← All controls

27 Device-trust CAA via MDM

Ties access to sensitive apps to the device it comes from, not just to the account. Endpoint verification collects posture signals — OS version, disk encryption, screen lock, admin-approval state, company-owned flag — into the Context-Aware Access attribute set, and an access level built from those attributes is applied through the three DEFAULT policies (all Google-owned apps, all SAML apps, all OAuth apps), which also cover every app enabled later, where a per-app assignment would leave each new app unprotected. Requiring admin approval for devices is what stops an attacker's own laptop enrolling itself into the trusted population. The signals depend on an agent: the Endpoint Verification helper or Chrome extension has to be deployed and the user signed into the managed Chrome profile, or no device reports anything at all.

Caveats

Setup steps

  1. open ↗ Devices › Mobile & endpoints › Settings › Universal › Data access
    Collect device signals using endpoint verification
    ON
    Collect device signals from Chrome browser
    ON (for the target OU)

    Turn endpoint verification on or off ↗ Turn Chrome signals sharing on or off ↗

  2. open ↗ Devices › Mobile & endpoints › Settings › Universal › Security

    Device approvals = Require admin approval. Applies to user-owned/personal devices; company-owned devices registered by serial number are auto-approved (except Android work-profile devices)

    Require admin approval for device access ↗

  3. open ↗ Security › Access and data control › Context-Aware Access › Access levels
    Access level 'trusted-device': Device policy
    admin-approved AND encrypted storage AND screen lock AND OS version ≥ baseline
    company-owned
    true

    Create Context-Aware access levels ↗

  4. Security › Access and data control › Context-Aware Access › Access levels
    device.chrome.management_state == ChromeManagementState.CHROME_MANAGEMENT_STATE_BROWSER_MANAGED && device.chrome.versionAtLeast("148.0.0.0")

    Use case: Managed Chrome browser enforcement ↗

  5. open ↗ Security › Context-Aware Access › General settings

    General settings: Policy for all Google-owned apps / all SAML apps / OAuth apps = trusted-device; Action = Monitor first, then Block once the monitor log is clean. Do not use Warn (OAuth policies offer only Monitor and Block)

    Assign Context-Aware Access levels to apps ↗ Apply a default Context-Aware Access policy for all SAML apps ↗

Ongoing maintenance

How to verify

  1. From an unmanaged browser, sign in as a test user — the CAA log should show the device failing the level (Blocked, or Access Denied (Monitor mode) while ramping).

  2. From a managed device, confirm the log shows device signals present (no "No Device Signals" / "Device ID: UNKNOWN").

v0.0.3Preventedition Ent Std+ + MDM policy #25 · #4, #7 ↗