Find the answers to frequently asked questions for Context-Aware Access
Why aren’t Context-Aware Access policies applied to some users in my company?Users may not all have the same licenses assigned to them. Verify that your users are members of an organizational unit or group that has Context-Aware Access-supported Google Workspace editions. Check Billing in the Admin Console to verify user licenses.
Verify that the access setting in the Context-Aware Access policy is the one you intend - either Meet attributes or Don’t meet attributes.
If you enforce a device policy at an access level, you and your users have to set up endpoint verification. You enable endpoint verification in the Admin console. Go to Set up software and create Context-Aware access levels for details.
If an access level denies a user request but the access level appears to be configured correctly, the user may need to force the server-side device state to refresh. Go to Use mobile devices with access levels - Troubleshooting for details.
Chrome browser users (desktop and mobile), must turn on sync in Chrome browser. Go to Turn sync on and off in Chrome for details.
If Apple Private Relay is configured in iCloud, the device IP address is hidden. Google Workspace receives an anonymous IP address. In this case, if there is a Context-Aware access level assigned as the IP subnet, then access is denied to Safari. Fix this by turning off Private Relay, or by removing the access level that contains IP subnets.
Google recommends that you do not use the Google Cloud console interface to add or modify Context-Aware access levels if you are a Workspace-only customer. If you add or change access levels using a method other than the Context-Aware access interface, this error message may result: Unsupported attributes are being used on Google Workspace, and users can be blocked.
Even if you don’t apply a restriction to the app, Workspace apps can be blocked due to access-level evaluations for related APIs. For example, Gmail's access to the Calendar, Drive, and Meet APIs is evaluated based on Calendar API restrictions. To identify blocked connections, review Blocked API access events in the Context-Aware Access log events.
Google Apps Script projects connected to Workspace apps are subject to Context-Aware Access policies assigned to those apps. Scripts trying to access data from Context-Aware Access-restricted Workspace apps might encounter access denied errors. The error occurs because the scripts are not run on a user's device. Therefore, the required security context cannot be validated. To avoid access errors and maintain API access, each Apps Script project must be exempted from Context-Aware Access policies.
