G Suite is now able to manage your Windows 10 devices. This is a great feature that became generally available (GA) in May 2020.
I believe this is one of many features they will announce in the near future to allow admins to easily manage devices connected to their network. For now there are not many new features, but they are a good start for anyone who wants some control over devices from the G Suite admin console.
So to start with, I will briefly list the features below:
- Apply Windows settings
- Remove corporate data from a device
- Unenroll a device from Windows device management
- Sign users out of their Google Account on Windows 10 devices
Also please note that this feature is only available for G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium for now. So if you are using G Suite Business or Basic, then you will need to either upgrade to Enterprise, or just add Cloud Identity Premium on your existing account.
How to enable the management in G Suite
To enable Windows 10 management, you first turn on the setting in the admin console and then enroll your devices.
Turn on the setting in G Suite Admin Console
First, you have to enable the setting, which is disabled by default. To do that, sign in to the admin console as a super admin of your G Suite account.
Once you are inside the admin console, go to the device management page, then open “Windows Settings” under “Desktop Settings” in the left-side menu.
On the “Windows Settings” page, enable the setting “Enhanced desktop security”.
Now you are ready to move to the next step, which is enrolling a device!
Enroll a Windows device
Before you begin the process you need to be aware that the device must have Windows 10 Professional, Business, Enterprise, or Education version 1803 or later.
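The edition and version requirement above can be checked on a device before enrollment. The PowerShell below is an added example, not part of the original post or of Google's documentation; the function name Test-EnrollmentEligibility and the rule of recognising editions by name in the OS caption are assumptions, while build 17134 is the build number of Windows 10 version 1803.

```powershell
# Added example: pre-enrollment eligibility check for Windows device management.
# Requirement from the article: Windows 10 Professional, Business, Enterprise,
# or Education, version 1803 or later.

$MinBuild = 17134   # Windows 10 version 1803 is build 17134

function Test-EnrollmentEligibility {
    param(
        [Parameter(Mandatory)] [string] $Caption,     # e.g. "Microsoft Windows 10 Pro"
        [Parameter(Mandatory)] [int]    $BuildNumber  # e.g. 19045
    )

    # Assumption: supported editions are identified by name in the OS caption.
    # Home editions and non-Windows-10 systems do not match.
    $editionOk = $Caption -match 'Windows 10 (Pro|Business|Enterprise|Education)'
    $buildOk   = $BuildNumber -ge $MinBuild

    [pscustomobject]@{
        Caption   = $Caption
        Build     = $BuildNumber
        EditionOk = $editionOk
        BuildOk   = $buildOk
        Eligible  = ($editionOk -and $buildOk)
    }
}

# Check the local device.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Test-EnrollmentEligibility -Caption $os.Caption -BuildNumber ([int]$os.BuildNumber)

# Constructed sample inventory (not real devices) showing each outcome:
# eligible, wrong edition, and supported edition on a build older than 1803.
$samples = @(
    @{ Caption = 'Microsoft Windows 10 Pro';        BuildNumber = 19045 },
    @{ Caption = 'Microsoft Windows 10 Home';       BuildNumber = 19045 },
    @{ Caption = 'Microsoft Windows 10 Enterprise'; BuildNumber = 16299 }
)
$samples |
    ForEach-Object { Test-EnrollmentEligibility @_ } |
    Format-Table -AutoSize
```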
Once you have confirmed that, you need to decide how you want to do the enrollment. There are 2 methods: you can either install Google Credential Provider for Windows, which allows users to sign in to their devices using G Suite accounts, or you can enroll a device manually as explained below.
To manually enroll a device, follow these steps:
- Sign in to your Microsoft Windows® 10 device.
- Open https://deviceenrollmentforwindows.googleapis.com/v1/deeplink in a Chrome or Edge browser.
- In the message that asks whether you meant to switch apps, click Yes.
- Enter the Google email address you would like to use for this feature.
- Click Next to start device enrollment.
- Sign in to your managed Google Account.
Now that the device is enrolled, you can start managing it!
Manage your Windows 10 devices from G Suite
The below section I actually just copied from this help article on G Suite Admin Help site because it is really well summarized and to the point.
After users’ Microsoft® Windows® 10 devices are enrolled in Windows device management, you can manage those devices, as follows.
Apply settings to devices
You can use enhanced desktop security for Windows (beta) to remotely apply Windows settings on users’ devices:
- Set users’ administrative permission level for Windows
- Configure automatic Windows updates
- Configure BitLocker
- Apply custom Windows settings
You can use organizational units to apply different settings to specific sets of users. For example, you might want to apply a custom setting for some employees but not managers. Note that settings apply to the user, not to specific devices. This means that if the user has multiple managed devices, a setting applies to all of those devices. Learn more about applying user policies.
Remove corporate data or accounts
With enhanced desktop security for Windows, you can remotely remove all corporate data or accounts from enrolled devices. For details, go to Remove corporate data from a mobile device.
If a device is enrolled in Windows management, you can unenroll it to remove all settings that were pushed to the device. Unenrolling a device doesn’t affect any other corporate or personal data on the device. For details, go to Unenroll a device from Windows device management.
Remotely sign a user out from their Google Account
If a user’s device is lost or stolen, or they forgot to sign out of their Google Account, you can sign them out remotely. For details, go to Sign users out from Windows 10 devices.
Having the ability to manage Windows 10 from the same console as we do to manage G Suite is really a great feature. I came across many requirements for enterprises who are migrating to G Suite and stopped at this point where they did not want to keep paying for Microsoft licenses, but at the same time they were locked in their environment because of the many Windows 10 devices.
We usually offer them alternatives to manage their Windows 10 devices, or just offer solutions to move them out of Windows such as the use of CloudReady or any other ChromiumOS, or we just suggest the purchase of Chrome Devices.
With this addition to device management it is now an easy choice for organizations who decide to migrate to G Suite and want to keep using Windows 10 for the first period of their migration and transformation process.
Hopefully we will see more settings added to the existing set of settings.
Note: the G Suite and Windows 10 logos are trademarks of their respective owners, and I am not one of those owners. I am just using them under the fair use policy.