Target: G Suite Admins who use or are thinking about using G Suite Mobile Device Management (“MDM”)
Objective: Inform Admins of options when enforcing policies on mobile devices, and describe how it will impact users once Google changes the setting across the board on June 18, 2018.
Issue: Announcement that Google is updating all default settings to “Basic”. As a result, Android devices (L or earlier) without the Google Apps Device Policy App will receive prompts for this change.
Changes to MDM for G Suite Administrators.
If you are a G Suite administrator, there are some changes on the horizon that could impact your users. According to Google’s Update Blog post, “Stay secure with default-on mobile management,” the default setting for Mobile Device Management (“MDM”) will change to the “Basic” enforcement setting (defined below). The rollout is set to begin in June of 2018 and will extend until the end of the year, at which point all of G Suite will reflect this change. At Wursta, we have been recommending these settings and this change for years. This change may, however, have a significant impact on your Android users.
What Are “Basic” Enforcement Settings in MDM, and Some Background.
Currently, the default MDM setting on G Suite does not provide any MDM enforcement. “Basic” enforcement settings give administrators the ability to enable password or screen lock requirements on mobile devices used with business accounts, as well as the capability to remotely wipe data at a moment’s notice if a device is lost or stolen. Wursta always recommends that users’ MDM enforcement settings be set, at the very least, to “Basic” enforcement. This is critical because your business is allowing mobile devices access to your organization’s data.
Our MDM Recommendations Generally and Potential Issues You May Encounter with Google’s Changes.
Without enabling “Basic” device management, G Suite administrators have no insight into mobile device usage, no password or screen lock enforcement, no remote wipe capabilities, and no overall control over or approval of which users are accessing your business’s critical data via mobile devices. If you have never touched your MDM settings before, we recommend doing so soon! We advise selecting the “Basic” enforcement option for your domain, because the previous out-of-the-box default domain settings are less secure than desired.
We frequently instruct clients that make this upgrade to “Basic” enforcement to communicate the change to their users, especially if policies are to be enforced (such as screen lock). Both Android users and iOS users may be slightly impacted if you are coming from an environment that has not enabled the MDM mobile device settings. iOS users may have the small task of selecting a four-digit PIN if they do not already have one set up, and Android users on version M (6.0) or later will have a similar experience, due to the update made by Google about how you can now Manage Android devices without the Google Apps Device Policy app.
Issues may arise for your users on older Android devices that do not have the Google Apps Device Policy App. It would be in your best interest to proceed with getting the “Basic” enforcement enabled prior to this upcoming change, while communicating to users that this is a Google-mandated security update to ease any issues they may have with syncing their G Suite data to their device.
If you would like to get around this issue, there are certain actions you can take today, which you can find in this blog post. Specifically, you can enable “Basic” enforcement now, without pushing any policies to the device. This will allow you to work as usual, but the security holes will persist. We strongly recommend getting your MDM in tip-top shape, so you can get back to that 1990s slogan, “No Fear,” again.
If you have any questions about your current MDM settings or implementing an effective MDM solution for G Suite, we are here to help at email@example.com.