Monitor the health of your device management settings

Security health page

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition

This feature is available with Cloud Identity Premium edition. Compare editions 

From the security health page, you can monitor the configuration of the following Devices settings:

Mobile management

Mobile management allows you to set device policies that determine how your users can use their mobile devices in your organization. Mobile management lets you keep your organization's data more secure, take remote actions, and manage apps on mobile devices.

When mobile management is turned off:

  • You can’t wipe corporate data from a device if it’s lost or stolen.
  • You can’t apply policies or manage the device from the Admin console.
  • Devices aren’t listed in the Admin console.

Setting Mobile management
Status Specifies the number of organizational units where mobile management is turned off

Recommendation

Turn on advanced mobile management to make your organization's data more secure, to take remote actions, and to manage applications on mobile devices in your organization. By default, your organization has basic mobile management, which reduces data leaks, malware, and malicious insider risks.

The other settings described in this article require advanced mobile management.

How to turn on mobile management

For details and instructions, go to Set up advanced mobile management.

Effect on your users

You can choose the level of control and impact on your users depending on your organization's policy. With basic mobile management, you can require passwords for devices and wipe work accounts. With advanced mobile management you can enforce passwords, manage mobile apps, apply policy settings (Android, iOS), approve personal devices, and get mobile reports, audits, and alerts.

For details, go to Compare mobile management features.

Block compromised mobile devices

You can prevent users from using compromised mobile devices to access their corporate account data. A device can be compromised in many ways, such as if it has an unlocked boot loader, uses a custom read-only memory (ROM), or has a superuser binary on the device.

Setting Blocking of compromised mobile devices
Status Specifies the number of organizational units where compromised mobile devices aren't blocked

Recommendation

Set mobile management to Advanced, and then configure your settings to block compromised devices for all of your users. This reduces data leaks, malware, and malicious insider risks.

How to block compromised mobile devices

For details and instructions, go to Apply universal settings.

Effect on your users

Users with compromised devices will be blocked and won't be able to use their mobile device to access corporate data for their Google service, such as Google Workspace or Cloud Identity. Users get a notification that their device is blocked, and they're instructed to contact their administrator.

Mobile password requirements

You can require users to set a password for their mobile devices. You can also configure password strength, expiration, password reuse, locking, and device wipeout settings.

Setting Mobile password requirements
Status Specifies the number of organizational units where users aren't required to set up a password for their mobile devices

Recommendation

Set mobile management to Advanced, and then require users to set up passwords for mobile devices. Set password strength, expiration, password reuse, locking, and device wipeout. This reduces the risk of data leaks in case devices are lost or stolen.

How to require mobile users to set a password

For details and instructions, go to Set password requirements for managed mobile devices.

Effect on your users

Your users will be required to set up a password to use their mobile device. If you set password strength, expiration, password reuse, locking, and device wipeout, users must set passwords that match the requirements. Your settings also control what happens when the password is entered incorrectly.

Device encryption

You can require data encryption on mobile devices that allow encryption.

Setting Device encryption
Status Specifies the number of organizational units where encryption is not enforced for users’ mobile devices

Recommendation

Set mobile management to Advanced, and then configure your settings to encrypt data on Android mobile devices that accept encryption. This reduces the risk of data leaks in case mobile devices are lost, stolen, or sold.

How to require data encryption

For details and instructions, go to Apply universal settings.

Effect on your users

Requiring encryption helps reduce the risk of data leaks if your user’s mobile device is lost, stolen, or sold. Some users might report that encrypting mobile device data has some effect on device performance, especially on older, slower phones.

Mobile inactivity reports

You can get a monthly report of company-owned Android devices that haven’t synchronized any work data in the last 30 days. The report is emailed to all super administrators. You can add other recipients if you want. Recipients can download the file to check for unused devices and review who last signed in with them.

Setting Mobile inactivity reports
Status Specifies the number of organizational units where mobile inactivity reports are turned off

Recommendation

Set mobile management to Advanced, and then turn on inactivity reports. If you choose to disable the inactive accounts, you reduce your risk of data leaks.

How to turn on mobile inactivity reports

For more details and instructions, go to Get a report of inactive company devices.

Effect on your users

These reports have no direct effect on your users. After you review the report, you can disable inactive accounts. This prevents the affected users from using their company-owned devices until the account is reactivated.
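
The same 30-day inactivity check can be run against your own device inventory between monthly reports. The following is an added example, not Google's code or report format: the CSV columns, device IDs, and addresses are constructed for illustration, and the function names are hypothetical.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed inventory export. Column names are assumptions for this
# example and do not reflect the format of Google's inactivity report.
SAMPLE_INVENTORY = """\
device_id,os,ownership,last_sync,last_user
dev-001,Android,company,2024-05-30T08:15:00+00:00,ana@example.com
dev-002,Android,company,2024-04-02T17:40:00+00:00,ben@example.com
dev-003,Android,personal,2024-01-11T09:00:00+00:00,cy@example.com
dev-004,iOS,company,2024-02-20T12:30:00+00:00,dee@example.com
dev-005,Android,company,,eli@example.com
dev-006,Android,company,2024-05-02T00:00:00+00:00,ben@example.com
"""

def load_inventory(text):
    """Parse the CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))

def inactive_company_android(rows, now, max_idle_days=30):
    """Return company-owned Android devices with no sync inside the window.

    A device with an empty last_sync has never synced and is reported too.
    A sync exactly max_idle_days ago still counts as inside the window.
    """
    cutoff = now - timedelta(days=max_idle_days)
    flagged = []
    for row in rows:
        if row["os"].strip().lower() != "android":
            continue  # the report described above covers Android only
        if row["ownership"].strip().lower() != "company":
            continue  # personal devices are out of scope
        raw = row["last_sync"].strip()
        last_sync = datetime.fromisoformat(raw) if raw else None
        if last_sync is None or last_sync < cutoff:
            idle = None if last_sync is None else (now - last_sync).days
            flagged.append({"device_id": row["device_id"],
                            "last_user": row["last_user"],
                            "idle_days": idle})
    # Never-synced devices first, then the longest-idle devices.
    flagged.sort(key=lambda d: (d["idle_days"] is not None, -(d["idle_days"] or 0)))
    return flagged

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for device in inactive_company_android(load_inventory(SAMPLE_INVENTORY), now):
        print(device)
```

The `last_user` field in each result supports the review step described above: checking who last signed in before deciding whether to disable an account.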

Auto-wipe

You can remove corporate account data from an Android device when it's inactive for too long or falls out of compliance with device policies.

Setting Auto-wipe
Status Specifies the number of organizational units where the Auto-wipe setting isn't turned on

Recommendation

Set mobile management to Advanced, and then turn on Auto-wipe for all organizational units. This removes corporate account data from the mobile device when a device is inactive for a certain time or falls out of compliance with your organization’s device policies. Choose a number of days that aligns with your organization’s mobile usage policy. This reduces your risk of data leaks.

How to turn on the Auto-wipe setting

For details and instructions, go to Auto-wipe.

Effect on your users

Corporate account data is removed from the user’s device when any of the following situations occur, and the user doesn't address the problem:

The work profile is removed or, if there's no work profile, the device is factory reset. For details, go to Auto-wipe.

Before any data is removed from the device, the user is prompted to sign in to their account to fix the problem.

Application verification

You can enforce app verification for all of your users. This allows your users to install apps only from known sources and periodically scans devices for potentially harmful apps.

Setting Application verification
Status Specifies the number of organizational units where mobile app verification is not enforced

Recommendation

Set mobile management to Advanced, and then enforce mobile app verification for all organizational units. This allows your users to install apps only from known sources, periodically scans devices for potentially harmful apps, and reduces the risk of malware and data leaks.

How to enforce app verification for your Android users

For details and instructions, go to Apply settings for Android mobile devices.

Effect on your users

Users will be able to install and run only verified apps.

Installation of mobile applications from unknown sources

You can block users from installing non-Play Store apps from unknown sources.

Setting Installation of mobile applications from unknown sources
Status Specifies the number of organizational units where users are allowed to install mobile apps from unknown sources (the Block app installation from unknown sources box is unchecked)

Recommendation

Set mobile management to Advanced, and then require your users to install mobile applications only from known sources (for example, from Play Store).

This reduces data leaks, account breach, data exfiltration, data deletion, and malware risks.

How to require your users to install mobile apps only from known sources

For details and instructions, go to Apply settings for Android mobile devices.

Effect on your users

Users will be able to install mobile apps only from known sources. If they try to install an app from an unknown source, they'll get an error message.

External media storage

You can block external media storage so that users can't move data and apps to and from their mobile devices.

Setting External media storage
Status Specifies the number of organizational units where external media storage is allowed

Recommendation

Set mobile management to Advanced, and then configure your settings to not allow users to use external media for storage. This reduces the risk of data leaks.

How to prevent your users from using external media for storage

For details and instructions, go to Apply settings for Android mobile devices.

Effect on your users

Users will be unable to use external media for storage.
