Configuring Context Aware Access in Google Admin Console
Once Lookout integration is set up correctly in the Google Admin console, you can set up Context Aware Access to ensure that Lookout devices are activated and secure before accessing corporate data, such as Google Workspace applications.
For more information, see the Google Admin Workspace Help.
To set up Context Aware Access:
- Create an access level for devices that have a
DeviceHealthScore
.Because this value is populated by Lookout, the access level applies to all devices that have activated Lookout for Work with your MES Console instance.- In the Google Admin console, navigate to Security > Access and data control > Context Aware Access.
- Click CREATE ACCESS LEVEL.
- Click the Advanced tab.
- Enter the following CEL expression.This expression checks for all possible health scores:
Field Value Name Lookout Device Health Score CEL Expression (device.os_type == OsType.ANDROID || device.os_type == OsType.IOS) && (device.vendors["Lookout"].device_health_score == DeviceHealthScore.VERY_GOOD || device.vendors["Lookout"].device_health_score == DeviceHealthScore.NEUTRAL || device.vendors["Lookout"].device_health_score == DeviceHealthScore.POOR || device.vendors["Lookout"].device_health_score == DeviceHealthScore.VERY_POOR)
- Scroll down and click Save.
- Return to Security > Access and Data Control > Context Aware Access.
- Create a Basic access level named Lookout Mobile Security Policy that activates when any of four conditions are true:
Condition 1: Applies to Android Devices with Access Level "Lookout Device Health Score."
OR
Condition 2: Applies to iOS Devices with Access Level "Lookout Device Health Score."
OR
Condition 3: Applies to all macOS versions
OR
Condition 4: Applies to all Windows OS versions
- Click CREATE ACCESS LEVEL.
- Nex to If you'll be adding more than 1 condition, select how all conditions are joined, select OR.
- Create Condition 1, clicking Add Attribute to add each line after the Device OS:
- Apply condition if users: Meet attributes
- Device OS > Android > Is > Any version
- Access level > Must satisfy > Lookout Device Health Score
- Click Add another condition and create Condition 2:
- Apply condition if users: Meet attributes
- Device OS > iOS > Is > Any version
- Access level > Must satisfy > Lookout Device Health Score
- Click Add another condition and create Condition 3:
- Apply condition if users: Meet attributes
- Device OS > macOS > Is > Any version
- Click Add another condition and create Condition 4:
- Apply condition if users: Meet attributes
- Device OS > Windows > Is > Any version
- Scroll down and click Save.
- Assign the access levels you just created to any Google Workspace Application, such as Google Drive, Hangouts, or Gmail:
- Select the checkbox for each app that should require the access level.
- After selecting the desired apps, click Assign.The Google Admin Console displays this screen.
- Click Save.
- Customize the user message that should display when access is denied:
- In the Google Admin Console click Security > Access and data control > Context-Aware Access > User message.
- Click the Remediation messages tile
- Enable the Turn on to show remediation messages with information on how to fix the issue toggle and click Save.
- Click the Additional custom message tile.
- In the Add a custom message to append to the remediation or default message field, enter your custom message and click Save.