Setting up device approvals

As an admin, you can review and approve each Endpoint Verification device that accesses corporate data. By default, all devices are approved once users connect their Google accounts. You can tag these devices as approved or blocked.

Access Context Manager uses these tags to configure access levels based on admin approval.

Devices that are registered by serial number are approved automatically, even if you set up device approvals. See Configuring company owned devices for more information.

Enabling admin approval

Before you can tag devices, admin approval must be enabled.

  1. Open the Google Workspace Admin Console and log in to your admin account.

  2. From the Admin console home page, go to Devices.

  3. On the left, click Setup.

  4. Click Device Approvals.

  5. Optional. To customize device approvals across organizational units, on the left, select an organization.

  6. Select Requires Admin approval.

  7. Optional. Enter an email address to get notifications when users enroll their devices. You can use a group email address that includes all admins who can activate devices.

  8. Click Save.

Approving and blocking devices

  1. Open the Google Workspace Admin Console and log in to your admin account.

  2. From the Admin console Home page, go to Devices.

  3. Click Endpoint Verification.

  4. Select the checkbox next to devices you want to approve or block.

  5. Choose an option:

    1. To allow devices to access corporate data and to tag Endpoint Verification devices as approved, at the top of the page click More and then Approve devices.
    2. To prevent devices from accessing corporate data and to tag Endpoint Verification devices as blocked, at the top of the page click Block.

When an employee adds a corporate account to their device, they see a message that an administrator needs to activate the device.

Enforcing admin approval

Approving or blocking a device doesn't change a device's ability to access corporate data. Instead, it adds a tag to the device that can be used to configure access levels with Access Context Manager. Follow the process below to enforce device approval settings.

  1. Secure your resources with IAP.
  2. Create an access level that sets the Device policy > Require admin approval attribute to Yes.
  3. Apply your access level to resources.
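
Because the approved or blocked tag has no effect until an access level requires it, it is worth checking which access levels actually do. The script below is an added example, not part of the original page or of Google's tooling: it audits access levels in the JSON shape of the Access Context Manager AccessLevel resource, and the policy ID, level names and sample data are constructed placeholders.

```python
import json

# Constructed sample shaped like Access Context Manager AccessLevel resources,
# for instance from `gcloud access-context-manager levels list --format=json`.
SAMPLE_LEVELS = json.loads("""
[
  {"name": "accessPolicies/POLICY_ID/accessLevels/approved_only",
   "basic": {"conditions": [{"devicePolicy": {"requireAdminApproval": true}}]}},
  {"name": "accessPolicies/POLICY_ID/accessLevels/approved_or_office",
   "basic": {"combiningFunction": "OR",
             "conditions": [{"devicePolicy": {"requireAdminApproval": true}},
                            {"ipSubnetworks": ["203.0.113.0/24"]}]}},
  {"name": "accessPolicies/POLICY_ID/accessLevels/negated",
   "basic": {"conditions": [{"negate": true,
                             "devicePolicy": {"requireAdminApproval": true}}]}},
  {"name": "accessPolicies/POLICY_ID/accessLevels/custom_expr",
   "custom": {"expr": {"expression": "PLACEHOLDER"}}}
]
""")

def condition_requires_approval(cond):
    """True only when a non-negated condition sets requireAdminApproval."""
    # Conditions that only point at other levels (requiredAccessLevels) are
    # not followed here; audit the referenced level on its own.
    if cond.get("negate"):
        return False
    return cond.get("devicePolicy", {}).get("requireAdminApproval") is True

def level_enforces_approval(level):
    """Return 'enforced', 'not-enforced' or 'review' for one access level."""
    basic = level.get("basic")
    if basic is None:
        return "review"  # custom (CEL) levels need a manual read
    checks = [condition_requires_approval(c) for c in basic.get("conditions", [])]
    # AND (the default): one approving condition gates the whole level.
    # OR: every condition must require approval, otherwise another
    # condition admits a device that was never approved or was blocked.
    if basic.get("combiningFunction", "AND") == "OR":
        ok = bool(checks) and all(checks)
    else:
        ok = any(checks)
    return "enforced" if ok else "not-enforced"

def audit(levels):
    """Map each level's short name to its verdict."""
    return {l["name"].rsplit("/", 1)[-1]: level_enforces_approval(l) for l in levels}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_LEVELS).items():
        print(f"{name}: {verdict}")
```

A level reported as enforced still protects nothing until it is applied to a resource, as in step 3.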