Using remediation messages and custom messages in Context-Aware Access, you can help users unblock themselves when a policy prevents them from accessing an app. These optional (but recommended) messages can help get users back to productivity and reduce support calls for admins.
For example, say that a user on a mobile device is using Gmail in the office successfully during the day, but is blocked when they try to access Gmail at home in the evening. When remediation messages are enabled, they will see guidance on how to address the reason they are blocked.
Remediation and custom messages are supported for access levels created in both Basic mode and Advanced mode. Also, they are supported for both Core Services and SAML apps.
When blocked, your users can encounter:
- Default message—Displays if you have not added remediation messages or custom messages. An example default message is: Your organization's policy is blocking access to this app.
- Remediation messages—Replace the default message. The messages are system generated and correspond to the specific policy violation that blocked the user. Remediation messages can present several remediation options, which the user can expand by clicking Show more options. When several options are shown, the user needs to complete the steps for any one of them to unblock themselves.
- Custom message—Adds specific help for the user, such as additional advice on getting unblocked or a helpful link to click. You add custom messages as needed. A custom message can appear in conjunction with the default message, or with remediation messages.
This table shows how these messages combine:

| Remediation messages turned on? | Custom message added? | Messages the user sees |
| --- | --- | --- |
| No | No | Default message only |
| Yes | No | Remediation messages only. In some cases the default message might display if the remediation messages can't be generated. |
| No | Yes | Default message and custom message |
| Yes | Yes | Remediation messages and custom message |
Understand remediation messages
Each remediation action corresponds to an attribute that is causing access to be denied. The following table summarizes the remediation messages that the user might see. The messages are generated by the system according to the policy that was violated.
Note that different messages can be shown for the same attribute, depending on what the access level expects. For example, if the access level is device.screen_lock_enabled == true, the message is Set a screen password on your device. If the access level is device.screen_lock_enabled == false, the message is Remove the screen password from your device. Note that removing a screen password could be less secure, so the user should confirm this action with the admin.
Actual messages may differ from the messages shown below.
| Attribute | Remediation message |
| --- | --- |
| Region code | You can't access this app from your current location. Contact your admin to learn more. |
| Screen lock | Set a screen password on your device. |
| | Remove the screen password from your device. Note, this could be less secure, so you may want to confirm this with your admin. |
| Verified Chrome OS | Install a verified Chrome OS on your device. |
| | You can't access this app with a verified Chrome OS. |
| Admin approval | Switch to a device approved by your organization. Contact your admin if you don't have access to one. |
| | Switch to a device that's not associated with your organization. Note, this could be less secure, so you may want to confirm this with your admin. |
| Company owned device | Switch to a device owned by your organization. Contact your admin if you don't have access to one. |
| | Switch to a device that's not owned by your organization. |
| Encryption | Switch to a device that has one of the following encryption statuses: [status1, status2]. |
| | Switch to a device that doesn't have the following encryption status: [status] |
| OS type | Switch to a device that uses one of the following: [os1, os2] |
| | Switch to a device that doesn't use: os1 |
| OS version | Update your device to [OS version X] or higher |
| | Update your device to an OS version lower than [OS version X] |
| IP address | You can't access this app from your current IP subnetwork. Contact your admin to learn more. |
| Partner Attributes | Install [PARTNER NAME] on your device. (1) |
| | Your device isn't meeting some requirements, based on information from [PARTNER NAME]. (2) |

(1) Make sure the partner security app (for example, Lookout) is installed on the device. If it's installed but the user is still seeing this message, the device might not be properly enrolled into the partner MDM. Check the partner dashboard to verify whether this is the case. If required, contact the partner to resolve the issue.
(2) Check the partner app on the device for more details. If required, contact the partner to resolve the issue.
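To make the mapping concrete, the following Python is an added illustration (not Google's code) of how a violated access-level condition turns into one of the remediation messages in the table above, and how the earlier on/off table decides what the user finally sees, including the fallback to the default message when no remediation wording can be generated. Apart from device.screen_lock_enabled, which the article quotes, attribute names such as device.os_version are assumptions, and the list-style wording is simplified to one template.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

DEFAULT_MESSAGE = "Your organization's policy is blocking access to this app."

@dataclass(frozen=True)
class Condition:
    attribute: str  # e.g. "device.screen_lock_enabled" (quoted in the article)
    op: str         # "eq" (equals), "in" (one of a list) or "version_ge" (>= version)
    expected: Any

def _version(text: str) -> tuple:
    # "13.2" -> (13, 2) so versions compare numerically, not as strings
    return tuple(int(part) for part in text.split("."))

def satisfied(cond: Condition, device: Dict[str, Any]) -> bool:
    """True when the device attribute meets the access-level expectation."""
    actual = device.get(cond.attribute)
    if actual is None:            # unknown attribute: treat as not compliant
        return False
    if cond.op == "eq":
        return actual == cond.expected
    if cond.op == "in":
        return actual in cond.expected
    if cond.op == "version_ge":
        return _version(actual) >= _version(cond.expected)
    raise ValueError(f"unknown operator {cond.op}")

def remediation_for(cond: Condition) -> Optional[str]:
    """Wording from the article's table for a violated condition, or None."""
    if cond.attribute == "device.screen_lock_enabled":   # same attribute, two messages
        return ("Set a screen password on your device." if cond.expected
                else "Remove the screen password from your device.")
    if cond.op == "in":        # encryption status / OS type style lists (simplified)
        return f"Switch to a device that has one of the following: [{', '.join(cond.expected)}]."
    if cond.op == "version_ge":
        return f"Update your device to [{cond.expected}] or higher"
    return None                # no generated wording: caller falls back to the default

def user_messages(policy: List[Condition], device: Dict[str, Any],
                  remediation_on: bool, custom: Optional[str] = None) -> List[str]:
    """Apply the article's on/off table to whatever the device violates."""
    violated = [c for c in policy if not satisfied(c, device)]
    if not violated:
        return []              # access granted, nothing is shown
    messages: List[str] = []
    if remediation_on:
        messages = [m for m in (remediation_for(c) for c in violated) if m]
    if not messages:           # remediation off, or none could be generated
        messages = [DEFAULT_MESSAGE]
    if custom:                 # custom text sits alongside either kind of message
        messages.append(custom)
    return messages
```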
As an administrator, you can integrate supported third-party partners (those that are part of the BeyondCorp Alliance) with Google endpoint management in Google Admin console. This informational text displays in the remediation message interface to explain that partner messages can be available to users:
For example, from Lookout:
For details, go to Set up third-party partner integrations.
Common errors to resolve before remediation or custom messages can be seen by the user
These errors must be cleared before users can view remediation messages:
Your device can’t be recognized. There may be different steps depending on your device type.
Google doesn’t recognize the login device. The remediation step depends on the platform.
- Desktop devices—Users must use a Chrome profile with the SecureConnect extension installed. Users can't sign in to Google Workspace apps through incognito, guest, or personal profiles. Note that this error message can display when a user tries to sign in to a new device for the first time. In that case, the user must sync with the SecureConnect extension and refresh the browser.
- Mobile devices—A device might need to be synced before Google can recognize where the login occurred. See the next error message for details. Also, verify that device management is enabled on the Admin console.
Sync your device
For desktop devices, users must sync with the SecureConnect extension. For mobile devices managed using Advanced mode, users can try syncing from the device policy application. For basic managed devices, users can wait for the regular sync or sign in again to any Google app. Let the user know that device sync can take some time.
Implement remediation or custom messages
Turn on remediation messages
- From the Admin console Home page, go to Security > Access and data control > Context-Aware Access.
- Select User message.
- Under Remediation messages, click OFF and slide right to turn the messages ON. You’ll see a check mark.
- Click Save.
You can also add a custom message at this point.
Add a custom message
- From the Admin console Home page, go to Security > Access and data control > Context-Aware Access.
- Select User message.
- Under Additional custom message, enter your message.
- Click Preview to see what the user will see.
- Click Save.
User experience for remediation and custom messages
Default message only
This is an example of a message the user sees if no remediation messages or custom message is configured.
Default message and custom message
This is an example of a message the user sees if no remediation messages are configured, but the custom message is provided.
Remediation message only
This is an example of a message the user sees if remediation messages are configured with no custom message. The user clicks Show more options to expand the remediation steps.
Remediation and custom message
This is an example of a message the user sees if both remediation messages and the custom message are configured. The user clicks Show more options to expand the remediation steps.
Context-Aware Access remediation and custom messages FAQ
Can remediation cause any additional Access Denied cases?
The user doesn't get access until the device syncs with the Google servers. The user can try to force a sync in certain cases:
- Desktop—Sync from SecureConnect extension on Chrome
- Mobile (advanced management)—Sync from device policy app
- Mobile (basic management)—Sign in again to any Google app
Additionally, if the device is not compliant according to the BeyondCorp Alliance partner, try to sync from the partner application. Note that in certain cases a manual sync may not work, so the user should wait until a sync occurs.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.