Google BeyondCorp Enterprise Integration

Google BeyondCorp Enterprise allows organizations to ensure that only trusted users, on compliant computers, can access organizational resources. The macOS BeyondCorp Enterprise Integration between Jamf Pro and BeyondCorp lets admins build a compliance and security framework around end-user devices rather than around a network perimeter.
Integrating with BeyondCorp Enterprise allows you to do the following:
  • Share the Jamf-determined compliance state of each device with BeyondCorp.

  • Restrict access to applications protected by BeyondCorp Enterprise Context-Aware policies.

General Requirements

You must have the following to complete the BeyondCorp Enterprise Integration:
  • A Google Workspace Customer account

  • A Google Workspace Enterprise SKU or a Cloud Identity Premium SKU

  • A Google Admin account

  • A Jamf Pro user account with Conditional Access and Smart Group privileges

  • Google Chrome with the Endpoint Verification extension installed

Important:

A BeyondCorp Enterprise license is required if you will apply access level policies to cloud-based or on-premises applications, or to VMs running on Google Cloud Platform that are protected by Google Cloud Identity-Aware Proxy.

Step 1: Creating BeyondCorp Enterprise Smart Groups

Jamf Pro allows you to create smart groups for managed computers and users. The BeyondCorp Enterprise Integration requires you to create both an Applicable Group and a Compliance Group to successfully complete the integration.
  • Applicable Group

    Smart group containing every device for which Jamf Pro will send a compliance status to Google BeyondCorp, whether the device is compliant or not.

  • Compliance Group

    Smart group containing the devices that Jamf Pro will report to Google BeyondCorp as compliant. A device that is in the Applicable Group but not in the Compliance Group is reported as not compliant; a device outside the Applicable Group is not reported at all, so the Compliance Group should be a subset of the Applicable Group.

Create a smart group for your BeyondCorp Applicable Group and your BeyondCorp Compliance Group. For more information, see Smart Groups.

Step 2: Enabling the BeyondCorp Enterprise Integration

  1. Navigate to the Devices payload on the Google Admin web page.
  2. Click Mobile & endpoints.
  3. Click Settings.
  4. Click Third-party integrations.
  5. Click the Edit icon in the Security and MDM partners pane.
  6. Click Manage.
  7. Click Open connection for Jamf.
    Note:

    You will be redirected to the Jamf web page. The Customer ID will be displayed in the URL. Save your Customer ID.

  8. In Jamf Pro, click Settings in the top-right corner of the page.
  9. In the Global Management section, click macOS BeyondCorp Enterprise Integration.
  10. Use the switch to enable integration.
  11. Copy and paste your Google Customer ID from the Jamf URL above into the Customer ID field.
  12. Select the Compliance Group.
  13. Select the Applicable Group.
  14. Click Save.
  15. Navigate back to Google Admin > Devices > Mobile & endpoints on the Google Admin web page and select your device.

Step 3: Registering a Device with Google

Note: Google Chrome and the Endpoint Verification extension are used to register a device. There are several methods to manage Google Chrome extensions as an administrator. Jamf recommends leveraging Google’s Chrome Browser Cloud Management. For more information, see Jamf's Definitive Guide to Google Chrome for the Apple Enterprise Fleet.
  1. Sign on to the Endpoint Verification extension with your Google Identity.
  2. Click Turn on sync in the Endpoint Verification tab.
  3. Sign in to your device account.
  4. Navigate back to the Devices payload on the Google Admin web page.
  5. Click Mobile & endpoints.
  6. Click Devices.
    Note: Your device should be displayed on the Devices page.

Step 4: Creating and Assigning a Context-Aware Policy

  1. Navigate to your Google Admin account.
  2. Click the Security payload.
  3. Click Access and data control
  4. Click Context-Aware Access.
  5. Click Access Levels.
  6. Click Create access level.
  7. Enter a unique name and description for your new access level.
  8. In the Conditions pane, click the Advanced tab, and enter your condition.
    Jamf recommends the following condition as a starting point:
    !has(device.vendors.Jamf) || device.vendors["Jamf"].is_compliant_device == true
    Note:

    This condition grants access when Jamf has reported the device as compliant, and also when no Jamf data exists for the device at all (the !has(...) clause). It therefore does not block unmanaged or unregistered devices on its own; once you have confirmed that all of your devices are reporting, remove the !has(...) clause to require a compliant Jamf-managed device. For more information on conditions, see Google's Custom access level specification.

    Important: Jamf only shares device compliance and device management state with Google. No inventory data is made available to Google.
  9. Navigate back to the Context-Aware Access pane.
  10. Click Assign access levels.
  11. Assign access levels to one or more applications.
  12. Click Assign.
  13. Select the checkbox for each policy you want to apply the access levels to.
  14. Click Save.
  15. Click Third-party services and confirm your device is now managed by Jamf and marked compliant.
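The following is an added example, not Jamf or Google code. It models the two smart groups from Step 1 and the access level condition from Step 4 end to end: which compliance status Jamf sends for a device given its group membership, and what the starting-point condition versus a strict condition then decides. The device serial numbers and group contents are constructed sample data, the has() function stands in for the CEL has() macro, and the is_managed_device attribute is assumed to represent the management state the page says Jamf shares.

```python
"""Model of how Jamf smart-group membership becomes a BeyondCorp Context-Aware
Access decision. Added example with constructed data; not Jamf or Google code."""
from typing import Dict, Optional, Set

# Constructed sample smart-group membership, keyed by (assumed) serial number.
APPLICABLE_GROUP: Set[str] = {"C02AAA", "C02BBB", "C02CCC"}
COMPLIANCE_GROUP: Set[str] = {"C02AAA", "C02DDD"}  # C02DDD is NOT applicable


def jamf_report(device: str) -> Optional[Dict[str, bool]]:
    """Vendor attributes Jamf would share for a device, or None when no status
    is sent because the device is outside the Applicable Group.
    is_compliant_device follows the page's condition; is_managed_device is an
    assumed name for the management state the page says Jamf shares."""
    if device not in APPLICABLE_GROUP:
        return None
    return {
        "is_managed_device": True,
        "is_compliant_device": device in COMPLIANCE_GROUP,
    }


def device_context(device: str) -> Dict[str, Dict[str, Dict[str, bool]]]:
    """Build the device.vendors map that the access level condition sees."""
    vendors: Dict[str, Dict[str, bool]] = {}
    report = jamf_report(device)
    if report is not None:
        vendors["Jamf"] = report
    return {"vendors": vendors}


def has(mapping: Dict, key: str) -> bool:
    """Stand-in for the CEL has() macro: true when the field is present."""
    return key in mapping


def starting_point_condition(dev: Dict) -> bool:
    """!has(device.vendors.Jamf) || device.vendors["Jamf"].is_compliant_device == true"""
    return (not has(dev["vendors"], "Jamf")
            or dev["vendors"]["Jamf"]["is_compliant_device"] is True)


def strict_condition(dev: Dict) -> bool:
    """has(device.vendors.Jamf) && device.vendors["Jamf"].is_compliant_device == true"""
    return (has(dev["vendors"], "Jamf")
            and dev["vendors"]["Jamf"]["is_compliant_device"] is True)


def access_decisions(device: str) -> Dict[str, bool]:
    """Evaluate both conditions for one device and return the outcomes."""
    ctx = device_context(device)
    return {
        "starting_point": starting_point_condition(ctx),
        "strict": strict_condition(ctx),
    }


if __name__ == "__main__":
    # UNKNOWN represents a device Jamf has never seen.
    for d in sorted(APPLICABLE_GROUP | COMPLIANCE_GROUP | {"UNKNOWN"}):
        print(f"{d:8} report={jamf_report(d)} decisions={access_decisions(d)}")
```

Running the block shows the two cases worth checking before you enforce the policy: C02BBB is in the Applicable Group but not the Compliance Group, so Jamf reports it as not compliant and both conditions deny it; C02DDD is in the Compliance Group but outside the Applicable Group, so nothing is reported and the starting-point condition lets it through exactly as it would an unknown device, while the strict condition denies it.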