Mobile device management (MDM) improves security. When a device is lost, erase everything–or, in Google Apps lingo, “wipe device.” When an employee leaves the organization, erase organizational data and leave personal photos, contacts, apps, and files untouched–or “wipe account.” Both “wipe device” and “wipe account” help a Google Apps administrator protect an organization’s data.

Google improved remote management of organizational apps and data for iOS devices in September 2015 (Figure A). The update allowed people to separate organizational apps and data from personal apps and data on iOS devices (Google offers similar features on Android, as part of Android for Work). The changes make Google Apps even more friendly for use in a BYOD environment.

Figure A

Google Apps mobile app management options enable a “wipe account” option for iOS devices.

Now, a remote “wipe account” command sent to a connected iPhone or iPad will remove apps and data installed with the Google Device Policy app. No other apps or data on the device will be affected. Personal photos remain and organizational data disappears from the device.

The new mobile application management features for iOS require some setup. You’ll need to make changes both in the Google Apps Admin console and on each connected iOS device.

Configure Google Apps Admin settings

You’ll need to be a Google Apps administrator to configure the following three items for your organization’s Google Apps account.

1. Connect Google Apps to Apple push notifications

You’ll first need to connect your Google Apps account to Apple’s push notification system. Essentially, you generate a certificate signing request from Google Apps (the private key stays on Google’s side; you only shuttle the request and the resulting certificate), then log in to Apple’s push certificate portal and upload the request file. Apple creates a push certificate file, which you download from Apple and upload into your Google Apps account. This connects Google Apps and Apple to allow iOS device management.

Log in to your Google Apps Admin account and navigate to Device management, then Mobile (from the left menu), and choose “Set Up Apple Push Certificate.” If a certificate already exists, you’ll see “Manage Apple Push Certificate” instead of “Set up….” The process takes a few minutes and will require an active Apple ID to log in to Apple’s system (Figure B). Use an Apple ID that belongs to the organization rather than to an individual: Apple push certificates expire after a year, and renewing one requires the same Apple ID that created it.

Figure B

First, a Google Apps admin must connect Google Apps to Apple push notifications and configure MDM settings.

2. Configure Device management settings

Next, navigate to your Device management settings in Google Apps (i.e., from the Admin console: Device management | Mobile | Device management settings).

Under the General settings section, make sure the following options are both checked (Figure C):

  • Enable iOS Sync for users
  • Enforce policies on iOS devices

I suggest you also select the box to “Enable device activation” and add your administrator email address in the box. This allows you to individually review and approve each mobile device connection request. Admittedly, this adds work and slows the connection process for new devices, but the extra effort improves your organization’s security.

Figure C

Enable both options under iOS Sync.

3. Add Whitelisted iOS apps

Finally, add the iOS apps you want managed to your organization’s “Whitelisted iOS Apps” list (from the Admin console, go to Device management | Mobile | Whitelisted iOS Apps). Google populates the list with six apps by default: Gmail, Google Calendar, Drive, Docs, Sheets, and Slides. Select the circular action button in the lower right portion of the screen, search for the name of an iOS app, then add it.

You may add any free iOS app to the list. You could add the Chrome browser and encourage people to use Chrome on iOS for work browsing and Safari on iOS for personal browsing.

Keep in mind that any app installed on an iOS device through the Google Device Policy app is one that a remote “wipe account” will delete, along with the data that app stores on the device. For example, if you add the LastPass app, a remote “wipe account” would not only remove Google Apps info, it would also delete the LastPass app and its locally stored account information from the device.

Set up each iOS device

Each person who wants to connect an iOS device to your organization’s Google Apps account will need to complete the following steps.

1. Install the app

On your iOS device, install the Google Device Policy app (Figure D). You’ll need to log in with your Google Apps account and allow the app to install a Google Apps Device Policy profile on the device. You also may have to wait for your Google Apps administrator to approve your device registration.

Figure D

Install and configure the Google Device Policy app on each iOS device you want to manage.

2. Install apps

After your device is approved, open the Google Device Policy app and choose any of the listed apps to install (Figure E). These apps will automatically connect with your Google Apps account data. Apps installed this way will help isolate and secure your organization’s data from your personal iTunes account and apps.

Figure E

Select apps to install from within the Device Policy app. A remote “wipe account” will remove only these apps and data, and will preserve all other device data.

After all of the above steps, if you ever send a remote “wipe account” command to the device, all of the apps installed from the Device Policy app–and their related data–will be deleted. But all of the personal apps and data will remain undisturbed on the device.
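The Admin console is not the only way to send those commands. The Admin SDK Directory API exposes the same “wipe account” and “wipe device” actions on each enrolled device, which lets an offboarding or lost-device runbook pick the narrowest wipe that fits and apply it to every device a user has enrolled. The script below is an added example, not code from the original article or from Google; the endpoint, action names and record fields follow the Directory API mobiledevices resource as the editor knows it (verify against the current reference before relying on it), and the customer ID, OAuth token and device records are constructed assumptions.

```python
"""Plan Google Apps MDM wipes through the Admin SDK Directory API.

Added example, not from the original article or from Google. Endpoint,
action names and record fields follow the Directory API mobiledevices
resource as the editor knows it; the device records, customer ID and
access token below are constructed assumptions.
"""
import json
import urllib.request

# Assumption: the long-standing Directory API base URL.
API_BASE = "https://www.googleapis.com/admin/directory/v1"

# The two wipes the article describes, as the Directory API names them.
ACCOUNT_WIPE = "admin_account_wipe"  # "wipe account": Device Policy apps/data only
DEVICE_WIPE = "admin_remote_wipe"    # "wipe device": factory-reset everything
BLOCK = "block"                      # refuse a device that is still pending

# Constructed sample records, shaped like mobiledevices.list results.
SAMPLE_DEVICES = [
    {"resourceId": "AFiQxQ9tw1", "email": ["alice@example.com"],
     "os": "iOS 9.0.1", "type": "IOS_SYNC", "status": "APPROVED"},
    {"resourceId": "AFiQxQ7kd3", "email": ["bob@example.com"],
     "os": "iOS 9.0.1", "type": "IOS_SYNC", "status": "PENDING"},
    {"resourceId": "AFiQxQ2pm8", "email": ["alice@example.com"],
     "os": "Android 6.0", "type": "ANDROID", "status": "APPROVED"},
]


def choose_action(device, reason):
    """Map an incident to the narrowest action that fits.

    reason is "lost" (erase everything, whatever the enrollment status)
    or "offboarding" (erase organizational data only). Managed apps are
    only installed after approval, so a device still PENDING has nothing
    to account-wipe; block it instead so it cannot be approved later.
    """
    if reason == "lost":
        return DEVICE_WIPE
    if reason == "offboarding":
        return ACCOUNT_WIPE if device["status"] == "APPROVED" else BLOCK
    raise ValueError(f"unknown reason: {reason}")


def build_action_request(customer_id, device, action):
    """Build the mobiledevices.action POST (URL and JSON body) for one device."""
    url = (f"{API_BASE}/customer/{customer_id}"
           f"/devices/mobile/{device['resourceId']}/action")
    return url, {"action": action}


def plan_wipes(devices, email, reason, customer_id="my_customer"):
    """Return (url, body) pairs for every device enrolled by `email`.

    "my_customer" is the Directory API alias for the caller's own
    customer ID. Nothing is sent; review the plan, then call send().
    """
    plan = []
    for device in devices:
        if email not in device["email"]:
            continue
        plan.append(build_action_request(
            customer_id, device, choose_action(device, reason)))
    return plan


def send(url, body, access_token):
    """Send one planned action. Requires network access and an OAuth2
    token with the admin.directory.device.mobile.action scope
    (assumption: obtained out of band). Not called at import time."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Alice leaves: her two approved devices get an account wipe and
    # keep their personal data. Bob's pending iPhone would be blocked.
    for url, body in plan_wipes(SAMPLE_DEVICES, "alice@example.com", "offboarding"):
        print(body["action"], url)
```

The split between planning and sending is deliberate: a device wipe is irreversible, so the runbook should print the plan and have a human confirm it before any `send()` call is made.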

Have you configured and deployed Google’s mobile application management Device Policy app for your iOS device? What apps have you added? Share your experience in the discussion thread below.