This article explains how you can block the use of personal Google accounts on managed devices, or allow the use of personal Google accounts, but just block their access to the public Google Play store. Also as similar methods can be used to deny account modification, which is also shown as an alternative.
When are restrictions on the use of personal Google accounts needed?
The typical scenario is that your organization has defined an enterprise app store to manage Android devices using managed Google Play. The managed Google Play store is basically a more controlled version of the public (consumer) Google Play store, letting your IT admins decide which apps are available for device users in the store.
Although the managed Google Play store is present, device users can, by default, also access the public Google Play store using a personal Google account - which may be considered to negate the benefits of having the enterprise app store.
In order to address this loophole, you can deny the use of personal Google accounts on Android devices entirely, or allow their use but just block access to the consumer version of the Play Store. The latter option is viable if you, for example, want to allow the users to configure their personal Gmail accounts to the device.
- Premium subscription of Miradore
- Applicable to Android devices which have either Android Enterprise Work Managed Device (Full enrollment) or Work Profile mode (Light enrollment) of management enabled through Miradore
- Miradore Client version 2.7.9 or later
Steps to restrict the use of personal Google accounts
- In Miradore, navigate to Management > Configuration profiles and use the blue Add button to create a new configuration profile. Select Android platform.
- Scroll down and choose Restrictions and press Next.
- Go to the Account Management tab. There you can configure what the device user(s) are allowed or forbidden to do on the device. Account modification: Set this to "Denied" if you want to prevent the device user(s) from making any changes to the accounts configured for the device. This is the strictest restriction. Deny account management types: With this setting, you can prevent the device user(s) from managing certain types of accounts on the device. For example. "com.google" would block device user(s) from adding a personal Google account to the device. Other examples:
- com.google.android.gm.pop3 (deny adding/modifying POP3 accounts)
- com.google.android.gm.legacyimap (deny adding/modifying IMAP accounts)
- com.google.android.gm.exchange (deny adding/modifying Exchange accounts)
- com.facebook.auth.login (deny adding/modifying Facebook accounts)
- com.google.work (Deny adding/modifying managed Android Enterprise accounts)
- com.samsung.android.email (deny adding/modifying samsung email accounts)
- com.samsung.android.exchange (deny adding/modifying Samsung Exchange accounts)Play store for unmanaged accounts: If you're looking to restrict the use of personal Google accounts set this to "Denied" if you want to prevent device users from accessing the consumer version of the Google Play store using their personal Google Accounts. In this case, they can only access the managed Google Play store. This restriction allows the device users to add their personal Google account to the device if they want to use other Google services with the personal account. The example configuration is in the picture below. You can then skip to step four.If instead, you're looking to deny account modification you can alternatively set Account modification to Denied as seen below.
- Click Next and give a name and description for the profile. After that, you can distribute the restriction to desired devices using the Deploy on the configuration profile. Here denying the account modification is used as an example. Select the profiles to deploy first and then press Deploy.
When deploying the configuration file you will be first asked to confirm the profiles and then press Deploy.
The third step is just confirming the deployments.
If you then try to add an account you will get the following message on your device.
Also on Samsung devices accessing the Samsung account will be blocked as seen below.
Worth noting that you can check the device management mode and client version from the Client version and Management type columns of the Devices page.
Device owner = Work Managed Device
Profile owner = Work profile