Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Cloud Identity Premium. Compare your edition
As an administrator, you can define rules to automate device management tasks and get security alerts. For example, you can automatically block devices that report suspicious activity.
You can apply device management rules to supported mobile devices.
Note: To approve mobile devices with rules, the devices must be under advanced mobile management. If needed, turn on advanced mobile management.
How rules work
A device management rule is triggered by an event on a managed device. When the event is detected, the rule checks for any conditions you specify. If the conditions are met, an action is carried out.
For example, you can block an Android device when its account registration state changes because the user unregisters their corporate account from the device. In this example:
- The event is an account registration state change on a device.
- The first condition is that the device type is Android.
- The second condition is that a user unregisters their account from the device (Account state is Unregistered from).
- The action is blocking the device.
You can create your own rule or work with a predefined template. For the scope, you can assign a rule to your whole organization, an organizational unit, or a group in Google Groups. You can also exclude a group.
Note: Device management rules let you approve, block, or wipe a device in response to a specific event. To control access to Google apps for devices based on device attributes such as OS version, security status, IP address, geographic location, or ownership, you can use Context-Aware Access levels. Learn more
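The event, conditions, and action model above, as an added example that is not code from the Admin console or any Google API: a small Python evaluator that mirrors it. The event and field names (account_state, action_status, failed_attempts), the organizational unit paths, the group address and the device ids are assumptions made for the example. The sample rules reproduce the "Android account unregistered, so block" case above, the "device wipe failed, so block" case described later under Choose a trigger and conditions, and a rule scoped to one organizational unit with one exempt group; they also show that every condition must hold, that a device type condition is mandatory, and how Is greater than treats the threshold.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Set, Tuple

# Comparison operators offered for conditions (Is, Contains, Is greater than, ...).
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "is": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: str(expected).lower() in str(actual).lower(),
    "is greater than": lambda actual, expected: actual > expected,
    "is greater than or equal to": lambda actual, expected: actual >= expected,
}


@dataclass(frozen=True)
class Condition:
    field_name: str   # assumed names such as "device_type", "account_state"; not console identifiers
    operator: str
    value: Any

    def matches(self, facts: Dict[str, Any]) -> bool:
        if self.field_name == "device_type" and self.value == "All devices":
            return True
        if self.field_name not in facts:
            return False  # an attribute the event did not report never satisfies a condition
        return OPERATORS[self.operator](facts[self.field_name], self.value)


@dataclass
class Rule:
    name: str
    event: str                       # the triggering event
    conditions: List[Condition]      # ALL must hold for the action to be carried out
    action: str                      # Block mobile device, Approve mobile device, Perform wipe, No action
    org_units: Set[str] = field(default_factory=set)       # empty set = whole organization
    exclude_groups: Set[str] = field(default_factory=set)  # groups exempted from the rule
    active: bool = True

    def __post_init__(self) -> None:
        # The console does not let you continue without a device type condition.
        if not any(c.field_name == "device_type" for c in self.conditions):
            raise ValueError(f"rule {self.name!r}: a device type condition is required")

    def in_scope(self, device: Dict[str, Any]) -> bool:
        ou = device["org_unit"]
        if self.org_units and not any(ou == o or ou.startswith(o.rstrip("/") + "/") for o in self.org_units):
            return False
        return not (set(device.get("groups", ())) & self.exclude_groups)

    def evaluate(self, event: Dict[str, Any]) -> Optional[str]:
        """Return the action to take for this event, or None if the rule does not apply."""
        if not self.active or event["event"] != self.event:
            return None
        if not self.in_scope(event["device"]):
            return None
        facts = {**event["device"], **event}   # device attributes plus event-specific fields
        return self.action if all(c.matches(facts) for c in self.conditions) else None


def run_rules(rules: List[Rule], events: List[Dict[str, Any]]) -> List[Tuple[str, str, str]]:
    """Return (rule name, device id, action) for every rule that fires, in event order."""
    fired = []
    for ev in events:
        for rule in rules:
            action = rule.evaluate(ev)
            if action is not None:
                fired.append((rule.name, ev["device"]["id"], action))
    return fired


# Constructed rules mirroring the examples in the text.
SAMPLE_RULES = [
    Rule("Block on unregister", "account_registration_state_change",
         [Condition("device_type", "is", "Android"),
          Condition("account_state", "is", "Unregistered from")],
         "Block mobile device"),
    Rule("Block on failed wipe", "device_action",
         [Condition("device_type", "is", "All devices"),
          Condition("action_type", "is", "Device wipe"),
          Condition("action_status", "is", "Failed")],
         "Block mobile device"),
    Rule("Block on failed unlocks (Sales)", "failed_screen_unlock",
         [Condition("device_type", "is", "Android"),
          Condition("failed_attempts", "is greater than", 5)],
         "Block mobile device", org_units={"/Sales"}, exclude_groups={"execs@example.com"}),
]

# Constructed events; device ids, org units and groups are made up for the example.
SAMPLE_EVENTS = [
    {"event": "account_registration_state_change", "account_state": "Unregistered from",
     "device": {"id": "android-001", "device_type": "Android", "org_unit": "/Sales/EMEA", "groups": []}},
    {"event": "account_registration_state_change", "account_state": "Unregistered from",
     "device": {"id": "ios-002", "device_type": "iOS", "org_unit": "/Sales", "groups": []}},
    {"event": "device_action", "action_type": "Device wipe", "action_status": "Failed",
     "device": {"id": "ios-002", "device_type": "iOS", "org_unit": "/Sales", "groups": []}},
    {"event": "failed_screen_unlock", "failed_attempts": 5,   # "greater than 5" needs a 6th attempt
     "device": {"id": "android-003", "device_type": "Android", "org_unit": "/Sales", "groups": []}},
    {"event": "failed_screen_unlock", "failed_attempts": 6,   # in scope, but in the exempt group
     "device": {"id": "android-004", "device_type": "Android", "org_unit": "/Sales",
                "groups": ["execs@example.com"]}},
    {"event": "failed_screen_unlock", "failed_attempts": 6,   # outside the rule's org unit
     "device": {"id": "android-005", "device_type": "Android", "org_unit": "/Engineering", "groups": []}},
    {"event": "failed_screen_unlock", "failed_attempts": 6,
     "device": {"id": "android-006", "device_type": "Android", "org_unit": "/Sales/EMEA", "groups": []}},
]


def demo() -> List[Tuple[str, str, str]]:
    return run_rules(SAMPLE_RULES, SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Three of the seven constructed events produce an action: the Android unregistration, the failed wipe, and the sixth failed unlock on a device inside the Sales organizational unit. The iOS unregistration fails the device type condition, five failed attempts do not satisfy Is greater than 5, and the other two unlock events fall outside the rule's scope.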
Create and edit rules
You must be signed in as a super administrator for this task.
Create a device management rule
- Sign in to your Google Admin console using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Rules.
- Click Device management rules.
- Click Add Rule and choose an option:
- To use a rule template, click Rule from template and then click the template. For details, see Use the rule templates.
- To build your own rule, click New rule.
- Enter or edit the rule title and description.
- Choose who the rule applies to. By default, the rule applies to everyone in your organization.
- To apply the rule to only select users, click Specify organizational units or groups and select the organizational units and groups to include.
- To exclude users in specific groups, first select at least one organizational unit or group to include. Then click Exclude groups and select the group to exclude. Repeat to exclude more groups.
For example, to apply a rule to everyone in your organization except for one group, include the top-level organizational unit and exclude the one exempt group.
To remove an organizational unit or group, click Clear next to it.
- Click Continue.
- If necessary, select the event that triggers the rule. For details, see Choose a trigger and conditions.
- Click Add Condition and set a device type condition:
- Click Field and select Device type.
- Click Value and select the device type: All devices, Android, or iOS. Not all device type options may be available because some events are supported for only certain types.
Note: A device type condition is required before you can go on to the next step.
- (Optional) Click Add Condition and set up more conditions. A device must meet all conditions for the rule to apply.
- Click Continue.
- If necessary, select the action to take when the rule's conditions are met. Not all actions are available for all events.
- Block mobile device—Stops the device from syncing corporate data.
- Approve mobile device—(advanced mobile management only) Allows the device to sync corporate data.
- Perform wipe—Wipes the user’s corporate account and associated data from the device. Learn more about account wipes.
- No action—Take no action on the device. You can use this option when you only want to get a notification that the event occurred (described in the next steps).
- (Optional) To send email notifications to all super administrators, check the Send to alert center box and then check the All super administrators box. Note: Alert center notifications aren't yet supported, but the box must be checked to send emails to super administrators.
- Click Continue.
- Review the rule settings. If they're correct, click Finish. If not, click Back to edit the rule.
- In the dialog that opens, choose an option:
- To create the rule and turn it on now, click Active.
- To create the rule and turn it on later, click Inactive.
- Click Complete.
- To turn on an inactive rule, in the rules list, click the rule. At the left, click the menu and select Active.
Edit a device management rule
- Sign in to your Google Admin console using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Rules.
- Click Device management rules.
- Click the rule you want to edit.
- Click the section you want to edit and make your changes. Click Continue as needed to progress to the review page.
- Review the rule settings. If they're correct, click Finish. If not, click Back to edit the rule.
- In the dialog that opens, choose whether the rule is active or inactive.
- Click Complete.
Use the rule templates
Rule templates are set up for common conditions and actions. You can use one as a starting place and change it to suit your organization’s needs. For example, to automatically approve iPhones and iPads but manually approve Android devices, use the Auto-approve device registration template and change the device type to iOS.
Block account on multiple failed screen unlocks (Android only)
This rule blocks an Android device when there are more than 5 failed attempts to unlock it. The rule stops the user's work or school data from synchronizing to the device.
To send email notifications to all super administrators, check the Send to alert center box and then check the All super administrators box. Note: Alert center notifications aren't yet supported, but the box must be checked to send emails to super administrators.
This rule removes corporate data from an Android device, iPhone, or iPad when suspicious activity is detected.
For iPhones and iPads, the account is wiped when the device’s Wi-Fi MAC address changes.
For Android devices, the device is wiped when any of the following device properties change:
- Bootloader version
- Device brand
- Device hardware
- Manufacturer
- Device model
- Device policy app privilege
- IMEI number
- MEID number
- Serial number
- Wi-Fi MAC address
For company-owned Android devices and personal devices set up as work only, all data is wiped from the device and the device is factory reset. For personal devices with a work profile, only the work profile is wiped, leaving personal data untouched.
For more about how account and device wipe works, see Remove corporate data from a device.
Auto-approve device registration
This rule automatically approves all supported devices when a user enrolls their device for management. Corporate data synchronizes to the device when the user signs in with their account.
Choose a trigger and conditions
Choose the event that triggers the rule. Use conditions to select the device type (Android, iOS, or all) and other conditions that determine if the rule applies to a device. The rule’s action is carried out only when the event happens on devices that meet the specified conditions.
You can choose one event and several conditions for each rule. A device type condition is required. For all rules, you can also limit the rule to specific devices by device ID, device serial number, device model, or condition-specific values. To apply more than one condition to a rule, click Add condition.
Account registration state changes
The rule is triggered when the account registration state of a device in your organization changes. The registration state can change when:
- A user adds their managed work or school account on a new device.
- A user unregisters their managed work or school account from a managed device.
- The management privilege your organization has on an Android device changes.
By default, the rule is triggered when any of these events are detected.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
Condition | Values
---|---
Account state | Select the type of registration change (for example, Unregistered from).
Device policy app privilege | Select the management privilege your organization has on the device.
Device actions
The rule is triggered when user access to work or school data changes. These events include:
- A device is approved, blocked, or wiped
- The managed account is wiped, signed out by an admin, or unenrolled
By default, the rule is triggered when any device action event occurs.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
Condition | Values
---|---
Status of an action taken on a device | Select the status of the action: Action rejected by user, Cancelled, Executed, Failed, Pending, Sent to device, or Unknown action execution status.
Type of action taken on a device | Select the action associated with the event (for example, Device wipe).
For example, to block a device when a device wipe isn't successful:
- Set Type of action taken on a device to Device wipe.
- Set Status of an action taken on a device to Failed.
App changes
The rule is triggered whenever a user installs, uninstalls, or updates an app on their device. For personal Android devices that don’t have a work profile, the Application Auditing setting needs to be turned on. For iPhones and iPads, only changes to managed apps installed using the Google Device Policy app are detected.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
Condition | Values
---|---
Application ID | Enter all or part of the app ID for the app that changed. For example, to apply the rule only when the YouTube mobile app changes, select Contains and enter youtube.
Application SHA-256 | Enter all or part of the SHA-256 hash of the app package for the app that changed. Entering the full hash pins the condition to one exact build of the app.
Application state | Select the state the app changed to.
New value | Enter all or part of the version number an app changed to. For example, to trigger the rule when the Chrome app is updated to any version 86, select Contains and enter 86. Contains matches anywhere in the version string, so 86 would also match a version such as 186.0.
Potentially harmful app category | Select the type of potentially harmful app.
Device compliance changes
The rule is triggered when a device becomes noncompliant with your organization's policies. For example, a user changes their device password and it no longer complies with your password policy. For details, see Device compliance status.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
Condition | Applies the rule to
---|---
Device compliance state | Devices whose compliance status has changed. Choose an option.
Reason for deactivation of the mobile device | Select the reason the device isn't compliant.
Device compromised state changes
The rule is triggered when an Android device becomes compromised or is no longer compromised. An Android device is compromised when it’s rooted—a process that removes restrictions on a device. Compromised devices can indicate a potential security threat.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
Condition | Values
---|---
Device compromised state | Select what the device's status changed to.
OS changes
The rule is triggered when a device’s operating system (OS) changes. The types of OS changes that trigger the rule depend on the device type:
- Android—Changes to the OS version, build number, kernel version, baseband version, security patch, or bootloader version.
- iOS—Only changes to the OS version and build number. For example, a user updates their device to a new OS or applies the latest security patch.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
Condition | Values
---|---
Old value | Enter some or all of the OS property value that the device changed from.
New value | Enter some or all of the OS property value that the device changed to.
OS property | Select the OS property that triggers the rule when its value changes. For iOS, only OS version and build number are supported.
Device ownership changes
The rule is triggered when the ownership of a device changes from personal to company-owned, or from company-owned to personal.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
Condition | Values
---|---
Device ownership of the device | Select the device-ownership state the device changed to.
Device setting changes
The rule is triggered when device settings change on Android devices, such as USB debugging, unknown sources, developer options, or verify apps.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
Condition | Values
---|---
Old value | Enter some or all of the device setting value that the device changed from.
New value | Enter some or all of the device setting value that the device changed to.
Device setting | Select the device setting that triggers the rule when its value changes.
Account sync
The rule is triggered when a user's account syncs on a device.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
Condition | Values
---|---
Last sync audit event date | Enter a date as a UNIX timestamp, for example 1606167154. You can trigger the rule when the last device sync happened after the specified date (Is greater than) or on or after the specified date (Is greater than or equal to).
Failed screen unlock attempts
The rule is triggered when a device reaches a set number of failed attempts to unlock it. By default, the rule is applied when there are more than 5 failed attempts.
To change the number of failed attempts before the rule is applied, use this option:
Condition | Values
---|---
Failed screen unlock attempts | Select how the number of failed attempts is counted (Is greater than or Is greater than or equal to) and enter the number of failed attempts. For example, if you enter 3 and select Is greater than, the rule is triggered by the 4th failed attempt. If you enter 3 and select Is greater than or equal to, the rule is triggered by the 3rd failed attempt.
Suspicious activity
The rule is triggered when a device property that does not normally change is reported with a new value on a managed device. For example, the reported device model changes even though the device itself hasn’t been replaced.
For Android devices, suspicious activity includes changes to the following device properties:
- Bootloader version
- Device brand
- Device hardware
- Manufacturer
- Device model
- Device policy app privilege
- IMEI number
- MEID number
- Serial number
- Wi-Fi MAC address
For iPhones and iPads, it only includes changes to the Wi-Fi MAC address.
To apply the rule to only certain devices, you can set conditions based on device properties and the following event-specific options:
Condition | Values
---|---
Device property | Select the device property that triggers the rule when it changes. To trigger on any one of several properties, create a separate rule for each property. If you select more than one property in a single rule, the rule triggers only when the device reports changes to all of the selected properties. Note: For iOS devices, only changes to the Wi-Fi MAC address are detected.
Old value | For Android devices, select the device management privilege the device changed from.
New value | For Android devices, select the device management privilege the device changed to.
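What this trigger reacts to, as an added example that is not Google's code: a Python diff of two inventory snapshots of the same device over the property list above. The property key names and both pairs of snapshots are constructed for the example. It also makes the caveat in the table concrete: one rule with several properties selected fires only when all of them change, whereas one rule per property fires on any single change, and on iOS a model change is not a suspicious-activity signal at all.

```python
from typing import Any, Dict, Set

# Properties the text lists as ones that should not change on a managed device.
# Key names are assumptions for this example, not inventory field names from the console.
SUSPICIOUS_PROPERTIES: Dict[str, Set[str]] = {
    "Android": {"bootloader_version", "brand", "hardware", "manufacturer", "model",
                "device_policy_app_privilege", "imei", "meid", "serial_number", "wifi_mac"},
    "iOS": {"wifi_mac"},
}


def changed_properties(device_type: str, before: Dict[str, Any], after: Dict[str, Any]) -> Set[str]:
    """Watched properties whose value differs between two inventory snapshots."""
    watched = SUSPICIOUS_PROPERTIES[device_type]
    return {p for p in watched if before.get(p) != after.get(p)}


def single_rule_fires(device_type: str, before: Dict[str, Any], after: Dict[str, Any],
                      selected: Set[str]) -> bool:
    """One rule with several properties selected: fires only if ALL of them changed."""
    if not selected:
        return False
    return selected <= changed_properties(device_type, before, after)


def separate_rules_fire(device_type: str, before: Dict[str, Any], after: Dict[str, Any],
                        selected: Set[str]) -> Set[str]:
    """One rule per property: returns the properties whose own rule would fire."""
    return changed_properties(device_type, before, after) & selected


# Constructed snapshots of the same Android device, taken a day apart.
ANDROID_BEFORE = {"model": "Pixel 7", "serial_number": "SN-CONSTRUCTED-1", "imei": "350000000000001",
                  "wifi_mac": "02:00:00:aa:bb:01", "os_version": "14"}
# Model changed while serial and IMEI did not; the OS upgrade belongs to the OS change trigger, not this one.
ANDROID_AFTER = dict(ANDROID_BEFORE, model="Pixel 8", os_version="15")

# Constructed iOS snapshots: only the Wi-Fi MAC address is watched on iOS.
IOS_BEFORE = {"model": "iPhone 14", "wifi_mac": "02:00:00:cc:dd:01"}
IOS_AFTER = dict(IOS_BEFORE, model="iPhone 15")


def demo() -> Dict[str, Any]:
    selected = {"model", "serial_number"}
    return {
        "android_changed": changed_properties("Android", ANDROID_BEFORE, ANDROID_AFTER),
        "android_single_rule": single_rule_fires("Android", ANDROID_BEFORE, ANDROID_AFTER, selected),
        "android_separate_rules": separate_rules_fire("Android", ANDROID_BEFORE, ANDROID_AFTER, selected),
        "ios_changed": changed_properties("iOS", IOS_BEFORE, IOS_AFTER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With model and serial number selected in one rule, the Android model change alone does not fire it; two single-property rules would catch it. If you want to be alerted on any one of the listed properties, create one rule per property.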
Work profile support
Applies the rule when an Android device starts supporting work profiles. For example, when the OS version is upgraded and the device now supports work profiles.
View data about detected events
You can review data about events on managed devices in a Rules Audit.
- Sign in to your Google Admin console using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Reporting > Audit and investigation > Rule log events.
- To review actions related to your device management rules, click Add Filter > Device management. You can also filter by other event characteristics, such as the rule name or the device owner's account (filter by Resource Owner).
- (Optional) To customize what data you see, on the right, click Manage columns. Select the columns that you want to see or hide, then click Save.
- (Optional) To export the report data directly to a Google Sheets file in Google Drive or to download a CSV file with the report data:
- Click Download.
- Under Select columns, click Currently selected columns or All columns.
- Select a format and click Download.
With either file type, you can export up to 100,000 rows of data.
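One use of the CSV export, as an added example that is not part of the Admin console or any Google tool: a Python pass over a downloaded rule log that picks out the actions still needing a human. The column headings and every row below are constructed for the example, as are the rule names, owners and device ids; match the headings to the columns you selected under Manage columns before running it on a real export. The status values are the ones listed for device actions above.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Tuple

# Constructed export. Column names are an assumption for this example; align them
# with the columns chosen under Manage columns before using a real download.
SAMPLE_CSV = """\
Date,Rule name,Resource owner,Device ID,Device type,Action,Action status
2024-05-01T08:12:03Z,Block on unregister,alice@example.com,android-001,Android,Block mobile device,Executed
2024-05-01T09:40:17Z,Wipe on suspicious activity,bob@example.com,ios-002,iOS,Perform wipe,Failed
2024-05-01T09:41:02Z,Wipe on suspicious activity,bob@example.com,ios-002,iOS,Perform wipe,Failed
2024-05-02T11:05:44Z,Block on failed unlocks,carol@example.com,android-007,Android,Block mobile device,Sent to device
2024-05-02T12:30:00Z,Wipe on suspicious activity,dave@example.com,android-009,Android,Perform wipe,Executed
2024-05-03T07:15:29Z,Block on failed unlocks,carol@example.com,android-007,Android,Block mobile device,Action rejected by user
"""

# Action statuses from the page that do not mean the action completed on the device.
NOT_DONE = {"Action rejected by user", "Cancelled", "Failed", "Pending", "Sent to device",
            "Unknown action execution status"}


def load_rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def hits_per_rule(rows: List[Dict[str, str]]) -> Counter:
    """How often each rule fired; a sudden spike usually means a condition is too broad."""
    return Counter(r["Rule name"] for r in rows)


def failed_wipes(rows: List[Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """Devices where a wipe failed: corporate data is still on a device a rule distrusted."""
    counts: Counter = Counter()
    for r in rows:
        if r["Action"] == "Perform wipe" and r["Action status"] == "Failed":
            counts[(r["Device ID"], r["Resource owner"])] += 1
    return sorted((dev, owner, n) for (dev, owner), n in counts.items())


def unconfirmed_actions(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Latest status per (device, action) that is not Executed, so nothing is assumed done."""
    latest: Dict[Tuple[str, str], Tuple[str, str]] = {}
    for r in sorted(rows, key=lambda r: r["Date"]):
        latest[(r["Device ID"], r["Action"])] = (r["Date"], r["Action status"])
    return sorted((dev, act, status) for (dev, act), (_, status) in latest.items() if status in NOT_DONE)


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("hits per rule:", dict(hits_per_rule(rows)))
    print("failed wipes:", failed_wipes(rows))
    print("unconfirmed:", unconfirmed_actions(rows))
```

A failed wipe is the case to follow up first: the rule judged the device suspicious, but the data it was meant to remove is still there, so block the device or re-issue the wipe by hand. Taking the latest status per device and action avoids reopening a block that was first reported as Sent to device and later Executed.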