The document details how Google Workspace administrators can apply and manage various settings for Android mobile devices using the Admin console.
It covers prerequisites, supported editions, and a comprehensive breakdown of policy categories, including device compliance, app management, network settings, device features, user accounts, lock screen options, system updates, and support messaging.
Instructions are provided for both company-owned and BYOD scenarios, with specific features called out by device type and Android OS version.
Action Items
None noted, as this content is a reference guide and does not contain meeting-derived tasks.
Requirements for Managing Android Devices
Administrators must set up advanced mobile management for affected users.
Some policies require devices to be company-owned and added to the inventory.
How to Apply Android Device Settings
Admins must sign into the Google Admin console with appropriate privileges.
Device settings are found under Devices > Mobile and endpoints > Settings > Android.
Settings can be applied globally or to organizational units (departments/teams).
Applying, overriding, or inheriting settings is available; changes may take up to 24 hours to propagate.
Major Android Device Settings Categories
General Settings
Auto wipe: Automatically clears work data from devices that fall out of compliance or fail to sync, with user notifications prior to wiping.
CTS compliance: Blocks use of Android devices not passing the Compatibility Test Suite.
Application auditing: Allows viewing of app inventory and activity, especially on managed/company-owned devices.
User device wipe: Users can remotely wipe their own devices via Find My Device.
Support for legacy devices: Allows basic syncing for non-encrypted legacy devices if needed.
Work Profile
Work profile separates work from personal data; now required for all personal devices under advanced management.
Admins can require, allow opt-in, or disable work profiles.
Work profile password requirements may be enforced independently from device password, with options varying by Android version.
Apps and Data Sharing
Admins can restrict users to install only pre-approved apps or allow full Play Store access.
System apps management is available for company-owned devices.
Controls available for screen capture, data sharing between work/personal profiles, copy-paste, location, private apps, runtime permissions, app settings, Play Protect, USB transfers, installations from unknown sources, and developer options.
Network Settings
Controls for VPN, tethering, mobile networks, cell broadcasts, Bluetooth, and Wi-Fi settings, with options to restrict user modifications.
For Bluetooth, Location Sharing must also be enabled for Android 6.0+ devices.
Device Features
Options to block/allow SD card use, trusted credentials, microphone, speaker, admin PIN, factory reset and protection, editing date/time, data roaming, and safe booting.
Users and Accounts
Settings to manage profile/user addition/removal, and to restrict adding/removing of accounts, including Google Accounts.
Lock Screen Features
Fine-grained controls for camera access, biometric unlock, lock screen widgets, notifications, periodic authentication with PIN/password/pattern, and Smart Lock.
Settings can be globally disabled or individually managed.
System Updates
Admins can schedule or defer OS updates, including a 30-day postponement option.
Support Messages
Customizable default or custom messages can be shown to users whenever a feature is restricted due to policy.
Custom message is also available for wiping work profiles.
Decisions
Work profiles are now mandatory on personal devices with advanced management — ensures better separation and security of corporate data.