Tag Archives: MDM

User enrollment for managed iOS devices is now generally available

What’s changing 

In late 2023, we introduced user enrollment in beta, an additional option for iOS mobile management. User enrollment separates work and personal data on iOS devices, giving admins control over Workspace data on the device while users retain privacy over their personal data. Beginning today, user enrollment is generally available. For more information, use our Help Center or reference our original announcement.


Availability

  • Available to Google Workspace Enterprise Plus, Enterprise Standard, Enterprise Essentials, Enterprise Essentials Plus, Frontline Standard, Frontline Starter, Business Plus, Cloud Identity Premium, Education Standard, Education Plus and Nonprofits customers.


Updates for managed iOS devices with the release of Chrome 120

What’s changing

In the coming weeks, we’ll be introducing several improvements to Chrome-on-iOS that will help admins more seamlessly apply policies and preferences across their users’ managed devices. This launch will align with the planned release of Chrome 120. Specifically, these improvements are: 
  • Cross-device policy application: Whether it’s a company-owned or personal device, Chrome User Policies can be applied when a user signs into the Chrome browser with their managed account. This ensures a consistent and secure browsing experience across all devices.
  • Management notice for end-users: Managed end-users will begin seeing a management notice, informing them that their organization manages the account they are signing into. This transparency not only fosters trust but also keeps users informed about the security measures in place to protect their data. 
  • Admin console integration: Admins can easily activate this functionality through the Admin console under the "Chrome on iOS" Browser setting. This centralized control allows admins to tailor policies to meet the specific needs of their organization, ensuring a customized and secure browsing environment for all users.

Getting started

 
We’ll remind you that your account is managed upon login and when you’re logged in.


Availability

  • Available to all Chrome Browser Cloud Management and Google Workspace customers


Updated grace periods for resolving policy violations in managed iOS devices

What’s changing 

Ensuring only managed applications can access sensitive information is vital to security. Currently, when admins make a policy change that results in an app going from unmanaged to managed, if a policy violation is detected, a 24-hour grace period is given to users to comply with the change. After this grace period, users will lose the ability to access their Google Workspace account. 


Moving forward, we’re adjusting a few aspects of how this grace period operates to boost compliance and prevent inadvertent circumvention. Specifically:

Grace period: None

Situation:
  • The managed apps policy violation is detected during device enrollment.
  • The managed apps policy violation by an app is detected more than 24 hours after the admin changes the policy.

Next steps: Users will be prompted to install the app from the Google Device Policy app for iOS or they will lose access to Google Workspace. Visit the Help Center to learn more.

Grace period: 24 hours

Situation:
  • The managed apps policy violation by an app is detected within 24 hours of the admin changing the policy.



Who’s impacted

Admins and end users


Why it’s important

Improving these safeguards helps ensure that only managed applications can access sensitive organization information. If the managed applications do not meet the requirements of the access policies set by admins, managed application access to Workspace data is deactivated until users take the proper steps.


Availability

  • Available to Google Workspace Frontline Starter and Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials and Enterprise Essentials Plus; and Cloud Identity Premium customers


Managed Android devices must upgrade to Android Device Policy during March 2023

What’s changing 

In 2019, we announced that a new Android management client, Android Device Policy, would replace the legacy Google Apps Device Policy client. We’re now in the final stages of this upgrade. 


All devices with the Google Apps Device Policy will lose access during March 2023 if they have not already upgraded. Existing Google Apps Device Policy app users must switch to Android Device Policy before then to continue syncing work data. Note that, per our last update, the new user registration flow on the legacy Google Apps Device Policy will be blocked and users may see errors during the registration process as of January 2022. Admins can act directly from the alert in the Admin console to identify users who need to upgrade.




Visit the Help Center to learn more about migrating to Android Device Policy and our previous announcement for more information.


Rollout pace

  • Devices on the old agent will lose access during March 2023. 
  • Android Device Policy is available now and all users should upgrade to avoid disruption.  


Availability

  • This change impacts Google Workspace customers who use basic and advanced mobile management.



Google Workspace Updates Weekly Recap – January 7, 2022

New updates 

Unless otherwise indicated, the features below are fully launched or in the process of rolling out (rollouts should take no more than 15 business days to complete), launching to both Rapid and Scheduled Release at the same time (if not, each stage of rollout should take no more than 15 business days to complete), and available to all Google Workspace and G Suite customers. 



PPTX file limit increase in Google Slides 
You can now import PPTX files up to 300MB into Google Slides using Office Editing mode — previously, 100MB was the maximum. Once imported, you can save back your edits to the underlying PPTX file. | Available to all Google Workspace customers and users with personal Google accounts. | Learn more.



Previous announcements 


The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details. 



Use a new enterprise certificate condition to set context-aware access rules for company-managed devices 
When configuring context-aware access rules, you can now use a new signal to determine whether a device is company-owned. | Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers. | Learn more. 



For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).

Use a new enterprise certificate condition to set context-aware access rules for company-managed devices

Quick launch summary 

When configuring context-aware access rules, you can now use a new signal to determine whether a device is company-owned. By using new enterprise certificates as an alternative context-aware signal to determine if a device is a company-managed asset, you can set more specific context-aware policies that are appropriate based on the trustworthiness of the device. 
The Admin console screen to configure context-aware access rules using enterprise certificate condition


Rollout pace 

  • This feature is now available for all eligible users. 

Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business, and Cloud Identity Free customers 

Google Device Policy app ending support for iOS 11 soon

Quick launch summary 

The Google Device Policy app won’t support mobile devices running iOS version 11 or lower after August 2021. If your organization has advanced mobile device management (MDM) enabled, users must upgrade to iOS version 12 or higher to access new MDM features or to download the Device Policy app for the first time. 


We will remove support for iOS 11 in the first release of the Device Policy app beginning September 2021. Therefore, please ensure your users upgrade their devices by the end of August 2021 to avoid any disruption to their work.


Use our Help Center to find more information on minimum device requirements for Google mobile management.

New option to block devices with basic management from accessing your organization’s data

What’s changing 

We’re adding the ability for admins to manually block or unblock mobile apps from accessing their organization’s Google Workspace data on Android and iOS devices with basic mobile management. These actions can be automated using device management rules (for supported editions).


Who’s impacted 

Admins 


Why it’s important 

Previously, admins had a limited set of actions they could perform with basic management—they could wipe an account or delete the device from inventory. However, they couldn’t block apps on those devices from accessing organizational data in the way that they could for devices with advanced mobile management. This launch makes that possible, helping to keep your organization’s data secure. 

While the blocking action is the same for devices with basic and advanced management, advanced management allows you to proactively block devices based on the Require Admin Approval setting. With basic management, you can only do this on a per-device basis. 


Getting started 

  • Admins: This feature will be available by default. To use it, navigate to a device page in the Admin console and click block device. Visit the Help Center to learn more about blocking and unblocking devices.
  • End users: If a user’s device is blocked by an admin, the user will be signed out of all Google Workspace mobile apps. If they try to sign in again, they will see a message indicating that they do not have access to the app, and that they should contact their administrator for help. 
New option to block a device available for devices with basic management 

Once a device is manually blocked, admins can unblock the device 

Those trying to access Google Workspace apps on a blocked device will see a message to contact the administrator for help 


Availability 

  • Available to Google Workspace Business Starter, Business Standard, Business Plus, Essentials, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits customers 

Improved mobile device management rules experience in the Admin console

Quick launch summary

We’re making improvements to how you manage rules related to mobile device management (MDM) in the Admin console. There are two key aspects of the launch: 
  1. A new location for MDM rules: You can now manage rules at Devices > Security rules. Previously, MDM rules were managed at Admin console > Rules.
  2. New rule options and creation workflow: You’ll see a new flow to create MDM rules, including new conditions which can trigger rules, and new device management and notification actions to take as a result. 
Use our Help Center to learn more about managing MDM rules for your organization. Note that any previously created rules will continue to function as before. However, you’ll be able to use the new flow and options if you update the rules. 


Getting started 

Device management rules are now in the Security rules section of the Admin console 

A sample screen from the new rule creation flow 

Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Enterprise for Education, and Cloud Identity Premium customers
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, as well as G Suite Basic, Business, Education, and Nonprofits customers 

Introducing two BeyondCorp Alliance partner integrations for improved context-aware access

What’s changing 

We’re announcing new integrations with our BeyondCorp Alliance partners Check Point and Lookout. The integrations, initially available in beta, are built using the Devices API and enable customers to use third party signals in context-aware access decisions. 


Who’s impacted

Admins 


Why it’s important 

In the BeyondCorp security model, device inventory, state, and security posture are central to making context-aware access decisions. So far, our context-aware access solution has obtained these signals from first party (i.e. Google) sources, such as Endpoint Verification. However, our vision has always been to help customers fully leverage their existing investments in security tools and controls, and to add key functionality and signals to Google’s context-aware access, so that our customers achieve a superior access control security posture. The BeyondCorp Alliance is a group of partners that share our Zero Trust vision and who are committed to working with us to help our joint customers make it a reality.


Today, we are excited to announce the first integrations (in beta) with our BeyondCorp Alliance partners Check Point and Lookout, to use third party signals in our context-aware access decisions. For example, the mobile threat defense system might detect malware on the device and notify Google about a reduced security assurance, and customer-defined access rules can reduce the level of access allowed from such devices, without impacting access for that user from other devices or for other users. The integrations are built using the new Devices API we announced earlier this year. The API was designed to be used by partners in the BeyondCorp Alliance to add device security metadata, and also by customers to manage their device fleet.


Getting started 

  • Admins: Google customers who use Check Point or Lookout as their mobile threat defense solutions can benefit from the integration. Visit our Help Center for more information and to learn more about how to set up third-party partner integrations. You can also see blog posts by our partners to learn more about how you can use Check Point or Lookout solutions as part of this integration.
  • End users: No impact for end users. 

Availability 

  • Available to Enterprise Plus, Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education, and Nonprofits customers 
