Devices audit log

This feature isn't available in the free edition of Cloud Identity.

You can use the Devices audit log to see a report of activities on computers and mobile devices that are used in your organization. For example, you can see if a user’s account was added to a device or if a device’s password doesn’t comply with your password policy. You review the various device activities in a devices audit log in the Google Admin console. You can also set an alert to be notified when an activity occurs.

Note: For details on when log data becomes available and how long it's retained, see Data retention and lag times.

Before you begin

  • To see all audit events for mobile devices, the devices need to be managed using advanced mobile device management
  • You can’t see activities for devices that sync corporate data using Google Sync. 

Step 1: Open your devices audit log

If you move from the Cloud Identify Premium edition to the free edition of Cloud Identity, the audit log stops collecting data on new events. However, old data is still visible to administrators.

View events for all devices

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Reportsand thenAuditand thenDevices.
  3. (Optional) Next to the columns, click Manage columns Manage columns and select the columns that you want to see or hide.

View events for a specific device

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Devicesand thenMobile devices.
  3. Choose an option: 
    • To see managed mobile devices, click Mobile devices.
    • To see laptop and desktop devices, click Endpoints.
    • To see devices that your organization owns, on the left, click Company owned inventory.
  4. Select one or more devices and click More and then View audit info.
    Note: From your company-owned inventory, select the devices and click View audit info Audit info
  5. (Optional) Next to the columns, click Manage columns Manage columns and select the columns that you want to see or hide.
  6. See steps below to understand and customize the log data.

Step 2: Understand audit log data

Data you can view
Data Type Description
Device ID Identifier for the device that the event happened on. 
Event description Details of the event that happened on the device.
Date Date and time that the event occurred (displayed in your browser's default time zone).
Event name Name of the event that was logged, such as an account registration change, sign-in challenge, or a failed unlock attempt. For details, see the event descriptions below.
User Name of the user who performed the event on the device. 
Device type Type of device that the event happened on. For example, Android or  Apple® iOS®.
Application hash For app-related events, the SHA-256 hash of the application package.
Serial number The serial number of the device.
Device model The model of the device.
OS version

Available only if you enable enhanced desktop security for Windows.

Number assigned to a unique release of the operating system (OS).

Policy name

Available only if you enable enhanced desktop security for Windows®.

The name of the Microsoft® configuration service provider (CSP) that corresponds to the custom setting applied to the device.

Policy status code

Available only if you enable enhanced desktop security for Windows.

The code returned from a Windows 10 device when you attempt to apply a setting to the device.

Windows OS edition

Available only if you enable enhanced desktop security for Windows.

Variant of Windows with a unique package of features.

Event descriptions

You see an audit log entry for each of the following event types. On the left side of the Admin console, you can use the Event name filter to filter your audit log by these events. For some events, you can narrow your audit log results using subfilters. 

Event name Description Subfilters Supported devices
Account registration change

Registration state of a device in your organization changed. An entry is recorded each time a user adds their managed account on a new device, or unregisters their account from a device. 

For Android devices, you also see the device privilege the account is registered with. For details about device privileges, see Policy profile information.

Example: User’s account registered on Nexus 6P with device administrator privilege.

Registered—User added a managed account to the device.

Unregistered—User unregistered an account on the device. The user can no longer use the account on that device.

Apple® iOS®
Chrome OS

Advanced policy event

Specifies whether the application of a policy setting was successful.

Example: Applying ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools 0 Windows policy succeeded on User's account 20KHS1TG00 with serial id PF1FWXNF

  • Device ID
  • User email
Device action event

Status of an action carried out on a device by an admin. 

Example: Account Wipe with id 1234 on user’s Pixel 2 is Pending. 

Not applicable

Chrome OS

Device OS update

A device's OS property was updated. 

For iOS devices, the system only records updates to OS version and build number.

Example: OS Version updated on user’s Nexus 5 from 8.0 to 8.2.

  • OS version
  • Build number
  • Kernel version
  • Baseband version
  • Security patch
  • Bootloader version
Chrome OS
Device sync

A user’s managed account synced on the device.

Example: Username’s account synced on Nexus 6P.

Not applicable Android
Chrome OS
Device application change

A user installed, uninstalled, or updated an app on their device.

Android devices—Events are logged immediately. If you don’t see any entries in the audit log, make sure the application auditing setting is on. 

iOS devices—Events are logged the next time the device syncs. Only managed apps installed using the Device Policy app are audited. 

Example: version 50.0.2645.0 was deleted from user's Nexus 5.

Application Event—Install, uninstall, update

Package Name—Name of the application package

Application Hash—SHA-256 hash of the application package (Android only) 

Device compliance status

Whether the device complies with your organization’s policies.

A device is marked not compliant for the following reasons:

Example: User's Nexus 6P is not compliant with set policies because device is not adhering to password policy.

Not applicable Android
Device compromise

Whether the device is compromised. Devices can become compromised if they’re rooted or jailbroken—processes that remove restrictions on a device. Compromised devices can be a potential security threat.

The system records an entry each time a user’s device is compromised or no longer compromised. 

Example: User's Nexus 5 is compromised.

Not applicable Android 
Device ownership

Whether the ownership of the device changed. 

For example, a personal device was changed to company-owned after its details were imported into the Admin console. 

This audit occurs immediately after a company-owned device is added to the Admin console. If a company-owned device is deleted from the Admin console, the audit occurs at the next sync (after it’s re-enrolled for management).

Example: Ownership of user’s Nexus 5 has changed to company owned, with new device id abcd1234.

Not applicable Android
Chrome OS
Device settings change

The device user changed the developer options, unknown sources, USB debugging, or verify apps setting on their device.  

This event is recorded the next time the device syncs. 

Example: Verify Apps changed from off to on by user on Nexus 6P.

  • Developer options
  • Unknown sources
  • USB debugging
  • Verify apps
Failed screen unlock attempts

The number of failed attempts by a user to unlock a device. 

An event is generated only if there are more than 5 failed attempts to unlock a user's device. 

Example: 5 failed attempts to unlock user's Nexus 7.

Greater than—Enter a number to only display failed attempts greater than that number.

Sign out user An admin signed a user out from a device that is managed by fundamental management Not applicable Desktop devices managed by fundamental management
Suspicious activity 

Suspicious activity was detected on the device.

Android—The system records an entry each time any one of the device properties listed in the subfilters changes on a user’s device. 
iOS—The system records changes to the Wi-Fi MAC address only.

Example: WiFi MAC address changed on user's Nexus 5 from x to y.

  • Device model 
  • Serial number 
  • WiFi MAC address
  • Device policy app privilege 
  • Manufacturer
  • Device brand
  • Device hardware
Work profile support

The device supports work profiles. 

For example, this event informs you when a user upgrades the OS version so the device becomes work profile compliant.

The system records an entry for each device that supports work profiles.

Example: Work profile is supported on user's Nexus 5.

Not applicable Android

Step 3: Filter your log data

You can only filter the current organization hierarchy, even when searching for older data. Data before December 20, 2018 will not appear in the filtered results.

Filter the audit log data by user or activity

You can narrow your audit log to show specific events or users. For example, find all log events for failed attempts to unlock a device. Or, find all suspicious activity for a particular user.

  1. Open the audit log.
  2. Click Add a filter.
  3. Select and enter the criteria for your filter and if needed, click Apply.
  4. (Optional) To filter by organizational unit, at the top right, click Organization filter, select the organizational unit, and click Apply.
  5. (Optional) To specify a date range to search, click Date range and select a period from the list or enter a start and end date and time. If needed, click Apply.

Filter by organizational unit

You can filter by organizational unit to compare statistics between child organizations in a domain.

  1. Open the audit log.
  2. At the top, click Organization filter.
  3. Select an organizational unit and click Apply.

Filter by date

  1. Open the audit log.
  2. At the top, click Date range.
  3. Select a period from the list or enter a start and end date and time.
  4. If needed, click Apply.

Step 4: Export log data

Export your audit log data

You can export your audit log data to Google Sheets or download it to a CSV file.

  1. Open your audit log as shown above.
  2. (Optional) To change the data to include in your export, click Manage columns Manage columns, select or remove the columns that you want to export, and click Save.
  3. Click Download Download.
  4. Under Select columns, click Currently selected columns or All columns.
  5. Under Select format, click Google Sheets or comma-separated values (CSV).
  6. Click Download.

You can export a maximum of 100,000 rows to Sheets or CSV.

Step 5: Set up email alerts

Track specific activities by setting up alerts. For example, get an alert whenever someone creates or deletes a calendar on their device.

  1. Open the audit log.
  2. Click Add a filter.
  3. Enter or select the criteria for your filter and click Create Alert.
  4. Enter a name for the alert.
  5. (Optional) To send the alert to all super administrators, under Recipients, click Turn on Turn on.
  6. Enter the email addresses of alert recipients.
  7. Click Create.

To edit your custom alerts, see Administrator email alerts.

Was this helpful?
How can we improve it?