Supported editions for these features (except as noted): Frontline Starter and Frontline Standard; Business Starter, Business Standard, and Business Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, Education Plus, and Endpoint Education Upgrade; Essentials, Enterprise Essentials, and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Free and Cloud Identity Premium. Compare your edition
As an administrator, you can decide how people use their work account on managed iPhones and iPads. For example, you can prevent data from being copied from a managed app to an unmanaged app (Data protection), turn off certain apps, and control what work data syncs to built-in iOS apps.
Find the settings
Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesMobile & endpointsSettingsiOS.
- Click a settings category and setting. Learn about the settings in the following section.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
- Turn on or off the setting.
-
Click Save. Or, you might click Override for an organizational unit .
To later restore the inherited value, click Inherit.
Changes can take up to 24 hours but typically happen more quickly. Learn more
iOS settings index
Basic mobile management
Data protection applies to devices under basic and advanced mobile management.
Advanced mobile management
Supported editions for this feature: Frontline Starter and Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Enterprise Essentials and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Premium. Compare your edition
To use these settings, set up advanced mobile management for iOS devices.
Some settings apply only to supervised company-owned devices:
All iOS devices under advanced management | Supervised company-owned iOS devices only |
---|---|
|
|
Apple certificates
Apple Push Notification ServiceCreate and manage your organization's Apple push certificates. When you first set up Google endpoint management, you set up a push certificate. When the certificate approaches its expiration date, you can renew an existing certificate.
Renew certificates early so that your iOS users aren't required to enroll their devices again. You can't renew a certificate that already expired.
Connect to your organization's Apple Business Manager or Apple School Manager account so you can manage your company-owned iOS devices. Learn how to set up company-owned iOS device management. When the MDM Server token approaches its expiration date, you can renew the token.
Apple Volume Purchase Program (VPP)
Purchase apps in bulk and distribute them to iOS devices in your organization. You connect Apple Business Manager or Apple School Manager with your Google Workspace or Cloud Identity account. You can purchase app licenses and sync them with your account using a content token. For details, see Distribute iOS apps with Apple VPP.
Account Configurations (Google Workspace only)
Expand section | Collapse all & go to top
Google Account—Auto push configurationThis setting isn't available when you turn on a custom push configuration.
Automatically syncs users’ Google Workspace email, calendars, and contacts with the corresponding built-in iOS apps that are on their device. Check the Push Google Account configuration box to:
- Sync Google Workspace emails with the Apple Mail app.
- Sync Google Workspace calendar events with the Apple Calendar app.
- Sync Google Workspace contacts with the Apple Contacts app.
- Allow users to search your organization’s Directory in the iOS Contacts app.
Users can view email and calendar events in Google mobile apps (recommended) or in iOS apps. For details, go to Enroll my iOS device.
If you don't want users to access their mail in the Apple Mail app, turn off IMAP access. Calendar events and contacts will still sync to iOS apps. For details, see Turn POP & IMAP access on and off. If you turn off IMAP, let users know that they're no longer syncing Google Workspace mail to the Apple Mail app because they might not get a notification on their device. Additionally, if users try to sign in to the Apple Mail app with their Google Account when IMAP is off, the sign-in fails silently.
When you turn on the Google Account setting, users with devices that are already enrolled for management get a notification asking them to add a password for their Google Workspace account. Users can enroll new devices by signing in to their Google Workspace account with a Google mobile app, such as the Google Device Policy app.
Google Workspace email, calendars, and contacts are all managed on the device. Therefore, if you block the device or remove the account, the user’s Google Workspace email, calendar events, and contacts are removed from the device. And, they all stop syncing.
This setting isn't available when you select Auto push configuration.
When turned on, Google Calendar is automatically synced to the iOS Calendar app on a user’s device.
If you decide to use this setting, Google Workspace calendar events are not fully managed on the device. If you remotely wipe the device or account, Google Workspace calendar events stop syncing and all existing events are removed from the device. However, if you block the device or if the device is pending approval, calendar events still sync to the device and existing events stay on the device too.
When you turn on this setting, users need to generate and enter an app password instead of using their Google Workspace password. Then, Google Workspace events sync to the iOS Calendar app. The user can turn off this syncing. For details, see Enroll my iOS device.
When you turn off CalDAV, users can still add their calendars manually.
This setting is not available when the Google Account setting is on.
When turned on, Google Contacts is automatically synced to the iOS Contacts app on a user’s device. This setting also allows users to search your organization’s Directory in the iOS Contacts app.
If you decide to use this setting, Google Workspace contacts are not fully managed on the device. If you remotely wipe the device or account, the user’s contacts stop syncing and existing contacts are removed from the device. However, if you block the device or if it’s pending approval, contacts still sync to the device.
When you turn on CardDAV, users need to generate and enter an app password instead of using their Google Workspace password. Then, Google Workspace contacts sync to the iOS Contacts app. Users can turn off this syncing. For details, see Enroll my iOS device.
If you share only Directory data that’s already visible to the public with apps and APIs, users won’t be able to search your organization’s Directory. For details, see Let third-party apps access Directory data.
When you turn off CardDAV, users can still add their contacts manually.
Enrollment
- Device Enrollment–(Default) Your organization has full control of the device including the ability to wipe all data from it. You can see an inventory of work apps on the device and require that users have a strong device password.
- User Enrollment—Separates work and personal data on iOS devices to give you full control of work data on the device while users retain privacy over their personal data. If you want to apply this setting only to new devices, check the Allow Device Enrollment for existing users box.
- User's choice—(New device registrations only) Let the user choose the enrollment type when they add their work account to the device.
Lock Screen
Expand section | Collapse all & go to top
Control CenterAllows users to access and change settings in the Control Center when their device is locked. The Control Center lets users access settings and apps, such as Wi-Fi, Apple AirDrop, and their camera by swiping the screen.
To block access to Control Center on the lock screen, uncheck the Allow Control Center on lock screen box.
Allows users to open the Notification Center on locked devices. The Notification Center lets users see recent alerts, like a calendar event or a missed call by swiping down from the top of the screen.
To prevent users from opening the Notification Center on locked devices, uncheck the Allow Notifications view on lock screen box. Users can still see new notifications when they arrive.
Allows users to see Today View when their device is locked. Today View shows summary information for that day when a user swipes right from the left side of the screen. The information could include sensitive calendar event names and email subject lines.
To block Today View on the lock screen, uncheck the Allow Today view on lock screen box.
Data sharing
To use most of these settings, you must set up advanced mobile management for iOS devices. However, advanced mobile management isn't required to use the Data actions setting.
Expand section | Collapse all & go to top
Data actionsSupported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Cloud Identity Premium. Compare your edition
Allows users to potentially share Google Workspace data from their iOS device with people outside of your organization. When turned on, you can use data exfiltration protection settings to prevent accidental data leaks. However, the settings can’t stop all possible data exfiltration methods, such as copying from Apple Visual Look Up, taking screenshots, or translation extensions. To prevent users from potentially sharing Google Workspace data externally, select Don't allow users to take actions that could share Google Workspace data externally.
Important: Some files might open in a non-Google Workspace app and not be covered by data protection.
For more information, go to Prevent accidental data leaks on iOS devices.
Allows users to trust enterprise apps they install from outside the Apple App Store or Google Device Policy app.
When users are allowed to trust apps from unknown sources (box is checked) and they first open an app from an unknown source, they see a notification that the author of the app isn't trusted on the device. They can establish trust for the app author in their device settings. If the user trusts an author, they can install other apps from the same author and open them immediately.
To prevent users from trusting app authors, uncheck Allow users to trust new enterprise app authors. When you uncheck the box, any app authors a user trusts before this setting is applied to their device remain trusted. The user can install more apps from the same author and open them.
Allows users to open work files and links in unmanaged apps with unmanaged accounts and share them using Apple AirDrop.
To require that work files, attachments, and links open only in managed apps with managed accounts, uncheck the Allow items created with managed apps to open in unmanaged apps box. For example, you can prevent a user from opening a confidential email attachment from their work account in a personal app.
If you don't allow work files and links to open in unmanaged apps, you can still allow users to share these items using Apple AirDrop. To prevent users from sharing files with AirDrop, uncheck the Allow items created with managed apps to be shared using AirDrop box.
Allows managed apps to use Apple iCloud to store data. Data stored in iCloud stays there until the device user removes it.
To prevent work app data from being stored in iCloud, uncheck the Allow managed apps to store data in iCloud box. Users can still use iCloud for their personal data.
Allows users to open personal documents, attachments, and links in managed apps with their managed accounts.
To prevent managed apps from opening personal documents or links, uncheck the Allow items created in unmanaged apps to open in managed apps box. In this case, users can open personal documents and links only in unmanaged apps in their personal accounts.
Allows managed apps to use mobile data to go online. If you allow managed apps to sync using mobile data, you can also decide whether to allow them to sync when roaming. To turn off sync for managed apps while roaming, uncheck Allow managed apps to sync while roaming.
To prevent managed apps from using mobile data at any time, uncheck the Allow managed apps to sync using mobile data box.
Backup and iCloud Sync
Note: iOS device users need to give permission for automatic backup and sync using these settings.
Expand section | Collapse all & go to top
Document syncAllows users to turn document and data syncing of their iOS devices to iCloud on or off. When allowed, data from the user’s various iOS apps is stored in iCloud and synchronized between the user’s supported iOS devices.
To block device sync with iCloud, uncheck the Allow users to sync documents and data with iCloud box.
For iOS 13 and later devices, applies only to supervised company-owned devices. For iOS 12 and earlier, the setting applies to all devices under advanced management.
When checked, forces encryption for all backups to Apple iTunes. When users back up their iOS devices to iTunes, they can see the Encrypt local backup or Encrypt iPhone backup box checked in the iTunes Device Summary screen but they can't uncheck it.
When backup encryption is first turned on, iTunes asks the user to enter a password. An encrypted backup is stored on the user’s computer and they need to enter this password to restore their iOS device.
To allow users to back up their devices unencrypted, uncheck the Require encryption for backups box.
Allows users to automatically back up their iOS devices to iCloud over Wi-Fi every day. The iOS device must be turned on, locked, and connected to a power source during an iCloud backup.
To block device backup to iCloud, uncheck the Allow user to backup device with iCloud box.
Allows users to use iCloud Keychain. With iCloud Keychain, the user's username, password, and credit card number is stored behind 256-bit Advanced Encryption Standard (AES) on iCloud. That data is synchronized between the user’s supported iOS devices.
To prevent users from using iCloud Keychain, uncheck the Allow users to sync keychains with iCloud.
Photos
Expand section | Collapse all & go to top
My Photo StreamAllows the photos in a user’s Camera roll to sync to My Photo Stream in iCloud. Uncheck the box to:
- Erase photos in My Photo Stream from the device.
- Stop Camera roll photos syncing to My Photo Stream.
- Prevent photos and videos in shared streams from being seen on the device.
Note: If there are no other copies of these photos and videos, they might be permanently deleted.
Allows users to keep their photos and videos in iCloud so they can access them from any device.
To block access to iCloud Photo Library, uncheck the Allow iCloud Photo Library box. Any photos not fully downloaded from iCloud Photo Library to the device will be removed from the device.
Allows users to add photos and videos to a shared album in iCloud. It also allows users to invite others to add their own photos, videos, and comments to the album.
To prevent users from subscribing to or publishing shared albums, uncheck the Allow iCloud Photo Sharing box.
Advanced Security
Expand section | Collapse all & go to top
Screen captureAllows users to save a screenshot or recording of their screen.
To block screen captures, uncheck the Allow screenshots and screen recording box.
Allows users to use Siri. To block Siri, uncheck Allow Siri.
If you allow users to use Siri, you can also decide if it responds to users when the device is locked. To block Siri on locked devices, uncheck the Allow Siri on lock screen box.
Allows a user to use an Apple Watch device after they take it off their wrist without unlocking it.
To lock the watch automatically when it’s removed from the user’s wrist, uncheck the Allow use of Apple Watch without wrist detection box. The user can still unlock an Apple Watch that's not on their wrist with its passcode or the paired iPhone.
Allows users to use Apple Handoff to send an app's data between devices so they can start work on one device and continue on another. For example, a user can start reading a document in Safari on their iPad and continue reading it in Safari on their iPhone.
To block Handoff, uncheck the Allow Handoff box.
Safari
Expand section | Collapse all & go to top
Allow Safari (supervised, company-owned only)Allows users to complete online forms in Safari with autofill. When the box is checked, Apple Safari remembers information that users enter in forms, such as name, address, phone number, or email address. That information is automatically completed in online forms later.
To block autofill in Safari, uncheck the Allow autofill in Safari box.
For iOS 13 and later, the setting applies only to supervised company-owned devices. For iOS 12 and earlier, the setting applies to all devices under advanced management.
Warns users when they use Safari to visit a website that’s suspected to be fraudulent.
To turn off the fraudulent website warning, uncheck the Enforce the Safari fraudulent website warning box.
Allows JavaScript in Safari, which websites use for buttons, forms, and other content.
To block JavaScript in Safari, uncheck the Allow JavaScript in Safari box. Some websites can’t work properly if you turn off JavaScript.
Allows pop-up windows to open when users visit or close a web page in Safari. Pop-ups are often used to display ads. However, some websites use pop-up windows for essential content.
To block pop-ups, uncheck the Allow pop-ups in Safari box.
Lets all websites, third parties, and advertisers accessed by Safari to store cookies and other data on the device.
To block cookies and other data from being stored on the device, uncheck the Accept cookies in Safari box. If you turn off cookies, some websites might not work properly.
Company-owned iOS device setup
Company-owned devices only
Expand section | Collapse all & go to top
Device enrollment settings—Allow pairingRequire users on devices with iOS 12 and earlier to install the MDM profile. The MDM profile is always required on devices with iOS 13 and later.
To allow users with iOS 12 and earlier devices to skip profile installation, uncheck the Require MDM profile box. In this case, the device isn't subject to the settings that apply to supervised company-owned devices, only the other advanced management settings.
Device features
Supervised company-owned devices only except for Diagnostics
Expand section | Collapse all & go to top
AirDrop- To turn off password sharing with AirDrop, go to AuthenticationPassword sharing and uncheck .
- To prevent users from sharing files created in managed apps with AirDrop, go to Data sharingOpen docs in unmanaged apps and uncheck Allow items created with managed apps to be shared using AirDrop.
Networks
Supervised company-owned devices only
If you restrict Wi-Fi networks and mobile data, make sure that at least one Wi-Fi network is allowed in your organization's network settings. Otherwise, devices might not be able to sync policies and eventually lock out all users.
Expand section | Collapse all & go to top
App cellular dataApps and services
Supervised company-owned devices only
Expand section | Collapse all & go to top
App installation- Users can't access the App Store.
- Apps purchased on other devices can't download automatically.
- The Google Device Policy app and any apps installed via the Device Policy app (not including private iOS apps) do not get automatic updates.
- Users can still download allowed apps through the Google Device Policy app.
- To block access to the App Store, uncheck the Allow users to install apps from the App Store box. Users can still download allowed apps through the Google Device Policy app.
- To prevent apps purchased on other devices from automatically downloading, uncheck the Allow apps purchased on other devices to download automatically box.
Apple apps
Supervised company-owned devices only
Expand section | Collapse all & go to top
FaceTimeAuthentication
Supervised company-owned devices only
Expand section | Collapse all & go to top
Authenticate for AutoFillConnections
Supervised company-owned devices only
Expand section | Collapse all & go to top
Host pairing- Allow iBeacons to find AirPrint printers—Uncheck to prevent phishing attacks through AirPrint Bluetooth beacons. Devices can still detect AirPrint printers on the same Wi-Fi network when iBeacons are blocked.
- Allow Keychain to store AirPrint credentials—Uncheck to prevent Keychain from storing the username and password for AirPrint.
- Allow AirPrint connections with untrusted certificates—Uncheck to require a trusted certificate for TLS printing.
Keyboard and dictionary
Supervised company-owned devices only
Expand section | Collapse all & go to top
Keyboard autocorrectionWant more mobile device settings?
- Require passwords for managed mobile devices
- Apply universal settings for mobile devices and endpoints
- Apply settings for Android mobile devices
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.