Gmail adds enterprise E2EE

Google has added end-to-end encrypted Gmail to the native Android and iPhone apps for eligible Workspace customers, extending a security feature that had been limited outside mobile. (workspaceupdates.googleblog.com) Google said on April 9 that users with a Gmail end-to-end encryption license can now compose and read those messages directly inside the Gmail app on Android and iOS, without a separate app or web portal. The rollout is live on both Rapid Release and Scheduled Release domains. (workspaceupdates.googleblog.com) The feature is available to Google Workspace Enterprise Plus customers with the Assured Controls or Assured Controls Plus add-on, and administrators must enable Android and iOS clients in the client-side encryption settings before users can access it. (workspaceupdates.googleblog.com) End-to-end encryption here means the message is encrypted before it reaches Google’s cloud, with the customer’s organization holding the key instead of Google. Google’s help pages describe that as a step beyond standard Gmail Transport Layer Security, which protects mail in transit but does not keep the provider from accessing content. (support.google.com, support.google.com) Google has been building toward this mobile release for more than two years. In February 2024, it let administrators make client-side encryption the default for new Gmail messages, Calendar events, and Drive uploads on Android and iOS. (workspaceupdates.googleblog.com) The company widened the audience in October 2025, when it said Gmail client-side encryption users could send end-to-end encrypted messages to any recipient, including people on other email providers, through guest accounts instead of traditional Secure/Multipurpose Internet Mail Extensions certificate exchanges. (workspaceupdates.googleblog.com) That guest-account system is still part of the setup for outside recipients. Google’s admin documentation says organizations using the “Encryption with guest accounts” option need a guest identity provider, and external recipients may be prompted to create a guest account to open encrypted mail. (support.google.com) The mobile launch arrived alongside Google’s regular Android patch cycle. Google published its April 2026 Android Security Bulletin on April 6 and said devices on the 2026-04-05 patch level or later address all issues listed there, including a critical Framework flaw that could cause local denial of service without user interaction. (source.android.com) Google’s Pixel support forum separately said the April 2026 Pixel software update had started rolling out to supported devices, tying the Gmail change to a broader week of mobile security updates across Google’s ecosystem. (support.google.com) For Google, the change puts encrypted corporate email on the same screen employees already use for ordinary Gmail. For administrators, it keeps the extra controls — licensing, policy switches, and customer-held keys — in place while moving the feature onto phones. (workspaceupdates.googleblog.com, support.google.com)