This page describes the basic concepts of Endpoint Verification.
Available to all Google Cloud, Cloud Identity, G Suite Business, and G Suite Enterprise customers, Endpoint Verification is a product that allows you, as an admin or security operations professional, to build an inventory of devices that are accessing your organization's data. Endpoint Verification also provides critical device trust and security-based access control as a part of the BeyondCorp Enterprise solution.
When to use Endpoint Verification
Use Endpoint Verification when you want an overview of the security posture of your organization's laptop, desktop, and mobile devices.
The device inventory that Endpoint Verification provides contains valuable information that you can use to maintain security. When paired with BeyondCorp Enterprise offerings, Endpoint Verification helps enforce fine-grained access control on your Google Cloud resources.
How Endpoint Verification works
Endpoint Verification consists of a Chrome extension, although a native helper app is also required for Linux devices and for Mac and Windows devices not using Chrome 80 or higher. Chrome OS devices only require the Chrome extension.
Once Endpoint Verification is enabled through the G Suite Google Admin console, you can deploy the Endpoint Verification Chrome extension to corporate devices. Employees can also install it on their unmanaged, personal devices. This extension gathers and reports device information, constantly syncing with Google Cloud.
Using the details collected from the Chrome extension, Endpoint Verification creates an inventory of devices running Chrome OS and Chrome Browser that access your organization's data. For example, once an employee installs the Endpoint Verification extension, Endpoint Verification populates information about the device the employee used to access Google Cloud resources. As an admin, you can review information including encryption status, OS, and user details.
Collected device information
The following table describes the properties and attributes collected from the devices accessing corporate resources.
| Category | Property name | Description | Supported devices |
|---|---|---|---|
| Device compliance | Status | Device's management status: Approved or unknown | |
| User details | Name | The user's name | |
| | | The user's email ID and aliases | |
| Policy profile | First sync | Date and time the user first synchronized corporate data on the device | |
| | Last sync | Date and time of the most recent sync | |
| | Screenlock status | Whether the device has a screen lock set. Note: This property doesn't report whether the device has any other type of password (such as a firmware password for Mac). | |
| | Encryption status | Whether the device is encrypted | |
| Device properties | Device ID | Unique number associated with the user's device. | |
| | Serial number | Serial number of the device | |
| | Type | Make of device | |
| | OS | Name of the operating system | |
| | Verified Access | Indicates whether Chrome OS adheres to your organization's policies | |
Endpoint Verification is a part of the BeyondCorp Enterprise approach to securing Google Cloud, on-premises apps and resources, and Google Workspace apps. The attributes Endpoint Verification collects can be used by Access Context Manager to control access to Google Cloud and Google Workspace resources.
Access Context Manager references the device attributes gathered by Endpoint Verification to enforce fine-grained access control with access levels. You can also tag individual devices and mark company-owned devices.
Manual device tagging is enforced by creating a device access level that requires device approval. Company-owned devices are enforced by creating a device access level that requires company-owned devices.
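The following basic access level spec is an added example, not part of the original page. It shows how the collected attributes and the two device requirements described above can be expressed with the `devicePolicy` fields of Access Context Manager. The file name and the capitalized values in the command are placeholders.

```yaml
# device_level.yaml (hypothetical file name): basic access level spec.
# All attributes inside one condition must match for the level to apply.
- devicePolicy:
    # Screenlock status from the device inventory
    requireScreenlock: true
    # Encryption status from the device inventory
    allowedEncryptionStatuses:
      - ENCRYPTED
    # Only devices an admin has approved (manual device tagging)
    requireAdminApproval: true
    # Only devices marked as company-owned
    requireCorpOwned: true
    # A device must match one of the listed OS entries
    osConstraints:
      - osType: DESKTOP_CHROME_OS
        # Relates to the Verified Access property for Chrome OS
        requireVerifiedChromeOs: true
      - osType: DESKTOP_MAC
      - osType: DESKTOP_WINDOWS
      - osType: DESKTOP_LINUX
#
# Create the level from this file (capitalized values are placeholders):
#   gcloud access-context-manager levels create LEVEL_NAME \
#     --title="TITLE" \
#     --basic-level-spec=device_level.yaml \
#     --policy=POLICY_ID
```

A device whose reported attributes fail any one of these requirements does not satisfy the access level, so resources protected by it stay unavailable from that device.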