Activating Google Workspace (Gmail and Google Drive)

Prerequisites

To activate Google Workspace, you must have these:

  • You must have Administrator access to activate Google Workspace.

  • An additional Google Workspace license for the Avanan service user (cloud-sec-av@[domain]). Integration is not supported for clients on the free G-Suite license tiers.

  • You have the minimum supported SaaS license. See Minimum License Requirements to Activate SaaS Applications.

  • If you use GCDS (Google Cloud Directory Sync) to synchronize your user groups on-premises and in the cloud, you must create exclusion rules for these user groups before activating Google Workspace. Otherwise the next synchronization deletes the groups that Avanan creates and email scanning stops.

    • avanan_inline_policy

    • avanan_inline_outgoing_policy

    • avanan_monitor_policy

    • avanan_monitor_outgoing_policy

    For more information, see User Groups.

By default, Google Chrome authenticates to Google Workspace as the account signed in to the browser profile, not as the administrator account you intend to select during activation. To see if you are signed in to Google Chrome, look for the user name in the browser's top-right corner.

Possible workarounds:

  • Perform the Google Workspace activation using a non-Chrome browser.

  • Sign out of any Chrome profile (or switch to a Guest window) before you continue.

While onboarding Google Workspace (Gmail / Google Drive), Avanan creates a service user (cloud-sec-av@[domain]) in the root organizational unit.

Before onboarding, make sure that these settings are selected in your Google Admin console.

  • Go to Authentication Settings of the root organizational unit and check these settings.

    • The Allow users to turn on 2-Step Verification check-box is selected.

    • If the Only security key option is selected, do not select the Don’t allow users to generate security codes option.

Notes:

If the Authentication Settings of the root organizational unit do not match the settings above, onboarding fails. To resolve this issue, do one of these.

  • If you want to keep the unsupported Authentication Settings of your root organizational unit, move the service user (cloud-sec-av@[domain]) to an organizational unit with the supported Authentication Settings. Then, start onboarding Gmail or Google Drive again.

  • Create a new dedicated organizational unit with the supported Authentication Settings and move the service user (cloud-sec-av@[domain]) to the organizational unit. Then, start onboarding Gmail or Google Drive again.

Activating Gmail

To activate Gmail:

  1. Navigate to Security Settings > SaaS Applications.

  2. Click Start for Gmail.

  3. Select the mode of operation:

    • Automatic mode

      Avanan performs the necessary configurations to your Google Workspace environment and operates in Monitor only mode.

    • Manual mode

      You must manually configure the necessary settings in the Google Admin Console before linking the application to your Gmail account and every time you add or edit the security policy associated with emails.

    Note - Avanan recommends using Automatic mode for better maintenance and management and a smoother user experience. Before using the Manual mode, contact Avanan Support to help resolve any issues raised with the Automatic mode for onboarding.

  4. Select the I Accept Terms Of Service checkbox and click OK.

  5. In the Google Workspace window that appears, sign in with Google administrator credentials.

  6. After successful authentication, you will be redirected to the Avanan application installation page.

    Click Admin Install.

  7. In the Admin install pop-up that appears, click Continue.

  8. Review the permissions requested by the Avanan application. Select Everyone at your organization, accept the terms of service, and click Finish.

  9. In the confirmation pop-up that appears after the Avanan application completes the installation, click Done.

    The Gmail - Group Selection pop-up appears.

  10. To protect all users in your organization, select All Organization and click OK.

  11. To protect only specific users in your organization, select Specific group, enter the group name, and click OK.

    Note - The group name must have an associated email address.

    Avanan enables the Gmail SaaS application and starts monitoring for security events.

Activating Google Drive

To activate Google Drive:

  1. Navigate to Security Settings > SaaS Applications.

  2. Click Start for Google Drive.

  3. Log in to the Google Workspace Marketplace using your Google administrator credentials.

  4. If the Avanan Cloud Security app is already installed from the Google Workspace Marketplace, Avanan starts scanning the users' Google Drive as soon as authentication succeeds.

    If not, continue from step 3 in Activating Gmail.

Note - After activating Google Drive, Avanan performs retroactive scan of its content. For more information, see Onboarding Next Steps.

For more details about automatic configuration on Google Workspace, see Google Workspace Footprint.

Google Workspace Footprint

After Activating Google Workspace (Gmail and Google Drive), Avanan automatically creates a Super Admin, a host (mail route), an inbound gateway, an SMTP relay service, two user groups, and up to four content compliance rules (three at activation, plus one when Protect (Inline) mode is enabled).

Super Admin

While installing the Avanan Cloud Security app, a new Super Admin user account is created in your Google Admin console.

The Super Admin user has an email address in the cloud-sec-av@[domain] format and is sometimes referred to as the Avanan Service User.

This user requires a Gmail license. For more details about the Super Admin role, see Pre-built administrator roles.

What is the Super Admin User Used For?

Avanan uses the Super Admin user for tasks that cannot be accomplished through the Google APIs. One such task described on this page is acting on files in a Google Drive that has no owner (see Google Drive Permissions Changes).

Super Admin Security

The password of the Super Admin user is 43 random characters drawn from lower case letters, upper case letters, and digits. The password is stored encrypted with AWS Key Management Service (AWS KMS).

Avanan also recommends enabling Multi-Factor Authentication (MFA) on this account.
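To see why 43 characters from that alphabet is a sensible length, here is an added Python example (written for this page, not Avanan's own code) that generates a password of the same shape with the operating system's CSPRNG and computes its entropy. The alphabet and length follow the description above; the function names and the 256-bit target are assumptions made for the illustration.

```python
"""Generate and measure a service-user password of the shape described above.

Added example: not Avanan's code. The only page-supported facts are the
character classes (lower, upper, digits) and the length (43); the 256-bit
target and all names below are assumptions for this illustration.
"""
import math
import secrets
import string

# 26 + 26 + 10 = 62 symbols, matching the character classes in the text.
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits
PASSWORD_LENGTH = 43


def generate_password(length: int = PASSWORD_LENGTH, alphabet: str = ALPHABET) -> str:
    """Return `length` characters chosen uniformly from `alphabet`.

    secrets.choice draws from the OS CSPRNG, so each position contributes
    log2(len(alphabet)) bits and no position depends on another.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy, in bits, of a uniformly random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose uniform strings carry at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def conforms(password: str, length: int = PASSWORD_LENGTH, alphabet: str = ALPHABET) -> bool:
    """True if the password has the expected length and uses only the allowed alphabet."""
    return len(password) == length and all(c in alphabet for c in password)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, conforms(pw))
    # 43 symbols from a 62-symbol alphabet give just over 256 bits; 42 would fall short.
    print(round(entropy_bits(PASSWORD_LENGTH, len(ALPHABET)), 2))
    print(min_length_for_bits(256, len(ALPHABET)))
```

The arithmetic is the point: 43 is the smallest length at which a 62-symbol alphabet reaches 256 bits of entropy, so online or offline guessing is not a realistic attack on this credential. What remains exposed is wherever the secret is decrypted and used, which is why the MFA recommendation above and the role reduction described in the next section deserve attention.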

Changing the Google Application Role

After successfully onboarding the Google Workspace SaaS application to Avanan, the administrator can change the role assigned to the Avanan application. To do that:

  1. Sign in to your Google Admin console with an account with super administrator privileges.

  2. Create a custom admin role. For more information, see Google Documentation.

  3. Assign these privileges to the role:

    1. In the Admin console privileges:

      1. Assign Settings privilege to Gmail.

      2. Assign Groups privilege.

    2. In the Admin API privilege, assign Groups privilege.

  4. Search for the Cloud-Sec-AV Service Admin entry (the cloud-sec-av@[domain] service user) and do these:

    1. Unassign the Super Admin role. For more information, see Google Documentation.

    2. Assign the custom admin role created in step 2. For more information, see Google Documentation.

User Groups

After activating Google Workspace, Avanan automatically creates these user groups.

  • avanan_inline_policy

  • avanan_monitor_policy

You can view these user groups under Groups in your Google Admin console.

Note - If you use GCDS (Google Cloud Directory Sync) to synchronize your user groups on-premises and in the cloud, synchronization deletes these Avanan groups, because GCDS removes cloud groups that do not exist in the on-premises directory. Email delivery is not affected, but Avanan can no longer scan emails and no security events are generated.

Before activating Google Workspace, you must create a GCDS exclusion rule for each of these user groups (and for the outgoing-policy groups listed under Prerequisites, if they apply to you). Select the exclusion type Group Email Address, the match type Exact Match, and enter the group email address in the groupname@[domain] format.

For example, if your primary domain is mycompany.com, the excluded group email addresses are avanan_inline_policy@mycompany.com and avanan_monitor_policy@mycompany.com.

Note - If you have activated Google Workspace without creating exclusion rules, contact Avanan Support.

Host

Avanan automatically creates a host (also called a mail route) in your Google Admin console. You can see the host in the Google Admin console under Apps > G Suite > Settings for Gmail > Hosts (in the current console naming, Apps > Google Workspace > Gmail > Hosts).

Note - By default, the Require mail to be transmitted via a secure (TLS) connection (Recommended) checkbox is selected for this host. Clearing it allows mail between Google and the Avanan host to be relayed without TLS, so keep it selected unless you have a specific reason not to. To disable it, contact Avanan Support.

Inbound Gateway

Avanan automatically creates an Inbound gateway. You can see the inbound gateway from the Google Admin console under Apps > G Suite > Settings for Gmail > Advanced Settings.

SMTP Relay Service

Avanan automatically creates an SMTP relay service. You can see the SMTP relay service from your Google Admin console under Apps > G Suite > Settings for Gmail > Advanced Settings.

Content Compliance Rules

Avanan automatically creates three Content Compliance Rules at activation, and a fourth when Protect (Inline) mode is enabled. You can review the content compliance rules in your Google Admin console under Apps > G Suite > Settings for Gmail > Advanced Settings. The rules are called:

  • [tenantname]_monitor_ei

  • [tenantname]_monitor_ii

  • [tenantname]_monitor_eo

  • [tenantname]_inline_ei

where ei stands for incoming traffic, ii stands for internal traffic, and eo stands for outgoing traffic.

Note - The [tenantname]_inline_ei rule is created when Protect (Inline) mode is enabled. If you remove Protect (Inline) mode for users in Avanan, the Content Compliance Rule remains in the Google Admin console, but the membership of the avanan_inline_policy user group is updated to reflect that no users are protected in this mode.

Google Drive Permissions Changes

Depending on the Google Drive policy configured by the administrator, Avanan takes action (quarantine, remove permissions) on the files uploaded to Google Drive.

Avanan uses different users to take these actions depending on whether the Drive containing the file has an owner.

  • If Google Drive has an owner, Avanan takes the action on behalf of the owner.

  • If Google Drive does not have an owner, Avanan follows this procedure:

    1. Avanan adds the Super Admin user as an owner of the Drive.

    2. Avanan uses the Super Admin user to take the necessary action on the file.

    3. Avanan removes the Super Admin user from being the owner of the Drive.

    Drive audit log entries for actions taken this way are therefore attributed to the Super Admin user (cloud-sec-av@[domain]) rather than to an end user.