Adding a Google Workspace device manager
Use this task to configure Google Workspace as your device manager.
Before you begin
Note: The mtlsidaas global tenants for device managers are now deprecated and will
be removed after March 2024. Go to Obtaining a vanity hostname to request a
vanity domain. For more information, see Adding a device manager.
- You must have administrative permission to complete this task.
- Log in to the IBM® Security Verify administration console as an Administrator.
Procedure
- Select Authentication > Device managers.
- Select Add device manager.
- Select the Google Workspace as the type of device manager that you want to set up.
- Select Next.
- On the General settings page, provide the following information.
- Enter the Device manager name in the provided field.
- Select the Identity provider from the menu.
- Select the Trust type from the menu. For the Device trust selection, users must log in with their configured first-factor authentication mechanism; Device trust only confirms whether the authentication was done from a managed device.
Note: The Device trust feature CI-114829 can be enabled upon request. To request this feature, contact your IBM Sales representative or IBM contact and indicate your interest in enabling this capability. Create a support ticket if you have permission. IBM Security Verify trial subscriptions cannot create support tickets.
- Select whether to enable just-in-time provisioning for user accounts.
Note: Just-in-Time (JIT) provisioning for user accounts applies only to the User and device trust selection.
- Select the Client certificate validity period. By default, the selection is 3 years.
- Specify the maximum number of certificates for each device.
- Specify how many minutes that the user and device information is kept.
- Select Next.
- On the API credentials page, enter the API details of your application in Google Workspace.
- If you already have the application, select Form only.
- Provide the application ID, secret, and the tenant name.
- Select Unique user identifier from a predefined list of attributes, or select Custom Rule to specify attribute mappings. If you select to use a custom rule, you can add custom attributes and a rule. Type the rule to compute the attribute value. For example, requestContext.email[0].split('@')[0]
Note: The custom rule selection is not applicable to Device trust. However, you can enter the appropriate attribute in the provided field.
- Select Test credentials to verify your credentials.
- Select Next.
- If you are creating an application, select Show with steps and follow the instructions.
- Go to https://support.google.com/a/answer/7378726 to create a service account.
Note: Complete steps 1, 2, and 4 on the Create a service account page.
- Turn on the APIs for the service account.
- Check the box that is next to your new project.
- Click APIs & Services and then Library. You might have to click Menu first.
- For each API that you require, click the API name and then click Enable. The required API is Admin SDK.
- If you can't find the API, specify the API name in the search box.
- Delegate domain-wide authority to the service account. A super administrator of the Google Workspace domain must complete the following steps.
- From your Google Workspace domain's Admin console, go to Main menu > Security > Access and data control > API controls.
- In the Domain wide delegation page, select Manage Domain Wide Delegation.
- Click Add new.
- In the Client ID field, enter the service account's client ID.
Note: You can find your service account's client ID on the Service accounts page.
- In the OAuth scopes field, enter the list of scopes that your application can be granted access to. Enter: https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly.
- Click Authorize.
- Click Next.
- On the User properties page (shown for the User and device trust selection) or the Device properties page (shown for the Device trust selection), map the device manager attributes to IBM Security Verify attributes. Map at least one attribute to an IBM Security Verify attribute and specify how to store the attribute.
Note: Attribute names are case-insensitive and duplicate attributes are not allowed.
- Specify the attribute name as it appears in Google Workspace.
- Optional: Select a transform from the menu.
- Required: Select the Verify attribute that you want to map the attribute to.
- Select how you want to store the attribute in the user's profile.
- Optional: Click Add attributes. If you select to use a custom rule, you can add custom attributes one at a time and a rule. Type the rule to compute the attribute value. For example, idsuser.email[0].split('@')[0]
Click Run test to make sure the rule works.
- Click OK.
- Click Next.
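The two attribute rules on this page (requestContext.email[0].split('@')[0] for the unique user identifier and idsuser.email[0].split('@')[0] for user properties) can be exercised offline before you click Run test. The following is an added example, not code from IBM Security Verify or Google; it assumes a rule is a JavaScript expression over named context objects and does not reproduce the real rule engine or its sandboxing. It also shows the two failure modes a practitioner should check: a missing email attribute makes the rule throw, and the local part of an email is not unique across domains.

```javascript
// Added example; not IBM Security Verify or Google code. Assumption: a rule is
// a JavaScript expression over named context objects (requestContext, idsuser).
// The real Verify rule engine and its sandboxing are not reproduced here.

// Evaluate a rule expression against a map of named context objects.
function evaluateRule(rule, context) {
  const names = Object.keys(context);
  const fn = new Function(...names, `"use strict"; return (${rule});`);
  return fn(...names.map((n) => context[n]));
}

// Run a rule and report a value or the error it threw (for example, when the
// email attribute is absent, so email[0] is undefined and .split fails).
function runRule(rule, context) {
  try {
    return { ok: true, value: evaluateRule(rule, context) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Defensive form of the local-part rule: returns null instead of throwing when
// the email attribute is missing, empty or has no '@'.
function localPart(emails) {
  const email = Array.isArray(emails) ? emails[0] : undefined;
  if (typeof email !== "string" || !email.includes("@")) return null;
  return email.split("@")[0];
}

// The local part alone is not unique across domains: jdoe@a.example and
// jdoe@b.example map to the same identifier. Report identifiers that more than
// one address maps to, so the rule can be checked against a user list.
function findCollisions(emails) {
  const byId = new Map();
  for (const e of emails) {
    const id = localPart([e]);
    if (id === null) continue;
    byId.set(id, (byId.get(id) || []).concat(e));
  }
  return [...byId].filter(([, list]) => list.length > 1).map(([id]) => id);
}

// Constructed sample inputs (not real tenant data).
const RULE_REQUEST = "requestContext.email[0].split('@')[0]";
const RULE_USER = "idsuser.email[0].split('@')[0]";
const sampleRequest = { requestContext: { email: ["jdoe@example.com"] } };
const sampleUser = { idsuser: { email: ["asmith@example.org"] } };
```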
- Create the root certificate profile. Follow the instructions that are provided.
- Download the root and intermediate certificate .zip files that are provided.
- In your Google Admin console (at admin.google.com), go to Menu > Devices > Networks > Certificates.
- Extract the trusted-certificates.zip file that you downloaded from the IBM Security Verify tenant in the previous steps.
- Note: To apply the setting to everyone, leave the parent organizational unit selected. Otherwise, select a child organizational unit. Click Add Certificate. Certificate name: <Provide a descriptive name>.
- Upload the root certificate that you downloaded in Step 1.
- In the Certificate authority section, select the Chromebook checkbox.
- Click Add.
- Repeat steps 2-7 for the intermediate certificate.
- Select Next.
- On the SCEP certificate profile page, enter the API details of your application.
- If you already have a SCEP certificate profile, select Values only and use the following values to create the SCEP certificate profile.
- Common name.
- Company name.
- Organizational unit.
- ChromeOS SCEP URL.
- Select Next.
- If you are creating a SCEP certificate profile, select Show with steps and follow the instructions.
- In your Google Admin console (at admin.google.com), go to Menu > Devices > Networks.
- Click the section that is associated with Secure SCEP.
- Click ADD SECURE SCEP PROFILE.
- Use the following configuration settings:
- Device platforms: Chromebook (user).
- SCEP profile name: a descriptive name for the profile. The name is shown in the list of profiles.
- Subject name format: select Fully Distinguished Name and provide the configuration values.
- Subject alternative name: the default is none. To specify email, select Custom, click Add attribute, select RFC822 as the Subject alternative name type, and provide the value ${USER_EMAIL}.
- Signing algorithm: SHA256withRSA.
- Key usage: Key encipherment, Digital signature.
- Key size (bits): 2048.
- Security: select Strict or Relaxed.
- SCEP server attributes:
- SCEP server URL: use the SCEP URL value that is provided by your Verify tenant.
- Certificate validity period: specify a suitable validity period or leave the default value.
- Renew within days: specify a suitable renewal window in days or leave the default value.
- Challenge type: select the Static checkbox and provide a suitable password.
- Certificate authority: select the intermediate certificate profile that you created in the previous step.
- Click Save.
- Select Next.
- Configure Google Cloud Certificate Connector. Follow step 1 mentioned in the link: https://support.google.com/chrome/a/answer/11053129?hl=en
- Test the configuration. Follow the instructions.
- Select Complete setup.
- Review your settings.
- Select Save changes.