These security best practices are for administrators of Google Workspace and Cloud Identity.
As an administrator, you can help protect work data on users’ personal devices (BYOD) and on your organization’s company-owned devices by using Google endpoint management features and settings. Other security features provide stronger account protection, granular access control, and data protection. Review the following checklist to make sure that you're set up to meet your organization's device security goals.
Protect data on managed mobile devices by requiring that users set a screen lock or password for their device. For devices with advanced management, you can also set the password type, strength, and minimum number of characters.
Lock down or wipe corporate data from missing devices
When a device goes missing or an employee leaves your organization, the work data on the device is at risk. You can wipe a user's work account from the device, including all their work data. For devices with advanced management, you can wipe the entire device. This feature isn't available with the free version of Cloud Identity.
Manage Android apps used for work
Prevent unauthorized access to Android apps used for work by adding them to the Web and mobile apps list to make the apps managed. You can force install managed security apps and remove managed apps from lost or stolen devices. Managed apps are automatically removed from a device when a user removes their work account.
Require device encryption
Encryption stores data in a form that can be read only when a device is unlocked. Unlocking the device decrypts the data. Encryption adds protection if a device is lost or stolen.
Apply device restrictions
You can restrict how users share and backup data on Android and Apple iOS devices. For example, on Android, you can prevent USB file transfers and on iOS devices, you can stop backups to personal cloud storage. You can also restrict access to some device and network settings. For example, you can turn off the device’s camera and prevent Android users from changing their Wi-Fi settings.
Block compromised devices
Stop a user’s work account from syncing with Android and Apple iOS devices that might be compromised. A device becomes compromised when it’s jailbroken or rooted—processes that remove restrictions on a device. Compromised devices can indicate a potential security threat.
Automatically block Android devices that don't comply with your policies
When a device falls out of compliance with your organization’s policies, you can automatically block it from accessing work data and notify the user. For example, if you enforce a minimum password length of 6 characters and a user changes their device password to 5 characters, the device is not compliant because it doesn’t adhere to your password policy.
Enable Auto Account Wipe for Android devices
Automatically remove work account data and managed apps from an Android device when it’s inactive for a specified number of days. This reduces the risk of data leaks.
Manage iOS apps used for work
Prevent unauthorized access to iOS apps used for work by adding them to the Web and mobile apps list and making the apps managed. You can remove managed apps from lost or stolen devices. Managed apps are automatically removed from a device when a user removes their work account.
Block potentially dangerous Android apps
By default, Google blocks non-Play Store apps on Android mobile devices from unknown sources. Apps are also automatically scanned, and blocked if dangerous, by Google Play Protect. These features reduce data leak, account breach, data exfiltration, data deletion, and malware risks. Make sure Block app installation from unknown sources is turned on and Allow users to turn off Google Play Protect is turned off for all your users.
Turn on endpoint verification
When laptops and desktops are managed with endpoint verification, you can use context-aware access to protect your organization's data and get more information about the devices that access that data.
Restrict Google Drive for desktop to company-owned devices
Drive for desktop allows users to work on Drive files on their Mac or Windows computer outside a browser. To limit the exposure of your organization's data, you can allow Drive for desktop to run on only company-owned devices listed in your inventory.
Set up Google Credential Provider for Windows (GCPW)
Let users sign in to Windows 10 computers with their work Google Account. GCPW includes 2-Step Verification and sign-in challenges. Users can also access Google Workspace services and other single sign-on (SSO) apps without the need to re-enter their Google username and password.
Restrict user privileges on company-owned Windows computers
You can control what users can do on their company-owned Windows 10 computers with Windows device management. You can set users' administrative permission level for Windows. You can also apply Windows security, network, hardware, and software settings.
Prevent unauthorized access to a user's account
Require additional proof of identity when users sign in to their Google Account with 2-Step Verification (2SV). This proof could be a physical security key, a security key built in to the user's device, a security code delivered by text or phone call, and more.
When Google suspects that an unauthorized person is trying to access a user's account, we present them with an extra security question or challenge. When you use Google endpoint management, we might ask users to verify their identity with their managed mobile device (the device they normally use to access their work account). Extra challenges significantly reduce the chance of an unauthorized person breaking in to user accounts.
Use Context-Aware Access to conditionally allow access to Google apps
You can set up different access levels based on a user’s identity and the context of the request (country/region, device security status, IP address). For example, you can block mobile device access to a Google app (web and mobile) if the device is outside a specific country/region, or if the device doesn't meet your encryption and password requirements. As another example, you can allow contractor to access Google web apps only on company-managed Chromebooks.
Control the apps that can access Google Workspace data
Set which mobile apps are managed by your organization. You can also specify which services an app can access with app access control. This prevents malicious apps from tricking users into accidentally granting access to their work data. App access control is device-agnostic and blocks access by unauthorized apps on both BYOD and company-owned devices.
Identify sensitive data in Google Drive, Docs, Sheets, Slides, and Gmail
Protect sensitive data, such as government-issued personal IDs, by setting Data Loss Prevention (DLP) policies. These policies can detect many common data types, and you can also create custom content detectors to meet business-specific needs. DLP protects data at the source and application level, and applies across devices and access methods.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.