Set up third-party partner integrations

Supported editions for this feature: Enterprise; Education Plus; Cloud Identity Premium.

As an administrator, you can integrate supported third-party partners (those that are part of the BeyondCorp Alliance) with Google endpoint management in Google Admin console. These integrations allow you to use unified endpoint management (UEM) providers and mobile threat defense services in conjunction with your Google Workspace, Cloud Identity, and Identity-Aware Proxy-protected Google Cloud Platform services. After you create a connection and enable the service for an organizational unit, the third-party service can send details about the devices that you can review in the device inventory and use in Context-Aware Access rules.

When you create a connection to the third-party service, the service is available for all organizational units in your organization. However, the third-party service doesn't apply until you enable it for an organizational unit.

Available partners

BeyondCorp Alliance partners

  • Check Point
  • Lookout

Requirements

To apply third-party services to devices:

Step 1: Connect to the BeyondCorp Alliance partner

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Settings > Third-party integrations > Security and MDM partners > Manage.
  4. In the row for the partner you want to connect to, click Open connection. The partner's website opens.
    • If you already have a subscription with that partner, the provider will confirm the connection.
    • If you don't have a subscription, you might be directed to set one up.
  5. Close the Manage partner connections dialog to return to the setting page. The connected partner now appears in the list.

Step 2: Enable the partner's services for an organizational unit

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Settings > Third-party integrations > Security and MDM partners.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Check the box for the partner whose service you want to enable. You can select more than one.
  6. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

The partner's service is now applied to accounts in the selected organizational unit.

Changes typically take effect in minutes, but can take up to 24 hours. For details, see How changes propagate to Google services.  

Step 3. Use service status data in context-aware access levels

Each service sends Google data about devices, which you can use to define context-aware access levels.

Note: For context-aware access levels based on third-party service status to apply to iOS device users, iOS users must be signed in to a Google app other than Chrome Browser (such as YouTube or Gmail) with their work or school account.

  1. Find out what values the third-party service sends to Google by reviewing the service's documentation.
  2. In Cloud Console, set up a custom access level based on the partner values. For instructions, see Creating a custom access level.

    For the step when you enter Conditions, you enter a device.vendors attribute that corresponds to a status value. For example, device.vendors["some_vendor"].data["status_value"] == true, where some_vendor is the partner name (Checkpoint or Lookout) and status_value is the status key defined by the partner. For details, refer to the vendors section of this reference table.

  3. Assign Context-Aware access levels to apps.
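As an added example that is not part of this article, the following is a custom level spec file for creating the access level from step 2 with gcloud instead of the Cloud Console. The vendor name follows the article (Lookout); STATUS_KEY is a placeholder for the status key you look up in the partner's documentation, POLICY_ID is a placeholder for your access policy, and the level name partner_compliant is made up here.

```yaml
# Custom access level spec (constructed example, not from this article).
# The vendor name is the partner name the article gives ("Checkpoint" or
# "Lookout"); STATUS_KEY is a placeholder for the status key documented by
# the partner. The second clause shows how partner data can be combined
# with a Google-provided device attribute so that a device must satisfy
# both checks to match the level.
expression: >-
  device.vendors["Lookout"].data["STATUS_KEY"] == true &&
  device.encryption_status == DeviceEncryptionStatus.ENCRYPTED

# Create the level from this file, then assign it to apps in the Admin
# console as described in step 3 (POLICY_ID is a placeholder):
#   gcloud access-context-manager levels create partner_compliant \
#     --policy=POLICY_ID \
#     --title="Partner reports device compliant" \
#     --custom-level-spec=spec.yaml
```

If a device's Third party services row in the device details page shows Unspecified for the value the expression tests, the level will not match that device, which is what troubleshooting step 3 below checks.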

Troubleshoot a third-party service integration

If the integration doesn't work as expected, go through the following steps to identify the problem.


1. Verify the connection from Google and from the partner

From Google

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Settings > Third-party integrations > Security and MDM partners.
  4. Next to Partners, click Manage.
  5. In the row for the partner, confirm that the available action is Close connection. If the action is Open connection, click it and follow the instructions in Step 1: Connect to the BeyondCorp Alliance partner.

From the partner

Review the partner's documentation and confirm that the partner service is ready for integration.

2. Make sure the user belongs to an organizational unit with the connection enabled

Make sure the connection is set up for the user. Connections are enabled by organizational unit and work only for users in organizational units that have the connection enabled.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Settings > Third-party integrations.
  4. At the left, click the organizational unit the user belongs to.
  5. Next to Security and MDM partners, review the app integrations enabled for that organizational unit.
  6. If the integration isn't listed, click Security and MDM partners and check the box next to the partner. If the partner isn't listed, you must first open the connection. For instructions, see Step 1: Connect to the BeyondCorp Alliance partner.

3. Verify Google is getting the user's device data from the third-party service

Integration partners send data about a user's device to Google. You can confirm that Google is getting that data in your Admin console.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. At the left, click Devices.
  4. Find the user's device. To filter the list, enter their email address in the search bar and add a filter by device type.
  5. Click the device to open its details page.
  6. Find the Third party services section. If you can't find it, then the partner connection might not be configured correctly. Review the first two troubleshooting steps.
  7. Find the row for the partner service and confirm that the values for Health score, Managed state, and Compliance state aren't Unspecified. If the values aren't what you expect, contact the partner for support.

4. Verify the custom access level is defined correctly

  1. In Cloud Console, go to the Access Context Manager.
  2. Find the custom access level and confirm the following:
    1. The conditions use the correct third-party name. This name is specified in the third-party documentation.
    2. The conditions use a value that matches the value received from the third-party.

If these aren't correct, review how to use service status data in context-aware access levels.

5. Verify that the custom access level is applied to the correct Google Workspace service or Google Cloud resource

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security > Context-Aware Access.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Click Assign, then Assign access levels.
    You see a list of apps.
  4. Review which apps and services the custom access level is applied to.

Change third-party service integration settings

Disable a partner for an organizational unit

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Third-party integrations > Security and MDM partners.
  4. Click the organizational unit you want to update.
  5. Uncheck the box for the partner you want to disable.
  6. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Disconnect a partner

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. Click Third-party integrations > Security and MDM partners > Manage.
  4. In the row for the partner, click Close connection. The partner's service no longer applies to any devices in your organization, and the partner no longer shows as an option to enable.

If you close and reopen the connection to a partner, the partner's service is automatically re-enabled for any organizational units that had the partner enabled.

Changes typically take effect in minutes, but can take up to 24 hours. For details, see How changes propagate to Google services.  
