Tag Archives: identity

Distribute certificates for mobile devices via MDM

What’s changing 

We’re making it possible to issue digital certificates to iOS and Android devices for secure access even when those devices are not connected to the corporate network. This will make it easier to provide new mobile devices with identification, authentication, and access to G Suite and other corporate resources. This is available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers using Google Endpoint Management via an on-premises connector.

Who’s impacted 

Admins

Why it’s important 

Certificates are an important way to identify and authenticate mobile devices so they are able to securely access corporate resources. These resources can include G Suite, enterprise WiFi hotspots, and more.

Some customers require devices to be on-premises, behind the corporate firewall, before device certificates can be issued to them. As some users can no longer reach corporate locations and networks, these customers need a way to issue certificates remotely.

By providing this feature, we are helping these customers keep their employees connected and productive even when they’re not in the office.

Getting started 



Rollout pace 


  • This feature is available now. 

Availability 


  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers 

Resources 


Enhanced security for Windows 10 devices now generally available

Quick launch summary 

You can now manage and secure Windows 10 devices through the Admin console, just as you do for Android, iOS, Chrome, and Jamboard devices. This also means you can enable SSO so users can more easily access G Suite and other SSO-enabled applications on Windows 10 devices. This was previously available in beta.

All G Suite admins can now use Google Credential Provider for Windows to:

  • Enable their organization to use existing G Suite account credentials to log in to Windows 10 devices, and easily access apps and services with SSO. 
  • Protect user accounts with Google’s anti-hijacking and suspicious login detection technologies. 

Additionally, G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers can now also:

  • Ensure that all Windows 10 devices used to access G Suite are updated, secure, and compliant with organizational policies. 
  • Perform admin actions, such as wiping a device and pushing device configuration updates, on Windows 10 devices from the cloud without connecting to the corporate network. 

This can help simplify device management, help to increase data security, and reduce the hurdles and logins users need to access applications and get work done. See our previous announcement for more details on the Windows 10 management features and benefits.

See our Help Center to learn more about enhanced desktop security for Windows. See our post on the Cloud Blog to learn how this and other launches can help G Suite customers stay secure.


Getting started 




Admin controls available for Windows 10 devices 

Rollout pace 



Availability 

Login and SSO features associated with Google Credential Provider for Windows:

  • Available to all G Suite and Cloud Identity customers 


Device management for Windows 10 devices:

  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers 

Resources 


Context-Aware Access for SAML apps available in beta

What’s changing 

We’re enhancing Context-Aware Access (CAA) with a beta that enables admins to use it to control SAML apps. This gives admins the ability to control access to SAML apps based on the user, the device, and the context they are in when they are trying to access an app.

CAA for SAML apps will work for customers that use Google as the primary identity provider (IdP) to enable access to third party apps from pre-integrated SAML apps or custom SAML apps. It’s available to G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, and Drive Enterprise customers only. See our post on the Cloud Blog to learn how this and other launches can help G Suite customers stay secure.

Who’s impacted 

Admins only

Why you’d use it 

Using Context-Aware Access, you can create granular access control policies to apps based on attributes including the user, location, device security status, and IP address. This can improve your security posture by reducing the chances that there’s unintended access to specific apps and the data in them. Some ways you could use CAA for SAML include:

  • Only allow access to your CRM app when the user is on the corporate network. 
  • Only allow access to a cloud storage app if the user has an up-to-date operating system and an encrypted device. 
  • Only permit IT admins to access certain tools from a remote location. 
  • Only permit users in a specific country to access certain apps. 


Additional details 


Builds on the CAA for G Suite infrastructure 
Controlling CAA for SAML apps will use the same infrastructure and Admin console interface as CAA for G Suite. That means you can reuse any pre-configured access levels, user groups, and end-user messaging for CAA for SAML. Use our Help Center to find out more about managing context-aware access in G Suite.

CAA for SAML only enforced at time of sign-in 
CAA for SAML apps is only enforced at the time of sign-in. This is different from CAA for G Suite applications, which offers a higher level of control. G Suite applications are built by Google, so CAA can continuously re-evaluate context (IP address, device attributes, etc.) during use. SAML apps are non-Google applications that use Google sign-in, so we can only evaluate context at the point where a user signs in to them with Google. After that sign-in, the context is not evaluated again until the session is terminated and the user signs in again with Google. In practice this means a device that falls out of compliance, or moves off the corporate network, keeps its existing SAML app session until that session ends.
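The following is an added example, not code from the original post or from Google: a small policy model that illustrates the example policies listed above (corporate network, healthy device, country) together with the enforcement difference just described. Access levels are evaluated at sign-in for every app; for a Google app the context is re-checked on each later request, while for a SAML app the session stays valid until it is terminated. The access-level fields, the app names, and the IP ranges (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are all constructed for the example and are not Google's implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical context attributes for one request (constructed for this example).
@dataclass(frozen=True)
class Context:
    user: str
    groups: Tuple[str, ...]
    ip: str
    country: str
    os_version: Tuple[int, ...]
    disk_encrypted: bool


# Hypothetical access level: every configured condition must hold.
@dataclass(frozen=True)
class AccessLevel:
    name: str
    allowed_cidrs: Tuple[str, ...] = ()
    min_os_version: Optional[Tuple[int, ...]] = None
    require_encryption: bool = False
    allowed_countries: Tuple[str, ...] = ()
    required_groups: Tuple[str, ...] = ()

    def satisfied_by(self, ctx: Context) -> bool:
        addr = ipaddress.ip_address(ctx.ip)
        if self.allowed_cidrs and not any(
            addr in ipaddress.ip_network(c) for c in self.allowed_cidrs
        ):
            return False
        if self.min_os_version is not None and ctx.os_version < self.min_os_version:
            return False
        if self.require_encryption and not ctx.disk_encrypted:
            return False
        if self.allowed_countries and ctx.country not in self.allowed_countries:
            return False
        if self.required_groups and not set(self.required_groups) & set(ctx.groups):
            return False
        return True


CORP_NETWORK = AccessLevel("corp_network", allowed_cidrs=("203.0.113.0/24",))
HEALTHY_DEVICE = AccessLevel("healthy_device", min_os_version=(13, 0), require_encryption=True)
US_ONLY = AccessLevel("us_only", allowed_countries=("US",))

# app -> (kind, access level). "google" apps are re-evaluated during use,
# "saml" apps only at sign-in. App names are constructed.
POLICY: Dict[str, Tuple[str, AccessLevel]] = {
    "crm-saml": ("saml", CORP_NETWORK),
    "storage-saml": ("saml", HEALTHY_DEVICE),
    "drive": ("google", CORP_NETWORK),
}


class SessionBroker:
    """Simulates sign-in-time enforcement for SAML apps and continuous
    enforcement for Google apps."""

    def __init__(self, policy: Dict[str, Tuple[str, AccessLevel]]):
        self.policy = policy
        self.sessions: Dict[Tuple[str, str], bool] = {}

    def sign_in(self, app: str, ctx: Context) -> bool:
        _, level = self.policy[app]
        ok = level.satisfied_by(ctx)
        if ok:
            self.sessions[(ctx.user, app)] = True
        return ok

    def request(self, app: str, ctx: Context) -> bool:
        kind, level = self.policy[app]
        if (ctx.user, app) not in self.sessions:
            return False
        if kind == "google":
            ok = level.satisfied_by(ctx)  # context re-evaluated on every request
            if not ok:
                self.sessions.pop((ctx.user, app))
            return ok
        return True  # SAML: context was only checked when the session was created

    def sign_out(self, app: str, user: str) -> None:
        self.sessions.pop((user, app), None)


def demo() -> Dict[str, bool]:
    """Alice signs in at the office, then keeps working from a cafe network."""
    broker = SessionBroker(POLICY)
    office = Context("alice@example.com", ("employees",), "203.0.113.25", "US", (13, 4), True)
    cafe = Context("alice@example.com", ("employees",), "198.51.100.7", "US", (13, 4), True)
    results: Dict[str, bool] = {}
    results["crm_signin_office"] = broker.sign_in("crm-saml", office)   # True
    results["drive_signin_office"] = broker.sign_in("drive", office)    # True
    results["crm_request_cafe"] = broker.request("crm-saml", cafe)     # True: SAML session survives
    results["drive_request_cafe"] = broker.request("drive", cafe)      # False: Google app re-checks
    broker.sign_out("crm-saml", office.user)
    results["crm_signin_cafe"] = broker.sign_in("crm-saml", cafe)      # False: re-evaluated at sign-in
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The point the simulation makes is operational: if an access level for a SAML app depends on attributes that change during the day (network location, device health), a session opened while compliant remains usable until it ends, so shorter SAML session lifetimes in the app itself are the lever for tightening that window.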

Getting started 


  • Admins: This is an open beta, so the controls will automatically become available to you if you are a G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, or Drive Enterprise customer. 
  • End users: No end-user impact until turned on by the admin. 

Availability 


  • Available to G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, and Drive Enterprise customers. 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers. 

Resources 


New data exfiltration protections for G Suite data on iOS devices

What’s changing 

We’re adding new security controls that admins can use to protect sensitive company data on iOS devices. Admins can now choose to:

  • Restrict copying and pasting of data from G Suite accounts into other accounts. This can prevent corporate data from being exfiltrated to personal accounts. 
  • Restrict users from dragging and dropping files out of specific apps within their G Suite account. 

At launch, admin controls will apply to five G Suite iOS apps: Gmail, Drive, Docs, Sheets, and Slides. This feature is available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers. Users will still be able to copy and paste and drag and drop from personal accounts to G Suite accounts. Protections are available to devices managed with G Suite’s basic or advanced mobile device management, as well as devices with basic mobile management alongside a separate enterprise mobility management (EMM) solution.

Who’s impacted 

Admins

Why it’s important 

Without these features, admins have limited controls to prevent users from moving corporate data between corporate and personal accounts on the same iOS device. While admins can prevent sharing files between managed and unmanaged apps, users can still move data between accounts when an app supports multiple accounts, or via cut, copy, and paste. For example, an iOS user can copy the text of a corporate email into a personal account. This creates the potential for data leaks and reduces the overall security of your corporate data on iOS.

The admin controls introduced in this launch will help increase protections and make it more difficult for corporate data to be accidentally or intentionally shared to a personal account. Similar protections are already available on Android devices through Work Profiles.

See our post on the Cloud Blog to learn how this and other launches can help G Suite customers stay secure.

Getting started 


  • Admins: This feature will be OFF by default and can be enabled at the organizational unit (OU) level. Visit the Help Center to learn more about data protection on iOS devices.
  • End users: There is no end-user setting for this feature. If a user tries to perform a restricted copy and paste action, the text “This info can only be shared within your organization’s G Suite apps” will paste instead of the text they copied. 


Admin controls for data exfiltration protection on iOS 

Rollout pace 


  • This feature is already available for all domains. 

Availability 


  • Available to G Suite Enterprise, G Suite Enterprise for Education customers and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits customers, and Cloud Identity Free customers 

Resources 


Less secure app turn-off suspended until further notice

Last December, we announced that we’d be turning off less secure app (LSA) access to G Suite accounts, and that you should migrate to OAuth authentication instead. The first phase of the LSA turn-down was scheduled for June 15, 2020. As many organizations deal with the impact of COVID-19 and are now focused on supporting a remote workforce, we want to minimize potential disruptions for customers unable to complete migrations in this timeframe.

As a result, we are suspending the LSA turn-off until further notice. All previously announced timeframes no longer apply. 

This applies to all categories of applications and protocols outlined in our original blog post, including Google Sync for iOS Mail. We’ll announce new timelines on the G Suite Updates blog at a later date.

Despite these timing adjustments, Google does not recommend the use of any application that does not support OAuth. We recommend that you switch to OAuth authentication wherever possible in your organization. OAuth helps protect your account by letting us identify and prevent suspicious login attempts, and allows us to enforce G Suite admin-defined login policies, such as the use of security keys. See our original blog post for details and instructions on migrating to OAuth.

Getting started 


  • Admins: No action required. However, we do recommend switching to OAuth authentication. See our original blog post for details on migrating to OAuth.
  • End users: No end user impact.
  • Developers: Update your app to use OAuth 2.0 as soon as possible.

Use groups to manage Context Aware Access for G Suite

What’s changing 

You can now use groups to manage context-aware access for your organization. Previously, context-aware access policies could only be assigned by organizational unit (OU). Context-aware access lets you control access based on user identity and context. Managing it with groups provides extra flexibility, so you can make sure the right users have the right levels of access at the right time.

Use our Help Center to find out how to manage context-aware access.

Who’s impacted 

Admins

Why you’d use it 

With context-aware access, you can set up different access levels based on a user’s identity and the context of the request (location, device security status, IP address). This can help you provide granular access controls without the need for a VPN, and give users access to G Suite resources based on organizational policies. Find out more about context-aware access.

Using groups enables more granular access controls while minimizing the amount of work required to create and manage different OUs. For example, groups may make it easier to set up different policies for:

  • Users at different organizational levels (e.g. executives) 
  • Users in specific roles (e.g. admins) 
  • Users with different employment statuses (e.g. full-time employees or temporary workers) 


Getting started 



Admins: There will be no change to existing context-aware access policies, but you can now set policies at the group level. Visit the Help Center to get an overview of context-aware access, or learn how to customize context-aware access with groups.

End users: There is no end user setting for this feature.

Rollout pace 




Availability 


  • Available to G Suite Enterprise, G Suite Enterprise for Education, Cloud Identity Premium, and Drive Enterprise customers. See more details
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers 


Resources 


Manage Windows 10 devices through the G Suite Admin console

What’s changing 

We’re enabling enhanced desktop security for Windows with a new beta. This will allow you to manage and secure Windows 10 devices through the Admin console, just as you do for Android, iOS, Chrome, and Jamboard devices today. It will also enable SSO so users can more easily access G Suite and other SSO-enabled applications on Windows 10 devices.

With these new controls G Suite admins can:

  • Enable their organization to use existing G Suite account credentials to log in to Windows 10 devices, and easily access apps and services with SSO 
  • Protect user accounts with anti-phishing, anti-hijacking, and suspicious login detection technologies 
  • Ensure that all Windows 10 devices used to access G Suite are updated, secure, and compliant with organizational policies 
  • Perform admin actions, such as wiping a device and pushing device configuration updates, to Windows 10 devices from the cloud without specific network requirements 

Sign up for the beta here.

Who’s impacted 

Admins

Why you’d use it 

Automatic device registration, the ability to secure all of your devices in a single Admin console, and cloud-based policy and device configuration deployment will simplify device management and security for your organization. Additionally, the ability to remotely wipe devices can help increase your organization’s data security.

Additionally, this makes life easier for users by reducing the hurdles and logins needed to access applications and get work done. Users need to log in just once to their Windows 10 device using their G Suite login credentials, and they’ll be able to access Google apps and any other enterprise cloud applications with SSO enabled without further logins.

How to get started 




Additional details 


Set policies, push configurations to devices, and wipe devices as needed 

Admins can deploy policies and device configuration updates from the cloud, removing any network or other constraints on installing these updates on user devices. Policies and updates that admins can apply include BitLocker, Windows Update, and desktop customization. Additionally, admins can block or wipe devices if needed from the device page in the Admin console.



Availability 

G Suite editions 

  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers 

Beta sign up 
Find more information and sign up for the beta here.

Use phones as security keys in the Advanced Protection Program


What’s changing 


You can now use your mobile phone as a security key in the Advanced Protection Program for the enterprise. This means you can use your Android or iOS device’s built-in security key for 2-Step Verification, which makes it easier and quicker to protect high-risk users with our strongest account security settings.

Users can learn more and sign up for the Advanced Protection Program at g.co/advancedprotection

Who’s impacted 

Admins and end users

Why you’d use it 


The Advanced Protection Program for the enterprise enforces a package of several security policies, which can help protect the accounts of employees who are most at risk for targeted attacks. By adding the option to use your phone as a security key with this program, we hope more G Suite users will be able to take advantage of the protection it offers due to:

  • Simpler enrollment - Users can sign up quickly using devices they already have. 
  • Intuitive user experience - Users are familiar with the phone interface, and often already carry phones with them. 
  • Lower costs - This reduces the need to purchase security keys. 


Additional details 

Targeted attacks are sophisticated, low-volume, handcrafted attacks that are often carried out by highly motivated professional or government-backed groups. Employees at risk of targeted attacks who may benefit from the program include, for example, IT admins, executives, and employees in regulated industries such as finance or government.

The individual policies currently included in the Advanced Protection Program are also available to G Suite admins and users outside of the program. However, the Advanced Protection Program for the enterprise offers an easy-to-use bundle of our strongest account security settings.

Getting started 


Admins: By default, users will be able to sign up for the Advanced Protection Program. You can disable it at the OU level. Visit the Help Center to learn more about managing the Advanced Protection Program in your organization.

End users: Android users can go directly to g.co/advancedprotection to enroll their phone as a security key. iPhone users must first activate the security key with Google’s Smart Lock app, then enroll in the Advanced Protection Program.

Rollout pace 


  • This feature is available now for all users. 


Availability 


  • Available to all G Suite customers 


Resources 


Use an iPhone as a security key for 2-Step Verification

What’s changing

We’re adding an option to use your iPhone as a security key for your Google Account. Security keys provide the strongest form of 2-Step Verification (also known as two-factor authentication or 2FA) to help protect your account against phishing, and are an essential part of the Advanced Protection Program for the enterprise. To use your iPhone as a security key, you need to install the Google Smart Lock app.

Read more about this launch in our Security Blog post, or use our Help Center to learn more about security keys and 2-Step Verification. Also see our other announcement today - Use phones as security keys in the Advanced Protection Program.


Who’s impacted

Admins and end users


Why you’d use it

2-Step Verification adds another layer to your account security, making it more resistant to phishing and account takeover attacks. By adding the option to use iPhones as a security key, we’re making the strongest form of phishing protection more accessible and convenient. As a result, we hope you’ll be able to implement Advanced Protection in your organization more quickly, while also minimizing user training and overall costs.

We previously announced that you can use the security key built into your Android phone, in addition to physical security keys, including Google’s Titan Security Keys.

We also announced today that you can use phones as security keys in the Advanced Protection Program for the enterprise. We hope that these launches bring the added protection of security keys to more users, make it easier to enroll in the Advanced Protection Program, and help ensure that all users have access to more convenient forms of security.


Additional details


  • The iPhone security key is enabled through the Google Smart Lock app.
  • Installation of the Google Smart Lock app is only available on devices running iOS 10.0 and up.
  • The security keys on iPhones are compatible with Bluetooth-enabled Chrome OS (version 79 and up), iOS, macOS, or Windows 10 devices with a Chrome browser.


Getting started




Rollout pace

  • This feature is available now for all users

Availability


  • Available to all G Suite customers


Resources





Turning off less secure app access to G Suite accounts

What’s changing 

Starting in June 2020, we’ll limit the ability for less secure apps (LSAs) to access G Suite account data. LSAs are non-Google apps that can access your Google account with only a username and password. They make your account more vulnerable to hijacking attempts. Instead of LSAs, you can use apps that support OAuth—a modern and secure access method.

This is most likely to impact users of legacy email, calendar, and contacts apps—see below for more details. We’ve also emailed your organization’s primary admin with details around this change. That email includes a list of users who are likely to be affected.

Access to LSAs will be turned off in two stages:

  • After June 15, 2020 - Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off. 
  • After February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts. 


This is a continuation of our previously announced process to limit access to less secure apps to protect G Suite accounts. See below for more details on the possible impact of this change, and some recommendations for change management with users of LSAs.

Who’s impacted 

End users

Why this matters 

Many users use non-Google apps, and give those apps permission to access G Suite data. For example, you may give the iOS mail app permission to see your work email. This provides users with more options, and helps users get work done in a way that works well for them.

When account access is provided through an LSA, it puts that account at risk of hijacking. That’s because LSAs provide a non-Google app access to your account through just a username and password, without any other authentication factor. If a bad actor got access to your username and password (for example, if you re-use the password on another site that is subject to a data breach), they could access your account data with just that username and password information through an LSA.

However, when account access is provided through OAuth, we get more details about the login and can validate it the same way we would with any other login to your account. This means we can better identify and prevent suspicious login attempts, preventing hijackers from accessing the account data even if they have your username and password. OAuth also helps us enforce G Suite admin defined login policies, such as the use of security keys, as well as other security controls such as whitelisting apps and offering scope-based account access.

As we’re constantly working to improve the security of your organization’s G Suite accounts, we’ve made the decision to remove LSA access by February 15, 2021. Given the many alternative apps and processes available which do use OAuth (outlined below), we hope that this won’t cause significant disruption while increasing your account security.

How to get started 


  • Admins: 
    • See the “Additional details” section below for more information and recommended actions. 
    •  See the email sent to your organization’s primary admin with a subject line of “Switch to apps that use secure OAuth access, as password-based access will no longer be supported” for a list of users who are likely to be affected by the change. 
  • End users: See the “User information and advice” section below for more details and recommended actions, or use our Help Center to learn more about less secure apps and your Google account


Additional details 

Admin and developer information 

Mobile device management (MDM) configuration - If your organization uses a mobile device management (MDM) provider to configure CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) profiles, these services will be phased out according to the timeline below:

  • June 15, 2020 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for new users. 
  • February 15, 2021 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth. 


Scanners and other devices - No change is required for scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails. If you replace your device, look for one that sends email using OAuth.

Developer instructions - To maintain compatibility with G Suite accounts, update your app to use OAuth 2.0 as its connection method. To get started, follow our developer guide on using OAuth 2.0 to access Google APIs. You can also refer to our guide on OAuth 2.0 for mobile & desktop apps.
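As an added example (not code from the original post or from Google), here is what "IMAP with OAuth" looks like on the wire for a mail client, serving both the developer instructions above and the end-user advice to reconfigure IMAP clients for OAuth. The client proves possession of an OAuth 2.0 access token through the SASL XOAUTH2 mechanism instead of sending a password; the block builds the initial client response, parses and validates it as a server would, and simulates the success and failure exchanges, including the base64 JSON challenge a server returns for a rejected token. The user name, the token, and the simulated server are constructed for this example; the token is a placeholder, not a real credential.

```python
import base64
import json
from typing import Dict, List, Tuple

# Constructed sample values (not real credentials).
SAMPLE_USER = "alice@example.com"
SAMPLE_TOKEN = "ya29.sample-access-token"  # placeholder, not a real OAuth token


def xoauth2_raw(user: str, access_token: str) -> bytes:
    """Raw SASL XOAUTH2 client response before base64 encoding:
    "user=" user ^A "auth=Bearer " token ^A ^A   (where ^A is 0x01).
    imaplib.IMAP4.authenticate('XOAUTH2', lambda _: xoauth2_raw(...)) base64-encodes
    this itself, so pass the raw bytes there rather than the encoded string."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def build_xoauth2_initial_response(user: str, access_token: str) -> str:
    """Base64 form sent as:  <tag> AUTHENTICATE XOAUTH2 <this string>"""
    return base64.b64encode(xoauth2_raw(user, access_token)).decode("ascii")


def parse_xoauth2_initial_response(encoded: str) -> Dict[str, str]:
    """Server side: decode and validate a client response.
    Returns {"user": ..., "token": ...}; raises ValueError on malformed input."""
    try:
        raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("response is not valid base64/UTF-8") from exc
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing terminating ^A^A")
    fields: Dict[str, str] = {}
    for item in raw[:-2].split("\x01"):
        if "=" not in item:
            raise ValueError(f"malformed field {item!r}")
        key, value = item.split("=", 1)
        fields[key] = value
    if set(fields) != {"user", "auth"}:
        raise ValueError(f"unexpected fields {sorted(fields)}")
    scheme, _, token = fields["auth"].partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("auth must be 'Bearer <token>'")
    return {"user": fields["user"], "token": token}


def xoauth2_failure_challenge(status: int, scope: str) -> str:
    """Server side: base64 JSON challenge sent after a rejected token.
    The client answers with an empty line to receive the final NO."""
    body = {"status": str(status), "schemes": "bearer", "scope": scope}
    return base64.b64encode(json.dumps(body, separators=(",", ":")).encode()).decode("ascii")


def simulate_imap_xoauth2(user: str, token: str, valid_tokens: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the IMAP exchange as (direction, line) pairs against a simulated
    server that accepts only the tokens in `valid_tokens` (constructed, not Gmail)."""
    lines: List[Tuple[str, str]] = []
    initial = build_xoauth2_initial_response(user, token)
    lines.append(("C", f"a1 AUTHENTICATE XOAUTH2 {initial}"))
    try:
        parsed = parse_xoauth2_initial_response(initial)
    except ValueError as exc:
        lines.append(("S", f"a1 BAD {exc}"))
        return lines
    if valid_tokens.get(parsed["user"]) == parsed["token"]:
        lines.append(("S", "a1 OK Authenticated"))
        return lines
    # Token rejected: server issues a continuation challenge, client sends an
    # empty response, server finishes with NO.
    lines.append(("S", "+ " + xoauth2_failure_challenge(400, "https://mail.google.com/")))
    lines.append(("C", ""))
    lines.append(("S", "a1 NO Invalid credentials"))
    return lines


if __name__ == "__main__":
    store = {SAMPLE_USER: SAMPLE_TOKEN}  # constructed token store for the simulation
    for direction, line in simulate_imap_xoauth2(SAMPLE_USER, SAMPLE_TOKEN, store):
        print(f"{direction}: {line}")
    for direction, line in simulate_imap_xoauth2(SAMPLE_USER, "expired-token", store):
        print(f"{direction}: {line}")
```

Note that there is no password anywhere in the exchange: the bearer token is short-lived, is scoped (here to the mail scope), and is issued only after a sign-in that Google can subject to 2-Step Verification and admin login policies, which is exactly the property a password-only IMAP LOGIN lacks.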


End User information and advice 

If you are using an app that accesses your Google account with only a username and password, take one of the following actions to switch to a more secure method and continue to access your email, calendar, or contacts. If you do not take one of the following actions, when LSA access is discontinued after February 15, 2021, you will begin receiving an error message that your username-password combination is incorrect.

Email 

  • If you are using stand-alone Outlook 2016 or earlier, you can use G Suite Sync for Microsoft Outlook. Alternatively, move to Office 365 (which includes a web-based version of Outlook) or Outlook 2019, both of which support OAuth access. 
  • If you are using Thunderbird or another email client, re-add your Google Account and configure it to use IMAP with OAuth. 
  • If you are using the mail app on iOS or macOS, or Outlook for Mac, and use only a password to log in, you’ll need to remove and re-add your account. When you add it back, make sure to choose Google as the account type to automatically use OAuth. 


Calendar

  • If you use CalDAV to give an app or device access to your calendar, switch to a method that supports OAuth. We recommend the Google Calendar app [Web/iOS/Android] as the most secure app to use with your G Suite account. 
  • If your G Suite account is linked to the calendar app in iOS or macOS and uses only a password to log in, you’ll need to remove and re-add your account to your device. When you add it back, select “sign in with Google” to automatically use OAuth. Read more

Contacts 

  • If your G Suite account is syncing contacts to iOS or macOS via CardDAV and uses only a password to log in, you’ll need to remove your account. When you add it back, select “sign in with Google” to automatically use OAuth. Read More
  • If your G Suite account is syncing contacts to any other platform or app via CardDAV and uses only a password to log in, switch to a method that supports OAuth. 

Other less secure apps 

  • If you use other apps on iOS or MacOS that access your G Suite account information through only a password, most access issues can be resolved by removing then re-adding your account. When you add it back, make sure to select Google as the account type to automatically use OAuth. 
  • For any other LSA, contact your admin or ask the developer of the app you are using to start supporting OAuth. 
  • If the developer won’t update their app, you will need to switch to a client that offers OAuth.  


Helpful links 




Availability 

Rollout details - all domains 

  • After June 15, 2020 
    • Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off. 
    • MDM configuration of CalDAV or CardDAV will no longer work for new users. 
  • After February 15, 2021 
    • Access to LSAs will be turned off for all G Suite accounts. 
    • MDM configuration of CalDAV and CardDAV will no longer work for existing users. All existing users will be required to re-add their Google accounts if they wish to sync contacts, calendar, or email. 

G Suite editions 
Applicable to all G Suite editions

On/off by default?
This feature will be ON by default and can’t be turned off.

