Approve, block, unblock, or delete a managed device

To manage the devices you use for work or school, go here instead.

Supported editions for these features (except as noted): Frontline; Business Starter, Standard, and Plus; Enterprise; Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus; G Suite Basic and Business; Essentials.

As an administrator, you can control which devices users can access work data from by approving, blocking, or deleting a device in the Admin console. The actions available for a device, and what each action does, depend on the type of device (mobile or endpoint) and the type of management.

Default device states and management options

Management type: default state and options

Basic mobile management; Fundamental management
    Approved by default. To prevent a device from syncing data, you can block it. To require the user to sign in again, you can delete the device.

Advanced mobile management
    Approved by default unless you require admin approval. When admin approval is required, devices are blocked by default and added to the list of devices pending approval. To prevent a device from syncing data, you can block it. To require the user to sign in again, you can delete the device.

    If your edition supports it, you can set up a device management rule to automatically approve and block devices.

Endpoint verification
    Approved by default unless you require admin approval. When approval is pending or a device is blocked, devices can still sync data unless you create Context-Aware Access levels to block access based on the device status tag.

Google Drive for desktop (formerly Drive File Stream)
    Approved by default unless you require admin approval and restrict Drive for desktop to company-owned devices. To block access to Drive for desktop, you can block the device. To require the user to sign in again, you can delete the device.

Google Credential Provider for Windows (GCPW)
    Approved by default. Doesn't support block and unblock.

Windows device management
    Approved by default unless you require admin approval. When approval is pending or a device is blocked, users can't enroll a device.

Note: Deleting a device from the devices list generally doesn't remove work data (except for iOS). To remove all work data from a device, you can wipe the account from the device or wipe the entire device.


Approve a device

Not supported for mobile devices under basic mobile management or endpoints under fundamental management or GCPW

When you approve a device, the device is allowed to sync Google data, with the following exceptions:

Management type: approve behavior

Endpoint verification
    The device is approved and approval adds a tag that you can use to configure access levels with Context-Aware Access.

Windows device management
    The device is allowed to sync the device policy. A device that is pending approval can still access Google data.

These instructions are for how to manually approve devices. If your edition supports it, you can set up a rule to automatically approve devices.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Device Approvals.

  4. Review the list of devices that requested access to corporate data.
  5. Choose an option:
    • To allow devices to access work data and to tag endpoint verification devices as approved, select the devices and click More and then Approve Devices.
    • To prevent devices from accessing work data and to tag endpoint verification devices as blocked, select the devices and click Block Device.
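
For mobile devices under advanced mobile management, the review in steps 4 and 5 can be scripted. This added example (not part of Google's page) checks devices awaiting approval against a company asset inventory and builds Admin SDK Directory API `mobiledevices.action` approve requests for the known ones; unknown devices stay pending, and so blocked by default, for manual review. The device records, inventory, function name and the "PENDING" status string are constructed assumptions, and sending the requests with an authorized admin credential is left to the caller.

```python
import json
from urllib.parse import quote

API = "https://admin.googleapis.com/admin/directory/v1"

# Constructed sample records, shaped like Directory API mobile device resources.
# The "PENDING" status string is an assumption about how pending approval appears.
SAMPLE_DEVICES = [
    {"resourceId": "res-001", "serialNumber": "c02xk1abc", "status": "PENDING"},
    {"resourceId": "res-002", "serialNumber": "ZZ9UNKNOWN", "status": "PENDING"},
    {"resourceId": "res-003", "serialNumber": "C02XK2DEF", "status": "APPROVED"},
    {"resourceId": "res-004", "status": "PENDING"},  # no serial reported
]
# Constructed asset inventory of company-issued serial numbers.
INVENTORY = ["C02XK1ABC", "C02XK2DEF"]


def triage_pending(devices, inventory_serials, customer="my_customer"):
    """Return (approve_requests, review_ids) for devices awaiting approval.

    Known serials get an approve request; everything else stays pending
    for an admin to review by hand.
    """
    known = {s.strip().upper() for s in inventory_serials}
    approve, review = [], []
    for dev in devices:
        if dev.get("status") != "PENDING":
            continue  # already approved or blocked, nothing to decide
        serial = (dev.get("serialNumber") or "").strip().upper()
        if serial and serial in known:
            rid = quote(dev["resourceId"], safe="")
            approve.append({
                "method": "POST",
                "url": f"{API}/customer/{customer}/devices/mobile/{rid}/action",
                "body": json.dumps({"action": "approve"}),
            })
        else:
            # Missing or unrecognised serial: never auto-approve.
            review.append(dev["resourceId"])
    return approve, review


if __name__ == "__main__":
    requests_to_send, needs_review = triage_pending(SAMPLE_DEVICES, INVENTORY)
    for req in requests_to_send:
        print(req["method"], req["url"], req["body"])
    print("manual review:", needs_review)
```

The `action` call applies to mobile devices only; endpoints are not covered by this sketch.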

Block a device

Not available for endpoints under fundamental management or GCPW

When you block a device, the device is prevented from syncing Google data, with the following exceptions:

Management type: block behavior

Endpoint verification
    The device can still sync Google data unless a Context-Aware Access policy blocks access.

Google Drive for desktop (formerly Drive File Stream)
    The user is signed out from Drive for desktop and all sign-ins from that account and that device are blocked.

Windows device management
    The user can't re-enroll a device. If a device is already enrolled, block doesn't have any effect unless the device also has GCPW.

    If the device has GCPW, the device is blocked until the user signs in while connected to the internet.

These instructions are for how to manually block devices. If your edition supports it, you can set up a rule to automatically block devices.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Choose an option:

    1. To block Android, Apple iOS, and Google Sync devices, click Mobile devices.
    2. To block desktops and laptops, click Endpoints.
    3. To block a mix of device types, click Devices.
  4. Point to the device in the list and click Block Device.
  5. Click Change.
  6. For company-owned iOS devices, the device might not be blocked after the first time you block it. Repeat these steps and confirm that the device status switches to Blocked.

Blocked devices stay in your devices list until you delete them. You might see a message that a device can’t be blocked. For details, click the message. To try to block the device again, click Retry.

Unblock a device

Not available for endpoints under fundamental management or GCPW

Unblock is available for devices that were blocked by an admin or automatically by a security rule. Unblock has the same behavior as Approve.

When a device is blocked, you can see how it was blocked (by an admin or rule) in the Admin console on the device’s details page. For details about when the device was blocked and which admin or rule blocked the device, review the devices audit log.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Choose an option:

    1. To unblock Android, iOS, and Google Sync devices, click Mobile devices.
    2. To unblock desktops and laptops, click Endpoints.
    3. To unblock a mix of device types, click Devices.
  4. Point to the device in the list and click Unblock Device. The device’s status changes from Blocked to Compliant or Non-compliant, depending on its compliance with your organization’s policies.

Delete a device

To temporarily stop syncing work data to a device, you can delete it from the Devices list. The device is removed from the devices list and, in most cases, the device can’t sync work data until the user signs in again.

Note: Deleting a device from the devices list generally doesn't remove work data. To remove all work data from a device, you can wipe the account from the device or wipe the entire device.

The user impact depends on the device platform and management type:

Management type: delete behavior

Basic mobile management
    Existing work data remains on the device and the user's profile is removed. Data doesn't sync until the user re-adds their account.

Advanced mobile management (Android)
    The user must re-enroll. After they sign in, the device syncs again unless you require device approval.

Advanced mobile management (iOS)
    The user's Google Account is removed from the device and existing work data is deleted.

    Note: Don't delete company-owned iOS devices directly from the Devices list. If you do, the device could end up in unsupervised mode and won't respect any supervised mode settings. Instead, go to Apple Business Manager or Apple School Manager and remove the device. On the next sync with Google, the devices list in the Admin console is updated and the device is removed.

Google Sync (iOS)
    Removes device from the devices list. The user's Google Account is removed from the device, but existing work data remains on the device. Data doesn't sync until the user re-adds their account.

Fundamental management
    Existing work data remains on the device. The device is automatically added back to the list after the next sync, even when the user hasn't signed in. If the device is inactive for 180 days, it's removed from the list.

Endpoint verification
    The device is added back to the list after the next sync unless you set a Context-Aware Access policy. In this case, the device might require approval to sync data again.

Google Drive for desktop (formerly Drive File Stream)
    Deletes Drive for desktop data from the device. Users can sign in again to sync.

GCPW and Windows device management
    The device is added back to the list after the next sync.

To delete a device from the Devices list:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Choose an option:
    1. To delete Android, iOS, and Google Sync devices, click Mobile devices.
    2. To delete desktops and laptops, click Endpoints.
    3. To delete a mix of device types, click Devices.
  4. To delete one device, point to the device and click More and then Delete Device. To delete many devices, select the devices you want to delete and click More and then Delete Devices. Deleted devices are removed from the list of managed devices.
