Workspace ONE UEM manages email access on mobile devices without any password management by using Google's Directory APIs.
- If the enrolled device has an account, Google sends a positive response to Workspace ONE UEM. Workspace ONE UEM then sends an approve command to Google to allow email access.
- After the device enrolls, the profile is already installed on the device, and any attempt to connect creates a device record in Google. When the Google scheduler runs at a default interval of five minutes, the device is identified and allowed email access. The Email Dashboard is then updated with the 'Scheduled Sync Update'.
- If the device fails to be identified by the scheduler after two days, then the end user must log in to SSP and select Sync Email for the device to receive email access.
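The approval flow described above, modelled as an added example (not VMware or Google code): it sorts Google Directory `mobiledevices` records in `PENDING` state into those to approve, those to retry on the next scheduler run, and those that need the user to select Sync Email. Matching on `deviceId`, the `enrolled` structure and the bucket names are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# From the page: after two days without identification, the user must select Sync Email.
MANUAL_SYNC_AFTER = timedelta(days=2)

def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2024-05-03T11:57:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def reconcile(google_devices, enrolled, now):
    """Bucket PENDING Google device records for one scheduler run.

    enrolled: {user email: set of deviceId values enrolled in UEM} (assumed matching key).
    """
    plan = {"approve": [], "retry": [], "manual_sync": []}
    for dev in google_devices:
        if dev["status"] != "PENDING":  # already approved, blocked or wiped
            continue
        owners = [e.lower() for e in dev.get("email", [])]
        if any(dev["deviceId"] in enrolled.get(o, set()) for o in owners):
            # Request body for the Directory API mobiledevices "action" call.
            plan["approve"].append((dev["resourceId"], {"action": "approve"}))
        elif now - parse_ts(dev["firstSync"]) > MANUAL_SYNC_AFTER:
            plan["manual_sync"].append(dev["resourceId"])
        else:
            plan["retry"].append(dev["resourceId"])
    return plan

# Constructed sample data, not real records.
NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)
ENROLLED = {"alice@example.com": {"dev-1"}, "bob@example.com": {"dev-2"},
            "carol@example.com": {"dev-3"}}
GOOGLE_DEVICES = [
    {"resourceId": "res-A", "deviceId": "dev-1", "email": ["alice@example.com"],
     "status": "PENDING", "firstSync": "2024-05-03T11:57:00.000Z"},
    {"resourceId": "res-B", "deviceId": "dev-9", "email": ["bob@example.com"],
     "status": "PENDING", "firstSync": "2024-05-03T10:00:00.000Z"},
    {"resourceId": "res-C", "deviceId": "dev-7", "email": ["carol@example.com"],
     "status": "PENDING", "firstSync": "2024-04-30T08:00:00.000Z"},
    {"resourceId": "res-D", "deviceId": "dev-4", "email": ["dave@example.com"],
     "status": "APPROVED", "firstSync": "2024-04-01T08:00:00.000Z"},
]

if __name__ == "__main__":
    for bucket, items in reconcile(GOOGLE_DEVICES, ENROLLED, NOW).items():
        print(bucket, items)
```

Records left in `retry` or `manual_sync` stay unapproved in Google, which is the state the "Require admin approval for device activation" setting relies on to keep unidentified devices away from mail.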
- Enable Device Activation on the Google Admin console:
  - On the Google Admin console, navigate to
  - On the Setup page, select Device Activation.
  - Select an organization from the left panel and then select Require admin approval for device activation.
  - (Optional) Enter an email address to receive notifications when users enroll their devices. You can also enter a group email address that includes all the administrators who can activate the devices.
- Configure Direct APIs Deployment Type on the UEM console:
  - Navigate to Configure.
    and select The Email Config Add wizard displays.
  - Select Direct for the Deployment Model.
  - Select Google Apps with Direct API as the Email Type.
  - Click Next.
  - In the Deployment Wizard form, enter the following settings:

| Setting | Description |
| --- | --- |
| Friendly Name | Friendly name for the Gmail deployment. |
| Google Apps Domain | Domain address |
| Google Apps Sub-Domain | Sub-domain address |
| Google Apps Admin Username | Complete email address |
| Service account certificate (*.p12) | Upload the Service account certificate. Enter the certificate password when prompted. The certificate password is created while generating the Service Account client ID on the Google console. The type, validity, and thumbprint of the certificate are displayed. |
| Directory service account email address | Service Account email address. |
| Application Name | Project name created earlier. |
| Enable Token Revocation | Toggle Enable to make available the Revoke Google Token action within MDM compliance policies. The Revoke Google Token message is displayed on the MDM compliance policy page. Note: This option can only be enabled for one MEM configuration at a time. |
| Automatically revoke when wiping devices | Check this box to revoke the G Suite token for the user upon unenrollment. |

- Navigate to Configure. and select