- Enterprise Recon 2.0.28
The instructions here work for setting up the following Google Apps products as Targets:
- Google Drive
- Google Tasks
- Google Calendar
- Google Mail
To set up Google Apps products as Targets:
- Configure Google Apps Account
- Set up Google Apps as Target
To scan a specific path in Google Apps, see Edit Google Apps Target Path.
- Proxy Agent host with direct Internet access.
- Cloud service-specific access keys.
Configure Google Apps Account
Before you add Google Apps products as Targets, you must have:
- A Google Apps administrator account for the Target Google Apps domain.
- The Target must be a Google Apps account. Personal Google accounts are not supported.
To configure your Google Apps account for scanning:
- Select a project
- Enable APIs
- Create a Service Account
- Set up Domain-Wide Delegation
Select a project
Log into the Google Developers console.
Click on Select a project ▼. The Select dialog box opens and displays a list of existing projects.
In the Select dialog box, you can:
- Select an existing project.
- (Recommended) Create a new project.
To select an existing project:
- Click on a project.
- Click OPEN.
To create a new project:
- Click on +.
- In the New Project page, enter your Project name and click Create.
To scan a specific Google Apps product, enable the API for that product in your project.
To enable Google Apps APIs:
- Select a project.
In the project Dashboard, click + ENABLE APIS AND SERVICES. This displays the API Library.
Enable the Admin SDK API.
- Under G Suite APIs, click Admin SDK.
Repeat to enable the following APIs:
Target Google Apps Product
Google Mail Gmail API Google Drive Google Drive API Google Tasks Tasks API Google Calendar Google Calendar API
Create a Service Account
Create a service account for ER2:
Click on the menu on the upper-left corner of the Google Developers Console.
Go to IAM & Admin > Service accounts.
Click + CREATE SERVICE ACCOUNT.
In the Create service account dialog box, enter the following:
Field Description Service account name Enter a descriptive label. Role Select Project > Owner. Service account ID:
Enter a name for your service account, or click the refresh button to generate a service account ID.
An example service account ID: service-account-634@project_name-1272.iam.gserviceaccount.com
Furnish a new private key
- Select Furnish a new private key.
- Select P12.
Enable G Suite Domain-wide Delegation Select Enable G Suite Domain-wide Delegation.If prompted, enter a product name for the OAuth consent screen and save your OAuth consent screen settings. The product name should describe your project. For example: "ER2".
Click CREATE. The Service account and key created dialog box displays, and a P12 key is saved to your computer. Keep the P12 key in a secure location.The dialog box displays the private key's password: notasecret. ER2 does not need you to remember this password.
- Click Close.
- Write down the newly created service account's Service account ID and Key ID.
Set up Domain-Wide Delegation
The following is a guide for setting up domain-wide delegation for existing service accounts.
To allow ER2 to access your Google Apps domain with the Service Account, you must set up and enable domain-wide delegation for your Service Account.
To set up domain-wide delegation:
- In the Google Developer's Console, click on the menu.
- Go to API Manager > Credentials.
On the Credentials page, under OAuth 2.0 client IDs, go to the entry for your service account and take note of the Client ID.The Client ID is required when assigning DwD to your Service Account.
Go to the Google Apps Admin console. In the Admin Console, click on Security.
- On the Security page, click Show more.
- Click on Advanced settings to expand it.
Under Authentication, click Manage API client access.
- In Manage API client access, enter:
- Client Name: Your Service account Client ID (For example, 116877825065678775170).
One or More API Scopes: For each Google Apps product that you wish to scan, you must apply a different API Scope.
The following is a list of API Scopes required for ER2 to work with each Google Apps service:
Google Apps service API Scope All (required) https://www.googleapis.com/auth/admin.directory.user.readonly Google Mail https://mail.google.com/ Google Drive https://www.googleapis.com/auth/drive.readonly Google Tasks https://www.googleapis.com/auth/tasks.readonly Google Calendar https://www.googleapis.com/auth/calendar.readonlyYou can apply multiple API Scopes by separating them with commas. For example,
https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/drive.readonlyCopying and pasting
Copying and pasting formatted text into Manage API client access may cause it to display an error. Instead, manually enter the API Scopes as shown above.
- Click Authorize.
Set up Google Apps as Target
- Configure Google Apps Account
From the New Search page, Add Targets.
- In the Select Target Type dialog box, select a Target Google Apps product.
- Fill in the following fields:
Field Description Google Apps Domain
Enter the Google Apps domain you want to scan in the Google Apps Domain field.If your Google Apps administrator email is email@example.com, your Google Apps domain is example.com.
For more information on how to scan specific mailboxes or accounts., see Edit Google Apps Target Path.
Credential Label Enter a descriptive label for the credential set. Username
Enter your Google Apps administrator account email address.
Password Enter your Service account ID e.g. firstname.lastname@example.org Private Key Upload the P12 key associated with your Service account ID. Agent to act as a proxy host Select a Proxy Agent host with direct Internet access.
Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
- Click Commit to add the Target.
Edit Google Apps Target Path
- Set up Google Apps as Target.
- In the Select Locations section, select the Google Apps Target location and click Edit.
In the Edit Google Apps Location dialog box, enter a Path to scan. Use the following syntax:
Path Syntax User account
Folder in user account
<user_name/folder_name>To scan the user mailbox at email@example.com, enter user_name. To scan the "Inbox" folder in the user mailbox firstname.lastname@example.org, enter user_name/inbox; to scan the "Sent Mail" folder, enter user_name/sent.
- Click Test and then Commit to save the path to the Target location.