Create Context-Aware Access Policies

The final step is to create a Context-Aware Access policy that limits access to the Google Workspace applications and to the Google Reverse Proxy As A Service application.

For the Google Workspace applications, you limit access from non-Netskope IP addresses. The exact addresses vary by tenant and by the features enabled in it, such as the Egress IP feature.

For the Google Reverse Proxy As A Service application, you limit access from Netskope IP addresses.

The net effect is that users are funneled to the Google Reverse Proxy As A Service whenever the Netskope Client is disabled, is connected to another tenant, or access is attempted from a personal device.

Just like setting up the Google Reverse Proxy As A Service application in Google Workspace, there are a number of steps required for this to work.

Enable Endpoint Verification

Endpoint verification is supported on the following operating systems (mobile devices are excluded from this discussion):

  • Apple Mac OS X El Capitan (10.11) and later
  • Devices running ChromeOS
  • Linux Debian and Ubuntu (the CPU must support AES instructions)
  • Microsoft Windows 7, 8, 8.1, 10, and 11

  1. Go to the Google Admin console at https://admin.google.com
  2. Go to Menu > Devices > Mobile & endpoints > Settings > Universal.
  3. Click Endpoint Verification.
  4. Click Endpoint Verification again.
  5. Select the checkbox for Monitor which devices access organization data, and then click Save.

Validate Endpoint Verification

  1. With endpoint verification set up, go to the Google Admin console at https://admin.google.com.
  2. Go to Menu > Devices > Overview.
  3. Click Endpoints.
  4. Click Add a filter.
  5. Choose Management Type, select Endpoint Verification, and click Apply.
  6. Confirm that devices have endpoint verification enabled by reviewing the filtered list of devices.

Turn on Context-Aware Access

  1. Go to the Google Admin console at https://admin.google.com
  2. Go to Menu > Security > Access and data control, and click Context-Aware Access.
  3. Click Turn On.
  4. Context-Aware Access is now turned on.

Create an Access Level

  1. On the right-hand side of the page, click Create the access level.
  2. Name the access level. In the context conditions section, select Basic, use the radio button to enable Meets all attributes (AND), and use the dropdown to select IP subnet.
  3. Log in to the Netskope tenant and go to Settings > Security Cloud Platform > Reverse Proxy > SAML, and click Netskope IP Addresses.

    Note

    FedRAMP High IPs are different from those shown here. The current list can be found at https://support.netskope.com/s/article/NewEdge-Consolidated-List-of-IP-Range-for-Allowlisting (a Support account is required).

  4. Convert these address ranges to routing prefixes in CIDR notation. A useful site for converting ranges is https://www.subnet-calculator.com/cidr.php. Note that the ranges may differ from tenant to tenant; the ranges shown in the Netskope tenant above convert to the following prefixes:
    222.126.156.128/26
    117.50.129.64/26
    113.31.158.128/26
    222.126.168.192/26
    8.39.144.0/24
    31.186.239.0/24
    163.116.128.0/17
    8.36.116.0/24
  5. Add these CIDR prefixes to the IP subnet section.
  6. Click Create in the lower right-hand corner.
  7. Assign the access level to applications by clicking Assign to apps.
  8. Assign the access level to every application whose access should be restricted when the request comes from a device that is not steered by Netskope (i.e., has no Netskope Client or IPsec tunnel). Click Assign at the top of the list of applications.
  9. Confirm the list of applications that will have the Context-Aware Access policy applied, and click Continue.
  10. Under the other enforcement settings, select the checkbox for Block users from accessing Google desktop and mobile apps if access levels aren't met. Click Continue in the lower right-hand corner of the page.
  11. Click Assign.
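As an added example (not from the original page or from Netskope's or Google's own tooling), the following Python script works through step 4 and the resulting IP split between the two access levels: it converts a first..last IPv4 range to CIDR prefixes, validates the prefixes listed above, and models which of the two applications a given source IP would be admitted to. The 10.0.0.0 and 203.0.113.0 addresses are constructed test values; the Netskope prefixes are the ones listed above and must be confirmed against the current allowlist for your tenant.

```python
import ipaddress

# Netskope prefixes exactly as listed on this page (confirm against the current
# Netskope allowlist article for your tenant; FedRAMP High tenants differ).
NETSKOPE_PREFIXES = [
    "222.126.156.128/26", "117.50.129.64/26", "113.31.158.128/26",
    "222.126.168.192/26", "8.39.144.0/24", "31.186.239.0/24",
    "163.116.128.0/17", "8.36.116.0/24",
]


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Convert an inclusive first..last IPv4 range (as shown in the Netskope
    tenant) into the minimal list of CIDR prefixes the access level accepts."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if end < start:
        raise ValueError(f"range end {last} precedes start {first}")
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def is_valid_prefix(prefix: str) -> bool:
    """strict=True rejects a prefix whose host bits are set (for example the
    typo 8.39.144.5/24), so a mistyped entry is caught before it is saved."""
    try:
        ipaddress.ip_network(prefix, strict=True)
        return True
    except ValueError:
        return False


def load_allowlist(prefixes):
    """Parse and collapse the prefixes; raises on any malformed entry so a bad
    allowlist never reaches the access level."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def evaluate_access(client_ip: str, allowlist) -> dict:
    """Model the two access levels described above: Workspace apps admit only
    Netskope source IPs, the Reverse Proxy app admits only non-Netskope IPs."""
    ip = ipaddress.ip_address(client_ip)
    via_netskope = any(ip in net for net in allowlist)
    return {"workspace_apps": via_netskope, "reverse_proxy_app": not via_netskope}


if __name__ == "__main__":
    allow = load_allowlist(NETSKOPE_PREFIXES)
    print(range_to_cidrs("222.126.156.128", "222.126.156.191"))  # ['222.126.156.128/26']
    print(evaluate_access("163.116.200.5", allow))  # steered source: Workspace only
    print(evaluate_access("203.0.113.7", allow))    # constructed unsteered source: proxy only
```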

Test Access to Google Workspace Applications

Confirm access to applications with the Netskope Client on and with the Netskope Client disabled.

With the Netskope Client disabled, access to the application is blocked and a notification page will be displayed.
