This feature isn't available in the free edition of Cloud Identity.
As an administrator, you can control how users access and interact with their Android device by applying policy settings.
Before you begin
Find the settings
- From the Admin console Home page, go to Devices.
- On the left, click Settings > Android settings.
- (Optional) On the left, select the organizational unit to which you want to apply the settings.
- Select a category and next to the setting, check the box to apply it. For details about each setting, see below.
- After you make a change, click Save.
You can manage application auditing, account sync and wipe, lock screen details and widgets, and the Android Device Manager.
Allows admins to see details about apps that are installed on devices that have a corporate account in the device’s personal space. Check the Enable application auditing in personal space box to see:
Note: Apps are automatically audited on company-owned devices and devices with a work profile.
Automatically removes corporate data from a device when the device:
- Reaches a specified number of days of inactivity. (Choose a number of days that aligns with your organization’s mobile usage policy.)
- Falls out of compliance with any of these device policies:
  - Password policies
  - Block compromised Android devices
  - Block devices that are not Android CTS compliant
  - Require device encryption
Before the wipe, the user gets a notification and time to fix the problem. The data that’s removed depends on the type of device:
Android Device Policy devices—If the device is company-owned or a personal device that the user lets the company manage (they don't check I own this device during setup and don't have a work profile), the device is factory reset. If the device is personally owned and has a work profile, only the work profile is wiped, leaving personal data untouched.
Google Apps Device Policy devices—The corporate account is removed. Personal data and apps remain on the device. However, if the device is in fully-managed mode and the corporate account is added back, all apps are removed from the device.
Older Android devices
Accommodates older devices by enforcing only those policies supported on older devices. Applying this setting allows older devices to continue to sync corporate data without encrypted storage, even when you apply the setting that requires encryption for Android 3.0 Honeycomb and later devices.
Use work profiles to separate your organization’s apps from personal apps. You can offer and manage apps through your whitelist. Your users’ bring your own device (BYOD) personal space remains private and available only to them. For details, see What is a work profile?
Work Profile Setup
Android 5.0 Lollipop and later devices running the legacy Google Device Policy app only. This setting doesn't apply to devices running Android Device Policy, which automatically requires a work profile on personal devices.
Controls the creation of work profiles on personal Android devices that are used in your organization.
Users can add one managed corporate account to a device with a work profile. Within the work profile, you offer and manage corporate apps using a whitelist. Once installed, managed apps are marked with Android enterprise so they’re easy for users to distinguish from personal apps. Learn more about whitelisting Android apps.
Next to Work Profile Setup, click the Down arrow and choose an option:
- User opt-in—Select this option to prompt users to create a work profile when they register their device for management. If a user decides to not set up a work profile, they can still synchronize their corporate data. However, you (and other administrators) can still make changes to protect the corporate data on the device. For example, if a device is lost, you can wipe all data from the device.
- Enforce—Select this option to require users to set up a work profile on their device. Users can’t sync corporate data unless they accept the work profile, and they don’t have the option to opt out. If Android devices without work profiles are already registered for management, users are prompted to create one. Data stops syncing to the devices until a work profile is in place. If the device doesn’t support work profiles, this setting isn’t applied. Check the device properties in your Admin console to find out if a device supports a work profile. For details, see View mobile device details.
- Disable—Select this option to prevent device users from setting up a work profile. Existing work profiles set up on registered devices are not affected.
Work Profile Password
Android 7.0 Nougat and later devices
Enforces password settings only on apps running in a user’s work profile, and allows users to configure their own lock screen settings for their device. For devices older than Android 7.0, password settings are enforced on the entire device.
Apps and data sharing
You can give users permission to install apps. You can also control what users can share from installed apps. These settings apply to company-owned devices and BYOD devices with work profiles, except where noted.
Allows users to uninstall apps, disable apps, force stop (halt processes), show notifications, and clear data, cache, or defaults. Supported for Android 6.0 Marshmallow and later.
Allows users to turn off the Verify Apps setting. The setting helps prevent harmful software from being installed. It also periodically scans devices for potentially harmful apps. Supported for Android 6.0 Marshmallow and later. For details, see Protect against harmful apps.
USB file transfer
Allows users to transfer files to and from their mobile devices using a USB connection. Supported for Android 6.0 Marshmallow and later, on company-owned devices only.
Allows users to install apps from other sources in addition to the Google Play Store. Uncheck this box to offer additional security by preventing app installation from unknown sources. Supported for Android 5.0 Lollipop and later.
Allows users to use developer options on their devices. If you disable this setting, users with Android enterprise on their device can still enable developer options on their device for their personal space, but not for their work profile. For example, users can sideload (download and then use a file manager to install) apps from their computer to their personal space, but they can't do this in their work profile. Supported for Android 5.0 Lollipop and later.
Allows users to turn on or off Google’s location service. Apps use location information to provide location-based services, such as the ability to view commute traffic or find nearby restaurants. This setting also allows users to manage their Android device from the My Devices page. Supported for Android 5.0 Lollipop and later.
Allows users to take screen captures on their mobile devices. If you turn off this setting, users are limited to screen captures with their personal applications. Supported for Android 5.0 Lollipop and later.
Sharing to other profiles
This setting is supported for Android 5.0 Lollipop and later devices, except where noted.
Controls whether users can share data and files, such as photos, from their work profile to the personal space on their device.
When you check the Allow content sharing from Work Profile to personal space box:
- Content from the work profile can be shared with apps in the user’s personal space. For example, a user can add work documents to their personal Gmail app.
- Caller ID information from the work profile is shown in the personal space for incoming calls.
- (G Suite only) Users can search for corporate contacts from their personal space on Android 7.0 Nougat and later devices.
- URLs are opened in the personal space if there’s no browser in the work profile.
- A map app in the personal profile opens a geographic location if there’s no map app in the work profile.
Cross Profile Copy Paste
Allows users to copy text from any app in their work profile and paste it using any app in their personal space. Supported for Android 5.0 Lollipop and later.
Allows device users to share content through Android Beam via near field communication (NFC). Uncheck the box to prevent using Android Beam.
Denying runtime permissions can affect the functionality of some apps.
Sets how permission requests from apps at runtime are handled by default. Permissions preferences specified for an individual app take priority over the default setting. For details, see Manage runtime permissions for Android apps. Supported for Android 6.0 Marshmallow and later.
Users and accounts
Company-owned devices and personal devices with work profiles
This feature is only available on Android 6.0 Marshmallow devices
Allows the primary device user to add user profiles to the device. Each user profile has personal space on the device for accounts, apps, settings, and more.
This feature is only available on Android 6.0 Marshmallow devices
Allows the primary device user to remove user profiles from the device. When a user profile is removed, any accounts that were added to that profile are also removed.
Android 5.0 Lollipop and later devices
Allows users to add and remove accounts on their device.
Only one managed account can be added to devices with a work profile. To remove a managed account, the user needs to remove the work profile from their device.
Android 5.0 Lollipop and later devices
Allows users to add Google or corporate accounts on their device. To turn on this setting, you must turn on the Accounts setting.
Only one managed account can be added to a device with a work profile. If you turn off Allow account addition and removal, users can still add their Google accounts in their work profile or on their device through Microsoft® Exchange®, IMAP, or POP3.
You can manage the way users access networks. These settings are available for company-owned, Android 6.0 Marshmallow and later devices.
Allows users to change the Wi-Fi network settings on their mobile devices.
Allows users to change the Bluetooth® settings on their mobile devices. For Android 6.0 Marshmallow and later, if you want to allow Bluetooth configuration, remember to apply the Location sharing setting (under Apps and Data Sharing) to enable it to work.
Allows users to add, edit, connect to, or delete a Virtual Private Network (VPN) on their device. Users can access VPN settings on their devices by tapping Settings > Wireless & networks > More > VPN.
Allows users to configure and use Wi-Fi hotspot and USB or Bluetooth tethering services.
Allows users to change the settings for data access and roaming on their devices. This setting also allows users to choose whether or not to display the mobile network name in the status bar, to change the access point name (APN), and to choose a mobile network operator.
Allows users to receive broadcast notifications, such as weather emergencies and missing children (AMBER) alerts, on devices equipped with SIM cards.
You can give users access to hardware options. These settings are available only for company-owned Android 6.0 Marshmallow and later devices, except where noted.
Allows users to insert an SD card and move data or applications to the card, on those devices with external SD card slots. SD cards are generally used for removable storage.
Allows users to modify certificate authority (CA) forms for their work profiles in Settings > Security > Trusted credentials on their mobile device. If unchecked, users can still view CA certificates for their work profile; however, they can't modify them.
Allows the use of device microphones. Uncheck this box to mute the microphone and prevent it from being turned back on. Leaving the microphone off ensures that malicious apps can’t use the microphone's functionality to record sound near the device.
Allows the use of device speakers. Uncheck this box to mute the speaker for apps in the work profile and prevent it from being turned back on.
Administrator Restriction PIN Settings
Android 5.1 Lollipop and earlier devices
Continues to sync the administrator restriction PIN with user devices. With this setting applied, users are asked to enter this PIN if they try to reset the phone, or to change Wi-Fi or Bluetooth settings. (The PIN needs to be numeric and have at least 5 characters.) If you uncheck this box, the previous administrator restriction PIN is recognized, and you can't change the administrator restriction PIN again until you re-apply this setting.
Controls whether users can reset the device to its factory settings via the Settings app. A factory reset removes all apps, data, and settings from the device. The settings that are removed include those that are set by an administrator using device management.
If you turn this setting on, consider using the Factory Reset Protection Setting to allow administrators to access a reset device. This can help to prevent locked devices if the user is unable to access their account after the device is reset.
This setting does not prevent users from resetting an Android device using its power and volume buttons.
Factory Reset Protection Setting
Allows specific administrator accounts to access a device after it’s been reset to its factory settings. For company-owned devices (those that you add to your Admin console by serial number), only the accounts you list can access the device after a factory reset. For personal devices in device owner mode, the user can access the device, too.
Click Add an account and enter the email addresses of the admins who you want to allow to access the device after a factory reset.
Note: If you use this setting and need to reset a device to factory settings, make sure you can access any associated admin accounts before you reset the device. (See Tips below.) Support can’t remotely unlock a reset device or restore it. If you have problems unlocking a reset device, contact the device manufacturer for help.
- You can enter up to 10 email addresses. We recommend that you enter more than one email address in case there are problems with any of the addresses you enter.
- Ensure the email addresses you add are active and have never been deleted or suspended. If an account is suspended or deleted, it might not be able to access a device that’s been reset, even if the account has been restored.
- Don’t enter any group email addresses—they can’t access a device that’s been factory reset.
- Before you reset a device:
  - Sign out and remove the user’s corporate account.
  - If the user doesn’t know their password, reset it. Do this before you wipe the device. If you wait, the user might need to wait at least 24 hours before they can sign back in to the device.
Allows users to set the date and time on their devices. Uncheck the box to prevent users from setting the date and time.
Allows users to access data services while roaming (using the device outside the cell phone carrier’s operating area). Uncheck the box to prevent Internet access while roaming. This setting is only available for company-owned Android 7.0 Nougat and later devices.
Allows users to reboot their devices in safe mode, where the device reboots with only standard, pre-installed apps running, and third-party apps disabled. Uncheck the box to prevent users from rebooting in safe mode.
For Android devices where the Google Apps Device Policy app is not pre-installed, allowing the user to go into Safe Boot mode prevents the device policy app from running, which means that corporate access is eventually blocked on the device. We recommend that you don't allow Safe Boot access.
Lock screen features
Only company-owned devices and personal devices without personal profiles running Android 6.0 Marshmallow and later
You can allow or disallow notifications and other features while a device is locked.
Lock screen features
Controls each of the lock screen settings in the Lock screen features category. To turn on all lock screen features, check the Allow lock screen features box. To turn off all lock screen features, uncheck the box.
Lock screen widgets
Controls whether users can add widgets, such as email and calendar widgets, to the lock screen on their devices. Lock screen widgets are supported on Android versions 4.2 Jelly Bean to 4.4 KitKat.
Allows users to use the device’s fingerprint reader to unlock the device.
Controls whether users can access the device’s camera while it’s locked.
Controls whether users can use Smart Lock to keep their device unlocked in some situations, like when their phone is in their pocket or they're at home. With Smart Lock, users don't need to unlock with their PIN, pattern, or password. For details, see Set your Android device to automatically unlock.
Allows users to receive notifications while the device is locked.
Allows users to receive notification details while the device is locked. This setting is disabled if the Notifications setting (above) is off.