Managing company devices (overview)
An overview of Google Workspace's mobile device management (MDM) tools — how to enforce security policies on phones and computers used to access company data.
When your team uses phones and computers to access company email and files, those devices become a security concern. If a device is lost or stolen, someone could access your business data. Google Workspace includes tools to manage and protect these devices.
Quick summary
Google Workspace includes basic device management for free — it lets you remotely wipe a lost phone, enforce screen locks, and see what devices are accessing your account. Advanced controls (called advanced endpoint management) are available on higher plans and let you enforce more granular policies.
What is mobile device management?
Mobile Device Management (MDM) — also called endpoint management in Google Workspace — lets an admin:
- See which devices are signed in to company accounts
- Require a screen lock or passcode on phones
- Remotely lock or wipe a lost or stolen device
- Block devices that don't meet security requirements
- Enforce policies like encryption
Google Workspace's built-in MDM is called "Basic mobile management." More advanced controls are called "Advanced mobile management" or "Endpoint management."
What's included in basic mobile management (all plans)
Basic mobile management is on by default for all Google Workspace plans. It lets you:
- See a list of mobile devices that have synced with your organization
- Remotely wipe a lost device (wipe removes the Google account and its data from the device — not necessarily everything else)
- Block specific devices from accessing Workspace
- Require screen locks
What's included in advanced management (Business Plus and Enterprise)
Advanced endpoint management adds:
- Enforce strong passcodes across all devices
- Require device encryption
- Block jail-broken or rooted devices
- Deploy and manage apps remotely
- Set up work profiles (separate work and personal apps on Android)
- Audit login activity and suspicious device behavior
Accessing device management
Go to admin.google.com and sign in.
Click Devices in the left sidebar.
Click Mobile & endpoints to see a list of devices that have accessed your organization.
Click on any device to see details: owner, device type, last sync time, and whether it's approved.
Wiping a lost device
If a device is lost or stolen:
In the Admin console → Devices → Mobile & endpoints, find the device.
Click on the device, then look for Wipe device or Remove account.
Choose between:
- Remove account — removes the work Google account and data from the device, but leaves personal data (safer if the person had personal data on a BYOD device)
- Wipe device — factory resets the entire device (only use if the organization owns the device, or the employee consents)
Confirm. The action takes effect the next time the device connects to the internet.
Remote wipe only works when the device is online
A remote wipe is queued until the device connects to the internet. If the thief immediately disables Wi-Fi and mobile data, the wipe won't happen right away. Act quickly after a device is reported lost or stolen.
Enrolling devices
For basic management, devices enroll automatically when a user signs in to their Google account on the device. For advanced management, you may need to deploy a Device Policy app or use Android Enterprise enrollment.
Your admin settings control what enrollment is required before a device can access Workspace.
BYOD vs. company-owned devices
| Bring Your Own Device (BYOD) | Company-owned | |
|---|---|---|
| Wipe approach | Remove account only (protect personal data) | Full factory reset may be appropriate |
| Policy enforcement | Limited — employees may resist strict policies on personal phones | Full control |
| Cost | Lower (no device purchase) | Higher (hardware costs) |
For small teams with BYOD, "Remove account" is usually the right wipe option — it protects the business data without wiping the employee's personal phone.
Common questions
Related guides
- Key security settings
- Turning on 2-step verification
- The Google Admin console, explained
- Google Workspace on your phone
Need a hand?
Learn more
Exporting your Workspace data
How to export and download a copy of your organization's Google Workspace data using Google Takeout and the Admin console data export tool.
Microsoft 365 — the complete client guide
Everything you need to manage your Microsoft 365 account, from adding users and setting up Outlook to securing your team and understanding your bill.