Network Access and Context-Aware Settings

Can we turn off apps if teachers/faculty are not on our network? Can we make this only work when students are at school?

These sorts of questions probably sound very familiar. In education technology, these types of requests are frequent and most settings do have had the ability to be set granularly based on parameters such as OU’s and groups. However, we also know that these granular settings may still not be enough at times.

Context awareness allows us the ability to enable and configure services based on the identity of the user and in turn learn a little bit more about the context of the user and how the request is being made. 

The configuration for Context-Aware Access is located under Security > Overview > Context-Aware Access, which gives access to the three key components for setting up and using Context-Aware Access.

  1. Build out your access levels – what condition(s) are we looking to meet or not meet for a rule to be applied. 

    • Device Policy: set a policy based on the device that is actually connected. Now in order to enforce device policy, the user must use Chrome as their browser and must also have and installed the Endpoint Verification Chrome extension with its associated helper app (required for Windows/Mac/Linux). Some examples of where these policies can be useful is you can have policies that only allows users who are using the most up to date version of their operating system to be able to connect. For example, requiring windows users to have to be at least version 1909.0.0 or making it so Chromebooks running older than version 78 not be able to connect. This can really help force your users to keep up to date and not be able to postpone them!

    • IP Policies (2):  information of the request, such as restricting to an IP address subnet.  You could have a rule that would match if the users request originates from your schools NAT IP address range, or based on geographic region, such as that the request must come from inside the USA.

  2. Once you build these conditions out, a rule can have multiple conditions. You determine if the rule grants access if it meets those listed conditions or if it does not meet the conditions. The easiest way to remember how this should be set is, whatever you have your rule set as, it is true when we apply it, they get access, if the rule is false with the request, it is denied. Remember the underlying service must be on, if it is off, then the user will never get access.

Go to Security > Overview > Context-Aware Access and Assign Access Levels. Here we will say what rules apply to what and to whom. We can apply this to groups or to OUs, then we select the application and apply a rule that we created in the last step.

If the user doesn’t have any rule applying either by group or by OU, they are always granted access. If they have one or more rules applied that they fall under, if any of the rules are true, they are granted access, if not, then they are denied access. The final option in the previous section is where you can also customize the message users (which can also be set differently for each OU) will get if they are getting blocked because of Context-Aware Access.

So what is the criteria for using this and what services does it work on? 

First, this is a Google Workspace for Education Plus feature. For this feature to work the user on which we want the rule to apply, must have an Enterprise license assigned to them. Second, this currently works only with the Google Workspace core services (currently all 13).

What are some good use cases for this? 

Perhaps you can now answer the question of your substitute teachers or other hourly staff and when they can access email, you can now make it so the accounts only work if they originate from your school. Students only being able to access hangouts during the day, so it can be used as an instructional tool but not able to be used at home. Or better yet, something like Google Vault, restrict Google Vault to only being able to be accessed while you are on the school network, further protecting your Vault users.

The use cases of Context-Aware access are just getting started, and while the usage of this Google Workspace feature requires Google Workspace for Education Plus licenses, it is only a subset of the full power you can get, by upgrading your domain to Enterprise. 

What to try Education Plus and test the Context Aware feature? 

Fill out this form and our team will be in touch! 



About the Author

Stephen Gale, Technical Support Analyst
Stephen lives in Utah and enjoys the puzzle of investigating users’ problems and finding potential solutions. A recovering/reformed Gamer, Stephen throws himself into his passion for staying on top of all things Chrome OS and Chromebook related. Prior to joining CDW Amplified for Education, Stephen served as a Network Admin in a Therapeutic Boarding School and an IT director, where he implemented Google Workspace for Education. Stephen has studied computer science and security at Weber State University, Western Governors University. A self-anointed honor, Stephen likes Chromebooks more than almost anyone else in the world.

Articles in this section