Documentation Version: er2.0.28-docs-1.1

Google Apps

The instructions here work for setting up the following Google Apps products as Targets:

To set up Google Apps products as Targets:

  1. Configure Google Apps Account
  2. Set up Google Apps as Target

To scan a specific path in Google Apps, see Edit Google Apps Target Path.

Instructions for configuring a cloud service account's security settings are provided here for the user's convenience only. For the most up-to-date instructions, please consult the cloud service provider's official documentation.

General Requirements

Configure Google Apps Account

Before you add Google Apps products as Targets, you must have:

To configure your Google Apps account for scanning:

  1. Select a project
  2. Enable APIs
  3. Create a Service Account
  4. Set up Domain-Wide Delegation

Setting up a Google Apps account as a Target location requires more work than other cloud services because the Google API imposes certain restrictions on software attempting to access data on their services. This keeps their services secure, but makes it more difficult to scan them using ER2.

Select a project

  1. Log into the Google Developers console.

  2. Click on Select a project ▼. The Select dialog box opens and displays a list of existing projects.

In the Select dialog box, you can:

To select an existing project:

  1. Click on a project.
  2. Click OPEN.

To create a new project:

  1. Click on +.
  2. In the New Project page, enter your Project name and click Create.

Enable APIs

To scan a specific Google Apps product, enable the API for that product in your project.

To enable Google Apps APIs:

  1. Select a project.
  2. In the project Dashboard, click + ENABLE APIS AND SERVICES. This displays the API Library.

  3. Enable the Admin SDK API.

    1. Under G Suite APIs, click Admin SDK.
    2. Click ENABLE.

  4. Repeat to enable the following APIs:

    Target Google Apps Product    API Library
    Google Mail                   Gmail API
    Google Drive                  Google Drive API
    Google Tasks                  Tasks API
    Google Calendar               Google Calendar API

Create a Service Account

Create a service account for ER2:

  1. Click on the menu on the upper-left corner of the Google Developers Console.

  2. Go to IAM & Admin > Service accounts.

  3. Click + CREATE SERVICE ACCOUNT.

  4. In the Create service account dialog box, enter the following:

    Field                                    Description
    Service account name                     Enter a descriptive label.
    Role                                     Select Project > Owner.
    Service account ID                       Enter a name for your service account, or click the refresh button to generate a service account ID.
                                             An example service account ID: service-account-634@project_name-1272.iam.gserviceaccount.com
    Furnish a new private key                1. Select Furnish a new private key.
                                             2. Select P12.
    Enable G Suite Domain-wide Delegation    Select Enable G Suite Domain-wide Delegation.
                                             If prompted, enter a product name for the OAuth consent screen and save your OAuth consent screen settings. The product name should describe your project. For example: "ER2".
  5. Click CREATE. The Service account and key created dialog box displays, and a P12 key is saved to your computer. Keep the P12 key in a secure location.

    The dialog box displays the private key's password: notasecret. ER2 does not need you to remember this password.
  6. Click Close.
  7. Write down the newly created service account's Service account ID and Key ID.

Set up Domain-Wide Delegation

Set up domain-wide delegation with the administrator account used in Enable APIs.

The following is a guide for setting up domain-wide delegation for existing service accounts.

To allow ER2 to access your Google Apps domain with the Service Account, you must set up and enable domain-wide delegation for your Service Account.

To set up domain-wide delegation:

  1. In the Google Developers Console, click on the menu.
  2. Go to API Manager > Credentials.
  3. On the Credentials page, under OAuth 2.0 client IDs, go to the entry for your service account and take note of the Client ID.

    The Client ID is required when assigning domain-wide delegation to your Service Account.
  4. Go to the Google Apps Admin console. In the Admin Console, click on Security.


  5. On the Security page, click Show more.
  6. Click on Advanced settings to expand it.
  7. Under Authentication, click Manage API client access.

  8. In Manage API client access, enter:
    1. Client Name: Your Service account Client ID (For example, 116877825065678775170).
    2. One or More API Scopes: For each Google Apps product that you wish to scan, you must apply a different API Scope.

      The following is a list of API Scopes required for ER2 to work with each Google Apps service:

      Google Apps service    API Scope
      All (required)         https://www.googleapis.com/auth/admin.directory.user.readonly
      Google Mail            https://mail.google.com/
      Google Drive           https://www.googleapis.com/auth/drive.readonly
      Google Tasks           https://www.googleapis.com/auth/tasks.readonly
      Google Calendar        https://www.googleapis.com/auth/calendar.readonly

      You can apply multiple API Scopes by separating them with commas. For example, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/drive.readonly
      Copying and pasting

      Copying and pasting formatted text into Manage API client access may cause it to display an error. Instead, manually enter the API Scopes as shown above.

    3. Click Authorize.
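
An added example, not part of the ER2 documentation or Google's tooling: a pre-flight check for the value entered in One or More API Scopes. It builds the string from the scope table above, rejects the invisible formatting characters that copy and paste introduces, and reports any listed scope that is not read-only so it can be reviewed before clicking Authorize. The function names are hypothetical.

```python
# Added example. Scope table copied from the page; function names are hypothetical.
import unicodedata

REQUIRED = "https://www.googleapis.com/auth/admin.directory.user.readonly"
SCOPES = {
    "Google Mail": "https://mail.google.com/",
    "Google Drive": "https://www.googleapis.com/auth/drive.readonly",
    "Google Tasks": "https://www.googleapis.com/auth/tasks.readonly",
    "Google Calendar": "https://www.googleapis.com/auth/calendar.readonly",
}

def build_scope_field(products):
    """Comma-separated value for 'One or More API Scopes', required scope first."""
    unknown = [p for p in products if p not in SCOPES]
    if unknown:
        raise ValueError(f"no scope listed for: {unknown}")
    # dict.fromkeys drops duplicate product names while keeping order.
    return ", ".join([REQUIRED] + [SCOPES[p] for p in dict.fromkeys(products)])

def check_scope_field(text):
    """Return (scopes, errors, broad) for a string about to be entered.

    errors: reasons the value should not be submitted as-is.
    broad:  listed scopes that are not '.readonly', for reviewer sign-off.
    """
    errors = []
    # Formatted text carries invisible characters: format controls (Cf, e.g.
    # zero-width space) and space separators other than U+0020 (Zs, e.g. NBSP).
    hidden = sorted({f"U+{ord(c):04X}" for c in text
                     if unicodedata.category(c) == "Cf"
                     or (unicodedata.category(c) == "Zs" and c != " ")})
    if hidden:
        errors.append("formatting characters: " + " ".join(hidden))
    cleaned = "".join(c for c in text if c.isascii() and c.isprintable())
    scopes = [s.strip() for s in cleaned.split(",") if s.strip()]
    known = {REQUIRED, *SCOPES.values()}
    errors += [f"not in the scope table: {s}" for s in scopes if s not in known]
    if REQUIRED not in scopes:
        errors.append("missing required scope: " + REQUIRED)
    broad = [s for s in scopes if s in known and not s.endswith(".readonly")]
    return scopes, errors, broad

if __name__ == "__main__":
    # Constructed input: a value pasted from a formatted document.
    pasted = REQUIRED + ",\u00a0\u200b" + SCOPES["Google Mail"]
    print(check_scope_field(pasted))
```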

Set up Google Apps as Target

  1. Configure Google Apps Account
  2. From the New Search page, Add Targets.

  3. In the Select Target Type dialog box, select a Target Google Apps product.
  4. Fill in the following fields:

    Field                           Description
    Google Apps Domain              Enter the Google Apps domain you want to scan in the Google Apps Domain field.
                                    If your Google Apps administrator email is admin@example.com, your Google Apps domain is example.com.
                                    For more information on how to scan specific mailboxes or accounts, see Edit Google Apps Target Path.
    Credential Label                Enter a descriptive label for the credential set.
    Username                        Enter your Google Apps administrator account email address.
                                    Use the same administrator account used to Enable APIs and Set up Domain-Wide Delegation.
    Password                        Enter your Service account ID, e.g. service-account-name-14@adventurer-140703.iam.gserviceaccount.com
    Private Key                     Upload the P12 key associated with your Service account ID.
    Agent to act as a proxy host    Select a Proxy Agent host with direct Internet access.
  5. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.

  6. Click Commit to add the Target.

Edit Google Apps Target Path

  1. Set up Google Apps as Target.
  2. In the Select Locations section, select the Google Apps Target location and click Edit.
  3. In the Edit Google Apps Location dialog box, enter a Path to scan. Use the following syntax:

    Path                      Syntax
    User account              <user_name>
    Folder in user account    <user_name/folder_name>

    To scan the user mailbox at user_name@example.com, enter user_name. To scan the "Inbox" folder in the user mailbox user_name@example.com, enter user_name/inbox; to scan the "Sent Mail" folder, enter user_name/sent.
  4. Click Test and then Commit to save the path to the Target location.