For the enterprise, different deployment models for integrating Google Sync are offered by Workspace One.
Table of Contents
Types Of Integration
The Workspace ONE UEM server communicates with the Gmail server in one of the following ways Depending on the deployment method chosen.
- Proxy Deployment: Through Secure Email Gateway(SEG.), the Workspace ONE UEM server communicates indirectly with the Google server
- Direct Deployment: The Workspace ONE UEM server uses the password management configurations or the Google directory APIs.
With and Without Password Management SEG Proxy Integration
This configuration is supported by SEG V2. Situated between the Workspace ONE UEM server and the Gmail server, this configuration type involves the SEG Proxy server. By prohibiting the enrolled devices to communicate directly with the Gmail server, the SEG Proxy server ensures security. On the Email Dashboard, with SEG, the admin gets visibility of both the managed and unmanaged devices. Optionally leverage the available email policies.
Direct Integration with Directory APIs
To manage email access on mobile devices, the Workspace ONE UEM server uses Google’s directory APIs in this configuration type,
Direct Integration using Password Management
The Workspace ONE UEM server interacts directly with Google using the password provisioning configuration type. This configuration utilizes password switching to block non-compliant devices since the SEG server is not involved. Either choose to purge or store the password in the enterprise database based on enterprise security needs.
- Integrating with password retention: By default, in the database, the Workspace ONE UEM server interacts with the Google server directly and keeps the Google password using this configuration. Through the Email Dashboard, manage and monitor enrolled devices. Depending on the email compliance policies configured within the Workspace ONE UEM console, devices are deemed compliant or non-compliant.
Whenever a device is non-compliant, the user is prevented from logging in from another device as the password on the Google server is reset by Workspace ONE UEM. The old password is reinitialized back on the Google server, and the user can gain access using the old password once the device is back to compliant status. unmanaged devices are blocked by default.
- Integrating without password retention: This configuration is recommended by VMware AirWatch. No user password is stored in the database, and the Workspace ONE UEM server communicates with Google directly using this configuration. Through the Device Dashboard, manage and monitor enrolled devices. Depending on the device compliance policies configured within the UEM console, Devices are deemed compliant or non-compliant. This method provides a way to block non-compliant devices and ensure password safety since the SEG server is not involved. Workspace ONE UEM deletes the email profile from the device once a device is detected as non-compliant, thus barring the user from receiving emails. Workspace ONE UEM generates a new password once the device is back to compliant status and directs it to Google and onto the device using an email profile.
Workspace ONE UEM console Configure Secure Email Gateway V2
Incorporating SEG (V2) Proxy with Google is a two-step process where the SEG (V2) Proxy using the UEM Console is first configured and then configured the IP restriction on the Google admin console. The various SEG (V2) settings such as external, Email and server settings and security information can be customized as well.
- Go to Email, navigate to Email Settings and click on Configure. The Add Email Configuration wizard pops up.
- Add is selected. The wizard shows the Platform tab.
- Select Proxy from the Deployment Model option.
- Select V2 from the Gateway Platform option.
- Select Google from Email Type, and then click Next. The Deployment tab pops up and shows the basic settings.
- The Friendly Name text box is selected, and a unique name is provided.
- The External Settings are customized. The External URL and Port text box are selected, and the external URL and the port number are entered to which Workspace ONE sends policy updates. https://<external seg url>:<external port> is the supported format.
- The Server Settings are configured.
- The web listener port for SEG is provided. The port number is 443, by default. The SSL certificate is confined to this port if SSL is enabled for SEG.
- (Optional): Select Enable from Terminate SSL on SEG to bind the SSL certificate to the port.
- To upload the SSL certificate during installation, click on Upload Locally. When the admin does not have the certificate during MEM configuration, use this setting. For easy OTA installation, the UEM console supports uploading the certificate locally. The certificate can as well be provided during run-time.
- Select Upload to add the certificate from SEG Server SSL Certificate. Instead of providing it locally, the SSL certificate can be installed automatically. For larger SEG deployments, this setting is useful. The admin must upload an SSL certificate in the .pfx format with a full certificate chain, and private key included.
- The Email Server Settings can be customized. Email Server URL and Port are selected, and the Google server URL: https://m.google.com is entered. This address provides the Google address to which the SEG will proxy ActiveSync requests.
- Customize Security Settings.
- Toggle Enable from ignoring SSL Errors between SEG and email server to ignore the Secure Socket Layer (SSL) certificate errors between the SEG server and the email server.
- Toggle Enable from ignoring SSL Errors between SEG and Workspace ONE UEM server to disregard Secure Socket Layer (SSL) certificate errors betwixt the Workspace ONE UEM server and. Establish a strong SSL trust between the SEG server and Workspace ONE UEM using valid certificates.
- Toggle Enable from Allow email flow if no policies are present on SEG if SEG is unable to load the device policies to allow the email traffic
- From the Workspace ONE UEM APIs. If no policies are locally present, by default, SEG blocks email requests.
- Cluster Settings can be customized. Toggle Enable from Enable Clustering if the admin wants to allow clustering of SEG servers.
- (Optional): The Automatic Password Provision configuration in Google Apps can be customized. If the admin provides the Google password to device users or if they have furnished with their SSO password that is equivalent to the Google password, skip this step. It is considered to be more balanced when the Google password is managed within enterprise organization; therefore, the Automatic Password Provision setting is disabled by default:
- Toggle enabled if the primary directory is not Google and the admin does not allow native passwords to device end users, or if they are only allowed with SSO password. When toggled enabled, Google is provisioned for your users by the UEM console.
- The following information for the UEM console is entered to provision the Google password:
Google Apps Domain: Provide the Google Apps domain address.
Google Apps Subdomain: Provide the Google Apps sub-domain address.
Google Apps admin username: URL as the Google Apps Admin user name is completed.
Service account certificate: To upload to the Service account certificate, click on Upload. The certificate password is entered when prompted. When issuing the client ID on the Google console, the certificate password is created.
Directory service account email address: While creating the Service Account, the Certificate Directory service account email address that is generated is the Directory service account email address.
Application Name: The project name is provided, which was created earlier.
Google User Email Address: The email address of the user linked to the Certificate attribute which holds it.
- In the profile tab, required settings are entered and then click on next.
- Select finish
Configure Advanced Settings
To finish the process of integrating SEG Proxy with Google Sync, advanced settings can be configured.
- Go to Email, navigate to the Settings page and then click the icon next to the Google Sync deployment, which is required.
Note: To capture all SEG traffic information from devices, by default, the Use Recommended Settings check box is enabled. The admin can specify what information and how frequently the SEG should log for devices if not enabled.
- The Enable Real-time Compliance Sync option is selected to allow the UEM console to remotely provision compliance policies to the SEG Proxy server.
- Click on Save.
Configure IP Restriction on Google Admin Console
To accept traffic only from SEG, configure Google Sync. This ensures that the devices that attempt to bypass SEG are blocked and restricts the communication to SEG.
- Open and Log in to the Google Admin console and go to Device Management, navigate to Advanced Settings and then click on Google Sync.
- The IP Whitelist text box is selected, and the external SEG IPs are entered that the admin wants to whitelist.
- Click on Save.
Integrate Direct Model using Password Management
Using the Password Management approach while configuring the Gmail deployment, the admin can choose to not retain or retain the Google password in the Workspace ONE database.
Depending on whether the admin chooses to retain the password or not, the non-compliant devices are blocked. The devices are blocked either by removing the email profile from the device or resetting the password on the Google server.
Note: All the Gmail models require an EAS profile irrespective of the type of email client for password provisioning to take place. Associating an EAS profile is mandatory for new installations. The admin has to manually link an EAS profile to the MEM configuration for the upgrades after completing the upgrade process.
- Under the UEM console main menu, go to Email, navigate to Email Settings, and then click on Configure.
- These requirements should be configured in the Platform wizard form.
- Direct should be selected as the Deployment Model.
- Using Password Provisioning, select Google Apps as the Email Type.
- With Password Retention or Without Password Retention should be selected as the Google Deployment Type.
- Click on Next.
- Complete the following options in the deployment wizard form:
Friendly Name: A friendly name should be entered for the Gmail deployment.
Google Apps Domain: The registered Google Apps domain address is provided.
Google Apps Sub-Domain: The Google Apps subdomain address is provided, if applicable.
Google Apps Admin Username: The full email address in the Google Apps Admin Username field is provided.
Service Account Certificate: Upload The Service account certificate. When prompted, provide the certificate password. While generating the Service Account client ID on the Google console, the certificate password is created.
Directory service account email address: The Service Account email address is provided that was generated when the Service Account Certificate is generated.
Application Name: The project name that the admin had created earlier is provided.
- Click on Next.
- Create a new profile or associate an existing profile in the Profiles wizard form. Click on Next. Result: A quick overview is provided by the MEM Config Summary form of the basic configuration the admin has just created for the Gmail deployment.
- Save the settings.
Configure Gmail Deployment With Password Retention
If the admin chooses to retain the password, then the settings can be configured to set up the preferred password length.
For newly enrolled devices, Workspace ONE UEM does not provide passwords or modifies the password for the devices that change status when the email compliance policies are disabled.
- Go to the Email, and navigate to Settings and click on the wrench icon.
- The Use Default Settings are disabled to provide the preferred length of the password in the Google Random Password Length field.
The Use Default Settings check box is allowed by default. The maximum accepted character is 100, and the minimum is 8.
- The Rotate Profiles on Unenrollment check box is selected to automatically rotate the profiles of the existing devices and passwords whenever a device is unenrolled.
Go to the Accounts, navigate to Users, a user is selected, click on MORE ACTIONS, and click on the Rotate G Suite password option if an administrator needs to manually rotate profiles and passwords outside of enrollment or compliance.
- Click Save.
Configure Gmail Deployment Without Password Retention
Disable the default settings if the admin has chosen not to retain the password in the Workspace ONE UEM database, which encrypts and stores the Google password in the Workspace ONE UEM database.
By default, unmanaged devices are blocked, and the Email Compliance policies are not applicable for this type of Integration.
Note: Regardless of the MEM settings, Workspace ONE UEM provisions passwords to devices during enrollment. The approach is determined by the MDM compliance policies.
- Go to Email, navigate to Settings and click the icon.
- The Use Recommended Settings check box is disabled to customize the Google Apps Settings options. This option is enabled to encrypt by default, and the Google password is stored in the Workspace ONE UEM database.
The Google password resets, and a new password that is generated is pushed to the device that is onboarded if a user has two devices enrolled and one of the devices un-enrolls.
- The options can be configured once the admin disables the Use Default Settings check box.
Google Random Password Length: The preferred random password length is provided. The maximum accepted character is 100, and the minimum is 8.
Password Retention Period: The number of hours is provided for which the password should be retained temporarily for management purposes. All the enrolled devices which belong to a user who receives the password is ensured by retention. 48 is the default value. The maximum accepted character is 100, and the minimum is 1.
Auto-rotate Google Password: This check box is toggled to reset the password once within a specific period. If any user’s password needs to be reset, it is checked by The Scheduler within the specified period. The maximum accepted character is 90, and the minimum is 1.
Auto-rotate Google Password Period: The specific period to reset the Google password is provided. 30 days is the default period
- Click on Save.
Integrate Direct Model Using Directory APIs
Email access is managed by Workspace ONE UEM on mobile devices without any password management by using Google’s Directory APIs.
Any unmanaged devices are blocked from accessing Email by enabling device activation. During enrollment, when the Profile is deployed onto the device, Workspace ONE UEM checks with Google for a device account:
- Google directs a positive response to Workspace ONE UEM if the enrolled device has an account. To allow email access, Workspace ONE UEM then sends an approve command to Google.
- The Profile is installed on the device after the device enrolls, and any attempt to connect creates a device record in Google. The device is recognized and allowed for email access when the Google scheduler runs at a default interval of five minutes. The ‘Scheduled Sync Update’ is used to update the Email Dashboard.
- The end-user must log in to SSP and select Sync Email for the device to receive email access if the device fails to be identified by the scheduler after two days,
Note: if an account violates compliance using the Token Revocation option on the Email Settings page, the admin can also revoke access for Google accounts.
- Device Activation is enabled on the Google Admin console:
- Navigate to Device Management on the Google Admin console, go to Mobile, click on Setup.
- Within the Setup page, click on Device Activation.
- From the left panel, choose an organization and then choose Required admin approval for device activation.
- (Optional): To accept notifications when users enroll their devices, provide an email address. The admin can also provide a group email address that includes all the administrators who can activate the devices.
- Customize Direct APIs Deployment Type within the UEM console:
- Go to Email, navigate to Email Settings and click on Configure. The Email Config Add wizard pops up.
- For the Deployment Model, select direct.
- With Direct API as the Email Type, select Google Apps.
- Click on Next.
- Within the Deployment Wizard form, configure the following settings:
- Friendly Name: Friendly name is provided for the Gmail deployment.
- Google Apps Domain: Provide the Domain address
- Google Apps Subdomain: Provide Sub-domain address
- Google Apps Admin Username: Provide the complete email address
- Service account certificate (*.p12): The Service account certificate has to be uploaded. Provide the certificate password when prompted. While issuing the Service Account client ID on the Google console, the certificate password is created. The thumbprint, type, and validity of the certificate are shown.
- Directory service account email address: Provide Service Account email address.
- Application Name: Enter the Project name created earlier.
- Enable Token Revocation: To make available the Revoke Google Token action, toggle Enable within MDM compliance policies. On the MDM compliance policy page, the Revoke Google Token message is shown. Note: For one MEM configuration at a time, this option can be only used.
- When wiping devices, Automatically revoke: This box has to be checked to revoke the G Suite token for the user upon unenrollment.