Network Access and Context-Aware Settings


March 10, 2020

Can we turn off apps if teachers/faculty are not on our network? Can we make this only work when students are at school?

These sorts of questions probably sound very familiar. In education technology, these types of requests are frequent, and most settings have had the ability to be set granularly based on parameters such as OUs and groups. However, we also know that these granular settings may still not be enough at times.

Last October, Google moved Context-Aware Access out of closed beta and made it generally available for Google Workspace for Education Plus domains. Context awareness allows us to enable and configure services based on the identity of the user, and in turn to learn a little bit more about the context of the user and how the request is being made.


The configuration for Context-Aware Access is located under Security > Context-Aware Access, which gives access to the three key components for setting up and using Context-Aware Access.

  1. Build out your access levels – what condition(s) are we looking to meet or not meet for a rule to be applied. 

    • Device Policy: set a policy based on the device that is actually connected. In order to enforce device policy, the user must use Chrome as their browser and must also have installed the Endpoint Verification Chrome extension with its associated helper app (required for Windows/Mac/Linux). One example of where these policies are useful is a policy that only allows users running the most up-to-date version of their operating system to connect. For example, you can require Windows users to be on at least version 1909.0.0, or prevent Chromebooks running a version older than 78 from connecting. This can really help force your users to keep up to date rather than postponing updates!

    • IP Policies: set a policy based on information about the request, such as restricting to an IP address subnet. You could have a rule that matches if the user's request originates from your school's NAT IP address range, or one based on geographic region, such as requiring that the request come from inside the USA.

  2. Once you build these conditions out, a rule can have multiple conditions. You determine whether the rule grants access when the request meets the listed conditions or when it does not meet them. The easiest way to remember how this works: if the rule, as you have set it, is true for the request, the user gets access; if the rule is false for the request, access is denied. Remember that the underlying service must be on; if it is off, the user will never get access.

  3. Go to Security > Context-Aware Access and Assign Access Levels. Here we say which rules apply to which applications and to whom. We can apply this to groups or to OUs: select the application and apply a rule created in the previous step.

If no rule applies to the user, either by group or by OU, they are always granted access. If one or more rules apply to them, they are granted access if any of those rules is true; if not, they are denied access. The final option in the previous section is where you can also customize the message users will get when they are blocked by Context-Aware Access (this can be set differently for each OU).
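The evaluation order described above can be dry-run before a level is assigned. The sketch below is an added example, not Google's code or API: the class and function names are hypothetical, the addresses are constructed, and it assumes every condition inside one access level must match.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Request:
    ip: str            # source address as the service sees it (after NAT)
    region: str        # country code of the source address
    os: str            # "windows", "chromeos", ...
    os_version: tuple  # e.g. (1909, 0, 0) or (78,)

@dataclass
class AccessLevel:
    name: str
    subnets: list = field(default_factory=list)  # CIDR ranges; empty = not checked
    regions: list = field(default_factory=list)  # country codes; empty = not checked
    min_os: dict = field(default_factory=dict)   # os name -> minimum version tuple
    must_meet: bool = True  # False = grant when the conditions are NOT met

    def conditions_met(self, req):
        # Assumption: every configured condition has to match (logical AND).
        addr = ipaddress.ip_address(req.ip)
        if self.subnets and not any(addr in ipaddress.ip_network(s) for s in self.subnets):
            return False
        if self.regions and req.region not in self.regions:
            return False
        floor = self.min_os.get(req.os)
        return floor is None or req.os_version >= floor

    def grants(self, req):
        return self.conditions_met(req) == self.must_meet

def decide(service_on, assigned_levels, req):
    if not service_on:        # a service that is off is never reachable
        return False
    if not assigned_levels:   # nothing assigned via group or OU: always granted
        return True
    return any(level.grants(req) for level in assigned_levels)

# Constructed sample data: 203.0.113.0/24 stands in for the school's NAT range.
ON_CAMPUS = AccessLevel("on-campus", subnets=["203.0.113.0/24"], regions=["US"])
CURRENT_OS = AccessLevel("current-os", min_os={"windows": (1909, 0, 0), "chromeos": (78,)})
AT_SCHOOL = Request("203.0.113.25", "US", "chromeos", (80,))
AT_HOME_OLD = Request("198.51.100.7", "US", "chromeos", (77,))
AT_HOME_NEW = Request("198.51.100.7", "US", "windows", (1909, 0, 0))
```

Assigning both `ON_CAMPUS` and `CURRENT_OS` to the same OU lets `AT_HOME_NEW` through, because any one true level is enough; under the assumption above, the subnet and OS conditions belong in a single level when both must hold.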

So what are the criteria for using this, and what services does it work on? First, this is a Google Workspace for Education Plus feature: for it to work, the user to whom we want the rule to apply must have an Enterprise license assigned to them. Second, it currently works only with the Google Workspace core services (currently all 13).

What are some good use cases for this? Perhaps you can now answer the question of when your substitute teachers or other hourly staff can access email: you can make it so their accounts only work if requests originate from your school. Students can be limited to accessing Hangouts during the day, so it can be used as an instructional tool but not used at home. Or better yet, take something like Google Vault: restrict Google Vault so it can only be accessed while you are on the school network, further protecting your Vault users.

The use cases of Context-Aware Access are just getting started, and while using this Google Workspace feature requires Google Workspace for Education Plus licenses, it is only a subset of the full power you can get by upgrading your domain to Enterprise.

Want to try Education Plus and test the Context-Aware feature? Fill out this form and our team will be in touch!

  • Andrew Giggey
    Google for Education Consultant

  • About the Author:

    Andrew Giggey has been a Google Workspace for Education Consultant for Amplified IT since 2018. Prior to joining Amplified IT, Andrew spent time working for school districts as a network and systems administrator. His hobby is having hobbies, and he has tried just about everything. Utilizing his tinkering and computer science knowledge, Andrew is constantly working to discover things hiding in plain sight and to help inform the community of uncovered issues. Andrew continues to look for the unique problems that school districts face and to find them the best possible solution.