Wednesday, June 12, 2019

Take action by July 8, 2019, to ensure your users can continue to use third-party apps accessing Gmail data

What’s changing

Security and privacy are extremely important to Google. To better protect your data, we’ve made an important update to our policies governing third-party apps (web, Android, iOS, Chrome, and other apps) accessing Gmail data using G Suite APIs and OAuth2.

We previously announced that apps accessing user data for non-enterprise accounts using certain Gmail APIs had to be verified to ensure compliance with new privacy and security requirements using our OAuth API Application Verification. Starting on July 8, 2019, we’ll apply similar requirements for apps you may use within your domain.

Who’s impacted

Admins and end users

Why it matters

While existing unverified apps will continue to work for users who installed them before July 8, after this date we’ll block new installs for unverified third-party apps that access Gmail data and that you don’t explicitly trust (whitelist) in the G Suite Admin console.

How to get started


  • Admins:
    • Review unverified apps in your environment: Please review the unverified apps currently in use in your organization’s G Suite environment and decide which apps you want to trust and allow users to continue to install. The primary admin contact at your organization will receive an email by June 21, 2019, with a list of those unverified apps, including the number of users and whether or not you have trusted them in API Permissions.
    • Trust apps that you want to allow users to continue to install: To trust an app, use our API Permissions (OAuth apps whitelisting) feature in the Security section of the Admin console. Trusting an app also means that, if users consent, the app will have access to some G Suite user data (OAuth2 scopes) that you’ve otherwise restricted using this same tool. For example, if you’ve generally blocked access to Gmail OAuth2 scopes, trusted apps will have access for accounts where users consent.


Additional details

Below is a list of frequently asked questions.

  • Why would an app be unverified? Apps may not have completed the verification process for numerous reasons, some of the more common ones being an unsupported Application Type or using data in a way that is incompatible with Limited Use requirements. We’ve implemented this verification process to help provide users both confidence and consistency with their privacy expectations.
  • If I‘m an app developer as well as a user, how do I get an app verified? Review the OAuth API Application Verification FAQ and submit a request for verification from the API Developer Console.
  • What will happen to unverified apps after July 8? Users who’ve installed unverified apps before July 8 will continue to have access to them, unless you restrict access to G Suite APIs in the Security section of the Admin console. New users will not be able to install unverified apps unless you trust them using the API Permissions (OAuth apps whitelisting) feature.
  • What happens when I trust an app? Users who haven’t already installed it before July 8 will now be able to install it, whether or not the app is verified by Google. Additionally, the app will have access to any G Suite APIs (OAuth2 scopes) that you’ve restricted using the API Permissions settings.
  • What if I don’t want to trust any apps? If you take no action, new users will be blocked from accessing unverified third-party apps that access Gmail data beginning July 8. Additionally, you can further restrict, limit, or block access by all apps, including previously installed apps, to Gmail by using API Permissions.
  • Do I need to trust Apps Script and App Maker apps in my domain to keep using them? No. These apps, including Apps Script projects created by users within the domain and apps associated with the organization in the Google Cloud Platform Console owned by the domain, are excluded from this enforcement action.


Helpful links

Help Center: Authorize unverified third-party apps
Help Center: Whitelist connected apps
OAuth API Verification FAQ

Availability

Rollout details


G Suite editions

  • Impacts all G Suite editions

On/off by default?

  • These restrictions will apply to all domains by default starting on July 8, 2019.

Stay up to date with G Suite launches