No-brainer for Every Google Workspace Admin: Context-Aware Access

Brian Kim
3 min read · Feb 14, 2021

This is the second post in the No-brainer for Every Google Workspace Admin series. See the first post below for more information on some of the prerequisites.

Do you have concerns about users accessing corporate data from unmanaged devices or using unsupported browsers, or would you like to ensure that everyone signs into Chrome regardless of what device they might be using? Context-Aware Access (CAA) can help. It is available on Enterprise Standard, Enterprise Plus, and Cloud Identity Premium.

Platform requirements for device policies outline that it requires two things:
1. Chrome Browser (macOS, Windows, ChromeOS)
2. Endpoint Verification Chrome Extension

If you have any users that may be using Linux, you would want to exclude them in the later step.

First, you would want to create an access level using a device policy.

You can then assign the access level to a group or an organizational unit. You can pick and choose the core Google Workspace applications, as well as any SAML applications that you configure.

If you use groups to enforce the CAA policies, you can use existing groups, or create configuration groups. If you use configuration groups, Google has some recommendations on naming conventions. At the time of writing, security groups and dynamic groups cannot be used as configuration groups, but nesting inside an admin-created group may work.

Once the policy has been configured and the group members added, users who are on a supported browser and have the Endpoint Verification extension installed (force-installed on browser sign-in) will be able to continue using the services. Users on unsupported browsers, however, will be met with an error message, which is customizable.

Google recommends a three-step approach:
1. Discover (force-install Endpoint Verification for all users)
2. Remediate (identify users and proactively reach out to them to use Chrome and sign in)
3. Enforce (turn on enforcement by OU or group)
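
A sketch of the triage behind the Remediate step, added here as an example and not taken from the original post or from Google: it sorts a device inventory into users who are ready for enforcement, users to contact (with the reason), and users to exclude because they are on a platform the device policy does not support, such as Linux. The inventory and its column names are constructed for illustration and do not match any specific Google Workspace export; flagging a user when any one of their devices falls short is an assumption of this example.

```python
import csv
import io
from collections import defaultdict

# Platforms the post lists as supported for device policies.
SUPPORTED_OS = {"macos", "windows", "chromeos"}

# Constructed sample inventory; the column names are hypothetical and do not
# correspond to any specific Google Workspace export format.
SAMPLE_INVENTORY = """\
user,os,browser,endpoint_verification
alice@example.com,macOS,Chrome,yes
bob@example.com,Windows,Firefox,no
carol@example.com,Linux,Chrome,no
dave@example.com,Windows,Chrome,no
alice@example.com,Windows,Edge,no
erin@example.com,ChromeOS,Chrome,yes
"""

def device_gaps(row):
    """Return the list of requirements this device does not meet."""
    os_name = row["os"].strip().lower()
    if os_name not in SUPPORTED_OS:
        return ["unsupported_os"]
    gaps = []
    if row["browser"].strip().lower() != "chrome":
        gaps.append("needs_chrome")
    if row["endpoint_verification"].strip().lower() != "yes":
        gaps.append("needs_endpoint_verification")
    return gaps

def triage(inventory_csv):
    """Split users into ready, remediate (with reasons) and exclude sets."""
    gaps_by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        gaps_by_user[row["user"].strip().lower()].update(device_gaps(row))
    result = {"ready": [], "remediate": {}, "exclude": []}
    for user, gaps in sorted(gaps_by_user.items()):
        if "unsupported_os" in gaps:
            result["exclude"].append(user)  # keep out of the enforced group
        gaps = sorted(gaps - {"unsupported_os"})
        if gaps:
            result["remediate"][user] = gaps  # outreach list with reasons
        elif user not in result["exclude"]:
            result["ready"].append(user)
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Only the users in the ready bucket can be moved into an enforced group or OU without hitting the block page; the remediate bucket is the outreach list.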

Using Chrome browser with Google Workspace has additional benefits, such as Chrome Browser Cloud Management and BeyondCorp Data and Threat Protection, which I will write about in greater detail in future posts.

Brian Kim

Brian is a Google-certified Collaboration and Security Engineer. You can find him hanging out in SaaSOps or MacAdmins Slack.