This feature is available with Cloud Identity Premium edition. Compare editions
As an administrator, you can individually review user-owned devices that request access to a work or school account. When a user adds a work or school account to their device, they see a message that an admin needs to review and approve the device. Once you approve a device, the user can access their work account data on the device.
Device requirements
- Android devices—Advanced mobile management
- iPhones and iPads—Advanced mobile management or Google Sync
- Computers and laptops—Endpoint verification
Important device approval behaviors
- Some company owned devices are automatically approved and aren't blocked when you require admin approval:
- Company owned devices that are registered by serial number are automatically approved, except Android devices with a work profile. Learn more
- For devices with Google Drive for desktop, if you restrict Drive for desktop to authorized devices, company-owned devices with Drive for desktop are automatically approved.
- If you set up a Wi-Fi network in the Google Admin console, iPhones and iPads can use that network while approval is pending. For details on setting up or changing your Wi-Fi network, see Set up networks for managed devices (Wi-Fi, Ethernet, VPN).
- For endpoint verification devices, Drive for desktop is blocked while approval is pending. Users can access their work data at drive.google.com. Requiring approval doesn't prevent the user from accessing other Google data unless you create a Context-Aware Access policy to block access based on the pending approval status.
- If you don't use Google endpoint management, you can still approve and block Google Sync devices using the steps below. You might receive duplicate email notifications for Google Sync devices that are pending approval. You only need to approve the device once. While approval is pending, users get an error if they try to access work data. For details, see What is Google Sync?
Turn on admin approval for device access
Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesMobile & endpointsSettingsUniversal.
- Click SecurityDevice approvals.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
- Check the Require admin approval box.
- (Optional) Enter an email address to get notifications when users enroll their devices and require approval before they can access their work data.
Tip: Instead of an individual email address, use a group email address that includes all administrators who can approve devices.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit.
Approve mobile devices
Approve mobile devices for management individually, or set up a rule to automatically approve devices.
Related topic
Approve, block, unblock, or delete a managed device
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.