Tag Archives: MDM

Distribute certificates for mobile devices via MDM

What’s changing 

We’re making it possible to issue digital certificates to iOS and Android devices for secure access even when those devices are not connected to the corporate network. This will make it easier to provide new mobile devices with identification, authentication, and access to G Suite and other corporate resources. This is available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers using Google Endpoint Management via an on-premises connector.

Who’s impacted 

Admins

Why it’s important 

Certificates are an important way to identify and authenticate mobile devices so they are able to securely access corporate resources. These resources can include G Suite, enterprise WiFi hotspots, and more.

Some customers require devices to be on premises and behind a firewall before device certificates can be distributed to them. As some users can no longer access corporate locations and networks, customers need a way to issue these certificates remotely.

By providing this feature, we are helping these customers keep their employees connected and productive even when they’re not in the office.

Rollout pace 


  • This feature is available now. 

Availability 


  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers 

Revamped My Devices page will help users find and manage their devices

Quick launch summary 

We’re making some updates to the My Devices page. Users can go to the page to see the devices they’ve used to log in to G Suite and then manage those devices. It includes detailed device information, an option to log out of the device, and an option to wipe the device. You may notice:

  • A new URL, as the page is now found at mydevices.google.com, rather than google.com/apps/mydevices. Soon, we’ll start to redirect users from the old site to the new site. 
  • The page now includes both mobile and desktop devices. The old page only showed mobile devices. 
  • Detailed device information. This is the same as the previous site. 
  • Options to manage device access and wipe the device if desired. This is the same as the previous site. 


The new My Devices page at mydevices.google.com 


The old My Devices page at google.com/apps/mydevices 

Availability 

Rollout details 


G Suite editions 
Available to all G Suite editions

On/off by default? 
This feature will be ON by default.

Stay up to date with G Suite launches

Fundamental device management brings basic coverage to all desktop computers

What’s changing 

With this launch, all desktop devices that log in to G Suite will get fundamental device management by default. This means that when a user logs in to G Suite through any browser on a Windows, Mac, Chrome, or Linux device, the device will be registered with endpoint management. This will happen automatically upon login and does not require any other user actions or software to be installed on the device.

When a device is registered with fundamental device management, admins can see the device type, operating system, first sync time, and last sync time in the Admin console. They can also sign the user out from that device.

This provides the basic benefits of device management without additional costs or requiring installation of agents or profiles. We’re also making enhancements to the filters available in the device list that will strengthen our endpoint verification and Context-Aware Access functionality. See more information below.

Who’s impacted 

Admins only

Why you’d use it 

Fundamental device management provides a base level of security to every desktop device that accesses G Suite data. The device data collected can help admins make more informed security and policy decisions about how to manage the devices in their organization. More specifically, the feature will help admins to:
  • Get a clearer picture of all the devices that are accessing corporate data. 
  • Use more comprehensive data to analyze device access in the organization through reports and the security center. For example, you could use it to identify devices that require OS updates. 
  • Take remedial action to remotely sign out a user when a device is lost, stolen, or compromised.
  • Improve Context-Aware Access controls. The device inventory will be more comprehensive, and admins can use a new “Exclude Endpoint Verification” filter, which will enable admins to see which devices would not be able to access G Suite when context-aware access is deployed. 


Additional details 


Fundamental desktop management provides device information without apps or agents 

When fundamental device management is enabled, the admin will get information about a limited set of device properties: device type, device model, OS version, first sync, and last sync.

This will be visible in two places in the Admin console:

  • The devices list found at Admin console > Device management > Devices > Endpoints
  • The audit section found at Admin console > Reporting > Audit > Devices

Information about devices with fundamental device management will be listed alongside devices that use other agents to provide admins with details about devices accessing corporate data. Admins can filter the endpoint list by “Management Type” to see devices with a specific device management type, such as fundamental, endpoint verification, or Drive File Stream.

You can filter for “Fundamental” managed devices at Admin console > Device management > Devices 

A device page with information provided through fundamental device management 


Limitations of fundamental device management and other endpoint verification options 
Fundamental device management is designed to be an agentless, lightweight information collection tool. Its goal is to provide a basic data set, which can help admins make some decisions and add some controls to devices accessing their data.

Google provides other services, which offer more detailed data and enable more comprehensive controls to admins, including endpoint verification, Chrome device management, Drive File Stream, and Google Mobile Management.

New Endpoint Verification filter helps deploy Endpoint Verification and Context-Aware Access

We’re also adding the ability to filter for devices without endpoint verification in the device list at Admin console > Device management > Devices. This can help admins to identify devices which are accessing corporate data without endpoint verification, and see if they’d like to install endpoint verification on any of them. This can also improve the deployment of Context-Aware Access, which relies on Endpoint Verification. By seeing users and devices without Endpoint Verification installed, admins can identify and avoid potential user disruption before turning on Context-Aware Access. 

Availability 

Rollout details 

  • Rapid and Scheduled Release domains
    • Extended rollout (longer than 15 days for feature visibility) starting on October 29, 2019. 
    • Rollout could take up to 6 months to reach all domains. 
    • When it reaches your domain, you’ll see the banner pictured below, and there will be a new “Management Type > Fundamental” filter option available in the endpoint devices list. 

When the rollout reaches your domain, you’ll see this banner when you go to Admin console > Device management > Devices 

When the rollout reaches your domain, you’ll see the “Fundamental” management type filter option at Admin Console > Device Management > Devices. 


G Suite editions 
Available to all G Suite editions.

On/off by default? 
This feature will be enabled by default.


Google Device Policy app ending support for iOS 9.0 soon

Quick launch summary 

The Google Device Policy app won’t support mobile devices running iOS version 9.0 or lower after the end of 2019. If your organization has advanced mobile device management (MDM) enabled, users must upgrade to iOS version 10.0 or higher to access new MDM features or to download the Device Policy app for the first time.

We will remove support for iOS 9.0 in the first release of the Device Policy app in 2020. Therefore, please ensure your users upgrade their devices before the end of the year to avoid any disruption to their work.

Use our Help Center to find more information on minimum device requirements for Google mobile management.


See encryption status and security patch level for devices with basic mobile management

What’s changing 

We will now show more information about devices with basic mobile management in the G Suite Admin console. Specifically, admins will now be able to see the encryption state and the security patch level for Android devices. Previously, this information was only available for devices with advanced mobile management.

Who’s impacted 

Admins only

Why you’d use it 

Encryption state and security patch level are important pieces of information for assessing device security. There is less risk of a data leak from a lost or stolen mobile device if that device is encrypted and password protected. Devices with more recent security patch levels are typically less susceptible to attacks than devices with older patch levels.

By making this information available for more devices, we hope you can better understand potential security vulnerabilities, better track the progress of security improvement initiatives, and make access-level decisions and rules to help ensure data is secure in your organization.

Additional details 

Encryption status is available for Android devices with API level 11 (Android 3.0) and up, and security patch level is available for Android devices with API level 23 (Android M) and up.

  • You can see both encryption status and security patch level on the device detail page for each device in the Admin console. This is available to all G Suite customers. 
  • You can also see the security patch level in the devices audit logs at Admin console > Reports > Devices. Note that the devices audit log is only available to G Suite Business, G Suite Enterprise, and G Suite Enterprise for Education domains. 
  • You can set up rules based on this information to automate mobile management tasks.


Availability 

Rollout details 

  • Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on September 3, 2019 
  • Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on September 3, 2019 


G Suite editions 
Available to all G Suite editions

On/off by default? 
This feature will be ON by default.


See OS version for devices with basic mobile management

What’s changing 

Admins will be able to see the operating system (OS) version for devices with basic mobile management. Previously, this information was only available for devices with advanced mobile management.

Who’s impacted 

Admins only

Why you’d use it 

OS version is an important piece of information for assessing device security. This is because devices with older OS versions may not receive all security patches and can be more prone to threats. With visibility into the OS versions used by more devices in your organization, you can better understand potential security vulnerabilities and take actions to make sure devices with access to corporate data are using OS versions you see as appropriate.

How to get started 

  • Admins: To see OS version for basic devices, go to Admin console > Device Management > Devices.
  • End users: No action needed. 


Additional details 

Admins will be able to see OS information in several places:

  1. On the devices list page (Admin console > Device Management > Devices) in the OS column. Previously this would have been blank for basic devices. On this page, admins will be able to filter devices with a specific OS to find devices with specific vulnerabilities or see what impact an OS update policy may have. 
  2. In the device detail page for each device. 
  3. In the audit logs at Admin console > Reports > Devices. Note that this is only available to G Suite Business, G Suite Enterprise, and G Suite Enterprise for Education domains. 


See and filter by OS version in the devices list view 

Helpful links 

Help Center: Set up basic mobile device management 

Availability 

Rollout details 

  • Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on April 4, 2019. 
  • Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on April 4, 2019. 

G Suite editions 
Available to all G Suite editions.

On/off by default? 
This feature will be ON by default.

Manage and distribute Android apps when using basic mobile management

What’s changing 

You can now manage Android apps for your users when using basic mobile management. Previously, you could only do this if you used advanced mobile management.

Who’s impacted 

Admins only

Why you’d use it 

With basic mobile management you can now:
  • Organize apps in the managed Google Play store 
  • Automatically install apps on users' devices 
  • Create web apps 
  • Create private apps 

See below for more info.

How to get started 

  • Admins: Go to Admin console > Device management > App Management > Manage apps for Android devices to start whitelisting and managing Android apps.
  • End users: No action needed. Users in basic mobile management domains will now see a “Work apps” section in the managed Google Play store. The section contains the default G Suite apps and other apps that are whitelisted from the Admin console.

Additional details 


Organize apps in the managed Google Play store: 
To help your users find the apps they need, you can organize apps into collections. These collections appear on devices in the “Work apps” section in the managed Google Play store.

Automatically install apps: 
With basic mobile management you can now automatically install apps on your users’ devices. Use our Help Center to find out how to manage app preferences. Note that preventing users from uninstalling apps, and some other advanced features, require advanced mobile management.

Create web apps 
You can now create and manage web apps in the Admin console. Web apps look like native apps and can make web pages easier to find and simpler to use on mobile devices. You can also distribute web apps the same way you distribute native apps–by adding them to collections in a managed Google Play store or automatically installing them on users’ devices.

Create private apps 
You can now create private Android apps directly from the Admin console. Simply upload the APK and give the app a title. The app will appear in the managed Google Play store within minutes. You can also install the app directly on your users’ devices (see above). Previously, it took several hours to create and publish an app, and you had to create a Play Console account, provide a credit card, and fill in many other fields before the app would be available to your users.


The ‘Work Apps’ tab in the managed Google Play store has the G Suite apps and other apps whitelisted by admins. 

Availability 

Rollout details 

G Suite editions:
Available to all G Suite editions.

On/off by default? 
This feature will be OFF by default until app management is set up, and can be enabled at the domain, OU, or group level.

Stay up to date with G Suite launches
  • Get G Suite product update alerts by email
  • See the G Suite launch release calendar
  • Subscribe to the RSS feed of these updates

View company-owned desktop and mobile devices in one place

    With this launch, we’re making it possible for G Suite admins to view a more complete picture of the desktop and mobile devices used by employees in their organization.

    Add and view device info in the Admin console 

    To see a list of the devices your organization owns, you simply need to upload a CSV file listing those devices and their serial numbers in the Admin console. Previously, you could only upload Android devices; you can now add Endpoint Verification devices (Mac, Windows, and Chrome) as well.


    These devices will then appear in the company-owned devices list and show as company-owned when you click for more device details.



    Launch Details
    Release track:
    Launching to both Rapid Release and Scheduled Release

    Editions: 

    • Uploading Endpoint Verification devices available to all G Suite editions 
    • Uploading Android devices available to G Suite Business, Education, Enterprise, and Enterprise for Education editions only 


    Rollout pace: 
    Gradual rollout (up to 15 days for feature visibility)

    Impact: 
    Admins only

    Action: 
    Admin action suggested/FYI

    More Information
    Help Center: Add company-owned devices 



    Launch release calendar
    Launch detail categories
    Get these product update alerts by email
    Subscribe to the RSS feed of these updates

    Reset passwords for and lock company-owned Android devices

    G Suite admins in domains with Google Mobile Management enabled can already take actions to protect the data on their users’ mobile devices. For example, they can require devices to have screen locks and wipe devices when they’re lost or stolen. With this launch, we’re giving admins additional capabilities—they can now remotely reset the password on a company-owned Android device or lock the device entirely.


    Reset device password

    If a user forgets their device password, you may want to reset it for them.


    Check out the Help Center for instructions on how to reset the password on a user’s device.

    Lock device

    If a user loses their device, you may want to lock it until it’s found. This will force users to enter the device’s password before using it.


    Check out the Help Center for more info on locking user devices.

    Please note that the reset password and lock functions can only be used in domains that have advanced mobile management enabled.

    Launch Details
    Release track:
    Launching to both Rapid Release and Scheduled Release

    Editions:
    Available to G Suite Business and Enterprise editions, as well as Cloud Identity Premium

    Rollout pace:
    Extended rollout (potentially longer than 15 days for feature visibility)

    Impact:
    Admins only

    Action:
    Admin action suggested/FYI

    More Information
    Help Center: Lock a device and reset its password


    Better insight into the managed mobile devices in your organization

    As a G Suite admin, it’s important that you can easily view and obtain critical information about the mobile devices your organization manages. That’s why we’re making those details easier to find and utilize with our updated mobile device list in the Admin console.

    Filter for key characteristics, take bulk actions, and more

    This list, located at Device management > Mobile devices, is not only faster and easier to scan, it allows you to do the following:

    • Filter by several categories (e.g. user name, last sync date, compromised devices, etc.), and save the URL to apply the same filters later.
    • Search by keyword or serial number.
    • Add and remove columns, and increase the number of rows shown per page.
    • Download selected columns, export them to Google Sheets, and view the progress of that task.
    • Take action on multiple devices at once and directly from the device details page.

    The mobile device list now shows all assigned mobile devices (both company-owned and personal) in one view.


    More details about individual devices

    Depending on the type of mobile management (advanced or basic) you have enabled for your organization, you can take some of the following actions when you click on a specific mobile device in the list:

    • Block, wipe, or delete the device or account.
    • See all of the apps installed on that device, and identify those that may be harmful.
    • Email the device’s user directly.
    • Learn if a device isn’t compliant and why.


    Visit the Help Center to learn more about the new and improved mobile devices list, and the ways it can help you manage mobile devices in your organization.

    Launch Details
    Release track:
    Launching to both Rapid Release and Scheduled Release

    Editions:
    Available to all G Suite editions

    Rollout pace:
    Extended rollout (potentially longer than 15 days for feature visibility)

    Impact:
    Admins only

    Action:
    Admin action suggested/FYI

    More Information
    Help Center: View and manage mobile devices

