Tag Archives: Security and Compliance

Use phones as security keys in the Advanced Protection Program


What’s changing 


You can now use your mobile phone as a security key in the Advanced Protection Program for the enterprise. This means you can use your Android or iOS device’s built-in security key for 2-Step Verification, which makes it easier and quicker to protect high-risk users with our strongest account security settings.

Users can learn more and sign up for the Advanced Protection Program at g.co/advancedprotection

Who’s impacted 

Admins and end users

Why you’d use it 


The Advanced Protection Program for the enterprise enforces a bundle of security policies that help protect the accounts of employees most at risk of targeted attacks. Letting users enroll their phone as the security key should put that protection within reach of more G Suite users, because it offers:

  • Simpler enrollment - Users can sign up quickly using devices they already have. 
  • Intuitive user experience - Users are familiar with the phone interface, and often already carry phones with them. 
  • Lower costs - This reduces the need to purchase security keys. 


Additional details 

Targeted attacks are sophisticated, low-volume, handcrafted attacks, often carried out by highly motivated professional or government-backed groups. Employees who may benefit from the program include, for example, IT admins, executives, and employees in regulated industries such as finance or government.

The individual policies currently included in the Advanced Protection Program are also available to G Suite admins and users outside of the program. However, the Advanced Protection Program for the enterprise offers an easy-to-use bundle of our strongest account security settings.

Getting started 


Admins: By default, users will be able to sign up for the Advanced Protection Program. You can disable it at the OU level. Visit the Help Center to learn more about managing the Advanced Protection Program in your organization.

End users: Android users can go directly to g.co/advancedprotection to enroll their phone as a security key. iPhone users must first activate the security key in Google’s Smart Lock app, then enroll in the Advanced Protection Program.

Rollout pace 


  • This feature is available now for all users. 


Availability 


  • Available to all G Suite customers 


Use an iPhone as a security key for 2-Step Verification

What’s changing

We’re adding an option to use your iPhone as a security key for your Google Account. Security keys provide the strongest form of 2-Step Verification (also known as two-factor authentication or 2FA) to help protect your account against phishing, and are an essential part of the Advanced Protection Program for the enterprise. To use your iPhone as a security key, you need to install the Google Smart Lock app.

Read more about this launch in our Security Blog post, or use our Help Center to learn more about security keys and 2-Step Verification. Also see our other announcement today - Use phones as security keys in the Advanced Protection Program.


Who’s impacted

Admins and end users


Why you’d use it

2-Step Verification adds another layer to your account security, making it more resistant to phishing and account takeover attacks. By adding the option to use iPhones as a security key, we’re making the strongest form of phishing protection more accessible and convenient. As a result, we hope you’ll be able to implement Advanced Protection in your organization more quickly, while also minimizing user training and overall costs.

We previously announced that you can use the security key built into your Android phone, in addition to physical security keys, including Google’s Titan Security Keys.

We also announced today that you can use phones as security keys in the Advanced Protection Program for the enterprise. We hope that these launches bring the added protection of security keys to more users, make it easier to enroll in the Advanced Protection Program, and help ensure that all users have access to more convenient forms of security.


Additional details


  • The iPhone security key is enabled through the Google Smart Lock app.
  • Installation of the Google Smart Lock app is only available on devices running iOS 10.0 and up.
  • The security keys on iPhones are compatible with Bluetooth-enabled Chrome OS (version 79 and up), iOS, macOS, or Windows 10 devices with a Chrome browser.


Rollout pace

  • This feature is available now for all users

Availability


  • Available to all G Suite customers


Password recovery for super admins and a new interface for security settings

What’s changing

We’re making it easier for super admins to recover their own passwords, as well as updating the look of some basic security settings in the Admin console.

Going forward, super admins who enable “Super admin account recovery” at Admin console > Security > Account recovery can recover their own accounts by clicking the “Forgot password?” link on the sign-in page (provided they’ve added recovery options to their accounts).

Super admin account recovery setting in the Admin console

In addition, we’re starting to gradually migrate your other security settings to a more streamlined, card-based interface. These changes will take place slowly over time, and most will have no impact on the configuration of your settings themselves. If any updates require changes to your workflows, we’ll let you know on the G Suite Updates blog and/or via email.

Who’s impacted

Admins

Why you’d use it

Previously, a super admin who was locked out of their account had to contact another super admin or Google Support to recover their password. This new setting makes it much easier for super admins to get back into their accounts and back to work.

Getting started

Admins: For most current and all new customers, the Super admin account recovery feature will be OFF by default and can be enabled at the domain, OU, or group level. If you’re an existing customer with fewer than three super admins or 500 users, however, the setting will be ON by default, to match previous behavior. Note that with the setting on, whoever controls a super admin’s recovery phone number or recovery email can reset that super admin’s password, so those recovery channels need the same protection as the account itself. Visit the Help Center to learn more about turning Super admin account recovery on or off for your organization.

Rollout pace


  • Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on January 13, 2020
  • Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on January 13, 2020

Availability


  • Available to all G Suite customers

Get email alerts and see associated tickets for Access Transparency logs

Quick launch summary 

We’re making two improvements which will make Access Transparency logs more useful for G Suite admins. Specifically you can now:

  • Choose to receive email alerts when specific Access Transparency logs are created. 
  • See any support ticket numbers associated with requests in the Audit log report. 

Access Transparency for G Suite provides more visibility into actions taken by Google staff related to your data. Learn more about how Access Transparency can help increase trust in cloud data security.

Access Transparency logs describe the affected resource, the time of the action, the reason for the action, and more. With this launch, you can create automated alerts to get notified via email when specified criteria related to Access Transparency are met and an associated log is created. To get started, create an alert based on the "Event Name = Access" filter.

Learn more about Access Transparency logs, or how to set up alerts.


Sample email alert when an Access Transparency log is created 

You can see support ticket numbers in the Access Transparency audit log 


Getting started 


  • Admins: Email alerts will be OFF by default; support ticket information in the audit log will be ON by default. Learn more about Access Transparency logs, or how to set up alerts.
  • End users: Feature is not visible to end users. 

Rollout pace 


  • This feature is available now for all users. 

Availability 


  • Available to G Suite Enterprise and G Suite Enterprise for Education customers. 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, and G Suite for Nonprofits customers. 


Turning off less secure app access to G Suite accounts

What’s changing 

Starting in June 2020, we’ll limit the ability for less secure apps (LSAs) to access G Suite account data. LSAs are non-Google apps that can access your Google account with only a username and password. They make your account more vulnerable to hijacking attempts. Instead of LSAs, you can use apps that support OAuth—a modern and secure access method.

This is most likely to impact users of legacy email, calendar, and contacts apps—see below for more details. We’ve also emailed your organization’s primary admin with details around this change. That email includes a list of users who are likely to be affected.

Access to LSAs will be turned off in two stages:

  • After June 15, 2020 - Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off. 
  • After February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts. 


This is a continuation of our previously announced process to limit access to less secure apps to protect G Suite accounts. See below for more details on the possible impact of this change, and some recommendations for change management with users of LSAs.

Who’s impacted 

End users

Why this matters 

Many users use non-Google apps, and give those apps permission to access G Suite data. For example, you may give the iOS mail app permission to see your work email. This provides users with more options, and helps users get work done in a way that works well for them.

When account access is provided through an LSA, it puts that account at risk of hijacking. That’s because LSAs provide a non-Google app access to your account through just a username and password, without any other authentication factor. If a bad actor got access to your username and password (for example, if you re-use the password on another site that is subject to a data breach), they could access your account data with just that username and password information through an LSA.

However, when account access is provided through OAuth, we get more details about the login and can validate it the same way we would with any other login to your account. This means we can better identify and prevent suspicious login attempts, preventing hijackers from accessing the account data even if they have your username and password. OAuth also helps us enforce G Suite admin defined login policies, such as the use of security keys, as well as other security controls such as whitelisting apps and offering scope-based account access.

As we’re constantly working to improve the security of your organization’s G Suite accounts, we’ve made the decision to remove LSA access by February 15, 2021. Given the many alternative apps and processes available which do use OAuth (outlined below), we hope that this won’t cause significant disruption while increasing your account security.

How to get started 


  • Admins: 
    • See the “Additional details” section below for more information and recommended actions. 
    • See the email sent to your organization’s primary admin with a subject line of “Switch to apps that use secure OAuth access, as password-based access will no longer be supported” for a list of users who are likely to be affected by the change. 
  • End users: See the “User information and advice” section below for more details and recommended actions, or use our Help Center to learn more about less secure apps and your Google account.


Additional details 

Admin and developer information 

Mobile device management (MDM) configuration - If your organization uses a mobile device management (MDM) provider to configure CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) profiles, these services will be phased out according to the timeline below:

  • June 15, 2020 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for new users. 
  • February 15, 2021 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth. 


Scanners and other devices - No change is required for scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails. If you replace your device, look for one that sends email using OAuth.

Developer instructions - To maintain compatibility with G Suite accounts, update your app to use OAuth 2.0 as its connection method. To get started, follow our developer guide on using OAuth 2.0 to access Google APIs. You can also refer to our guide on OAuth 2.0 for mobile & desktop apps.
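To make the contrast drawn under “Why this matters” and the developer instructions above concrete, here is an added example, not code from the original post or from Google, showing the two IMAP sign-in paths in Python: the password LOGIN that a less secure app uses, and the SASL XOAUTH2 exchange an OAuth client uses instead. The XOAUTH2 response format and the sample address and token are the ones Google documents for Gmail IMAP, and imap.gmail.com is Gmail’s IMAP host; the function names and the error-handling flow are this example’s own.

```python
# Added example (not from the original post or from Google): the two IMAP
# sign-in paths the announcement contrasts. A less secure app sends the
# account password in a plain LOGIN command; an OAuth client sends a
# short-lived access token through the SASL XOAUTH2 mechanism instead.
# Nothing below opens a network connection unless you call the two
# imap_login_* helpers yourself; the wire format is built and checked locally.
import base64
import imaplib
import json
from typing import Callable, Optional, Tuple

GMAIL_IMAP_HOST = "imap.gmail.com"


def xoauth2_initial_response(user: str, access_token: str) -> bytes:
    """SASL XOAUTH2 initial client response, as Google documents it:
    user=<address>^Aauth=Bearer <token>^A^A   (^A is the 0x01 byte)."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def xoauth2_wire_form(user: str, access_token: str) -> str:
    """What actually crosses the wire after AUTHENTICATE XOAUTH2: the
    initial response base64-encoded (imaplib does this step for you)."""
    return base64.b64encode(xoauth2_initial_response(user, access_token)).decode("ascii")


def decode_wire_form(b64: str) -> bytes:
    """Inverse of xoauth2_wire_form, handy when reading a capture or a log."""
    return base64.b64decode(b64)


def make_xoauth2_authobject(
    user: str, access_token: str
) -> Tuple[Callable[[Optional[bytes]], bytes], dict]:
    """Return (authobject, state) for imaplib.IMAP4.authenticate().
    imaplib calls authobject once with an empty challenge to get the
    initial response. Only if the server rejects the token does it call it
    again, with a JSON error such as {"status":"400","schemes":"Bearer",...}
    (imaplib base64-decodes the challenge first); the client must answer
    with an empty response so the server can finish the exchange with NO."""
    state = {"calls": 0, "error": None}

    def authobject(challenge: Optional[bytes]) -> bytes:
        state["calls"] += 1
        if state["calls"] == 1:
            return xoauth2_initial_response(user, access_token)
        if challenge:
            try:
                state["error"] = json.loads(challenge)
            except ValueError:
                state["error"] = {"raw": challenge.decode("utf-8", "replace")}
        return b""  # empty reply lets the server finish with NO

    return authobject, state


def imap_login_password(user: str, password: str, host: str = GMAIL_IMAP_HOST) -> imaplib.IMAP4_SSL:
    """The LSA path being retired: the password itself is the credential,
    so anyone who has it (say, from a breach of a site where it was reused)
    can read the mailbox with no second factor in the way."""
    conn = imaplib.IMAP4_SSL(host)
    conn.login(user, password)  # IMAP LOGIN <user> <password>
    return conn


def imap_login_oauth(user: str, access_token: str, host: str = GMAIL_IMAP_HOST) -> imaplib.IMAP4_SSL:
    """The OAuth path: the token comes from an interactive OAuth 2.0 flow
    (scope https://mail.google.com/ for Gmail IMAP), which is where Google
    can apply sign-in policy, 2-Step Verification and app allowlisting.
    The token is short-lived and scoped, unlike the account password."""
    conn = imaplib.IMAP4_SSL(host)
    authobject, state = make_xoauth2_authobject(user, access_token)
    try:
        conn.authenticate("XOAUTH2", authobject)  # AUTHENTICATE XOAUTH2 <base64>
    except imaplib.IMAP4.error as exc:
        raise RuntimeError(f"XOAUTH2 rejected: {state['error'] or exc}") from exc
    return conn


if __name__ == "__main__":
    # Sample values from Google's XOAUTH2 documentation, not a live token.
    sample_user = "someuser@example.com"
    sample_token = "ya29.vF9dft4qmTc2Nvb3RlckBhdHRhdmlzdGEuY29tCg"
    print(xoauth2_wire_form(sample_user, sample_token))
```

Obtaining the access token (the OAuth 2.0 authorization flow for the mail scope) is deliberately left out; that interactive flow is exactly where Google can apply the sign-in policies the post describes, and it is the step a plain LOGIN command bypasses.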


End User information and advice 

If you are using an app that accesses your Google account with only a username and password, take one of the following actions to switch to a more secure method and continue to access your email, calendar, or contacts. If you do not take one of the following actions, when LSA access is discontinued after February 15, 2021, you will begin receiving an error message that your username-password combination is incorrect.

Email 

  • If you are using stand-alone Outlook 2016 or earlier, you can use G Suite Sync for Microsoft Outlook. Alternatively, move to Office 365 (which includes a web-based version of Outlook) or Outlook 2019, both of which support OAuth access. 
  • If you are using Thunderbird or another email client, re-add your Google Account and configure it to use IMAP with OAuth. 
  • If you are using the mail app on iOS or macOS, or Outlook for Mac, and sign in with only a password, you’ll need to remove and re-add your account. When you add it back, make sure to choose Google as the account type to automatically use OAuth. 


Calendar

  • If you use CalDAV to give an app or device access to your calendar, switch to a method that supports OAuth. We recommend the Google Calendar app [Web/iOS/Android] as the most secure app to use with your G Suite account. 
  • If your G Suite account is linked to the calendar app in iOS or macOS and signs in with only a password, you’ll need to remove and re-add your account to your device. When you add it back, select “sign in with Google” to automatically use OAuth. Read more

Contacts 

  • If your G Suite account is syncing contacts to iOS or macOS via CardDAV and signs in with only a password, you’ll need to remove your account. When you add it back, select “sign in with Google” to automatically use OAuth. Read More
  • If your G Suite account is syncing contacts to any other platform or app via CardDAV and uses only a password to login, switch to a method that supports OAuth. 

Other less secure apps 

  • If you use other apps on iOS or macOS that access your G Suite account information with only a password, most access issues can be resolved by removing and then re-adding your account. When you add it back, make sure to select Google as the account type to automatically use OAuth. 
  • For any other LSA, contact your admin or ask the developer of the app you are using to start supporting OAuth. 
  • If the developer won’t update their app, you will need to switch to a client that offers OAuth.  


Availability 

Rollout details - all domains 

  • After June 15, 2020 
    • Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off. 
    • MDM configuration of CalDAV or CardDAV will no longer work for new users. 
  • After February 15, 2021 
    • Access to LSAs will be turned off for all G Suite accounts. 
    • MDM configuration of CalDAV and CardDAV will no longer work for existing users. All existing users will be required to re-add their Google accounts if they wish to sync contacts, calendar, or email. 

G Suite editions 
Applicable to all G Suite editions

On/off by default?
This feature will be ON by default and can’t be turned off.



What’s changing 

Starting in June 2020, we’ll limit the ability for less secure apps (LSAs) to access G Suite account data. LSAs are non-Google apps that can access your Google account with only a username and password. They make your account more vulnerable to hijacking attempts. Instead of LSAs, you can use apps that support OAuth—a modern and secure access method.

This is most likely to impact users of legacy email, calendar, and contacts apps—see below for more details. We’ve also emailed your organization’s primary admin with details around this change. That email includes a list of users who are likely to be affected.

Access to LSAs will be turned off in two stages:

  • After June 15, 2020 - Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off. 
  • After February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts. 


This is a continuation of our previously announced process to limit access to less secure apps to protect G Suite accounts. See below for more details on the possible impact of this change, and some recommendations for change management with users of LSAs.

Who’s impacted 

End users

Why this matters 

Many users use non-Google apps, and give those apps permission to access G Suite data. For example, you may give the iOS mail app permission to see your work email. This provides users with more options, and helps users get work done in a way that works well for them.

When account access is provided through an LSA, it puts that account at risk of hijacking. That’s because LSAs provide a non-Google app access to your account through just a username and password, without any other authentication factor. If a bad actor got access to your username and password (for example, if you re-use the password on another site that is subject to a data breach), they could access your account data with just that username and password information through an LSA.

However, when account access is provided through OAuth, we get more details about the login and can validate it the same way we would with any other login to your account. This means we can better identify and prevent suspicious login attempts, preventing hijackers from accessing the account data even if they have your username and password. OAuth also helps us enforce G Suite admin defined login policies, such as the use of security keys, as well as other security controls such as whitelisting apps and offering scope-based account access.

As we’re constantly working to improve the security of your organization’s G Suite accounts, we’ve made the decision to remove LSA access by February 15, 2021. Given the many alternative apps and processes available which do use OAuth (outlined below), we hope that this won’t cause significant disruption while increasing your account security.

How to get started 


  • Admins: 
    • See the “Additional details” section below for more information and recommended actions. 
    • See the email sent to your organization’s primary admin with a subject line of “Switch to apps that use secure OAuth access, as password-based access will no longer be supported” for a list of users who are likely to be affected by the change. 
  • End users: See the “User information and advice” section below for more details and recommended actions, or use our Help Center to learn more about less secure apps and your Google account.


Additional details 

Admin and developer information 

Mobile device management (MDM) configuration - If your organization uses a mobile device management (MDM) provider to configure CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) profiles, these services will be phased out according to the timeline below:

  • June 15, 2020 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for new users. 
  • February 15, 2021 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth. 


Scanners and other devices - No change is required for scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails. If you replace your device, look for one that sends email using OAuth.

Developer instructions - To maintain compatibility with G Suite accounts, update your app to use OAuth 2.0 as a connection method. To get started, follow our developer guide on using OAuth 2.0 to access Google APIs. You can also refer to our guide on OAuth 2.0 for mobile & desktop apps.
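As an added illustration of the developer instructions above, and of the “Why this matters” point that an OAuth login carries a scope-bound token rather than the account password (this is example code, not Google’s or any client’s own): an IMAP client authenticating with the SASL XOAUTH2 mechanism. The host, user and token values are constructed placeholders; the XOAUTH2 response format is the one Gmail documents for IMAP.

```python
"""Added example: IMAP access with OAuth 2.0 (SASL XOAUTH2) instead of a
password-only LSA login. Not Google's code; host, user and token values are
constructed placeholders."""
import imaplib
from typing import Callable, Dict


def build_xoauth2_response(user: str, access_token: str) -> bytes:
    """Build the SASL XOAUTH2 client response.

    Gmail documents the format as
        "user=" {user} "^Aauth=Bearer " {token} "^A^A"
    where ^A is the control character 0x01. Only a short-lived, scope-bound
    bearer token is sent; the third-party app never handles the password.
    """
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def parse_xoauth2_response(raw: bytes) -> Dict[str, str]:
    """Inverse of build_xoauth2_response, e.g. to inspect what a client sent.

    Raises ValueError if the framing is wrong or the credential is not a
    bearer token.
    """
    text = raw.decode("utf-8")
    if not text.endswith("\x01\x01"):
        raise ValueError("XOAUTH2 response must end with two 0x01 bytes")
    fields: Dict[str, str] = {}
    for part in text[:-2].split("\x01"):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    auth = fields.get("auth", "")
    if not auth.startswith("Bearer "):
        raise ValueError("auth field must carry a Bearer token")
    fields["token"] = auth[len("Bearer "):]
    return fields


def xoauth2_authobject(user: str, access_token: str) -> Callable[[bytes], bytes]:
    """Callback for imaplib.IMAP4.authenticate(); imaplib base64-encodes the
    bytes returned here before sending them on the wire."""
    def respond(_challenge: bytes) -> bytes:
        return build_xoauth2_response(user, access_token)
    return respond


def connect_with_oauth(host: str, user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Open an IMAP session the way a non-LSA client does: AUTHENTICATE
    XOAUTH2 with a token obtained from the OAuth 2.0 consent flow."""
    conn = imaplib.IMAP4_SSL(host)  # e.g. imap.gmail.com, port 993
    conn.authenticate("XOAUTH2", xoauth2_authobject(user, access_token))
    return conn


def connect_with_password(host: str, user: str, password: str) -> imaplib.IMAP4_SSL:
    """The password-only path this change retires: the password itself is the
    credential sent to the server, with no second factor or scope limit."""
    conn = imaplib.IMAP4_SSL(host)
    conn.login(user, password)
    return conn
```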


End User information and advice 

If you are using an app that accesses your Google account with only a username and password, take one of the following actions to switch to a more secure method and continue to access your email, calendar, or contacts. If you do not take one of the following actions, when LSA access is discontinued after February 15, 2021, you will begin receiving an error message that your username-password combination is incorrect.

Email 

  • If you are using stand-alone Outlook 2016 or earlier, you can use G Suite Sync for Microsoft Outlook. Alternatively, move to Office 365 (a web-based version of Outlook) or Outlook 2019, both of which support OAuth access. 
  • If you are using Thunderbird or another email client, re-add your Google Account and configure it to use IMAP with OAuth. 
  • If you are using the mail app on iOS or macOS, or Outlook for Mac, and use only a password to log in, you’ll need to remove and re-add your account. When you add it back, make sure to choose Google as the account type to automatically use OAuth. 


Calendar

  • If you use CalDAV to give an app or device access to your calendar, switch to a method that supports OAuth. We recommend the Google Calendar app [Web/iOS/Android] as the most secure app to use with your G Suite account. 
  • If your G Suite account is linked to the calendar app in iOS or macOS and uses only a password to log in, you’ll need to remove and re-add your account to your device. When you add it back, select “Sign in with Google” to automatically use OAuth. 

Contacts 

  • If your G Suite account is syncing contacts to iOS or macOS via CardDAV and uses only a password to log in, you’ll need to remove and re-add your account. When you add it back, select “Sign in with Google” to automatically use OAuth. 
  • If your G Suite account is syncing contacts to any other platform or app via CardDAV and uses only a password to log in, switch to a method that supports OAuth. 

Other less secure apps 

  • If you use other apps on iOS or macOS that access your G Suite account information through only a password, most access issues can be resolved by removing and then re-adding your account. When you add it back, make sure to select Google as the account type to automatically use OAuth. 
  • For any other LSA, contact your admin or ask the developer of the app you are using to start supporting OAuth. 
  • If the developer won’t update their app, you will need to switch to a client that offers OAuth.  


Helpful links 




Availability 

Rollout details - all domains 

  • After June 15, 2020 
    • Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off. 
    • MDM configuration of CalDAV or CardDAV will no longer work for new users. 
  • After February 15, 2021 
    • Access to LSAs will be turned off for all G Suite accounts. 
    • MDM configuration of CalDAV and CardDAV will no longer work for existing users. All existing users will be required to re-add their Google accounts if they wish to sync contacts, calendar, or email. 

G Suite editions 
Applicable to all G Suite editions

On/off by default?
This feature will be ON by default and can’t be turned off.


Stay up to date with G Suite launches

New option to make security codes more secure

What’s changing 

We’re giving you another option to determine how security codes can be used in your organization. A security code is a one-time-use code, generated using a security key, that can be used to log in on legacy platforms where security keys aren’t supported directly.

With this launch we’re adding an option to restrict the use of codes to the same device or network that they were generated on.

Who’s impacted 

Admins and end users

Why you’d use it 

Since we introduced security codes in June 2019, we’ve observed that they’re most commonly used with applications that use legacy authentication on devices that are capable of supporting Chrome or other browsers that allow security keys. The new restricted security code option allows that use case to be satisfied while reducing some potential vulnerabilities. Unrestricted codes will still be available for users who need them (such as those using remote servers or virtual machines).

How to get started 

Admins: Customers can turn this feature on at Admin console > Security > Advanced security settings. Use our Help Center to find out more about security codes.
End users: No action needed.

Additional details 

Three security code settings available to G Suite admins 
With this launch, there will be three options for security codes:

  • Don't allow users to generate security codes. Users can’t generate security codes. This was previously available, and was the default setting. 
  • Allow security codes without remote access. Users can generate security codes and use them on the same device or local network (NAT or LAN). This is a new option, and it replaces “Don’t allow security codes” as the default setting for new G Suite customers. 
  • Allow security codes with remote access. Users can generate security codes and use them on the same device or local network (NAT or LAN), as well as other devices or networks, such as when accessing a remote server or a virtual machine. The earlier version of security codes was effectively the same as this. 


No impact to existing users 
This launch won’t change the user experience unless an admin changes a setting in the Admin console. Specifically,

  • Users who are currently assigned “Don’t allow security codes” will now be assigned “Don't allow users to generate security codes” and will still not be able to use security codes. 
  • Users who are currently assigned “Allow use of security codes,” will now be assigned “Allow security codes with remote access” and will be able to use security codes in the same way as before. 

Use our Help Center to learn more about security codes and 2-Step Verification.

Security codes and the Advanced Protection Program for the enterprise 
You can control security code use separately for your users in the Advanced Protection Program for the enterprise. Security code settings for those users are determined by controls at Admin console > Security > Advanced Protection Program. Settings for security code use here will override regular settings for those users. Read more about the Advanced Protection Program for the enterprise.

Helpful links 

Help Center: Allow security codes when security keys aren't supported 
G Suite Updates blog: Use security codes to log in where security keys won’t work directly

Availability 

Rollout details 


G Suite editions 

  • Available to all G Suite editions. 

On/off by default? 

  • This feature will be OFF by default and can be customized on the domain, OU, or group level.



Manage apps accessing G Suite data with new app access control

This announcement was made at Google Cloud Next ’19 UK. Check out Next OnAir to tune into the livestream or watch session recordings following the event.



What’s changing 

We’re improving your ability to control access to G Suite data by third-party and domain-owned apps. The new app access control feature will update the interface and controls in the G Suite Admin console to help you search for, research, and control apps using OAuth2 to access G Suite data.

Specifically, app access control will replace the current API Permissions feature to help you:
  • Find: Identify apps being used and see which have been verified to access restricted OAuth2 scopes. 
  • Assess: Understand which apps are being used and get support information about them. 
  • Control: Manage what data each app can access and which users are empowered to use it. 


Who’s impacted 

Admins only

Why it matters 

G Suite has a robust developer ecosystem, with thousands of apps available via the G Suite Marketplace and directly to customers, and a rich API framework enabling customers to develop custom apps. Not all apps, however, will conform to every enterprise customer’s security policy, so our customers and partners value controls to manage third-party apps accessing G Suite data.

With app access control, you can have better visibility into the third-party apps your users have approved to access their G Suite data, and you can reduce any risk to your company data by limiting access to trusted apps.

How to get started 




Additional details 


Find: Identify apps being used and see which have been verified for access to restricted OAuth2 scopes. 

The new interface will help you see which apps and Google services are being used. Also, we previously announced that we now block new installs for unverified third-party apps that access Gmail data, unless you trust them in the Admin console. You can now use our app details page to verify apps’ trusted status.


App access control - Apps page 


Assess: Research the risk profile for the app and its developer or publisher. 

You’ll be able to see more details about each app and its publisher or developer. This will include the developer’s support email, privacy policy, and Terms of Service (if available). In addition, if the app is verified, we will show you this information here. This information can help you decide whether to trust/allow or block/limit an app.

App details page 


Control: Manage what data each app can access and which users are empowered to use it. 

You’ll also be able to adjust whether you trust or limit apps accessing G Suite data via OAuth2 scopes. With these new controls, you now have an easier way to restrict access to APIs (OAuth2 scopes) for Google services such as Gmail, Drive, and the Admin console.

Please note that this does not cover domain-wide delegation and service accounts. Those continue to be managed with the Manage API Client Access page on the Security menu.


App access control - changing access levels for an app 


The Advanced Protection Program can add extra protections for high-risk users. 

The Advanced Protection Program for enterprise, which we announced in general availability today, helps you enforce a set of enhanced security policies for the employees in your organization who are most at risk for targeted attacks. Once users self-enroll, the program enforces an app access control policy—it will automatically block applications that require restricted Gmail and Drive access unless explicitly trusted by the admins—as well as other policies. These include the use of security keys, enhanced email scanning for threats, and download protections in Google Chrome. Find out more about the Advanced Protection Program for enterprise here.

Helpful links 




Availability 

Rollout details 


G Suite editions 
Available to all G Suite editions

On/off by default? 
This feature will be ON by default for all G Suite domains.
