Use Compliance Data in Google BeyondCorp Context Aware Access

You can integrate Workspace ONE UEM with Google BeyondCorp to enable context aware access to individual Google supported apps such as Gmail, Google Drive, Google Calendar, and so on. Android, iOS, Mac, and Windows devices support this feature.

Workspace ONE UEM only passes managed, unmanaged, compliant, and non-compliant attributes to Google BeyondCorp.

Prerequisites

  • Workspace ONE UEM 2209 or later.
  • You must opt-in to Workspace ONE Intelligence.
    • Navigate to an organization group of type ‘Customer’, then navigate to Monitor > Intelligence to learn more and to get started.
  • Workspace ONE Intelligent Hub version 2209 or later installed on Android and iOS devices.
  • Workspace ONE Intelligent Hub version 2306 or later installed on Mac devices.
  • Workspace ONE Intelligent Hub version 2310 or later installed on Windows Devices.
  • If you plan to use Google native apps and SAML apps on Google Workspace, the license required is either Google Workspace Enterprise or Cloud Identity Premium. For more information, see Set up third-party partner integrations.
  • If you plan to use on premise apps and apps that are deployed on Google Cloud Platform, you must have a BeyondCorp Enterprise License.

Integrate Google BeyondCorp and Workspace ONE UEM Steps

Follow the steps below to integrate Workspace ONE UEM with Google BeyondCorp.

1. Configure Google Admin Console

  1. To set up context-aware access in the Google Admin console, see Protect your business with Context-Aware Access.
  2. In Google Admin Console, create a new access level.

    1. Select Conditions > Advanced and enter a condition using the following code as an example:
    !(device.os_type in [OsType.IOS, OsType.ANDROID]) || (device.vendors["VMWare"].is_compliant_device == true)

    The code example above ensures that only Android and iOS devices are evaluated against this access level; all other device types satisfy the condition without a compliance check.

    2. Configure an end user message that includes a redirect URL to the remediation page. The remediation URL is based on the Workspace ONE Intelligence URL. The syntax is:
    https://{Intelligence_URL}/#/compliance/tenants/UEM_Tenant_UUID/google/remediation

    Note: You must replace {Intelligence_URL} with your Workspace ONE Intelligence URL. You can find this URL by launching Workspace ONE Intelligence from Monitor > Intelligence in the Workspace ONE UEM console.

  3. Enable VMware as a third party BeyondCorp partner by navigating to Devices > Mobile & endpoints > Settings > Third-party integrations. For detailed instructions, see steps 1 and 2 in Set up third-party partner integrations.
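To make the outcomes of the access-level condition in step 2 concrete, here is an added Python model (not Google's CEL evaluator and not part of this documentation) that evaluates the page's condition over a constructed set of devices, and alongside it a stricter variant that also gates Mac and Windows. It assumes that a missing VMWare vendor record makes the lookup error rather than evaluate to false, and that an erroring condition counts as not satisfied.

```python
from dataclasses import dataclass, field

MOBILE_OS = {"IOS", "ANDROID"}  # stands in for [OsType.IOS, OsType.ANDROID]

@dataclass
class Device:
    """Constructed stand-in for the `device` object a Context-Aware Access condition sees."""
    os_type: str                                 # "IOS", "ANDROID", "MAC", "WINDOWS" (our labels)
    vendors: dict = field(default_factory=dict)  # {"VMWare": {"is_compliant_device": bool}}

def vmware_compliance(device: Device) -> str:
    """Model device.vendors["VMWare"].is_compliant_device == true.
    Assumption: when Workspace ONE UEM has not pushed a vendor record for the device
    (unmanaged or not yet registered), the lookup errors instead of yielding false,
    and an erroring condition counts as not satisfied."""
    vendor = device.vendors.get("VMWare")
    if vendor is None or "is_compliant_device" not in vendor:
        return "ERROR"
    return "ALLOW" if vendor["is_compliant_device"] is True else "DENY"

def page_condition(device: Device) -> str:
    """!(device.os_type in [OsType.IOS, OsType.ANDROID]) || (...is_compliant_device == true).
    The left operand is true for every non-mobile OS, so desktops are never checked
    against the VMware attribute by this access level."""
    if device.os_type not in MOBILE_OS:
        return "ALLOW"
    return vmware_compliance(device)

def all_platforms_condition(device: Device) -> str:
    """Stricter variant: device.vendors["VMWare"].is_compliant_device == true on its own,
    so Mac and Windows devices (supported per the prerequisites) are gated as well."""
    return vmware_compliance(device)

def decision_matrix(devices: dict, condition) -> dict:
    """Return {label: decision} for a batch of devices under one condition."""
    return {label: condition(dev) for label, dev in devices.items()}

SAMPLE_DEVICES = {  # constructed sample fleet
    "android-compliant": Device("ANDROID", {"VMWare": {"is_compliant_device": True}}),
    "ios-noncompliant": Device("IOS", {"VMWare": {"is_compliant_device": False}}),
    "android-unregistered": Device("ANDROID"),
    "windows-unregistered": Device("WINDOWS"),
}

if __name__ == "__main__":
    for name, cond in (("page condition", page_condition), ("all platforms", all_platforms_condition)):
        print(name, decision_matrix(SAMPLE_DEVICES, cond))
```

Running it shows the page's condition letting the unregistered Windows device through untouched, while the stricter variant sends it to the same remediation flow as an unregistered phone.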

2. Configure Google Cloud Platform

  1. Generate and download your Service Account credentials from the Google Cloud Console and save them to your computer. Later in this integration setup, you must import this saved JSON file into the Workspace ONE UEM console.
  2. Ensure that the Cloud Identity API is enabled on the customer-owned project that is used to call Devices API. For detailed instructions, see Enabling the API and setting up credentials. Note: Ensure billing is enabled for your Google Cloud project.
  3. Ensure that Domain-wide delegation is enabled for your service account and scopes are defined in API control. For detailed instructions on enabling domain-wide delegation, see Control API access with domain-wide delegation. The scope that is needed for the Google BeyondCorp integration is:
    https://www.googleapis.com/auth/cloud-identity.devices

3. Integrate With Workspace ONE UEM console

Note: The integration with Google BeyondCorp can only be configured at an Organization Group of type ‘Customer’.

  1. Log in to Workspace ONE UEM console.
  2. Navigate to Groups & Settings > Integrations.

    This partial screenshot shows the main integration screen for Workspace ONE UEM including the Google BeyondCorp panel

  3. Select Setup and then select Get started.

  4. Enter your Customer ID, which can be found on the Google Admin Console. For detailed instructions on how to find the customer ID, see Find your customer ID.
  5. Enter Admin Email Address. The admin account entered must have privileges at or above the Mobile Admin level. For more information about administrator role definitions, see Pre-built administrator roles.
  6. Import the Google Service Account JSON File. This is the file that you downloaded earlier from the Google Cloud Console. Finish the setup by clicking on Connect to Google BeyondCorp.
  7. (OPTIONAL STEP) Push down the Google applications from the console. For more information, see Deploy Public Applications on Your Devices. Alternatively, you can let the end-user download the application from the app store or play store.

Once the above steps are completed, the integration between Workspace ONE UEM and Google BeyondCorp is complete.

4. Recommended Instructions for the End User

  1. Direct the end user to enroll their device using Workspace ONE Intelligent Hub as a managed device.
  2. Direct the end user to install mobile Google applications (such as Gmail, Google Drive, etc.) on mobile devices (iOS, Android).
  3. Direct the end user to install the Chrome Endpoint Verification Extension on desktop devices (Mac, Windows).
  4. Mobile: The user must launch the Google application on the device.
  5. Desktop: The user must navigate to a Google app in the Chrome browser.
  6. When the user attempts to sign in, the user is blocked and directed to the Google custom error message (configured as part of the context aware policy earlier). The user can click on the remediation URL, which redirects them to VMware’s remediation page, where they see two options.
    1. Connect Now - If the device is already enrolled and has Intelligent Hub installed, the end user clicks Connect Now to launch Intelligent Hub.
    2. Download Hub - If the device is not enrolled, the end user must download Intelligent Hub and enroll the device.
  7. The end user is prompted to provide Intelligent Hub access to their Google account to register the device with Google. The user must accept this prompt.
  8. Once the user sees a successful message prompt in Workspace ONE Intelligent Hub, they can retry accessing the mobile Google app. If the device is compliant and managed by Workspace ONE UEM, the user will be granted access to the app.

Unsupported Use Cases

  • Registered mode (unmanaged) devices are not supported.
  • Passing the device ownership type to Google BeyondCorp’s Context-Aware Access is not supported.
  • Launching the remediation flow before launching the native application is not supported. If the remediation flow is launched first, two device records will be created in the Google console, which impacts the Context-Aware integration for that device.
  • FedRAMP environments are not supported for this integration.
  • Shared device use cases are not currently supported. This includes Check In/ Check Out flows.