Control access to corporate data

This feature isn't available in the free edition of Cloud Identity.

As an administrator, you can individually review each user-owned device that requests access to corporate data. When a user adds a corporate account to their mobile device, they see a message that an administrator needs to review and approve the device. Once you approve a device, the user can synchronize corporate data to the device.

Set up device approval and review devices

Open all   |   Close all

Before you begin
  • If you use company-owned devices that are registered by serial number, they're automatically approved. 
  • If you set up a Wi-Fi network in the Google Admin console, Apple® iOS® devices can use that network while approval to corporate data is pending. For details on setting up or changing your Wi-Fi network, see Manage networks.
  • If you do not use Google endpoint management, you can still approve and block Google Sync devices using the steps below. For details, see What is Google Sync?
  • You might receive duplicate email notifications for Google Sync devices that are pending approval. You only need to approve the device once. While approval is pending, users get an error if they try to access corporate data.
  • If you use endpoint verification, approving or blocking a device does not change the device’s ability to access corporate data. Instead, it adds a tag to the device that you can use to configure access levels with Access Context Manager. For details, see the Access Context Manager documentation.  
Step 1: Set up advanced mobile management

If you haven’t already, you need to set up advanced mobile management to approve or block mobile devices. See Set up advanced mobile device management.

Step 2: Require device approval

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.

    To see Devices, you might have to click More controls at the bottom.

  3. On the left, click Setup.
  4. Click Device Approvals.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. Check the Requires Admin approval box.  
  7. (Optional) Enter an email address to get notifications when users enroll their devices.
    Tip: Instead of an individual email address, use a group email address that includes all administrators who can activate devices. 
  8. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
Step 3: Review devices for approval
  1. Go back to the Device management page and on the left, click Device Approvals
  2. Review the list of devices that requested access to corporate data.
  3. Choose an option: 
    • To allow devices to access corporate data and to tag endpoint verification devices as approved, select the devices and click More More and then Approve Devices
    • To prevent devices from accessing corporate data and to tag endpoint verification devices as blocked, select the devices and click Block Block.
      Note: If you tag an endpoint verification device as blocked, it can still access corporate data until you enforce Access Context Manager policies.  For details, see the Access Context Manager documentation.

Related topics 

Was this helpful?
How can we improve it?