Restricting International Access in Google

Context-Aware Access in Google Admin Console has been around for a while, but it still seems underused and new to me. There are some good scenarios to think through and play out with Context-Aware Access. For this article, let’s unpack how to use it to restrict users to the USA, i.e., Gmail can only be accessed within the USA. We’ll also explain how to make an override to this, for example, when your boss takes a vacation to Mexico. I lifted this from Mark in the K12TechPro Community. Thanks, Mark! If you work in a K12 tech department and haven’t joined it yet, you should, like, now.

Here goes…

If you’d like to implement a rule in Google Workspace that restricts all of your accounts to the USA (unless a manual override on the user profile is done), check this out.

Example: You have a lot of accounts, and all of your organizational units (OUs) are managed automatically.

Important note: Be careful if you use OUs to accomplish this; you may find the “override” function does not work if you use OUs.

1. Create a security group that includes all accounts in your domain. You can do this multiple ways, but an easy method is to create a dynamic query for all users with an ancestor unit of your highest OU. Just name this “All Users” and make sure to remove all permissions.

2. Create your override security group. Again, make sure to turn off all permissions on this group. You have two options:

  • Option 1: Create a security group that you manually update with users as they request access. This is the easiest way, but it may not scale up.
  • Option 2: Create a security group that dynamically updates using a custom attribute. Start by creating a custom attribute for “International Access” that’s just a yes/no field. Go here in the admin console and create a custom attribute at the bottom that looks like this.

Option 1 is probably the best bet. This gives the ability to add staff as managers of the group so they can add/remove students.

3. Once you have that custom attribute, you can create a security group that uses a dynamic query to add users if this custom attribute is “Yes.” You could also add other requirements, such as requiring two-step verification to be enabled, by adding more conditions. If you’re going to add parameters, remember that users who don’t meet them will be locked out of their accounts, so you can’t tell them to turn on two-step verification once they’re already locked out.

4. Test this before moving on to the next step: check off the custom attribute on a user profile and make sure the user is added to the override group.

5. Next, go to Context-Aware Access (https://admin.google.com/ac/security/context-aware/access-levels) and create two access levels. It’s important to point out that Context-Aware Access does not work in the same way as other functions in the Google Admin Console. You need two access levels: one with just your country and another with a list of allowable countries.

The “International Access” level lists the countries that you allow a user to travel to. Google limits this to 100 countries.

6. Finally, put this all together by assigning access levels. In the groups section, set the first group in the list to be your override security group (i.e., International Access), then set your “All Users” group to be only your country. This means everybody will be in the “All Users” group and have access to your home country by default. If they are placed in the “International Access” group, that rule takes priority and gives them access to the larger list of countries.

Note: After you’ve set this up, try it out using a VPN on your phone.
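The group precedence from step 6 can be checked on paper before touching the Admin Console. The Python sketch below is an added example, not code from the original article or from Google. The plan structure, the level name "USA Only", the ISO two-letter country codes and the sample country list are assumptions, and the first-match rule models the article's description of group priority.

```python
"""Pre-flight lint and decision model for the two-level setup (added example)."""

MAX_COUNTRIES = 100  # per-level limit stated in the article

# Constructed sample plan: group names follow the article, the rest is illustrative.
PLAN = {
    "home_country": "US",
    "levels": {
        "USA Only": ["US"],
        "International Access": ["US", "MX", "CA", "GB"],
    },
    # (group, level) pairs in priority order: the first matching group wins.
    "assignments": [
        ("International Access", "International Access"),
        ("All Users", "USA Only"),
    ],
}


def lint(plan):
    """Return problems that would lock users out or defeat the override."""
    problems = []
    for name, countries in plan["levels"].items():
        if len(countries) > MAX_COUNTRIES:
            problems.append(f"{name}: {len(countries)} countries exceeds {MAX_COUNTRIES}")
        bad = [c for c in countries if not (len(c) == 2 and c.isalpha() and c.isupper())]
        if bad:
            problems.append(f"{name}: not two-letter country codes: {bad}")
    groups = [group for group, _ in plan["assignments"]]
    if not groups or groups[-1] != "All Users":
        problems.append("All Users must be last so override groups are evaluated first")
    for group, level in plan["assignments"]:
        if level not in plan["levels"]:
            problems.append(f"{group}: unknown level {level}")
        elif plan["home_country"] not in plan["levels"][level]:
            # An override replaces the default level, so it must still allow home.
            problems.append(f"{group}: level {level} blocks the home country")
    return problems


def is_allowed(plan, user_groups, country):
    """Apply the first assignment whose group the user belongs to."""
    for group, level in plan["assignments"]:
        if group in user_groups:
            return country in plan["levels"][level]
    return True  # model assumption: no matching group means no level is enforced
```

An empty list from `lint(PLAN)` means the plan is consistent; `is_allowed` then predicts what the VPN test should show for a given user and country.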

And that’s it. I did this for my school district and it’s working well. I went with the manual Google Group option for overrides.
