Tag Archives: MDM

Better insight into the managed mobile devices in your organization

As a G Suite admin, it’s important that you can easily view and obtain critical information about the mobile devices your organization manages. That’s why we’re making those details easier to find and utilize with our updated mobile device list in the Admin console.

Filter for key characteristics, take bulk actions, and more

This list, located at Device management > Mobile devices, is not only faster and easier to scan, it allows you to do the following:

  • Filter by several categories (e.g. user name, last sync date, compromised devices, etc.), and save the URL to apply the same filters later.
  • Search by keyword or serial number.
  • Add and remove columns, and increase the number of rows shown per page.
  • Download selected columns, export them to Google Sheets, and view the progress of that task.
  • Take action on multiple devices at once and directly from the device details page.

The mobile device list now shows all assigned mobile devices (both company-owned and personal) in one view.


More details about individual devices

Depending on the type of mobile management (advanced or basic) you have enabled for your organization, you can take some of the following actions when you click on a specific mobile device in the list:

  • Block, wipe, or delete the device or account.
  • See all of the apps installed on that device, and identify those that may be harmful.
  • Email the device’s user directly.
  • Learn if a device isn’t compliant and why.


Visit the Help Center to learn more about the new and improved mobile devices list, and the ways it can help you manage mobile devices in your organization.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:
Available to all G Suite editions

Rollout pace:
Extended rollout (potentially longer than 15 days for feature visibility)

Impact:
Admins only

Action:
Admin action suggested/FYI

More Information
Help Center: View and manage mobile devices


Launch release calendar
Launch detail categories
Get these product update alerts by email
Subscribe to the RSS feed of these updates

Google Device Policy app ending support for iOS 8.0 soon

The next release of the Google Device Policy app (version 3.04) won’t support mobile devices running iOS version 8.0 or lower. If your organization has advanced mobile device management (MDM) enabled, your users must upgrade to iOS version 9.0 or higher to access new MDM features or if they need to download the Device Policy app for the first time.

We’re planning to release version 3.04 of the Device Policy app as early as next week. Please encourage your users to upgrade their iOS devices as soon as possible to avoid any disruption to their work.

More Information
Help Center: Minimum device requirements 


Making it easier to set up Android devices as company-owned

When employees set up their phones and tablets as company-owned devices, they give your organization full control over those devices—allowing you to apply policies regarding app installation, network settings, security options, and more. This helps protect your users and your corporate data.

If you have advanced mobile device management but don’t register your company-owned devices in the Admin console, your users must choose to set up their devices as company-owned.

To encourage more users to make this choice, we’ll start showing the screen below to all users who add their G Suite account to a new Android device before adding their personal account.

This change will start rolling out on September 19th, 2018; please note that it may take several weeks for it to take effect for all users.


Starting on September 19th, users will be asked if they own the device they’re setting up. Unless they explicitly state that they own the device personally, ownership will be auto-assigned to your organization.

Currently, your users only see this choice if your organization has Device Owner mode enabled. That option will disappear from the Admin console on September 19th.

Note that users will only see the screen and option above on new (and recently factory-reset) devices running Android 6.0 or higher.

Allowing users to install any app from the managed Google Play store

In addition to the change outlined above, we’re making it easier to install apps on company-owned Android devices and work profiles.

Currently, you have to actively whitelist apps to make them available to your users. Starting on September 19th, users with company-owned Android devices and work profiles will be allowed to install any app from the managed Google Play store by default. If you don’t want your users to do this, you can choose to restrict app availability to whitelisted apps.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release on September 19th, 2018

Editions:
Available to all G Suite and Cloud Identity Premium editions

Rollout pace:
Extended rollout (potentially longer than 15 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI

More Information
Help Center: Set up Android devices your company owns



Secure corporate data on employee iOS devices with managed apps

To better protect the G Suite data stored on your employees’ personal iOS devices, you can now specify that certain iOS apps be “managed” if your domain has advanced mobile device management enabled.

If an app is managed, you can:
  • Prevent the app’s data from being backed up to iCloud.
  • Block unmanaged apps from opening managed app files.


Note that these actions will impact both personal and corporate data on managed apps. Visit the Help Center for more information on how to manage apps on iOS devices.

Designate an app as managed
When you whitelist a new app for iOS devices, you can now choose to “Make this a managed app.” Once you make the app managed, you can also select to have it automatically removed from a device if that device’s MDM profile is removed.

When you whitelist a new app for iOS devices, you can now make it “managed.”


If you previously whitelisted an app, you can make it managed by changing that app’s settings in the Admin console.
You can make an app you’ve already whitelisted managed by editing the app’s configuration in the Admin console.


User notifications and required actions
If you designate an app as managed, any users with that app downloaded will be prompted to update it in their Google Device Policy app.

Users will be prompted to update apps that are marked as managed by their admins. 

Users need to accept management of their apps or they’ll lose access to all corporate data on their phone.


If a user doesn’t take action within 12 hours of receiving the notification, they’ll receive another notification prompting them to make the required apps managed.


If a user doesn’t take action within 24 hours of receiving the notification, they’ll no longer be able to access corporate data anywhere on their device.


Note that if you make a previously managed app “unmanaged,” users will need to remove the Google Apps Device Policy Payload Profile before the app becomes unmanaged.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:
Available to all G Suite editions

Rollout pace:
Extended rollout (potentially longer than 15 days for feature visibility)

Impact:
Admins and end users

Action:
Admin action suggested/FYI

More Information
Help Center: Recommend and manage iOS apps



View additional activities for managed devices in the devices audit log

The devices audit log in the Admin console provides a report on the activities of managed mobile and desktop devices in your organization. Previously, this report was limited to domains with advanced mobile management enabled. To make it even more useful, we’re now showing some of the events in this report to G Suite Business, Enterprise, and Enterprise for Education customers with basic mobile management and endpoint verification enabled as well.

These customers can now use this report to:
  • Find out when a G Suite account has been added to a device.
  • Learn when device screen locks have been enabled and disabled. 

In addition, the devices audit log will now contain admin activities, like when an account wipe has been requested or executed. Knowledge of these activities can help you keep your users’ devices, and the data contained on them, safe. You can find this report in the Admin console at Reports > Audit > Devices.


At launch, for basic mobile management and endpoint verification customers, this report will only show events on managed Android and endpoint verification devices. We’re working on expanding coverage to more devices in the future.

Visit the Help Center to learn more about the devices audit log and how to access it. If you haven’t done so yet, check out this article for information on how to set up mobile management in your domain.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:
Available to G Suite Business, Enterprise, and Enterprise for Education editions, as well as Cloud Identity Premium

Rollout pace:
Full rollout (1–3 days for feature visibility)

Impact:
Admins only

Action:
Admin action suggested/FYI

More Information
Help Center: Manage your organization's mobile devices
Help Center: Devices audit log



New desktop device reporting in the Admin console

We’re giving G Suite admins more visibility into which computers are being used to access their corporate data and apps through a new feature called “Endpoint Verification.”

Endpoint Verification collects information via Chrome extensions and native apps on users’ devices, and displays that information to admins in a new report in the Admin console. It’s a lightweight and easy solution for desktop and laptop device reporting, and we hope this visibility empowers admins to maintain a strong security posture for their organization.

Endpoint Verification report provides desktop device information 

Endpoint Verification adds a new view in the Admin console. Once it is set up on user devices (see below), admins will be able to see:


  • An inventory of desktop and laptop devices within the enterprise that access corporate data. 
  • Device information including screen lock, disk encryption, and OS version. 


To see the report, open the Admin console and visit Device management > Endpoint Verification.

Information available in the Admin console when Endpoint Verification is enabled

How to deploy Endpoint Verification in your organization 


Endpoint Verification is available for ChromeOS, macOS, and Windows devices. It requires a Chrome extension to be installed. On Windows and macOS devices, it also needs a native app that works with the extension. Extensions and apps can be installed by users individually or deployed centrally. See our Help Center article for admins for details on how to deploy Endpoint Verification.

End user experience of Endpoint Verification 

When the Endpoint Verification extension is installed on a user’s device, there will be a notification shown to users (see image below). The user will have to click “Agree” before data from their device is shown in the admin’s Endpoint Verification report. If the user does not click “Agree,” information about that device will not be shown. The user Help Center has information about Endpoint Verification and user devices.

Endpoint Verification notification shown to users when the extension first runs 


Launch Details 

Release track:
Launching to both Rapid Release and Scheduled Release

Editions: 
Available to all G Suite Editions 

Rollout pace: 
Gradual rollout (up to 15 days for feature visibility)

Impact: 
Admins and end users

Action: 
Admin action suggested

More Information 
Admin Help Center: Monitor your Chrome users' computers 
End User Help Center: Allow an admin to monitor your computer



Google Mobile Management support for Hangouts Meet on iOS

On June 19th, 2018, Google Mobile Management will begin rolling out support for Hangouts Meet on iOS. Currently, G Suite users in domains with advanced mobile device management enabled can use the Hangouts Meet iOS app without first installing the device policy profile. Following the launch, these users will be required to install the device policy profile (if they haven’t already) in order to continue using Hangouts Meet on their iOS devices.

Impacts iOS users without device policy profile only
This only impacts iOS users who don’t already have the device policy profile installed. If your organization currently has advanced MDM enabled, your users would have been required to download the device policy profile in order to access Gmail, Calendar, and other Google apps on their iOS devices.

Notifications to users
Starting on June 19th, iOS users who try to access Hangouts Meet will see a notification prompting them to install a security profile. This notification will only appear for users on Hangouts Meet v16.0 and above; users can upgrade to this version starting on June 4th.


Users on older versions of Hangouts Meet will be able to sign in to the app, but they’ll be unable to perform critical functions (e.g. to view and join meetings). They should upgrade to v16.0 so that they receive the prompt and can install the required device policy profile.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release on June 19th, 2018

Editions:
Available to all G Suite editions

Rollout pace:
Full rollout (1–3 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI

More Information
Help Center: How the device policy profile works



Enforce a password policy on Android work profiles with Google Mobile Management

G Suite admins can use Google Mobile Management to give their users secure access to work apps and data on their mobile devices. One way admins guarantee this security is by mandating that managed devices are protected with a password, and that that password meets certain requirements (e.g. number of characters, password strength, etc.).

Many employees use their phones for both work and personal purposes, so we make it possible to separate the two on most Android devices by setting up work profiles. With this launch, admins will be able to mandate a password policy on just the apps within these work profiles, protecting corporate data while leaving users free to safeguard their personal apps however they see fit.


How it works
In the Admin console (under Device management > Password Settings), an admin can require their users to set a password on any managed device and specify certain requirements for that password. This password policy will apply to all managed devices in that admin’s domain.


If an admin wants to apply that password policy to work profiles only, they can navigate to Device management > Android Settings > Work Profile in the Admin console and check the box next to “Apply password settings only for the Work Profile.” This will apply the password policy to work profiles only on devices running Android 7.0 or higher. On all other managed devices in the domain, the password policy will be applied to the entire device.


For more information, visit the Help Center.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:
Available to all G Suite editions

Rollout pace:
Gradual rollout (up to 15 days for feature visibility)

Impact:
Admins and end users

Action:
Admin action suggested/FYI

More Information
Help Center: Apply settings for Android mobile devices



Google Mobile Management now supports managed configurations for Android apps

Some apps designed for enterprises include built-in settings called “managed configurations” that IT admins can set up remotely. For example, many VPN apps offer automatic setup, meaning people don’t have to take lengthy and confusing steps to begin using VPN. These managed configurations save admins valuable time and allow them to easily deploy otherwise complex settings arrangements. With this launch, we’re making it possible to set up managed configurations for Android apps using advanced mobile device management from Google Mobile Management.

To set up managed configurations by organizational unit (OU) or group, visit Device Management > App Management > Manage Applications for Android Devices > Whitelisted Android Apps in the Admin console and select the “App Distribution and Configuration” for the app you’re looking to configure. For step-by-step instructions, visit the Help Center.



To check if an app supports managed configurations, visit the managed Google Play store and click on the app you’re interested in. If the app supports managed configurations, it’ll be noted under the “Approve” or “Buy” button.


We hope this will make it easier for G Suite admins to deploy the Android apps their users need most, with the built-in settings that work best for their organization.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:
Available to G Suite Business, Enterprise, and Enterprise for Education editions only

Rollout pace:
Gradual rollout (up to 15 days for feature visibility)

Impact:
Admins only

Action:
Admin action suggested/FYI

More Information
Help Center: Manage apps on mobile devices
Help Center: Managed app configuration



Allow users to install any app on their managed Android devices

Until now, G Suite users with company-owned Android devices and those with work profiles could only install mobile apps that had been specifically whitelisted by their admin. In some organizations, however, such restrictions weren’t critical, and whitelisting required unnecessary time and effort. That’s why, going forward, we’re giving admins the option to allow their users to install any app in the managed Google Play store on Android devices that are corporate-owned or have work profiles.

Admins can select this option in the Admin console under Device management > App Management > Manage apps for Android devices.


If an admin selects “Allow all apps,” he or she can still whitelist specific apps. These whitelisted apps will appear on the managed Google Play homepage, but users will be able to find any app using the search tool.


For more information, visit the Help Center.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:
Available to all G Suite editions

Rollout pace:
Gradual rollout (up to 15 days for feature visibility)

Impact:
Admins only

Action:
Admin action suggested/FYI

More Information
Help Center: Manage apps on mobile devices

