hjkimbrian
New Member
March 18, 2026
Question

Context Aware Access Question


Hello,

We have been using a device policy enforcement that leverages the Endpoint Verification Chrome Extension, which limits users' access to protected apps to desktop browsers only.

Some users are starting to use larger Android devices for their day-to-day (BYOD, managed by Google MDM with Android Work Profile), and sometimes clicking on links forces opening the browser instead of the native apps, which prevents users from being able to do the work.

Would using Managed Chrome browser enforcement work here? How would that work with BYOD devices? What would CEL be? 

How does enrolling Chrome browser work for BYOD Android devices? 

https://support.google.com/chrome/a/answer/12120610?hl=en
https://knowledge.workspace.google.com/admin/security/use-case-managed-chrome-browser-enforcement
https://knowledge.workspace.google.com/admin/security/context-aware-access-examples-for-advanced-mode
https://docs.cloud.google.com/access-context-manager/docs/custom-access-level-spec


feel
Google Team
March 23, 2026

Hi @hjkimbrian, thanks for joining the community and for your questions.

At this time, Endpoint Verification (EV) only reports OS-level signals.

When your Android users click a link and it opens in the browser instead of a native app, Context-Aware Access (CAA) evaluates the browser. Because Chrome on Android cannot send EV signals, CAA blocks the connection.

Enrolling Chrome on Android does allow you to apply administrative policies to the browser, but it does not satisfy your CAA rules.

EV signals like device.chrome.management_state do not exist on Android. Whether a link opens in Chrome or a native app, CAA blocks the request until the policy evaluates native MDM signals instead of desktop EV signals.

To allow users to do their work on these devices, update your CAA policy to accept Android Mobile Device Management (MDM) signals; one way to do this is with an OR (||) condition to evaluate desktops against EV requirements and Android devices against native MDM signals, as Android devices cannot use device.chrome.* attributes.

Here’s an example:

(
  // Desktop checks (Mac/Windows/ChromeOS/Linux) rely on EV
  (device.os_type == OsType.MAC_OS || device.os_type == OsType.WINDOWS || device.os_type == OsType.CHROME_OS || device.os_type == OsType.LINUX) &&
  device.chrome.management_state == ChromeManagementState.CHROME_MANAGEMENT_STATE_BROWSER_MANAGED
)
||
(
  // Android checks rely strictly on MDM signals
  device.os_type == OsType.ANDROID &&
  device.is_secured_with_screenlock == true &&
  device.encryption_status == DeviceEncryptionStatus.ENCRYPTED &&
  device.android_device_security.cts_profile_match == true &&
  device.is_admin_approved_device == true
)

To enroll Chrome for BYOD Android users, push an enrollment token to the app via Google Endpoint Management and Chrome Browser Cloud Management (CBCM).

  1. In the Google Admin console, go to Apps > Web and mobile apps and add Google Chrome.

  2. Go to Chrome browser > Managed browsers and generate an enrollment token.

  3. Open the Google Chrome app settings, create a Managed Configuration, and paste the token into the enrollment token field.

  4. Save and assign the configuration to the BYOD user group. 

Hope this helps!

Tim

Tim Feeley • Chrome Enterprise Premium • Product Management Team
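The following is an added example, not part of the thread above: an offline Python model of the two-branch CEL access level from the answer, run against constructed device-attribute records so you can see how the OR evaluates before deploying the policy in Access Context Manager. The attribute keys mirror the custom access level spec; the device records and their values are constructed test data, not output of Endpoint Verification or Google MDM.

```python
# Added example (not from the thread): model of the CEL access level posted above,
# evaluated against constructed device-attribute records.
# Records are hypothetical; keys mirror the device.* attributes in the CEL expression.

DESKTOP_OS = {"MAC_OS", "WINDOWS", "CHROME_OS", "LINUX"}

def desktop_branch(d):
    """Desktop branch: OS type plus the Endpoint Verification browser-management signal."""
    return (d.get("os_type") in DESKTOP_OS
            and d.get("chrome.management_state") == "CHROME_MANAGEMENT_STATE_BROWSER_MANAGED")

def android_branch(d):
    """Android branch: native MDM signals only; no device.chrome.* attribute is consulted."""
    return (d.get("os_type") == "ANDROID"
            and d.get("is_secured_with_screenlock") is True
            and d.get("encryption_status") == "ENCRYPTED"
            and d.get("android_device_security.cts_profile_match") is True
            and d.get("is_admin_approved_device") is True)

def access_granted(d):
    """Full policy: either branch satisfies the access level (the || in the CEL)."""
    return desktop_branch(d) or android_branch(d)

# Constructed records (hypothetical devices, not real EV/MDM output)
MANAGED_MAC = {"os_type": "MAC_OS",
               "chrome.management_state": "CHROME_MANAGEMENT_STATE_BROWSER_MANAGED"}
# Desktop with EV installed but no browser-management signal reported
UNMANAGED_WINDOWS = {"os_type": "WINDOWS"}
# BYOD Android work profile: Chrome on Android reports no device.chrome.* attribute at all
COMPLIANT_ANDROID = {"os_type": "ANDROID",
                     "is_secured_with_screenlock": True,
                     "encryption_status": "ENCRYPTED",
                     "android_device_security.cts_profile_match": True,
                     "is_admin_approved_device": True}
# Same device before the admin approved it in Google Endpoint Management
UNAPPROVED_ANDROID = dict(COMPLIANT_ANDROID, is_admin_approved_device=False)

def evaluate_all():
    """Evaluate every constructed record; returns {name: allowed}."""
    cases = [("managed_mac", MANAGED_MAC), ("unmanaged_windows", UNMANAGED_WINDOWS),
             ("compliant_android", COMPLIANT_ANDROID), ("unapproved_android", UNAPPROVED_ANDROID)]
    return {name: access_granted(rec) for name, rec in cases}

if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        print(f"{name}: {'ALLOW' if ok else 'BLOCK'}")
```

The compliant Android record passes only through the second branch; the first branch is false for it because it carries no chrome.management_state at all, which is why the single-branch desktop policy blocked those users.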
hjkimbrian
New Member
March 23, 2026

Thank you @feel for the detailed response! I will try the CEL and will report back.