Control access to apps based on user & device context

Assign Context-Aware access levels to apps

After you create access levels, you’re ready to assign them to apps. Use access levels to define how users can access apps. You can define access by user identity, device security status, IP address, and geographical location. You can also define access for apps attempting to access Google Workspace data through exposed public Application Programming Interfaces (APIs).

When you assign access levels…

  • Enforce endpoint verification so you can review information about users’ devices and control access to apps based on location, device security status, or other attributes.
  • Users are granted access to the app when they meet the conditions specified in one of the access levels you select (it’s a logical OR of the access levels in the list). If you want users to meet the conditions in more than one access level (a logical AND of access levels), create an access level that contains multiple access levels. If you want to assign more than 10 access levels for an app, you can use nested access levels to do so.
  • For mobile apps, if you use integrated Gmail, you can grant or deny access to Gmail, Google Chat, and Google Meet all at once. If Google Chat and Google Meet are implemented as separate apps (not as part of integrated Gmail), you need to grant or deny access to those apps separately.

Assign Context-Aware access levels to an app

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit (to set by department) or a configuration group (to set for users across or within departments).

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > Context-Aware Access.
  3. Click Assign access levels. You see a list of apps.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
  5. Find the app and click Assign.
    To assign the same access levels to multiple apps at once, check the boxes next to the apps and, at the top, click Assign.
  6. Select one or more access levels (up to 10) for the app and click Continue.
    Access levels are shared between Google Workspace and Google Cloud, so you might see access levels that you didn’t create.
  7. (Recommended) Check the Block users from accessing Google desktop and mobile apps if access levels aren’t met box to apply the access levels to users of native desktop, Android, and iOS apps and web apps.
  8. (Optional) Check the Block other apps from accessing the selected apps via APIs, if access levels aren't met box to block apps from attempting to access Google Workspace data through exposed public APIs.
  9. (Optional) To exempt trusted apps from being blocked through exposed APIs:
    Available for configuration by organizational unit, not configuration group, even though you can select a group in the Admin console. For details, see Use cases: Exempt trusted third-party apps from being blocked.
    1. Check the Exempt allowlisted apps so that they can always access APIs for specific Google services, regardless of access levels box.
    2. If you don’t see a list of apps or the app you want to exempt, click Go to app access control and complete the steps to trust the app.
      Any third-party apps you mark Trusted on the App Access Control page are listed in the table of allowlisted apps. Some might already be preselected if you marked them trusted and exempt from API enforcement.
    3. If needed, select the apps you want exempted from API enforcement and click Continue.
  10. Click Finish. If a user meets the conditions in at least one of the selected access levels, the user can access the app. The access level name displays in the assigned access levels list next to the app.

App behavior based on access level settings

The following table summarizes the behavior based on whether you check the Block users from accessing Google desktop and mobile apps if access levels aren’t met box (shortened to "Block box" in the table) and whether you deploy Endpoint Verification. Rows marked (recommended) show the recommended settings.

Key terms for this table:

  • Access level applied—Access is granted based on the access levels you set up in the Context-Aware Access configuration.
  • Access allowed—Context-Aware Access is not applied, and all access is allowed.
  • Access blocked—Access is blocked because Context-Aware Access isn't configured, or you don't have endpoint verification turned on.

Access level            | CAA enabled                     | Mobile native        | Mobile web           | Desktop web          | Desktop native       | Endpoint verification deployed?
------------------------|---------------------------------|----------------------|----------------------|----------------------|----------------------|--------------------------------
Only IP/Geo attributes  | Block box checked (recommended) | Access level applied | Access level applied | Access level applied | Access level applied | Not required
Only IP/Geo attributes  | Block box not checked           | Access allowed       | Access level applied | Access level applied | Access allowed       | Not required
Device attributes       | Block box checked (recommended) | Access level applied | Access level applied | Access level applied | Access level applied | Yes
Device attributes       | Block box checked               | Access level applied | Access level applied | Access blocked       | Access blocked       | No
Device attributes       | Block box not checked           | Access allowed       | Access level applied | Access level applied | Access allowed       | Yes
Device attributes       | Block box not checked           | Access allowed       | Access level applied | Access blocked       | Access allowed       | No
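As an added illustration (not this page's or Google's code) of the access-level semantics in the bullet list above and of the blocked rows in this table: a small evaluator in which an app's assigned levels are a logical OR, a nested level that requires other levels gives the logical AND, and a request that hits a device condition without endpoint-verification data is blocked unless another assigned level grants it. Field names follow the shape of Access Context Manager basic levels; the level definitions and user contexts are constructed.

```python
"""Constructed evaluator for the Context-Aware Access rules above (not Google's
code): assigned levels combine as OR, a level requiring other levels gives AND,
and a device condition with no endpoint-verification data blocks, not allows."""
import ipaddress

# Constructed access levels, shaped like Access Context Manager "basic" levels.
LEVELS = {
    "corp_network": {"conditions": [{"ipSubnetworks": ["203.0.113.0/24"]}]},
    "us_only": {"conditions": [{"regions": ["US"]}]},
    "managed_device": {"conditions": [{"devicePolicy": {"requireScreenlock": True}}]},
    # Nested level: met only when BOTH listed levels are met (logical AND).
    "corp_and_managed": {"conditions": [{"requiredAccessLevels": ["corp_network", "managed_device"]}]},
}
class NoDeviceSignal(Exception):
    """A device condition was evaluated but no endpoint data is available."""

def condition_met(cond, ctx):
    if "ipSubnetworks" in cond:
        ip = ipaddress.ip_address(ctx["ip"])
        if not any(ip in ipaddress.ip_network(n) for n in cond["ipSubnetworks"]):
            return False
    if "regions" in cond and ctx.get("region") not in cond["regions"]:
        return False
    if "devicePolicy" in cond:
        device = ctx.get("device")  # None when endpoint verification is absent
        if device is None:
            raise NoDeviceSignal
        if any(device.get(k) != v for k, v in cond["devicePolicy"].items()):
            return False
    if "requiredAccessLevels" in cond:
        if not all(level_met(n, ctx) for n in cond["requiredAccessLevels"]):
            return False
    return True

def level_met(name, ctx):
    # Conditions inside one level combine with AND (the API's default).
    return all(condition_met(c, ctx) for c in LEVELS[name]["conditions"])

def decide(assigned, ctx):
    """'allowed' if any assigned level is met (OR), else 'blocked'."""
    if len(assigned) > 10:
        raise ValueError("at most 10 access levels per app; nest more instead")
    for name in assigned:
        try:
            if level_met(name, ctx):
                return "allowed"
        except NoDeviceSignal:  # no endpoint data: this level cannot grant
            continue
    return "blocked"
```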