Set up advanced mobile management

This feature is available with Cloud Identity Premium edition. Compare editions 

As an administrator, you can use advanced management to have more control over access to your organization's data. You can restrict mobile device features like notifications on the lock screen, require device encryption, manage apps on Android devices, iPhones, and iPads, and wipe data from a device. 

Requirements

  • Devices must support advanced mobile management. Review supported platforms
  • To manage iPhones and iPads, set up an Apple push certificate.
  • Only one Google Account under advanced mobile management is allowed on each device.
  • User enrollment: After you turn on advanced mobile management, all mobile device users are prompted to install a device policy app so that you can manage their devices. Android users are also prompted to set up a work profile if their device supports it. iPhone and iPad users might also be prompted to install a configuration profile.

Step 1. Turn on advanced mobile management

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. At the left, click Settingsand thenUniversal settings.
  4. Click Generaland thenMobile management.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. Select Advanced.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
  8. If you get a message that you need to enable sync on mobile, click Go to Sync on Mobile. Check the boxes for the devices you want to allow to sync work data and click Save.
  9. If you want to manage iOS devices and apps, create an Apple push certificate. You need to renew this certificate annually.

Step 2. Set up password and approval requirements

Before you begin: Tell users you'll manage the mobile devices they use for work. Let them know about the policies you set, including password requirements.

  1. Set password requirements for managed mobile devices. You can set the password length, require special characters, and set an expiration.
  2. To screen devices before they can access work data, require admin approval for mobile devices.

Step 3. Set up company-owned mobile devices

Skip this step if you don't have company-owned devices.

For Android

For iPhones and iPads

Step 4. Protect your organization's data

To make your organization's data more secure, use advanced management settings as needed or required for your organization.

Recommended settings

Universal settings (all mobile devices)

  • Block compromised devices 
  • Require device encryption

Android settings

  • Autowipe devices that don't sync within a specified period
  • Block devices that are not Android CTS compliant
  • Don't allow application verification to be turned off
  • Don't allow USB file transfer
  • Don't allow apps from unknown sources
  • Don't allow notification details on lock screen
  • Don't allow trust agents (under lock screen settings)

iOS settings

  • Don't allow notification details on lock screen
  • Don't allow managed apps to store data iCloud
  • Require encryption for backups if you allow device backups

Next steps


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?