This announcement was made at Google Cloud Next ‘19 UK. Check out Next OnAir to tune into the livestream or watch session recordings following the event.
What’s changing
We’re improving your ability to control access to G Suite data by third-party and domain-owned apps. The new app access control feature will update the interface and controls in the G Suite Admin console to help you search for, research, and control apps using OAuth2 to access G Suite data.
Specifically, app access control will replace the current API Permissions feature to help you:
- Find: Identify apps being used and see which have been verified to access restricted OAuth2 scopes.
- Assess: Understand which apps are being used and get support information about them.
- Control: Manage which apps you trust and what data third-party apps can access.
Who’s impacted
Admins only
Why it matters
G Suite has a robust developer ecosystem, with thousands of apps available via the G Suite Marketplace and directly to customers, and a rich API framework enabling customers to develop custom apps. Not all apps, however, will conform to every enterprise customer’s security policy, so our customers and partners value controls to manage third-party apps accessing G Suite data.
With app access control, you can have better visibility into the third-party apps your users have approved to access their G Suite data, and you can reduce any risk to your company data by limiting access to trusted apps.
How to get started
- Admins: Find the new app access control features at Admin Console > Security > App Access Control. This replaces the prior “API Permissions” feature. All admins with Security privileges can access it. Use our Help Center to learn how to Manage OAuth based access to connected apps.
- End users: No action needed.
Additional details
Find: Identify apps being used and see which have been verified for access to restricted OAuth2 scopes.
The new interface will help you see which apps and Google services are being used. Also, we previously announced that we now block new installs for unverified third-party apps that access Gmail data, unless you trust them in the Admin console. You can now use our app details page to verify apps’ trusted status.
App access control - Apps page
Assess: Research the risk profile for the app and its developer or publisher.
You’ll be able to see more details about each app and its publisher or developer. This will include the developer’s support email, privacy policy, and Terms of Service (if available). In addition, if the app is verified, we will show you this information here. This information can help you decide whether to trust/allow or block/limit an app.
App details page
Control: Manage which apps you trust and what data third-party apps can access.
You’ll also be able to adjust whether you trust or limit apps accessing G Suite data via OAuth2 scopes.
With these new controls, you now have an easier way to restrict access to APIs (OAuth2 scopes) for Google services such as Gmail, Drive, and the Admin console.
Please note that this does not cover domain-wide delegation and service accounts. This continues to be managed with the Manage API Client Access page on the Security menu.
App access control - changing access levels for an app
The Advanced Protection Program can add extra protections for high-risk users.
The Advanced Protection Program for enterprise, which we announced as generally available today, helps you enforce a set of enhanced security policies for the employees in your organization who are most at risk for targeted attacks. Once users self-enroll, the program enforces an app access control policy that automatically blocks applications requiring restricted Gmail and Drive access unless admins explicitly trust them, along with other policies. These include the use of security keys, enhanced email scanning for threats, and download protections in Google Chrome. Find out more about the Advanced Protection Program for enterprise here.
Availability
Rollout details
- Rapid Release domains: Gradual rollout (1–15 days for feature visibility) starting on November 21, 2019
- Scheduled Release domains: Gradual rollout (1–15 days for feature visibility) starting on November 21, 2019
G Suite editions
Available to all G Suite editions
On/off by default?
This feature will be ON by default for all G Suite domains.