Device management security checklist

These security best practices are for administrators of G Suite and Cloud Identity.

As an admin, you can help protect work data on users’ personal mobile devices and on your organization’s company-owned devices by enrolling the devices for management. Users get secure access to their work email, apps, documents, and more. You can set and monitor policies to keep the devices and data more secure.

All mobile devices

Require passwords

Protect data on managed mobile devices by requiring that users set a screen lock or password for their device. For devices with advanced management, you can also set the password type, strength, and minimum number of characters.

Set password requirements for managed mobile devices

Lock down or wipe corporate data from missing devices

When a device goes missing or an employee leaves your organization, the work data on the device is at risk. You can wipe a user's work account from the device, including all their work data. For devices with advanced management, you can wipe the entire device. This feature isn't available with the free version of Cloud Identity.

Prevent unauthorized access to a user's account

When Google suspects that an unauthorized person is trying to access a user's account, we present them with an extra security question or challenge. When you use Google endpoint management, we might ask users to verify their identity with their managed mobile device (the device they normally use to access their work account). Extra challenges significantly reduce the chance of an unauthorized person breaking into user accounts.

Verify a user’s identity with a login challenge

Mobile devices under advanced management

Require device encryption

Encryption stores data in a form that can be read only when a device is unlocked. Unlocking the device decrypts the data. Encryption adds protection if a device is lost or stolen.

Require device encryption

Apply device restrictions

You can restrict how users share and back up data on Android and Apple® iOS® devices. For example, on Android, you can prevent USB file transfers, and on iOS devices, you can stop backups to personal cloud storage. You can also restrict access to some device and network settings. For example, you can turn off the device’s camera and prevent Android users from changing their Wi-Fi settings.

Block compromised devices

Stop a user’s work account from syncing with Android and Apple iOS devices that might be compromised. A device becomes compromised when it’s jailbroken or rooted—processes that remove restrictions on a device. Compromised devices can indicate a potential security threat.

Block compromised devices

Automatically block Android devices that don't comply with your policies

When a device falls out of compliance with your organization’s policies, you can automatically block it from accessing work data and notify the user. For example, if you enforce a minimum password length of 6 characters and a user changes their device password to 5 characters, the device is not compliant because it doesn’t adhere to your password policy.

Set device management rules
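The checks described in the sections above (a screen lock or password of a required minimum length, device encryption, and no jailbroken or rooted devices) are the kind of conditions that device management rules evaluate before a device is blocked and the user notified. The following Python is an added example, not Google's code and not the Admin console's actual rule engine: it models a policy object, evaluates constructed inventory records against it, and reports which devices should be blocked and why. The record fields (`password_length`, `encrypted`, `compromised`) and the sample devices are assumptions made for illustration.

```python
"""Added example: evaluate managed-device inventory records against a policy.

This is illustrative code, not Google's implementation. Field names and the
sample inventory below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePolicy:
    """Policy values an admin might set; the defaults mirror the page's example."""
    require_password: bool = True
    min_password_length: int = 6
    require_encryption: bool = True
    block_compromised: bool = True


@dataclass(frozen=True)
class Device:
    """One inventory record (assumed shape, not an Admin SDK resource)."""
    device_id: str
    owner: str
    platform: str          # "android" or "ios"
    password_length: int   # 0 means no screen lock or password is set
    encrypted: bool
    compromised: bool      # rooted (Android) or jailbroken (iOS)


def compliance_findings(device: Device, policy: DevicePolicy) -> list[str]:
    """Return a list of human-readable reasons the device is non-compliant.

    An empty list means the device complies with every rule in the policy.
    """
    findings = []

    if device.password_length == 0:
        if policy.require_password:
            findings.append("no screen lock or password set")
    elif device.password_length < policy.min_password_length:
        findings.append(
            f"password length {device.password_length} is below the "
            f"minimum of {policy.min_password_length}"
        )

    if policy.require_encryption and not device.encrypted:
        findings.append("device storage is not encrypted")

    if policy.block_compromised and device.compromised:
        kind = "rooted" if device.platform == "android" else "jailbroken"
        findings.append(f"device is {kind}")

    return findings


def evaluate_inventory(devices: list[Device], policy: DevicePolicy) -> dict[str, list[str]]:
    """Map device_id -> findings for every device that should be blocked."""
    result = {}
    for device in devices:
        findings = compliance_findings(device, policy)
        if findings:
            result[device.device_id] = findings
    return result


def user_notification(device: Device, findings: list[str]) -> str:
    """Text an admin might send when a device is blocked for non-compliance."""
    reasons = "; ".join(findings)
    return (
        f"Hi {device.owner}, your {device.platform} device {device.device_id} "
        f"has been blocked from accessing work data: {reasons}. "
        "Fix these issues to restore access."
    )


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    Device("dev-1", "alice", "android", password_length=8, encrypted=True, compromised=False),
    Device("dev-2", "bob", "android", password_length=5, encrypted=True, compromised=False),
    Device("dev-3", "carol", "ios", password_length=6, encrypted=False, compromised=False),
    Device("dev-4", "dave", "android", password_length=6, encrypted=True, compromised=True),
    Device("dev-5", "erin", "ios", password_length=0, encrypted=True, compromised=False),
]


if __name__ == "__main__":
    blocked = evaluate_inventory(SAMPLE_DEVICES, DevicePolicy())
    by_id = {d.device_id: d for d in SAMPLE_DEVICES}
    for device_id, findings in blocked.items():
        print(user_notification(by_id[device_id], findings))
```

Running the script blocks four of the five sample devices and prints a notification for each; `dev-2` is the page's own scenario of a 5-character password against a 6-character minimum. The evaluator returns every failing rule rather than stopping at the first one, so the user is told everything they need to fix before the device is allowed back.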

Computers that access work data

Turn on Endpoint Verification

When laptops and desktops are managed with Endpoint Verification, you can use Context-Aware Access to protect your organization's data and get more information about the devices that access that data.

Turn on endpoint verification

Restrict Drive File Stream syncing to company-owned devices

Drive File Stream allows users to work on Drive files on their Mac or PC outside a browser. To limit the exposure of your organization's data, you can allow Drive File Stream to run on only company-owned devices listed in your inventory.

Restrict Drive File Stream to authorized devices
