Security advisor for app access protection

Supported editions for this feature: Frontline Plus; Business Plus; Enterprise Standard and Enterprise Plus.

As an administrator, you can use Security advisor to prevent app access from unsafe devices. Set up app access protection to warn or block your users on unsafe devices that are trying to access core Google Workspace apps like Google Drive or Gmail.

You can control access from the following types of unsafe devices:

  • Devices with an outdated operating system (OS). Applies to Android, iOS, Windows, and macOS devices
  • Devices that are missing security updates (Android only)
  • Devices with potentially harmful apps (Android only)
  • Compromised devices—for example, a rooted or jailbroken device (Android and iOS only)
  • Devices with missing disk encryption (macOS and Windows only)
  • Devices with missing screen lock (macOS and Windows only)

What users see

Users who try to access Workspace apps on an unsafe device get a message that explains the device risk and how to eliminate it.

To further protect app access on user devices, use Context-Aware Access.

Before you begin

  • Supported apps—Core Google apps, including Google Calendar, Chat, Keep, Tasks, Drive, and Gmail.
  • Default settings—App access protection is turned on by default (in warn mode) for Android and iOS devices, but it's turned off by default for Windows and macOS devices. Older accounts might have different default configurations.
  • Context-Aware Access conflicts—If you use Context-Aware Access, device attribute access levels might conflict with your app access protection settings. If there's a conflict between a warn setting and a block setting, the block setting generally takes precedence. For example, if an access level blocks users with an outdated iOS version, but there's also an app access protection setting to warn those users, the block action is enforced.
  • Windows and macOS requirements—Users must be signed in to their Chrome profile and you must have Chrome signals sharing turned on. If a user isn't signed in to their Chrome profile or is using a different browser, and app access protection is set to warn or block, the user will either have their Workspace access entirely blocked or get a warning prompting them to fix the problem.
  • Departments and teams—If you need to set up a department or team for this setting, go to Add an organizational unit.

Manage app access protection settings

You must be signed in as a super administrator for this task.
  1. In the Google Admin console, go to Menu > Security > Security advisor.

  2. For App access protection, click Expand > Edit settings.
  3. (Optional) Settings are shown for the top level of your organization. To view or edit settings for specific organizational units, click View another org unit.
    • If you change the settings for an organizational unit from the settings of its parent organizational unit, the settings page shows Parent settings overridden.
    • To reset the organizational unit to its parent unit settings, click Inherit.
  4. To change a setting, click the menu next to an unsafe device type and choose an option:
    • Warn users—users get a warning message, but can still access apps
    • Block users—users get a message that app access is blocked
    • Off
  5. If you change a setting, you're prompted with a message after the setting is updated.

Review access from unsafe devices logs

To get detailed information about app access from unsafe devices in your organization, you can run a search of Device log events directly from Security advisor.

You must be signed in as a super administrator for this task.
  1. In the Google Admin console, go to Menu > Security > Security advisor.

  2. For App access protection, click Expand > View logs for access from unsafe devices.

This search returns a list of devices that meet the following risk criteria: outdated OS, outdated security patch, harmful apps, compromised device, missing disk encryption, and missing screen lock. The results include the device owner, model, and OS version.

Note: Device log information is available for the past 180 days.

Review app access protection log events

You can get detailed information about app access protection events in your organization in Context-Aware Access log events.

You must be signed in as a super administrator for this task.
  1. In the Google Admin console, go to Menu > Reporting > Audit and investigation > Context Aware Access log events.

    Requires having the Audit & Investigation administrator privilege.

  2. To filter events that occurred before or after a specific date, for Date, select Before or After. By default, events from the last 7 days are shown. You can select a different date range or click to remove the date filter.

  3. Click Filter > Add a filter > Event.
  4. Choose an option:
    • Click Is > Access denied (security advisor) > Apply.
    • Click Is > User warned (security advisor) > Apply.
  5. (Optional) To create multiple filters for your search, repeat steps 3 and 4.
  6. Click Search.

For more information, go to Context-Aware Access log events.
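
Before you move a device type from Warn to Block, it helps to know who would be affected. The following is an added example (not Google's code) that summarizes the two security advisor events from the filter above, assuming you have exported the search results to CSV. The column names and sample rows are constructed; match the names to the header row of your own export.

```python
import csv
import io
from collections import defaultdict

# Event names as they appear in the Event filter on this page.
DENIED = "Access denied (security advisor)"
WARNED = "User warned (security advisor)"

# Constructed sample export. The column names (Date, Event, Actor,
# Application, Device ID) are assumptions, not a documented schema.
SAMPLE_EXPORT = """\
Date,Event,Actor,Application,Device ID
2024-05-01T09:00:00Z,User warned (security advisor),ana@example.com,Gmail,dev-001
2024-05-02T09:05:00Z,User warned (security advisor),ana@example.com,Drive,dev-001
2024-05-02T10:00:00Z,Access denied (security advisor),ben@example.com,Drive,dev-002
2024-05-03T08:00:00Z,User warned (security advisor),cy@example.com,Gmail,dev-003
2024-05-03T11:00:00Z,Some other event,ana@example.com,Gmail,dev-009
2024-05-04T10:00:00Z,Access denied (security advisor),Ben@example.com,Gmail,dev-002
"""


def summarize(csv_text, warn_threshold=2):
    """Return (blocked, repeat_warned) from exported log rows.

    blocked:       {user: set of apps the user was denied}
    repeat_warned: {(user, device): count} for pairs warned at least
                   warn_threshold times, i.e. devices that stay unsafe
                   and would lose access if the setting became Block.
    """
    blocked = defaultdict(set)
    warned = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        event = row["Event"].strip()
        user = row["Actor"].strip().lower()  # normalize address casing
        if event == DENIED:
            blocked[user].add(row["Application"].strip())
        elif event == WARNED:
            warned[(user, row["Device ID"].strip())] += 1
        # Any other event type is outside app access protection; skip it.
    repeat = {k: n for k, n in warned.items() if n >= warn_threshold}
    return dict(blocked), repeat


if __name__ == "__main__":
    blocked, repeat = summarize(SAMPLE_EXPORT)
    for user, apps in sorted(blocked.items()):
        print(f"blocked: {user} -> {', '.join(sorted(apps))}")
    for (user, device), n in sorted(repeat.items()):
        print(f"warned {n}x, still unsafe: {user} on {device}")
```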

