Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition
From the security health page, you can monitor the configuration of the following Devices settings:
- Mobile management
- Blocking of compromised mobile devices
- Mobile password requirements
- Device encryption
- Mobile inactivity reports
- Auto-wipe
- Application verification
- Installation of mobile applications from unknown sources
- External media storage
Mobile management
Mobile management allows you to set device policies that determine how your users can use their mobile devices in your organization. Mobile management lets you keep your organization's data more secure, take remote actions, and manage apps on mobile devices.
When mobile management is turned off:
- You can’t wipe corporate data from a device if it’s lost or stolen.
- You can’t apply policies or manage the device from the Admin console.
- Devices aren’t listed in the Admin console.
| Setting | Mobile management |
| Status | Specifies the number of organizational units where mobile management is turned off |
|
Recommendation |
Turn on advanced mobile management to make your organization's data more secure, to take remote actions, and to manage applications on mobile devices in your organization. By default, your organization has basic mobile management, which reduces data leaks, malware, and malicious insider risks. The other settings described in this article require advanced mobile management. |
|
How to turn on mobile management |
For details and instructions, go to Set up advanced mobile management. |
|
Effect on your users |
You can choose the level of control and impact on your users depending on your organization's policy. With basic mobile management, you can require passwords for devices and wipe work accounts. With advanced mobile management you can enforce passwords, manage mobile apps, apply policy settings (Android, iOS), approve personal devices, and get mobile reports, audits, and alerts. For details, go to Compare mobile management features. |
Block compromised mobile devices
You can prevent users from using compromised mobile devices to access their corporate account data. A device can be compromised in many ways, such as if it has an unlocked boot loader, uses a custom read-only memory (ROM), or has a superuser binary on the device.
| Setting | Blocking of compromised mobile devices |
| Status | Specifies the number of organizational units where compromised mobile devices aren't blocked |
|
Recommendation |
Set mobile management to Advanced, and then configure your settings to block compromised devices for all of your users. This reduces data leaks, malware, and malicious insider risks. |
|
How to block compromised mobile devices |
For details and instructions, go to Apply universal settings. |
|
Effect on your users |
Users with compromised devices will be blocked and won't be able to use their mobile device to access corporate data for their Google service, such as Google Workspace or Cloud Identity. Users get a notification that their device is blocked, and they're instructed to contact their administrator. |
Mobile password requirements
You can require users to set a password for their mobile devices. You can also configure password strength, expiration, password reuse, locking, and device wipeout settings.
| Setting | Mobile password requirements |
| Status | Specifies the number of organizational units where users aren't required to set up a password for their mobile devices |
|
Recommendation |
Set mobile management to Advanced, and then require users to set up passwords for mobile devices. Set password strength, expiration, password reuse, locking, and device wipeout. This reduces the risk of data leaks in case devices are lost or stolen. |
|
How to require mobile users to set a password |
For details and instructions, go to Set password requirements for managed mobile devices. |
|
Effect on your users |
Your users will be required to set up a password to use their mobile device. If you set password strength, expiration, password reuse, locking and wipe-out, users must set passwords that match the requirements. Your settings also control what happens when the password is entered incorrectly. |
Device encryption
You can require data encryption on mobile devices that allow encryption.
| Setting | Device encryption |
| Status | Specifies the number of organizational units where encryption is not enforced for users’ mobile devices |
|
Recommendation |
Set mobile management to Advanced, and then configure your settings to encrypt data on Android mobile devices that accept encryption. This reduces the risk of data leaks in case mobile devices are lost, stolen, or sold. |
|
How to require data encryption |
For details and instructions, go to Apply universal settings. |
|
Effect on your users |
Requiring encryption helps reduce the risk of data leaks if your user’s mobile device is lost, stolen, or sold. Some users might report that encrypting mobile device data has some effect on device performance, especially on older, slower phones. |
Mobile inactivity reports
You can get a monthly report of company-owned Android devices that haven’t synchronized any work data in the last 30 days. The report is emailed to all super administrators. You can add other recipients if you want. Recipients can download the file to check for unused devices and review who last signed in with them.
| Setting | Mobile inactivity reports |
| Status | Specifies the number of organizational units where mobile inactivity reports are turned off |
|
Recommendation |
Set mobile management to Advanced, and then turn on inactivity reports. If you choose to disable the inactive accounts, your risk of data leaks reduces. |
|
How to turn on mobile inactivity reports |
For more details and instructions, go to Get a report of inactive company devices. |
|
Effect on your users |
These reports have no direct effect on your users. After you review the report, you can disable inactive accounts. This prevents the affected users from using their company-owned devices until the account is reactivated. |
Auto-wipe
You can remove corporate account data from an Android device when it's inactive for too long or falls out of compliance with device policies.
| Setting | Auto-wipe |
| Status |
Specifies the number of organizational units where the Auto-wipe setting isn't turned on |
|
Recommendation |
Set mobile management to Advanced, and then turn on Auto-wipe for all organizational units. This removes corporate account data from the mobile device when a device is inactive for a certain time or falls out of compliance with your organization’s device policies. Choose a number of days that aligns with your organization’s mobile usage policy. This reduces your risk of data leaks. |
|
How to turn on the Auto-wipe setting |
For details and instructions, go to Auto-wipe. |
|
Effect on your users |
Corporate account data is removed from the user’s device when any of the following situations occur, and the user doesn't address the problem:
The work profile is removed or, if there's no work profile, the device is factory reset. For details, go to Auto-wipe. Before any data is removed from the device, the user is prompted to sign in to their account to fix the problem. |
Application verification
You can enforce app verification for all of your users. This allows your users to install apps only from known sources and periodically scans devices for potentially harmful apps.
| Setting | Application verification |
| Status | Specifies the number of organizational units where mobile app verification is not enforced |
|
Recommendation |
Set mobile management to Advanced, and then enforce mobile app verification for all organizational units. This allows your users to install apps only from known sources, periodically scans devices for potentially harmful apps, and reduces the risk of malware and data leaks. |
|
How to enforce app verification for your Android users |
For details and instructions, go to Apply settings for Android mobile devices. |
|
Effect on your users |
Users will be able to install and run only verified apps. |
Installation of mobile applications from unknown sources
You can block users from installing non-Play Store apps from unknown sources.
| Setting | If you choose to disable the inactive accounts |
| Status | Specifies the number of organizational units where users are allowed to install mobile apps from unknown sources (the Block app installation from unknown sources box is unchecked) |
|
Recommendation |
Set mobile management to Advanced, and then require your users to install mobile applications only from known sources (for example, from Play Store). This reduces data leaks, account breach, data exfiltration, data deletion, and malware risks. |
|
How to require your users to install mobile apps only from known sources |
For details and instructions, go to Apply settings for Android mobile devices. |
|
Effect on your users |
Users will be able to install mobile apps only from known sources. If they try to install an app from an unknown source, they'll get an error message. |
External media storage
You can block external media storage so that users can't move data and apps to and from their mobile devices.
| Setting | External media storage |
| Status | Specifies the number of organizational units where external media storage is allowed |
|
Recommendation |
Set mobile management to Advanced, and then configure your settings to not allow users to use external media for storage. This reduces the risk of data leaks. |
|
How to prevent your users from using external media for storage |
For details and instructions, go to Apply settings for Android mobile devices. |
|
Effect on your users |
Users will be unable to use external media for storage. |
