home

Mobile Endpoint Security

Mobile Endpoint SecuritySecurity Service Edge
Mobile Endpoint SecuritySecurity Service Edge

Lookout Product Documentation

Find answers about using and optimizing Lookout products.

Show Contents

Mobile Endpoint Security

Deploying Lookout with Google Cloud BeyondCorp

Configuring Context Aware Access in Google Admin Console

Once Lookout integration is set up correctly in the Google Admin console, you can set up Context Aware Access to ensure that Lookout devices are activated and secure before accessing corporate data, such as Google Workspace applications.

For more information, see the Google Admin Workspace Help.

To set up Context Aware Access:

  1. Create an access level for devices that have a DeviceHealthScore.
    Because this value is populated by Lookout, the access level applies to all devices that have activated Lookout for Work with your MES Console instance.
    1. In the Google Admin console, navigate to Security > Access and data control > Context Aware Access.
    2. Click CREATE ACCESS LEVEL.
    3. Click the Advanced tab.
    4. Enter the following CEL expression.
      This expression checks for all possible health scores:
      FieldValue
      NameLookout Device Health Score
      CEL Expression 
      (device.os_type == OsType.ANDROID ||  device.os_type == OsType.IOS) && (device.vendors["Lookout"].device_health_score == DeviceHealthScore.VERY_GOOD  || device.vendors["Lookout"].device_health_score == DeviceHealthScore.NEUTRAL || device.vendors["Lookout"].device_health_score == DeviceHealthScore.POOR || device.vendors["Lookout"].device_health_score == DeviceHealthScore.VERY_POOR)
    5. Scroll down and click Save.
  2. Return to Security > Access and Data Control > Context Aware Access.
  3. Create a Basic access level named Lookout Mobile Security Policy that activates when any of four conditions are true:

    Condition 1: Applies to Android Devices with Access Level "Lookout Device Health Score."

    OR

    Condition 2: Applies to iOS Devices with Access Level "Lookout Device Health Score."

    OR

    Condition 3: Applies to all macOS versions

    OR

    Condition 4: Applies to all Windows OS versions

    1. Click CREATE ACCESS LEVEL.
    2. Nex to If you'll be adding more than 1 condition, select how all conditions are joined, select OR.
    3. Create Condition 1, clicking Add Attribute to add each line after the Device OS:


      • Apply condition if users: Meet attributes
      • Device OS > Android > Is > Any version
      • Access level > Must satisfy > Lookout Device Health Score
    4. Click Add another condition and create Condition 2:
      • Apply condition if users: Meet attributes
      • Device OS > iOS > Is > Any version
      • Access level > Must satisfy > Lookout Device Health Score
    5. Click Add another condition and create Condition 3:
      • Apply condition if users: Meet attributes
      • Device OS > macOS > Is > Any version
    6. Click Add another condition and create Condition 4:
      • Apply condition if users: Meet attributes
      • Device OS > Windows > Is > Any version
    7. Scroll down and click Save.
  4. Assign the access levels you just created to any Google Workspace Application, such as Google Drive, Hangouts, or Gmail:
    1. Select the checkbox for each app that should require the access level.
    2. After selecting the desired apps, click Assign.
      The Google Admin Console displays this screen.

    3. Click Save.
  5. Customize the user message that should display when access is denied:
    1. In the Google Admin Console click Security > Access and data control > Context-Aware Access > User message.
    2. Click the Remediation messages tile
    3. Enable the Turn on to show remediation messages with information on how to fix the issue toggle and click Save.
    4. Click the Additional custom message tile.
    5. In the Add a custom message to append to the remediation or default message field, enter your custom message and click Save.


Last updated: September 30, 2024

lookout-footer

Legal Privacy Policy Cookie Policy Transparency Report Compliance Info Compliance Info (Gov)

© 2024 Lookout, Inc. LOOKOUT®, the Lookout Shield Design®, LOOKOUT with Shield Design® and the Lookout multi-color/multi-shaded Wingspan Design® are registered trademarks of Lookout, Inc. in the United States and other countries. DAY OF SHECURITY®, LOOKOUT MOBILE SECURITY®, and POWERED BY LOOKOUT® are registered trademarks of Lookout, Inc. in the United States. Lookout, Inc. maintains common law trademark rights in EVERYTHING IS OK, PROTECTED BY LOOKOUT, CIPHERCLOUD, and the 4 Bar Shield Design.