This article is written for Google Workspace administrators.

Almost everyone in your organization may sign in to their Google account and sync their work data on their mobile devices, both Android and iOS. Your Google Admin Console > Devices > Mobile page may list hundreds or thousands of devices. Mobile devices that have not synced for a long time (30 days or 45 days) may put your corporate data at risk. If your users lost their phones or purchased a new phone and didn't inform you, it opens up a security hole for unauthorized access to the corporate data on the original devices.

Inactive mobile devices in Google Workspace are a security risk

To mitigate the risk of a data leak, there should be an automated way to report, block and wipe these inactive mobile devices in time. Google is aware of the problem and provides some options.

With that said, these options are limited to certain Google Workspace editions and the features are only available on Android. The security features aren't flexible enough.

This article demonstrates how Foresight can help you automate reporting, blocking and wiping inactive mobile devices according to your needs.

Video demo

A quick demo can help you understand how it works. In the demo, we set up an automation rule that triggers for a mobile device that has been inactive for 171 days, measured from its last sync time (note: normally this would be a value of 30 days or 45 days). The rule first retrieves the mobile device profile, blocks it from syncing, wipes its work data, and sends 2 emails, one to the user of the device and one to the admins. After we create the rule, the inactive mobile device in the list triggers the rule, is blocked, and undergoes an account wipe.

Step-by-Step Instructions

  1. Sign into Foresight
  2. Go to Rules
  3. Click the new rule button to create a new rule
  4. In the Select trigger step, select Mobile device turned inactive trigger
  5. In the Edit trigger > Mobile device turned inactive step,
    1. Click the REQUEST ACCOUNT ACCESS button to connect Foresight with your Google Account. Once you authorize the permissions, the status turns into Access granted.
    2. In the Inactivity timeout option, input the exact number of days without a sync after which a mobile device should be considered inactive, for example 15, 30, 45 or 60 days. Only mobile devices that haven't synced for exactly the given number of days will trigger. If a mobile device's last sync time is older or newer than the specified number of days, it won't trigger.
    3. Click Next
  6. In the Select an action step, click the Get mobile device info
  7. In the Edit actions > Get mobile device info step,
    1. Click the REQUEST ACCOUNT ACCESS button to connect Foresight with your Google Account. Once you authorize the permissions, the status turns into Access granted.
    2. In the Device id option, select the Device ID variable from the drop down. This variable is output from the Mobile device turned inactive trigger. It would populate as the inactive mobile device's device ID after the rule is executed.
    3. In the User primary email option, select the Device User Email variable from the drop down list, output from the Mobile device turned inactive trigger. It would populate as the primary email of user on the inactive mobile device after the rule is executed.
    4. Click ADD NEXT ACTION
  8. In the Select an action step, click the Block mobile device
  9. In the Edit actions > Block mobile device step,
    1. Click the REQUEST ACCOUNT ACCESS button to connect Foresight with your Google Account. Once you authorize the permissions, the status turns into Access granted.
    2. In the Device id option, select the Device ID variable from the drop down. This variable is output from the Mobile device turned inactive trigger. It would populate as the inactive mobile device's device ID after the rule is executed.
    3. In the User primary email option, select the Device User Email variable from the drop down list, output from the Mobile device turned inactive trigger. It would populate as the primary email of user on the inactive mobile device after the rule is executed.
    4. Click ADD NEXT ACTION
  10. In the Select an action step, click the Wipe mobile device
  11. In the Edit actions > Wipe mobile device step,
    1. Click the REQUEST ACCOUNT ACCESS button to connect Foresight with your Google Account. Once you authorize the permissions, the status turns into Access granted.
    2. In the Device id option, select the Device ID variable from the drop down. This variable is output from the Mobile device turned inactive trigger. It would populate as the inactive mobile device's device ID after the rule is executed.
    3. In the User primary email option, select the Device User Email variable from the drop down list, output from the Mobile device turned inactive trigger. It would populate as the primary email of user on the inactive mobile device after the rule is executed.
    4. In the Device wipe type option, select Wipe an account from the device. It's equivalent to ACCOUNT WIPE you see in the mobile device list of Google Admin Console. In this demo, we assume all of our devices are user-owned so we only have the ACCOUNT WIPE option available.
    5. Click ADD NEXT ACTION
  12. In the Select an action step, click the Email.
  13. In the Edit actions > Email step,
    1. Click the REQUEST ACCOUNT ACCESS button to connect Foresight with your Google Account. Once you authorize the permissions, the status turns into Access granted.
    2. In the To option, type {{ to populate the variable drop down menu. Select Device User Email variable.
    3. In the Subject option, input your subject
    4. In the Email body option, type your email template to the user on an inactive mobile device. If you need dynamic mobile device data, like the user's full name, device model, operating system, type {{ to populate available variables.
    5. Click ADD NEXT ACTION
  14. In the Select an action step, click the Email
  15. In the Edit actions > Email step,
    1. In the To option, type the email addresses of the administrators who will receive these inactive mobile device reports.
    2. The CC and BCC options are optional. Copy to yourself if necessary.
    3. In the Subject option, input your subject
    4. In the Email body option, type your email template to the admins. If you need dynamic mobile device data, like the user's full name, device model, operating system, first sync time, last sync time, type {{ to populate available variables.
  16. Click Review
  17. Give the rule a name
  18. Click Create
  19. Your rule looks like this
    A Foresight workflow to automate reporting, blocking and wiping an inactive mobile device in Google Workspace

After your rule is created, any mobile devices that haven't synced for exactly the configured number of days will trigger your rule, and you will receive notifications within the Foresight app momentarily. Otherwise, you will need to wait for such events to happen on another day. For an inactive mobile device, the user of the device will be notified by email, the admins will be notified by email, and the mobile device will be blocked and wiped.

Notes

  • You can create different rules for different inactivity timeouts. For instance, create a 7-day inactivity rule to email the user about the company's mobile device policy, and create a 15-day inactivity rule to block mobile devices. If users don't react to the warning and still do not turn on and sync their mobile devices, their mobile devices will be blocked.
  • If your rule does not trigger, one common cause is that the mobile devices' last sync time does not exactly match the inactivity timeout you set.
  • You can customize the rule to conditionally block or wipe inactive mobile devices using the IF action after the Get mobile device info. The Get mobile device info action outputs many variables, like Device type, Device Status, OS Security Patch Date, Brand, OS Version etc.
  • The Wipe mobile device action's Device wipe type is device-specific. Both options are not always available. We recommend reading the Google documentation Remove corporate data from a device.
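
The exact-day matching described in the Inactivity timeout step and in the second note means a device that is already past the timeout when a rule is created will not trigger it. The sketch below is an added example, not Foresight's code: it sorts a device export into exact matches and the backlog that needs manual review. The record layout follows the Admin SDK Directory API mobile device fields, the sample values are constructed, and flooring elapsed time to whole days is an assumption about how days are counted.

```python
from datetime import datetime, timezone

# Fixed reference time so the example is reproducible (constructed value).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample records. Field names follow the Admin SDK Directory API
# mobile device resource (resourceId, email, lastSync); values are invented.
SAMPLE_DEVICES = [
    {"resourceId": "dev-001", "email": ["ann@example.com"], "lastSync": "2024-05-02T08:15:00Z"},
    {"resourceId": "dev-002", "email": ["bob@example.com"], "lastSync": "2024-05-31T23:50:00Z"},
    {"resourceId": "dev-003", "email": ["cho@example.com"], "lastSync": "2023-12-13T10:00:00Z"},
    {"resourceId": "dev-004", "email": ["dee@example.com"], "lastSync": "2024-04-17T12:00:00Z"},
    {"resourceId": "dev-005", "email": ["eve@example.com"], "lastSync": ""},
]


def inactive_days(last_sync, now):
    """Whole days since the last sync; None when no sync time is recorded.

    Assumption: elapsed time is floored to whole days.
    """
    if not last_sync:
        return None
    ts = datetime.fromisoformat(last_sync.replace("Z", "+00:00"))
    return (now - ts).days


def classify(devices, timeout_days, now):
    """Bucket devices relative to an exact-day inactivity timeout.

    exact   -> would trigger a rule with this timeout today
    backlog -> already older than the timeout, so an exact-match rule skips it
    active  -> synced more recently than the timeout
    unknown -> no last sync time recorded, needs manual review
    """
    buckets = {"active": [], "exact": [], "backlog": [], "unknown": []}
    for dev in devices:
        days = inactive_days(dev.get("lastSync"), now)
        if days is None:
            key = "unknown"
        elif days == timeout_days:
            key = "exact"
        elif days > timeout_days:
            key = "backlog"
        else:
            key = "active"
        buckets[key].append((dev["resourceId"], days))
    return buckets


if __name__ == "__main__":
    for name, items in classify(SAMPLE_DEVICES, 30, NOW).items():
        print(name, items)
```

Devices in the backlog and unknown buckets are the ones to review by hand in the Admin Console, or to cover with additional rules at other timeouts, before relying on the rule alone.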
