Stay organized with collections
Save and categorize content based on your preferences.
This document shows how administrators can set up device approvals to control
the devices that users can use to access their organization's resources.
As an administrator, you can enforce administrator approval for device access,
and approve or block devices from the Google Admin console. By default, all
devices are approved when users log in to their devices by using their Google
Accounts unless you set up administrator approvals for the devices.
Enable administrator approval for device access
If you want to review devices that users use to access their organization's
resources, you can enable the Require admin approval option. After you enable
this option, when users add their corporate account to their device, they see a
message that an administrator must review and approve the device.
To enable administrator approval for device access, do the following:
In the navigation menu, click Mobile & endpoints > Settings
> Universal settings > Security.
From the Organizational Units pane, select your organization unit. To
apply the setting to everyone, select the top organizational unit.
Click Device approvals and then select Require admin approval.
Enter an email address to get notifications when users enroll
their devices.
You can use a group email address that includes all administrators who can
activate devices.
Click Save.
Approve or block devices
Approving or blocking a device adds a device status tag, which you can
use to create admin approval-based
access levels.
Approving or blocking a device doesn't affect the device's ability to access
data.
When a device approval is pending or a device is blocked, the device can still
sync data unless you create access levels to block access based on the device
status tag.
To approve, block, or unblock devices, do the following:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eAdministrators can control device access to organizational resources by setting up device approvals, requiring admin review before a device can be used.\u003c/p\u003e\n"],["\u003cp\u003eEnabling the "Require admin approval" option will prompt users to await administrator approval when adding their corporate account to a device.\u003c/p\u003e\n"],["\u003cp\u003eDevices registered by serial number are automatically approved, regardless of device approval settings.\u003c/p\u003e\n"],["\u003cp\u003eAdministrators can approve or block devices directly from the Google Admin console, which tags them accordingly and can be used in access levels.\u003c/p\u003e\n"],["\u003cp\u003eDevice approval status doesn't directly prevent data syncing unless administrators configure access levels based on device status tags.\u003c/p\u003e\n"]]],[],null,["# Set up device approvals\n\nThis document shows how administrators can set up device approvals to control\nthe devices that users can use to access their organization's resources.\n| **Note:** This feature is available with one of the following Google Workspace editions:\n|\n| - Frontline Starter, Frontline Standard, and Frontline Plus\n| - Business Plus; Enterprise Standard and Enterprise Plus\n| - Education Standard, Education Plus, and Endpoint Education Upgrade\n| - Enterprise Essentials and Enterprise Essentials Plus\n| - G Suite Basic and G Suite Business\n| - Cloud Identity Premium\n|\n| For more information, see [Compare Google Workspace editions](https://support.google.com/a/answer/6043385).\n|\n| To use one of these editions, [contact our sales team](https://workspace.google.com/contact-form/?utm_source=gwsadminhelp&utm_medium=support&utm_campaign=6043385).\n\nAs an administrator, you can enforce administrator approval for device access,\nand approve or block devices from the Google Admin console. By default, all\ndevices are approved when users log in to their devices by using their Google\nAccounts unless you set up administrator approvals for the devices.\n| **Note:** Devices that are registered by serial number are approved automatically, even if you set up device approvals.\n\nEnable administrator approval for device access\n-----------------------------------------------\n\nIf you want to review devices that users use to access their organization's\nresources, you can enable the **Require admin approval** option. After you enable\nthis option, when users add their corporate account to their device, they see a\nmessage that an administrator must review and approve the device.\n\nTo enable administrator approval for device access, do the following:\n\n1.\n\n From the Admin console Home page, go to **Devices**.\n\n [Go to Devices](https://admin.google.com/ac/devices/list)\n\n \u003cbr /\u003e\n\n2. In the navigation menu, click **Mobile \\& endpoints \\\u003e Settings\n \\\u003e Universal settings \\\u003e Security**.\n\n3. From the **Organizational Units** pane, select your organization unit. To\n apply the setting to everyone, select the top organizational unit.\n\n4. Click **Device approvals** and then select **Require admin approval**.\n\n5. Enter an email address to get notifications when users enroll\n their devices.\n You can use a group email address that includes all administrators who can\n activate devices.\n\n6. Click **Save**.\n\n| **Note:** You can also enforce device approval settings by [creating an access level](/endpoint-verification/docs/creating-device-access-level) using the access level attribute [**Require admin approval**](/access-context-manager/docs/access-level-attributes).\n\nApprove or block devices\n------------------------\n\nApproving or blocking a device adds a device status tag, which you can\nuse to create admin approval-based\n[access levels](/access-context-manager/docs/overview#access-levels).\nApproving or blocking a device doesn't affect the device's ability to access\ndata.\n\nWhen a device approval is pending or a device is blocked, the device can still\nsync data unless you create access levels to block access based on the device\nstatus tag.\n\nTo approve, block, or unblock devices, do the following:\n\n1. From the Admin console Home page, go to **Devices**.\n\n [Go to Devices](https://admin.google.com/ac/devices/list)\n2. Click **Endpoints**.\n3. Depending on whether you want to approve, block, or unblock devices, perform\n the appropriate action:\n\n - To allow devices to access data and to tag them\n as approved, select the devices, click **More** more_vert and select **Approve devices**.\n\n - To prevent devices from accessing data and to tag them as blocked,\n select the devices and click **Block Devices**\n block.\n\n - To unblock devices and to tag them as approved,\n select the devices and click **Unblock Devices** check_circle.\n\nWhat's next\n-----------\n\n- [Enforce admin approval by using access levels](/endpoint-verification/docs/creating-device-access-level)\n- [Delete devices](/endpoint-verification/docs/delete-device)"]]
