SaaS Security - Activating Google Workspace (Gmail and Google Drive)

Minimum Requirements

Prerequisites

To activate Google Workspace, you must have these:

  • Administrator access to activate Google Workspace.
  • An additional Google Workspace license to integrate with Avanan. (Integration is not supported for clients on the free G-Suite license tiers.)
  • The minimum supported SaaS license.
  • If you use GCDS (Google Cloud Directory Sync) to synchronize your user groups on-premises and in the cloud, you must create exclusion rules for these user groups.
    • avanan_inline_policy
    • avanan_inline_outgoing_policy
    • avanan_monitor_policy
    • avanan_monitor_outgoing_policy
      For more information, see GCDS Exclusion Rules.

By default, the Google Chrome browser authenticates the signed-in Chrome user in Google Workspace instead of a selected account. To see if you are signed in to Google Chrome, look for the user name in the browser's top-right corner.

Possible workarounds:

  • Perform the Google Workspace activation using a non-Chrome browser.
  • Sign out (switch to Guest) any logged-in Chrome user before you continue.

While onboarding Google Workspace (Gmail / Google Drive), Avanan creates a service user (cloud-sec-av@[domain]) in the root organizational unit.

Before onboarding, make sure that these settings are selected in your Google Admin console.

  • Go to Authentication Settings of the root organizational unit and check these settings.
    • The Allow users to turn on 2-Step Verification check-box is selected.
    • If the Only security key option is selected, do not select the Don’t allow users to generate security codes option.

Notes:

If the Authentication Settings are not supported, onboarding fails. To resolve this issue, do one of these:

  • If you want to keep the unsupported Authentication Settings of your root organizational unit, move the service user (cloud-sec-av@[domain]) to an organizational unit with the supported Authentication Settings. Then, start onboarding Gmail or Google Drive again.
  • Create a new dedicated organizational unit with the supported Authentication Settings and move the service user (cloud-sec-av@[domain]) to the organizational unit. Then, start onboarding Gmail or Google Drive again.

Activating Gmail

To activate Gmail:

  1. Navigate to Security Settings > SaaS Applications.
  2. Click Start for Gmail.
  3. Enable the I Accept Terms Of Service checkbox.
  4. If you need to limit the license consumption and protection to a specific group of users:
    1. Enable the Restrict inspection to a specific group (Groups Filter) checkbox and click OK.
    2. In the Gmail - Group Selection pop-up, select Specific group.
    3. Enter the group name you need to protect with Avanan.
      Note - The group name must have an associated email address.
    4. Click OK.
  5. Log in to the Google Workspace Marketplace using your Google administrator credentials.
  6. After successful authentication, you will be redirected to the Avanan Cloud Security app installation page.
    Click Admin Install.
  7. In the Admin install pop-up that opens, click Continue.
  8. Avanan Cloud Security app requests permission to access your data.
    Select Everyone at your organization, accept the terms of service, and click Finish.
  9. Click the Google-app icon in the Google Workspace Marketplace. Scroll down and select the Avanan Cloud Security app.
    If prompted, enter the Google administrator credentials, and you are redirected to the Avanan portal.
    Note - After installing the Avanan Cloud Security app, a new Super Admin account is created in your Google Admin console.
  10. Navigate to Configuration > SaaS Applications and click Start for Gmail.
    After successful authentication, Avanan starts scanning the users and emails from Gmail.

Note - After activating Gmail, Avanan performs a retroactive scan of its content. For more information, see Backward Scanning.

Configuring GCDS Exclusion Rules

After activating Google Workspace, Avanan automatically creates four user groups.

  • avanan_inline_policy
  • avanan_inline_outgoing_policy
  • avanan_monitor_policy
  • avanan_monitor_outgoing_policy

You can view these user groups under Groups in your Google Admin console.

Note - If you use GCDS (Google Cloud Directory Sync) to synchronize your user groups on-premises and in the cloud, the synchronization triggers the deletion of these Avanan groups. Although this does not impact email delivery, Avanan cannot scan the emails, and no security events are generated.

Before activating Google Workspace, you must create exclusion rules for these user groups. Set the exclusion type to Group Email Address and the match type to Exact Match, and enter the group email address in the groupname@[domain] format.

For example, the group email addresses should be avanan_inline_policy@mycompany.com and avanan_monitor_policy@mycompany.com, where mycompany is the name of your company.
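
The check below is an added example, not Avanan or Google code: it audits a list of exclusion rules against the requirements above (one Group Email Address / Exact Match rule per group, in the groupname@[domain] format) and reports which of the four groups are absent from a group listing taken after a sync. The rule field names, the sample rules and the sample group listing are assumptions constructed for illustration.

```python
# Added example. The rule field names ("type", "match", "value") are assumptions
# for this sketch, not a GCDS export format. Addresses are compared
# case-insensitively (assumption). All sample data is constructed.
AVANAN_GROUPS = (
    "avanan_inline_policy",
    "avanan_inline_outgoing_policy",
    "avanan_monitor_policy",
    "avanan_monitor_outgoing_policy",
)

def expected_addresses(domain):
    """Group email addresses in the groupname@[domain] format."""
    return [f"{g}@{domain.strip().lower()}" for g in AVANAN_GROUPS]

def audit_exclusion_rules(rules, domain):
    """Return {address: problem} for each Avanan group that is not excluded."""
    problems = {}
    for addr in expected_addresses(domain):
        hits = [r for r in rules if r.get("value", "").strip().lower() == addr]
        if not hits:
            problems[addr] = "no rule with the full groupname@[domain] address"
        elif not any(r.get("type") == "Group Email Address" for r in hits):
            problems[addr] = "exclusion type is not Group Email Address"
        elif not any(r.get("type") == "Group Email Address"
                     and r.get("match") == "Exact Match" for r in hits):
            problems[addr] = "match type is not Exact Match"
    return problems

def missing_groups(group_emails, domain):
    """Avanan groups absent from a group listing, e.g. deleted by a sync."""
    present = {e.strip().lower() for e in group_emails}
    return [a for a in expected_addresses(domain) if a not in present]

SAMPLE_RULES = [  # constructed
    {"type": "Group Email Address", "match": "Exact Match",
     "value": "avanan_inline_policy@mycompany.com"},
    {"type": "Group Email Address", "match": "Substring Match",
     "value": "avanan_monitor_policy@mycompany.com"},
    {"type": "Group Email Address", "match": "Exact Match",
     "value": "avanan_inline_outgoing_policy"},  # domain part left out
]
SAMPLE_GROUPS = ["sales@mycompany.com", "avanan_inline_policy@mycompany.com",
                 "avanan_monitor_policy@mycompany.com"]  # constructed, post-sync

if __name__ == "__main__":
    for addr, why in audit_exclusion_rules(SAMPLE_RULES, "mycompany.com").items():
        print(f"FIX  {addr}: {why}")
    for addr in missing_groups(SAMPLE_GROUPS, "mycompany.com"):
        print(f"GONE {addr}")
```

A non-empty result from missing_groups after a sync corresponds to the state described in the note above: mail is still delivered, but it is not scanned and no security events are generated.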

Note - If you have activated Google Workspace without creating exclusion rules, contact Avanan Support.

For more information about Google Workspace footprint, see Google Workspace Footprint.