Workspace ONE UEM offers different deployment models to integrate Google Sync for your organization.
Types of Integration
- Proxy deployment - The Workspace ONE UEM server communicates indirectly with the Google server through Secure Email Gateway(SEG.)
- Direct deployment - The Workspace ONE UEM server uses the Google directory APIs or the password management configurations.
SEG Proxy Integration With and Without Password Management
SEG V2 supports this configuration. This configuration type involves the SEG Proxy server residing between the Workspace ONE UEM server and the Gmail server. The SEG Proxy server ensures security by not allowing the enrolled devices to communicate directly with the Gmail server. With SEG, you get visibility of both the managed and unmanaged devices on the Email Dashboard. You can also leverage the available email policies.
Direct Integration with Directory APIs
In this configuration type, the Workspace ONE UEM server uses Google's directory APIs to manage email access on mobile devices.
Direct Integration using Password Management
Using the password provisioning configuration type, the Workspace ONE UEM server communicates directly with Google. Since the SEG server is not involved, this configuration uses password switching to block non-compliant devices. Based on your security needs, you may either choose to store or purge the password in your database. There are two types of configuration available:
- Integrating with password retention - Using this configuration, the Workspace ONE UEM server communicates with the Google server directly and retains the Google password in the database by default. You can manage and monitor enrolled devices through the Email Dashboard. Devices are deemed compliant or non-compliant based on the email compliance policies configured within the Workspace ONE UEM console console .
Whenever a device is non-compliant, Workspace ONE UEM resets the password on the Google server preventing the user to log in using another device. Once the device is back to compliant status, the old password is reset back on the Google server and the user can gain access using the old password. By default, unmanaged devices are blocked.
- Integrating without password retention: VMware AirWatch recommends using this configuration. Using this configuration, the Workspace ONE UEM server communicates with Google directly and does not store the user password in database. You can manage and monitor enrolled devices through the Device Dashboard. Devices are deemed compliant or non-compliant based on the device compliance policies configured within the UEM console .
Since the SEG server is not involved, this approach provides a way to block non-compliant devices and ensure password safety. Once a device is detected as non-compliant, Workspace ONE UEM removes the email profile from the device, thus barring the user from receiving emails. Once the device is back to compliant status, Workspace ONE UEM generates a new password and sends it to Google and onto the device through the email profile.
Configure Secure Email Gateway V2 With Workspace ONE UEM console
Integrating SEG (V2) Proxy with Google is a two-step process.
You must first configure the SEG (V2) Proxy using the UEM Console and then configure the IP restriction on the Google admin console.
Configure the various SEG (V2) settings such as email, external and server settings, and security information.
You must have downloaded the SEG server SSL certificate.
- Navigate to Configure. The Add Email Configuration wizard displays. and select
- Select Add. The wizard displays the Platform tab.
- From Deployment Model, select Proxy.
- From Gateway Platform, select V2.
- From Email Type, select Google and then select Next.The Deployment tab opens and displays the basic settings.
- Select the Friendly Name text box and enter a unique name.
- Configure the External Settings. Select the External URL and Port text box and enter the external URL and the port number to which Workspace ONE sends policy updates.The supported format is https://<external seg url>:<external port>.
- Configure the Server Settings.
- Enter the web listener port for SEG . By default, the port number is 443. If SSL is enabled for SEG, the SSL certificate is bound to this port.
- (Optional): From Terminate SSL on SEG, select Enable to bind the SSL certificate to the port.
- Select Upload Locally to upload the SSL certificate during installation. Use this setting when you do not have the certificate during MEM configuration. See, Configure the SEG V2 section in the Secure Email Gateway (SEG) V2 guide.The UEM console supports uploading the certificate locally for easy OTA installation. The certificate can also be provided during run-time.
- From SEG Server SSL Certificate, select Upload to add the certificate.The SSL certificate can be installed automatically, instead of providing it locally. This setting is useful for larger SEG deployments. An SSL certificate in the .pfx format with full certificate chain and private key included must be uploaded. See, Configure the SEG V2 section in the Secure Email Gateway (SEG) V2 guide.
- Configure the Email Server Settings. Select Email Server URL and Port and enter the Google server URL: https://m.google.com.This is the Google address to which the SEG will proxy ActiveSync requests.
- Configure Security Settings.
- From Ignore SSL Errors between SEG and email server, select Enable to ignore the Secure Socket Layer (SSL) certificate errors between the email server and SEG server.
- From Ignore SSL Errors between SEG and Workspace ONE UEM server, select Enable to ignore Secure Socket Layer (SSL) certificate errors between the Workspace ONE UEM server and SEG server.Establish a strong SSL trust between Workspace ONE UEM and SEG server using valid certificates.
- From Allow email flow if no policies are present on SEG , select Enable to allow the email traffic if SEG is unable to load the device policies from the Workspace ONE UEM APIs.By default, SEG blocks email requests if no policies are locally present.
- Configure Cluster Settings. From Enable Clustering, select Enable if you want to enable clustering of SEG servers. For more information, see Configure the V2 Platform section of the VMware AirWatch Secure Email Gateway guide.
- (Optional): Configure the Automatic Password Provision setting in Google Apps. Skip this step if you provide the Google password to your device users or if they are provided with their SSO password that is the same as the Google password.The Automatic Password Provision setting is deactivated by default because it is considered to be more stable when the Google password is managed within your organization.
- If you do not provide native passwords to device users, or if they are only provided with SSO password and the primary directory is not Google, select Enabled.When enabled, the UEM console provisions the Google for your users.
- Enter the following information for the UEM console to provision the Google password:
Setting Description Google Apps Domain Google Apps domain address. Google Apps Sub-Domain Google Apps sub-domain address. Google Apps admin username Complete URL as the Google Apps Admin user name. Service account certificate Click Upload to upload to the Service account certificate. Enter the certificate password when prompted. The certificate password is created when generating the client ID on the Google console. Directory service account email address Directory service account email address that is generated while creating the Service Account Certificate. Application Name Specify the project name created earlier. Google User Email Address Certificate attribute which holds the email address of the user.
- Enter the required settings in the Profiles tab and click Next.
For more information on the settings in the Profiles tab, see the Configure the V2 Platform section of the VMware AirWatch Secure Email Gateway guide.
- Click Finish.
What to do next
Configure IP Restriction on the Google Admin Console to complete the integration of SEG (V2) proxy with Google.
Configure Advanced Settings
Configure advanced settings to complete the process of integrating SEG Proxy with Google Sync.
Complete the SEG Proxy settings configuration before configuring the advanced settings.
- Navigate to Email > Settings page and then select the icon next to the required Google Sync deployment.
Note: By default, the Use Recommended Settings check box is enabled to capture all SEG traffic information from devices. If not enabled, you can specify what information and how frequently the SEG should log for devices.
- Select the Enable Real-time Compliance Sync option to enable the UEM console to remotely provision compliance policies to the SEG Proxy server.
- Click Save.
Configure IP Restriction on Google Admin Console
Configure Google Sync to accept traffic only from SEG. This restricts the communication to SEG and ensures that the devices that attempt to bypass SEG are blocked.
You must have configured SEG V2 settings on the UEM console.
- Log into the Google Admin console and navigate to
- Select the Google Sync IP Whitelist text box and enter the external SEG IPs that you want to allowlist.
- Click Save.
Integrate Direct Model using Password Management
While configuring your Gmail deployment using the Password Management approach, you can choose to retain or not retain the Google password in the Workspace ONE database.
The non-compliant devices are blocked depending on whether you chose to retain the password or not. The devices are blocked either by resetting the password on the Google server or by removing the email profile from the device.
- From the UEM console main menu, navigate to Configure. , and then select
- Set these requirements in the Platform wizard form.
- Select Direct as the Deployment Model.
- Select Google Apps using Password Provisioning as the Email Type.
- Select With Password Retention or Without Password Retention as the Google Deployment Type.
- Select Next.
- In the Deployment wizard form, complete the following options.
Setting Description Friendly Name Enter a friendly name for the Gmail deployment. Google Apps Domain Enter the registered Google Apps domain address. Google Apps Sub-Domain Enter the Google Apps sub domain address, if applicable. Google Apps Admin Username Enter the full email address in the Google Apps Admin Username field. Service Account Certificate (*.p12) Upload the Service account certificate. Enter the certificate password when prompted. The certificate password is created while generating the Service Account client ID on the Google console. Directory service account email address Enter the Service Account email address that was generated while creating the Service Account Certificate. Application Name Enter the project name that you had created earlier.
- Select Next.
- In the Profiles wizard form, create a new profile or associate an existing profile. Select Next. Result: The MEM Config Summary form provides a quick overview of the basic configuration you have just created for the Gmail deployment.
- Save the settings.
What to do next
After configuring your Gmail deployment, configure the advanced settings for the deployment.
Configure Gmail Deployment With Password Retention
If you have chosen to retain the password, then you can configure the settings to set up the preferred password length.
You must have configured the initial Gmail deployment settings.
Workspace ONE UEM does not provision passwords for newly enrolled devices or modifies the password for the devices that change status when the email compliance policies are deactivated.
- Navigate to the .
- Deactivate the Use Default Settings to enter the preferred length of the password in the Google Random Password Length field.
By default, the Use Default Settings check box is enabled. Minimum accepted character is 8 and maximum is 100.
- Select the Rotate Profiles on Unenrollment check box to automatically rotate the password and profiles of the existing devices whenever a device is unenrolled.
Also, if an administrator needs to manually rotate profiles and passwords outside of enrollment or compliance, then navigate to the MORE ACTIONS, and select the Rotate G Suite password option., select a user, click
- Click Save.
Configure Gmail Deployment Without Password Retention
If you have chosen not to retain the password in the Workspace ONE UEM database, deactivate the default settings which encrypts and stores the Google password in the Workspace ONE UEM database.
The Email Compliance policies are not applicable for this type of integration. By default, unmanaged devices are blocked.
You must have configured the initial Gmail settings.
- Navigate to .
- Deactivate the Use Recommended Settings check box to configure the Google Apps Settings options. By default, this option is enabled to encrypt and to store the Google password in the Workspace ONE UEM database.
If a user has two devices enrolled and one of the devices unenrolls, the Google password resets and a new generated password is pushed to the device that is enrolled.
- Once you deactivate the Use Default Settings check box, configure the options.
Setting Description Google Random Password Length Enter the preferred random password length. Minimum accepted character is 8 and maximum is 100. Password Retention Period Enter the number of hours the password should be retained temporarily for management purposes. The retention ensures that all the enrolled devices belonging to a user receives the password. The default value is 48. The minimum accepted character is 1 and maximum is 100. Auto-rotate Google Password Select this check box to reset the password once within the specific period. The Scheduler runs to check if any user's password need to be reset within the specified period. The minimum accepted character is 1 and maximum is 90. Auto-rotate Google Password Period Enter the specific period to reset the Google password. The default period is 30 days.
- Click Save.
Integrate Direct Model Using Directory APIs
Workspace ONE UEM manages email access on mobile devices without any password management by using Google's Directory APIs.
Enabling device activation blocks any unmanaged devices from accessing email. Workspace ONE UEM checks with Google for a device account during enrollment when the profile is pushed onto the device:
- If the enrolled device has an account, Google sends a positive response to Workspace ONE UEM. Workspace ONE UEM then sends an approve command to Google to allow email access.
- After the device enrolls, the profile is already installed on the device, and any attempt to connect, creates a device record in Google. When the Google scheduler runs at a default interval of five minutes, the device is identified and allowed for email access. The Email Dashboard is then updated with the 'Scheduled Sync Update'.
- If the device fails to be identified by the scheduler after two days, then the end user must login to SSP and select Sync Email for the device to receive email access.
You can also revoke access for Google accounts if an account violates compliance using the Token Revocation option on the Email Settings page.
Your device must have a Google account. If your device does not have a Google account setup before enrolling in Workspace ONE UEM, then updates cannot be completed successfully and the Email Dashboard on Workspace ONE UEM is updated with a "Failed" message.
- Enable Device Activation on the Google Admin console:
- On the Google Admin console, navigate to
- On the Setup page, select Device Activation.
- Select an organization from the left panel and then select Require admin approval for device activation.
- (Optional): Enter an email address to receive notifications when users enroll their devices. You can also enter a group email address that includes all the administrators who can activate the devices.
- Configure Direct APIs Deployment Type on the UEM console:
- Navigate to Configure.The Email Config Add wizard displays. and select
- Select Direct for the Deployment Model.
- Select Google Apps with Direct API as the Email Type.
- Click Next.
- In the Deployment Wizard form, enter the following settings:
Setting Description Friendly Name Friendly name for the Gmail deployment. Google Apps Domain Domain address Google Apps Sub-Domain Sub-domain address Google Apps Admin Username Complete email address Service account certificate (*.p12) Upload the Service account certificate. Enter the certificate password when prompted. The certificate password is created while generating the Service Account client ID on the Google console.The type, validity, and thumbprint of the certificate is displayed. Directory service account email address Service Account email address. Application Name Project name created earlier. Enable Token Revocation
Toggle Enable to make available the Revoke Google Token action within MDM compliance policies.
The Revoke Google Token message is displayed on the MDM compliance policy page.Note: This option can only be enabled for one MEM configuration at a time.
Automatically revoke when wiping devices Check this box to revoke G Suite token for the user upon unenrollment.
What to do next
If you have enabled token revocation, and the MDM policy is also set to revoke G Suite tokens under Edit Device Policy, the token will be revoked for a non-compliant user. If you have also enabled the Automatically revoke when wiping devices option, the G Suite token will be revoked for the device when the device is unenrolled. See the Mobile Email Management guide.