Trusted Endpoints - Google G Suite Managed Device Deployment

Last Updated: October 17th, 2019

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.

Before enabling the Trusted Endpoints policy on your applications, you'll need to configure your managed mobile devices. This guide walks you through Google G Suite configuration for Android mobile devices.

Note that this G Suite management integration and the Duo Mobile management integration for verifying endpoints are mutually exclusive. You won't be able to use G Suite for verification if a management integration for Duo Mobile exists.


Create the G Suite Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints Configuration.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Select Management Tools Integration" page, locate G Suite in the listed integrations and click the Select this integration link to the right.

The new G Suite integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Keep the Duo Admin Panel open in your browser. You'll need to refer back to the G Suite management integration page to complete the configuration steps.

Enable Advanced Mobile Management

  1. Log on to the G Suite Admin console as an administrator and click on Device management.

  2. Click the Setup link under "MOBILE" on the left side of the console and then click Mobile Management.

  3. Turn on the Enable Mobile Management option and then select the Advanced option.

  4. Click Save to apply the new mobile settings.

  5. Scroll down to "Android App Management" and verify that the status of "Manage Android Apps" is Enabled.

Add Duo Mobile as a Managed Application

  1. Return to the G Suite Device management page.

  2. Click the App Management link under "MOBILE" on the left side of the console.

  3. Click on Manage apps for Android devices and then click MANAGE WHITELISTED APPS.

  4. Click the + "Add Application" icon on the bottom right of the G Suite admin console to add a new managed application.

  5. Search for Duo Mobile. Click on the search result for Duo Mobile and then click APPROVE. Click APPROVE again to accept the app permissions.

  6. You may change the approval and notification options if you wish. Click Save when done to add Duo Mobile to the set of approved managed applications.

Create a Managed Configuration for Duo Mobile

  1. Click on Duo Mobile in the list of managed applications.

  2. Click Managed Configurations at the bottom of the Duo Mobile page, and then click CREATE A NEW MANAGED CONFIGURATION. Give the configuration a name.

  3. Return to your G Suite management integration page in the Duo Admin Panel.

  4. Copy the "Secret Key" value from the "Create a Managed Configuration" section of your G Suite management integration (it will look similar to DBpyowo7l1dXaPdljkoYsRhBtorOoylaltj1ovsH). Paste this in G Suite as the Trusted Endpoint Identifier value.

  5. Copy the "Trusted Endpoints Configuration Key" value from the "Create a Managed Configuration" section of your G Suite management integration (it will look similar to DPK0W0KLPJLOGSKHTDD). Paste this in G Suite as the Trusted Endpoints Configuration Key value. Click Save after filling in both fields.

  6. Click App Distribution and Configuration on the Duo Mobile page.

  7. Click the menu button on the right side of the table to open the menu, then click Edit Configuration.

  8. In the "Managed Configuration" section, select the managed configuration you just created and then click UPDATE.

Finish Trusted Endpoints Deployment

Once your G Suite managed devices receive the Duo config, you can set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the G Suite trusted endpoint management integration in the Admin Panel and enable it by clicking the Change link at the top of the page next to "Integration is disabled". You can activate this management integration either for just the members of a specified test group or groups, or for all users.

The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed.

Removing the Google G Suite Management Integration

Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Google G Suite integration from "Trusted Endpoints Configuration". You should also disable your Duo admin user in Google G Suite.

Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

