Automate mobile management tasks with rules

This feature isn't available in the free edition of Cloud Identity.

As an administrator, you can define rules to automate mobile device management tasks and get security alerts. For example, you can automatically block devices that report suspicious activity. 

How rules work

A device management rule is triggered by an event on a managed mobile device. When the event is detected, the rule checks for any conditions you specify. If the conditions are met, an action is carried out.

For example, you can notify admins when the account registration state changes on Android devices because a user unregisters their corporate account from the device. In this example:

  • The event is an account registration state change on an Android device.
  • The condition is that a user unregisters their account from the device.
  • The action is notifying admins.

You can create your own rule or work with a predefined template. You can assign a rule to your whole organization, an organizational unit, or a group in Google Groups. You can also exempt a group. 

You can set rules for devices that are managed with basic or advanced mobile management, but the approve and block actions are supported only for advanced mobile management. If needed, turn on advanced mobile management.

Create and edit rules

Create a device management rule
  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Rules.
  3. Click Create rule.
  4. Click Device Management and choose an option: 
    • To use a rule template, click the template. For details, see Use the rule templates.
    • To build your own rule, click Blank Template. 
  5. Edit the rule title and description.
  6. Click Conditions.
  7. (Optional) Under Users, choose an organizational unit or group to apply the rule to, or a group to exclude from the rule. If you don’t select an option, the rule is applied to all applicable users in your organization.

    To apply the rule to more than one organizational unit or group, or to exempt more than one group, click Add. To remove an organization or group, click X next to it.

    • Apply to organizational unit—Select an organizational unit from the drop-down list. 
    • Apply to Group—Enter the exact name of the group.
    • Exempt Group—Excludes users in a group from the rule. Enter the exact name of the group. The rule applies to all users except users in the group you specify. 
  8. If necessary, under Filters, edit the event and conditions for the rule. For more details, see Choose an event and conditions.
    1. Select a device type (Android, iOS, or All Devices) to apply the rule to.
    2. Select the event that triggers the rule. 
    3. (Optional) Select additional conditions that the rule should check for before it carries out an action.

      To set more than one additional condition, click Add.

  9. Click Done.
  10. Click Actions and select one or more actions to take when the rule's conditions are met. Not all actions are available for all events.
    • Send email to super administrators—Sends an alert when the event occurs on a managed mobile device. The maximum number of emails sent is 25 emails in 2 hours.
    • Block mobile device—(advanced mobile management only) Stops the device from syncing corporate data.
    • Approve mobile device—(advanced mobile management only) Allows the device to sync corporate data. 
    • Perform wipe—Wipes the user’s corporate account and associated data from the device.
  11. Click Done.
  12. Choose an option: 
    • To create the rule and turn it on now, click Create and Activate.
    • To create the rule and turn it on later, click Create. When you want to turn it on, select the rule from the list of rules and at the top, click Activate rules.
Edit an existing device management rule
  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Rules.
  3. At the top, click Manage to see the list of rules.
  4. Click the rule you want to edit.
  5. Click the section you want to edit and make your changes. Click Done.
  6. Choose an option: 
    • To save your changes and activate them now, click Save and Activate.
    • If the rule is paused and you don’t want to activate it yet, click Save.

Use the rule templates

Rule templates have predefined conditions and actions that you can change to suit your organization’s needs. For example, if you want to automatically approve all iOS devices, but manually approve Android devices, use the Auto-approve device registration template and change the device type to iOS. 

Block account on multiple failed screen unlocks

Blocks an Android device when there are more than 5 failed attempts to unlock it. The rule stops corporate data from synchronizing to the device and sends an email notification to super admins.

Perform wipe on suspicious event

Removes corporate data from an Android or iOS device when suspicious activity is detected. For iOS devices, the account is wiped if there are changes to the device’s Wi-Fi MAC address. 

For Android devices, the device is wiped when there are changes to any of the following device properties:

  • Device model
  • Serial number
  • Wi-Fi MAC address
  • Device policy app privilege
  • Manufacturer
  • Device brand
  • Device hardware

If ownership of the Android device is assigned to your organization (company-owned), all data is wiped from the device and the device is factory reset. If the device is personally owned and has a work profile, only the work profile is wiped, leaving personal data untouched. 

An email notification is sent to super admins.

Auto-approve device registration

Automatically approves all Android and iOS devices when a user enrolls their device for management. Corporate data will synchronize to the device when the user signs in with their account. Admins aren’t notified when devices are approved. 

Choose an event and conditions (filters)

Use filters to select the device type (Android, iOS, or all), event, and other conditions that trigger the rule. The rule’s action is only carried out when the event happens on devices that meet the conditions you specify. 

You can choose one event and several conditions for every rule. The conditions include a full or partial user email address, device ID, device serial number, or device model. Additional conditions are available for individual events. To apply more than one condition to a rule, click Add.

Account registration change

Triggers the rule when the account registration state of a device in your domain changes. The registration state can change when:

  • A user adds their corporate account on a new device. 
  • A user unregisters their corporate account from a managed device.
  • There are changes to the device policy app privilege on the device. 

By default, the rule is triggered when any of those events are detected. To only apply the rule when specific conditions are met, use these options:  

Condition Applies the rule to
Account state

Devices whose user’s account state has changed. Choose an option: 

  • Registered on—Applies the rule when an account is added to a device.
  • Unregistered from—Applies the rule when an account is unregistered from a managed device. 
Device policy app privilege

Choose an option: 

  • With device administrator privilege—Applies the rule to personal devices that have a managed account in their personal space.
  • With work profile privilege—Applies the rule to personal devices that have a work profile set up.
  • With device owner privilege—Applies the rule to devices that are configured to recognize your organization as the device owner. 
Device application change

Applies the rule whenever a user installs, uninstalls, or updates an app on their device. For personal Android devices that don’t have a work profile, the Application Auditing setting needs to be turned on. For iOS devices, only changes to managed apps that were installed using the Google Device Policy app are detected.

To only apply the rule when specific conditions are met, use these options:

Condition Applies the rule to
Application ID

Devices that have had changes to the app you specify. Choose an option: 

  • Contains—Enter a partial app ID.
  • Equals—Enter the full app ID.
New value

Devices where the version number of an app changed to the value you specify. Enter the new version number of the app. For example, 50.0.2645.0.
Application state 

Devices where the state of an app was changed to the value you select. Choose an option:

  • Installed on.
  • Deleted from.
  • Updated on.
Application hash

Devices with an app installed that matches the application hash you specify. Enter the SHA-256 hash of the application package.
Device compliance status (Android only)

Triggers the rule when a device becomes noncompliant with your organization's policies. For example, a user changes their device password and it no longer complies with your password policy. For details, see Device compliance status.

To only apply the rule when specific conditions are met, use these options:

Condition Applies the rule to
Device compliance state

Devices whose compliance status has changed. Choose an option:  

  • Compliant with set policies—Applies the rule when a device becomes compliant with your organization’s policies. 
  • Not compliant with set policies because device—Then click Add and use the Reason for deactivation of the mobile device condition.
Reason for deactivation of the mobile device

Devices that become noncompliant with your organization's policies for the reason you select. You can select from these reasons:

  • Is not adhering to password policy
  • Is not encrypted
  • Does not have the latest device policy app
  • Is compromised
  • Has camera enabled
  • Has lock screen widgets enabled
  • Does not have work profile created
  • Is not in device owner mode
  • Has been blocked by the administrator
  • Does not have sync enabled
  • Does not have the device policy app installed
  • Has not synced in the last 24 hours
Device compromise (Android only)

Applies the rule to Android devices that become compromised or are no longer compromised. An Android device is compromised when it’s rooted—a process that removes restrictions on a device. Compromised devices can indicate a potential security threat. 

To only apply the rule when specific conditions are met, use this option:

Condition Applies the rule to
Device compromised state

Devices whose compromised status has changed. Choose an option: 

  • Is compromised—Applies the rule to devices that have become compromised.
  • Is no longer compromised—Applies the rule to devices that were compromised, but are no longer compromised.
Device OS update

Triggers a rule when a device’s operating system changes. For Android devices, these changes include the OS version, build number, kernel version, baseband version, security patch, or bootloader version on their device. For iOS devices, these changes only include updates to the OS version and build number. For example, a user updates their device to a new OS or applies the latest security patch.

To only apply the rule when specific conditions are met, use these options:

Condition Applies the rule to
Old value

Devices where an OS property was changed from the value you specify.
New value

Devices where an OS property was changed to the value you specify.
OS property

Devices that have had changes to the OS property you select. Select from the following OS properties: 

  • OS version
  • Build number
  • Kernel version
  • Device baseband version
  • OS security patch
  • Bootloader version

For iOS, only OS version and build number are supported. 

Device ownership (Android only)

Applies a rule when ownership of a device changes from personal to company-owned, or from company-owned to personal.

To only apply the rule when specific conditions are met, use this option:

Condition Applies the rule to
Device ownership of the device

Devices whose device-ownership state has changed. Choose an option: 

  • Company owned—Applies the rule to devices whose ownership has changed to company-owned. 
  • Personal—Applies the rule to devices whose ownership has changed to personal.
Device settings change (Android only)

Triggers a rule when there are changes to the device settings on Android devices, such as changes to USB debugging, unknown sources, developer options, or verify-apps settings on a device.  

To only apply the rule when specific settings are changed, use these options:

Condition Applies the rule to
Old value

Devices where a device setting was changed from the value you specify.
New value

Devices where a device setting was changed to the value you specify.
Device setting

Devices that have had changes to the device setting you select. Select from the following settings:
  • Developer options
  • Unknown sources
  • USB debugging
  • Verify apps 
Failed screen unlock attempts (Android only)

Applies the rule to a device when there are failed attempts to unlock it. By default, the rule is applied when there are more than 5 failed attempts.

To change the number of failed attempts before the rule is applied, use this option:

Condition Applies the rule to
Failed screen unlock attempts

Devices where failed unlock attempts have been detected. To specify how many attempts should be made before the rule is applied, choose an option and enter the number of attempts:

  • > (More than)
  • >= (More than or equal to)
Suspicious activity

The rule is triggered when there’s suspicious activity on managed mobile devices in your domain. For example, the device’s reported model changes even though the device itself hasn’t been replaced.

For Android devices, suspicious activity includes changes to the following device properties: 

  • Device model
  • Serial number
  • Wi-Fi MAC address
  • Device policy app privilege
  • Manufacturer
  • Device brand
  • Device hardware
  • Bootloader version

For iOS devices, it only includes changes to the Wi-Fi MAC address.

To only apply the rule when specific conditions are met, use these options:

Condition Applies the rule to
Device property

Devices with changes to the device properties you select. Select a property from the list. To select more than one property, click Add and select another device property. 

Note: For iOS devices, only changes to the Wi-Fi MAC address are detected.

Old value

Devices where a device property was changed from the value you specify.
New value

Devices where a device property was changed to the value you specify.
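The following is an added example, not Google's code or part of this help page: a small Python model of how the Suspicious activity event above and the Perform wipe on suspicious event template decide whether a property change counts as suspicious and what is wiped. The monitored property names come from this page; the record layout, function names, sample devices, and the assumption that a personal device without a work profile loses only its corporate account are constructed.

```python
# Added example (not Google's code): models the "Suspicious activity" event and the
# "Perform wipe on suspicious event" template from the help text. Record layout,
# function names and sample values are constructed assumptions.

ANDROID_SUSPICIOUS = {"Device model", "Serial number", "Wi-Fi MAC address",
                      "Device policy app privilege", "Manufacturer", "Device brand",
                      "Device hardware", "Bootloader version"}
IOS_SUSPICIOUS = {"Wi-Fi MAC address"}  # on iOS only the Wi-Fi MAC address is monitored

def changed_properties(device_type, old, new):
    """Return {property: (old_value, new_value)} for monitored properties that differ."""
    monitored = ANDROID_SUSPICIOUS if device_type == "Android" else IOS_SUSPICIOUS
    return {p: (old.get(p), new.get(p)) for p in monitored if old.get(p) != new.get(p)}

def rule_matches(device_type, old, new, properties=None, old_value=None, new_value=None):
    """The event plus the optional Device property / Old value / New value conditions."""
    changes = changed_properties(device_type, old, new)
    if properties:  # "Device property" condition; click Add in the console for several
        changes = {p: v for p, v in changes.items() if p in properties}
    if old_value is not None:
        changes = {p: v for p, v in changes.items() if v[0] == old_value}
    if new_value is not None:
        changes = {p: v for p, v in changes.items() if v[1] == new_value}
    return changes

def wipe_scope(ownership, has_work_profile):
    """Company-owned: factory reset. Personal with a work profile: work profile only.
    Personal without one: corporate account and its data (assumed from the Perform wipe action)."""
    if ownership == "company-owned":
        return "factory_reset"
    return "work_profile" if has_work_profile else "corporate_account"

def evaluate_template(device):
    """Decide the template's actions for one device change record."""
    changes = rule_matches(device["type"], device["old"], device["new"])
    if not changes:
        return {"changes": {}, "actions": []}
    return {"changes": changes,
            "actions": [("wipe", wipe_scope(device["ownership"], device["work_profile"])),
                        ("email_super_admins", sorted(changes))]}

# Constructed samples: a personal Android device with a work profile whose reported model
# changed, and a company-owned iPhone whose model changed (model is not monitored on iOS).
SAMPLE_ANDROID = {"type": "Android", "ownership": "personal", "work_profile": True,
                  "old": {"Device model": "Pixel 6", "Serial number": "SN-0001"},
                  "new": {"Device model": "Pixel 7", "Serial number": "SN-0001"}}
SAMPLE_IOS = {"type": "iOS", "ownership": "company-owned", "work_profile": False,
              "old": {"Device model": "iPhone 12", "Wi-Fi MAC address": "02:00:00:11:22:33"},
              "new": {"Device model": "iPhone 13", "Wi-Fi MAC address": "02:00:00:11:22:33"}}
```

Running evaluate_template over the two samples shows the Android model change producing a work-profile wipe plus an admin email, while the iPhone model change produces no action because only the Wi-Fi MAC address is monitored on iOS.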
Work profile support (Android only)

Applies the rule when an Android device starts supporting work profiles. For example, when the OS version is upgraded and the device now supports work profiles.

View data about detected events

You can see data about events that were detected on mobile devices in a Rules Audit. 

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Rules.
  3. At the top, click Audit.
  4. (Optional) To change the criteria that are displayed, click Select columns. Your changes are saved automatically and available the next time you sign in.
  5. To configure the table to only show certain elements, on the left, use the Filters section:
    • Rule name—The event that was detected.
    • Flagged item name—The name of the device that the event was detected on.
    • Flagged item identifier—The device ID.
    • Item owner—The email address of the registered user of the device that the event was detected on.
    • Date and time range—A start and end date and time for listing events. Each entry in the log is associated with a single event.
  6. (Optional) To export the report data directly to a Google Sheets file in Google Drive or to download a CSV file with the report data, click Download. The exported Sheets file and downloaded CSV file both can individually contain a maximum of 200,000 cells. The maximum number of rows depends on the number of columns you select.