This feature is available with Cloud Identity Premium edition. Compare editions
As an administrator, you can control how users access and interact with their Android device by applying policy settings.
Requirements
- Set up advanced mobile management for the Android device users you want the settings to apply to.
- Some settings are available only for company-owned devices. For details, go to Add company-owned devices to the inventory.
Find and set Android settings
Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesMobile and endpointsSettingsAndroid.
- Click a settings category and a setting. Learn about the settings in the following section.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
- To apply a setting, check the box or enter the required information.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit.
Changes can take up to 24 hours but typically happen more quickly. Learn more
Android settings index
- General settings
- Work profile
- Apps and data sharing
- Networks
- Device features
- Users and accounts
- Lock screen features
- System update
- Support messages
General settings
Expand section | Collapse all & go to top
Auto wipeAutomatically removes a user's work or school data from their device when any of the following situations occur and the user doesn't address the problem:
- The device hasn't synced for the specified number of days.
- The device falls out of compliance with any of these device policies:
The user's data is not removed immediately after the specified time. First, the user gets a notification and time to fix the problem.
To turn off auto wipe, uncheck the Wipe device if it doesn't sync or falls out of compliance box.
What data is wiped
The data that’s removed depends on how the device is set up:
Android Device Policy
- Company-owned devices or personal devices that the user set as use for work only (your organization's management privilege is Device owner) are factory reset.
- For personal devices with a work profile (your organization's management privilege is Profile owner), only the work profile is wiped. Personal data and apps remain on the devices.
Google Apps Device Policy
The work or school account is removed. Personal data and apps remain on the device. However, if the device is in fully-managed mode and the work account is added back, all apps are removed from the device.
Supported for Android 6.0 Marshmallow or later devices
Not available for Education Fundamentals
Blocks Android devices that aren't compliant with the Compatibility Test Suite (CTS). For details, go to Compatibility Test Suite.
Note: The Audit apps on personal devices with no work profile setting is no longer applicable because personal devices under advanced mobile management are now required to have a work profile.
Allows admins to get details about apps installed on personal devices that don't have a work profile. Note: Apps are automatically audited on company-owned devices and devices with a work profile.
When you check the Audit apps on personal devices with no work profile box, devices report the following information to the Admin console:
- A list of apps that are installed on a device. For details, go to View mobile device details.
- Details of when a user installed, uninstalled, or updated an app on their device. For details, go to Device log events.
Allows users with Android devices to access the Android Device Manager.
When you check the Allow users to wipe their devices from Find My Device box, a user can use Android Device Manager to find a lost device. They can also remotely ring, lock, or erase data from the device. For details, go to Android Device Manager.
Accommodates older devices by enforcing only those policies supported on older devices.
When turned on, older devices can continue to sync corporate data without encrypted storage. These devices can sync data even when you require encryption.
Work profile
Use work profiles to separate your organization’s apps from personal apps. Your users’ bring your own device (BYOD) personal space remains private and available only to them. For details, go to What is a work profile?
Expand section | Collapse all & go to top
Work profile setupNote: Work profiles are now always required on personal devices and this setting is no longer applicable.
Controls the creation of work profiles on personal Android devices that are used in your organization.
Users can add one managed account to a device with a work profile. Within the work profile, you offer and manage corporate apps from the mobile apps list. Once installed, managed apps are marked with Android enterprise so they’re easy for users to distinguish from personal apps. Learn more about managing mobile apps for your organization.
Next to Work Profile Setup, click the Down arrow and choose an option:
- User opt-in—Prompt users to create a work profile when they register their device for management. If a user decides to not set up a work profile, they can still synchronize their corporate data. However, you (and other administrators) can still protect the work or school data on the device. For example, if a device is lost, you can wipe all data from the device.
- Enforce—Require users to set up a work profile on their device. Users can’t sync corporate data unless they accept the work profile, and they can't opt out. If Android devices without work profiles are already registered for management, users are prompted to create one. Data stops syncing to the devices until a work profile is in place. If the device doesn’t support work profiles, this setting isn’t applied. To find out if a device supports a work profile, check the device properties in your Admin console. For details, go to View mobile device details.
- Disable—Prevent device users from setting up a work profile. Existing work profiles set up on registered devices aren't affected.
Supported for Android 7.0 Nougat and later devices
Enforces password settings only on apps running in a user’s work profile, and allows users to set up their own lock screen settings for their device. For details, go to Require passwords for managed mobile devices.
To enforce password settings on the entire device, uncheck the Apply password requirements only on work profile apps box.
Note: For devices older than Android 7.0, password settings are always enforced on the entire device.
Apps and data sharing
Supported for company-owned devices and BYOD devices with work profiles, except where noted
Expand section | Collapse all & go to top
Available appsAllows users to find and install all apps in the Google Play store or only allowed apps.
Note:
- This setting overrides User access settings for apps in the Web and mobile app list.
- If you select All apps, users can install any app in the Google Play store, including apps that have User access set to Off and unmanaged apps.
- If you select Only allowed apps, users can install only apps in the Web and mobile app list. However, unmanaged apps already installed on devices stay on devices.
Supported for company-owned devices only
Allows users to install all or select system apps. System apps are preinstalled apps such as Clock and Calculator. You can allow all, block all, or select specific apps to block or allow.
Some system apps are critical to device function and are still available even when you select Block all. Selecting Block all doesn’t remove access to Android apps you add to the Web and mobile app list.
For details, go to Manage system apps on company-owned mobile devices.
Supported for Android 5.0 Lollipop and later devices
Allows users to take screen captures on their mobile devices.
To block screen captures in work apps, uncheck the Allow screen capture box. In this case, users can get screen captures only in their personal apps.
Supported for Android 5.0 Lollipop and later devices, except where noted
Allows users to share data and files from their work profile to the personal space on their device. This setting does not change users' ability to share content from their personal space to their work profile.
When you check the Allow content sharing from the work profile to the personal space box:
- Content from the work profile can be shared with apps in the user’s personal space. For example, a user can add work documents to their personal Gmail app.
- Caller ID information from the work profile is shown in the personal space for incoming calls.
- (Google Workspace only, Android 7.0 Nougat and later devices) Users can search for work contacts from their personal space.
- URLs are opened in the personal space if there’s no browser in the work profile.
- A map app in the personal profile opens a geographic location if there’s no map app in the work profile.
Note: To allow users to see personal and work data together in an app, such as Google Calendar, turn on Connected apps configuration for the app. For details, see Allow Android users to see personal and work data together in an app.
Supported for Android 5.0 Lollipop and later devices with work profiles
Allows users to copy text from any app in their work profile and paste it in any app in their personal space.
To block users from copying work data to their personal apps, uncheck the Allow pasting between the work profile and personal space box.
Allows users to share content between Android devices with Android Beam, which uses near field communication (NFC).
To block data sharing with Android Beam, uncheck the Allow outgoing Beam box.
Supported for Android 5.0 Lollipop and later devices
Allows users to turn on or off Google’s Location service. Apps use location information to provide location-based services, such as the ability to view commute traffic or find nearby restaurants. This setting also allows users to manage their Android device from the My Devices page.
To block Location Sharing for all apps, uncheck the Allow location sharing box.
Allows Android users to access and publish private apps in Google Play.
- To allow users to access private apps you distribute, check the Allow users to access Google Play private apps box.
- To allow users to create and update Android apps for internal use and distribute them to users in your domain, check the Allow users to publish and update Google Play private apps box.
For more information about private apps, go to Manage private Android apps in Google Play.
Supported for Android 6.0 Marshmallow and later devices
Note: Denying runtime permissions can affect the functionality of some apps.
Sets the default response to permission requests from apps at run time. This setting is overridden by the permissions preferences that are set for an individual app in the managed apps list. For details, go to Set Android app runtime permissions.
Supported for company-owned Android 6.0 Marshmallow and later devices
Allows users to uninstall apps, turn off apps, force stop (halt processes), show notifications, and clear data, cache, or defaults.
To block users from changing app settings, uncheck Allow users to change app settings.
Supported for company-owned Android 6.0 Marshmallow and later devices
Allows users to turn off Google Play Protect (formerly Verify Apps). Play Protect helps prevent the installation of harmful software on Android devices. It also periodically scans devices for potentially harmful apps. For details, go to Use Google Play Protect to help keep your apps safe and your data private.
To require that Play Protect is always on, uncheck Allow users to turn off Google Play Protect.
Supported for company-owned Android 6.0 Marshmallow and later devices
Allows users to transfer files to and from their mobile devices using a USB connection.
To block file transfer over a USB connection, uncheck Allow USB file transfer.
Supported for Android 8.0 Oreo and later devices.
This setting prevents users from installing apps from sources other than the Google Play Store to their work profile. However, users can still install apps from unknown sources to their personal profile.
To allow app installation from unknown sources, uncheck the Block app installation from unknown sources box.
Supported for Android 5.0 Lollipop and later devices
Allows users to use developer options on their devices.
To block users from using developer options, uncheck Allow developer options. If the device has a work profile, users can still turn on developer options for their personal space. For example, users can sideload (download and then use a file manager to install) apps from their computer to their personal space, but they can't sideload apps to their work profile.
Networks
Supported for company-owned Android 6.0 Marshmallow and later devices
If you restrict Wi-Fi networks and mobile data, make sure that at least one Wi-Fi network is allowed in your organization's network settings. Otherwise, devices might not be able to sync policies and eventually lock out all users.
Expand section | Collapse all & go to top
VPN accessAllows users to add, edit, connect to, or delete a Virtual Private Network (VPN) on their device. Users can access VPN settings on their devices by tapping Settings Wireless & networksMoreVPN.
To block users from changing their device's VPN configuration, uncheck Allow VPN configuration.
Allows users to set up and use Wi-Fi hotspots and USB or Bluetooth tethering services.
To block users from using these types of connections, uncheck Allow tethering and Wi-Fi hotspots.
Allows users to change the settings for data access and roaming on their devices. This setting also allows users to take the following actions:
- Display the mobile network name in the status bar
- Change the access point name (APN)
- Choose a mobile network operator
To block users from changing these settings, uncheck Allow changes to mobile network settings.
Allows users to opt in to broadcast notifications, such as weather emergencies and missing children (AMBER) alerts, on devices equipped with SIM cards.
To block users from changing cell broadcast settings, uncheck Allow changes to cell broadcast settings.
Allows users to change the Bluetooth settings on their mobile devices.
Note: For Android 6.0 Marshmallow and later, to allow users to configure Bluetooth settings, you must also allow Location Sharing (under Apps and data sharing).
To block users from changing Bluetooth settings, uncheck Allow changes to Bluetooth settings.
Allows users to change the Wi-Fi network settings on their mobile devices.
To block changes to Wi-Fi settings, uncheck Allow changes to Wi-Fi network settings.
Device features
Supported for company-owned Android 6.0 Marshmallow and later devices, except where noted
Expand section | Collapse all & go to top
Physical mediaFor devices with external SD card slots, allows users to move data or applications to an SD card. SD cards are used for removable storage.
To block users from copying data to external SD cards, uncheck Allow external SD cards.
Allows users to modify certificate authority (CA) forms for their work profiles in SettingsSecurityTrusted credentials on their mobile device.
To block changes to CA certificates, uncheck Allow changes to trusted credentials. When unchecked, users can still view CA certificates for their work profile.
Allows the use of device microphones.
To mute the microphone and prevent it from being turned back on, uncheck Allow microphone. You might want to block microphone use to ensure that malicious apps can’t use the microphone to record sound near the device.
Allows the use of device speakers.
To mute the speaker for apps in the work profile and prevent speakers from being turned back on, uncheck Allow speakers.
Supported for Android 5.1 Lollipop and earlier devices
When checked, the specified administrator restriction PIN is synced to user devices. The PIN must be 5 or more numbers. Users are asked to enter this PIN when they try to reset the phone or change Wi-Fi or Bluetooth settings.
To prevent changes to the administrator restriction PIN, uncheck the Enable remote management of administrator restriction PIN box. To update the PIN, you must check the box to set the new PIN and allow it to sync to devices.
Allows users to reset their Android device to factory settings with the Settings app. A factory reset removes all apps, data, and settings from the device, including settings configured by an administrator through device management.
If you check the Allow users to factory reset a device box, consider using the Factory reset protection to allow administrators to access a reset device.
If you uncheck the box, users can't factory reset their device with the Settings app. However, users might still be able to reset their device using its power and volume buttons.
Allows the specified administrator accounts to sign in to a company-owned device after it’s reset to its factory settings from the Admin console. This does not apply to devices that were reset on the device itself.
Who can sign in after a factory reset depends on how the device is company-owned and its management client:
- For devices in the company-owned inventory, only the accounts you list can sign in to the device after a factory reset. For more information on company-owned inventory, go to Add company-owned devices to the inventory.
- For personal devices set up for work only (device owner privilege), both the specified accounts and the previous owner can sign in to the device. For information on using personal devices set up for work only, go to Set up Google Workspace on an Android device.
To add an administrator, enter their email address and click Add.
Account requirements
- You can enter up to ten email addresses. We recommend that you enter more than one email address in case there are problems with any of the addresses.
- Ensure the email addresses you add are active and have never been deleted or suspended. If an account is suspended or deleted, it might not be able to access a device that’s been reset, even if the account was restored.
- Don’t use group email addresses. Group accounts can’t access a device that’s been factory reset.
Before you reset a device
- Sign out and remove the user’s work or school account.
- If the user doesn’t know their password, reset it. Do this before you wipe the device. If you wait, the user might need to wait at least 24 hours before they can sign back in to the device.
Allows users to set the date and time on their devices.
To block users from changing the date and time, uncheck the Allow user to edit the date and time box.
Supported for company-owned Android 7.0 Nougat and later devices
Allows users to access data services while using the device outside the mobile carrier’s operating area.
To block internet access while roaming, uncheck the Allow user to connect to data services when roaming box.
Allows users to restart their devices in safe mode. In safe mode, the device runs only standard, preinstalled apps and deactivates all third-party apps.
Note: For Android devices where the Google Apps Device Policy app wasn't preinstalled, safe mode deactivates the Google Apps Device Policy app. Without that app running, the device stops syncing your management policies and the user's access to their work or school account on the device is eventually blocked.
To prevent users from rebooting in safe mode (recommended), uncheck the Allow user to reboot their device in safe mode box.
Users and accounts
Supported for company-owned devices and personal devices with work profiles
Expand section | Collapse all & go to top
Add usersSupported for Android 6.0 Marshmallow devices only
Allows the primary device user to add user profiles to the device. Each user profile has personal space on the device for accounts, apps, and settings.
Supported for Android 6.0 Marshmallow devices only
Allows the primary device user to remove user profiles from the device. When a user profile is removed, any accounts that were added to that profile are also removed.
Supported for Android 5.0 Lollipop and later devices
Allows users to add and remove accounts on their device. Only one managed account can be added to devices with a work profile. To remove a managed account, the user must remove the work profile from their device.
To block users from changing accounts on their device, uncheck Allow user to add and remove accounts. When unchecked, you can't turn on the Google Accounts setting, and users can't add any managed Google Accounts to their device.
Supported for Android 5.0 Lollipop and later devices
Allows users to add work or school accounts on their device. Only one managed account can be added to a device with a work profile.
Note: To turn on this setting, you must turn on the Accounts setting.
To block users from adding Google Accounts, uncheck Allow user to add their Google Account. Users can still add their accounts in their work profile or on their device through Microsoft Exchange, IMAP, or POP3.
Lock screen features
Supported for company-owned devices and Device-owner mode personal devices with Android 6.0 Marshmallow and later
Expand section | Collapse all & go to top
Lock screen features overviewNot available for Education Fundamentals
Lock screen features allows you to control the availability of these settings on the user's lock screen:
- Camera
- Fingerprint unlock
- Face unlock
- Iris unlock
- Lock screen widgets
- Notifications
- Notification details
- Periodic authentication with pin, password, or pattern
- Trust agents
To turn off lock screen features, uncheck the Allow lock screen features box. When unchecked, only the lock screen features in this group of settings are blocked. Features that aren't listed, such as facial recognition, aren't blocked.
To block individual lock screen features, check the Allow lock screen features box and then uncheck the boxes for the lock screen features you want to block.
Not available for Education Fundamentals
Allows camera use while the device is locked.
If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.
To block camera use from the lock screen, uncheck the Allow camera box.
Not available for Education Fundamentals
Allows users to use the device camera’s facial recognition feature to unlock the device. This is available only on devices that support face unlock.
If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.
To block unlocking the device with face unlock, uncheck the Allow face unlock box.
This feature is affected by the Periodic authentication with pin, password, or pattern settings.
Not available for Education Fundamentals
Allows users to use the device’s iris scanner to unlock the device. This is only available on devices that support iris unlock.
If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.
To block unlocking the device with iris unlock, uncheck the Allow iris unlock box.
Not available for Education Fundamentals
Allows users to use the device’s fingerprint reader to unlock the device.
If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.
To block unlocking the device with the fingerprint reader, uncheck Allow fingerprint unlock.
This feature is affected by the Periodic authentication with pin, password, or pattern settings.
Supported for Android versions 4.2 Jelly Bean to 4.4 KitKat devices
Allows users to add widgets, such as email and calendar widgets, to the lock screen on their devices.
If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.
To block lock screen widgets, uncheck the Allow lock screen widgets box.
Not available for Education Fundamentals
Allows users to receive notifications while the device is locked.
If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.
To block notifications, uncheck the Allow notifications on the lock screen box. When unchecked, the Notification details setting is also turned off.
Allows users to receive notification details while the device is locked.
If the Notifications setting is turned off, this feature is also off.
If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.
To block notification details, uncheck the Allow notification details box.
Supported for Android versions 8 and above
Allows users who use face or fingerprint unlock to authenticate with more secure methods like pin, password, or pattern after a set period of time.
If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.
This setting is enforced on work profile apps when the Apply password requirements only on work profile apps box is checked in the Work Profile settings.
Not available for Education Fundamentals
Allows users to use Smart Lock to keep their device unlocked in some situations, like when their phone is in their pocket or they're at home. With Smart Lock, users don't need to unlock with their PIN, pattern, or password. For details, see Set your Android device to automatically unlock.
If Lock screen features is turned off, this feature is also off and can't be changed until you turn on Lock screen features.
To block Smart Lock, uncheck the Allow Smart Lock to keep a device unlocked box.
System updates
Expand section | Collapse all & go to top
OS update policySupported for Android 6.0 Marshmallow and later devices.
Allows admins to set up and apply over-the-air (OTA) system updates to your organization’s devices.
Admins can choose when devices are updated:
- Never—OS updates are not automatically downloaded.
- As soon as updates are available—Automatically download the OS update when it’s available.
- Only at specified times—Download OS update within a set time frame. Scheduling an update during non-working hours might prevent downtime for users.
Note: If the end time is earlier than the start time, then the update begins at the start time and continues into the next day. - 30 days after updates first become available—You can delay the OS update for 30 days. During this time:
- Devices do not receive notifications about updates
- Users can’t manually update their devices
Admins can turn off the 30-day hold at any time. The system resets the 30-day postponement if a new update becomes available during the period.
Once 30 days pass without a new update, the system prompts the user to install all the pending updates. Later, when a new system update becomes available, the 30-day period begins again.
Note: OS updates are downloaded during the device’s local time, not the admin’s local time.
Support messages
Expand section | Collapse all & go to top
Enforced settingsSupported for Android 7.0 Nougat and later devices.
Create and display a message for the user in settings screens where the admin turned off functionality.
Choose from:
- Default message stating the setting can’t be changed due to organization policy—The default message for enforced settings. The default message comes in two lengths:
- Default short message—This setting is managed by your organization.
- Default long message—This setting is managed by your organization. For questions please contact your IT department.
- Custom messages—You can write a custom message to display to users explaining why a setting can’t be changed. The custom message comes in two lengths:
- Custom short message—The short message is displayed to the user in settings screens where functionality was turned off. The message can be up to 200 characters.
- Custom long message—The long message is displayed to the user in the device administrator’s settings screen (SettingsSecurityDevice).
For more information about user-facing messages, go to the Android Management API.
Supported for Android 9.0 Pie and later devices
Allows admins to create a custom message to users when removing a work profile from a managed device.
Choose from:
- Default message stating their work profile has been removed—The default message for a work profile wipe. When you remove a work profile, the user sees “Your work profile is wiped. Please contact your IT admin if this is not expected.”
- Custom message—Admins can create a custom message for a work profile wipe. This message can be up to 200 characters long.
Note: Work profile wipe follows the same rules as Policy transparency management.
Related topics
- Require passwords for managed mobile devices
- Apply universal settings for mobile devices and endpoints
- Apply settings for iOS devices
- About Android Device Policy
- Android device management agents FAQ
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.