This example shows you how to create a Context-Aware Access level to support an IP address enforcement policy for your enterprise, and then assign this policy to apps.
Note: If you are a Workspace-only user, we recommend that you do not add or modify Context-Aware Access access levels using the Google Cloud Platform (GCP) console. Doing so can cause this error: "Unsupported attributes are being used on Google Workspace and blocked users."
- Sign in to your Google Admin console using your administrator account (one that does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Access and data control > Context-Aware Access.
- Select Access levels.
- Click Create access level.
- Add an access level name (for this example, a name like IP address enforcement) and an optional description.
- Select Meet attributes. This means that users must satisfy the attributes in the condition to be able to access apps.
- Click Add Attribute to create an access level condition. Basic mode is selected by default.
- Select IP subnet and add an IP address. This is an IPv4 or IPv6 address or routing prefix in CIDR block notation.
  - Private IP addresses are not supported (including users' home networks).
  - Static IP addresses are supported.
  - To use a dynamic IP address, you must define a static IP subnet for the access level. If you know the range the dynamic IP address is drawn from, and the static IP subnet defined in the access level covers that whole range, access is granted. Access is denied whenever the dynamic IP address falls outside the defined static IP subnet.
- Click Save. Now you can assign this access level to apps.
- Click Assign to apps. This link appears right after you create an access level. If you want to assign the access level later, navigate to Security > Access and data control > Context-Aware Access, and select Assign Access levels.
- Select an organizational unit. The users in this organizational unit are the users who have access to the apps you specify, and at the level defined in the access level you created. For example, select Europe OU to give access to a group of European users.
- Choose apps for users to access. For example, Drive and Docs, Gmail, and Google Chat.
- Click Assign. You may have to scroll to see the Assign button for the app you want. Be sure to assign the access level to the correct app. Be sure not to assign the access level to the Admin console.
- Select the access level to use. In this case, IP address enforcement.
  You can select more than one access level, if you need to. Users are granted access to the app when they meet the conditions specified in just one of the access levels you select (it's a logical OR of the access levels in the list).
  If you want users to meet the conditions in more than one access level (a logical AND of access levels), create an access level that contains multiple access levels.
  Note: Leave the Apply to Google desktop and mobile apps box checked.
- Click Save. Note that if an access level is assigned to an organizational unit or group with a large number of users, it can take up to 24 hours for the access level assignment to show up.
- To ensure proper assignment, look for:
  - A grey spot next to the organizational unit name.
  - The name of the access level listed for the app.
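As an added illustration, not code from this Help Center article or from any Google tool, the following Python models the evaluation rules the steps above describe: parsing the IP subnet condition in CIDR notation, rejecting private address space, checking that a dynamic address range is fully covered by the static subnet, and the OR/AND semantics of assigning several access levels to an app. The private-range list and the sample subnets (documentation ranges standing in for office and VPN egress) are assumptions constructed for this example.

```python
import ipaddress

# Private / home-network space the IP subnet condition does not accept (assumed list for this example).
UNSUPPORTED_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]

def validate_subnet(cidr):
    """Parse one IP subnet value (address or CIDR prefix); reject private space."""
    net = ipaddress.ip_network(cidr, strict=False)
    for bad in UNSUPPORTED_RANGES:
        if net.version == bad.version and net.overlaps(bad):
            raise ValueError(f"{cidr} is private address space; not supported")
    return net

def is_supported_subnet(cidr):
    try:
        return validate_subnet(cidr) is not None
    except ValueError:
        return False

def build_access_level(name, cidrs):
    """An access level whose 'Meet attributes' condition is one or more IP subnets."""
    return {"name": name, "subnets": [validate_subnet(c) for c in cidrs]}

def meets_level(level, client_ip):
    """A static client address meets the level when it lies in one of its subnets."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in level["subnets"])

def covers_dynamic_range(level, dynamic_cidr):
    """Dynamic addresses only work when the level's static subnet contains the
    whole range they are drawn from; otherwise some leases will be denied."""
    dyn = ipaddress.ip_network(dynamic_cidr, strict=False)
    return any(dyn.version == n.version and dyn.subnet_of(n) for n in level["subnets"])

def app_access(levels, client_ip):
    """Several levels assigned to one app are a logical OR: one match is enough."""
    return any(meets_level(lvl, client_ip) for lvl in levels)

def combined_level(levels, client_ip):
    """A level that contains other levels requires all of them (logical AND)."""
    return all(meets_level(lvl, client_ip) for lvl in levels)

# Constructed sample data: documentation ranges stand in for office and VPN egress.
OFFICE = build_access_level("IP address enforcement", ["203.0.113.0/24"])
VPN = build_access_level("VPN egress", ["198.51.100.16/28"])
```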
- To customize the messages users get when app access is blocked, navigate to Security > Access and data control > Context-Aware Access and click User message. User messages include:
  - Remediation messages—These messages are system generated, and correspond to the specific policy violation that blocked the user. Remediation messages present remediation options to the user so they can unblock their app access.
  - Custom messages—Messages you add that offer specific help for the user, such as additional advice on getting unblocked or a helpful link to click.
  - Default message—An example default message is: "Your organization's policy is blocking access to this app." This message is displayed if you have not specified a remediation message or a custom message.
Go to Allow users to unblock apps with remediation messages in Context-Aware Access for details.