Tag Archives: Admin Console

View data for only selected call participants in the Meet Quality Tool

Quick launch summary

You can now select specific participants when viewing meetings in the Meet Quality Tool. This allows you to display data and statistics for just a subset of the participants. When viewing calls with many participants, this helps limit the amount of information displayed on the screen at one time. By fitting just the most relevant information into the view, pagination can often be avoided even for very large meetings.

Getting started

Admins: This feature will be available by default when using the Meet Quality Tool. To select participants, use the participant list on the left-hand side of the Meeting Details page. As selections are made, the information displayed to the right will update accordingly.

End users: This feature has no impact on end users.

Rollout pace

Availability

  • Available to all G Suite customers

Resources


Manage Windows 10 devices through the G Suite Admin console

What’s changing 

We’re enabling enhanced desktop security for Windows with a new beta. This will allow you to manage and secure Windows 10 devices through the Admin console, just as you do for Android, iOS, Chrome, and Jamboard devices today. It will also enable SSO so users can more easily access G Suite and other SSO-enabled applications on Windows 10 devices.

With these new controls G Suite admins can:

  • Enable their organization to use existing G Suite account credentials to login to Windows 10 devices, and easily access apps and services with SSO 
  • Protect user accounts with anti-phishing, anti-hijacking, and suspicious login detection technologies 
  • Ensure that all Windows 10 devices used to access G Suite are updated, secure, and within compliance 
  • Perform admin actions, such as wiping a device and pushing device configuration updates, to Windows 10 devices from the cloud without specific network requirements 

Sign up for the beta here.

Who’s impacted 

Admins

Why you’d use it 

Automatic device registration, the ability to secure all of your devices in a single Admin console, and cloud-based policy and device configuration deployment will simplify device management and security for your organization. Additionally, the ability to remotely wipe devices can help increase your organization’s data security.

Additionally, this makes life easier for users by reducing the hurdles and logins needed to access applications and get work done. Users need to log in just once to their Windows 10 device using their G Suite login credentials, and they’ll be able to access Google apps and any other enterprise cloud applications with SSO enabled without further logins.

How to get started 




Additional details 


Set policies, push configurations to devices, and wipe devices as needed 

Admins can deploy policies and device configuration updates from the cloud, removing any network or other restraints for installing these updates on user devices. Policies and updates that can be applied by admins include BitLocker, Windows Update, and desktop customization. Additionally, admins can block or wipe devices if needed from the device page in the Admin console.



Availability 

G Suite editions 

  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers 

Beta sign up 
Find more information and sign up for the beta here.

Grant SAML app access to specific groups

Quick launch summary 

You can now enable SAML apps for specific groups of users in your organization. You could previously only enable them by organizational unit (OU). This provides extra flexibility, as you can now turn apps on or off for sets of users without changing your organizational structure.

SAML apps enable users to access enterprise cloud applications after signing in just once through Single-Sign-On (SSO). You can easily enable SAML with many pre-integrated applications in our third-party apps catalog, or you can set up custom SAML applications.

Use our Help Center to find out how to configure SAML applications.

Getting started 


  • Admins: This feature will be available by default and can be controlled at the group level. Visit the Help Center to learn more about how to configure SAML apps for G Suite
  • End users: There is no end-user setting for this feature. 

Control SAML apps by groups 

Rollout pace 


Availability 



  • Available to all G Suite customers

Password recovery for super admins and a new interface for security settings

What’s changing

We’re making it easier for super admins to recover their own passwords, as well as updating the look of some basic security settings in the Admin console.

Going forward, super admins who enable “Super admin account recovery” at Admin console > Security > Account recovery can recover their own accounts by clicking the “Forgot password?” link on the sign-in page (provided they’ve added recovery options to their accounts).

Super admin account recovery setting in the Admin console

In addition, we’re starting to gradually migrate your other security settings to a more streamlined, card-based interface. These changes will take place slowly over time, and most will have no impact on the configuration of your settings themselves. If any updates require changes to your workflows, we’ll let you know on the G Suite Updates blog and/or via email.

Who’s impacted

Admins

Why you’d use it

Previously, super admins in many organizations who were locked out of their accounts had to contact another super admin or Google Support to recover their password. This new setting makes it much easier for super admins to get back into their accounts and back to work.

Getting started

Admins: For most current and all new customers, the Super admin account recovery feature will be OFF by default and can be enabled at the domain, OU, or group level. If you’re an existing customer with fewer than three super admins or 500 users, however, the setting will be ON by default, to match previous behavior. Visit the Help Center to learn more about turning Super admin account recovery on or off for your organization.

Rollout pace


  • Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility)] starting on January 13, 2020
  • Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility)] starting on January 13, 2020

Availability


  • Available to all G Suite customers

Resources


Manage Hangouts Meet and classic Hangouts video calls with one setting

What’s changing

Video calling from Hangouts Meet and classic Hangouts is now controlled by the same setting. This means that the setting in the Admin console that controls classic Hangouts video calling now also controls Hangouts Meet.

Who’s impacted

Admins

Why it matters

By combining these settings, we’re making it easier for you to manage all video calling within your organization.

Getting started

Admins: You can find the new, consolidated setting in the Admin console at Apps > G Suite > Settings for Google Hangouts > Meet settings. Learn more in the Help Center. The new setting will respect your previous setting. For new G Suite customers, video calling will be enabled by default.

End users: There is no end user setting for this feature.

Rollout pace



Availability


  • Available to all G Suite customers

Resources




New controls for displaying sender attribution for shared mailboxes

What’s changing 

We’re adding new controls for how the “Sender Attribution for Shared Mailboxes” is displayed. Currently, sender attribution is always enabled — this will remain the default setting unless disabled by the admin or the end user.

For end users, there’s a new setting in Gmail where you can specify what information is included in the email header of messages sent by delegates.

For admins, there’s a new setting in the admin console that allows you to hide all attribution for shared mailboxes in your domain or organizational unit (OU). This will override and disable the user setting in Gmail.

Who’s impacted

Admins and end users


Why you’d use it 

Organizations use shared mailboxes in Gmail in multiple ways. For example, if an executive admin is responding on behalf of a CEO, from the CEO’s mailbox, sender attribution makes it clear who specifically drafted and sent the email.

Or, if you use an [email protected] mailbox to communicate with customers, customers will view all responses as equally valid, without knowing whether they were sent by [email protected], or [email protected]

With these new settings, you can now control and customize how attribution is handled for your domain, by OU, or on an individual user level.

Getting started 

Admins: Sender attribution is on by default and can be disabled at the OU or domain level. The new setting can be found in the Admin console under Apps > G Suite > Gmail > User settings > Mail Delegation. Note that the default setting will be “Allow users to customize this setting” and “Show the account owner and delegate who sent the email.”

Settings for Mail Delegation in the Admin console

End users: Sender attribution is ON by default. You can view and set sender attribution parameters by going to Settings > Account > Grant access to your account in Gmail. If your admin has hidden sender attribution for your domain or OU, no action can be taken.

End user settings for sender attribution in Gmail


If disabled at the OU or domain level, end users can take no action in Gmail

Rollout pace


Availability

  • Available to all G Suite customers

Resources 



Get email alerts and see associated tickets for Access Transparency logs

Quick launch summary 

We’re making two improvements which will make Access Transparency logs more useful for G Suite admins. Specifically you can now:

  • Choose to receive email alerts when specific Access Transparency logs are created. 
  • See any support ticket numbers associated with requests in the Audit log report. 

Access Transparency for G Suite provides more visibility into actions taken by Google staff related to your data. Learn more about how Access Transparency can help increase trust in cloud data security

Access Transparency logs describe the affected resource, the time of the action, the reason for the action, and more. With this launch, you can create automated alerts to get notified via email when specified criteria related to Access Transparency are met and an associated log is created. To get started, create an alert based on the "Event Name = Access" filter.

Learn more about Access Transparency logs, or how to set up alerts.


Sample email alert when an Access Transparency log is created 

You can see support ticket numbers in the Access Transparency audit log 


Getting started 


  • Admins: Email alerts will be OFF by default, support ticket information in the audit log will be ON by default. Learn more about Access Transparency logs, or how to set up alerts
  • End users: Feature is not visible to end users. 

Rollout pace 


  • This feature is available now for all users. 

Availability 


  • Available to G Suite Enterprise and G Suite Enterprise for Education customers. 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, and G Suite for Nonprofits customers. 

Roadmap 





Stay up to date with G Suite launches

Turning off less secure app access to G Suite accounts

What’s changing 

Starting in June 2020, we’ll limit the ability for less secure apps (LSAs) to access G Suite account data. LSAs are non-Google apps that can access your Google account with only a username and password. They make your account more vulnerable to hijacking attempts. Instead of LSAs, you can use apps that support OAuth—a modern and secure access method.

This is most likely to impact users of legacy email, calendar, and contacts apps—see below for more details. We’ve also emailed your organization’s primary admin with details around this change. That email includes a list of users who are likely to be affected.

Access to LSAs will be turned off in two stages:

  • After June 15, 2020 - Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off. 
  • After February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts. 


This is a continuation of our previously announced process to limit access to less secure apps to protect G Suite accounts. See below for more details on the possible impact of this change, and some recommendations for change management with users of LSAs.

Who’s impacted 

End users

Why this matters 

Many users use non-Google apps, and give those apps permission to access G Suite data. For example, you may give the iOS mail app permission to see your work email. This provides users with more options, and helps users get work done in a way that works well for them.

When account access is provided through an LSA, it puts that account at risk of hijacking. That’s because LSAs provide a non-Google app access to your account through just a username and password, without any other authentication factor. If a bad actor got access to your username and password (for example, if you re-use the password on another site that is subject to a data breach), they could access your account data with just that username and password information through an LSA.

However, when account access is provided through OAuth, we get more details about the login and can validate it the same way we would with any other login to your account. This means we can better identify and prevent suspicious login attempts, preventing hijackers from accessing the account data even if they have your username and password. OAuth also helps us enforce G Suite admin defined login policies, such as the use of security keys, as well as other security controls such as whitelisting apps and offering scope-based account access.

As we’re constantly working to improve the security of your organization’s G Suite accounts, we’ve made the decision to remove LSA access by February 15, 2021. Given the many alternative apps and processes available which do use OAuth (outlined below), we hope that this won’t cause significant disruption while increasing your account security.

How to get started 


  • Admins: 
    • See the “Additional details” section below for more information and recommended actions. 
    •  See the email sent to your organization’s primary admin with a subject line of “Switch to apps that use secure OAuth access, as password-based access will no longer be supported” for a list of users who are likely to be affected by the change. 
  • End users: See the “User information and advice” section below for more details and recommended actions, or use our Help Center to learn more about less secure apps and your Google account


Additional details 

Admin and developer information 

Mobile device management (MDM) configuration - If your organization uses a mobile device management (MDM) provider to configure CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) profiles, these services will be phased out according to the timeline below:

  • June 15, 2020 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for new users. 
  • February 15, 2021 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth. 


Scanners and other devices - No change is required for scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails. If you replace your device, look for one that sends email using OAuth.

Developer instructions - To maintain compatibility with G Suite accounts, update your app to use OAuth 2.0 as a connection method. To get started, follow our developer guide on using OAuth 2.0 to access Google APIs. You can also refer to our guide on OAuth 2.0 for mobile & desktop apps


End User information and advice 

If you are using an app that accesses your Google account with only a username and password, take one of the following actions to switch to a more secure method and continue to access your email, calendar, or contacts. If you do not take one of the following actions, when LSA access is discontinued after February 15, 2021, you will begin receiving an error message that your username-password combination is incorrect.

Email 

  • If you are using stand-alone Outlook 2016 or earlier, you can use G Suite Sync for Microsoft Outlook. Alternatively, move to Office 365 (a web-based version of Outlook) or Outlook 2019, both of which support OAuth access. 
  • If you are using Thunderbird or another email client, re-add your Google Account and configure it to use IMAP with OAuth. 
  • If you are using the mail app on iOS or MacOS, or Outlook for Mac, and use only a password to login, you’ll need to remove and re-add your account. When you add it back, make sure to choose Google as the account type to automatically use OAuth. 


Calendar

  • If you use CalDAV to give an app or device access to your calendar, switch to a method that supports OAuth. We recommend the Google Calendar app [Web/iOS/Android] as the most secure app to use with your G Suite account. 
  • If your G Suite account is linked to the calendar app in iOS or MacOS and uses only a password to login, you’ll need to remove and re-add your account to your device. When you add it back, select “sign in with Google” to automatically use OAuth. Read more

Contacts 

  • If your G Suite account is syncing contacts to iOS or MacOS via CardDAV and uses only a password to login, you’ll need to remove your account. When you add it back, select “sign in with Google” to automatically use OAuth. Read More
  • If your G Suite account is syncing contacts to any other platform or app via CardDAV and uses only a password to login, switch to a method that supports OAuth. 

Other less secure apps 

  • If you use other apps on iOS or MacOS that access your G Suite account information through only a password, most access issues can be resolved by removing then re-adding your account. When you add it back, make sure to select Google as the account type to automatically use OAuth. 
  • For any other LSA, contact your admin or ask the developer of the app you are using to start supporting OAuth. 
  • If the developer won’t update their app, you will need to switch to a client that offers OAuth.  


Helpful links 




Availability 

Rollout details - all domains 

  • After June 15, 2020 
    • Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off. 
    • MDM configuration of CalDAV or CardDAV will no longer work for new users. 
  • After February 15, 2021 
    • Access to LSAs will be turned off for all G Suite accounts. 
    • MDM configuration of CalDAV and CardDAV will no longer work for existing users. All existing users will be required to re-add their Google accounts if they wish to sync contacts, calendar, or email. 

G Suite editions 
Applicable to all G Suite editions

On/off by default?
This feature will be ON by default and can’t be turned off.


Stay up to date with G Suite launches

Turning off less secure app access to G Suite accounts

What’s changing 

Starting in June 2020, we’ll limit the ability for less secure apps (LSAs) to access G Suite account data. LSAs are non-Google apps that can access your Google account with only a username and password. They make your account more vulnerable to hijacking attempts. Instead of LSAs, you can use apps that support OAuth—a modern and secure access method.

This is most likely to impact users of legacy email, calendar, and contacts apps—see below for more details. We’ve also emailed your organization’s primary admin with details around this change. That email includes a list of users who are likely to be affected.

Access to LSAs will be turned off in two stages:

  • After June 15, 2020 - Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off. 
  • After February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts. 


This is a continuation of our previously announced process to limit access to less secure apps to protect G Suite accounts. See below for more details on the possible impact of this change, and some recommendations for change management with users of LSAs.

Who’s impacted 

End users

Why this matters 

Many users use non-Google apps, and give those apps permission to access G Suite data. For example, you may give the iOS mail app permission to see your work email. This provides users with more options, and helps users get work done in a way that works well for them.

When account access is provided through an LSA, it puts that account at risk of hijacking. That’s because LSAs provide a non-Google app access to your account through just a username and password, without any other authentication factor. If a bad actor got access to your username and password (for example, if you re-use the password on another site that is subject to a data breach), they could access your account data with just that username and password information through an LSA.

However, when account access is provided through OAuth, we get more details about the login and can validate it the same way we would with any other login to your account. This means we can better identify and prevent suspicious login attempts, preventing hijackers from accessing the account data even if they have your username and password. OAuth also helps us enforce G Suite admin defined login policies, such as the use of security keys, as well as other security controls such as whitelisting apps and offering scope-based account access.

As we’re constantly working to improve the security of your organization’s G Suite accounts, we’ve made the decision to remove LSA access by February 15, 2021. Given the many alternative apps and processes available which do use OAuth (outlined below), we hope that this won’t cause significant disruption while increasing your account security.

How to get started 


  • Admins: 
    • See the “Additional details” section below for more information and recommended actions. 
    •  See the email sent to your organization’s primary admin with a subject line of “Switch to apps that use secure OAuth access, as password-based access will no longer be supported” for a list of users who are likely to be affected by the change. 
  • End users: See the “User information and advice” section below for more details and recommended actions, or use our Help Center to learn more about less secure apps and your Google account


Additional details 

Admin and developer information 

Mobile device management (MDM) configuration - If your organization uses a mobile device management (MDM) provider to configure CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) profiles, these services will be phased out according to the timeline below:

  • June 15, 2020 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for new users. 
  • February 15, 2021 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth. 


Scanners and other devices - No change is required for scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails. If you replace your device, look for one that sends email using OAuth.

Developer instructions - To maintain compatibility with G Suite accounts, update your app to use OAuth 2.0 as a connection method. To get started, follow our developer guide on using OAuth 2.0 to access Google APIs. You can also refer to our guide on OAuth 2.0 for mobile & desktop apps


End User information and advice 

If you are using an app that accesses your Google account with only a username and password, take one of the following actions to switch to a more secure method and continue to access your email, calendar, or contacts. If you do not take one of the following actions, when LSA access is discontinued after February 15, 2021, you will begin receiving an error message that your username-password combination is incorrect.

Email 

  • If you are using stand-alone Outlook 2016 or earlier, you can use G Suite Sync for Microsoft Outlook. Alternatively, move to Office 365 (a web-based version of Outlook) or Outlook 2019, both of which support OAuth access. 
  • If you are using Thunderbird or another email client, re-add your Google Account and configure it to use IMAP with OAuth. 
  • If you are using the mail app on iOS or MacOS, or Outlook for Mac, and use only a password to login, you’ll need to remove and re-add your account. When you add it back, make sure to choose Google as the account type to automatically use OAuth. 


Calendar

  • If you use CalDAV to give an app or device access to your calendar, switch to a method that supports OAuth. We recommend the Google Calendar app [Web/iOS/Android] as the most secure app to use with your G Suite account. 
  • If your G Suite account is linked to the calendar app in iOS or MacOS and uses only a password to login, you’ll need to remove and re-add your account to your device. When you add it back, select “sign in with Google” to automatically use OAuth. Read more

Contacts 

  • If your G Suite account is syncing contacts to iOS or MacOS via CardDAV and uses only a password to login, you’ll need to remove your account. When you add it back, select “sign in with Google” to automatically use OAuth. Read More
  • If your G Suite account is syncing contacts to any other platform or app via CardDAV and uses only a password to login, switch to a method that supports OAuth. 

Other less secure apps 

  • If you use other apps on iOS or MacOS that access your G Suite account information through only a password, most access issues can be resolved by removing then re-adding your account. When you add it back, make sure to select Google as the account type to automatically use OAuth. 
  • For any other LSA, contact your admin or ask the developer of the app you are using to start supporting OAuth. 
  • If the developer won’t update their app, you will need to switch to a client that offers OAuth.  


Helpful links 




Availability 

Rollout details - all domains 

  • After June 15, 2020 
    • Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off. 
    • MDM configuration of CalDAV or CardDAV will no longer work for new users. 
  • After February 15, 2021 
    • Access to LSAs will be turned off for all G Suite accounts. 
    • MDM configuration of CalDAV and CardDAV will no longer work for existing users. All existing users will be required to re-add their Google accounts if they wish to sync contacts, calendar, or email. 

G Suite editions 
Applicable to all G Suite editions

On/off by default?
This feature will be ON by default and can’t be turned off.


Stay up to date with G Suite launches

Turning off less secure app access to G Suite accounts

What’s changing 

Starting in June 2020, we’ll limit the ability for less secure apps (LSAs) to access G Suite account data. LSAs are non-Google apps that can access your Google account with only a username and password. They make your account more vulnerable to hijacking attempts. Instead of LSAs, you can use apps that support OAuth—a modern and secure access method.

This is most likely to impact users of legacy email, calendar, and contacts apps—see below for more details. We’ve also emailed your organization’s primary admin with details around this change. That email includes a list of users who are likely to be affected.

Access to LSAs will be turned off in two stages:

  • After June 15, 2020 - Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off. 
  • After February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts. 


This is a continuation of our previously announced process to limit access to less secure apps to protect G Suite accounts. See below for more details on the possible impact of this change, and some recommendations for change management with users of LSAs.

Who’s impacted 

End users

Why this matters 

Many users use non-Google apps, and give those apps permission to access G Suite data. For example, you may give the iOS mail app permission to see your work email. This provides users with more options, and helps users get work done in a way that works well for them.

When account access is provided through an LSA, it puts that account at risk of hijacking. That’s because LSAs provide a non-Google app access to your account through just a username and password, without any other authentication factor. If a bad actor got access to your username and password (for example, if you re-use the password on another site that is subject to a data breach), they could access your account data with just that username and password information through an LSA.

However, when account access is provided through OAuth, we get more details about the login and can validate it the same way we would with any other login to your account. This means we can better identify and prevent suspicious login attempts, preventing hijackers from accessing the account data even if they have your username and password. OAuth also helps us enforce G Suite admin defined login policies, such as the use of security keys, as well as other security controls such as whitelisting apps and offering scope-based account access.

As we’re constantly working to improve the security of your organization’s G Suite accounts, we’ve made the decision to remove LSA access by February 15, 2021. Given the many alternative apps and processes available which do use OAuth (outlined below), we hope that this won’t cause significant disruption while increasing your account security.

How to get started 


  • Admins: 
    • See the “Additional details” section below for more information and recommended actions. 
    •  See the email sent to your organization’s primary admin with a subject line of “Switch to apps that use secure OAuth access, as password-based access will no longer be supported” for a list of users who are likely to be affected by the change. 
  • End users: See the “User information and advice” section below for more details and recommended actions, or use our Help Center to learn more about less secure apps and your Google account


Additional details 

Admin and developer information 

Mobile device management (MDM) configuration - If your organization uses a mobile device management (MDM) provider to configure CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) profiles, these services will be phased out according to the timeline below:

  • June 15, 2020 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for new users. 
  • February 15, 2021 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth. 


Scanners and other devices - No change is required for scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails. If you replace your device, look for one that sends email using OAuth.

Developer instructions - To maintain compatibility with G Suite accounts, update your app to use OAuth 2.0 as a connection method. To get started, follow our developer guide on using OAuth 2.0 to access Google APIs. You can also refer to our guide on OAuth 2.0 for mobile & desktop apps


End User information and advice 

If you are using an app that accesses your Google account with only a username and password, take one of the following actions to switch to a more secure method and continue to access your email, calendar, or contacts. If you do not take one of the following actions, when LSA access is discontinued after February 15, 2021, you will begin receiving an error message that your username-password combination is incorrect.

Email 

  • If you are using stand-alone Outlook 2016 or earlier, you can use G Suite Sync for Microsoft Outlook. Alternatively, move to Office 365 (a web-based version of Outlook) or Outlook 2019, both of which support OAuth access. 
  • If you are using Thunderbird or another email client, re-add your Google Account and configure it to use IMAP with OAuth. 
  • If you are using the mail app on iOS or MacOS, or Outlook for Mac, and use only a password to login, you’ll need to remove and re-add your account. When you add it back, make sure to choose Google as the account type to automatically use OAuth. 


Calendar

  • If you use CalDAV to give an app or device access to your calendar, switch to a method that supports OAuth. We recommend the Google Calendar app [Web/iOS/Android] as the most secure app to use with your G Suite account. 
  • If your G Suite account is linked to the calendar app in iOS or MacOS and uses only a password to login, you’ll need to remove and re-add your account to your device. When you add it back, select “sign in with Google” to automatically use OAuth. Read more

Contacts 

  • If your G Suite account is syncing contacts to iOS or MacOS via CardDAV and uses only a password to login, you’ll need to remove your account. When you add it back, select “sign in with Google” to automatically use OAuth. Read More
  • If your G Suite account is syncing contacts to any other platform or app via CardDAV and uses only a password to login, switch to a method that supports OAuth. 

Other less secure apps 

  • If you use other apps on iOS or MacOS that access your G Suite account information through only a password, most access issues can be resolved by removing then re-adding your account. When you add it back, make sure to select Google as the account type to automatically use OAuth. 
  • For any other LSA, contact your admin or ask the developer of the app you are using to start supporting OAuth. 
  • If the developer won’t update their app, you will need to switch to a client that offers OAuth.  


Helpful links 




Availability 

Rollout details - all domains 

  • After June 15, 2020 
    • Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off. 
    • MDM configuration of CalDAV or CardDAV will no longer work for new users. 
  • After February 15, 2021 
    • Access to LSAs will be turned off for all G Suite accounts. 
    • MDM configuration of CalDAV and CardDAV will no longer work for existing users. All existing users will be required to re-add their Google accounts if they wish to sync contacts, calendar, or email. 

G Suite editions 
Applicable to all G Suite editions

On/off by default?
This feature will be ON by default and can’t be turned off.


Stay up to date with G Suite launches