Android Device Management Policies

Jun 20, 2025

Summary

This document outlines how Google Workspace administrators can apply and manage policy settings for Android mobile devices within their organization. It provides step-by-step guidance on accessing the Admin console, configuring various device settings, and customizing user experience and restrictions. The content covers requirements, setup, device management options, and references related topics and support resources. The intended audience is IT admins responsible for enforcing corporate device compliance and security.

Action Items

  • No explicit dated action items provided in this technical documentation.

Requirements for Applying Settings

  • Set up advanced mobile management for targeted Android users before applying policies.
  • Certain settings are only available for company-owned devices.
  • To target departments or teams, organizational units must be created within the Admin console.

Accessing and Setting Android Device Policies

  • Admins sign in to the Google Admin console with appropriate privileges.
  • Device policies can be set via Devices > Mobile and endpoints > Settings > Android.
  • Settings can be applied universally or to specific organizational units.
  • Admins can save, override, or inherit settings for organizational units.
  • Policy changes may take up to 24 hours to take effect.

Policy Categories and Key Settings

General Settings

  • Auto-wipe: Automatically removes work data from non-compliant or unsynced devices; user notification precedes data removal.
  • CTS Compliance: Blocks devices not passing Android’s Compatibility Test Suite.
  • Application auditing: Admins can view app installation activity on devices.
  • Device wipe: Users can remotely wipe their own devices via Find My Device.
  • Support for legacy/older device policy compatibility.

Work Profile

  • Work profiles separate company apps/data from personal ones (BYOD).
  • Options: Prompt to set up, enforce requirement, or disable work profile creation.
  • Enforce/relax password requirements for the work profile or the entire device.

Apps and Data Sharing

  • Control app availability in Google Play and restrict to approved apps.
  • Manage system/preinstalled app access (company-owned devices).
  • Options to allow/block screen capture, content sharing, cross-profile copy/paste, Android Beam, and location sharing.
  • Manage access to Google Play private apps and runtime permissions.
  • Allow/block user ability to uninstall or configure apps, enable/disable Google Play Protect, USB file transfer, installation from unknown sources, and developer options.
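
Because settings can be saved, overridden, or inherited per organizational unit, the value that actually applies to a device depends on its whole OU chain. The following is an added example, not taken from Google's documentation: the setting keys, OU paths, and hardened baseline are hypothetical and the data is constructed. It resolves the effective policy for each OU and reports which OU introduced a risky app or data-sharing override.

```python
# Added example: key names and OU paths are hypothetical, not Admin console identifiers.
# Constructed sample: each OU stores only the settings it overrides; everything
# else is inherited from its parent organizational unit.
OU_OVERRIDES = {
    "/": {"play_protect_enabled": True, "unknown_sources_allowed": False,
          "developer_options_allowed": False, "usb_file_transfer_allowed": False,
          "screen_capture_allowed": False},
    "/Engineering": {"developer_options_allowed": True,
                     "usb_file_transfer_allowed": True},
    "/Engineering/Contractors": {"unknown_sources_allowed": True},
    "/Sales": {},
}

# Hardened baseline for the app and data-sharing settings (an assumption of this example).
BASELINE = {"play_protect_enabled": True, "unknown_sources_allowed": False,
            "developer_options_allowed": False, "usb_file_transfer_allowed": False}

def ancestors(ou):
    """Return the chain from the root to `ou`, e.g. '/', '/A', '/A/B'."""
    parts = [p for p in ou.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def effective_policy(ou, overrides=OU_OVERRIDES):
    """Merge settings root-first so the closest OU's override wins."""
    policy, source = {}, {}
    for node in ancestors(ou):
        for key, value in overrides.get(node, {}).items():
            policy[key] = value
            source[key] = node  # remember which OU last set this key
    return policy, source

def audit(ou, overrides=OU_OVERRIDES, baseline=BASELINE):
    """List (setting, value, OU where it was set) for every baseline deviation."""
    policy, source = effective_policy(ou, overrides)
    findings = []
    for key, expected in baseline.items():
        if key not in policy:
            findings.append((key, None, None))  # not set anywhere in the chain
        elif policy[key] != expected:
            findings.append((key, policy[key], source[key]))
    return sorted(findings, key=lambda f: f[0])

if __name__ == "__main__":
    for ou in OU_OVERRIDES:
        for key, value, origin in audit(ou):
            print(f"{ou}: {key}={value} (set at {origin})")
```

The child OU "/Engineering/Contractors" overrides only one setting itself but still inherits the two relaxations made at "/Engineering", which is the kind of drift a per-OU review can miss.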

Network Settings

  • Admins can allow or restrict user changes to VPN, tethering, mobile networks, cell broadcasts, Bluetooth, and Wi-Fi.
  • Ensure at least one network is available if Wi-Fi/data is restricted to prevent user lockout.

Device Features

  • Control user access to external SD cards, trusted credentials, microphone, speaker, restriction PIN.
  • Manage permissions for factory reset, including post-reset administrator access.
  • Control whether users can edit the date and time, use data roaming, and reboot the device in safe mode (safe boot).

Users and Accounts

  • Manage settings that allow users to add/remove user profiles or accounts (including Google Accounts) on devices.
  • Restrict user ability to modify accounts or add their Google Account to devices.

Lock Screen Features

  • Enable or block access to camera, fingerprint, face/iris unlock, widgets, notifications, and trust agents on lock screen.
  • Control requirement for periodic authentication with PIN/password when using biometric unlock.

System Updates

  • Set OS update policy: never, immediate, scheduled, or deferred up to 30 days.
  • Scheduling updates outside working hours is possible.
  • Deferred updates can be cancelled and are reset if a new update is released in the deferral period.

Support Messages and Wipe Notifications

  • Admins can customize system messages shown to users for enforced settings or when a work profile is wiped.
  • Messages can be default or custom and are shown as short or long texts depending on item and context.

Decisions

  • Work profiles required on personal devices — Work profiles are now enforced for all personal devices under advanced management for data separation and compliance.
  • App auditing on personal devices with no work profile deprecated — Advanced management now mandates a work profile, making the previous auditing setting non-applicable.

Open Questions / Follow-Ups

  • None explicitly identified in this documentation. For nuanced implementation or device-specific concerns, admins are directed to linked support articles and community forums.