BYOD Demystified for IT Admins with G Suite

Like many organizations, Google quickly adapted to the work-from-home paradigm. To ensure that employees are not only productive but safe, organizations must ensure that their remote workers are using secure devices, regardless of whether the device is personally owned. The need for this level of security means that IT admins are working arduously to keep these devices safe.

At Google, we established zero trust security through our BeyondCorp strategy. This security model comprises nearly 10 years of building zero trust networks, combined with crowdsourcing ideas. BeyondCorp is leveraged to offer advanced security for users of G Suite to ensure secure access for all their devices. IT admins can enforce controls across G Suite and all other corporate applications and data for consistent security and enhanced user experience across the organization. Here are six critical controls that IT admins can utilize within G Suite to help keep their companies safe in a bring your own device (BYOD) scenario.

1. Use Endpoint Management to secure mobile & desktop devices

BYOD devices vary from company to company, with different OS versions, hardware models, patches, and more. With all the different elements, it's not possible to rely on a one-size-fits-all approach to device management. Use Google endpoint management to support various mobile and desktop devices by enforcing measures like minimum software versions and blocking jailbroken or rooted devices. IT admins will find that in many situations they can do this without needing full device rights, which preserves employee privacy.

G Suite offers both basic and advanced mobile management for managing mobile devices.

Basic Mobile Management

By using basic mobile device management, BYOD devices are kept secured with baseline security features with no end-user friction. Admins can enforce a passcode, get a device inventory, wipe Google accounts remotely, and even remotely install applications on Android devices. 

Advanced Mobile Management

Advanced mobile device management allows admins to apply more policy controls over BYOD devices, and Android users can keep their personal data private and separate from their work data with Android Work Profiles. There’s also the ability to allow and manage work apps on iOS and Android devices.

In addition to the above, admins can also manage and secure desktop devices with fundamental device management and enhanced desktop security for Windows. With fundamental device management, when a user logs into G Suite through any browser on a Windows, Mac, Chrome, or Linux device, that device is automatically enrolled with endpoint management. This functionality provides a base level of security to every desktop device that accesses G Suite data. With enhanced desktop security for Windows, admins can easily manage and secure Windows 10 devices through the admin console.

2. Enable secure connections without a corporate VPN using context-aware access

Context-aware access offers protection from unwanted access to G Suite services without the need for a VPN and allows admins to set up different access levels based on a user’s identity and the context of the request. This considers factors such as the country, device security status, and IP address of the request. For example, you can require BYOD devices accessing G Suite to meet encryption and password requirements or restrict contractors from accessing G Suite from company-managed Chromebooks.

3. Control data access with app access control

Malicious apps are continuously prowling for vulnerable devices to gain access to corporate data. For this reason, admins must endeavour to protect all devices, whether corporate or BYOD. App access control helps here, because malicious apps can trick users into mistakenly granting access to corporate data. With this feature, admins can choose which third-party apps are allowed to access users' G Suite data by explicitly trusting, limiting, or blocking access for apps.

4. Enforce 2-Step Verification

This is an extremely important control. By using 2-Step Verification, admins can reduce the risk of unauthorized access by asking users for additional proof of identity when signing in. And now with the addition of our Advanced Protection Program, you have our strongest protection against targeted attacks. With the Advanced Protection Program for the enterprise, we'll enforce a specific set of policies for enrolled users, including security key enforcement, blocking access to untrusted apps, and enhanced scanning for email threats.

If you forgo the use of security keys for any reason, there are a variety of other options to enforce 2-Step Verification on BYOD devices. For Android and iOS, you can use Google prompt, Google Authenticator, text message, or phone call options for a second verification step.

5. Prevent data loss and leakage with data loss prevention

We know admins are heavily tasked with keeping internal information safe and secure. To help prioritize this task, we have developed data loss prevention (DLP) policies to help protect sensitive information in Drive, Docs, Sheets, Slides, and Gmail from loss, misuse, or being accessed by unauthorized users. G Suite DLP allows admins to select which types of data are sensitive and exactly how to protect them. Our controls enable easy detection of a wide variety of common info types. To meet the organization’s needs, administrators can supplement this with custom content detectors. In addition, you can classify files in Drive automatically using DLP rules (beta) to categorize your data by sensitivity levels. DLP works on all the devices in your organization, including BYOD ones, since the protection is at the data and application level. 

In addition to DLP, you can use DXP for iOS devices to restrict the copy/pasting of G Suite data to other accounts, personal or otherwise. DXP for iOS can also restrict users’ ability to drag and drop files from specific apps within their G Suite account. Similarly, you can use Google endpoint management to configure Android devices to prevent data sharing between personal and work profiles.

6. Make retention and eDiscovery possible on all your devices with Vault

To support your organization’s retention and eDiscovery needs, Vault enables corporate data that’s stored in G Suite and accessed by BYOD devices to be available for all your information governance needs. No matter the owner of the device, your organization’s data stored in Gmail, Drive, Chat, Groups, Voice, and Meet are accessible to Vault.

Using the zero-trust security model, the G Suite features above work together to keep your data protected and organization secure across all devices, whether they’re corporate-owned or BYOD.

For more information about G Suite, contact Mustafa Jaffer.