Activating Google Workspace (Gmail and Google Drive)

Prerequisites

To activate Google Workspace, you need:

  • Administrator access to activate Google Workspace.

  • An additional Google Workspace license to integrate with Harmony Email & Collaboration. (Integration is not supported for clients on the free G-Suite license tiers.)

  • The minimum supported SaaS license. See Minimum License Requirements to Activate SaaS Applications.

  • If you use GCDS (Google Cloud Directory Sync) to synchronize your user groups on-premises and in the cloud, before activating Google Workspace, you must create exclusion rules for these user groups:

    • check_point_inline_policy

    • check_point_inline_outgoing_policy

    • check_point_monitor_policy

    • check_point_monitor_outgoing_policy

    For more information, see User Groups.

By default, the Google Chrome browser authenticates the signed-in Chrome user in Google Workspace instead of a selected account. To see if you are signed in to Google Chrome, look for the user name in the browser's top-right corner.

Possible workarounds:

  • Perform the Google Workspace activation using a non-Chrome browser.

  • Sign out (switch to Guest) any logged-in Chrome user before you continue.

While onboarding Google Workspace (Gmail / Google Drive), Harmony Email & Collaboration creates a service user (cloud-sec-av@[domain]) in the root organizational unit.

Before onboarding, make sure that these settings are selected in your Google Admin console.

  • Go to Authentication Settings of the root organizational unit and check these settings.

    • The Allow users to turn on 2-Step Verification check-box is selected.

    • If the Only security key option is selected, do not select the Don’t allow users to generate security codes option.

Notes:

If the Authentication Settings are not supported, onboarding fails. To resolve this issue, do one of these.

  • If you want to keep the unsupported Authentication Settings of your root organizational unit, move the service user (cloud-sec-av@[domain]) to an organizational unit with the supported Authentication Settings. Then, start onboarding Gmail or Google Drive again.

  • Create a new dedicated organizational unit with the supported Authentication Settings and move the service user (cloud-sec-av@[domain]) to the organizational unit. Then, start onboarding Gmail or Google Drive again.

Activating Gmail

This tutorial demonstrates how to activate protection for Gmail with Harmony Email & Collaboration. Log in to Infinity Portal and access the Harmony Email & Collaboration Administration Portal.

If Gmail is the first product you are onboarding to Harmony Email & Collaboration, the Welcome page appears. If you already have a contract purchased from Check Point, click Already have a contract and follow the on-screen instructions to add your User Center account. Otherwise, click Start free trial. By default, the trial is for 14 days and you can access all the features. If the Welcome to Check Point page appears, click Let's get started and, in the SaaS selection page that appears, click Start for Gmail.

If you have already onboarded another SaaS application with Harmony Email & Collaboration, the Overview page appears. Click Security Settings and then click SaaS Applications. Click Start for Gmail.

In the confirmation pop-up that appears, click Start to confirm. Select the mode of installation. Check Point recommends using Automatic mode, which provides better maintenance management and a smoother user experience. Click OK to confirm.

You are now redirected to the Google login page. Follow the on-screen instructions and sign in with Google Global administrator credentials. After successful authentication to Google Workspace, you will be redirected to the Harmony Email & Collaboration application installation page. Click Admin Install. In the confirmation pop-up that appears, click Continue. Review the permissions and select Everyone at your organization. Select the terms of service and click Next. After successful installation of the application, a confirmation pop-up appears. Click Done.

Now that the application is installed successfully, the Gmail group selection pop-up appears. To protect all the users in the organization, select All Organization. To protect a specific group of users, select Specific group, enter the group name, and then click OK.

Gmail SaaS is enabled and Harmony Email & Collaboration starts monitoring for security events to prevent threats. You must change the policy protection mode. To do that, from the left navigation panel, click Policy. Expand Google Mail and click the default threat protection. Select the policy protection mode as Prevent Inline. Scroll down and click Save and Apply. Now that the policy protection mode is changed to Prevent Inline, Harmony Email & Collaboration starts taking preventive actions.

To activate Gmail:

  1. Navigate to Security Settings > SaaS Applications.

  2. Click Start for Gmail.

  3. Select the mode of operation:

    • Automatic mode

      Harmony Email & Collaboration performs the necessary configurations to your Google Workspace environment and operates in Monitor only mode.

    • Manual mode

      You must manually configure the necessary settings in the Google Admin Console before linking the application to your Gmail account and every time you add or edit the security policy associated with emails.

    Note - Check Point recommends using Automatic mode for better maintenance and management and a smoother user experience. Before using the Manual mode, contact Check Point Support to help resolve any issues raised with the Automatic mode for onboarding.

  4. Enable the I Accept Terms Of Service checkbox and click OK.

  5. In the Google Workspace window that appears, sign in with Google administrator credentials.

  6. After successful authentication, you will be redirected to the Harmony Email & Collaboration application installation page.

    Click Admin Install.

  7. In the Admin install pop-up that appears, click Continue.

  8. Review the permissions requested by Harmony Email & Collaboration application. Select Everyone at your organization, accept the terms of services, and click Finish.

  9. In the confirmation pop-up that appears after the Harmony Email & Collaboration application completes the installation, click Done.

    The Gmail - Group Selection pop-up appears.

  10. To protect all users in your organization, select All Organization and click OK.

  11. To protect specific users in your organization, select Specific group, enter the group name and click OK.

    Note - The group name must have an associated email address.

    Harmony Email & Collaboration enables the Gmail SaaS application and starts monitoring for security events.

Activating Google Drive

To activate Google Drive:

  1. Navigate to Security Settings > SaaS Applications.

  2. Click Start for Google Drive.

  3. Log in to the Google Workspace Marketplace using your Google administrator credentials.

     

  4. If the Check Point Cloud Security app is already installed from Google Workspace Marketplace, after successful authentication, Harmony Email & Collaboration starts scanning the Google Drive of users.

    If not, continue from step 3 in Activating Gmail.

Note - After activating Google Drive, Harmony Email & Collaboration performs a retroactive scan of its content. For more information, see Onboarding Next Steps.

For more details about automatic configuration on Google Workspace, see Google Workspace Footprint.

Google Workspace Footprint

After activating Google Workspace (Gmail and Google Drive), Harmony Email & Collaboration automatically creates a Super Admin, host (mail route), inbound gateway, SMTP relay service, two user groups, and four content compliance rules.

Super Admin

While installing the Check Point Cloud Security app, a new Super Admin user account is created in your Google Admin console.

The Super Admin user has an email address in the cloud-sec-av@[domain] format and is sometimes referred to as the Check Point Service User.

This user requires a Gmail license. For more details about the Super Admin role, see Pre-built administrator roles.

What is the Super Admin User Used For?

Harmony Email & Collaboration uses the Super Admin user to perform tasks that cannot be accomplished with the Google APIs.

Harmony Email & Collaboration uses the Super Admin user to do these tasks:

Super Admin Security

The password of the Super Admin contains 43 random characters, a mix of lower case letters, upper case letters, and digits. The password is safely stored in AWS Key Management Service (AWS KMS).

Check Point also recommends enabling Multi-Factor Authentication (MFA) to enhance security for this account.

Changing the Google Application Role

After successfully onboarding the Google Workspace SaaS application to Harmony Email & Collaboration, the administrator can change the role assigned to the Check Point application. To do that:

  1. Sign in to your Google Admin console with an account with super administrator privileges.

  2. Create a custom admin role. For more information, see Google Documentation.

  3. Assign these privileges to the role:

    1. In the Admin console privileges:

      1. Assign Settings privilege to Gmail.

      2. Assign Groups privilege.

    2. In the Admin API privilege, assign Groups privilege.

  4. Search for the Cloud-Sec-AV Service Admin role and do these:

    1. Unassign the Super Admin role. For more information, see Google Documentation.

    2. Assign the custom admin role created in step 2. For more information, see Google Documentation.

User Groups

After activating Google Workspace, Harmony Email & Collaboration automatically creates these user groups.

  • check_point_inline_policy

  • check_point_inline_outgoing_policy

  • check_point_monitor_policy

  • check_point_monitor_outgoing_policy

You can view these user groups under Groups in your Google Admin console.

Note - If you use GCDS (Google Cloud Directory Sync) to synchronize your user groups on-premises and in the cloud, the synchronization triggers the deletion of these Check Point groups. Though this will not impact the email delivery, Harmony Email & Collaboration cannot scan the emails, and no security events get generated.

Before activating Google Workspace, you must create exclusion rules for these user groups. Select the exclusion type as Group Email Address, match type as Exact Match, and the group email address should be in the groupname@[domain] format.

For example, the group email addresses should be check_point_inline_policy@mycompany.com and check_point_monitor_policy@mycompany.com, where mycompany is the name of your company.

Note - If you have activated Google Workspace without creating exclusion rules, contact Check Point Support.
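
An added example (not Check Point or Google code) that checks a list of GCDS exclusion rules against the requirement above before activation. The rule dictionaries and their keys (type, match, value) are a hypothetical, hand-transcribed format and the sample rules are constructed; as a conservative assumption, a value that differs only in case or whitespace is reported rather than accepted.

```python
# Added example: audit GCDS exclusion rules for the four Check Point groups.
# The rule format (dicts with "type", "match", "value") is hypothetical.
CHECK_POINT_GROUPS = (
    "check_point_inline_policy",
    "check_point_inline_outgoing_policy",
    "check_point_monitor_policy",
    "check_point_monitor_outgoing_policy",
)
MISSING = "no exclusion rule for this address"
INEXACT = "rule value differs in case or whitespace; re-enter it exactly"
WRONG_KIND = "rule is not Group Email Address / Exact Match"

def _is_required_kind(rule):
    # The page requires exclusion type Group Email Address with Exact Match.
    return (rule.get("type") == "Group Email Address"
            and rule.get("match") == "Exact Match")

def audit_exclusions(domain, rules):
    """Return {group_address: finding} for each group GCDS could still delete."""
    findings = {}
    domain = domain.strip().lower()
    for group in CHECK_POINT_GROUPS:
        address = f"{group}@{domain}"  # groupname@[domain] format
        exact = [r for r in rules if r.get("value") == address]
        loose = [r for r in rules
                 if str(r.get("value", "")).strip().lower() == address]
        if not loose:
            findings[address] = MISSING
        elif not exact:
            findings[address] = INEXACT
        elif not any(_is_required_kind(r) for r in exact):
            findings[address] = WRONG_KIND
    return findings

# Constructed sample rules: one correct, three with different mistakes.
SAMPLE_RULES = [
    {"type": "Group Email Address", "match": "Exact Match",
     "value": "check_point_inline_policy@mycompany.com"},
    {"type": "Group Email Address", "match": "Exact Match",
     "value": "Check_Point_Monitor_Policy@MyCompany.com "},
    {"type": "Group Email Address", "match": "Substring Match",
     "value": "check_point_inline_outgoing_policy@mycompany.com"},
    {"type": "Group Name", "match": "Exact Match",
     "value": "check_point_monitor_outgoing_policy"},
]

if __name__ == "__main__":
    for address, finding in audit_exclusions("mycompany.com", SAMPLE_RULES).items():
        print(f"{address}: {finding}")
```

An empty result means all four groups are covered by a conforming rule.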

Host

Harmony Email & Collaboration automatically creates a host (aka mail route) in your Google Admin console. You can see the host from the Google Admin Console under Apps > G Suite > Settings for Gmail > Hosts.

Note - By default, the Require mail to be transmitted via a secure (TLS) connection (Recommended) checkbox is selected. To disable it, contact Check Point Support.

Inbound Gateway

Harmony Email & Collaboration automatically creates an Inbound gateway. You can see the inbound gateway from the Google Admin console under Apps > G Suite > Settings for Gmail > Advanced Settings.

SMTP Relay Service

Harmony Email & Collaboration automatically creates an SMTP relay service. You can see the SMTP relay service from your Google Admin console under Apps > G Suite > Settings for Gmail > Advanced Settings.

Content Compliance Rules

Harmony Email & Collaboration automatically creates three Content Compliance Rules. You can review the content compliance rules from your Google Admin console under Apps > G Suite > Settings for Gmail > Advanced Settings. The rules are called:

  • [tenantname]_monitor_ei

  • [tenantname]_monitor_ii

  • [tenantname]_monitor_eo

  • [tenantname]_inline_ei

where ei stands for incoming traffic, ii stands for internal traffic, and eo stands for outgoing traffic.

Note - The [tenantname]_inline_ei rule gets created when the Protect (Inline) mode is enabled. If you remove the Protect (Inline) mode for users in Harmony Email & Collaboration, the Content Compliance Rule remains in the Google Admin console but the content of the user group check_point_inline_rule gets updated to reflect that no users are protected in this mode.

Google Drive Permissions Changes

Depending on the Google Drive policy configured by the administrator, Harmony Email & Collaboration takes action (quarantine, remove permissions) on the files uploaded to Google Drive.

Harmony Email & Collaboration uses different users to take these actions depending on whether the Drive containing the file has an owner.

  • If Google Drive has an owner, Harmony Email & Collaboration takes the action on behalf of the owner.

  • If Google Drive does not have an owner, Harmony Email & Collaboration follows this procedure:

    1. Harmony Email & Collaboration adds the Super Admin user as an owner of the Drive.

    2. Harmony Email & Collaboration uses the Super Admin user to take the necessary action on the file.

    3. Harmony Email & Collaboration removes the Super Admin user from being the owner of the Drive.