Additional signals for enforcing Context Aware Access for Android

A Zero Trust approach to security can help you safeguard your users, devices, and apps as well as protect your data against unauthorized access or exfiltration.

As part of Google Cloud’s efforts to help organizations adopt Zero Trust, we designed our BeyondCorp Enterprise (BCE) solution to be an extensible platform enabling customers to use a variety of signals from Chrome, desktop operating systems, and mobile devices. BeyondCorp Enterprise, Workspace CAA, and Cloud Identity can now receive critical Android device security signals for both advanced managed devices and, for the first time, basic managed devices.

For example, a customer can now define a rule to block access on devices that have potentially harmful apps installed or have been tampered with (such as if it had been rooted). These signals will be made available in the Workspace Admin Console device management UI, and in the Cloud Identity Devices API, enabling admins to gain observability into the state of devices accessing private apps, SaaS apps, or Workspace data.

The benefits

Context-Aware Access is a security feature that allows admins to deploy granular control policies to enforce user access based on IP address, device posture, time of day, etc. We support five device attributes (screen lock, OS version, encryption, company-owned, and verified boot) for Android devices in basic Access Level mode, with additional device attributes in advanced mode.

The below information highlights the new signals we have added based on customer demand:

Signal Details

Attribute: Verified Boot
Type: boolean
Description: Verified Boot strives to ensure all executed code comes from a trusted source (usually device OEMs), rather than from an attacker or corruption. It establishes a full chain of trust, starting from a hardware-protected root of trust to the bootloader, to the boot partition and other verified partitions including system, vendor, and optionally OEM partitions.

Attribute: Potentially harmful apps
Type: boolean
Description: Google Play Protect checks apps when installed. It also periodically scans devices. This will flag if the device has deployed any apps that are potentially harmful or if an existing app has now been categorized as potentially malicious.

Disallow devices with potentially harmful apps detected.

Attribute: Google Play Protect
Type: boolean
Description: Require devices to have Google Play Protect Verify Apps enabled. This flag ascertains if the Google Play Protect is enabled for the device. Google Play Protect automatically scans all of the apps on Android phones and works to prevent the installation of harmful apps.

Attribute: CTS Compliance Check
Type: boolean
Description: The SafetyNet Attestation API provides a cryptographically signed attestation, assessing the device's integrity. This flag attests that the device is a certified, genuine device that passes CTS.

In addition to CAA rules, you can get visibility of device state including these new signals across your fleet. These additional states are available via APIs as well as in the Admin console. You can see a screenshot of admin console updated with the new signals on device detail page:

Potentially_harmful_apps details are provided in the Installed apps section from the Installed apps field of the Admin Console as shown above

Next steps

We are continuing to add additional signals from Chrome browser, Chrome OS, mobile as well as partners. Reach out to your Google representative if you would like to see additional partners or signals added.

If you’d like to learn more, visit the BeyondCorp Enterprise webpage. You can also follow the steps for setting up CAA rules with BeyondCorp Enterprise here. You can find additional information for all the Android signals here.