Tag Archives: MDM

Fundamental device management brings basic coverage to all desktop computers

What’s changing 

With this launch, all desktop devices that log in to G Suite will get fundamental device management by default. This means that when a user logs in to G Suite through any browser on a Windows, Mac, Chrome, or Linux device, the device will be registered with endpoint management. This will happen automatically upon login and does not require any other user actions or software to be installed on the device.

When a device is registered with fundamental device management, admins can see the device type, operating system, first sync time, and last sync time in the Admin console. They can also sign the user out from that device.

This provides the basic benefits of device management without additional costs or requiring installation of agents or profiles. We’re also making enhancements to the filters available in the device list that will strengthen our endpoint verification and Context-Aware Access functionality. See more information below.

Who’s impacted 

Admins only

Why you’d use it 

Fundamental device management provides a base level of security to every desktop device that accesses G Suite data. The device data collected can help admins make more informed security and policy decisions about how to manage the devices in their organization. More specifically, the feature will help admins to:
  • Get a clearer picture of all the devices that are accessing corporate data. 
  • Use more comprehensive data to analyze device access in the organization through reports and the security center. For example, you could use it to identify devices that require OS updates. 
  • Take remedial action to remotely sign out a user when a device is lost, stolen, or compromised.
  • Improve Context-Aware Access controls. The device inventory will be more comprehensive, and admins can use a new “Exclude Endpoint Verification” filter, which will enable admins to see which devices would not be able to access G Suite when context-aware access is deployed. 





Additional details 


Fundamental desktop management provides device information without apps or agents 

When fundamental device management is enabled, the admin will get information about a limited set of device properties: device type, device model, OS version, first sync, and last sync.

This will be visible in two places in the Admin console:

  • The devices list found at Admin console > Device management > Devices > Endpoints
  • The audit section found at Admin console > Reporting > Audit > Devices

Information about devices with fundamental device management will be listed alongside devices that use other agents to provide admins with details about devices accessing corporate data. Admins can filter the endpoint list by “Management Type” to see devices with a specific device management type, such as fundamental, endpoint verification, or Drive File Stream.

You can filter for “Fundamental” managed devices at Admin console > Device management > Devices 

A device page with information provided through fundamental device management 


Limitations of fundamental device management and other endpoint verification options 
Fundamental device management is designed to be an agentless, lightweight information collection tool. Its goal is to provide a basic data set, which can help admins make some decisions and add some controls to devices accessing their data.

Google provides other services, which offer more detailed data and enable more comprehensive controls to admins, including endpoint verification, Chrome device management, Drive File Stream, and Google Mobile Management.

New Endpoint Verification filter helps deploy Endpoint Verification and Context-Aware Access

We’re also adding the ability to filter for devices without endpoint verification in the device list at Admin console > Device management > Devices. This can help admins to identify devices which are accessing corporate data without endpoint verification, and see if they’d like to install endpoint verification on any of them. This can also improve the deployment of Context-Aware Access, which relies on Endpoint Verification. By seeing users and devices without Endpoint Verification installed, admins can identify and avoid potential user disruption before turning on Context-Aware Access. 




Availability 

Rollout details 

  • Rapid and Scheduled Release domains
    • Extended rollout (longer than 15 days for feature visibility) starting on October 29, 2019. 
    • Rollout could take up to 6 months to reach all domains. 
    • When it reaches your domain, you’ll see the banner pictured below, and there will be a new “Management Type > Fundamental” filter option available in the endpoint devices list. 

When the rollout reaches your domain, you’ll see this banner when you go to Admin console > Device management > Devices 

When the rollout reaches your domain, you’ll see the “Fundamental” management type filter option at Admin Console > Device Management > Devices. 


G Suite editions 
Available to all G Suite editions.

On/off by default? 
This feature will be enabled by default.


Stay up to date with G Suite launches

Google Device Policy app ending support for iOS 9.0 soon

Quick launch summary 

The Google Device Policy app won’t support mobile devices running iOS version 9.0 or lower after the end of 2019. If your organization has advanced mobile device management (MDM) enabled, users must upgrade to iOS version 10.0 or higher to access new MDM features or to download the Device Policy app for the first time.

We will remove support for iOS 9.0 in the first release of the Device Policy app in 2020. Therefore, please ensure your users upgrade their devices before the end of the year to avoid any disruption to their work.

Use our Help Center to find more information on minimum device requirements for Google mobile management.



See encryption status and security patch level for devices with basic mobile management

What’s changing 

We will now show more information about devices with basic mobile management in the G Suite Admin console. Specifically, admins will now be able to see the encryption state and the security patch level for Android devices. Previously, this information was only available for devices with advanced mobile management.

Who’s impacted 

Admins only

Why you’d use it 

Encryption state and security patch level are important pieces of information for assessing device security. There is less risk of a data leak from a lost or stolen mobile device if that device is encrypted and password protected. Devices with more recent security patch levels are typically less susceptible to attacks than devices with older patch levels.

By making this information available for more devices, we hope you can better understand potential security vulnerabilities, better track the progress of security improvement initiatives, and make access-level decisions and rules to help ensure data is secure in your organization.





Additional details 

Encryption status is available for Android devices with API level 11 (Android 3.0) and up, and security patch level is available for Android devices with API level 23 (Android M) and up.

  • You can see both encryption status and security patch level on the device detail page for each device in the Admin console. This is available to all G Suite customers. 
  • You can also see the security patch level in the devices audit logs at Admin console > Reports > Devices. Note that the devices audit log is only available to G Suite Business, G Suite Enterprise, and G Suite Enterprise for Education domains. 
  • You can set up rules based on this information to automate mobile management tasks.







Availability 

Rollout details 

  • Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on September 3, 2019 
  • Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on September 3, 2019 


G Suite editions 
Available to all G Suite editions

On/off by default? 
This feature will be ON by default.



See OS version for devices with basic mobile management

What’s changing 

Admins will be able to see the operating system (OS) version for devices with basic mobile management. Previously, this information was only available for devices with advanced mobile management.

Who’s impacted 

Admins only

Why you’d use it 

OS version is an important piece of information for assessing device security. This is because devices with older OS versions may not receive all security patches and can be more prone to threats. With visibility into the OS versions used by more devices in your organization, you can better understand potential security vulnerabilities and take actions to make sure devices with access to corporate data are using OS versions you see as appropriate.

How to get started 

  • Admins: To see OS version for basic devices, go to Admin console > Device Management > Devices
  • End users: No action needed. 


Additional details 

Admins will be able to see OS information in several places:

  1. On the devices list page (Admin console > Device Management > Devices) in the OS column. Previously this would have been blank for basic devices. On this page, admins will be able to filter devices with a specific OS to find devices with specific vulnerabilities or see what impact an OS update policy may have. 
  2. In the device detail page for each device. 
  3. In the audit logs at Admin console > Reports > Devices. Note that this is only available to G Suite Business, G Suite Enterprise, and G Suite Enterprise for Education domains. 


See and filter by OS version in the devices list view 

Helpful links 

Help Center: Set up basic mobile device management 

Availability 

Rollout details 

  • Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on April 4, 2019. 
  • Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on April 4, 2019. 

G Suite editions 
Available to all G Suite editions.

On/off by default? 
This feature will be ON by default.


Manage and distribute Android apps when using basic mobile management

What’s changing 

You can now manage Android apps for your users when using basic mobile management. Previously, you could only do this if you used advanced mobile management.

Who’s impacted 

Admins only

Why you’d use it 

With basic mobile management you can now:
  • Organize apps in the managed Google Play store 
  • Automatically install apps on users' devices 
  • Create web apps 
  • Create private apps 

See below for more info.

How to get started 

  • Admins: Go to Admin console > Device management > App Management > Manage apps for Android devices, to start to whitelist and manage Android apps
  • End users: No action needed. Users in basic mobile management domains will now see a “Work apps” section in the managed Google Play store. The section contains the default G Suite apps and other apps that are whitelisted from the Admin console

Additional details 


Organize apps in the managed Google Play store: 
To help your users find the apps they need, you can organize apps into collections. These collections appear on devices in the “Work apps” section in the managed Google Play store.

Automatically install apps: 
With basic mobile management you can now automatically install apps on your users’ devices. Use our Help Center to find out how to manage app preferences. Note that preventing users from uninstalling apps, and some other advanced features, require advanced mobile management.

Create web apps 
You can now create and manage web apps in the Admin console. Web apps look like native apps and can make web pages easier to find and simpler to use on mobile devices. You can also distribute web apps the same way you distribute native apps–by adding them to collections in a managed Google Play store or automatically installing them on users’ devices.

Create private apps 
You can now create private Android apps directly from the Admin console. Simply upload the APK and give the app a title. The app will appear in the managed Google Play store within minutes. You can also install the app directly on your users’ devices (see above). Previously, it took several hours to create and publish an app, and you had to create a Play Console account, provide a credit card, and fill in many other fields before the app would be available to your users.


The ‘Work Apps’ tab in the managed Google Play store has the G Suite apps and other apps whitelisted by admins. 



Availability 


G Suite editions:
Available to all G Suite editions.

On/off by default? 
This feature will be OFF by default until app management is set up, and can be enabled at the domain, OU, or group level.

Stay up to date with G Suite launches
  • Get G Suite product update alerts by email
  • See the G Suite launch release calendar
  • Subscribe to the RSS feed of these updates

    View company-owned desktop and mobile devices in one place

    With this launch, we’re making it possible for G Suite admins to view a more complete picture of the desktop and mobile devices used by employees in their organization.

    Add and view device info in the Admin console 

    To see a list of the devices your organization owns, you simply need to upload a CSV file listing those devices and their serial numbers in the Admin console. Previously, you could only upload Android devices; you can now add Endpoint Verification devices (Mac, Windows, and Chrome) as well.


    These devices will then appear in the company-owned devices list and show as company-owned when you click for more device details.



    Launch Details
    Release track:
    Launching to both Rapid Release and Scheduled Release

    Editions: 

    • Uploading Endpoint Verification devices available to all G Suite editions 
    • Uploading Android devices available to G Suite Business, Education, Enterprise, and Enterprise for Education editions only 


    Rollout pace: 
    Gradual rollout (up to 15 days for feature visibility)

    Impact: 
    Admins only

    Action: 
    Admin action suggested/FYI

    More Information
    Help Center: Add company-owned devices 



    Launch release calendar
    Launch detail categories
    Get these product update alerts by email
    Subscribe to the RSS feed of these updates

    Reset passwords for and lock company-owned Android devices

    G Suite admins in domains with Google Mobile Management enabled can already take actions to protect the data on their users’ mobile devices. For example, they can require devices to have screen locks and wipe devices when they’re lost or stolen. With this launch, we’re giving admins additional capabilities—they can now remotely reset the password on a company-owned Android device or lock the device entirely.


    Reset device password

    If a user forgets their device password, you may want to reset it for them.


    Check out the Help Center for instructions on how to reset the password on a user’s device.

    Lock device

    If a user loses their device, you may want to lock it until it’s found. This will force users to enter the device’s password before using it.


    Check out the Help Center for more info on locking user devices.

    Please note that the reset password and lock functions can only be used in domains that have advanced mobile management enabled.

    Launch Details
    Release track:
    Launching to both Rapid Release and Scheduled Release

    Editions:
    Available to G Suite Business and Enterprise editions, as well as Cloud Identity Premium

    Rollout pace:
    Extended rollout (potentially longer than 15 days for feature visibility)

    Impact:
    Admins only

    Action:
    Admin action suggested/FYI

    More Information
    Help Center: Lock a device and reset its password



    Better insight into the managed mobile devices in your organization

    As a G Suite admin, it’s important that you can easily view and obtain critical information about the mobile devices your organization manages. That’s why we’re making those details easier to find and utilize with our updated mobile device list in the Admin console.

    Filter for key characteristics, take bulk actions, and more

    This list, located at Device management > Mobile devices, is not only faster and easier to scan, it allows you to do the following:

    • Filter by several categories (e.g. user name, last sync date, compromised devices, etc.), and save the URL to apply the same filters later.
    • Search by keyword or serial number.
    • Add and remove columns, and increase the number of rows shown per page.
    • Download selected columns, export them to Google Sheets, and view the progress of that task.
    • Take action on multiple devices at once and directly from the device details page.

    The mobile device list now shows all assigned mobile devices (both company-owned and personal) in one view.


    More details about individual devices

    Depending on the type of mobile management (advanced or basic) you have enabled for your organization, you can take some of the following actions when you click on a specific mobile device in the list:

    • Block, wipe, or delete the device or account.
    • See all of the apps installed on that device, and identify those that may be harmful.
    • Email the device’s user directly.
    • Learn if a device isn’t compliant and why.


    Visit the Help Center to learn more about the new and improved mobile devices list, and the ways it can help you manage mobile devices in your organization.

    Launch Details
    Release track:
    Launching to both Rapid Release and Scheduled Release

    Editions:
    Available to all G Suite editions

    Rollout pace:
    Extended rollout (potentially longer than 15 days for feature visibility)

    Impact:
    Admins only

    Action:
    Admin action suggested/FYI

    More Information
    Help Center: View and manage mobile devices



    Google Device Policy app ending support for iOS 8.0 soon

    The next release of the Google Device Policy app (version 3.04) won’t support mobile devices running iOS version 8.0 or lower. If your organization has advanced mobile device management (MDM) enabled, your users must upgrade to iOS version 9.0 or higher to access new MDM features or to download the Device Policy app for the first time.

    We’re planning to release version 3.04 of the Device Policy app as early as next week. Please encourage your users to upgrade their iOS devices as soon as possible to avoid any disruption to their work.

    More Information
    Help Center: Minimum device requirements 


    Making it easier to set up Android devices as company-owned

    When employees set up their phones and tablets as company-owned devices, they give your organization full control over those devices—allowing you to apply policies regarding app installation, network settings, security options, and more. This helps protect your users and your corporate data.

    If you have advanced mobile device management but don’t register your company-owned devices in the Admin console, your users must choose to set up their devices as company-owned.

    To encourage more users to make this choice, we’ll start showing the screen below to all users who add their G Suite account to a new Android device before adding their personal account.

    This change will start rolling out on September 19th, 2018; please note that it may take several weeks for it to take effect for all users.


    Starting on September 19th, users will be asked if they own the device they’re setting up. Unless they explicitly state that they own the device personally, ownership will be auto-assigned to your organization.

    Currently, your users only see this choice if your organization has Device Owner mode enabled. That option will disappear from the Admin console on September 19th.

    Note that users will only see the screen and option above on new (and recently factory-reset) devices running Android 6.0 or higher.

    Allowing users to install any app from the managed Google Play store

    In addition to the change outlined above, we’re making it easier to install apps on company-owned Android devices and work profiles.

    Currently, you have to actively whitelist apps to make them available to your users. Starting on September 19th, users with company-owned Android devices and work profiles will be allowed to install any app from the managed Google Play store by default. If you don’t want your users to do this, you can choose to restrict app availability to whitelisted apps.

    Launch Details
    Release track:
    Launching to both Rapid Release and Scheduled Release on September 19th, 2018

    Editions:
    Available to all G Suite and Cloud Identity Premium editions

    Rollout pace:
    Extended rollout (potentially longer than 15 days for feature visibility)

    Impact:
    All end users

    Action:
    Change management suggested/FYI

    More Information
    Help Center: Set up Android devices your company owns

