Assign mobile device management admin privileges based

Assign mobile device management admin privileges based on organizational unit

Google giving admins more granular control over how mobile device management privileges are delegated. Specifically, admins can be assigned privileges for specific organizational units (OUs), adding another layer of security by scoping access only to necessary OUs.

Previously available in beta, google now making this feature generally available, with improvements to the way devices are displayed to help admins view and manage their devices more efficiently.

Example experience for an admin with OU-level permissions

Getting started

Admins: Visit the Help Center to learn more about administrator roles and delegating device management administrator privileges.
End users: There is no end user impact or action required.

Rollout pace

Rapid Release and Scheduled Release domains: Full rollout (1–3 days for feature visibility) starting on June 29, 2026

Availability

Available to all Google Workspace customers

Resources

Google Workspace Admin Help: Create an admin role for an organizational unit
Google Workspace Admin Help: Delegate device management administrator privileges

To assign granular Mobile Device Management (MDM) administrative privileges based on specific Organizational Units (OUs) in Google Workspace, you must create a custom admin role and restrict its scope. [1]

Step 1: Create a Custom MDM Role

Sign in to the Google Admin console using a Super Administrator account.
Navigate to Menu > Account > Admin roles.
Click Create new role.
Enter a clear name (e.g., Regional MDM Manager) and description, then click Continue.
Scroll down to the Privileges tab. Under Services > Mobile Device Management, check the box for Manage Devices and Settings.
Click Continue, then click Create role. [2, 3]

Step 2: Assign the Role and Scope by OU

From your newly created role’s page, click Assign members (or Assign role).
Select or enter the user or admin group you want to grant permissions to.
Crucial Step: Instead of assigning the role to the entire organization, locate the Organizational Unit (OU) selector.
Select the specific target OU (e.g., Sales Department or UK Branch) to limit their access.
Click Save or Assign. [2, 4, 5, 6, 7]

Important Considerations

Inheritance: The assigned admin will have control over the selected OU and any nested sub-OUs underneath it, but cannot view or modify devices in sibling or parent OUs. [4]
iOS Limitations: Delegated admins assigned strictly to an OU cannot configure advanced iOS management or manage Apple Push Certificates, as those actions still require universal Super Admin rights. [2]
UI Filtering: The designated admin’s console will automatically filter the dashboard, showing them only the device fleet they are authorized to manage. [1, 4]