Admins can use the Volume Purchasing Program to efficiently curate a suite of work-related apps—both free and paid—for their team. This streamlined process not only simplifies the deployment of essential business apps but also ensures that employees have access to the right apps they need to be productive and efficient, all within the secure perimeter of our MDM platform. To further streamline the enrollment and app distribution process, we’re automatically installing mandatory apps during enrollment for company-owned devices. This latest update makes it easier for admins to deploy apps across various device types in their organization.
Additional details
Please note that Apple ID sign-in won't be needed in the company-owned iOS devices flow after configuring apps with VPP.
The automatic installation of mandatory apps during onboarding applies to all enrollment types, and devices that violate mandatory apps compliance will be immediately blocked until the required app(s) are installed.
Creating the app configuration using XML information
Applying the configuration
Who’s impacted
Admins and end users
Why it’s important
Prior to this update, mobile app configuration was only available for managed Android devices. Beginning today, Workspace admins can use Managed App Configuration to set custom app configurations and deploy them to managed iOS devices across their organization. This gives admins the flexibility they need to create safety parameters that align with the various needs of users across their organization.
End users: The user enrollment process starts when a user signs in to an app for the first time or signs in to an app again. They’ll be prompted to begin downloading the configuration profile, which will open in an internet browser with more instructions and information. Once the profile has been downloaded, the user will be directed to their device’s settings to complete user enrollment.
Rapid Release and Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on March 7, 2024 with anticipated completion by the end of the month.
Availability
Available to Google Workspace Enterprise Plus, Enterprise Standard, Enterprise Essentials, Enterprise Essentials Plus, Frontline Standard, Frontline Starter, Business Plus, Cloud Identity Premium, Education Standard, Education Plus and Nonprofits customers.
Cross-device policy application: Whether it’s a company-owned or personal device, Chrome User Policies can be applied when a user signs into the Chrome browser with their managed account. This ensures a consistent and secure browsing experience across all devices.
Management notice for end-users: Managed end-users will begin seeing a management notice, informing them that their organization manages the account they are signing into. This transparency not only fosters trust but also keeps users informed about the security measures in place to protect their data.
Admin console integration: Admins can easily activate this functionality through the Admin console under the "Chrome on iOS" Browser setting. This centralized control allows admins to tailor policies to meet the specific needs of their organization, ensuring a customized and secure browsing environment for all users.
Getting started
Admins: In the Admin console, navigate to Chrome browser > Settings > Chrome on iOS to start applying policies and preferences. Visit the Help Center to learn more about setting Chrome policies for users or browsers.
Moving forward, we’re adjusting a few components of how this grace period operates to boost compliance and prevent inadvertent circumvention. Specifically:
Grace Period
Situation
Next Steps
None
- The managed apps policy violation is detected during the device enrollment.
- The managed apps policy violation by an app is detected more than 24 hrs after the admin changes the policy.
The managed apps policy violation by an app is detected within 24 hrs of the admin changing the policy.
Who’s impacted
Admins and end users
Why it’s important
Improving these safeguards helps ensure that only managed applications can access sensitive organization information. If the managed applications do not meet the requirements of the access policies set by admins, managed application access to Workspace data is deactivated until users take the proper steps.
Available to Google Workspace Frontline Starter and Frontline Standard, Business Plus, Enterprise Standard and Enterprise Plus, Education Standard and Education Plus; Enterprise Essentials and Enterprise Essentials Plus and Cloud Identity Premium customers
All devices with the Google Apps Device Policy will lose access during March 2023 if they have not already upgraded. Existing Google Apps Device Policy app users must switch to Android Device Policy before then to continue syncing work data. Note that, per our last update, the new user registration flow on the legacy Google Apps Device Policy will be blocked and users may see errors during the registration process as of January 2022. Admins can act directly from the alert in the Admin console to identify users who need to upgrade.
Find advanced management devices by going to Admin console > Mobile devices and filtering for Type: Android and Management level: Advanced.
Determine which of these devices are currently managed by the Google Apps Device Policy app and support the Android Device Policy app (i.e. devices with Android 6+ and support for a work profile)
Send these instructions to your users to help them migrate to Android Device Policy.
Basic management devices:
Find basic management devices by going to Admin console > Mobile devices and filtering for Type: Android and Management level: Basic.
[2024]: We have completely rolled back this feature on web and there are no plans to relaunch this feature at this time. We will provide an update if and when one becomes available.
[February 2, 2022]: We have temporarily paused the rollout for this feature. We apologize for the delay and we will share an update once rollout resumes.
PPTX file limit increase in Google Slides
You can now import PPTX files up to 300MB into Google Slides using Office Editing mode — previously, 100MB was the maximum. Once imported, you can save back your edits to the underlying PPTX file. | Available to all Google Workspace customers and users with personal Google accounts. | Learn more.
Previous announcements
The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.
Use a new enterprise certificate condition to set context-aware access rules for company-managed devices
When configuring context-aware access rules, you can now use a new signal to determine whether a device is company-owned. | Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers. | Learn more.
This feature is now available for all eligible users.
Availability
Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers
Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business, and Cloud Identity Free customers
We will remove support for iOS 11 in the first release of the Device Policy app beginning September 2021. Therefore, please ensure your users upgrade their devices by the end of August 2021 to avoid any disruption to their work.
Previously, admins had a limited set of actions they could perform with basic management—they could wipe an account or delete the device from inventory. However, they couldn’t block apps on those devices from accessing organizational data in the way that they could for devices with advanced mobile management. This launch makes that possible, helping to keep your organization’s data secure.
While the blocking action is the same for devices with basic and advanced management, advanced management allows you to proactively block devices based on the Require Admin Approval setting. With basic management, you can only do this on a per-device basis.
Getting started
Admins: This feature will be available by default. To use it, navigate to a device page in the Admin console and click block device. Visit the Help Center to learn more about blocking and unblocking devices.
End users: If a user’s device is blocked by an admin, the user will be signed out of all Google Workspace mobile apps. If they try to sign in again, they will see a message indicating that they do not have access to the app, and that they should contact their administrator for help.
New option to block a device available for devices with basic management
Once a device is manually blocked, admins can unblock the device
Those trying to access Google Workspace apps on a blocked device will see a message to contact the administrator for help
Available to Google Workspace Business Starter, Business Standard, Business Plus, Essentials, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits customers
Use our Help Center to learn more about managing MDM rules for your organization. Note that any previously created rules will continue to function as before. However, you’ll be able to use the new flow and options if you update the rules.
Available to Google Workspace Enterprise Standard, and Enterprise Plus, Enterprise for Education, and Cloud Identity Premium customers
Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, as well as G Suite Basic, Business, Education, and Nonprofits customers
In the BeyondCorp security model, device inventory, state, and security posture are central to making context-aware access decisions. So far, our context-aware access solution has obtained these signals from first-party (i.e. Google) sources, such as Endpoint Verification. However, our vision has always been to help customers fully leverage their existing investments in security tools and controls, and to add key functionality and signals to Google’s context-aware access so that our customers achieve a superior access control security posture. The BeyondCorp Alliance is a group of partners that share our Zero Trust vision and who are committed to working with us to help our joint customers make it a reality.
Today, we are excited to announce the first integrations (in beta) with our BeyondCorp Alliance partners Check Point and Lookout, to use third party signals in our context-aware access decisions. For example, the mobile threat defence system might detect malware on the device and notify Google about a reduced security assurance, and customer-defined access rules can reduce the level of access allowed from such devices, without impacting access for that user from other devices or for other users. The integrations are built using the new Devices API we announced earlier this year. The API was designed to be used by partners in the BeyondCorp Alliance to add device security metadata, and also by customers to manage their device fleet.
Getting started
Admins: Google customers who use Check Point or Lookout as their mobile threat defense solutions can benefit from the integration. Visit our Help Center for more information and to learn more about how to set up third-party partner integrations.
You can also see blog posts by our partners to see more about how you can use Check Point or Lookout solutions as part of this integration.
Available to Enterprise Plus, Enterprise for Education, and Cloud Identity Premium customers
Not available to Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, and Enterprise Standard, as well as G Suite Basic, Business, Education, and Nonprofits customers
Android apps. This was previously at Admin console > Devices > Mobile settings > App management > Manage apps for Android devices. Learn more about mobile app management.
iOS apps. This was previously at Admin console > Devices > Mobile settings > App management > Manage apps for iOS devices. Learn more about mobile app management.
You’ll no longer be able to manage apps in the previous locations. However, you’ll still manage the Android available apps and system apps settings in Admin console > Devices > Mobile settings.
Who’s impacted
Admins
Why it’s important
By reducing the locations you need to use to manage different categories of apps and creating simplified and consistent workflows, it will be quicker and simpler to manage app use and deployment for your organization.
Additional details
New location for web and mobile apps:
New and consistent experience to add web and mobile apps:
Unified settings and quick controls to view access and manage apps:
Getting started
Admins: Find the new app management location at Admin console > Apps > Web and mobile apps. Visit the Help Center to learn more about managing Android and iOS apps, and SAML apps for your organization.
Available to Business Plus; Enterprise; Education and Enterprise for Education; G Suite Basic and Business; and Nonprofits customers
Not available to Business Starter, Essentials, and Enterprise Essentials customers.
SAML app management:
Available to Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education, Enterprise for Education, and Nonprofits customers
March 7, 2023: All devices with the Google Apps Device Policy will lose access during March 2023. Existing Google Apps Device Policy app users must switch to Android Device Policy before then to continue syncing work data. Note that, per our last update, the new user registration flow on Google Apps Device Policy will be blocked and users may see errors during the registration process as of January 2022. See below for more information and instructions.
January 26, 2022: The new user registration flow on Google Apps Device Policy will be blocked and users may see errors during the registration process.
October 21, 2021: We have adjusted the timing for this change. Now, Google Apps Device Policy app won't be available for new enrollments beginning January 19, 2022. Existing Google Apps Device Policy app users must switch to Android Device Policy before March 19, 2022 to continue syncing work data. Previously, we stated that users must switch before October 26, 2021.
To ensure that devices enrolled by users with advanced management will continue to sync and have access to data, users in your organization must switch to Android Device Policy before March 19, 2022. Google Apps Device Policy app won't be available for new enrollments beginning January 19, 2022. If users still have Google Device Policy on this date, they won't be able to sync their devices or access data.
Devices enrolled by users with basic management must move to Android 6.0 Marshmallow or later before March 19, 2022 to continue enforcing a screen lock. If a user's device can't be upgraded to Android 6.0 or later, their device will continue to sync and retain access to data, however it will not be able to enforce a screen lock.
Who’s impacted
Admins and end users
Why it’s important
The latest Android devices and operating system (OS) versions provide improved security features. Moving to Android 6.0 (Marshmallow) or newer can help ensure all devices are protected by the latest security features, and can take advantage of improvements in the Android enterprise experience.
Rapid and Scheduled Release domains: All devices must complete the upgrade by March 19, 2022. Google Apps Device Policy app won't be available for new enrollments beginning January 19, 2022. Android Device Policy is available now for all users.
Availability
Available to Workspace Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits customers
We will remove support for iOS 10 in the first release of the Device Policy app in 2021. Therefore, please ensure your users upgrade their devices before the end of the year to avoid any disruption to their work.
The new Devices API enables you to manage mobile and desktop devices within your organization. It is intended to fully replace the existing Mobiledevices endpoint of the Admin SDK Directory API, and provides some significant additional functionality as described below. The Mobiledevices endpoint (aka “old API”) will continue to be supported.
The device management API implements the following new functionality not found in the Mobiledevices endpoint of the Directory API:
Support for desktop devices
Add company owned devices to the device inventory
Manage company-owned devices inventory
Manage desktop device inventory
Ability to manage devices under all management modes (Fundamental, Basic or Advanced)
Create and manage custom state with each user account on a device. This custom state can be used in making context-aware access decisions.
In addition, the following main functionality from the older API is also available in the new API:
Manage BYOD inventory for Android and iOS devices
Manage organizational user accounts on devices
Devices under Basic or Advanced management can be managed
Perform actions such as wipe on devices and organizational user accounts on devices
Search devices and organizational user accounts on devices
The new API is part of the Cloud Identity API, and will eventually replace the Admin SDK Directory API used to manage mobile devices.
Who’s impacted
Admins and developers
Why you’d use it
The new API includes all the capabilities of the Admin SDK Directory API it will replace. In addition, it adds these new features over and above the Admin SDK:
Ability to create and manage company owned devices
Ability to manage Windows devices registered with the Google Credential Provider for Windows
Ability to manage desktop services such as those with the “Endpoint Verification” extension or those with Drive File Stream installed on them
The integration will enable G Suite Enterprise, G Suite Enterprise for Education, G Suite Enterprise Essentials, and Cloud Identity Premium customers to set Google endpoint management as an MDM server on Apple Business Manager.
Who’s impacted
Admins
Why you’d use it
With the integration between Google endpoint management and Apple Business Manager:
Admins can manage company-owned iOS devices directly from the Admin console, in the same location as they manage other devices that access their organization’s data.
End users: There is no end user setting for this feature. Once provisioned by an admin, users can follow the device setup wizard steps to enroll the device. Once the setup wizard is complete, the Google Device Policy app will automatically install and the user should sign in to it with their G Suite or Cloud Identity account.