Setting up device approvals

As an admin, you can review and approve each Endpoint Verification device that accesses corporate data. By default, all devices are approved once users connect their Google accounts. You can tag these devices as approved or blocked.

Access Context Manager uses these tags to configure access levels based on admin approval.

Devices that are registered by serial number are approved automatically, even if you set up device approvals. See Configuring company owned devices for more information.

Enabling admin approval

Before you can tag devices, enable admin approval.

  1. Open the Google Workspace Admin Console and log in to your admin account.

  2. From the Admin console home page, go to Devices.

  3. In the navigation menu, click Mobile and endpoints > Universal settings > Security.

  4. Optional: To customize device approvals across organizational units, select an organization from the Organizational units pane.

  5. Click on the Security card.

  6. In the Device approvals section, select Requires admin approval.

  7. Optional: Enter an email address to get notifications when users enroll their devices. You can use a group email address that includes all admins who can activate devices.

  8. Click Save.

Approving and blocking devices

  1. Open the Google Workspace Admin Console and log in to your admin account.

  2. From the Admin console home page, go to Devices.

  3. Click Endpoints.

  4. Depending on whether you want to approve or block devices, perform the appropriate action:

    • To allow devices to access corporate data and to tag Endpoint Verification devices as approved, select the devices, click More and select Approve devices.

    • To prevent devices from accessing corporate data and to tag Endpoint Verification devices as blocked, select the devices, click Block.

When an employee adds a corporate account to their device, they see a message that an administrator needs to activate the device.

Enforcing admin approval

Approving or blocking a device doesn't change a device's ability to access corporate data. Instead, it adds a tag to the device that can be used to configure access levels with Access Context Manager. Follow the process below to enforce device approval settings.

  1. Secure your resources with IAP.

  2. Create an access level that sets the Device policy > Require admin approval attribute to Yes.

  3. Apply your access level to resources.
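
Because the approval tag has no effect until an access level requires it, it is worth checking which access levels actually enforce it. The following is an added example, not code from this documentation: it audits access levels exported as JSON and assumes they follow the Access Context Manager AccessLevel resource shape (`basic.conditions[].devicePolicy.requireAdminApproval`, `combiningFunction`, `negate`). The policy number, level names and subnet are constructed sample values.

```python
import json

# Constructed sample in the shape of Access Context Manager AccessLevel
# resources (e.g. from `gcloud access-context-manager levels list --format=json`).
# The policy number, level names and subnet are made up.
SAMPLE_LEVELS = json.loads("""
[
 {"name": "accessPolicies/000/accessLevels/approved_only",
  "basic": {"conditions": [{"devicePolicy": {"requireAdminApproval": true}}]}},
 {"name": "accessPolicies/000/accessLevels/approved_or_office",
  "basic": {"combiningFunction": "OR", "conditions": [
     {"devicePolicy": {"requireAdminApproval": true}},
     {"ipSubnetworks": ["203.0.113.0/24"]}]}},
 {"name": "accessPolicies/000/accessLevels/encrypted_only",
  "basic": {"conditions": [
     {"devicePolicy": {"allowedEncryptionStatuses": ["ENCRYPTED"]}}]}},
 {"name": "accessPolicies/000/accessLevels/custom_level",
  "custom": {"expr": {"expression": "origin.region_code == 'US'"}}}
]
""")

def condition_requires_approval(cond):
    """True if this condition can only match admin-approved devices."""
    required = cond.get("devicePolicy", {}).get("requireAdminApproval", False)
    # negate inverts the condition, so it would match devices that are NOT approved.
    return required and not cond.get("negate", False)

def classify(level):
    """Return 'enforced', 'not-enforced', or 'review' for one access level."""
    if "custom" in level:
        return "review"  # CEL expression; not evaluated here, check it by hand
    basic = level.get("basic", {})
    flags = [condition_requires_approval(c) for c in basic.get("conditions", [])]
    if not flags:
        return "not-enforced"
    if basic.get("combiningFunction", "AND") == "OR":
        ok = all(flags)  # any single condition grants access, so all must require approval
    else:
        ok = any(flags)  # every condition must hold, so one requiring approval is enough
    return "enforced" if ok else "not-enforced"

def audit(levels):
    """Map each level's short name to its classification."""
    return {lvl["name"].rsplit("/", 1)[-1]: classify(lvl) for lvl in levels}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_LEVELS).items():
        print(f"{name}: {verdict}")
```

Conditions that only reference other levels through `requiredAccessLevels` are not followed here and are reported as not-enforced, so check those levels separately.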