Enterprise Recon 2.6.0

G Suite

This section covers the following topics:

Overview

The instructions here work for setting up the following G Suite products as Targets:

  • Google Drive
  • Google Tasks
  • Google Calendar
  • Google Mail

To set up G Suite products as Targets:

  1. Configure G Suite Account
  2. Set Up and Scan a G Suite Target

To scan a specific path in G Suite, see Edit G Suite Target Path.

Licensing

For Sitewide Licenses, all scanned G Suite Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, G Suite Targets require Client Licenses, and consume data from the Client License data allowance limit.

See Target Licenses for more information.

Requirements

Requirements Description
Proxy Agent
  • Proxy Agent host with direct Internet access.
Recommended Proxy Agents:
  • Windows Agent with database runtime components
  • Windows Agent
  • Linux Agent with database runtime components
  • Linux Agent
  • macOS Agent
TCP Allowed Connections Port 443

Configure G Suite Account

Before you add G Suite products as Targets, you must have:

  • A G Suite administrator account for the Target G Suite domain.
  • A G Suite account. Personal Google accounts are not supported in ER2.

To configure your G Suite account for scanning:

Select a Project

  1. Log in to the Google API Console.
  2. From the projects list, select a project to scan with ER2.
    Select project in Google Cloud Console
    1. Select an existing project, or
    2. (recommended) Create a new project.

Enable APIs

To scan a specific G Suite product, enable the API for that product in your selected project.

To enable G Suite APIs:

  1. Select a Project.
  2. In the APIs & Services page, click + ENABLE APIS AND SERVICES.
  3. In the API Library page, search for and click ENABLE for the following APIs:

    Target G Suite Product API Library
    All Admin SDK API
    Google Mail Gmail API
    Google Drive Google Drive API
    Google Tasks Tasks API
    Google Calendar Google Calendar API

Create a Service Account

Before adding G Suite products as a Target, you must create a Google service account for use with ER2. The service account must have the required permissions to allow ER2 to authenticate and access (scan) the resources in your G Suite workspace.

To create a service account for use with ER2:

  1. Log in to the Google Cloud Console.
  2. From the projects list, select the project that you want to scan with ER2.
    Select project in Google Cloud Console
  3. Click the hamburger icon to expand the navigation menu and go to IAM & Admin > Service Accounts.
  4. Click +CLICK SERVICE ACCOUNT.
    Create service account for project in Google Cloud Console
  5. In the Service account details section, fill in the following fields:

    Field Description
    Service account name

    Enter a descriptive name for the service account.

    Example: enterprise-recon-sa

    (Optional) Service account ID

    Edit the default ID for the service account, or click the button to generate a service account ID.

    Example: enterprise-recon-sa@project-id.iam.gserviceaccount.com

    (Optional) Description Provide a description for the new service account.
  6. Click CREATE AND CONTINUE.
  7. In the Grant this service account access to the project section, click on the Select a role dropdown and select Project > Owner.
  8. Click CONTINUE and DONE.
  9. Back in the Service accounts page, click on the newly created service account.
  10. In the DETAILS tab, take down the:
    • Email for the service account (e.g. enterprise-recon-sa@project-id.iam.gserviceaccount.com). This is required when you want to Set Up and Scan a G Suite Target.
    • Unique ID (or OAuth 2 Client ID) for the service account (e.g. 123456789012345678901). This is required when you Set up Domain-Wide Delegation.
  11. In the KEYS tab, click ADD KEY > Create new key.
  12. In the Create private key for '<service account>' dialog box, select "P12" Key type and click CREATE.
  13. Save the created P12 private key file to a secure location on your computer. This is required when you want to Set Up and Scan a G Suite Target.

  14. Click Close.

Set up Domain-Wide Delegation

To allow ER2 to access your G Suite domain with the Service Account, you must set up and enable domain-wide delegation after creating a service account.

To set up domain-wide delegation:

  1. Log in to the Google Admin Console.
  2. Click the hamburger icon to expand the navigation menu and go to Security > Access and data control > API controls.
  3. Click MANAGE DOMAIN WIDE DELEGATION and Add New.
  4. In the Client ID field, enter the Unique ID or OAuth 2 Client ID (e.g. 123456789012345678901) for the service account. See Create a Service Account - Step 10 for more information.
  5. In the OAuth scopes (comma-delimited) field, enter a comma-separated list of Google API scopes for each G Suite service that you want to scan with ER2.

    G Suite service Google API OAuth 2.0 Scope
    All (required) https://www.googleapis.com/auth/admin.directory.user.readonly
    Google Mail https://mail.google.com/
    Google Drive https://www.googleapis.com/auth/drive.readonly
    Google Tasks https://www.googleapis.com/auth/tasks.readonly
    Google Calendar https://www.googleapis.com/auth/calendar.readonly

    https://www.googleapis.com/auth/admin.directory.user.readonly, https://mail.google.com/, https://www.googleapis.com/auth/drive.readonly

  6. Click Authorize.

Set Up and Scan a G Suite Target

  1. Configure G Suite Account.
  2. From the New Scan page, Add Targets.
  3. In the Select Target Type dialog box, click on G Suite and select one of the following G Suite products:
    • Google Drive
    • Google Tasks
    • Google Calendar
    • Google Mail
  4. Fill in the following fields:
    Dialog box to configure the path, credentials and proxy agent for a G Suite Target.

    Field Description
    G Suite Domain

    Enter the G Suite domain you want to scan.

    For more information on how to scan specific mailboxes or accounts, see Edit G Suite Target Path.

    New Credential Label Enter a descriptive label for the G Suite credential set.
    New Username

    Enter your G Suite administrator account email address.

    Example: admin@example.com

    New Password

    Enter your G Suite service account email address.

    Example: enterprise-recon-sa@project-id.iam.gserviceaccount.com

    See Create a Service Account - Step 10 for more information.

    Private Key

    Upload the private key (*.p12) associated with the G Suite service account.

    See Create a Service Account - Step 13 for more information.

    Agent to act as a proxy host Select a Proxy Agent host with direct Internet access.
  5. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  6. Click Commit to add the Target.
  7. (Optional) On the Select Locations page, probe the Target to browse and select specific Target locations to scan.

  8. Click Next.
  9. On the Select Data Types page, select the Data Type Profiles to be included in your scan and click Next.
  10. On the Set Schedule page, configure the parameters for your scan. See Set Schedule for more information.

  11. Click Next.
  12. On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.

Edit G Suite Target Path

  1. Set Up and Scan a G Suite Target.
  2. In the Select Locations section, select the G Suite Target location and click Edit.
  3. In the Edit G Suite Location dialog box, enter a (case sensitive) Path to scan. Use the following syntax:

    Path Syntax
    User account <user_name>
    Folder in user account <user_name/folder_name>
  4. Click Test and then Commit to save the path to the Target location.