Workspace ONE UEM offers different deployment models to integrate Google Sync for your organization.

Types of Integration

Depending on the deployment method you choose, the Workspace ONE UEM server communicates with the Gmail server in one of the following ways:
  • Proxy deployment - The Workspace ONE UEM server communicates indirectly with the Google server through Secure Email Gateway (SEG).
  • Direct deployment - The Workspace ONE UEM server uses the Google directory APIs or the password management configurations.

SEG Proxy Integration With and Without Password Management

SEG V2 supports this configuration. This configuration type involves the SEG Proxy server residing between the Workspace ONE UEM server and the Gmail server. The SEG Proxy server ensures security by not allowing the enrolled devices to communicate directly with the Gmail server. With SEG, you get visibility of both the managed and unmanaged devices on the Email Dashboard. You can also leverage the available email policies.

Direct Integration with Directory APIs

In this configuration type, the Workspace ONE UEM server uses Google's directory APIs to manage email access on mobile devices.

Direct Integration using Password Management

Using the password provisioning configuration type, the Workspace ONE UEM server communicates directly with Google. Since the SEG server is not involved, this configuration uses password switching to block non-compliant devices. Based on your security needs, you may choose either to store or to purge the password in your database. There are two types of configuration available:

  • Integrating with password retention - Using this configuration, the Workspace ONE UEM server communicates with the Google server directly and retains the Google password in the database by default. You can manage and monitor enrolled devices through the Email Dashboard. Devices are deemed compliant or non-compliant based on the email compliance policies configured within the Workspace ONE UEM console.

    Whenever a device is non-compliant, Workspace ONE UEM resets the password on the Google server, preventing the user from logging in using another device. Once the device is back to compliant status, the old password is reset on the Google server and the user can gain access using the old password. By default, unmanaged devices are blocked.

  • Integrating without password retention - VMware AirWatch recommends using this configuration. Using this configuration, the Workspace ONE UEM server communicates with Google directly and does not store the user password in the database. You can manage and monitor enrolled devices through the Device Dashboard. Devices are deemed compliant or non-compliant based on the device compliance policies configured within the UEM console.

    Since the SEG server is not involved, this approach provides a way to block non-compliant devices and ensure password safety. Once a device is detected as non-compliant, Workspace ONE UEM removes the email profile from the device, thus barring the user from receiving emails. Once the device is back to compliant status, Workspace ONE UEM generates a new password and sends it to Google and on to the device through the email profile.