Set up third-party partner integrations

From Google

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to  Menu  Devices > Mobile & endpoints > Settings > Third-party integrations.
3. Click Security and MDM partners.
4. Next to Partners, click Manage.
5. In the row for the partner, confirm that the available action is Close connection. If the action is Open connection, click it and follow the instructions in Step 1: Connect to the BeyondCorp Alliance partner.

From the partner

Review the partner's documentation and confirm that the partner service is ready for integration.

Make sure the connection is set up for the user. Connections are enabled by organizational unit and work only for users in organizational units that have the connection enabled.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to  Menu  Devices > Mobile & endpoints > Settings > Third-party integrations.
3. Click Security and MDM partners.
4. At the left, click the organizational unit the user belongs to.
5. Next to Security and MDM partners, review the app integrations enabled for that organizational unit.
6. If the integration isn't listed, click Security and MDM partners and check the box next to the partner. If the partner isn't listed, you must first open the connection. For instructions, see Step 1: Connect to the BeyondCorp Alliance partner.

Integration partners send data about a user's device to Google. You can confirm that Google is getting that data in your Admin console.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to  Menu  Devices > Mobile & endpoints > Devices.
3. Find the user's device. To filter the list, enter their email address in the search bar and add a filter by device type.
4. Click the device to open its details page.
5. Find the Third party services section. If you can't find it, then the partner connection might not be configured correctly. Review the first two troubleshooting steps.
6. Find the row for the partner service and confirm that the values for Health score, Managed state, and Compliance state aren't Unspecified. If the values aren't what you expect, contact the partner for support.

1. In the Google Cloud console, go to the Access Context Manager.
2. Find the custom access level and confirm the following:
   1. The conditions use the correct third-party name. This name is specified in the third-party documentation.
   2. The conditions use a value that matches the value received from the third-party.

If these aren't correct, review how to use service status data in context-aware access levels.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Security > Access and data control > Context-Aware Access.

   Requires the Data security access level and rule management privileges and the Admin API groups and users read privileges.

3. Click Assign, then Assign access levels.
   You see a list of apps.
4. Review which apps and services the custom access level is applied to.

In some cases, enrolling devices with a third-party service partner can result in duplicate entries for the same device in the Admin console. This in turn can cause Context-aware access rules to incorrectly block a managed device from accessing Google services.

Follow these steps to remove duplicate devices:

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Directory > Users.
3. Locate the user of the duplicate device, then click the user name to open the User details page.
4. On the Security tab, click Connected applications.
5. Delete all listed applications.

On the user device:

6. Sign out from and remove all Google accounts.
7. In Safari, go to the web page for a Google service (for example, gmail.com), and verify that the user is not signed in.
8. Reinstall and sign in to a Google application, such as Gmail or Drive. (Don’t access a Google application through its web page on Safari.)

   Context-aware access rules will block access to the Google app, and display a link to resolve the app blocking.

9. Click the remediation link, then follow steps to re-enroll the device to the service partner.
10. Close and reopen the Google service. Access should no longer be blocked.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to  Menu  Devices > Mobile & endpoints > Settings > Third-party integrations.
3. Click Security and MDM partners.
4. (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
5. Uncheck the box for the partner you want to disable.
6. Click Save. Or, you might click Override for an organizational unit.

   To later restore the inherited value, click Inherit. 

1. Sign in with a super administrator account to the Google Admin console.

   If you aren’t using a super administrator account, you can’t complete these steps.

2. Go to  Menu  Devices > Mobile & endpoints > Settings > Third-party integrations.
3. Click Security and MDM partnersManage.
4. In the row for the partner, click Close connection. The partner's services no longer applies to any devices in your organization, and the partner doesn't show as an option to enable.

If you close and reopen the connection to a partner, the partner's service is automatically re-enabled for any organizational units that had the partner enabled.