Control access to apps based on user & device context

Apply recommended access levels

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

If you do not already use Context-Aware Access, you can apply predefined access levels that are tailored to your organization. If we detect gaps in your organization’s security, we give you insights and recommendations that prevent risky devices from accessing sensitive data. For example, we might recommend that you set up an access level to block outdated Android devices. Super administrators get an email every 90 days with access level recommendations for securing access to your organization’s data.

Before you begin

Desktop devices that don’t have endpoint verification installed might not be recognized by Google Workspace. Make sure that desktop users install endpoint verification to avoid being inadvertently blocked. For details, see Set up endpoint verification.

Step 1: Try recommended access levels

You can try access levels in monitor mode first to check the effects of enforcing an access level without blocking user access.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAccess and data controland thenContext-Aware Access.
  3. Verify that Context-Aware Access is on. If it's off, click Turn On.
  4. Click View recommendations.
  5. Find a recommendation to address and click Review recommendation
  6. Review the access level details. If you want to make changes, click Edit, make your changes, and click Save.
  7. Click Assign.

The access level is assigned to the organizational unit and Google Workspace apps that were specified in the access level details.

Step 2: Review access-level assignments in monitor mode

  • You can review logs that specify users who will lose access if the recommended access level is assigned in Active mode. Learn more
  • If necessary, you can make changes to the access level. Learn more

Step 3: Activate recommended access levels

Recommended access levels are set to Monitor mode by default. This ensures that you don’t inadvertently block users when you turn on an access level. To start applying it, change the access level to Active mode.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAccess and data controland thenContext-Aware Access.
  3. Under Assign Access Levels, click View all assignments in Monitor mode.
  4. Find the access level, and select Edit assignment from the Actions list. 
  5. Uncheck the Monitor box and check the Active box. 
  6. Click Continue and make any other changes to the access-level settings.
  7. Click Continueand thenAssign.

Related topics

 

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
Contact us Tell us more and we’ll help you get there
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Main menu
12701993887706176052
true
Search Help Center
true
true
true
true
true
73010
false
false