Manage Mobile Devices for Google Workspace

Learning Objectives

After completing this unit, you’ll be able to:

  • Enforce mobile device policies for Google services.
  • Secure access from mobile apps.
  • Manage lost or noncompliant devices.

Explore Google Endpoint Management

Configure Mobile Device Policies

In this exercise you use Google Workspace Mobile Management to enforce your company’s mobile policies for Android devices. You disable iOS and Google Sync devices.

You receive the following message from Alex, IT manager.

Hey Awesome Admin,

I hope I’m not keeping you too busy with my requests, but I have another urgent one for you.

Our immediate task is to make sure we secure mobile access to Google Workspace. We've decided to go with the "BYOD—Bring Your Own Device" strategy so our employees can use their personal mobile devices for work too using a work profile. But they need to adhere to our security policies. I've read that you can enforce these policies with Google Workspace Mobile Management.

I've decided to go with Google's best practices and define a standard set of access policies across all devices and organizations with emphasis on password settings. Mobile policies can be adjusted later, if necessary.

Thanks,

Alex Bell, IT Manager

Consider it done, Alex.

  1. If you are not already signed in, sign in to your domain as the administrator at admin.google.com.
  2. Click the Devices icon.
  3. Click Mobile devices and navigate to Settings | Universal settings.
  4. Click the General card, then click Mobile Management.
  5. Adjust both Android and iOS policies. Select Custom.
    1. Set Android to Advanced.
    2. Set iOS and Google Sync to Unmanaged.
  6. Click Save if you have made any changes.
  7. Return to the Universal settings page, and click the Security card.
  8. Click Camera, deselect Allow camera, then click Save.
  9. Click Device approvals, then select Require admin approval and enter your administrator email address.
  10. Then, click Save.
  11. Click Compromised devices.
  12. Enable Block compromised Android devices, then click Save.
  13. Return to the Universal settings page, and click the Data Access card.
  14. Click Android Sync, select Allow work data to sync on Android devices, then click Save.
  15. Click Google Sync, deselect Allow work data to sync via ActiveSync, then click Save.
  16. Click iOS Sync, deselect Allow work data to sync on iOS devices, then click Save.
  17. Navigate to Settings | Android settings.
  18. Click the Work Profile card, then click Work Profile Setup.
  19. Check Enable work profile creation and Enforce work profile creation, then click Save. When work profile creation is enforced, users can’t sync corporate data unless they accept the work profile, and they don’t have the option to opt out.

Congratulations! You’ve set up mobile management for your organization. Users can enroll their devices for management by adding their corporate account to a device. After users enroll their devices, you can see the device in the admin console. There, you can manage the device, apply settings, monitor it, and more.

To enforce these policies on Android devices, your users must install the Google Apps Device Policy app on their device. This app ensures that your domain policies are set properly on the user's Android device before synchronizing any data. See Google Apps Device Policy overview for more details. If the app isn’t already installed when the user adds their corporate account to their phone, the app is typically installed automatically as part of the sign-up process.

Handle Lost or Noncompliant Devices

If a user loses a computer or mobile device that has an open connection to that user’s Google Workspace account, or maintains cookies that permit a connection without first entering a username and password, that Google Workspace account is potentially exposed to anyone who has possession of the computer or device.

There are several ways to address this.

Option 1: Device management—Wiping and blocking a device

  1. If you are not already signed in, sign in to your domain as the administrator at admin.google.com.
  2. Click the Devices icon.
  3. Click the Mobile devices icon. From here you can see details of your mobile devices such as the device name, owner details, OS version, and status.

If a user has lost a device or it is believed to have been compromised, you have the following options.

  • Block device.
  • Wipe account.
  • Delete device.

The action you choose will depend upon the type of device (personal or company-owned) and the situation that is presented. See Wipe corporate data from a device for more information.

Option 2: Using a device management rule

This second option is not available in the trial version of Google Workspace, but if your organization’s Google Workspace edition supports it, you can also use rules to automate mobile management tasks.

When a device falls out of compliance with your organization’s policies, you can create a rule to automatically block it from accessing corporate data and notify the user. For example, if you enforce a minimum password length and a user's password is shorter than the length required, the device is not compliant because it doesn’t adhere to your password policy.

Option 3: Reset a user’s sign-in cookies

To block unauthorized access to an account, you can reset the sign-in cookies for that user. This signs the user out of all current HTTP sessions and requires new authentication the next time the user tries to initiate an HTTP session to sign in to Google Workspace.

  1. If you are not already signed in, sign in to your domain as the administrator at admin.google.com.
  2. Click the Users icon.
  3. Locate the user in the list and click the name.
  4. Then, click the Security card.
  5. Click the Sign-in cookies row.
  6. Then, click Reset.
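
A scripted counterpart to Options 1 and 3, as an added example that is not part of the original unit or Google's own code: it plans the Admin SDK Directory API calls (users.signOut and mobiledevices.action) for a lost device. The function name, the sample inventory, and the example.com addresses are constructed; sending the calls with an authorized admin session is left to the caller.

```python
from urllib.parse import quote

BASE = "https://admin.googleapis.com/admin/directory/v1"

# Constructed inventory, shaped like Directory API mobiledevices resources.
SAMPLE_DEVICES = [
    {"resourceId": "res-android-1", "email": ["pat@example.com"],
     "type": "ANDROID", "status": "APPROVED"},
    {"resourceId": "res-android-2", "email": ["pat@example.com"],
     "type": "ANDROID", "status": "BLOCKED"},
    {"resourceId": "res-android-3", "email": ["lee@example.com"],
     "type": "ANDROID", "status": "APPROVED"},
]


def lost_device_plan(user_email, devices, lost_ids, wipe_account=False,
                     customer="my_customer"):
    """Return the ordered API calls for a lost-device response (nothing is sent)."""
    user = user_email.lower()
    owned = {d["resourceId"]: d for d in devices
             if user in (e.lower() for e in d.get("email", []))}
    unknown = sorted(set(lost_ids) - set(owned))
    if unknown:
        # Never act on a device that is not enrolled under this user.
        raise ValueError(f"not enrolled for {user_email}: {unknown}")

    # Option 3 first: users.signOut resets the sign-in cookies.
    plan = [{"method": "POST", "body": None,
             "url": f"{BASE}/users/{quote(user_email, safe='')}/signOut"}]

    # Option 1: "block" stops sync; "admin_account_wipe" removes the work account.
    action = "admin_account_wipe" if wipe_account else "block"
    for rid in sorted(set(lost_ids)):
        if action == "block" and owned[rid]["status"] == "BLOCKED":
            continue  # already blocked, no call needed
        plan.append({"method": "POST", "body": {"action": action},
                     "url": f"{BASE}/customer/{customer}/devices/mobile/"
                            f"{quote(rid, safe='')}/action"})
    return plan


if __name__ == "__main__":
    for call in lost_device_plan("pat@example.com", SAMPLE_DEVICES,
                                 ["res-android-1", "res-android-2"]):
        print(call["method"], call["url"], call["body"])
```

Ordering the sign-out before the device action closes browser sessions immediately, while the block or account wipe takes effect when the device next contacts Google.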

Explore Advanced Device Management Options

Let’s explore Google Vault next.
