You can migrate from the Classic SEG that is integrated with Google to SEG V2. SEG V2 does not support the credential impersonation as Classic SEG. Instead, SEG V2 uses the IP restriction that is configured in the Google Admin console. To support use-cases where users do not know their passwords, Workspace ONE can still provision passwords directly to devices. The information provided in this section helps you migrate from Classic SEG to SEG V2 with Google without service interruptions for your users.


  • Upgrade MEM configuration to SEG V2.
  • Install SEG V2.
  • Classic SEG services are not switched.

    For more information about migrating to SEG V2, see the Migration to SEG (V2 Platform) section of the VMware AirWatch Secure Email Gateway Guide.

Configure IP Restriction on Google Admin Console

Configure Google Sync to accept traffic only from SEG. Restricting the communication to SEG ensures that the devices that attempt to bypass SEG are blocked.

  1. Log into the Google Admin console.
  2. Navigate to Device Management > Advanced Settings > Google Sync .
  3. Select the IP Whitelist text box and enter the external SEG IPs that you want to whitelist.
  4. Select Save.

Configure Automatic Password Provision and Sync Passwords

When migrating from Classic SEG with Google to SEG V2 with Google, you are provided with an Automatic Password Provision feature. You can enable or disable the Password Provision as per your requirement.

  1. Navigate to Email > Email Settings and select Configure.The Add Email Configuration wizard displays.
  2. Select Add. The wizard displays Platform tab.
    1. From Deployment Model, select Proxy.
    2. From Gateway Platform, select V2.
    3. From Email Type, select Google and select Next. The Deployment tab opens and displays the basic settings.
  3. In the Google Apps Settings section, you can see that the Automatic Password Provision is in Enabled mode. This is because Classic SEG uses Automatic Password Provision when integrating with Google.
    1. If you are providing the SSO password and Google password to your device users, select Disable. The users must enter their credentials to access Google. When the automatic password management is disabled, the Google Sync password is managed within your organization, which provides more flexibility and control over the devices accessing Google.
    2. If you want to use password provision using the UEM console, keep the Automatic Password Provision Enabled. The information you have entered when configuring Classic SEG with Google is used to provision the Google Sync Password. The password provisioning works without any interruptions to the user experience.
  4. After selecting the required Automatic Password Provision setting, select Next to navigate through the wizard and select Finish.
  5. If you have disabled the Automatic Password Provision setting, navigate to the device List View and select Actions drop-down menu.
  6. Select Sync Passwords to synchronize the passwords on the device and Google Sync server. If you have kept the Automatic Password Provision enabled, the Sync Passwords function is not available from the Actions drop-down menu.
  7. To switch to SEG V2 with Google, restart the SEG service. For more information on stopping Classic SEG and starting SEG V2 service, see Migration to SEG (V2 Platform).