Control access to corporate data
This feature isn't available in the free edition of Cloud Identity.
As an administrator, you can individually review each user-owned device that requests access to corporate data. When a user adds a corporate account to their mobile device, they see a message that an administrator needs to review and approve the device. Once you approve a device, the user can synchronize corporate data to the device.
Set up device approval and review devicesBefore you begin
- If you use company-owned devices that are registered by serial number, they're automatically approved.
- If you set up a Wi-Fi network in the Google Admin console, Apple® iOS® devices can use that network while approval to corporate data is pending. For details on setting up or changing your Wi-Fi network, see Manage networks.
- If you do not use Google endpoint management, you can still approve and block Google Sync devices using the steps below. For details, see What is Google Sync?
- You might receive duplicate email notifications for Google Sync devices that are pending approval. You only need to approve the device once. While approval is pending, users get an error if they try to access corporate data.
- If you use endpoint verification, approving or blocking a device does not change the device’s ability to access corporate data. Instead, it adds a tag to the device that you can use to configure access levels with Access Context Manager. For details, see the Access Context Manager documentation.
If you haven’t already, you need to set up advanced mobile management to approve or block mobile devices. See Set up advanced mobile device management.
Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.
From the Admin console Home page, go to Devices.
To see Devices, you might have to click More controls at the bottom.
- On the left, click Setup.
- Click Device Approvals.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Check the Requires Admin approval box.
- (Optional) Enter an email address to get notifications when users enroll their devices.
Tip: Instead of an individual email address, use a group email address that includes all administrators who can activate devices.
- Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
Go back to the Device management page and on the left, click Device Approvals.
- Review the list of devices that requested access to corporate data.
- Choose an option:
- To allow devices to access corporate data and to tag endpoint verification devices as approved, select the devices and click More Approve Devices.
- To prevent devices from accessing corporate data and to tag endpoint verification devices as blocked, select the devices and click Block .
Note: If you tag an endpoint verification device as blocked, it can still access corporate data until you enforce Access Context Manager policies. For details, see the Access Context Manager documentation.