Control access to apps based on user & device context

Use case: Device policy enforcement

This example shows you how to create a Context-Aware Access level to support device policy for your enterprise, and then assign this policy to apps.

Note: We recommend that if you are a Workspace-only user, do not add or modify Context-Aware Access access levels using the Google Cloud Platform (GCP) console. Doing so can cause this error: Unsupported attributes are being used on Google Workspace and blocked users.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. In the Admin console, go to Menu and then Securityand thenAccess and data controland thenContext-Aware Access.
  3. Select Access levels.
  4. Click Create access level.
  5. Add an access level name (for this example, a name like Device policy for Finance) and an optional description.
  6. Select Meet attributes. This means that users must satisfy the attributes in the condition to be able to access apps.
  7. Click Add Attribute to create an access level condition. Basic mode is selected by default.
  8. Select these attributes for the access level:
    • Device policy—Screen lock
    • Device OS—iOS 9.10.0
    • Device OS—Android 8.0.0
  9. Click Save. Now you can assign this access level to apps.
  10. Click Assign to apps. This link appears right after you create an access level. If you want to assign the access level later, navigate to Securityand thenAccess and data controland thenContext-Aware Access, and select Assign Access levels.
  11. Select an organizational unit. The users in this organizational unit are the users who have access to the apps you specify, and at the level defined in the access level you created. For example, select Finance to give access to a group of users in the Finance group.
  12. Choose apps for users to access. For example, Google Data Studio, Google Vault, Groups for Business, and Jamboard. 
  13. Click Assign. You may have to scroll to see the Assign button for the app you want. Be sure to assign the access level to the correct app. Be sure not to assign the access level to the Admin console.
  14. Select the access level to use. In this case, Device policy for Finance.
    You can select more than one access level, if you need to. Users are granted access to the app when they meet the conditions specified in just one of the access levels you select (it’s a logical OR of the access levels in the list).
    If you want users to meet the conditions in more than one access level (a logical AND of access levels), create an access level that contains multiple access levels.
    Note: Leave the Apply to Google desktop and mobile apps box checked.
  15. Click Save. Note that if an access level is assigned to an organizational unit or group with a large number of users, it can take up to 24 hours for the access level assignment to show up.
  16. To ensure proper assignment, look for:
    • A grey spot next to organizational unit name.
    • The name of the access level listed for the app.
  17. To customize the messages users get when app access is blocked, navigate to Security > Access and data control > Context-Aware Access and click User message. User messages include:
    • Remediation messages—These messages are system generated, and correspond to the specific policy violation that blocked the user. Remediation messages present remediation options to the user so they can unblock their app access.
    • Custom messages—Messages you add that offer specific help for the user, such as additional advice on getting unblocked or a helpful link to click.
    • Default message—An example default message is: Your organization's policy is blocking access to this app. This message displays if you have not specified a remediation message or a custom message.
      Go to Allow users to unblock apps with remediation messages in Context-Aware Access for details.

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu