Network access and Context-Aware settings


March 10, 2020

Can we turn off Apps if teachers/faculty are not on our network? Can we make this only work when students are at school?

These sorts of questions probably sound very familiar. In educational technology, these types of requests are frequent, and most settings have had the ability to be set granularly based on parameters such as OUs and groups. However, we also know that these granular settings may still not be enough at times.

Last October, Google moved Context-Aware Access out of closed beta and made it generally available for G Suite Enterprise for Education domains. Context-Aware Access now lets us enable and configure services based on the identity of the user, and in turn learn a little more about the context of the user and how the request is being made.

 

The configuration for Context-Aware Access is located under Security > Context-Aware Access, which gives access to the three key components for setting up and using Context-Aware Access.

  1. Build out your access levels: the condition(s) that must be met, or not met, for a rule to be applied.

    • Device Policy: set a policy based on the device that is actually connected. To enforce a device policy, the user must use Chrome as their browser and must also have installed the Endpoint Verification Chrome extension with its associated helper app (required for Windows/Mac/Linux). These policies are useful when, for example, you want only users running the most up-to-date version of their operating system to be able to connect: you could require Windows users to be on at least version 1909.0.0, or prevent Chromebooks running a version older than 78 from connecting. This can really help force your users to keep up to date rather than postponing updates!

    • IP Policies (2): based on information about the request, such as restricting it to an IP address subnet. You could have a rule that matches if the user's request originates from your school's NAT IP address range, or one based on geographic region, such as requiring that the request come from inside the USA.
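
To make the device and IP conditions above concrete, here is a Python model of how an access level could be evaluated against a request; it is an added illustration, not Google's code and not part of the original post. The class names, the 203.0.113.0/24 range standing in for a school NAT range, the OS labels and the "all configured conditions must hold" semantics are assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def parse_version(text, width=4):
    """'78' -> (78, 0, 0, 0) so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


@dataclass
class Request:
    source_ip: str
    region: str
    os_type: Optional[str] = None      # None: no Endpoint Verification data
    os_version: Optional[str] = None


@dataclass
class AccessLevel:
    subnets: list = field(default_factory=list)   # allowed source ranges
    regions: list = field(default_factory=list)   # allowed country codes
    min_os: dict = field(default_factory=dict)    # os_type -> minimum version

    def matches(self, req):
        """Every configured condition must hold (assumed AND semantics)."""
        if self.subnets:
            ip = ipaddress.ip_address(req.source_ip)
            if not any(ip in ipaddress.ip_network(n) for n in self.subnets):
                return False
        if self.regions and req.region not in self.regions:
            return False
        if self.min_os:
            # A device that reports nothing cannot satisfy a device policy.
            if req.os_type is None or req.os_version is None:
                return False
            minimum = self.min_os.get(req.os_type)
            if minimum is None:          # OS not listed in the policy
                return False
            if parse_version(req.os_version) < parse_version(minimum):
                return False
        return True


# Constructed values: 203.0.113.0/24 stands in for the school's NAT range.
ON_CAMPUS = AccessLevel(subnets=["203.0.113.0/24"], regions=["US"])
PATCHED = AccessLevel(min_os={"windows": "1909.0.0", "chromeos": "78"})
```

Note that a request from a browser without Endpoint Verification carries no device attributes, so in this model it fails `PATCHED` even when it comes from the campus range.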