Tag Archives: MDM

Use tokens as placeholders for user specific information when configuring managed iOS applications

What’s changing

In May 2024, we launched the ability for admins to remotely configure managed iOS apps on end-user devices via Google Mobile Device Management.

Beginning today, admins can use tokens in the app configurations for managed iOS apps. Tokens act as placeholders for information specific to a user or device that uses the app, such as a user's email address or their device serial number. Previously, configuration data was static, but this update gives admins the flexibility to configure devices dynamically according to various users and devices.

Creating the app configuration using XML information using a token placeholder

Getting started

Admins: Visit the Help Center to learn more about setting up iOS apps with managed configurations.
End users: Visit the Help Center to learn more about how your iOS device is managed.

Rollout pace

Rapid Release and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on January 16, 2025

Availability

Available for Google Workspace:

Business Plus
Enterprise Standard and Plus
Enterprise Essentials and Essentials Plus
Education Standard and Plus
Nonprofits
Frontline Starter and Standard
Cloud Identity Premium

Resources

Source: Google Workspace Updates

Use the Apple Volume Purchasing Program (VPP) to distribute apps for device enrollment and company owned devices

What’s changing

In November 2023, we announced the ability to purchase and distribute iOS apps to user-enrolled devices through Apple’s Volume Purchase Program. Beginning today, we’re expanding this functionality to include device enrollment and company-owned iOS devices.

Who’s impacted

Admins and end users

Why you’d use it

Admins can use the Volume Purchasing Program to efficiently curate a suite of work-related apps—both free and paid—for their team. This streamlined process not only simplifies the deployment of essential business apps but also ensures that employees have access to the right apps they need to be productive and efficient, all within the secure perimeter of our MDM platform. To further streamline the enrollment and app distribution process, we’re automatically installing mandatory apps during enrollment for company-owned devices. This latest update makes it easier for admins to deploy apps across various device types in their organization.

Additional details

Please note that Apple ID sign-in won't be needed in the company-owned iOS devices flow after configuring apps with VPP.

The automatic installation of mandatory apps during onboarding applies to all enrollment types and devices that violate mandatory apps compliance will be immediately blocked until the required app(s) are installed.

Getting started

Admins: This feature can be configured at the domain, OU, or group level. Visit the Help Center to learn more about setting up company-owned iOS devices and distributing iOS apps with the Apple VPP.
End users: Visit our Help Center for more information about how your iOS device is managed and getting approved work apps on your iOS device.

Rollout pace

Rapid Release and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on July 9, 2024

Availability

Available to Google Workspace

Business Plus
Enterprise Essentials and Enterprise Essentials Plus
Enterprise Standard and Plus
Education Standard and Plus, and the Endpoint Education Upgrade add-on
Frontline Starter and Standard
Cloud Identity Premium

Resources

Source: Google Workspace Updates

Block compromised mobile devices using context-aware access

What’s changing

Using context-aware access, you now have the option to automatically block access to Google Workspace data from compromised Android and iOS devices. A device may be counted as compromised if certain unusual events are detected, including devices that are jailbroken, bypassing of security controls, modification of restricted settings, and more.

Creating a new rule to block compromised mobile devices

Blocking message for compromised iOS and Android devices

Getting started

Admins: Visit the Help Center to learn more about how to create context conditions and apply rules with compromised device signals, and our Developer documentation regarding custom access level specification. Compromised device events reports can be viewed in the security center by going to Security > Security center > dashboard > compromised device events.

Rollout pace

Block access to Google Workspace data: available immediately for both Android and iOS.
Remediation message: available immediately for Android, available on May 9, 2024 for iOS.

Availability

Available to Google Workspace

Enterprise Standard and Plus
Education Standard and Plus
Frontline Standard
Enterprise Essentials Plus
Cloud Identity Premium

Resources

Source: Google Workspace Updates

Configure managed iOS apps for your users using Google Mobile Device Management

What’s changing

Directly from the Admin console, admins can remotely set custom configs for managed iOS apps on end-user devices for their enterprise using Google Mobile Device Management. Managed configurations are applied using XML property lists and the same app can be configured differently across different domains, groups, or organizational units (OUs).

Creating the app configuration using XML information

Applying the configuration

Who’s impacted

Admins and end users

Why it’s important

Prior to this update, mobile app configuration was only available for managed Android devices. Beginning today, Workspace admins can use Managed App Configuration to set custom app configurations and deploy them to manage iOS devices across their organization. This gives admins the flexibility they need to create safety parameters that align with the various needs of users across their organization.

Getting started

Admins: Visit the Help Center to learn more about setting up iOS apps with managed configurations. You can also utilize managed configurations to set up Chrome Browser Cloud Management for iOS.
End users: Visit the Help Center to learn more about how your iOS device is managed.

Rollout pace

Rapid and Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on May 1, 2024

Availability

Available to Google Workspace

Business Plus
Enterprise Standard and Plus
Enterprise Essentials and Essentials Plus
Education Standard and Plus
Nonprofits
Frontline Starter and Standard
Cloud Identity Premium

Resources

Source: Google Workspace Updates

User enrollment for managed iOS devices is now generally available

What’s changing

In late 2023, we introduced user enrollment in beta, an additional option for iOS mobile management. User enrollment separates work and personal data on iOS devices, giving admins control over Workspace data on the device while users retain privacy over their personal data. Beginning today, user enrollment is now generally available. For more information, use our Help Center or reference our original announcement.

Getting started

Admins: Use our Help Center to learn more about separating work and personal data on iOS devices,
End users: The user enrollment process starts when a user signs-in to an app for the first time or re-signs into an app. They’ll be prompted to begin downloading the configuration profile, which will open in an internet browser with more instructions and information. Once the profile has been downloaded, the user will be directed to their devices settings to complete user enrollment.

Visit our Help Center for more information about how to install the Google Device Policy app and a configuration profile on your device, how your iOS device is managed and getting approved work apps on your iOS device.

Rollout pace

Rapid Release and Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on March 7, 2024 with anticipated completion by the end of the month.

Availability

Available to Google Workspace Enterprise Plus, Enterprise Standard, Enterprise Essentials, Enterprise Essentials Plus, Frontline Standard, Frontline Starter, Business Plus, Cloud Identity Premium, Education Standard, Education Plus and Nonprofits customers.

Resources

Source: Google Workspace Updates

Updates for managed iOS devices with the release of Chrome 120

What’s changing

In the coming weeks, we’ll be introducing several improvements to Chrome-on-iOS that will help admins more seamlessly apply policies and preferences across their users’ managed devices. This launch will align with the planned release of Chrome 120. Specifically, these improvements are:

Cross-device policy application: Whether it’s a company-owned or personal device, Chrome User Policies can be applied when a user signs into the Chrome browser with their managed account. This ensures a consistent and secure browsing experience across all devices.
Management notice for end-users: Managed end-users will begin seeing a management notice, informing them that their organization manages the account they are signing into. This transparency not only fosters trust but also keeps users informed about the security measures in place to protect their data.
Admin console integration: Admins can easily activate this functionality through the Admin console under the "Chrome on iOS" Browser setting. This centralized control allows admins to tailor policies to meet the specific needs of their organization, ensuring a customized and secure browsing environment for all users.

Getting started

Admins: In the Admin console, navigate to Chrome browser > Settings > Chrome on iOS to start applying policies and preferences. Visit the Help Center to learn more about setting Chrome policies for users or browsers.
End users: Visit the Help Center to learn more about how your iOS device is managed.

We’ll remind you that your account is managed upon login and when you’re logged in.

Rollout pace

End user notifications

Rapid and Scheduled release domains: Extended rollout (potentially longer than 15 days for feature visibility) beginning on January 3, 2024

Admin console integration

Rapid and Scheduled release domains: Gradual rollout (up to 15 days for feature visibility) beginning January 24, 2024.

Availability

Available to all Chrome Browser Cloud Management and Google Workspace customers

Resources

Source: Google Workspace Updates

Updated grace periods for resolving policy violations in managed iOS devices

What’s changing

Ensuring only managed applications can access sensitive information is vital to security. Currently, when admins make a policy change that results in an app going from unmanaged to managed, if a policy violation is detected, a 24-hour grace period is given to users to comply with the change. After this grace period, users will lose the ability to access their Google Workspace account.

Moving forward, we’re adjusting a few components to how this grace period operates to boost compliance and prevent inadvertent circumvention. Specifically:

Grace Period

Situation

Next Steps

None

-The managed apps policy violation is detected during the device enrollment.

-The managed apps policy violation by an app is detected after 24 hrs from the moment the admin changes the policy.

Users will be prompted to install the app from the Google Device Policy app for IOS or they will lose access to Google Workspace.

Visit the Help Center to learn more.

24 hours

The managed apps policy violation by an app is detected within the 24hrs from the moment the admin changes the policy.

Who’s impacted

Admins and end users

Why it’s important

Improving these safeguards helps ensure that only managed applications can access sensitive organization information. If the managed applications do not meet the requirements of the access policies set by admins, managed application access to Workspace data is deactivated until users take the proper steps.

Getting started

Admins: Visit the Help Center to learn more about managing mobile apps for your organization.
End users: Visit the Help Center to learn more about managed iOS apps.

Rollout pace

Rapid Release and Scheduled Release domains: Available now.

Availability

Available to Google Workspace Frontline Starter and Frontline Standard, Business Plus, Enterprise Standard and Enterprise Plus, Education Standard and Education Plus; Enterprise Essentials and Enterprise Essentials Plus and Cloud Identity Premium customers

Resources

Source: Google Workspace Updates

Managed Android devices must upgrade to Android Device Policy during March 2023

What’s changing

In 2019, we announced that a new Android management client, Android Device Policy, would replace the legacy Google Apps Device Policy client. We’re now in the final stages of this upgrade.

All devices with the Google Apps Device Policy will lose access during March 2023 if they have not already upgraded. Existing Google Apps Device Policy app users must switch to Android Device Policy before then to continue syncing work data. Note that, per our last update, the new user registration flow on the legacy Google Apps Device Policy will be blocked and users may see errors during the registration process as of January 2022. Admins can act directly from the alert in the Admin console to identify users who need to upgrade.

Visit the Help Center to learn more about migrating to Android Device Policy and our previous announcement for more information.

Getting started

Admins: Admins can find devices which may need to act in the Admin console. Visit our Help Center to learn more about the differences between Android Device Policy and Google Apps Device Policy. Different devices may need to take different steps to upgrade:

Advanced management devices:

Find advanced management devices by going to Admin console > Mobile devices and filtering for Type: Android and Management level: Advanced.
Determine which of these devices are currently managed by the Google Apps Device Policy app and support the Android Device Policy app (i.e. devices with Android 6+ and support for a work profile)
Send these instructions to your users to help them migrate to Android Device Policy.

Basic management devices:

Find basic management devices by going to Admin console > Mobile devices and filtering for Type: Android and Management level: Basic.
Instruct users of these devices to upgrade the Android OS to version 6.0 Marshmallow or later.

End users: Affected users can visit our Help Center to learn how to transition devices from Google Apps Device Policy to Android Device Policy.

Rollout pace

Devices on the old agent will lose access during March 2023.
Android Device Policy is available now and all users should upgrade to avoid disruption.

Availability

This change impacts Google Workspace customers who use basic and advanced mobile management.

Resources

Source: Google Workspace Updates

Google Workspace Updates Weekly Recap – January 7, 2022

New updates

Unless otherwise indicated, the features below are fully launched or in the process of rolling out (rollouts should take no more than 15 business days to complete), launching to both Rapid and Scheduled Release at the same time (if not, each stage of rollout should take no more than 15 business days to complete), and available to all Google Workspace and G Suite customers.

PPTX file limit increase in Google Slides

You can now import PPTX files up to 300MB into Google Slides using Office Editing mode — previously, 100MB was the maximum. Once imported, you can save back your edits to the underlying PPTX file. | Available to all Google Workspace customers and users with personal Google accounts. | Learn more.

Previous announcements

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.

Use a new enterprise certificate condition to set context-aware access rules for company-managed devices

When configuring context-aware access rules, you can now use a new signal to determine whether a device is company-owned. | Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers. | Learn more.

For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).

Source: Google Workspace Updates

Use a new enterprise certificate condition to set context-aware access rules for company-managed devices

Quick launch summary

When configuring context-aware access rules, you can now use a new signal to determine whether a device is company-owned. By using new enterprise certificates as an alternative context-aware signal to determine if a device is a company-managed asset, you can set more specific context-aware policies that are appropriate based on the trustworthiness of the device.

The Admin console screen to configure context-aware access rules using enterprise certificate condition

Getting started

Admins: The feature is available by default, but needs to be configured before use. Use our Help Center to learn more about configuring enterprise certificates and configuring context-aware access rules.
End users: No end user impact.

Rollout pace

This feature is now available for all eligible users.

Availability

Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers
Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business, and Cloud Identity Free customers