Implement Application Security
Learning Objectives
After completing this unit, you’ll be able to:
- Configure trusted applications for your organization.
- Configure access to trusted applications to prevent malicious attacks.
Control App Access
Google Workspace is designed to work with a variety of applications, from cloud-based enterprise tools to custom solutions. The responsibility of integrating these applications securely falls on the admin’s shoulders. In this unit, you explore how this is done via the Admin SDK API and the console.
Control Access Using the Admin SDK API
Google Workspace has many APIs that allow third-party applications to interact with Google Workspace services such as Gmail, Calendar, Contacts, and so on. An example of usage might be a locally installed application which syncs a local contacts database with your Google Workspace contacts. This application would likely use the People API to sync data.
In addition to APIs that access user data, Google Workspace includes the Admin SDK API. This is specifically designed to allow developers to interact with the admin console and objects such as users, calendar resources, groups, OUs, and so on.
Admin SDK API access is enabled by default via the Google Workspace Admin service. Restrict access to this service if you don't have applications that specifically require it. So, let’s disable Admin SDK API access.
- Sign in to your domain as the administrator at admin.google.com.
- Navigate to Security | Access and data control | API controls.
- Click the MANAGE GOOGLE SERVICES link.
- Hover over the Google Workspace Admin service and click Change access.
- Select Restricted: Only trusted apps can access a service.
- Then, click Change.
- Click RESTRICT.
Now, the Google Workspace Admin service is listed as Restricted in the services list.
Manage Connected Apps
There are many third-party applications that interact with Google Workspace using the Google Workspace APIs. These might be traditional desktop or mobile apps.
Before an application can get access to a Google Workspace user's managed account, the application must request access to the data (stating what access it requires) and the user must grant that access. This is done during application installation and this flow is known as 3-legged authorization (3LO). Once authorized, the application receives a token that it uses to access that particular user's account. These tokens are known as OAuth 2.0 tokens.
Each API has one or more scopes which determine the precise access allowed. For example, the Gmail API includes the https://www.googleapis.com/auth/gmail.labels scope which allows the application to manage labels only. Other scopes exist that allow messages to be read, inserted, and sent. It's important that each application only requests access to the data it needs.
As a Google Workspace administrator you can:
- Enable and disable access to each API.
- Create a list of trusted apps that you allow to use disabled APIs.
Let’s block Calendar API access to all applications except for a single application that you trust, plus any applications developed by your organization.
- Sign in to your domain as the administrator at admin.google.com.
- Navigate to Security | Access and data controls | API controls.
- In the Settings section, ensure that Trust internal apps is selected.
- Click MANAGE THIRD-PARTY APP ACCESS.
- Click Add app | Android.
- Enter Calendar Sync and click SEARCH.
- Hover over an app in the search results, then click Select.
- On the Scope page, click CONTINUE.
- Select Trusted: App can request access to all Google data.
- Then click CONTINUE.
- After reviewing the settings you configured, click FINISH.
- Go back to the API controls page and click MANAGE GOOGLE SERVICES. Hover over the 'Calendar' row, then click Change access.
- Select 'Restricted: Only trusted apps can access a service', then click CHANGE.
- Click RESTRICT to confirm.
Now that you've disabled Calendar access, only the app you previously trusted plus any internal apps are allowed to use the Calendar API.
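Before restricting a service, it helps to know which apps your users have already granted access to it. The following is an added example, not part of the original unit: it reviews OAuth token records (using the field names of the Admin SDK Directory API Token resource) and lists grants that hold scopes for a restricted service but are not on your trusted list. The client IDs, the apps other than Calendar Sync, the admin@yourdomain account, and the scope-prefix mapping are constructed assumptions for illustration.

```python
# Scope prefix per service: a simplified mapping assumed for this example.
SERVICE_SCOPE_PREFIXES = {
    "calendar": ("https://www.googleapis.com/auth/calendar",),
    "admin": ("https://www.googleapis.com/auth/admin.",),
}

# Constructed sample grants, shaped like Directory API Token resources
# (userKey, clientId, displayText, scopes). Client IDs are placeholders.
SAMPLE_TOKENS = [
    {"userKey": "samantha.morse@yourdomain",
     "clientId": "111-trusted.apps.example", "displayText": "Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"userKey": "samantha.morse@yourdomain",
     "clientId": "222-unknown.apps.example", "displayText": "Meeting Helper",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly",
                "https://www.googleapis.com/auth/gmail.labels"]},
    {"userKey": "admin@yourdomain",
     "clientId": "333-internal.apps.example", "displayText": "HR Onboarding",
     "scopes": ["https://www.googleapis.com/auth/admin.directory.user"]},
    {"userKey": "admin@yourdomain",
     "clientId": "444-unknown.apps.example", "displayText": "Label Tidy",
     "scopes": ["https://www.googleapis.com/auth/gmail.labels"]},
]


def services_for(scopes):
    """Return the services whose scope prefixes appear in `scopes`."""
    return {svc for svc, prefixes in SERVICE_SCOPE_PREFIXES.items()
            for s in scopes if s.startswith(prefixes)}


def review(tokens, restricted, trusted_client_ids):
    """List grants that touch a restricted service from an untrusted app."""
    findings = []
    for tok in tokens:
        hit = services_for(tok.get("scopes", [])) & set(restricted)
        if hit and tok["clientId"] not in trusted_client_ids:
            findings.append({"user": tok["userKey"], "app": tok["displayText"],
                             "clientId": tok["clientId"], "services": sorted(hit)})
    return findings


if __name__ == "__main__":
    trusted = {"111-trusted.apps.example", "333-internal.apps.example"}
    for f in review(SAMPLE_TOKENS, {"calendar", "admin"}, trusted):
        print(f"{f['user']}: {f['app']} ({f['clientId']}) uses {f['services']}")
```

Each finding is an app that will lose access once the service is set to Restricted, so decide whether to trust it or let the restriction block it.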
Explore the Google Workspace Marketplace
The Google Workspace Marketplace offers a wide range of enterprise apps that add functionality and features to native Google Cloud apps. Anyone with a Google Workspace account can use the marketplace.
As the administrator, you can install apps for your users, and authorize which apps users can install for themselves. Once installed, apps are accessible through the App launcher alongside Google Workspace apps such as Gmail, Calendar, and Drive.
The marketplace is available at apps.google.com/marketplace. Administrators can also access the marketplace from the admin console.
Install a marketplace app for your entire organization and create an apps allowlist ensuring that your users can only install the apps which your company has approved.
- If you aren't already signed in, sign in to your domain as the administrator at admin.google.com.
- Click the Apps icon.
- Then click the Google Workspace Marketplace apps | Apps list.
- Click INSTALL APP.
- Locate Google Analytics in the list of apps and click the app icon. You now have the option of installing the app for your entire organization or installing it for your own account.
- Click Domain Install.
- Read the notification and click CONTINUE. You’re prompted to authorize the application for your organization.
- Review the scopes that the app is requesting access to and, if you are happy with them, check the 'I agree to the application's Terms of Service and Google Workspace Marketplace Terms of Service' box.
- Then, click ALLOW, and then click DONE.
- Return to the Marketplace page in the Admin console. You should see Google Analytics listed. If the list is empty, refresh the page.
Note that it can take 24 hours for the app to become fully available to your users.
Create an Allowlist of Marketplace Apps for Your Users
Now, let's see how you can control what individual users can install onto their devices. Do this by creating a marketplace allowlist.
Start by restricting apps that users can install to only apps that are allowed.
- Return to the home page in the Admin console, and click the Apps icon.
- Click the MANAGE link on the Google Workspace Marketplace apps card.
- Set Allow Install to Allow users to install only allowed applications from Google Workspace Marketplace.
- Click SAVE.
- Click the Manage allowlist link.
- Click the Add the app to allowlist link.
- Search for Google Apps Script in the list of apps, hover over it in the results and click ADD TO THE ALLOWLIST.
Verify the Allowlist
It can take some time for apps to become available to your users, but let’s see if a user in your organization can see the changes you have just made.
- Sign out and sign back in to Google Workspace at apps.google.com/user/hub as samantha.morse@yourdomain. Can you see Google Apps Script in the Approved apps section?
- Open apps.google.com/marketplace and click any app to try to install it. You should see a message in the top right advising you that the app cannot be installed because it has not been allowed.
In this unit, you learned how to securely integrate apps with Google Workspace. As the administrator, you’re responsible for ensuring these apps follow your company’s security protocols. The capabilities of the Admin SDK API and the console help you do this easily.
In the next unit, navigate the Google Workspace alert center, logging, and reporting.