Beta: Context-Aware Access overview

This feature is available in the G Suite Enterprise, Cloud Identity Premium, and G Suite Enterprise for Education editions.

Using Context-Aware Access, you can create granular access control policies for apps based on attributes such as user identity, device security status, and IP address.

Context-Aware Access gives you control over which apps a user can access based on their context, such as their location or whether their device complies with your IT policy.

You can still set access policies, such as 2-Step Verification, for all members of an organizational unit. Context-Aware Access provides additional granular and contextual controls for those users.

Context-Aware Access sample use cases

You can use Context-Aware Access when you want to:

  • Allow access to apps only from company-issued devices.
  • Allow access to Drive only if a user's device storage is encrypted.
  • Restrict access to apps from outside the corporate network.

You can also combine more than one use case into a policy. For example, you could create an access level that requires app access from devices that are company-owned, encrypted, and meet a minimum OS version.

Context-Aware Access support

Licenses

You can apply Context-Aware Access policies only to users who have one of these licenses:

  • G Suite Enterprise
  • Cloud Identity Premium
  • G Suite Enterprise for EDU

Users with any other type of license (such as G Suite Basic or G Suite Business) can access apps as usual—even if you apply a Context-Aware Access policy to all users in the same organizational unit.

Apps

You can apply Context-Aware Access policies to:

  • Gmail
  • Drive and Docs (includes Sheets, Slides, and Forms)
  • Calendar
  • Keep

You can’t enforce Context-Aware policies on:

  • Mobile apps, such as the Gmail app or the Apple Mail app
  • Desktop apps, such as Drive File Stream

Platform requirements

Platform requirements vary by the type of Context-Aware policy you define.

IP policy

An IP policy specifies an IP address range from which a user can connect to an app.

  • Device type—Desktop, laptop, or mobile device
  • Operating system—Mac, Windows, Chrome
  • Access—Web browser only
  • Software—Any browser

Device policy

A device policy specifies characteristics about the device from which a user accesses an app, such as whether the device is encrypted or requires a password.

  • Device type—Desktop only
  • Operating system—Mac, Windows, Chrome
  • Access—Web browser only
  • Software—Chrome web browser, Chrome Endpoint Verification extension

Admin requirements

Context-Aware Access policies can be set by these admins:

  • Super admin
  • Delegated admin with all of these privileges:
    • Security>Security Settings
    • Services>Service Settings
    • Context Aware Access>Access level management
    • Context Aware Access>Access level enforcement

User experience

When a user tries to access an app and that user doesn’t meet the access level conditions, they see a message that tells them to talk to their admin about getting access.

For example, if you’ve defined a device policy for Gmail access, and a user tries to access Gmail from the Safari browser on a Mac or iPhone, they will see this message. That’s because device policies allow users to access apps only from the Chrome browser and only from desktops or laptops (not mobile devices).
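The rules on this page can be modeled as a small decision function to check which requests a policy actually covers before you roll it out. This is an added example, not Google's code or API: the Request fields, the evaluate function and the decision strings are hypothetical, and the IP addresses are constructed documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

# Values below come from this page; every class, field and function name is hypothetical.
ELIGIBLE_LICENSES = {"G Suite Enterprise", "Cloud Identity Premium",
                     "G Suite Enterprise for EDU"}
COVERED_APPS = {"Gmail", "Drive and Docs", "Calendar", "Keep"}

@dataclass
class Request:
    license_type: str
    app: str
    client: str             # "web", "mobile_app" or "desktop_app"
    ip: str
    browser: str = ""       # e.g. "Chrome", "Safari"
    device_type: str = ""   # "desktop", "laptop" or "mobile"
    endpoint_verification: bool = False
    company_owned: bool = False
    encrypted: bool = False

def evaluate(req, ip_ranges=(), device_policy=False):
    """Return (decision, reason) for one request against one access level."""
    # Users on other licenses access apps as usual, even in a targeted org unit.
    if req.license_type not in ELIGIBLE_LICENSES:
        return "not_enforced", "license not covered"
    if req.app not in COVERED_APPS:
        return "not_enforced", "app not covered"
    # Policies are enforced for web browser access, not mobile or desktop apps.
    if req.client != "web":
        return "not_enforced", "non-browser client"
    if ip_ranges:
        addr = ipaddress.ip_address(req.ip)
        if not any(addr in ipaddress.ip_network(r) for r in ip_ranges):
            return "blocked", "IP outside allowed ranges"
    if device_policy:
        # Per this page, device policies allow access only from Chrome with the
        # Endpoint Verification extension, on desktops or laptops.
        if (req.browser != "Chrome" or not req.endpoint_verification
                or req.device_type not in ("desktop", "laptop")):
            return "blocked", "client does not meet device policy platform requirements"
        if not (req.company_owned and req.encrypted):
            return "blocked", "device not company-owned and encrypted"
    return "allowed", "all conditions met"

if __name__ == "__main__":
    # Constructed request: Safari on a Mac laptop against a device policy for Gmail.
    safari = Request("G Suite Enterprise", "Gmail", "web", "198.51.100.10",
                     browser="Safari", device_type="laptop")
    print(evaluate(safari, device_policy=True))
```

The "not_enforced" results are the ones to review: they mark users and clients that keep their usual access even though the policy is applied to their organizational unit.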

What's next: create access levels
