Workspace ONE UEM manages email access on mobile devices without any password management by using Google's Directory APIs.

Enabling device activation blocks any unmanaged devices from accessing email. Workspace ONE UEM checks with Google for a device account during enrollment when the profile is pushed onto the device:
  • If the enrolled device has an account, Google sends a positive response to Workspace ONE UEM. Workspace ONE UEM then sends an approve command to Google to allow email access.
  • After the device enrolls, the profile is already installed on the device, and any attempt to connect, creates a device record in Google. When the Google scheduler runs at a default interval of five minutes, the device is identified and allowed for email access. The Email Dashboard is then updated with the 'Scheduled Sync Update'.
  • If the device fails to be identified by the scheduler after two days, then the end user must login to SSP and select Sync Email for the device to receive email access.
Note: You can also revoke access for Google accounts if an account violates compliance using the Token Revocation option on the Email Settings page.


Your device must have a Google account. If your device does not have a Google account setup before enrolling in Workspace ONE UEM, then updates cannot be completed successfully and the Email Dashboard on Workspace ONE UEM is updated with a "Failed" message.


  1. Enable Device Activation on the Google Admin console:
    1. On the Google Admin console, navigate to Device Management > Mobile > Setup
    2. On the Setup page, select Device Activation.
    3. Select an organization from the left panel and then select Require admin approval for device activation.
    4. (Optional) Enter an email address to receive notifications when users enroll their devices. You can also enter a group email address that includes all the administrators who can activate the devices.
  2. Configure Direct APIs Deployment Type on the UEM console:
    1. Navigate to Email > Email Settings and select Configure.
      The Email Config Add wizard displays.
    2. Select Direct for the Deployment Model.
    3. Select Google Apps with Direct API as the Email Type.
    4. Click Next.
    5. In the Deployment Wizard form, enter the following settings:
      Setting Description
      Friendly Name Friendly name for the Gmail deployment.
      Google Apps Domain Domain address
      Google Apps Sub-Domain Sub-domain address
      Google Apps Admin Username Complete email address
      Service account certificate (*.p12) Upload the Service account certificate. Enter the certificate password when prompted. The certificate password is created while generating the Service Account client ID on the Google console.

      The type, validity, and thumbprint of the certificate is displayed.

      Directory service account email address Service Account email address.
      Application Name Project name created earlier.
      Enable Token Revocation

      Toggle Enable to make available the Revoke Google Token action within MDM compliance policies.

      The Revoke Google Token message is displayed on the MDM compliance policy page.

      Note: This option can only be enabled for one MEM configuration at a time.
      Automatically revoke when wiping devices Check this box to revoke G Suite token for the user upon unenrollment.

What to do next

If you have enabled token revocation, and the MDM policy is also set to revoke G Suite tokens under Edit Device Policy, the token will be revoked for a non-compliant user. If you have also enabled the Automatically revoke when wiping devices option, the G Suite token will be revoked for the device when the device is unenrolled. See the Mobile Email Management guide.