Auto report, block and wipe inactive mobile devices in Google Workspace

Almost everyone in your organization may sign into their Google account and sync their work data on their mobile devices, Android and iOS. Your Google Admin Console > Devices > Mobile page may have hundreds or thousands of devices. Those mobile devices which do not sync for a long time (30 days or 45 days) may put your corporate data in risk. If your user lost their lost phones or they purchased a new phone, they didn't inform you for that. It opens up a security hole for unauthorized access to the corporate data on the original devices.

To mitigate the risk of data leak, there shall be an automated way to report, block and wipe these inactive mobile devices on time. Google is aware of the problem and provides some options.

• Get a report of inactive company devices. You can get a monthly report for unused company-owned Android devices that haven't synced any work data in the last 30 days.
• Auto wipe setting for Android mobile devices. It's a feature to auto wipe Android devices that hasn't synced for the specified number of days.

With that said, these options are limited to certain Google Workspace editions and the features are only available on Android. The security features aren't flexible enough.

This article demonstrates how xFanaticaForesight can help you automate reporting, blocking and wiping inactive mobile devices with your needs.

Video demo

A quick demo can help you understand how it works. In the demo, we set up an automation rule that triggers for inactive mobile device of 171 days old (last sync time). [note: normally it should be a value of 30 days or 45 days]. Then the rule first retrieves the mobile device profile, blocks it from syncing, wipes its work data, and send 2 emails, one to the user of the device, and one to the admins. After we create the rule, the inactive mobile device in the list triggers the rule and is blocked and under account wiping.

Step-by-Step Instructions

1. Sign into Foresight
2. Go to Rules
3. Click the button to create a new rule
4. In the Select trigger step, select Mobile device turned inactive trigger
5. In the Edit trigger > Mobile device turned inactive step,
   1. Sign in with Google
   2. In the Inactivity timeout option, input the exact number of inactive days after which you wish a mobile device is considered as inactive, 15 days, 30 days, 45 days, 60 days etc. Only those mobile devices that haven't synced for the exact number of given days will trigger. If a mobile device's last sync time is older or newer than the specific days, it won't trigger.
   3. Click Next
6. In the Select an action step, click the Get mobile device info
7. In the Edit actions > Get mobile device info step,
   1. Sign in with Google
   2. In the Device id option, select the Device ID variable from the drop down. This variable is output from the Mobile device turned inactive trigger. It would populate as the inactive mobile device's device ID after the rule is executed.
   3. In the User primary email option, select the Device User Email variable from the drop down list, output from the Mobile device turned inactive trigger. It would populate as the primary email of user on the inactive mobile device after the rule is executed.
   4. Click ADD NEXT ACTION
8. In the Select an action step, click the Block mobile device
9. In the Edit actions > Block mobile device step,
   1. Sign in with Google
   2. In the Device id option, select the Device ID variable from the drop down. This variable is output from the Mobile device turned inactive trigger. It would populate as the inactive mobile device's device ID after the rule is executed.
   3. In the User primary email option, select the Device User Email variable from the drop down list, output from the Mobile device turned inactive trigger. It would populate as the primary email of user on the inactive mobile device after the rule is executed.
   4. Click ADD NEXT ACTION
10. In the Select an action step, click the Wipe mobile device
11. In the Edit actions > Wipe mobile device step,
    1. Sign in with Google
    2. In the Device id option, select the Device ID variable from the drop down. This variable is output from the Mobile device turned inactive trigger. It would populate as the inactive mobile device's device ID after the rule is executed.
    3. In the User primary email option, select the Device User Email variable from the drop down list, output from the Mobile device turned inactive trigger. It would populate as the primary email of user on the inactive mobile device after the rule is executed.
    4. In the Device wipe type option, select Wipe an account from the device. It's equivalent to ACCOUNT WIPE you see in the mobile device list of Google Admin Console. In this demo, we assume all of our devices are user-owned so we only have the ACCOUNT WIPE option available.
    5. Click ADD NEXT ACTION
12. In the Select an action step, click the Email.
13. In the Edit actions > Email step,
    1. Sign in with Google
    2. In the To option, type {{ to populate the variable drop-down menu. Select the Device User Email variable.
    3. In the Subject option, input your subject
    4. In the Email body option, type your email template to the user on an inactive mobile device. If you need dynamic mobile device data, like the user's full name, device model, operating system, type {{ to populate available variables.
    5. Click ADD NEXT ACTION
14. In the Select an action step, click the Email
15. In the Edit actions > Email step,
    1. In the To option, type administrators' emails who would receive these inactive mobile device reports.
    2. The CC and BCC options are optional. Copy to yourself if necessary.
    3. In the Subject option, input your subject
    4. In the Email body option, type your email template to the admins. If you need dynamic mobile device data, like the user's full name, device model, operating system, first sync time, last sync time, type {{ to populate available variables.
16. Click Review
17. Give the rule a name
18. Click Create
19. Your rule looks like this
    

After your rule is created, if there are mobile devices which didn't sync for exact number of days, they will trigger your rule and you will receive notifications within the Foresight app momentarily. Otherwise, you will need to wait for such events to happen in another day. For an inactive mobile device, the user on the device will be email notified, the admins will be email notified, and the mobile device will be blocked and wiped.

Notes

• You can create different rules for different inactivity timeout days. For instance, create a 7 days inactivity rule to Email inform the user the company's mobile device policy. And create a 15 days inactivity rule to block mobile devices. If the users don't react to the warning and still do not turn on and sync their mobile devices, their mobile devices would be blocked.
• If your rule does not trigger, one common cause is the mobile devices' last sync time is not exactly the inactivity timeout you set.
• You can customize the rule to conditionally block or wipe inactive mobile devices using the IF action after the Get mobile device info. The Get mobile device info action outputs many variables, like Device type, Device Status, OS Security Patch Date, Brand, OS Version etc.
• The Wipe mobile device action's Device wipe type is device-specific. Not both options are available. You're recommended to read the Google documentation Remove corporate data from a device.

You may also like

• Schedule to Approve, Block or Wipe mobile devices in Google Workspace
• Automated Welcome Email to Google Workspace New Users
• Automatically Assign New Users to Groups in Google Workspace
• Automatically Suspend Inactive Users in Google Workspace
• How to automate offboarding workflows in Google Workspace 
• Automatically Share Calendars to New Group Members in Google Workspace
• Auto Add members to Groups After Changing User’s OU
• Suspend Google Workspace users by Schedule
• Delete Google Workspace users by schedule