Control app access based on user and device context

Create Context-Aware access levels

The first step in setting up Context-Aware access is to create access levels that combine conditions and values that define a user or device context. Access levels define the context within which users can access apps.

For example, you can create an access level for accessing Gmail that requires users to connect from a specific IP address range and require their devices to be encrypted.  

Let’s say that Mary is using Gmail on her laptop in the corporate office and then walks to a nearby coffee shop where she plans to continue using Gmail. Because her IP address changed, she won’t be able to access Gmail at the coffee shop if you specify that users connect to Gmail from a corporate IP address range.

Step 1: Set up endpoint verification

If you enforce a device policy in an access level, you and your users have to set up endpoint verification. You enable endpoint verification in the Admin console.

Chrome Browser, the endpoint verification extension, and a native helper app (Mac and Windows only) must be installed on the computers you want to monitor.

Turn on endpoint verification

  1. Turn on Endpoint verification in the Admin console.
  2. Deploy the Chrome endpoint verification extension to company computers or tell your Mac and Windows users to manually install it from the Chrome Web Store.
  3. From the Admin console home page, go to Device Management > Endpoint management.
    You see a list of devices with the Chrome Endpoint Verification extension.

Upload your device inventory of company-owned devices

If you plan to enforce a device policy that requires company-owned devices, Google needs a list of serial numbers for your company-owned devices.

Follow the instructions in “Add devices to your inventory” under “Manage your inventory” in Inventory company-owned devices. They explain how to get a list of company-owned devices and how to add devices to the list.

Approve or block devices

If you plan to enforce a device policy that requires approved devices, first you have to approve or block devices using endpoint verification.

Step 2: Create an access level

Make sure Context-Aware Access is on

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security > Context-Aware Access.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Verify Context-Aware Access is “ON for everyone”. If not, click Turn On.
Define access levels

Access levels consist of one or more conditions that you define and which users must meet to access apps. Access level conditions contain attributes you can select, such as device policy, IP subnet, or another access level.

  1. Select Access levels.
    You see a list of defined access levels. Access levels are a shared resource between G Suite, Cloud Identity, and Google Cloud Platform (GCP), so you might see access levels you didn’t create in the list. To indicate which team created an access level, consider making the platform, such as “gcp,” part of the access level name.
  2. On the top right, select Create access level.
    You’ll define the access level by adding one or more conditions to it. Then define each condition by specifying one or more attributes.
  3. For the access level condition you add, specify if the condition applies when users:
    • Meet these conditions—Users must satisfy all the attributes in the condition.
    • Don’t meet these conditions—Users don’t meet any of the attributes in the condition.
      This option specifies the opposite of the condition and is most frequently used for IP subnet attributes. For example, if you specify an IP subnet and “don’t meet,” only users with IP addresses outside of the specified range will match the condition. 
  4. Click Add Attribute to add one or more attributes to the access level condition.
    Attributes and their options:
    IP subnet: An IPv4 or IPv6 address, or a routing prefix in CIDR block notation
    Device policy: Select one or more device policy options:
      Device password required (yes, no)
      Device encryption (not supported, not encrypted, encrypted)
      Windows policy (minimum OS version)
        Blank—Devices with any Windows OS version can access the app (default)
        - (hyphen)—All Windows OS versions are blocked; no Windows devices can access the app
      Mac OS policy (minimum OS version)
        Blank—Devices with any Mac OS version can access the app (default)
        - (hyphen)—All Mac OS versions are blocked; no Apple devices can access the app
      Chrome OS policy (minimum platform version)
        To find a device’s platform version, go to Settings > About Chrome OS > Detailed Build information > Platform (example: 11151.113.0)
        Blank—Devices with any Chrome OS version can access the app (default)
        - (hyphen)—All Chrome OS versions are blocked; no Chrome devices can access the app
      Verified Chrome OS (required, not required)
        If required, the Chrome device must be enrolled and have verified access.
      Company-owned device (required, not required)
        See “Upload your device inventory of company-owned devices” in step 1. If required, the Chrome device must be enrolled.
      Admin approval (required, not required)
        If required, the device must be approved.
    Geographic origin: Countries from which the user is accessing G Suite services
    Access level: An existing access level
  5. To add another condition to the access level, click Add condition and add attributes to it.
  6. Indicate the conditions users must meet:
    • And—Users must meet the first condition and the added condition.
    • Or—Users must meet only one of the conditions.
  7. When you’ve finished adding access level conditions, save the access level definition by selecting Create Access Level on the bottom right. Now you can assign this access level to apps.

Block a device type with the minimum OS device policy option

You can set the minimum OS device policy option to a specific operating system version, blank, or “-” (hyphen). Using “-”, you can selectively block all device access to an app from a specific device type. For example, you can block all Windows device access while allowing access from Mac devices and Chrome OS devices. 

If you set all OS versions (Windows, Mac OS, and Chrome OS) to “-”, the system ignores these settings when it evaluates the condition. Setting all OS versions to “-” has the same result as leaving all OS versions blank, which means that devices with any OS version can access the app.

Example 1

All Windows, Mac, and Chrome OS devices can access the app if the devices have a password.

Device password required = yes
Windows policy = -
Mac OS policy = -
Chrome OS policy = -

Example 2

Only Mac devices with a Mac OS version of 10.14.0 or later and a password can access the app. Windows and Chrome OS devices are blocked (even if they have a password).

Device password required = yes
Windows Policy = -
Mac OS policy = 10.14.0
Chrome OS policy = -
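The evaluation rules described above (conditions with meet / don’t meet, the AND / OR join, and the blank / “-” / version semantics of the minimum-OS policies, including the all-“-” edge case) as a small Python model. This is an added illustration, not Google’s implementation; the attribute keys and the device dictionary are assumptions constructed for the example.

```python
from ipaddress import ip_address, ip_network

def version_ok(minimum, actual):
    """Minimum-OS rule from the page: blank allows any version, '-' blocks the
    OS entirely, otherwise the device must run the minimum version or later."""
    if minimum == "":
        return True
    if minimum == "-":
        return False
    parse = lambda v: tuple(int(x) for x in v.split("."))
    return parse(actual) >= parse(minimum)

def device_policy_ok(policy, device):
    """policy: device-policy attributes as named on the page; device: constructed state."""
    if policy.get("password_required") == "yes" and not device["has_password"]:
        return False
    if "encryption" in policy and device["encryption"] != policy["encryption"]:
        return False
    if policy.get("company_owned") == "required" and not device["company_owned"]:
        return False
    if policy.get("admin_approval") == "required" and not device["approved"]:
        return False
    mins = {os: policy.get(os, "") for os in ("windows", "mac_os", "chrome_os")}
    # Edge case from the page: all three OS policies set to '-' are ignored,
    # which is the same as leaving them all blank.
    if all(v == "-" for v in mins.values()):
        mins = dict.fromkeys(mins, "")
    return version_ok(mins[device["os"]], device["os_version"])

def condition_ok(cond, ctx):
    """'meet' needs every attribute to match; 'dont_meet' needs none to match."""
    results = []
    if "ip_subnet" in cond:
        results.append(ip_address(ctx["ip"]) in ip_network(cond["ip_subnet"]))
    if "device_policy" in cond:
        results.append(device_policy_ok(cond["device_policy"], ctx["device"]))
    if "countries" in cond:
        results.append(ctx["country"] in cond["countries"])
    if "access_level" in cond:  # an existing access level used as an attribute
        results.append(access_level_ok(cond["access_level"], ctx))
    return all(results) if cond.get("mode", "meet") == "meet" else not any(results)

def access_level_ok(level, ctx):
    """Join conditions with AND (all must hold) or OR (any one is enough)."""
    outcomes = [condition_ok(c, ctx) for c in level["conditions"]]
    return all(outcomes) if level.get("join", "AND") == "AND" else any(outcomes)
```

Encoding Example 1, Example 2 and the “corp_access” sample as `level` dictionaries and feeding them a constructed request context reproduces the allow / block outcomes the text gives for each.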

Sample access level

This example shows an access level called “corp_access.” If “corp_access” is applied to Gmail, users can access Gmail only from an encrypted and company-owned device, and only from the US or Canada.

Access level name: corp_access

Condition 1
  A user gets access if they: Satisfy all the attributes in the condition
  Attribute: Device policy
    Device encryption = encrypted
    Company-owned device = required

Join condition 1 and condition 2 with AND

Condition 2
  A user gets access if they: Satisfy all the attributes in the condition
  Attribute: Geographic origin
    Countries = US, Canada


For more examples, see Context-Aware Access examples.

What's next: assign access levels to apps
