Control access to corporate data on Chrome, Mac, and Windows devices with endpoint verification
What’s changing
We’re giving admins more control over how devices running endpoint verification can access corporate data in Google Cloud. Specifically, we’ll give admins the ability to:
- Tag endpoint devices running Chrome as approved or blocked — Admins can use the tag to configure access levels with the Access Context Manager
- Decide whether an additional review is needed for newly registered endpoint verification devices before they’re tagged as approved.
This will bring similar functionality to what’s currently available for mobile device management to desktop devices using Chrome OS or Chrome browser.
Who’s impacted
Admins only
Why you’d use it
With the ability to limit G Suite access for devices that use endpoint verification, admins will now get fine-grained control over managing device access beyond just mobile devices.
Now, admins can view the inventory of devices that are access this data, and approve or block access to specific devices based any internal criteria. Examples include, lost devices, which can now be ‘blocked’ from accessing apps, or approving new users who need to access applications as their job titles shift.
How to get started
Admins:
- To set a policy for whether newly registered endpoint verification devices need admin approval, go to Admin Console > Device management > Setup > Device Approvals > Device Approvals.
- Check or uncheck the box to set a policy. This will default to unchecked, meaning that admins will not have to manually approve newly registered devices.
- Optionally, you can also add an email that approval requests will be sent to.
- Note that device access to corporate data can be configured at any time by using the Access Context Manager.
- For desktop devices, Admins will have the option to select Approve or Block, which will tag the device accordingly in the Access Context Manager.
- Approve or block actions on devices will generate an audit event within the Admin Console. For more information on audit logs for devices, see here.
End users: No action needed
Additional details
This launch allows you to control access for devices with endpoint verificationinstalled. This includes Chromebooks and other desktop devices running the Google Chrome browser.
Tag newly registered endpoint verification devices as ‘Approved’ or ‘Blocked’ before setting access
When a new device is registered via Endpoint Verification, admins can turn on access restriction in the Access Context Manager. From there, they can govern device access by selecting ‘Approve’ or ‘Block’.
See image below to see how this will look in the Admin console with the feature ON.
If this policy is OFF, devices will be approved by default and can be blocked later on, for example, if a device is lost or a device is compromised.
Turn individual device access on or off
Admins can approve or remove access for devices in the Admin Console. A new view at Admin console > Device Management > Device Approvals will list all devices in a pending approval state. From this list, they can be tagged as Deviced/Approved — once devices are tagged, further access policies can be configured in the Access Context Manager.
Admins can also get email notifications for when a device is registered but needs admin approval. See our Help Center to learn how to configure email notifications.
Helpful links
- Help Center (end users): Allow an Admin to monitor your computer (Endpoint Verification)
- Help Center (Admins): Turn Endpoint Verification on or off
- Help Center (Admins): Control what devices can access your data
- Help Center (Admins): Devices audit log
Availability
Rollout details
- Rapid Release domains: Full rollout (1-3 days for feature visibility) starting on Feb 28, 2019
- Scheduled Release domains: Full rollout (1-3 days for feature visibility) starting on Feb 28, 2019
G Suite editions
- Available to all G Suite editions.
On/off by default?
- Manual device verification will be OFF by default and can be enabled at the domain and OU level.
- Individual device access controls will be ON by default.