[Update - October 15, 2024]: Rollout for this update has been paused for the remainder of the year and will resume in January 2025. In the interim, GoogleSync and Less Secure Apps will continue to function as usual. We’ll share another update here when rollout resumes.
What’s changing As part of our commitment to user safety, Google Workspace will no longer support the sign-in method for third-party apps or devices that require users to share their Google username and password. This antiquated sign-in method, known as Less Secure Apps (LSAs), puts users at an additional risk since it requires sharing Google Account credentials with third-party apps and devices that can make it easier for bad actors to gain unauthorized access to your account.
Instead, you’ll need to use the option to Sign-In with Google, which is a safer and more secure way to sync your email to other apps. Sign-in with Google leverages industry standard and more secure OAuth method of authentication already used by the vast majority of third-party apps and devices.
Access to Less Secure Apps (LSA) will be turned off in two stages:
Beginning June 15, 2024: The LSA settings will be removed from the Admin console and can no longer be changed. Enabled users can connect during this time, but disabled users will no longer be able to access LSAs. This includes all third-party apps that require password-only access to Gmail, Google Calendar, Contacts via protocols such as CalDAV, CardDAV, IMAP, SMTP, and POP. The IMAP enable/disable settings will be removed from users’ Gmail settings. If you’ve been using LSAs prior to this date, you can continue using them until September 30, 2024. Beginning September 30, 2024: As part of this change, Google Sync will also be sunsetted:
Beginning June 15, 2024: New users will not be able to connect to Google Workspace via Google Sync.September 30, 2024: Existing Google Sync users will not be able to connect to Google Workspace. Here is how you can transition your organization off Google Sync . To find Google Sync usage in your organization, please go to the Admin Console, navigate to Devices > Mobile & Endpoints > Devices, and filter by Type: Google Sync .
See below for more specific guidance for admins, end users, and developers regarding this change.
Who’s impacted Admins and end users
Getting StartedAdmins
Preparing your end users
In order for your end users to continue using these types of apps with their Google Workspace accounts, they must
switch to a more secure type of access called OAuth . You’ll receive more information via email with affected users in your organization in the coming months. We recommend that you
share the user instructions (included below) to help them make the necessary changes.
Mobile Device Management (MDM) Impact
If your organization uses a mobile device management (MDM) provider to configure IMAP, CalDAV CardDAV, POP or Exchange ActiveSync (Google Sync) profiles, these services will be phased out according to the timeline below:
June 15, 2024
MDM push of password based IMAP, CalDAV, CardDAV, STMP, POP and Exchange ActiveSync (Google Sync) will no longer work for customers who try to connect to an LSA for the first time.
If you use Google Endpoint Management, you will not be able to turn on "Custom Push Configuration" settings for CalDAV and CardDAV.
September 30, 2024
MDM push of password based IMAP, CalDAV, CardDAV, SMTP and POP will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth.
MDM push of password based Exchange ActiveSync (Google Sync) will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth.
If you use Google Endpoint Management, “Custom push configuration-CalDAV” and “Customer push configuration-CardDAV” (more details about the settings here ) will stop being effective.
Scanners and other devices
If you have scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails, you’ll need to either: configure them to use OAuth, use an alternative method, or configure an App Password for use with the device.
End users
If you are using an app that accesses your Google Account with only a username and password, take one of the following actions to continue to access your email, calendar, or contacts. If you do not take one of the following actions by September 30, 2024, you will begin receiving an error message that your username-password combination is incorrect and you will not be able to log in.
Email Applications
Outlook 2016 or Earlier
Move to Microsoft 365 (formerly known as Office 365, a web-based version of Outlook) or Outlook for Windows or Mac, both of which support OAuth access.
Alternatively you can use Google Workspace Sync for Microsoft Outlook .
Thunderbird or another email client
Re-add your Google Account and configure it to use IMAP with OAuth.
The mail app on iOS or MacOS, or Outlook for Mac and use only a password to login
You’ll need to remove and re-add your account. When you add it back, select “Sign in with Google” to automatically use OAuth.
MacOS:
iOS:
Calendar Applications
If you use an app that uses password based CalDAV to give access to your calendar, switch to a method that supports OAuth. We recommend the Google Calendar app [Web /iOS /Android ] as the most secure app to use with your Google Workspace account. If your Google Workspace account is linked to the calendar app in iOS or MacOS and uses only a password to login, you’ll need to remove and re-add your account to your device. When you add it back, select “sign in with Google” to automatically use OAuth. Read more .
Contacts Applications
If your Google Workspace account is syncing contacts to iOS or MacOS via CardDAV and uses only a password to login, you’ll need to remove your account. When you add it back, select “sign in with Google” to automatically use OAuth. Read More . If your Google Workspace account is syncing contacts to any other platform or app via CardDAV and uses only a password to login, switch to a method that supports OAuth.
All Other Applications
Developers
Users with personal Google accounts: In the coming weeks we will be removing the IMAP enable/disable toggle from your Gmail settings. IMAP access is always enabled over OAuth and your current connections will not be impacted. No action is required of users.
Availability This change impacts all Google Workspace customers.
Resources