Using Google's Directory APIs, Workspace ONE manages email access on mobile devices without any password management. Before you configure the deployment type on the UEM console, you must also enable certain options on the Google Admin console if you use the Directory APIs model.
Enable Device Activation
In addition to configuring the deployment type on the UEM console, you must first enable the Device Activation option on the Google Admin console. Enabling this option blocks any unmanaged devices from accessing email.
Workspace ONE recommends that you do not enable the Device Activation setting until you are ready to go live with the email integration. Enabling it before the integration blocks new devices and causes related problems.
To enable Device Activation, do the following:
- On the Google Admin console, navigate to Device management > Mobile > Setup.
- On the Setup page, select Device Activation.
- Select an organization from the left panel and then select the Require admin approval for device activation check box.
- (Optional) Enter an email address to receive notifications when users enroll their devices. You can also enter a group email address that includes all the administrators who can activate the devices. Select Save.
Workspace ONE checks with Google for a device account during enrollment when the profile is pushed onto the device:
- If the enrolled device has an account, Google sends a positive response to Workspace ONE. Workspace ONE then sends an approve command to Google to allow email access.
- If the device does not have a Google account set up before it enrolls in Workspace ONE, Google sends a negative response and Workspace ONE updates the Email Dashboard to 'Update Failed' for that device. After the device enrolls, the profile is already installed on the device, and any attempt to connect creates a device record in Google. When the Google scheduler runs at its default interval of five minutes, the device is identified and allowed email access. The Email Dashboard is then updated with 'Scheduled Sync Update'.
- If the scheduler fails to identify the device after two days, the end user must log in to SSP and select Sync Email for the device to receive email access.
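An added example, not part of the original page or of Workspace ONE: a Python audit that classifies records shaped like the Admin SDK Directory API `mobiledevices` resource against the five-minute and two-day timings described above. The sample records, the UEM inventory set, matching on `deviceId`, and treating `firstSync` as the age of the device record are assumptions.

```python
from datetime import datetime, timedelta, timezone

SCHEDULER_INTERVAL = timedelta(minutes=5)  # default scheduler interval (from this page)
SYNC_CUTOFF = timedelta(days=2)            # after this the user must run Sync Email in SSP

def parse_ts(value):
    # Directory API timestamps are RFC 3339 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit(devices, enrolled_ids, now):
    """Map resourceId -> finding for devices whose state needs attention."""
    findings = {}
    for dev in devices:
        status = dev.get("status")
        managed = dev.get("deviceId") in enrolled_ids  # assumed correlation key
        age = now - parse_ts(dev["firstSync"])         # assumed proxy for record age
        if status == "APPROVED" and not managed:
            finding = "approved-but-unmanaged"   # email access without UEM enrollment
        elif status != "PENDING":
            continue
        elif not managed:
            finding = "pending-unmanaged"        # held by Device Activation, as intended
        elif age > SYNC_CUTOFF:
            finding = "needs-ssp-sync-email"     # scheduler never picked it up
        elif age > SCHEDULER_INTERVAL:
            finding = "scheduler-missed"         # enrolled, at least one run has passed
        else:
            continue                             # inside the normal five-minute window
        findings[dev["resourceId"]] = finding
    return findings

# Constructed sample data, shaped like a mobiledevices.list response
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
ENROLLED = {"d1", "d3", "d4", "d6"}  # hypothetical UEM inventory export
DEVICES = [
    {"resourceId": "r1", "deviceId": "d1", "status": "APPROVED", "firstSync": "2024-05-01T09:00:00.000Z"},
    {"resourceId": "r2", "deviceId": "d2", "status": "APPROVED", "firstSync": "2024-05-02T09:00:00.000Z"},
    {"resourceId": "r3", "deviceId": "d3", "status": "PENDING", "firstSync": "2024-05-10T11:58:00.000Z"},
    {"resourceId": "r4", "deviceId": "d4", "status": "PENDING", "firstSync": "2024-05-07T12:00:00.000Z"},
    {"resourceId": "r5", "deviceId": "d5", "status": "PENDING", "firstSync": "2024-05-10T11:00:00.000Z"},
    {"resourceId": "r6", "deviceId": "d6", "status": "PENDING", "firstSync": "2024-05-10T11:00:00.000Z"},
]

if __name__ == "__main__":
    for rid, finding in audit(DEVICES, ENROLLED, NOW).items():
        print(rid, finding)
```

An `approved-but-unmanaged` finding is the one to investigate first, because it means a device has email access that Device Activation was meant to withhold.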
Configure Deployment on UEM Console
After you have enabled the options on the Google Admin console, configure the Direct APIs deployment type on the UEM console.
To configure the deployment:
- Navigate to Email > Email Settings and select Configure. The Email Config Add wizard displays.
- In the Platform wizard form:
  - Select Direct as the Deployment Model.
  - Select Google Apps with Direct API as the Email Type.
  - Select Next.
- In the Deployment wizard form:
| Section | Setting | Description |
| --- | --- | --- |
| | Friendly Name | Enter a friendly name for the Gmail deployment. |
| Google Apps Settings | Google Apps Domain | Enter the registered Google Apps Domain address. |
| Google Apps Settings | Google Apps Sub-Domain | Enter the Google Apps sub domain address. |
| Authentication | Google Apps Admin Username | Enter the full email address in the Google Apps Admin username field. |
| Google Apps Directory APIs Integration | Service account certificate (*.p12) | Upload the Service account certificate. Enter the certificate password when prompted. The certificate password is created while generating the Service Account client ID on the Google console. |
| Google Apps Directory APIs Integration | Directory service account email address | Enter the Service Account email address. |
| Google Apps Directory APIs Integration | Application Name | Enter the project name that you created earlier. |