Tag Archives: identity

Automate unmanaged account onboarding with the User Invitation API beta

What’s changing

We’re adding a User Invitation API to the Cloud Identity API. This new API allows you to identify and manage unmanaged accounts.

Unmanaged accounts are users with consumer Google accounts that share your organization's email address. The API will enable you to manage these accounts at scale, and automate sending of invites to these users to transfer their account to a managed state. to a managed state.

The User Invitation API is initially available as an open beta, which means you can use it without enrolling in a specific beta program. See our documentation to learn more about how to use the API.

Who’s impacted

Admins

Why you’d use it

Unmanaged accounts occur when a user registers for a personal Google account using an email address that matches your domain. These accounts generally exist because a user has previously signed up for a personal Google Account using their work or educational email address.

If your organization then signs up for Google Workspace or Cloud Identity and attempts to provision a managed account with the same primary email address, the conflict needs to be resolved.

Previously, you could only manage these existing accounts via the Admin console. The User Invitation API provides another option which can help automate resolution of these conflicts, and can make it easier to manage these conflicts at scale.

Getting started

Admins: Use our developer documentation to learn more about setting up the User Invitation API. Visit our Help Center to learn more about how to find and manage unmanaged accounts.
End users: No end user impact.

Rollout pace

This feature is available now for all users in beta.

Availability

Available to all Google Workspace customers, G Suite Basic and Business customers, and Cloud Identity customers

Resources

Source: Google Workspace Updates

Automatic group membership management with dynamic groups, now generally available

Quick launch summary

Dynamic groups are now generally available. Dynamic groups work the same as other Google Groups, but with the added benefit that their memberships are automatically kept up to date with a membership query. Dynamic groups can be based on one or many user attributes, including addresses, locations, organizations, and relations.

By automating membership management you can increase security, reduce errors, and alleviate user frustration while minimizing the burden on admins.

See our beta announcement for more details and example use cases for dynamic groups. Note that at launch, you won’t be able to manage policies—like context-aware access policies—using dynamic groups. We are working on adding this functionality in the future, and will announce it on the Workspace Updates blog when it’s available.

This joins our other recent announcements for features that make it easier to manage groups within your organization. You can now also assign groups as security groups, set group membership expiration, and see indirect membership visibility and membership hierarchies via API. We hope these features make it easier to use groups to meet the access, security, and communication needs of your organization.

Getting started

Admins: Dynamic groups will be available to all eligible users with group create and user read privileges. To get started, go to Admin console > Directory > Groups or use the Cloud Identity API. Read our documentation to learn more about managing dynamic groups.
End users: Not available to end users

Rollout pace

Rapid Release and Scheduled Release domains: Full rollout (1–3 days for feature visibility) starting on February 17, 2021

Availability

Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Plus, and Cloud Identity Premium customers
Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, and Education Fundamentals, or G Suite Basic, Business, and Nonprofits customers

Resources

Source: Google Workspace Updates

Security groups now generally available

Quick launch summary

We’re making security groups generally available. Security groups help you easily regulate, audit, and monitor groups used for permission and access control purposes by simply adding the security label. See our beta announcement for more details and use cases for security groups.

We’ve recently announced several other features that can help you better manage groups in your organization and improve your security posture. These include group membership expiration and the indirect membership visibility and membership hierarchy APIs.

Getting started

Admins: You can assign a group as a security group through the Cloud Identity Groups API, and then manage these groups through the Admin SDK Groups API, the Admin console, or the Cloud Identity Groups API. See our API documentation to learn how to update a Google Group to a security group.
End users: There is no end user setting for this feature.

Rollout pace

Rapid Release and Scheduled Release domains: Full rollout (1–3 days for feature visibility) starting on February 9, 2021.

Availability

Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Standard and Enterprise Plus customers, as well as G Suite Basic, Business, Education, Enterprise for Education and Nonprofits customers

Resources

Cloud Identity API documentation: Updating a Google Group to a security group

Source: Google Workspace Updates

Group membership expiration now generally available

Quick launch summary

The Cloud Identity Groups API feature that enables you to set expirations for group memberships is now generally available. It was previously available in beta.

This enables admins to set an amount of time that users and service accounts are members of a group. Once the specified time has passed, users will be removed from the group automatically. Automatic membership expiration can help reduce the administrative overhead for managing groups, and can help ensure group membership is limited to the members that need access.

See our beta announcement for more information and use cases for membership expiry.

This launch is another enhancement to the Cloud Identity Groups API. We recently also made the indirect membership visibility and membership hierarchy APIs generally available. Together, these make it easier to manage permissions and access control in your organization.

Getting started

Admins and developers: Membership expiry is available to use for new and existing groups. Admins with permissions to modify groups memberships can set expiration. To get started, use the Cloud Identity Groups API.
End users: Group owners and managers can set expiration. To get started, use the Cloud Identity Groups API.

Rollout pace

Rapid Release and Scheduled Release domains: Full rollout (1–3 days for feature visibility) starting on February 8, 2021.

Availability

Available to Google Workspace Enterprise Standard and Enterprise Plus, as well as G Suite Enterprise for Education and Cloud Identity Premium customers
Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, and Enterprise Essentials, as well as G Suite Basic, Business, Education, and Nonprofits customers

Resources

Source: Google Workspace Updates

Indirect membership visibility and membership hierarchy APIs now generally available

Quick launch summary

We’re making it easier to identify, audit, and understand indirect group membership via the Cloud Identity Groups API. Specifically, we’re making the membership visibility and membership hierarchy APIs generally available. These were previously available in beta.

Using “nested” groups to manage access to content and resources can help decrease duplication, simplify administration, and centralize access management. However, nested groups can create a complex hierarchy that can make it hard to understand who ultimately has access and why. These APIs help provide all of the information you need to understand complex group structures and hierarchies, and can help you make decisions about who to add to or remove from your groups.

See our beta announcement for more information and use cases for the APIs.

Getting started

Admins and developers: See our developer documentation for more details on the Cloud Identity Groups API and the Membership Hierarchy and Visibility API Guide.
End users: End users can use the API within the scope they have to create and manage groups. See our developer documentation for more details on how to use the Cloud Identity Groups API.

Rollout pace

Rapid Release and Scheduled Release domains: Full rollout (1–3 days for feature visibility) starting on January 28, 2020.

Availability

Available to Google Workspace Enterprise Standard and Enterprise Plus, as well as G Suite Enterprise for Education and Cloud Identity Premium customers.
Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, and Enterprise Essentials, as well as G Suite Basic, Business, Education, and Nonprofits customers

Resources

Source: Google Workspace Updates

Deploy and manage Google Credential Provider for Windows via the Admin console

What’s changing

You can now deploy and manage Google Credential Provider for Windows (GCPW) in the Admin console. Previously, you had to edit registry entries to manage GCPW. The new, organization-specific installation file and setting management in the Admin console makes it easier to deploy and manage GCPW in your organization.

Who’s impacted

Admins

Why you’d use it

GCPW is an aspect of Enhanced desktop security for Windows that makes using Windows 10 devices with Google Workspace easier and more secure. Once set up, users can:

Sign in to a Microsoft Windows 10 device using their Google Workspace Account.
Take advantage of security protections on Windows 10 devices, including 2-step verification (2SV) and login challenges.
Access Google Workspace and other single sign-on (SSO) apps without the need to re-enter their credentials.

With this launch, you can configure and manage GCPW in the Admin console instead of in each device’s registry settings. This can make setting up and updating GCPW deployments less manual and time-consuming for if you don’t have standard software deployment tools.

Additional details

Device setup and management: To set up GCPW on a new device, download a GCPW installation file customized for your company from the Admin console. After GCPW is installed, you can manage GCPW settings in the Admin console. When a user signs in to a device managed with GCPW, GCPW fetches and applies the settings from in the Admin console. GCPW settings in the Admin console may take up to one hour to be implemented on the device. If you already installed GCPW on a device, you can set a token to manage GCPW from the Admin console.

Settings available in the Admin console: You can manage most of the settings in the Admin console that you can in registry settings, including offline access, multiple account management, and more.

Working with existing registry settings: Admin console settings supersede registry settings. To continue to use registry settings instead of Admin console settings, leave GCPW settings in the Admin console as “not configured.”

Getting started

Admins: Visit the Help Center to learn more about how to install Google Credential Provider for Windows. If you already installed GCPW on a device, you can set a token to manage GCPW from the Admin console.
End users: No end user impact until configured by an administrator.

Rollout pace

Rapid Release and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on January 11, 2021

Availability

Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits customers.

Resources

Source: Google Workspace Updates

Use Secure LDAP to log into MacOS with Google credentials

Quick launch summary

You can now use Secure LDAP on MacOS devices. Once enabled, users can log in to MacOS devices with their Google Workspace or Cloud Identity login credentials.

This can help simplify access management by using a single directory—the Workspace identity and access management (IAM) platform—to manage access to MacOS devices. In turn, this can help improve security by providing a single place to set up identity and access policies, and reduce your dependency on legacy identity infrastructure.

Getting started

Admins: Visit the Help Center to learn more about the Secure LDAP service, and specifically how to configure MacOS clients to the service.
End users: No end-user impact until enabled by an admin.

Rollout pace

Rapid Release and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on Dec 10, 2020

Availability

Available to Google Workspace Business Plus, Enterprise Standard, and Enterprise Plus, G Suite Education and Enterprise for Education, and Cloud Identity premium customers
Not available to Google Workspace Essentials, Business Starter, Business Standard, Enterprise Essentials, as well as G Suite Basic, Business, and Nonprofits customers

Resources

Source: Google Workspace Updates

Make specific applications exempt from session length policy

What’s changing

Last year, we launched an open beta that enabled Cloud Identity admins to configure a session length (a.k.a. “reauth”) for Google Console and Cloud SDK. Now, we’re enhancing session length controls by allowing you to exempt specific applications from the reauth policy. We hope this will make it easier to roll out this feature in your domain.

Who’s impacted

Admins

Why you’d use it

The Google Cloud session control feature applies a session length to Google’s own GCP admin tools, as well as customer-owned and third-party applications that use the cloud-platform scope. When the configured session length expires, the application will require the user to reauthenticate to continue operating, analogous to what would happen if an admin revoked the refresh tokens for that application. The reauthentication requirement can help reduce unauthorized access to sensitive data.

We heard your feedback that there are some scenarios that make it difficult to roll this out. For example, some applications do not gracefully handle the reauth scenario, causing confusing application crashes or stack traces. Some other applications are deployed for server-to-server use cases with user credentials instead of the recommended service account credential, in which case there is no user to periodically reauthenticate. Customers impacted by these scenarios are unable to roll out session controls to any applications as it will cause these apps to work improperly.

This update allows you to add these apps to a trusted list, temporarily exempting the apps from session length constraints, while implementing session controls for all other GCP admin surfaces.

The previous session control settings page in the Admin console

The new session control settings page in the Admin console. Note the new “Exempt trusted apps” checkbox.

Getting started

Admins: This feature will be OFF by default and can be enabled manually using the “Exempt Trusted apps” setting. For more information on how to review the apps currently requiring cloud-platform scopes, and how to add those apps to the Trusted list, visit our Help Center.
End users: There is no end user setting for this feature.

Rollout pace

Rapid and Scheduled Release domains: Full rollout (1–3 days for feature visibility) starting on Monday, November 23, 2020

Availability

Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits, and Cloud Identity customers

Resources

Source: Google Workspace Updates

Introducing two BeyondCorp Alliance partner integrations for improved context-aware access

What’s changing

We’re announcing new integrations with our BeyondCorp Alliance partners Check Point and Lookout. The integrations, initially available in beta, are built using the Devices API and enable customers to use third party signals in context-aware access decisions.

Who’s impacted

Admins

Why it’s important

In the BeyondCorp security model, device inventory, state, and security posture are central to making context-aware access decisions. So far our context-aware access solution obtained these signals from first party (i.e. Google) sources, such as Endpoint Verification. However our vision has always been to help customers to fully leverage their existing investments in security tools and controls, add key functionality and signals to Google’s context-aware access to achieve superior access control security posture for our customers. The BeyondCorp Alliance is a group of partners that share our Zero Trust vision and who are committed to working with us to help our joint customers make it a reality.

Today, we are excited to announce the first integrations (in beta) with our BeyondCorp Alliance partners Check Point and Lookout, to use third party signals in our context-aware access decisions. For example, the mobile threat defence system might detect malware on the device and notify Google about a reduced security assurance, and customer-defined access rules can reduce the level of access allowed from such devices, without impacting access for that user from other devices or for other users. The integrations are built using the new Devices API we announced earlier this year. The API was designed to be used by partners in the BeyondCorp Alliance to add device security metadata, and also by customers to manage their device fleet.

Getting started

Admins: Google customers who use Checkpoint or Lookout as their mobile threat defense solutions can benefit from the integration. Visit our Help Center for more information and to learn more about how to set up third-party partner integrations. You can also see blog posts by our partners to see more about how you can use Check Point or Lookout solutions as part of this integration.
End users: No impact for end users.

Rollout pace

Rapid and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on November 2, 2020

Availability

Available to Enterprise Plus, Enterprise for Education, and Cloud Identity Premium customers
Not available to Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education, and Nonprofits customers

Resources

Source: Google Workspace Updates

Managed Android devices must upgrade to Android Device Policy by October 26, 2021

What’s changing

Last year, we announced that a new Android management client, Android Device Policy, would replace the legacy Google Apps Device Policy client. We’re now discontinuing the legacy client.

To ensure that devices enrolled by users with advanced management will continue to sync and have access to data, users in your organization must switch to Android Device Policy before October 26, 2021. If users still have Google Device Policy on this date, they won't be able to sync their devices or access data.

To switch to Android Device Policy, users must have an Android 6.0 Marshmallow or later device that supports a work profile. For users with devices that don’t meet these requirements, consider switching to basic mobile device management.

Devices enrolled by users with basic management must move to Android 6.0 Marshmallow or later before October 26, 2021 to continue enforcing a screen lock. If a user's device can't be upgraded to Android 6.0 or later, their device will continue to sync and retain access to data, however it will not be able to enforce a screen lock.

Who’s impacted

Admins and end users

Why it’s important

The latest Android devices and operating system (OS) versions provide improved security features. Moving to Android 6.0 (Marshmallow) or newer can help ensure all devices are protected by the latest security features, and can take advantage of improvements in the Android enterprise experience.

Getting started

Admins: Admins can find devices which may need to take action in the Admin console. Visit our Help Center to learn more about the differences between Android Device Policy and Google Apps Device Policy. Different devices may need to take different steps to upgrade:

Advanced management devices:

Find advanced management devices by going to Admin console > Mobile devices and filtering for Type: Android and Management level: Advanced.
Determine which of these devices are currently managed by the Google Apps Device Policy app and support the Android Device Policy app (i.e. devices with Android 6+ and support for a work profile)
Send these instructions to your users to help them migrate to Android Device Policy.

Basic management devices:

Find basic management devices by going to Admin console > Mobile devices and filtering for Type: Android and Management level: Basic.
Instruct users of these devices to upgrade the Android OS to version 6.0 Marshmallow or later.

End users: Affected users can visit our Help Center to learn how to transition devices from Google Apps Device Policy to Android Device Policy.

Rollout pace

Rapid and Scheduled Release domains: All devices must complete the upgrade by October 26, 2021. Android Device Policy is available now for all users.

Availability

Available to Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education, Enterprise for Education, and Nonprofits customers
Not available to G Suite Essentials