Use Google Workspace to Restrict Access to Apps Outside of Venn’s Blue Border

Google Workspace’s Context-Aware Access feature can be used to restrict access to Google Suite applications (e.g., Google Drive, Gmail, and Google Calendar). Access for Google apps is evaluated continuously after access is granted.

Context-Aware Access can be used to restrict access to any other third-party apps that use Google as the Identity Provider. For example, if your users log in to Zoom with their Google credentials, you can restrict access to Zoom using the Context-Aware Access feature. Access for SAML apps is evaluated on sign-in.

License Requirements

Visit this Google resource to learn more about license requirements.

To use the Google Workspace Context-Aware Access feature, you must have one of the following Google Workspace editions:

  • Frontline Standard
  • Enterprise Standard, Enterprise Plus
  • Enterprise Essentials Plus
  • Education Standard or Education Plus
  • Cloud Identity Premium

Frontline Starter, Education Fundamentals, Essentials Starter, Essentials, Enterprise Essentials, all Business editions, and Google Workspace for Nonprofits do not include Context-Aware Access. Find out what edition you have.

Approach

  1. Create an Access level in Google Workspace for your PCG IP addresses (instructions here).
    • Set the access level to “Meet attributes.”
    • Add an IP subnet attribute that contains your PCG IP addresses.
  2. Assign Context-Aware Access levels to apps in Google so that Venn users can access the apps you want to restrict only when they are connecting from a PCG IP address, and are blocked when they are not (instructions here).
    • Select the organizational unit or group you want the restriction to apply to.
    • Select the app or apps you want to restrict access to.
    • Select the Access level you created in step 1.
    • Leave the Access level in “Monitor” mode.
    • Set the access to block users from accessing Google apps if access levels aren’t met.
  3. Once you have assigned the access level, check to make sure it works as intended before changing it to “Active” (instructions here).
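
To support the check in step 3, the sketch below classifies access events recorded while the access level is in “Monitor” mode and lists which users would be blocked once it is “Active.” It is an added example, not Venn or Google code; the subnets, the app selection, and the event field names are constructed assumptions, not a Google log schema.

```python
import ipaddress

# Constructed placeholders (documentation address space); use your PCG IP addresses.
PCG_SUBNETS = ["203.0.113.0/28", "2001:db8:10::/64"]
ENFORCED_OS = {"windows", "mac"}              # Device OS attribute (see Warnings)
RESTRICTED_APPS = {"Drive", "Gmail", "Zoom"}  # assumed app selection for step 2

def meets_access_level(ip, subnets=PCG_SUBNETS):
    """True if ip is inside any PCG subnet (the IP subnet attribute)."""
    addr = ipaddress.ip_address(ip)
    # Some logs record IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in ipaddress.ip_network(s) for s in subnets)

def evaluate(event):
    """Classify one access event as not_in_scope, allow or would_block."""
    if event["app"] not in RESTRICTED_APPS:
        return "not_in_scope"  # e.g. Admin console, deliberately left unassigned
    if event["os"].lower() not in ENFORCED_OS:
        return "not_in_scope"  # iOS/Android excluded when not using Venn's MDM
    return "allow" if meets_access_level(event["ip"]) else "would_block"

def monitor_report(events):
    """Group the events that Active mode would block, keyed by user."""
    blocked = {}
    for e in events:
        if evaluate(e) == "would_block":
            blocked.setdefault(e["user"], []).append((e["app"], e["ip"]))
    return blocked

# Constructed sample events; the field names are hypothetical.
SAMPLE_EVENTS = [
    {"user": "alice", "app": "Drive", "ip": "203.0.113.5", "os": "Windows"},
    {"user": "bob", "app": "Gmail", "ip": "198.51.100.7", "os": "Mac"},
    {"user": "carol", "app": "Zoom", "ip": "::ffff:203.0.113.9", "os": "Windows"},
    {"user": "dave", "app": "Gmail", "ip": "198.51.100.20", "os": "iOS"},
    {"user": "erin", "app": "Admin console", "ip": "198.51.100.30", "os": "Mac"},
    {"user": "frank", "app": "Drive", "ip": "2001:db8:10::42", "os": "mac"},
    {"user": "bob", "app": "Drive", "ip": "203.0.113.16", "os": "Mac"},  # just outside the /28
]

if __name__ == "__main__":
    for user, hits in monitor_report(SAMPLE_EVENTS).items():
        print(user, hits)
```

Users who appear in the report are the exceptions to resolve (or onboard to Venn) before switching the access level to “Active.”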

Warnings

  • Do not assign the access levels to key admin tools like the Google Admin console and Apple Business Manager in order to avoid locking out administrators.
  • If Google Workspace is your Venn IdP, do not assign the access levels to the custom Venn app that you created in the Admin console in order to avoid blocking users from being able to log in to Venn’s Workplace app.
  • If you are not using Venn’s MDM solution, you should only apply this restriction to devices that users will be using Venn on (Windows and/or Mac), not iOS or Android devices. You can add a Device OS attribute when creating your Access level.
  • Keep in mind that there may be use cases and exceptions that you are not aware of, or there may be individuals at your organization who were not fully onboarded to Venn.

Tips

  • If Google is set up as your Venn IdP, consider assigning the access level to the same organizational unit(s) that you use to assign access to Venn’s Workplace app.
  • If Google is set up as your Venn IdP, Context-Aware Access can be used to restrict access to any third-party SAML apps that use Google as the Identity Provider. Consider setting up Google SSO for key business applications so that you can improve ease of access for your users and restrict access outside of Venn’s Blue Border (instructions here).
