Enterprise Recon 2.6.1
This section covers the following topics:
- Configure G Suite Account
- Set Up and Scan a G Suite Target
- Edit G Suite Target Path
The instructions here work for setting up the following G Suite products as Targets:
- Google Drive
- Google Tasks
- Google Calendar
- Google Mail
To set up G Suite products as Targets:
To scan a specific path in G Suite, see Edit G Suite Target Path.
For Sitewide Licenses, all scanned G Suite Targets consume data from the Sitewide License data allowance limit.
For Non-Sitewide Licenses, G Suite Targets require Client Licenses, and consume data from the Client License data allowance limit.
See Target Licenses for more information.
| TCP Allowed Connections | Port 443 |
Configure G Suite Account
Before you add G Suite products as Targets, you must have:
- A G Suite administrator account for the Target G Suite domain.
- A G Suite account. Personal Google accounts are not supported in ER2.
To configure your G Suite account for scanning:
Select a Project
- Log in to the Google API Console.
- From the projects list, select a project to scan with ER2:
  - Select an existing project, or
  - (recommended) Create a new project.
To scan a specific G Suite product, enable the API for that product in your selected project.
To enable G Suite APIs:
- Select a Project.
- In the APIs & Services page, click + ENABLE APIS AND SERVICES.
- In the API Library page, search for and click ENABLE for the following APIs:

| Target G Suite Product | API Library |
|---|---|
| All | Admin SDK API |
| Google Mail | Gmail API |
| Google Drive | Google Drive API |
| Google Tasks | Tasks API |
| Google Calendar | Google Calendar API |
Create a Service Account
Before adding G Suite products as a Target, you must create a Google service account for use with ER2. The service account must have the required permissions to allow ER2 to authenticate and access (scan) the resources in your G Suite workspace.
To create a service account for use with ER2:
- Log in to the Google Cloud Console.
- From the projects list, select the project that you want to scan with ER2.
- Click the hamburger icon to expand the navigation menu and go to IAM & Admin > Service Accounts.
- Click + CREATE SERVICE ACCOUNT.
- In the Service account details section, fill in the following fields:

| Field | Description |
|---|---|
| Service account name | Enter a descriptive name for the service account. |
| (Optional) Service account ID | Edit the default ID for the service account, or click the button to generate a service account ID. |
| (Optional) Description | Provide a description for the new service account. |
- Click CREATE AND CONTINUE.
- In the Grant this service account access to the project section, click on the Select a role dropdown and select Project > Owner.
- Click CONTINUE and DONE.
- Back in the Service accounts page, click on the newly created service account.
- In the DETAILS tab, take down the:
  - Email for the service account (e.g. email@example.com). This is required when you want to Set Up and Scan a G Suite Target.
  - Unique ID (or OAuth 2 Client ID) for the service account (e.g. 123456789012345678901). This is required when you Set up Domain-Wide Delegation.
- In the KEYS tab, click ADD KEY > Create new key.
- In the Create private key for '<service account>' dialog box, select "P12" Key type and click CREATE.
- Save the created P12 private key file to a secure location on your computer. This is required when you want to Set Up and Scan a G Suite Target. The dialog box displays the private key's password: notasecret. ER2 does not need you to remember this password.
- Click Close.
Set up Domain-Wide Delegation
To allow ER2 to access your G Suite domain with the Service Account, you must set up and enable domain-wide delegation after creating a service account.
To set up domain-wide delegation:
- Log in to the Google Admin Console.
- Click the hamburger icon to expand the navigation menu and go to Security > Access and data control > API controls.
- Click MANAGE DOMAIN WIDE DELEGATION and Add New.
- In the Client ID field, enter the Unique ID or OAuth 2 Client ID (e.g. 123456789012345678901) for the service account. See Create a Service Account - Step 10 for more information.
- In the OAuth scopes (comma-delimited) field, enter a comma-separated list of Google API scopes for each G Suite service that you want to scan with ER2.

| G Suite service | Google API OAuth 2.0 Scope |
|---|---|
| All (required) | https://www.googleapis.com/auth/admin.directory.user.readonly |
| Google Mail | https://mail.google.com/ |
| Google Drive | https://www.googleapis.com/auth/drive.readonly |
| Google Tasks | https://www.googleapis.com/auth/tasks.readonly |
| Google Calendar | https://www.googleapis.com/auth/calendar.readonly |

Example: https://www.googleapis.com/auth/admin.directory.user.readonly, https://mail.google.com/, https://www.googleapis.com/auth/drive.readonly
- Click Authorize.
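To check a scope entry against the G Suite services you actually intend to scan, the following added example (not part of ER2 or its documentation) audits a comma-delimited scope string against the scope table above. The function names and the sample string are assumptions made for illustration.

```python
# Added example: audit a domain-wide delegation scope entry against the
# scope table on this page. Function and variable names are hypothetical.

REQUIRED = "https://www.googleapis.com/auth/admin.directory.user.readonly"

# Scope per G Suite service, copied from the table above.
SERVICE_SCOPES = {
    "Google Mail": "https://mail.google.com/",
    "Google Drive": "https://www.googleapis.com/auth/drive.readonly",
    "Google Tasks": "https://www.googleapis.com/auth/tasks.readonly",
    "Google Calendar": "https://www.googleapis.com/auth/calendar.readonly",
}


def parse_scope_field(field):
    """Split the comma-delimited field, dropping blanks and duplicates."""
    seen = []
    for item in field.split(","):
        scope = item.strip()
        if scope and scope not in seen:
            seen.append(scope)
    return seen


def audit_delegation(field, services):
    """Compare an entered scope list with what the chosen services need."""
    unknown = [s for s in services if s not in SERVICE_SCOPES]
    if unknown:
        raise ValueError(f"not a service from the table: {unknown}")
    granted = parse_scope_field(field)
    expected = [REQUIRED] + [SERVICE_SCOPES[s] for s in services]
    return {
        # Needed for the scan but absent from the entry.
        "missing": [s for s in expected if s not in granted],
        # Delegated but not needed by any selected service.
        "excess": [s for s in granted if s not in expected],
        # Granted scopes that are not a ".readonly" variant.
        "not_readonly": [s for s in granted if not s.endswith(".readonly")],
    }


# Constructed sample: the example entry above, audited for a Drive-only scan.
SAMPLE = ("https://www.googleapis.com/auth/admin.directory.user.readonly, "
          "https://mail.google.com/, "
          "https://www.googleapis.com/auth/drive.readonly")

if __name__ == "__main__":
    for key, scopes in audit_delegation(SAMPLE, ["Google Drive"]).items():
        print(key, scopes)
```

An empty "missing" list means the entry covers the selected services; anything under "excess" is delegated access that the selected scan does not use.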
Set Up and Scan a G Suite Target
- Configure G Suite Account.
- From the New Scan page, Add Targets.
- In the Select Target Type dialog box, click on G Suite and select one of the following G Suite products:
  - Google Drive
  - Google Tasks
  - Google Calendar
  - Google Mail
- Fill in the following fields:

| Field | Description |
|---|---|
| G Suite Domain | Enter the G Suite domain you want to scan. If your G Suite administrator email is firstname.lastname@example.org, your G Suite domain is example.com. For more information on how to scan specific mailboxes or accounts, see Edit G Suite Target Path. |
| New Credential Label | Enter a descriptive label for the G Suite credential set. |
| New Username | Enter your G Suite administrator account email address. Example: email@example.com. Use the same administrator account used to Enable APIs and Set up Domain-Wide Delegation. |
| | Enter your G Suite service account email address. See Create a Service Account - Step 10 for more information. |
| | Upload the private key (*.p12) associated with the G Suite service account. See Create a Service Account - Step 13 for more information. |
| Agent to act as a proxy host | Select a Proxy Agent host with direct Internet access. |
- Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
- Click Commit to add the Target.
- (Optional) On the Select Locations page, probe the Target to browse and select specific Target locations to scan.
- Click Next.
- On the Select Data Types page, select the Data Type Profiles to be included in your scan and click Next.
- On the Set Schedule page, configure the parameters for your scan. See Set Schedule for more information.
- Click Next.
- On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.
Edit G Suite Target Path
- Set Up and Scan a G Suite Target.
- In the Select Locations section, select the G Suite Target location and click Edit.
- In the Edit G Suite Location dialog box, enter a (case sensitive) Path to scan. Use the following syntax:

| Path | Syntax |
|---|---|
| User account | <user_name> |
| Folder in user account | <user_name/folder_name> |

To scan the user mailbox at firstname.lastname@example.org, enter user_name. To scan the "Inbox" folder in the user mailbox email@example.com, enter user_name/inbox; to scan the "Sent Mail" folder, enter user_name/sent.
- Click Test and then Commit to save the path to the Target location.