Device management security checklist

These security best practices are for administrators of Google Workspace and Cloud Identity.

As an administrator, you can help protect work data on users’ personal devices (BYOD) and on your organization’s company-owned devices by using Google endpoint management features and settings. Other security features provide stronger account protection, granular access control, and data protection. Review the following checklist to make sure that you're set up to meet your organization's device security goals.

All mobile devices

Require passwords

Protect data on managed mobile devices by requiring that users set a screen lock or password for their device. For devices with advanced management, you can also set the password type, strength, and minimum number of characters.

Set password requirements for managed mobile devices

Lock down or wipe corporate data from missing devices

When a device goes missing or an employee leaves your organization, the work data on the device is at risk. You can wipe a user's work account from the device, including all their work data. For devices with advanced management, you can wipe the entire device. This feature isn't available with the free version of Cloud Identity.

Manage Android apps used for work

Prevent unauthorized access to Android apps used for work by adding them to the Web and mobile apps list to make the apps managed. You can force install managed security apps and remove managed apps from lost or stolen devices. Managed apps are automatically removed from a device when a user removes their work account.

Manage mobile apps for your organization

Mobile devices under advanced management

Require device encryption

Encryption stores data in a form that can be read only when a device is unlocked. Unlocking the device decrypts the data. Encryption adds protection if a device is lost or stolen.

Require device encryption

Apply device restrictions​

You can restrict how users share and backup data on Android and Apple iOS devices. For example, on Android, you can prevent USB file transfers and on iOS devices, you can stop backups to personal cloud storage. You can also restrict access to some device and network settings. For example, you can turn off the device’s camera and prevent Android users from changing their Wi-Fi settings.

Block compromised devices

Stop a user’s work account from syncing with Android and Apple iOS devices that might be compromised. A device becomes compromised when it’s jailbroken or rooted—processes that remove restrictions on a device. Compromised devices can indicate a potential security threat.

Block compromised devices

Automatically block Android devices that don't comply with your policies

When a device falls out of compliance with your organization’s policies, you can automatically block it from accessing work data and notify the user. For example, if you enforce a minimum password length of 6 characters and a user changes their device password to 5 characters, the device is not compliant because it doesn’t adhere to your password policy.

Set device management rules

Enable Auto Account Wipe for Android devices

Automatically remove work account data and managed apps from an Android device when it’s inactive for a specified number of days. This reduces the risk of data leaks.

Apply settings for Android mobile devices

Manage iOS apps used for work

Prevent unauthorized access to iOS apps used for work by adding them to the Web and mobile apps list and making the apps managed. You can remove managed apps from lost or stolen devices. Managed apps are automatically removed from a device when a user removes their work account.

Manage mobile apps for your organization

Block potentially dangerous Android apps

By default, Google blocks non-Play Store apps on Android mobile devices from unknown sources. Apps are also automatically scanned, and blocked if dangerous, by Google Play Protect. These features reduce data leak, account breach, data exfiltration, data deletion, and malware risks. Make sure Block app installation from unknown sources is turned on and Allow users to turn off Google Play Protect is turned off for all your users.

Apply settings for Android mobile devices

Computers that access work data

Turn on endpoint verification

When laptops and desktops are managed with endpoint verification, you can use context-aware access to protect your organization's data and get more information about the devices that access that data.

Turn on endpoint verification

Restrict Google Drive for desktop to company-owned devices

Drive for desktop allows users to work on Drive files on their Mac or Windows computer outside a browser. To limit the exposure of your organization's data, you can allow Drive for desktop to run on only company-owned devices listed in your inventory.

Restrict Drive for desktop to company-owned devices

Set up Google Credential Provider for Windows (GCPW)

Let users sign in to Windows 10 computers with their work Google Account. GCPW includes 2-Step Verification and sign-in challenges. Users can also access Google Workspace services and other single sign-on (SSO) apps without the need to re-enter their Google username and password.

Overview: Google Credential Provider for Windows

Restrict user privileges on company-owned Windows computers

You can control what users can do on their company-owned Windows 10 computers with Windows device management. You can set users' administrative permission level for Windows. You can also apply Windows security, network, hardware, and software settings.

Enable Windows device management

Apply Windows settings

More security options for all devices

Prevent unauthorized access to a user's account

Require additional proof of identity when users sign in to their Google Account with 2-Step Verification (2SV). This proof could be a physical security key, a security key built in to the user's device, a security code delivered by text or phone call, and more.

When Google suspects that an unauthorized person is trying to access a user's account, we present them with an extra security question or challenge. When you use Google endpoint management, we might ask users to verify their identity with their managed mobile device (the device they normally use to access their work account). Extra challenges significantly reduce the chance of an unauthorized person breaking in to user accounts.

Use Context-Aware Access to conditionally allow access to Google apps

You can set up different access levels based on a user’s identity and the context of the request (country/region, device security status, IP address). For example, you can block mobile device access to a Google app (web and mobile) if the device is outside a specific country/region, or if the device doesn't meet your encryption and password requirements. As another example, you can allow contractor to access Google web apps only on company-managed Chromebooks.

Context-Aware Access overview

Control the apps that can access Google Workspace data

Set which mobile apps are managed by your organization. You can also specify which services an app can access with app access control. This prevents malicious apps from tricking users into accidentally granting access to their work data. App access control is device-agnostic and blocks access by unauthorized apps on both BYOD and company-owned devices.

Identify sensitive data in Google Drive, Docs, Sheets, Slides, and Gmail

Protect sensitive data, such as government-issued personal IDs, by setting Data Loss Prevention (DLP) policies. These policies can detect many common data types, and you can also create custom content detectors to meet business-specific needs. DLP protects data at the source and application level, and applies across devices and access methods.

Protect sensitive information using DLP


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
6807403780876459862
true
Search Help Center
true
true
true
true
true
73010
false
false