Workspace ONE offers several deployment models for integrating Google Sync with your organization.
The deployment method determines how the Workspace ONE server communicates with the Gmail server. In the Proxy deployment method, the Workspace ONE server communicates with the Google server indirectly, through SEG. The Direct deployment method uses either the Google directory APIs or the password management configurations.
SEG Proxy Integration with and without Password Management
Classic SEG and SEG V2 support this configuration. In this configuration type, the SEG Proxy server resides between the Workspace ONE server and the Gmail server. The SEG Proxy server ensures security by not allowing enrolled devices to communicate directly with the Gmail server. With SEG, you get visibility of both managed and unmanaged devices on the Email Dashboard. You can also leverage the available email policies.
Direct Integration with Directory APIs
In this configuration type, the Workspace ONE server uses Google's directory APIs to manage email access on mobile devices.
Direct Integration using Password Management
Using the password provisioning configuration type, the Workspace ONE server communicates directly with Google. Since the SEG server is not involved, this configuration uses password switching to block non-compliant devices. Based on your security needs, you may choose either to store the password in your database or to purge it. There are two types of configuration available:
- Integrating with password retention
- Integrating without password retention
Integrating with password retention
Using this configuration, the Workspace ONE server communicates with Google directly and retains the Google password in the database by default. You can manage and monitor enrolled devices through the Email Dashboard. Devices are deemed compliant or non-compliant based on the email compliance policies configured within the Workspace ONE UEM console (UEM console).
Whenever a device is non-compliant, Workspace ONE resets the password on the Google server, preventing the user from logging in using another device. Once the device is back to compliant status, the old password is restored on the Google server and the user can gain access using the old password. By default, unmanaged devices are blocked.
Integrating without password retention
VMware AirWatch recommends using this configuration. Using this configuration, the Workspace ONE server communicates with Google directly and does not store the user password in the database. You can manage and monitor enrolled devices through the Device Dashboard. Devices are deemed compliant or non-compliant based on the device compliance policies configured within the UEM console.
Since the SEG server is not involved, this approach provides a way to block non-compliant devices and ensure password safety. Once a device is detected as non-compliant, Workspace ONE removes the email profile from the device, thus barring the user from receiving emails. Once the device is back to compliant status, Workspace ONE generates a new password and sends it to Google and to the device through the email profile.
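The two password management flows described above, as a conceptual Python model added here (not VMware code and not the Workspace ONE or Google API). The class and method names, the in-memory dict standing in for the Google side, and the sample users and passwords are all assumptions; the model shows which secrets each variant leaves in the database.

```python
import secrets

class WithRetention:
    """Password switching; the user's Google password stays in the database."""
    def __init__(self, google):
        self.google, self.db = google, {}
    def enroll(self, user, password):
        self.db[user] = password                       # retained secret
        self.google[user] = password
    def on_noncompliant(self, user):
        self.google[user] = secrets.token_urlsafe(24)  # reset on Google: blocked everywhere
    def on_compliant(self, user):
        self.google[user] = self.db[user]              # old password put back

class WithoutRetention:
    """Generated password exists only on Google and in the device email profile."""
    def __init__(self, google):
        self.google, self.db, self.profiles = google, {}, {}
    def on_compliant(self, user, device):
        pw = secrets.token_urlsafe(24)                 # new password each time
        self.google[user] = pw
        self.profiles[device] = pw                     # sent in the email profile, never stored
    def on_noncompliant(self, user, device):
        self.profiles.pop(device, None)                # email profile removed from the device

def demo():
    google = {}  # constructed stand-in for the Google side: user -> password
    a = WithRetention(google)
    a.enroll("alice", "constructed-old-pw")            # constructed sample value
    a.on_noncompliant("alice")
    blocked = google["alice"] != "constructed-old-pw"
    a.on_compliant("alice")
    restored = google["alice"] == "constructed-old-pw"

    b = WithoutRetention(google)
    b.on_compliant("bob", "dev1")
    first = google["bob"]
    b.on_noncompliant("bob", "dev1")
    removed = "dev1" not in b.profiles
    b.on_compliant("bob", "dev1")
    rotated = google["bob"] != first and b.profiles["dev1"] == google["bob"]
    return {"blocked": blocked, "restored": restored, "removed": removed,
            "rotated": rotated, "db_with": dict(a.db), "db_without": dict(b.db)}

if __name__ == "__main__":
    print(demo())
```

In the model, a copy of the database taken under the retention variant contains the user's working Google password, while the variant without retention leaves nothing to recover there.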