Enhance security with automated actions

This article is written for Google Workspace administrators.

Almost everyone in your organization may sign into their Google account and sync their work data on their mobile devices, Android and iOS. Your Google Admin Console > Devices > Mobile page may have hundreds or thousands of devices. Those mobile devices which do not sync for a long time (30 days or 45 days) may put your corporate data in risk. If your user lost their lost phones or they purchased a new phone, they didn't inform you for that. It opens up a security hole for unauthorized access to the corporate data on the original devices.

Inactive mobile devices in Google Workspace is a security risk

To mitigate the risk of data leak, there shall be an automated way to report, block and wipe these inactive mobile devices on time. Google is aware of the problem and provides some options.

Get a report of inactive company devices. You can get a monthly report for unused company-owned Android devices that haven't synced any work data in the last 30 days.
Auto wipe setting for Android mobile devices. It's a feature to auto wipe Android devices that hasn't synced for the specified number of days.

With that said, these options are limited to certain Google Workspace editions and the features are only available on Android. The security features aren't flexible enough.

This article demonstrates how Foresight can help you automate reporting, blocking and wiping inactive mobile devices with your needs.

Video demo

A quick demo can help you understand how it works. In the demo, we set up an automation rule that triggers for inactive mobile device of 171 days old (last sync time). [note: normally it should be a value of 30 days or 45 days]. Then the rule first retrieves the mobile device profile, blocks it from syncing, wipes its work data, and send 2 emails, one to the user of the device, and one to the admins. After we create the rule, the inactive mobile device in the list triggers the rule and is blocked and under account wiping.

Step-by-Step Instructions

Sign into Foresight
Go to Rules
Click the button to create a new rule
In the Select trigger step, select Mobile device turned inactive trigger
In the Edit trigger > Mobile device turned inactive step,
1. Sign in with Google
2. In the Inactivity timeout option, input the exact number of inactive days after which you wish a mobile device is considered as inactive, 15 days, 30 days, 45 days, 60 days etc. Only those mobile devices that haven't synced for the exact number of given days will trigger. If a mobile device's last sync time is older or newer than the specific days, it won't trigger.
3. Click Next
In the Select an action step, click the Get mobile device info
In the Edit actions > Get mobile device info step,
1. Sign in with Google
2. In the Device id option, select the Device ID variable from the drop down. This variable is output from the Mobile device turned inactive trigger. It would populate as the inactive mobile device's device ID after the rule is executed.
3. In the User primary email option, select the Device User Email variable from the drop down list, output from the Mobile device turned inactive trigger. It would populate as the primary email of user on the inactive mobile device after the rule is executed.
4. Click ADD NEXT ACTION
In the Select an action step, click the Block mobile device
In the Edit actions > Block mobile device step,
1. Sign in with Google
2. In the Device id option, select the Device ID variable from the drop down. This variable is output from the Mobile device turned inactive trigger. It would populate as the inactive mobile device's device ID after the rule is executed.
3. In the User primary email option, select the Device User Email variable from the drop down list, output from the Mobile device turned inactive trigger. It would populate as the primary email of user on the inactive mobile device after the rule is executed.
4. Click ADD NEXT ACTION
In the Select an action step, click the Wipe mobile device
In the Edit actions > Wipe mobile device step,
1. Sign in with Google
2. In the Device id option, select the Device ID variable from the drop down. This variable is output from the Mobile device turned inactive trigger. It would populate as the inactive mobile device's device ID after the rule is executed.
3. In the User primary email option, select the Device User Email variable from the drop down list, output from the Mobile device turned inactive trigger. It would populate as the primary email of user on the inactive mobile device after the rule is executed.
4. In the Device wipe type option, select Wipe an account from the device. It's equivalent to ACCOUNT WIPE you see in the mobile device list of Google Admin Console. In this demo, we assume all of our devices are user-owned so we only have the ACCOUNT WIPE option available.
5. Click ADD NEXT ACTION
In the Select an action step, click the Email.
In the Edit actions > Email step,
1. Sign in with Google
2. In the To option, type {{ to populate the variable drop-down menu. Select the Device User Email variable.
3. In the Subject option, input your subject
4. In the Email body option, type your email template to the user on an inactive mobile device. If you need dynamic mobile device data, like the user's full name, device model, operating system, type {{ to populate available variables.
5. Click ADD NEXT ACTION
In the Select an action step, click the Email
In the Edit actions > Email step,
1. In the To option, type administrators' emails who would receive these inactive mobile device reports.
2. The CC and BCC options are optional. Copy to yourself if necessary.
3. In the Subject option, input your subject
4. In the Email body option, type your email template to the admins. If you need dynamic mobile device data, like the user's full name, device model, operating system, first sync time, last sync time, type {{ to populate available variables.
Click Review
Give the rule a name
Click Create
Your rule looks like this

After your rule is created, if there are mobile devices which didn't sync for exact number of days, they will trigger your rule and you will receive notifications within the Foresight app momentarily. Otherwise, you will need to wait for such events to happen in another day. For an inactive mobile device, the user on the device will be email notified, the admins will be email notified, and the mobile device will be blocked and wiped.

Notes

You can create different rules for different inactivity timeout days. For instance, create a 7 days inactivity rule to Email inform the user the company's mobile device policy. And create a 15 days inactivity rule to block mobile devices. If the users don't react to the warning and still do not turn on and sync their mobile devices, their mobile devices would be blocked.
If your rule does not trigger, one common cause is the mobile devices' last sync time is not exactly the inactivity timeout you set.
You can customize the rule to conditionally block or wipe inactive mobile devices using the IF action after the Get mobile device info. The Get mobile device info action outputs many variables, like Device type, Device Status, OS Security Patch Date, Brand, OS Version etc.
The Wipe mobile device action's Device wipe type is device-specific. Not both options are available. You're recommended to read the Google documentation Remove corporate data from a device.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site’s analytics report. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors. This cookie is installed the first time a visitor enters the website through a browser. When the visitor comes back to the website through the same browser, the cookie will consider them to be the same visitor. Only in the event that the visitor changes browser, will they be deemed to be a different visitor.
_gat_gtag-###	1 minute	This cookie is installed by Google Analytics. It is used to analyze visitor browsing habits, flow, source and other information.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected includes the number of visitors, the source where they have come from, and the pages visited in an anonymous form.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
__Secure-1PAPISID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising
__Secure-1PSID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising.
__Secure-3PAPISID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising.
__Secure-3PSID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising.
_gcl_au	3 months	This cookie is set by Google Analytics to take information in advert clicks and store it in a 1st party cookie so that conversions can be attributed outside of the landing page.
1P_JAR	1 month	This cookie is installed by Google Ads. This cookie is used to collect site statistics and track conversion rates.
APISID	2 years	This cookie is used by Google to store user preferences and information while viewing Youtube videos on this site.
HSID	2 years	This cookie contains digitally signed and encrypted records of a user’s Google Account ID and most recent sign-in time. Google uses security cookies to authenticate users, prevent fraudulent use of login credentials, and protect user data from unauthorized parties.
LOGIN_INFO	2 years	This cookie is used by YouTube (Google) for storing user preferences and other unspecified purposes.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
PREF	2 years	This cookie is used by YouTube (Google) for storing user preferences and other unspecified purposes.
SID	2 years	This cookie contains digitally signed and encrypted records of a user’s Google Account ID and most recent sign-in time. Google uses security cookies to authenticate users, prevent fraudulent use of login credentials, and protect user data from unauthorized parties.
SIDCC	1 year	This cookie carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website.
SSID	2 years	This cookie is used to save the user's preferences and other information.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	6 months	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	This cookie is used by YouTube to remember user input and associate a user’s actions. This cookie lasts for as long as the user keeps their browser open.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Auto report, block and wipe inactive mobile devices in Google Workspace

Video demo

Step-by-Step Instructions

Notes

Products & Services

Company

Contact

Follow us