Control access to apps based on user & device context

Use cases: Exempt trusted third-party apps from being blocked

Next: Allow users to unblock apps with remediation messages in Context Aware Access

These examples show you how to exempt allowlisted apps so they can always access Application Programming Interfaces (APIs) for specific Google services, regardless of the access levels assigned.

Use case 1: Trusted apps get blocked through exposed APIs

In this example, we don’t exempt any third-party trusted apps. For Google Keep, we set the Prevent out of corp network access access level for the Temp Worker organizational unit. This results in any apps accessing Google Keep through APIs from outside of your organization's network being blocked.

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
In the Admin console, go to Menu SecurityAccess and data controlContext-Aware Access.
Click Assign access levels.
Select the Temp Worker organizational unit.
From the list of apps, select Google Keep and click Assign.
Select Prevent out of corp network access and click Continue.
Check the Block users from accessing Google desktop and mobile apps if access levels aren’t met box.
Check the Block other apps from accessing the selected apps via APIs, if access levels aren't met box.
Click Continue.
Review and click Finish.

Use case 2: Exempt a third-party app

In this example, we exempt the third-party app Box. For Google Drive, we set the Prevent out of corp network access access level for the Temp Worker organizational unit. This results in the third-party app Box being able to access Google Drive even if the API request comes from outside of your organization's network.

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
In the Admin console, go to Menu SecurityAccess and data controlContext-Aware Access.
Click Assign access levels.
Select the Temp Worker organizational unit.
From the list of apps, select Google Drive and click Assign.
Select Prevent out of corp network access and click Continue.
Check the Block users from accessing Google desktop and mobile apps if access levels aren’t met box.
Check the Block other apps from accessing the selected apps via APIs, if access levels aren't met box.
Check the Exempt allowlisted apps so that they can always access APIs for specific Google services, regardless of access levels box.
Any third-party apps you mark Trusted on the App Access Control page are listed in the table of allowlisted apps.
Select Box and click Continue.
Review and click Finish.

Use case 3: Exempt another third-party app in the same organizational unit

In this example, we add the Salesforce third-party app to our configuration in the previous use case.

The app exemption list is an organizational unit specific list that applies to all third-party apps exempted in previous Context-Aware Access level assignments and any new Context-Aware Access level assignment. App exemption lists are unique to the organizational unit in which they are defined. Therefore, organizational units have their own app exemption lists.

As a result, in this example, both Box and Salesforce will be able to access Drive and Gmail regardless of the access levels assigned.

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
In the Admin console, go to Menu SecurityAccess and data controlContext-Aware Access.
Click Assign access levels.
Select the Temp Worker organizational unit.
From the list of apps, select Gmail and click Assign.
Select the access level, Prevent out of US access and click Continue.
Check the Block users from accessing Google desktop and mobile apps if access levels aren’t met box.
Check the Block other apps from accessing the selected apps via APIs, if access levels aren't met box.
Check the Exempt allowlisted apps so that they can always access APIs for specific Google services, regardless of access levels box.
Any third-party apps you mark Trusted on the App Access Control page are listed in the table of allowlisted apps.
Select the third-party app Salesforce and click Continue.
Review and click Finish.

Groups and organizational unit exemption behavior

Even though group policies supersede organizational unit policies, you can still exempt trusted third-party apps from being blocked though exposed APIs when assigning Contex-Aware Access levels at the group level. However, you cannot define group level exemption lists like you can for organizational units.

If you check Exempt allowlisted apps so that they can always access APIs for specific Google Services, regardless of Access Levels while assigning a group level Context-Aware Access level, then the individuals in the group will be subjected to the organizational unit level exemption lists that they belong to. If individuals belong to different organizational units, then the corresponding exemption lists for those organizational units will apply to them.

If you uncheck Exempt allowlisted apps so that they can always access APIs for specific Google Services, regardless of Access Levels while assigning a group level Context-Aware Access level, then no exemptions will apply to the individuals in the group. Group policies supersede organizational unit policies so any exemptions from previously created Context-Aware Access levels will not apply to individuals in this group.

_{Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.}

Was this helpful?

How can we improve it?