Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Cloud Identity Premium.
As an administrator, you can integrate supported third-party partners (those that are part of the BeyondCorp Alliance) with Google endpoint management in the Google Admin console. These integrations allow you to use unified endpoint management (UEM) providers and mobile threat defense services in conjunction with your Google Workspace, Cloud Identity, and Identity-Aware Proxy-protected Google Cloud services. After you create a connection and enable the service for an organizational unit, the third-party service can send details about devices, which you can review in the device inventory and use in Context-Aware Access rules.
Note: Google is not responsible for the accuracy of device data generated by third-party partners. Data provided to Google by the third-party partner is stored as-is. Any inaccuracies or personally identifiable information (PII) reported by the third-party partner are the sole responsibility of the partner.
When you create a connection to the third-party service, the service is available for all organizational units in your organization. However, the third-party service doesn't apply until you enable it for an organizational unit.
BeyondCorp Alliance Partners
- Check Point
- CrowdStrike
- Jamf
- Lookout
- Microsoft Intune (desktop devices only)
- Omnissa
Requirements
- For mobile devices, set up basic mobile management or turn on advanced mobile management. If you're not sure which one to use, ask your third-party partner.
- For computers, turn on endpoint verification.
Step 1: Connect to the BeyondCorp Alliance partner
- Sign in with a super administrator account to the Google Admin console.
  If you aren’t using a super administrator account, you can’t complete these steps.
- Click Security and MDM partners > Manage.
- In the row for the partner you want to connect to, click Open connection.
- Complete the connection process in the partner's website when it opens:
  - If you already have a subscription with that partner, the partner confirms the connection.
  - If you don't have a subscription, you might be directed to set one up.
- In your Admin console, close the Manage partner connections dialog to return to the setting page. The connected partner now appears in the list.
Step 2: Enable the partner's services for an organizational unit
Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.
- Sign in with an administrator account to the Google Admin console.
  If you aren’t using an administrator account, you can’t access the Admin console.
- Click Security and MDM partners.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- Check the box for the partner whose service you want to enable. You can select more than one.
- Click Save. Or, you might click Override for an organizational unit.
  To later restore the inherited value, click Inherit.
The partner's service is now applied to accounts in the selected organizational unit.
Step 3: Use service status data in context-aware access levels
Each service sends Google data about devices, which you can use to define context-aware access levels.
Note: For context-aware access levels based on third-party service status to apply to iOS device users, iOS users must be signed in to a Google app other than Chrome Browser (such as YouTube or Gmail) with their work or school account.
- Find out what values the third-party service sends to Google by reviewing the service's documentation.
- In the Google Cloud console, set up a custom access level based on the partner values. For instructions, see Creating a custom access level.
  For the step when you enter Conditions, you enter a device.vendors attribute that corresponds to a status value. For example, device.vendors["some_vendor"].data["status_value"] == true, where some_vendor is the partner name (Checkpoint or Lookout) and status_value is the status key defined by the partner. For details, refer to the vendors section of this reference table.
- Assign Context-Aware access levels to apps.
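A pre-deployment check for the Conditions expression described in this step, added here as an example (not Google's code or tooling): it extracts each device.vendors reference and compares the partner name and status key, exactly as written, against lists you supply. The function name and the sample lists are constructed, and status_value is the page's placeholder rather than a real partner key.

```python
import re

# Matches device.vendors["<vendor>"] with an optional .data["<key>"] suffix.
VENDOR_REF = re.compile(
    r'device\.vendors\[\s*(?P<q1>["\'])(?P<vendor>[^"\']+)(?P=q1)\s*\]'
    r'(?:\.data\[\s*(?P<q2>["\'])(?P<key>[^"\']+)(?P=q2)\s*\])?'
)


def check_expression(expression, connected_vendors, documented_keys):
    """Return a list of findings for one access-level condition (empty = OK)."""
    findings = []
    refs = list(VENDOR_REF.finditer(expression))
    if not refs:
        findings.append("no device.vendors reference found")
    for ref in refs:
        vendor, key = ref.group("vendor"), ref.group("key")
        if vendor not in connected_vendors:
            # Exact comparison: a case difference is reported as a likely typo.
            near = [v for v in connected_vendors if v.lower() == vendor.lower()]
            hint = f" (did you mean {near[0]!r}?)" if near else ""
            findings.append(f"vendor {vendor!r} is not a connected partner{hint}")
        elif key is not None and key not in documented_keys.get(vendor, set()):
            findings.append(f"key {key!r} is not documented for {vendor!r}")
    return findings


# Constructed inputs: the partners connected in Step 1 and enabled in Step 2,
# and the status keys taken from each partner's documentation.
CONNECTED = {"Lookout"}
KEYS = {"Lookout": {"status_value"}}

if __name__ == "__main__":
    samples = [
        'device.vendors["Lookout"].data["status_value"] == true',
        'device.vendors["lookout"].data["status_value"] == true',
        'device.vendors["Lookout"].data["status_valu"] == true',
    ]
    for expr in samples:
        print(expr, "->", check_expression(expr, CONNECTED, KEYS) or "OK")
```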
Troubleshoot a third-party service integration
If the integration doesn't work as expected, go through the following steps to identify the problem.
Change third-party service integration settings
Changes can take up to 24 hours but typically happen more quickly.