
Allow users to unblock apps with remediation messages in Context-Aware Access

Use remediation messages to help users unblock themselves

Using remediation messages and custom messages in Context-Aware Access, you can help users unblock themselves when a policy prevents them from accessing an app. These optional (but recommended) messages can help get users back to productivity and reduce support calls for admins.

For example, say that a user on a mobile device uses Gmail in the office successfully during the day, but is blocked when they try to open Gmail at home in the evening. With remediation messages turned on, the block screen tells them which condition of the policy their device or connection failed and what they can change to satisfy it.

Remediation and custom messages are supported for access levels created in both Basic mode and Advanced mode, and for both core services and SAML apps.

Use remediation messages and custom messages to help your users unblock themselves

A blocked user can see one of the following:

  • Default message—Displays if you have not added remediation messages or custom messages. An example default message is: Your organization's policy is blocking access to this app.
  • Remediation messages—Replace the default message. The messages are generated by the system and correspond to the specific policy condition that the user failed.
    Remediation messages can present several remediation options, which the user expands by clicking Show more options. When several options are shown, the user needs to complete all the steps of any one option to unblock themselves; they do not need to satisfy every option.
  • Custom message—Adds help specific to your organization, such as additional advice on getting unblocked or a helpful link to click. You add custom messages as needed. A custom message can appear together with the default message or with remediation messages.

This table shows which messages the user sees for each combination of settings:

Remediation messages turned on? | Custom message added? | What the user sees
No  | No  | Default message only
Yes | No  | Remediation messages only. If the remediation messages can't be generated, the default message displays instead.
No  | Yes | Default message and custom message
Yes | Yes | Remediation messages and custom message

Understand remediation messages

Each remediation message corresponds to the attribute in the access level whose condition the device or connection failed. The following table summarizes the messages a user might see; they are generated automatically from the condition that was violated.

The wording for an attribute depends on what the access level expects of it. For example, if the access level contains device.screen_lock_enabled == true, the message is Set a screen password on your device. If it contains device.screen_lock_enabled == false, the message is Remove the screen password from your device. Removing a screen password makes the device less secure, so a user who sees that message should confirm the action with their admin before following it.

The exact wording may differ from the messages shown below. Where two messages are listed for an attribute, the first applies when the access level requires the attribute and the second when it excludes it.

Region code
  • You can't access this app from your current location. Contact your admin to learn more.
Screen lock
  • Set a screen password on your device.
  • Remove the screen password from your device. Note, this could be less secure, so you may want to confirm this with your admin.
Verified Chrome OS
  • Install a verified Chrome OS on your device.
  • You can't access this app with a verified Chrome OS.
Admin approval
  • Switch to a device approved by your organization. Contact your admin if you don't have access to one.
  • Switch to a device that's not associated with your organization. Note, this could be less secure, so you may want to confirm this with your admin.
Company owned device
  • Switch to a device owned by your organization. Contact your admin if you don't have access to one.
  • Switch to a device that's not owned by your organization.
Encryption
  • Switch to a device that has one of the following encryption statuses: [status1, status2].
  • Switch to a device that doesn't have the following encryption status: [status].
OS type
  • Switch to a device that uses one of the following: [os1, os2].
  • Switch to a device that doesn't use: [os1].
OS version
  • Update your device to [OS version X] or higher.
  • Update your device to an OS version lower than [OS version X].
IP address
  • You can't access this app from your current IP subnetwork. Contact your admin to learn more.
Partner attributes
  • Install [PARTNER NAME] on your device. [1]
  • Your device isn't meeting some requirements, based on information from [PARTNER NAME]. [2]

[1] Make sure the partner security app (for example, Lookout) is installed on the device. If it's installed but the user still sees this message, the device might not be properly enrolled in the partner MDM. Check the partner dashboard to verify whether this is the case. If required, contact the partner to resolve the issue.

[2] Check the partner app on the device for more details. If required, contact the partner to resolve the issue.
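The mapping from a failed access-level condition to a remediation option can be modelled in a few lines. The following Python is an added example for this article, not Google's code: it evaluates a simplified policy (several access levels, any one of which grants access; each a conjunction of conditions), turns every failing condition into the message the table above gives for it, picks the wording by polarity (device.screen_lock_enabled == true versus == false), groups the failing conditions of each access level into one option, and skips an unsatisfiable access level (the FAQ's os = 'windows' && os = 'mac' case) so that the caller falls back to the default message. Only device.screen_lock_enabled is an attribute name the article shows; the other attribute names, the condition encoding and the constructed office/home contexts are assumptions for illustration.

```python
"""Toy model of how a Context-Aware Access denial becomes remediation options.
Added example for this article, not Google's code. Only device.screen_lock_enabled
appears in the article; the other attribute names, the condition encoding and the
constructed access levels and device contexts are assumptions for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Any

@dataclass(frozen=True)
class Cond:
    attr: str      # e.g. "device.screen_lock_enabled"
    op: str        # "==", "!=", "in", "not in"
    expected: Any

# Boolean attributes: (message when the level wants True, message when it wants False).
BOOL_MESSAGES = {
    "device.screen_lock_enabled": (
        "Set a screen password on your device.",
        "Remove the screen password from your device. Note, this could be less "
        "secure, so you may want to confirm this with your admin."),
    "device.is_corp_owned_device": (
        "Switch to a device owned by your organization. Contact your admin if you "
        "don't have access to one.",
        "Switch to a device that's not owned by your organization."),
}
# Enumerated attributes: (template when values are allowed, template when excluded).
ENUM_MESSAGES = {"device.os_type": ("Switch to a device that uses one of the following: {vals}",
                                    "Switch to a device that doesn't use: {vals}")}
# Origin attributes: the user can't change these, so the message is non-actionable.
ORIGIN_MESSAGES = {
    "origin.ip": "You can't access this app from your current IP subnetwork. "
                 "Contact your admin to learn more.",
}

def holds(c: Cond, ctx: dict[str, Any]) -> bool:
    """Evaluate one condition against the device/origin context."""
    actual = ctx.get(c.attr)
    if actual is None:
        return False  # an attribute Google can't read never satisfies a condition
    if c.attr == "origin.ip" and c.op in ("in", "not in"):
        inside = any(ip_address(actual) in ip_network(n) for n in c.expected)
        return inside if c.op == "in" else not inside
    ops = {"==": lambda: actual == c.expected, "!=": lambda: actual != c.expected,
           "in": lambda: actual in c.expected, "not in": lambda: actual not in c.expected}
    return ops[c.op]()

def remediation(c: Cond) -> str:
    """Message for a condition that does NOT hold; wording depends on the polarity."""
    if c.attr in ORIGIN_MESSAGES:
        return ORIGIN_MESSAGES[c.attr]
    if c.attr in BOOL_MESSAGES:
        want_true = (c.op == "==") == bool(c.expected)   # "== true" or "!= false"
        return BOOL_MESSAGES[c.attr][0 if want_true else 1]
    if c.attr in ENUM_MESSAGES:
        vals = c.expected if c.op in ("in", "not in") else [c.expected]
        template = ENUM_MESSAGES[c.attr][0 if c.op in ("==", "in") else 1]
        return template.format(vals=", ".join(vals))
    raise ValueError(f"no remediation known for {c}")

def unsatisfiable(level: list[Cond]) -> bool:
    """True if one attribute is pinned to two different values (the FAQ's
    os == 'windows' && os == 'mac'): no device can meet it, so no option is offered."""
    pinned: dict[str, Any] = {}
    for c in level:
        if c.op == "==":
            if c.attr in pinned and pinned[c.attr] != c.expected:
                return True
            pinned[c.attr] = c.expected
    return False

def remediation_options(levels: list[list[Cond]], ctx: dict[str, Any]) -> list[list[str]] | None:
    """None: access granted. []: blocked, but no option could be generated (show the default
    message). Otherwise one option per failing level; the user completes every step of any ONE."""
    options = []
    for level in levels:
        failing = [c for c in level if not holds(c, ctx)]
        if not failing:
            return None
        if not unsatisfiable(level):
            options.append([remediation(c) for c in failing])
    return options

# Constructed policy for the article's Gmail scenario: allowed from the office network,
# or from a company-owned device that has a screen lock. Any ONE level grants access.
LEVELS = [
    [Cond("origin.ip", "in", ["198.51.100.0/24"])],
    [Cond("device.screen_lock_enabled", "==", True), Cond("device.is_corp_owned_device", "==", True)],
]
# Constructed contexts: the same company phone, with no screen lock, in the office and at home.
OFFICE_CTX = {"origin.ip": "198.51.100.20", "device.screen_lock_enabled": False,
              "device.is_corp_owned_device": True, "device.os_type": "ANDROID"}
HOME_CTX = {**OFFICE_CTX, "origin.ip": "203.0.113.7"}
if __name__ == "__main__":
    print(remediation_options(LEVELS, OFFICE_CTX))  # None: granted via the office network
    print(remediation_options(LEVELS, HOME_CTX))    # two options: office network, or set a screen lock
```

For the home context the model returns two options, one per access level: the non-actionable IP message and "Set a screen password on your device." Completing either one (walking back to the office, or turning on a screen lock and letting the device sync) is enough, which is the "any one option" rule described above. Real Context-Aware Access evaluates its access levels server-side against the device state it last received through the device sync described later on this page; this model reproduces only the message selection logic.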

Understand remediation messages and third-party partner integrations

As an administrator, you can integrate supported third-party partners (members of the BeyondCorp Alliance, for example Lookout) with Google endpoint management in the Google Admin console. When a partner is integrated, the User message settings show an informational notice explaining that messages based on partner data can be available to users, such as the partner attribute messages in the table above. The original page shows the notice and a Lookout example as screenshots.

For details, go to Set up third-party partner integrations.

Common errors to resolve before remediation or custom messages can be seen by the user

These errors must be cleared before users can view remediation messages:

Your device can’t be recognized. There may be different steps depending on your device type.

Google doesn’t recognize the login device. The remediation step depends on the platform.

  • Desktop devices—Users must use a Chrome profile with the SecureConnect extension installed. Users can't sign in to Google Workspace apps through Incognito, guest, or personal profiles. This error also displays when a user signs in on a new device for the first time; in that case, the user must sync with the SecureConnect extension and then refresh the browser.
  • Mobile devices—A device might need to sync before Google can recognize where the sign-in occurred. See the next error message for details. Also verify that device management is turned on in the Admin console.

Sync your device

For desktop devices, users must sync with the SecureConnect extension. For mobile devices under advanced management, users can trigger a sync from the Device Policy app. For devices under basic management, users can wait for the regular sync or sign in again to any Google app. Let the user know that a device sync can take some time.

Implement remediation or custom messages

Turn on remediation messages

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security, then Access and data control, then Context-Aware Access.
  3. Select User message.
  4. Under Remediation messages, click OFF and slide right to turn the messages ON. You’ll see a check mark.
  5. Click Save.
    You can also add a custom message at this point.

Add a custom message

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security, then Access and data control, then Context-Aware Access.
  3. Select User message.
  4. Under Additional custom message, enter your message.
  5. Click Preview to see what the user will see.
  6. Click Save.

User experience for remediation and custom messages

Default message only

Screenshot: the message the user sees when neither remediation messages nor a custom message is configured; only the default message appears.

Default message and custom message

Screenshot: the message the user sees when remediation messages are off but a custom message is provided; the default message and the custom message appear together.

Remediation message only

Screenshot: the message the user sees when remediation messages are on and no custom message is set. The user clicks Show more options to expand the remediation steps.

Remediation and custom message

Screenshot: the message the user sees when both remediation messages and a custom message are configured. The user clicks Show more options to expand the remediation steps; the custom message appears below them.

Context-Aware Access remediation and custom messages FAQ


Can remediation cause any additional Access Denied cases?
No. Turning remediation messages on or off changes only what a blocked user sees, never whether access is granted. If the system can't generate remediation messages, the block screen shows the default message instead.
Why don’t the remediation messages reflect the current policies?
Remediation messages are built from the current access levels, but changes take a few minutes to propagate. After changing a policy, an access level, or the remediation setting in the Admin console, wait a couple of minutes and have the user retry.
How long does it take for the user to get access after completing the remediation actions?

The user doesn't get access until the device syncs with Google servers, because the policy is evaluated against the device state Google last received. The user can try to force a sync in certain cases:

  • Desktop—Sync from the SecureConnect extension in Chrome
  • Mobile (advanced management)—Sync from the Device Policy app
  • Mobile (basic management)—Sign in again to a Google app

Additionally, if the device is reported as non-compliant by a BeyondCorp Alliance partner, try to sync from the partner application. In some cases a manual sync doesn't work, so the user might have to wait until the next scheduled sync.

Why do users still see the same remediation options after completing the remediation action?
Remediation options don't change until the device syncs. Refer to the previous FAQ answer for sync options.
Why do remediation message options change without any action on the device?
This is uncommon, but when access levels are complex, different remediation options can be shown for the same device state. Also, if access levels or the remediation setting were updated recently, it can take a few minutes for the change to fully propagate; until then the remediation options may change on their own when the browser is refreshed.
Why are remediation messages missing even though they are enabled?
This can be caused by an unsatisfiable access level, for example os = ‘windows’ && os = ‘mac’: no device can meet both conditions, so there is no remediation step to suggest and the default message is shown instead.
Do users see the custom user message if remediation is enabled?
Yes, if the admin has added one. The custom message displays below the remediation message options.
How do I enable remediations for Device policies?
You can't. Remediation messages cover only denials caused by Context-Aware Access access levels; a denial caused by a device management policy shows no remediation message.
Why does the Your device can’t be recognized remediation message display if the SecureConnect extension is syncing?
Verify that the account used to access the app is the account that is syncing in the SecureConnect extension. If the Chrome profile belongs to another user, SecureConnect might be syncing with that user's account instead.

