Enterprise Recon 2.6.0
G Suite
This section covers the following topics:
- Overview
- Licensing
- Requirements
- Configure G Suite Account
- Set Up and Scan a G Suite Target
- Edit G Suite Target Path
Overview
The instructions here work for setting up the following G Suite products as Targets:
- Google Drive
- Google Tasks
- Google Calendar
- Google Mail
To set up G Suite products as Targets:
To scan a specific path in G Suite, see Edit G Suite Target Path.
Licensing
For Sitewide Licenses, all scanned G Suite Targets consume data from the Sitewide License data allowance limit.
For Non-Sitewide Licenses, G Suite Targets require Client Licenses, and consume data from the Client License data allowance limit.
See Target Licenses for more information.
Requirements
Requirements | Description |
---|---|
Proxy Agent | |
TCP Allowed Connections | Port 443 |
Configure G Suite Account
Before you add G Suite products as Targets, you must have:
- A G Suite administrator account for the Target G Suite domain.
- A G Suite account. Personal Google accounts are not supported in ER2.
To configure your G Suite account for scanning:
Select a Project
- Log in to the Google API Console.
- From the projects list, select a project to scan with ER2.
- Select an existing project, or
- (recommended) Create a new project.
Enable APIs
To scan a specific G Suite product, enable the API for that product in your selected project.
To enable G Suite APIs:
- Select a Project.
- In the APIs & Services page, click + ENABLE APIS AND SERVICES.
- In the API Library page, search for and click ENABLE for the following APIs:

Target G Suite Product | API Library |
---|---|
All | Admin SDK API |
Google Mail | Gmail API |
Google Drive | Google Drive API |
Google Tasks | Tasks API |
Google Calendar | Google Calendar API |
Create a Service Account
Before adding G Suite products as a Target, you must create a Google service account for use with ER2. The service account must have the required permissions to allow ER2 to authenticate and access (scan) the resources in your G Suite workspace.
To create a service account for use with ER2:
- Log in to the Google Cloud Console.
- From the projects list, select the project that you want to scan with ER2.
- Click the hamburger icon to expand the navigation menu and go to IAM & Admin > Service Accounts.
- Click + CREATE SERVICE ACCOUNT.
- In the Service account details section, fill in the following fields:

Field | Description |
---|---|
Service account name | Enter a descriptive name for the service account. Example: enterprise-recon-sa |
(Optional) Service account ID | Edit the default ID for the service account, or click the button to generate a service account ID. Example: enterprise-recon-sa@project-id.iam.gserviceaccount.com |
(Optional) Description | Provide a description for the new service account. |

- Click CREATE AND CONTINUE.
- In the Grant this service account access to the project section, click on the Select a role dropdown and select Project > Owner.
- Click CONTINUE and DONE.
- Back in the Service accounts page, click on the newly created service account.
- In the DETAILS tab, note down the:
- Email for the service account (e.g. enterprise-recon-sa@project-id.iam.gserviceaccount.com). This is required when you want to Set Up and Scan a G Suite Target.
- Unique ID (or OAuth 2 Client ID) for the service account (e.g. 123456789012345678901). This is required when you Set up Domain-Wide Delegation.
- In the KEYS tab, click ADD KEY > Create new key.
- In the Create private key for '<service account>' dialog box, select "P12" Key type and click CREATE.
- Save the created P12 private key file to a secure location on your computer. This is required when you want to Set Up and Scan a G Suite Target.
  The dialog box displays the private key's password: notasecret. ER2 does not need you to remember this password.
- Click Close.
Set up Domain-Wide Delegation
To allow ER2 to access your G Suite domain with the Service Account, you must set up and enable domain-wide delegation after creating a service account.
To set up domain-wide delegation:
- Log in to the Google Admin Console.
- Click the hamburger icon to expand the navigation menu and go to Security > Access and data control > API controls.
- Click MANAGE DOMAIN WIDE DELEGATION and Add New.
- In the Client ID field, enter the Unique ID or OAuth 2 Client ID (e.g. 123456789012345678901) for the service account. See Create a Service Account - Step 10 for more information.
- In the OAuth scopes (comma-delimited) field, enter a comma-separated list of Google API scopes for each G Suite service that you want to scan with ER2.

G Suite service | Google API OAuth 2.0 Scope |
---|---|
All (required) | https://www.googleapis.com/auth/admin.directory.user.readonly |
Google Mail | https://mail.google.com/ |
Google Drive | https://www.googleapis.com/auth/drive.readonly |
Google Tasks | https://www.googleapis.com/auth/tasks.readonly |
Google Calendar | https://www.googleapis.com/auth/calendar.readonly |

Example: https://www.googleapis.com/auth/admin.directory.user.readonly, https://mail.google.com/, https://www.googleapis.com/auth/drive.readonly
- Click Authorize.
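The scope entry from the steps above can be checked before it is authorized. The following Python sketch is an added example, not part of Enterprise Recon or any Google tooling: it builds the field value for the products being scanned and reports granted scopes that are missing, unneeded, unrecognized or not read-only. The function names are hypothetical; the scope URLs are the ones listed above.

```python
# Added example (not Ground Labs or Google code). Scope values are copied from
# the page's scope list; function and variable names are hypothetical.
REQUIRED = "https://www.googleapis.com/auth/admin.directory.user.readonly"
PRODUCT_SCOPES = {
    "Google Mail": "https://mail.google.com/",
    "Google Drive": "https://www.googleapis.com/auth/drive.readonly",
    "Google Tasks": "https://www.googleapis.com/auth/tasks.readonly",
    "Google Calendar": "https://www.googleapis.com/auth/calendar.readonly",
}


def build_scope_field(products):
    """Return the comma-delimited value for the OAuth scopes field."""
    unknown = [p for p in products if p not in PRODUCT_SCOPES]
    if unknown:
        raise ValueError(f"not a G Suite product from the list: {unknown}")
    # dict.fromkeys() drops repeated products while keeping their order.
    scopes = [REQUIRED] + [PRODUCT_SCOPES[p] for p in dict.fromkeys(products)]
    return ", ".join(scopes)


def audit_scope_field(field, products):
    """Compare an entered scope list with what the chosen products need."""
    entered = [s.strip() for s in field.split(",") if s.strip()]
    wanted = {REQUIRED} | {PRODUCT_SCOPES[p] for p in products}
    known = {REQUIRED} | set(PRODUCT_SCOPES.values())
    return {
        # Scopes the scan needs but the delegation entry lacks.
        "missing": sorted(wanted - set(entered)),
        # Listed on the page, but for a product that is not being scanned.
        "unneeded": sorted((set(entered) & known) - wanted),
        # Not in the page's list at all: review before authorizing.
        "unrecognized": sorted(set(entered) - known),
        # Granted scopes that are not read-only (no ".readonly" suffix).
        "not_readonly": sorted({s for s in entered if not s.endswith(".readonly")}),
        "duplicates": sorted({s for s in entered if entered.count(s) > 1}),
    }


if __name__ == "__main__":
    # Constructed input: Mail and Drive are scanned, but Calendar was also granted.
    entry = build_scope_field(["Google Mail", "Google Drive", "Google Calendar"])
    print(audit_scope_field(entry, ["Google Mail", "Google Drive"]))
```

The `not_readonly` list will always include https://mail.google.com/ when Google Mail is scanned, because that is the scope the page specifies for mail and it carries no `.readonly` suffix.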
Set Up and Scan a G Suite Target
- Configure G Suite Account.
- From the New Scan page, Add Targets.
- In the Select Target Type dialog box, click on G Suite and select one of the following G Suite products:
- Google Drive
- Google Tasks
- Google Calendar
- Google Mail
- Fill in the following fields:

Field | Description |
---|---|
G Suite Domain | Enter the G Suite domain you want to scan. If your G Suite administrator email is admin@example.com, your G Suite domain is example.com. For more information on how to scan specific mailboxes or accounts, see Edit G Suite Target Path. |
New Credential Label | Enter a descriptive label for the G Suite credential set. |
New Username | Enter your G Suite administrator account email address. Example: admin@example.com. Use the same administrator account used to Enable APIs and Set up Domain-Wide Delegation. |
New Password | Enter your G Suite service account email address. Example: enterprise-recon-sa@project-id.iam.gserviceaccount.com. See Create a Service Account - Step 10 for more information. |
Private Key | Upload the private key (*.p12) associated with the G Suite service account. See Create a Service Account - Step 13 for more information. |
Agent to act as a proxy host | Select a Proxy Agent host with direct Internet access. |

- Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
- Click Commit to add the Target.
- (Optional) On the Select Locations page, probe the Target to browse and select specific Target locations to scan.
- Click Next.
- On the Select Data Types page, select the Data Type Profiles to be included in your scan and click Next.
- On the Set Schedule page, configure the parameters for your scan. See Set Schedule for more information.
- Click Next.
- On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.
Edit G Suite Target Path
- Set Up and Scan a G Suite Target.
- In the Select Locations section, select the G Suite Target location and click Edit.
- In the Edit G Suite Location dialog box, enter a (case sensitive) Path to scan. Use the following syntax:

Path | Syntax |
---|---|
User account | <user_name> |
Folder in user account | <user_name/folder_name> |

To scan the user mailbox at user_name@example.com, enter user_name. To scan the "Inbox" folder in the user mailbox user_name@example.com, enter user_name/inbox; to scan the "Sent Mail" folder, enter user_name/sent.
- Click Test and then Commit to save the path to the Target location.