We currently allow access to personal/BYOD devices to our google workspace; ideally due to access needs we require this to continue. However to protect our data we would like to restrict the ability to download documents from google drive when accessing from a personal computer. We are aware we can restrict access to google workspace to non corporate devices but this isnt something we wish to do due to contract staff and frontline workers requiring access and not having access to corporate devices.
We have been unable to find a solution to this either through our support partner or researching online so wanted to check if anyone has succesfully managed this or has an alternative solution?
Thanks in advance
Steph
Sounds like maybe youโre looking for context aware access? https://support.google.com/a/answer/9275380?hl=en
Hope that helps,
Ian
You can only prevent downloading on the individual file level, which cannot depend on the device. The only option to prevent downloads is BeyondCorp but it won't solve your issue as it does not look at the device attributes it only blocks downloads based on the content of the download.
You are correct CAA prevents access to apps, but once granted access, it does not enforce any other settings. CAA would be a good option if you only want company-owned devices to access Workspace. The users wouldn't be able to download bc they can't access the workspace. This doesn't work for every company, but this is what my company does.
What you are looking for is a solid DLP/CASB solution that will allow checking device posture before permitting certain operations (like downloads from Drive). Those solutions allow you to create a ruleset denying downloads when not signed into a corporate device but still allow other operations like viewing/reading.
Look at vendors like Netskope (they meet your requirements 100%).
While those solutions aren't super cheap, they have the added benefit of increasing your security posture overall (your use case is just a tiny portion of the feature set).
Thats really helpful thank you; I'll check that out !