To manage Google users, Workspace ONE UEM requires a Google administrator account with specific privileges. Either a super admin account or an administrator account assigned a custom role with the privileges listed below can be used.

Note: If you choose to use a super admin account, skip to step 5.

Note: Use a service account if you do not want Workspace ONE UEM to change or revoke the admin password from the Google console.
  1. Log into your Google dashboard and navigate to Admin Roles.

    Google admin console dashboard screen

  2. Select Create A NEW ROLE.

Result: The Create New Role form displays.

    Admin roles screen in the Google admin console dashboard

  3. Enter the Name and Description for the role, and then select Create.

    Create a new role screen in the Google admin console dashboard

  4. On the Privileges tab, select the privileges for the new role.

    The required privileges include:

    • Admin console Privileges

      • Organization Units - Read
      • Users - Read
      • Users - Update: Rename users, Move users, Reset Password, Force Password, Add or Remove Aliases, Suspend Users
      • User Security Management - required only if the admin with the custom role must be able to revoke Google tokens; enable it under both Admin console privileges and Admin API privileges.
      Admin console privileges for the new role
    • Admin API Privileges
      • Organization Units - Read
      • Users - Read
      • Users - Update: Rename users, Move users, Reset Password, Force Password, Add/Remove Aliases, Suspend Users
      • User Security Management - required only if the admin with the custom role must be able to revoke Google tokens; enable it under both Admin console privileges and Admin API privileges.
      Admin API privileges for the new role

    Grant nothing beyond this list. The role can reset passwords and suspend users, so assign it to a dedicated integration account rather than to a person's everyday admin account.
  5. Select Save.
  6. Select the Admins tab, then Assign admins to assign the created role to an administrator, and then select Confirm Assignment.

    Assign admin roles screen

Enable the Google API

Use the Google control panel to enable the Google API.

For Workspace ONE UEM to provision users' passcodes, enable the Google API using the Google control panel. This step is optional for the Direct Integration with Directory API configuration type.

Procedure

  1. Sign in to the Google Admin console.
  2. Once logged in, navigate to Security > API Reference.
  3. Check Enable API access.
  4. Click Save.

    Enable Google API access using the Google control panel

Create a Service Account Certificate

The Service Account Certificate is required to use the Google APIs. You create the certificate from the Google Developers console and then upload it to the UEM console while configuring the email integration. The certificate file contains the service account's private key; once domain-wide delegation is enabled (step 10), anyone holding that file can act as any user in the domain for the authorized API scopes, so store it as carefully as an admin password.

Procedure

  1. Navigate to https://console.developers.google.com and log in using your super admin credentials. The API Dashboard page is displayed.

    Google APIs dashboard

  2. Select the projects list drop-down menu and then select + to create a project.
  3. Enter the Project name and select Create. The project ID is generated.

    Google API new project

    Note: The project ID cannot be changed after the project is created. If you want a different project ID, select Edit before creating the project.
  4. Select Enable API.

    Google APIs dashboard enable API screen

  5. Select Library from the API Manager sidebar. The list of Google APIs is displayed.
  6. Select Admin SDK under G Suite APIs and then select Enable.
  7. Select Credentials from the API Manager sidebar.
    1. On the Credentials page, select Create credentials and then select Service account key.
    2. Select New service account from the Service account drop-down menu and provide the Service account name, Service account ID, and the Role for the service account email address.
    3. Select P12 as the Key type.
    4. Select Create. The new service account is created and the .p12 file containing the private key is downloaded; save it on your machine and make a note of the password displayed for the private key. Google does not keep a copy of the private key, so a lost file means creating a new key.
  8. Select Manage service accounts on the credentials page.

    Manage service account keys

  9. Select the service account you created and then select Edit from the corresponding menu.

    Edit service account

  10. Check the Enable G Suite Domain-wide Delegation check box. Click Save. Domain-wide delegation lets the service account obtain tokens on behalf of any user in the domain, limited only by the API scopes you authorize in step 15, so authorize exactly the scopes listed there and no more.

    Enable G Suite domain-wide delegation and create a service account

    The Client ID is now generated and View Client ID appears under the Options for your service account on the Service accounts page. Currently, there is no way to delete a Client ID once it is generated; the only alternative is to delete and re-create the whole project. Select View Client ID to view the generated Client ID and the service account email address.

  11. Navigate to the Google Admin Console https://admin.google.com and login with your super admin credentials.
  12. Select Security > Advanced Settings.
  13. Select Manage API client Access hyperlink from the Advanced settings pop-up menu.

    Manage API client access advance settings

  14. Enter the Client ID generated in step 10 in the Client Name field.
  15. Authorize your client ID for the required API scopes. In the One or More API Scopes field, enter the following scopes as a single comma-delimited string containing no spaces, and then select Authorize:

    https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,https://www.googleapis.com/auth/admin.directory.device.mobile.action,https://www.googleapis.com/auth/admin.directory.user.security

    Note: The API scopes must be added as a comma-delimited string containing no spaces.

    Manage API client access
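The following is an added example (not code from this page, VMware, or Google) showing what steps 7 through 15 set up on the wire: the JWT assertion a delegated service account presents to Google's token endpoint, with the impersonated admin in `sub` and the authorized scopes in `scope`, plus a small audit that checks a captured assertion against the scopes authorized in step 15. The service account email and admin address are placeholders. Google only accepts RS256 signatures made with the private key from the downloaded .p12; the HMAC routine used in `demo()` is a stand-in so the block runs offline, and in production `sign` would be an RSA-SHA256 routine from a library such as `cryptography`.

```python
import base64
import hashlib
import hmac
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"

# The five scopes authorized in the Admin console in step 15.
AUTHORIZED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.device.mobile.readonly",
    "https://www.googleapis.com/auth/admin.directory.device.mobile.action",
    "https://www.googleapis.com/auth/admin.directory.user.security",
)

# Placeholder identities (assumptions, not values from this page).
SERVICE_ACCOUNT = "uem-sync@example-project.iam.gserviceaccount.com"
DELEGATED_ADMIN = "uem-admin@example.com"


def console_scope_string(scopes):
    """The form the Admin console field expects: comma-delimited, no spaces."""
    return ",".join(s.strip() for s in scopes)


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj):
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def build_assertion(sa_email, subject, scopes, sign, alg="RS256", now=None, lifetime=3600):
    """Assemble the JWT a delegated service account sends to TOKEN_URI.

    `sub` names the admin being impersonated under domain-wide delegation.
    Note the `scope` claim is space-delimited, unlike the console field.
    `sign` must be RS256 over the .p12 private key for Google to accept it.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    claims = {
        "iss": sa_email,
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
    }
    signing_input = _b64url(_compact(header)) + "." + _b64url(_compact(claims))
    return signing_input + "." + _b64url(sign(signing_input.encode("ascii")))


def token_request_body(assertion):
    """Form fields POSTed to TOKEN_URI to exchange the assertion for an access token."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": assertion,
    }


def audit_assertion(token, sa_email, delegated_admin, authorized=AUTHORIZED_SCOPES):
    """Check a captured assertion's claims; returns findings (empty means clean).

    Only the claims are checked. Verifying the RS256 signature needs the
    service account's public key and is not done here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed JWT: expected three dot-separated segments"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    findings = []
    if header.get("alg") != "RS256":
        findings.append("alg %s is not RS256" % header.get("alg"))
    if claims.get("iss") != sa_email:
        findings.append("iss %r is not the expected service account" % claims.get("iss"))
    if claims.get("aud") != TOKEN_URI:
        findings.append("aud %r is not the Google token endpoint" % claims.get("aud"))
    if claims.get("sub") != delegated_admin:
        findings.append("impersonates %r, expected %r" % (claims.get("sub"), delegated_admin))
    extra = sorted(set(claims.get("scope", "").split()) - set(authorized))
    if extra:
        findings.append("scopes not authorized in the Admin console: " + ", ".join(extra))
    if claims.get("exp", 0) - claims.get("iat", 0) > 3600:
        findings.append("lifetime exceeds the 1 hour maximum Google accepts")
    return findings


def demo():
    """Offline run with a constructed HMAC stand-in signer (NOT what Google accepts)."""
    def stand_in(data):
        return hmac.new(b"constructed-demo-key", data, hashlib.sha256).digest()
    group_scope = "https://www.googleapis.com/auth/admin.directory.group"
    good = build_assertion(SERVICE_ACCOUNT, DELEGATED_ADMIN, AUTHORIZED_SCOPES, stand_in, now=1700000000)
    over_broad = build_assertion(SERVICE_ACCOUNT, DELEGATED_ADMIN, AUTHORIZED_SCOPES + (group_scope,),
                                 stand_in, now=1700000000)
    wrong_alg = build_assertion(SERVICE_ACCOUNT, DELEGATED_ADMIN, AUTHORIZED_SCOPES, stand_in,
                                alg="HS256", now=1700000000)
    return {
        "good": audit_assertion(good, SERVICE_ACCOUNT, DELEGATED_ADMIN),
        "over_broad": audit_assertion(over_broad, SERVICE_ACCOUNT, DELEGATED_ADMIN),
        "hs256": audit_assertion(wrong_alg, SERVICE_ACCOUNT, DELEGATED_ADMIN),
    }


if __name__ == "__main__":
    print(console_scope_string(AUTHORIZED_SCOPES))
    for name, findings in demo().items():
        print(name, findings or "clean")
```

The audit is the part worth keeping: a scope in the assertion that was never authorized in step 15 is exactly the over-privilege that domain-wide delegation makes possible, and the 1 hour lifetime and `aud` checks catch assertions that were built for something other than Google's token endpoint.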