their work profile has been removed—The default message for a work profile wipe. When you remove a work profile, the user sees “Your work profile is wiped. Please contact your IT admin if this is not expected.”
  • Custom message—Admins can create a custom message for a work profile wipe. This message can be up to 200 characters long.

Note: Work profile wipe follows the same rules as Policy transparency management.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
