Google BeyondCorp Configuration

Integrate Ivanti EPMM with Google BeyondCorp for conditional access. Ivanti EPMM sends each device's compliance status signal to Google BeyondCorp, which ensures that only compliant devices under Ivanti EPMM can access Google Workspace applications.

Before you begin 

  • For Ivanti EPMM, you must have an Ivanti Professional Plus or Premium license.

  • For Google, you must have the BeyondCorp Enterprise, Google Workspace Enterprise, or Cloud Identity Premium license.

Procedure (Google)

  1. Log in to the Google Admin console with admin credentials.
  2. Go to Devices > Mobile & Endpoints > Settings > Third-party integrations.
  3. Click Security and MDM partners > Manage.
  4. In the Manage Partner Connections window, select Ivanti On-Prem.
  5. Click Open Connection.

    You will be redirected to the Ivanti EPMM BeyondCorp Integration pane with a unique Customer ID in the Your Customer ID field.

  6. Click Copy to copy the unique Customer ID.

    Do not tamper with the unique Customer ID.

Procedure (Ivanti EPMM)

  1. In the Ivanti EPMM Admin Portal, go to Settings > Google BeyondCorp Beta > Device Compliance for iOS & Android.
  2. Enter the unique Customer ID in the Google BeyondCorp Customer ID field.

    Do not tamper with the unique Customer ID that you have copied or noted.

  3. Click Save.

  4. To add a new Google BeyondCorp policy, go to Policies & Configs > Policies > Add New > Google BeyondCorp Policy.

    The Add New Google BeyondCorp Policy pane appears.

  5. Enter the Name of the policy.

  6. Select one of the following from the Status field:

    • Active

    • Inactive

  7. Select one of the following from the Priority field:

    • Higher than

    • Lower than

  8. Enter the Description of the policy.

  9. Select the Report Compliance Status for iOS and Android devices checkbox to make sure that compliant devices in Ivanti EPMM can access Google Workspace applications.

  10. Click Save.

Syncing the Google BeyondCorp Compliance Status

Administrators can sync the compliance status of one or more devices from Ivanti EPMM to Google BeyondCorp. For the sync to run, at least one tenant must be connected. The device compliance sync works only when the device is associated with a Google ID and registered in Ivanti EPMM.

When the administrator performs a manual sync, a detailed Audit Log is generated for the selected devices. Ivanti EPMM automatically syncs devices whenever their state changes, in accordance with the compliance rules. Ivanti EPMM also syncs a device with a Google ID when it reports for the first time.

Procedure 

  1. In the Admin Portal, go to Devices & Users > Devices.
  2. Select the device and choose Actions > Sync BeyondCorp Compliance Status.

  3. Ivanti EPMM displays the message "Sync BeyondCorp Compliance Status action submitted successfully".

  4. To view the compliance status of the device, go to the Device Details tab > Google BC Device Compliance Status.