← All controls

47 Deny-by-default IP/geo gating

An allow-list posture at the network layer: a Context-Aware Access level enumerates the countries and IP ranges you actually operate from, plus device conditions that keep it from being purely geographic, and it is applied through the three default policies on CAA General settings — Google-owned apps, SAML apps, OAuth apps — so an app enabled next month is covered without anyone remembering to add it. The deny-by-default comes from allowing a short list, not from writing deny rules.

Caveats

Setup steps

  1. open ↗ Security › Access and data control › Context-Aware Access › Access levels

    Basic mode; Condition = IP subnet in CIDR (office/VPN egress) OR Region in {GB, DE, …}; Attribute match = ALL

    Create Context-Aware access levels ↗

  2. open ↗ Security › Access and data control › Context-Aware Access › Access levels
    Device policy
    company-owned / encrypted / screen-lock ON

    Create Context-Aware access levels ↗

  3. open ↗ Security › Access and data control › Context-Aware Access › General settings
    General settings: all three default policies
    the allow level

    Assign access levels to Google-owned apps ↗ Apply a default Context-Aware Access policy for all SAML apps ↗

  4. Security › Access and data control › Context-Aware Access › General settings

    Action ramp: Monitor → (after review) Active

    Assign Context-Aware Access levels to apps ↗

Ongoing maintenance

How to verify

  1. Sign in as a test user via a VPN egress in a non-allowed country — the CAA log must show the block (or the would-block while still in Monitor).

v0.1.2Preventedition Ent Std+, Edu Std+, Frontline Std+, Ent Ess Plus policy #4 · #14 ↗