
Mobile device management – 8 Google Workspace configurations to help protect employees’ phones


Agata Koptewicz

24 April 2022

A mobile device management solution is included in every Google Workspace plan, so if you use this suite of office productivity tools, you don’t have to invest in third-party MDM solutions. As an administrator, you can secure corporate data on personal devices and on those belonging to your organization using the endpoint management settings in the Google Admin console. The MDM security features provide better account privacy, detailed access control, and data protection.

Risks associated with unmanaged mobile devices

Remote employees process just as much critical customer and company data as stationary workers, but their business devices are far less secure than those left locked in an empty office overnight. Laptops and mobile phones that are taken off-site are vulnerable to, among other things: 

  • Loss, 
  • Theft,
  • Connection to a public Wi-Fi network,
  • Third-party access (e.g., employee’s friends and children).

Threats that are not related to the location of the device include:

  • Installation of untrusted programs and applications, 
  • Phishing attempts, 
  • Malicious websites, 
  • Connecting untrusted storage devices (e.g. flash drives),
  • Easy-to-guess passwords or no screen lock at all.

Each of these threats can, in certain circumstances, become a direct cause of data leakage. Such breaches entail not only reputational problems and loss of customer trust but often also high financial penalties for violations of GDPR or other security regulations.

What is mobile device management? 

Mobile Device Management (MDM for short) means connecting all laptops, computers, tablets and mobile phones that access corporate data to a system that allows administrators to monitor their activity and settings. MDM is an essential part of an enterprise mobility management (EMM) strategy, next to mobile application management, mobile content management, BYOD, and mobile information management.

There are many brands of mobile device management software. However, Google Workspace customers don’t have to implement external solutions, as this all-in-one service includes numerous security configurations. 

Two mobile device management levels in Google Workspace 

You can tailor how far the MDM service interferes with security settings on employee devices to meet your organization’s needs by selecting basic or advanced control options. The availability of advanced options depends on the plan your company is using. 

Basic features of managing mobile devices

The standard MDM feature set will come in handy for any business, as it allows you to set up fundamental barriers to unauthorized access, as well as quickly respond to theft or loss of a device. This level of security in Google Workspace is customizable and includes: 

  • An inventory of all devices on which employees have logged into the business Google account,
  • The ability to enforce using a password or screen lock on devices,
  • Protection of device data against hacking attacks and malware,
  • Remote user logout and deletion of company data from the device,
  • Lists of safe apps on Android,
  • Mobile device reports to help detect suspicious activity,
  • Forcing a re-login on the device.

The basic MDM system gives administrators partial remote control over access to the company data processed on employees’ mobile phones and laptops. These essential features are customizable, turned on by default, and available in every Google Workspace plan. 

Advanced mobile device management

If you want to ensure a high standard of data protection on mobile devices, configure advanced MDM features to manage mobile devices. These can be applied to user accounts with Google Workspace licences in Business Plus, Enterprise, Education Standard, Education Plus, and accounts subscribed to Cloud Identity Premium. 

This level of MDM equips administrators with an arsenal of features such as:

  • Enforcement of strong access credentials,
  • Option to approve new devices in the administration console, 
  • Full remote device memory wipe,
  • Application management for iOS,
  • Extended reporting that includes app and security information for mobile security,
  • Security policies for encryption, file transfers, camera use and data synchronization.

To implement some of these functionalities, you may need to install an additional application, such as Google Device Policy or Android Device Policy. MDM settings vary by OS version. 


How to connect mobile devices to the Google Admin console? 

Automatic registration

When does a mobile device become visible in the administration panel? As soon as the user logs in to a Google Workspace service on it. This means that the administrator does not have to take any steps to get an overview of the number of laptops and phones on which the company’s data is processed. Most mobile device management rules can also be deployed remotely on employees’ personal devices if they use them to access business mail and files, or if your company works in a BYOD (Bring Your Own Device) model. 

Administrative registration of company-owned devices with MDM

Company devices should be registered in the console even before they are distributed among end-users. Administrators can do this in two ways: 

  • Manual registration – the administrator prepares an inventory of devices by importing a list of serial numbers. This way, new employee logins do not need to be verified, and the administrator can receive notifications about devices that don’t show activity.   
  • Zero-touch enrolment – whenever the device is turned on (even if factory settings have been restored), it automatically logs into the MDM system and remains under the company’s control. This feature is available on Android devices only. 

It is worth noting that MDM settings do not have to be implemented globally across the company. You can vary the strictness of security by setting different conditions for each organizational unit in Google Workspace. 

8 MDM configurations in the Google Workspace console that will secure employees’ phones

Let’s discuss the most important settings that an administrator can adjust in the Google Workspace console to provide greater security for company data handled on employees’ mobile devices.

1. Require strong passwords

With basic MDM options, you can enforce setting a screen lock or password on managed mobile devices to help protect your organization’s data from prying eyes. While using the advanced mobile device management features, you have even more control – you can specify detailed password requirements such as: 

  • Minimum number of characters, 
  • Password validity period, 
  • Preventing re-use of an expired password, 
  • Automatic device memory wipe after a specified number of failed login attempts.
Settings of password strength requirements in Google Workspace

2. Manage mobile apps in your organization

You can decide which Android or iOS apps users can find and download on their devices by creating a list of allowed web and mobile apps in the Google Admin console. It can include both public and private apps. In the list, you can specify settings for managed apps, such as automatic installation on devices and whether users can uninstall them themselves.

User access to managed apps settings
App access settings

3. Force device encryption

You can require that data on devices is encrypted while they are locked. This ensures that content stored on the phone can only be read when the device is unlocked. Forcing encryption will help reduce the risk of data leakage if a user’s mobile device is lost, stolen or sold.

4. Block mobile devices with compromised security

Hackers can breach a phone’s security in many ways, and things like an unlocked bootloader, custom ROM or a superuser binary file make it much easier. You can prevent users from accessing company account data on mobile devices that show signs of being hacked. Google Workspace or Cloud Identity data will be inaccessible on such devices.

Blocking compromised mobile devices in the Google Admin console

5. Get reports on mobile device inactivity

When it comes to company-owned devices, one of the most suspicious activities is inactivity. Google Workspace can generate a monthly report for you about company-owned Android devices that have not synced any business data for the last 30 days. All super administrators and other recipients added to the console will receive an automatic email with the report. The file contains a list of idle devices and information about who has logged on to them recently.

Inactive company-owned devices reports settings

6. Set automatic data wipe for inactive devices

Inactivity is easy to miss if you don’t monitor the device inventory regularly. In mobile device management in Google Workspace, the first administrative steps can be taken automatically if a device hasn’t been syncing data for too long. Auto wipe remotely removes business account data and managed applications from Android devices that show no activity for a certain number of days.

Auto wipe for inactive devices settings
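
An added example, not part of the original article or of Google's tooling: a dry run that shows which devices the 30-day inactivity report and an auto-wipe threshold would catch before the rule is switched on. The inventory is constructed; the field names follow the Admin SDK Directory API `mobiledevices` resource, and the 60-day wipe threshold and function names are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample inventory. Field names follow the Admin SDK Directory API
# mobiledevices resource (serialNumber, email, os, lastSync); values are made up.
DEVICES = [
    {"serialNumber": "SN-0001", "email": ["ann@example.com"], "os": "Android 12",
     "lastSync": "2022-04-20T08:15:00.000Z"},
    {"serialNumber": "SN-0002", "email": ["bob@example.com"], "os": "Android 11",
     "lastSync": "2022-03-10T17:40:00.000Z"},
    {"serialNumber": "SN-0003", "email": ["eve@example.com"], "os": "Android 10",
     "lastSync": "2022-01-02T09:00:00.000Z"},
    {"serialNumber": "SN-0004", "email": [], "os": "Android 12"},  # never synced
]


def days_idle(device, now):
    """Whole days since the last sync, or None if the device never synced."""
    stamp = device.get("lastSync")
    if not stamp:
        return None
    last = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return (now - last).days


def classify(devices, now, report_after=30, wipe_after=60):
    """Bucket serial numbers by what each inactivity rule would do to them."""
    # report_after mirrors the 30-day window of the inactivity report;
    # wipe_after is a hypothetical auto-wipe setting chosen by the admin.
    buckets = {"ok": [], "report": [], "wipe": [], "never_synced": []}
    for dev in devices:
        idle = days_idle(dev, now)
        if idle is None:
            key = "never_synced"  # needs manual review, not an automatic wipe
        elif idle >= wipe_after:
            key = "wipe"
        elif idle >= report_after:
            key = "report"
        else:
            key = "ok"
        buckets[key].append(dev["serialNumber"])
    return buckets


if __name__ == "__main__":
    as_of = datetime(2022, 4, 24, tzinfo=timezone.utc)
    for name, serials in classify(DEVICES, as_of).items():
        print(f"{name:13} {serials}")
```

Reviewing the "wipe" and "never_synced" buckets with device owners before enabling auto wipe avoids erasing a phone that is merely in a drawer during someone's leave.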

7. Configure automatic blocking of Android devices that don’t comply with your organization’s policies

If a device is no longer compliant with any of your organization’s policies, you can automatically lock or completely wipe it, preventing it from accessing corporate data. You can set scope, conditions, and actions. Users get a notification when their devices are affected by this rule. 

Blocking rules can be triggered by states and activities such as: 

  • Account registration change
  • Device action event
  • Device application change
  • Device compliance status (Android only)
  • Device compromise (Android only)
  • Device OS update
  • Device ownership (Android only)
  • Device settings change (Android only)
  • Device sync
  • Failed screen unlock attempts (Android only)
  • Suspicious activity
  • Work profile support (Android only)
Setting custom rules for mobile devices in Google Workspace

8. Use context-dependent access settings

Context-aware access is an advanced configuration available in Google Workspace Enterprise (for enterprise mobile devices), Education Standard and Plus. It allows you to set different levels of access to data depending on the identity of the user and the context of the request. It checks attributes such as:

  • IP subnetwork,
  • Geographical location, 
  • Device policies, 
  • Device operating system.

How can you use this feature in practice? As an administrator, you can, for example:

  • Block a mobile device’s access to Google apps (web and mobile) if the device is outside a specific country or region, or if it does not meet encryption and password requirements;
  • Create an access level for Gmail that requires users to connect from a specific range of IP addresses and their devices to be encrypted;
  • Allow access to applications only from corporate devices and on the corporate network;
  • And many other combinations.
Context-aware access in Google Admin console
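
An added example, not from the original article and not Google's policy engine: a local model of an access level that combines the conditions listed above (IP range, region, encryption, screen lock) and reports why a request is refused. The level, the request fields and all values are hypothetical and constructed for illustration.

```python
import ipaddress

# Hypothetical access level modelled on the Gmail example above: requests must
# come from the corporate IP range AND from an encrypted, screen-locked device.
GMAIL_LEVEL = {
    "ip_ranges": ["203.0.113.0/24"],   # documentation range, constructed
    "regions": {"PL", "RO", "HU"},     # allowed country codes, constructed
    "require_encrypted": True,
    "require_screen_lock": True,
}

# Constructed request contexts.
REQUESTS = {
    "office": {"ip": "203.0.113.25", "region": "PL",
               "encrypted": True, "screen_lock": True},
    "cafe": {"ip": "198.51.100.7", "region": "PL",
             "encrypted": True, "screen_lock": True},
    "abroad": {"ip": "203.0.113.9", "region": "US",
               "encrypted": False, "screen_lock": True},
    "unknown_posture": {"ip": "203.0.113.9", "region": "PL"},
}


def evaluate(level, request):
    """Return (allowed, reasons); every configured condition must hold."""
    reasons = []
    try:
        ip = ipaddress.ip_address(request.get("ip", ""))
        nets = [ipaddress.ip_network(n) for n in level.get("ip_ranges", [])]
        if nets and not any(ip.version == n.version and ip in n for n in nets):
            reasons.append("ip outside allowed ranges")
    except ValueError:
        reasons.append("ip missing or malformed")  # fail closed
    regions = level.get("regions")
    if regions and request.get("region") not in regions:
        reasons.append("region not allowed")
    # Unknown device posture counts as non-compliant (fail closed).
    if level.get("require_encrypted") and request.get("encrypted") is not True:
        reasons.append("device not encrypted")
    if level.get("require_screen_lock") and request.get("screen_lock") is not True:
        reasons.append("no screen lock")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(name, evaluate(GMAIL_LEVEL, req))
```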

Get unified endpoint management in Google Workspace

FOTC is a team of Google Certified Cloud Engineers who are always ready to support you in overcoming challenges during the configuration of your company’s data protection systems. With our help, you can build a better online hybrid collaboration environment for your employees. Working with a Google Cloud partner will also allow you to optimize your Google Workspace expenses with discounts that aren’t available anywhere else. 

Let’s talk about the needs of your company. We will prepare a personalized offer for the implementation and data migration from the current solution to Google Workspace. You can also transfer licences to FOTC to pay less than directly at Google.


Agata Koptewicz

Content manager at FOTC since 2019. For the past 7 years, she has been involved in copywriting, creative writing, and content development for gaming, technology, and eCommerce companies. She is passionate about designing strategies for effective communication.

Copyright © 2014 – 2024 Fly On The Cloud sp. z o.o. KRS: 0000500884, NIP: 8971797086, REGON: 022370270