Enterprise Recon 2.1

G Suite

This section covers the following topics:

Overview

The instructions here work for setting up the following G Suite products as Targets:

  • Google Drive
  • Google Tasks
  • Google Calendar
  • Google Mail

To set up G Suite products as Targets:

  1. Configure G Suite Account
  2. Set up G Suite as Target

To scan a specific path in G Suite, see Edit G Suite Target Path.

Licensing

For Sitewide Licenses, all scanned G Suite Targets consume data from the Sitewide License data allowance limit.

See Target Licenses for more information.

Requirements

Requirements Description
Proxy Agent
  • Proxy Agent host with direct Internet access.
  • Cloud service-specific access keys.
Recommended Proxy Agents:
  • Windows Agent with database runtime components
  • Windows Agent
  • Linux Agent with database runtime components
  • Linux Agent
  • macOS Agent
TCP Allowed Connections Port 443

Configure G Suite Account

Before you add G Suite products as Targets, you must have:

  • A G Suite administrator account for the Target G Suite domain.
  • The Target must be a G Suite account. Personal Google accounts are not supported.

To configure your G Suite account for scanning:

Select a Project

  1. Log into the Google Developers Console.
  2. Click on Select a project ▼. The Select dialog box opens and displays a list of existing projects.

In the Select dialog box, you can:

  • Select an existing project.
  • (Recommended) Create a new project.

Select a project in the Google Developers Console to enable G Suite APIs.

To select an existing project:

  1. Click on a project.
  2. Click OPEN.

To create a new project:

  1. Click on +.
  2. In the New Project page, enter your Project name and click Create.

Enable APIs

To scan a specific G Suite product, enable the API for that product in your project.

To enable G Suite APIs:

  1. Select a Project.
  2. In the project Dashboard, click + ENABLE APIS AND SERVICES. This displays the API Library.
  3. Enable the Admin SDK API.
    1. Under G Suite APIs, click Admin SDK.
    2. Click ENABLE.
  4. Repeat to enable the following APIs:

    Target G Suite Product API Library
    Google Mail Gmail API
    Google Drive Google Drive API
    Google Tasks Tasks API
    Google Calendar Google Calendar API

Create a Service Account

Create a service account for ER2:

  1. Click on the menu on the upper-left corner of the Google Developers Console.
  2. Go to IAM & Admin > Service accounts.
    Create a service account in the Google Developers Console to use for Enterprise Recon 2.1 scans.
  3. Click + CREATE SERVICE ACCOUNT.
    Click on "Create service account button" in Google Developers Console.
  4. In the Create service account dialog box, enter the following:
    Field Description
    Service account name Enter a descriptive label.
    Role Select Project > Owner.
    Service account ID

    Enter a name for your service account, or click the refresh button to generate a service account ID.

    An example service account ID: service-account-634@project_name-1272.iam.gserviceaccount.com

    Furnish a new private key
    1. Select Furnish a new private key.
    2. Select P12.
    Enable G Suite Domain-wide Delegation Select Enable G Suite Domain-wide Delegation.
  5. Click CREATE. The Service account and key created dialog box displays, and a P12 key is saved to your computer. Keep the P12 key in a secure location.

  6. Click Close.
  7. Write down the newly created service account’s Service account ID and Key ID.

Set up Domain-Wide Delegation

The following is a guide for setting up domain-wide delegation for existing service accounts.

To allow ER2 to access your G Suite domain with the Service Account, you must set up and enable domain-wide delegation for your Service Account.

To set up domain-wide delegation:

  1. Click on the menu on the upper-left corner of the Google Developers Console.
  2. Go to API Manager > Credentials.
  3. On the Credentials page, under OAuth 2.0 client IDs, go to the entry for your service account and take note of the Client ID.
    Credentials page in Google Developers Console displaying the OAuth 2.0 client ID for created service accounts.

  4. Go to the G Suite Admin Console. In the Admin Console, click on Security.
    Select Security to manage security features in the G Suite admin console.
  5. On the Security page, click Show more.
  6. Click on Advanced settings to expand it.
  7. Under Authentication, click Manage API client access.
    Select "Manage API client access" under Authentication in Advanced settings on G Suite admin console.
  8. In Manage API client access, enter:
    1. Client Name: Your Service account Client ID (For example, 116877825065678775170).
    2. One or More API Scopes: For each G Suite product that you wish to scan, you must apply a different API Scope.
      The following is a list of API Scopes required for ER2 to work with each G Suite service:

      G Suite service API Scope
      All (required) https://www.googleapis.com/auth/admin.directory.user.readonly
      Google Mail https://mail.google.com/
      Google Drive https://www.googleapis.com/auth/drive.readonly
      Google Tasks https://www.googleapis.com/auth/tasks.readonly
      Google Calendar https://www.googleapis.com/auth/calendar.readonly
    3. Click Authorize.

Set up G Suite as Target

  1. Configure G Suite Account.
  2. From the New Scan page, Add Targets.
  3. In the Select Target Type dialog box, click on G Suite and select one of the following G Suite products:
    • Google Drive
    • Google Tasks
    • Google Calendar
    • Google Mail
  4. Fill in the following fields:
    Dialog box to configure the path, credentials and proxy agent for a G Suite Target.

    Field Description
    G Suite Domain

    Enter the G Suite domain you want to scan in the G Suite Domain field.

    For more information on how to scan specific mailboxes or accounts, see Edit G Suite Target Path.

    New Credential Label Enter a descriptive label for the credential set.
    New Username

    Enter your G Suite administrator account email address.

    New Password Enter your Service account ID, e.g. service-account-name-14@adventurer-140703.iam.gserviceaccount.com
    Private Key Upload the P12 key associated with your Service account ID.
    Agent to act as a proxy host Select a Proxy Agent host with direct Internet access.
  5. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  6. Click Commit to add the Target.

Edit G Suite Target Path

  1. Set up G Suite as Target.
  2. In the Select Locations section, select the G Suite Target location and click Edit.
  3. In the Edit G Suite Location dialog box, enter a (case sensitive) Path to scan. Use the following syntax:

    Path Syntax
    User account <user_name>
    Folder in user account <user_name/folder_name>
  4. Click Test and then Commit to save the path to the Target location.