BeyondCorp Alliance Partners: Third-Party Guide

Learn how to manage third-party integrations via BeyondCorp Alliance Partners in Google Workspace. Step-by-step guide for Australian IT admins.

Your endpoint detection platform knows the device is compromised. Your mobile device management solution has already flagged it. But Google Workspace has no idea. The user's credentials are valid, the session token is fresh, and access is granted — to Drive, Gmail, Vault, and every other service that holds your business-critical data.

This is the gap that BeyondCorp Alliance Partners close. Google's BeyondCorp Enterprise does not operate in isolation. Through a curated set of technology partnerships, it can ingest real-time device signals from the security tools you already have — CrowdStrike, VMware, Tanium, Jamf, and others — and use those signals to make dynamic access decisions. A device that your EDR tool flags as high-risk gets access revoked or restricted in real time, even mid-session.

For Australian IT admins managing a hybrid workforce across managed laptops, BYODs, and remote sites, this is one of the most powerful security capabilities available in the Google Workspace ecosystem. This guide explains what BeyondCorp Alliance Partners are, how the integration works in practice, and how to configure it in your environment.

What this guide covers:
- What BeyondCorp Enterprise is and how it fits into zero-trust architecture
- Which Alliance Partners are available and what signals each one contributes
- Step-by-step setup for the most common integrations
- Real-world use cases for Australian SMBs
- Best practices for managing a multi-vendor BeyondCorp environment


What Is BeyondCorp Enterprise?

BeyondCorp Enterprise is Google's zero-trust access solution, built on the principle that no device or user should be inherently trusted based on network location alone. It replaces the traditional perimeter model — where being on the corporate network grants implicit trust — with continuous verification of identity, device health, and context for every access request.

In the Google Workspace context, BeyondCorp Enterprise powers Context-Aware Access policies. When a user attempts to access Gmail, Drive, or any other Workspace application, BeyondCorp evaluates a set of conditions in real time. If the conditions are met, access is granted. If they are not, the user is blocked or given restricted access.

The native signals available in BeyondCorp Enterprise include:

  • Device OS and version: Is the device running a supported, up-to-date operating system?
  • Screen lock status: Does the device have a PIN, password, or biometric lock enabled?
  • Disk encryption: Is the device's storage encrypted?
  • Device ownership: Is this a company-owned or personal device?
  • IP address and geographic location: Is the access request coming from an expected location?
  • Endpoint verification status: Has the Google Endpoint Verification extension reported in recently?

These native signals are useful, but they have limits. Google's Endpoint Verification can tell you whether a device has a screen lock and is running a recent OS. It cannot tell you whether the device has active malware, whether its EDR agent is healthy, or whether the device is currently in the middle of an incident response investigation. That is where Alliance Partners come in.

Licence Requirements

BeyondCorp Enterprise features are available on:

  • Google Workspace Enterprise Standard and Enterprise Plus: Full BeyondCorp capabilities, including Alliance Partner integrations.
  • Chrome Enterprise Premium (formerly BeyondCorp Enterprise standalone): The dedicated BeyondCorp licence that provides full functionality independently of the Workspace tier.

For Australian organisations on Business Standard or Business Plus, native Context-Aware Access is available but third-party partner integrations require the Enterprise tier or a Chrome Enterprise Premium add-on. Enterprise Standard starts at approximately AU$35 per user per month (based on ~1.57 USD→AUD conversion) and Enterprise Plus at approximately AU$47 per user per month.


BeyondCorp Alliance Partners: Who They Are and What They Contribute

Google has established the BeyondCorp Alliance as a formal partner program for security and endpoint management vendors. Each partner integrates with BeyondCorp Enterprise via a standardised API that allows them to push device signals and risk scores into Google's access policy evaluation engine.

CrowdStrike Falcon

CrowdStrike's Falcon platform is an industry-leading endpoint detection and response (EDR) solution. The BeyondCorp integration allows Falcon's Zero Trust Assessment (ZTA) score to be used as a signal in Context-Aware Access policies.

What it contributes:
- A real-time Zero Trust Assessment (ZTA) score for each device, updated continuously based on EDR telemetry
- Device prevention policy status (is CrowdStrike actually running and protecting the device?)
- Sensor health and connectivity status
- Whether the device is currently under an active threat investigation

Why it matters for Australian IT admins: CrowdStrike is widely deployed across Australian enterprise and mid-market organisations. If you already have Falcon deployed, the BeyondCorp integration lets you leverage that investment directly in your access control decisions. A device that Falcon rates as high-risk — because it has a missing patch, a disabled sensor, or active suspicious behaviour — can be automatically denied access to sensitive Workspace applications without any manual intervention.

VMware Workspace ONE

VMware Workspace ONE is a unified endpoint management (UEM) platform used by many Australian organisations to manage both corporate-owned and BYO devices across Windows, macOS, iOS, and Android.

What it contributes:
- Device compliance status from Workspace ONE's compliance engine
- Mobile device management (MDM) enrolment status
- Application management and configuration status
- Device risk score based on Workspace ONE Intelligence's behavioural analytics

Why it matters: Many organisations that use Workspace ONE for device management do not yet have a direct path from their compliance policies to their Google Workspace access controls. This integration creates that path. A device that fails a Workspace ONE compliance check — because its OS is out of date, required apps are not installed, or it has been jailbroken — can trigger a corresponding access restriction in Google Workspace in near real time.

Tanium

Tanium provides endpoint management and security operations capabilities used primarily in larger enterprise environments, including several Australian government agencies and financial institutions.

What it contributes:
- Real-time device inventory and patch compliance data
- Software vulnerability status
- Endpoint configuration compliance against defined baselines
- Risk signals derived from Tanium's continuous device assessment

Why it matters: Tanium's strength is its ability to query device status in real time across large, complex environments. For Australian organisations in regulated industries — finance, health, government — where patch compliance is a hard requirement, Tanium integration means that an unpatched device is not just flagged in your patch management dashboard but is also denied access to Workspace resources until it is remediated.

Jamf Pro

Jamf Pro is the dominant MDM solution for Apple-device-centric environments. Many Australian professional services, creative, and education organisations manage their Mac, iPad, and iPhone fleets with Jamf.

What it contributes:
- macOS and iOS device compliance status
- Jamf enrolment verification
- Device configuration profile compliance
- Software patch status for Apple devices

Why it matters: For organisations that run an Apple-first or mixed-Apple environment, Jamf integration fills a gap in Google's native device signals. The Endpoint Verification Chrome extension provides basic macOS device data, but Jamf integration provides richer, MDM-authoritative compliance status that carries more weight in access policy decisions.

Lookout and Zimperium (Mobile Threat Defence)

Both Lookout and Zimperium provide Mobile Threat Defence (MTD) capabilities specifically for iOS and Android devices. Where traditional MDM signals tell you about device configuration, MTD signals tell you about active mobile threats.

What they contribute:
- Mobile device risk level based on threat detection (malware, phishing, network attacks)
- Jailbreak and root detection
- Operating system risk assessment
- App risk analysis

Why it matters for Australian organisations: Mobile devices are the most difficult endpoint category to secure. BYO devices in particular exist outside your MDM envelope and present a significant blind spot. MTD integration from Lookout or Zimperium allows you to evaluate the live threat status of a mobile device before permitting it to access your Workspace environment — even if that device is not enrolled in your MDM.


Step-by-Step: Configuring a BeyondCorp Alliance Partner Integration

The integration process follows a consistent pattern regardless of which partner you are connecting. This walkthrough uses CrowdStrike as the example, but the steps are equivalent for other partners.

Prerequisites

Before you begin:

  • You must have a Chrome Enterprise Premium licence or a Google Workspace Enterprise Standard/Plus plan with BeyondCorp Enterprise enabled.
  • You must have administrative access to both the Google Admin Console and your partner platform (e.g., CrowdStrike Falcon admin access).
  • Confirm that Endpoint Verification is enabled in your Google Admin Console under Devices > Mobile & endpoints > Settings > Universal settings.

Step 1: Access the BeyondCorp Partner Connectors

  1. Sign in to the Google Admin Console at admin.google.com with a Super Admin account.
  2. Navigate to Devices > BeyondCorp Enterprise.
  3. Select Partner connectors from the left-hand menu.
  4. You will see a list of available partner integrations. Each card shows the partner name, a brief description of the signals contributed, and a setup button.

Step 2: Configure the CrowdStrike Connector

  1. Click CrowdStrike Falcon from the partner connector list.
  2. Click Set up connector.
  3. Google will prompt you to authorise the integration. You will need to provide:
     • Your CrowdStrike Customer ID (CID): Found in the Falcon console under Support > API Clients and Keys > Customer ID.
     • An API Client ID and Secret: Create a dedicated API client in CrowdStrike with the Zero Trust Assessment (Read) permission scope. Go to Support > API Clients and Keys > Add new API client, name it something like Google BeyondCorp Integration, and select the ZTA read scope only.
  4. Enter the Customer ID, API Client ID, and API Client Secret in the Google Admin Console connector configuration.
  5. Click Connect. Google will verify the credentials and establish the integration.
  6. Once connected, you will see a status indicator showing that the connector is active and receiving device data.

Important: The CrowdStrike API client you create should have the minimum necessary permissions — ZTA read only. Do not use an existing API client with broader permissions. This follows the principle of least privilege and limits the impact if the credentials are ever compromised.

Step 3: Verify Device Signal Ingestion

After connecting the partner, Google needs time to ingest device signals. This typically takes 30 to 60 minutes for initial population.

  1. Navigate to Devices > Endpoint verification in the Admin Console.
  2. Click on an individual device to view its details.
  3. Look for the Third-party signals section. If the integration is working, you should see the CrowdStrike ZTA score and other signals listed alongside Google's native endpoint data.
  4. If signals are not appearing after 60 minutes, verify that:
     • The Falcon sensor is installed and reporting on the device.
     • The API credentials are correct and the client has the ZTA read permission.
     • The device appears in CrowdStrike's device inventory.

Step 4: Create an Access Level Using Third-Party Signals

Now you connect the third-party signals to your access policies.

  1. Navigate to Security > Access and data control > Context-Aware Access.
  2. Click Access Levels and then Create Access Level.
  3. Name it descriptively. For example: CrowdStrike-High-ZTA-Score.
  4. Under Conditions, you will now see a Third-party signals option alongside Google's native signals. Click it.
  5. Select CrowdStrike Falcon as the provider.
  6. Configure the condition. For example:
     • ZTA Score is greater than or equal to: 70 (on CrowdStrike's 0–100 scale, 70+ is generally considered an acceptable threshold for standard access).
     • CrowdStrike Sensor is active: True.
  7. You can combine this third-party condition with Google's native signals. For example: ZTA score ≥ 70 AND device is company-owned AND IP is within Australia.
  8. Click Save.

Step 5: Apply the Access Level to Applications

  1. Navigate to Security > Access and data control > Context-Aware Access > App assignments.
  2. Select the Google service you want to protect. For example, Google Drive.
  3. Select the relevant organisational unit — your finance team, or your entire organisation.
  4. Under Access level, select CrowdStrike-High-ZTA-Score (or your combined access level).
  5. Click Assign.

From this point, any device connecting to Google Drive will need to present a CrowdStrike ZTA score of 70 or above and an active Falcon sensor. A device that is compromised or has a disabled agent will fail this check and be denied access — automatically, in real time.


Real-World Use Cases for Australian Organisations

Use Case 1: Incident Response Isolation

Your security operations team detects a compromised device during business hours. Normally, isolating that device means revoking access manually across multiple systems — a process that takes time and human action.

With BeyondCorp + CrowdStrike integration, when CrowdStrike's detection engine quarantines a device or drops its ZTA score in response to an active threat, Google Workspace access is automatically revoked. The device is isolated from both the network (via CrowdStrike's network containment) and your cloud collaboration tools simultaneously, without an admin having to touch the Google Admin Console.

Use Case 2: BYOD Without Full MDM Enrolment

Many Australian SMBs allow personal devices to access Google Workspace but are reluctant to require full MDM enrolment on personal phones and laptops. Lookout or Zimperium MTD provides a middle path: install the MTD agent on the device (which is much less invasive than MDM), and use the resulting risk score as a BeyondCorp signal. Personal devices with no detected threats can access Workspace. Devices with active mobile threats are denied — without ever needing full MDM control.

Use Case 3: Patch Compliance Enforcement

Your security policy requires all company devices to have critical patches applied within 14 days of release. Historically, enforcing this has meant manually checking patch reports and chasing non-compliant device owners. With Tanium integration, a device that exceeds your patch compliance threshold fails its BeyondCorp access level check. The user receives an access denied message that explains why they are blocked, motivating self-remediation faster than any policy reminder email.

Use Case 4: Mac-Centric Creative Agency

A Sydney design agency runs a 100% Apple fleet managed with Jamf Pro. They use Google Workspace for collaboration. Without the Jamf integration, their BeyondCorp access policies can only rely on basic Endpoint Verification signals. With Jamf integration, policies can require Jamf enrolment, current macOS version, FileVault encryption, and application compliance — ensuring that every Mac connecting to their Workspace meets the same security standard.


Best Practices for Managing BeyondCorp Alliance Partner Integrations

Start With Monitoring Before Enforcement

When you first configure a partner connector and create access levels that use third-party signals, do not immediately enforce them. Run in monitoring mode for two to four weeks. Review the audit logs under Reporting > Audit and investigation to understand which devices would be denied access under your new policies. Resolve device enrolment gaps and signal ingestion issues before moving to enforcement.
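The monitoring-mode review described above can be rehearsed offline by replaying the combined access level from Step 4 (ZTA score ≥ 70, active sensor, company-owned, request from Australia) over a device export and listing who would be denied and why. This is an added example, not Google's or CrowdStrike's code: the record fields, the 24-hour freshness limit and the sample devices are assumptions constructed for illustration, and a missing or stale partner signal is treated as a deny.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_ZTA_SCORE = 70                    # threshold used in Step 4 of this guide
MAX_SIGNAL_AGE = timedelta(hours=24)  # assumed freshness limit, not a product default


@dataclass
class DeviceSignal:
    """One device's signals. Field names are hypothetical, not a vendor schema."""
    device_id: str
    company_owned: bool
    country: str                      # country code resolved from the request IP
    zta_score: Optional[int]          # None means no partner signal was ingested
    sensor_active: Optional[bool]
    signal_time: Optional[datetime]   # when the partner signal was last updated


def deny_reasons(d: DeviceSignal, now: datetime) -> list[str]:
    """Return every reason the device fails the access level; empty means allow."""
    reasons = []
    if d.zta_score is None or d.sensor_active is None or d.signal_time is None:
        # Fail closed: a device with no partner signal must not pass by default.
        reasons.append("no third-party signal")
    else:
        if now - d.signal_time > MAX_SIGNAL_AGE:
            reasons.append("stale third-party signal")
        if d.zta_score < MIN_ZTA_SCORE:
            reasons.append(f"ZTA score {d.zta_score} < {MIN_ZTA_SCORE}")
        if not d.sensor_active:
            reasons.append("sensor inactive")
    if not d.company_owned:
        reasons.append("not company-owned")
    if d.country != "AU":
        reasons.append(f"request from {d.country}")
    return reasons


def dry_run(devices: list[DeviceSignal], now: datetime) -> dict[str, list[str]]:
    """Monitoring-mode report: device_id -> reasons, only for would-be denials."""
    report = {}
    for d in devices:
        reasons = deny_reasons(d, now)
        if reasons:
            report[d.device_id] = reasons
    return report


# Constructed sample inventory (not real devices or real scores).
NOW = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    DeviceSignal("lt-001", True, "AU", 85, True, NOW - timedelta(minutes=20)),
    DeviceSignal("lt-002", True, "AU", 42, True, NOW - timedelta(minutes=5)),
    DeviceSignal("lt-003", True, "AU", 90, False, NOW - timedelta(days=3)),
    DeviceSignal("ph-004", False, "AU", None, None, None),
    DeviceSignal("lt-005", True, "NZ", 78, True, NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    for device_id, reasons in dry_run(SAMPLE, NOW).items():
        print(f"{device_id}: would be DENIED ({'; '.join(reasons)})")
```

Devices such as ph-004, which have no partner agent reporting at all, are the enrolment gaps to resolve before switching from monitoring to enforcement.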

Use the Minimum Effective Signal

More signals are not always better. If CrowdStrike's ZTA score is doing the job, you do not need to add Jamf compliance status, Lookout risk level, AND a geographic restriction to the same access level. Complex conditions are harder to troubleshoot when something goes wrong and harder to explain to users who are unexpectedly denied access. Start simple, validate, then layer in additional signals if the first layer proves insufficient.

Build a Break-Glass Process

In any zero-trust architecture, you need a defined process for legitimate edge cases — a travelling executive whose device score drops unexpectedly, or a developer who needs emergency access during an incident but their device is non-compliant. Define a break-glass procedure: which admins can temporarily grant access, how the exception is documented, and how long the exception lasts before it is reviewed. Store this process in your runbooks.

Monitor API Credential Health

The partner integrations depend on API credentials that can expire, be rotated, or be inadvertently revoked. Build a monitoring check into your quarterly security review: verify that each partner connector in the Admin Console is showing as active and that device signals are current. Set a calendar reminder to review API client credentials 30 days before they expire.

Align With the ASD Essential Eight

BeyondCorp Alliance Partner integrations directly support several Essential Eight strategies:

  • Application control: Only devices that meet your partner-defined compliance criteria can access Workspace applications.
  • Patch operating systems: Tanium and CrowdStrike integrations enforce patch compliance as an access precondition.
  • Restrict administrative privileges: Context-Aware Access policies applied to the Admin Console can require partner-validated device health for any admin access.
  • Multi-factor authentication: BeyondCorp evaluates identity alongside device health, supporting a defence-in-depth approach to MFA.

Document these mappings for your compliance assessments. Australian cyber insurers are increasingly asking for evidence of technical controls aligned to the Essential Eight, and BeyondCorp integration logs provide a clear audit trail.

Communicate Changes to End Users

When a device fails a BeyondCorp access check, the error message the user sees should be clear and actionable. By default, Google shows a generic access denied page. Work with your communications or IT support team to customise the message to explain what the user needs to do — install a pending update, contact IT, or raise a support ticket. Clear error messages reduce helpdesk load and speed up remediation.


Affiliate & Resources

If you are considering upgrading your Google Workspace plan to access BeyondCorp Enterprise features and Alliance Partner integrations, the following is worth bookmarking:

  • Google Workspace Referral Program: https://referworkspace.app.goo.gl/ — Enterprise Standard and Enterprise Plus plans unlock the full BeyondCorp partner connector capabilities covered in this guide. The referral program allows you to earn rewards when referring other Australian businesses to Google Workspace.

For partner-specific documentation and integration guides, refer to each vendor's official documentation:
- CrowdStrike: Search "BeyondCorp integration" in the Falcon documentation portal.
- VMware Workspace ONE: The BeyondCorp connector is documented under Workspace ONE Intelligence integrations.
- Jamf: The Google BeyondCorp integration is available in Jamf's trust partner ecosystem documentation.


Wrapping Up

BeyondCorp Alliance Partners turn your existing security investments into active gatekeepers for your Google Workspace environment. The EDR platform you already pay for, the MDM you already manage, and the mobile threat defence solution you already deploy can all contribute real-time device signals to Google's access decisions — closing the gap between what your security tools know and what your collaboration platform acts on.

The implementation path is well-defined. Enable Endpoint Verification, connect your partner via the BeyondCorp connector interface, create access levels that incorporate third-party signals alongside Google's native conditions, and apply those levels to the services and organisational units that carry the most risk. Run in monitoring mode first, validate that signals are flowing correctly, and then move to enforcement.

For Australian IT admins, the compliance value is just as significant as the security value. Documented, enforced, and auditable access controls that draw on continuous device health signals are exactly the kind of "reasonable steps" the Privacy Act expects you to take, and the kind of technical controls the Essential Eight framework recommends you implement.

If you take one action from this guide today, connect your primary endpoint security platform to BeyondCorp Enterprise and validate that device signals are flowing into the Admin Console. Even before you create a single access policy, that visibility will reveal things about your device estate that you did not know — and that knowledge is where every effective security programme starts.

