These examples show you how to exempt allowlisted apps so they can always access Application Programming Interfaces (APIs) for specific Google services, regardless of the access levels assigned.
Use case 1: Trusted apps get blocked through exposed APIs
In this example, we don’t exempt any third-party trusted apps. For Google Keep, we set the Prevent out of corp network access access level for the Temp Worker organizational unit. This results in any apps accessing Google Keep through APIs from outside of your organization's network being blocked.
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- Click Assign access levels.
- Select the Temp Worker organizational unit.
- From the list of apps, select Google Keep and click Assign.
- Select Prevent out of corp network access and click Continue.
- Check the Block users from accessing Google desktop and mobile apps if access levels aren’t met box.
- Check the Block other apps from accessing the selected apps via APIs, if access levels aren't met box.
- Click Continue.
- Review and click Finish.
Use case 2: Exempt a third-party app
In this example, we exempt the third-party app Box. For Google Drive, we set the Prevent out of corp network access access level for the Temp Worker organizational unit. This results in the third-party app Box being able to access Google Drive even if the API request comes from outside of your organization's network.
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- Click Assign access levels.
- Select the Temp Worker organizational unit.
- From the list of apps, select Google Drive and click Assign.
- Select Prevent out of corp network access and click Continue.
- Check the Block users from accessing Google desktop and mobile apps if access levels aren’t met box.
- Check the Block other apps from accessing the selected apps via APIs, if access levels aren't met box.
- Check the Exempt allowlisted apps so that they can always access APIs for specific Google services, regardless of access levels box.
Any third-party apps you mark Trusted on the App Access Control page are listed in the table of allowlisted apps.
Note: Each new Google Apps Script must be explicitly added to the exemption list.
- Select Box and click Continue.
- Review and click Finish.
Use case 3: Exempt another third-party app in the same organizational unit
In this example, we add the Salesforce third-party app to our configuration in the previous use case.
The app exemption list is an organizational unit specific list that applies to all third-party apps exempted in previous Context-Aware Access level assignments and any new Context-Aware Access level assignment. App exemption lists are unique to the organizational unit in which they are defined. Therefore, organizational units have their own app exemption lists.
As a result, in this example, both Box and Salesforce will be able to access Drive and Gmail regardless of the access levels assigned.
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- Click Assign access levels.
- Select the Temp Worker organizational unit.
- From the list of apps, select Gmail and click Assign.
- Select the access level, Prevent out of US access, and click Continue.
- Check the Block users from accessing Google desktop and mobile apps if access levels aren’t met box.
- Check the Block other apps from accessing the selected apps via APIs, if access levels aren't met box.
- Check the Exempt allowlisted apps so that they can always access APIs for specific Google services, regardless of access levels box.
Any third-party apps you mark Trusted on the App Access Control page are listed in the table of allowlisted apps.
- Select the third-party app Salesforce and click Continue.
- Review and click Finish.
Groups and organizational unit exemption behavior
Even though group policies supersede organizational unit policies, you can still exempt trusted third-party apps from being blocked through exposed APIs when assigning Context-Aware Access levels at the group level. However, you cannot define group-level exemption lists like you can for organizational units.
- If you check Exempt allowlisted apps so that they can always access APIs for specific Google Services, regardless of Access Levels while assigning a group-level Context-Aware Access level, then the individuals in the group will be subject to the exemption lists of the organizational units that they belong to. If individuals belong to different organizational units, then the corresponding exemption lists for those organizational units will apply to them.
- If you uncheck Exempt allowlisted apps so that they can always access APIs for specific Google Services, regardless of Access Levels while assigning a group-level Context-Aware Access level, then no exemptions will apply to the individuals in the group. Group policies supersede organizational unit policies, so any exemptions from previously created Context-Aware Access levels will not apply to individuals in this group.
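The resolution rules from use case 3 and from the group behavior above, written out as a small decision model. This is an example added here for auditing your own intended configuration on paper; it is not Google's implementation or an Admin SDK call. The function name, the data layout, the "Contractors" organizational unit and the "auditors" and "field-staff" groups are hypothetical, and it assumes a user has at most one group-level assignment per service.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    """One Context-Aware Access assignment for a service (hypothetical model)."""
    access_level: str
    block_api: bool           # "Block other apps from accessing the selected apps via APIs..."
    exempt_allowlisted: bool  # "Exempt allowlisted apps so that they can always access APIs..."

# Constructed sample configuration mirroring use cases 1-3 on this page.
# Exemption lists exist per organizational unit only; there is no group-level list.
OU_EXEMPT = {"Temp Worker": {"Box", "Salesforce"}, "Contractors": set()}
OU_ASSIGN = {
    ("Temp Worker", "Google Keep"): Assignment("Prevent out of corp network access", True, False),
    ("Temp Worker", "Google Drive"): Assignment("Prevent out of corp network access", True, True),
    ("Temp Worker", "Gmail"): Assignment("Prevent out of US access", True, True),
}
GROUP_ASSIGN = {  # hypothetical group-level assignments
    ("auditors", "Gmail"): Assignment("Prevent out of US access", True, False),
    ("field-staff", "Google Drive"): Assignment("Prevent out of corp network access", True, True),
}

def api_request_allowed(ou, group, app, service, level_met):
    """Return (allowed, reason) for a third-party app's API request on behalf of a user."""
    # Group policy supersedes organizational unit policy when both exist.
    assignment = GROUP_ASSIGN.get((group, service)) or OU_ASSIGN.get((ou, service))
    if assignment is None:
        return True, "no access level assigned"
    if level_met:
        return True, "access level met"
    if not assignment.block_api:
        return True, "API blocking not enabled"
    # Even under a group assignment, the list consulted is the one of the user's own OU.
    if assignment.exempt_allowlisted and app in OU_EXEMPT.get(ou, set()):
        return True, f"{app} is on the {ou} exemption list"
    return False, "blocked: access level not met and no exemption applies"
```

The case worth checking in a real tenant is the group assignment with the exemption box unchecked: it removes exemptions that members previously had through their organizational unit.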