Approve, block, unblock, or delete a managed device

To manage the devices you use for work or school, go here instead.

This feature is available with Cloud Identity Free and Cloud Identity Premium editions. Compare editions 

As an administrator, you can control which devices users can access work data from by approving, blocking, or deleting a device in the Admin console. The actions available for a device and what the action does depends on the type of device (mobile or endpoint) and the type of management.

Default device states and management options

Management or device type Default state and options
Basic mobile management Approved by default. To prevent a device from syncing data, you can block it. To require the user to sign in again, you can delete the device.
Fundamental management Approved by default. To require the user to sign in again, you can delete the device.
Advanced mobile management

Approved by default unless you require admin approval. When admin approval is required, devices are blocked by default and added to the list of devices pending approval. To prevent a device from syncing data, you can block it. To require the user to sign in again, you can delete the device.

If your edition supports it, you can set up a device management rule to automatically approve and block devices.

Endpoint verification

Approved by default unless you require admin approval. When approval is pending or a device is blocked, devices can still sync data unless you create Context-Aware Access levels to block access based on the device status tag.

Google Drive for desktop Approved by default unless you restrict Drive for desktop to company-owned devices. To block access to Drive for desktop, you can block the device.
Google Credential Provider for Windows (GCPW) Approved by default. Doesn't support block and unblock.
Windows device management Approved by default unless you require admin approval. When approval is pending or a device is blocked, users can't re-enroll that device.
Smart home devices Approved by default. Block and unblock aren’t supported. To require the user to add their account again, you can delete the device.

Note: Deleting a device from the devices list doesn't remove work data (except for iOS). To remove all work data from a device, you can wipe the account from the device or wipe the entire device.

Jump to instructions

Approve a device

Not supported for mobile devices under basic mobile management or endpoints under fundamental management or GCPW

When you approve a device, the device is allowed to sync Google data, with the following exceptions:

Management type Approve behavior
Endpoint verification The device is approved and approval adds a tag that you can use to configure access levels with Context-Aware Access.
Windows device management The device is allowed to sync the device policy. A device that is pending approval can still access Google data.

These instructions are for how to manually approve devices. If your edition supports it, you can set up a rule to automatically approve devices.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenDevice approvals.
  3. Review the list of devices that requested access to corporate data.

  4. Choose an option:
    • To allow devices to access work data and to tag endpoint verification devices as approved, select the devices and click More and thenApprove Devices.
    • To prevent devices from accessing work data and to tag endpoint verification devices as blocked, select the devices and click Block Device .

Block a device

Not available for endpoints under fundamental management or GCPW

When you block a device, the device is prevented from syncing Google data, with the following exceptions:

Management type Block behavior
Endpoint verification The device can still sync Google data unless a Context-Aware Access policy blocks access.
Google Drive for desktop The user is signed out from Drive for desktop and can't sign in to Drive for desktop from that device.
Windows device management

The user can't re-enroll a device. If a device is already enrolled, block doesn't have any affect unless the device also has GCPW.

If the device has GCPW, the device is blocked until the user signs in while connected to the internet.

These instructions are for how to manually block devices. If your edition supports it, you can set up a rule to automatically block devices.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenDevices.
  3. Point to the device in the list and click Block Device .
  4. Click Change.

Changes can take up to 24 hours but typically happen more quickly. Learn more

Blocked devices stay in your devices list until you delete them. You might see a message that a device can’t be blocked. For details, click the message. To try to block the device again, click Retry.

Unblock a device

Not available for endpoints under fundamental management or GCPW

Unblock is available for devices that were blocked by an admin or automatically by a security rule. Unblock has the same behavior as Approve.

When a device is blocked, you can see how it was blocked (by an admin or rule) in the Admin console on the device’s details page. For details about when the device was blocked and which admin or rule blocked the device, review the device log events.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenDevices.
  3. Point to the device in the list and click Unblock Device . The device’s status changes from Blocked to Compliant or Non-compliant, depending on its compliance with your organization’s policies.

Delete a device

To temporarily stop syncing work data to a device, you can delete it from the Devices list. The device is removed from the devices list and, in most cases, the device can’t sync work data until the user signs in again.

Note: Deleting a device from the devices list doesn't remove work data. To remove all work data from a device, you can wipe the account from the device or wipe the entire device.

The user impact depends on the device platform and management type:

Management or device type Delete behavior
Basic mobile management

Existing work data remains on the device and the user's profile is removed. Data doesn't sync until the user re-adds their account.

Advanced mobile management (Android) The user must re-enroll. After they sign in, the device syncs again unless you require device approval.
Advanced mobile management (iOS) The user's Google Account that they use for work or school is removed from the device and existing work data is deleted. VPP licenses assigned to the device are revoked.

Note: Don't delete company-owned iOS devices directly from the Devices list. If you do, the device could end up in unsupervised mode and won't respect any supervised mode settings. Instead, go to Apple Business Manager or Apple School Manager and remove the device. On the next sync with Google, the devices list in the Admin console is updated and the device is removed. Learn more

Google Sync (iOS) The user's Google Account is removed from the device, but existing work data remains on the device. Data doesn't sync until the user re-adds their account.
Fundamental management

Existing work data remains on the device. The user is signed out from their work account on the device. The device is added back to the list after the next sync, even when the user hasn't signed in. If the device is inactive for 180 days, it's removed from the list.

Endpoint verification The device is added back to the list after the next sync unless you set a Context-Aware Access policy. In this case, the device might require approval to sync data again.
Google Drive for desktop The device is added back to the list after the next sync.
GCPW and Windows device management The device is added back to the list after the next sync.
Smart home devices The user's Google Account that they use for work is removed from the device and other associated smart home devices.

To delete a device from the Devices list:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenDevices.
  3. To delete one device, point to the device and click More and thenDelete Device. To delete many devices, select the devices you want to delete and click More and thenDelete Devices. Deleted devices are removed from the list of managed devices.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

 

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
16089580366475963148
true
Search Help Center
true
true
true
false
false