Manage Access to Unconfigured Third-Party Apps

Google has made changes to how third-party applications that utilize the Sign in with Google button can access your organization's Google data. The use of OAuth is convenient because it eliminates the need for users to create a separate username and password since Google already knows their identity. However, in certain managed environments, it may not be desirable to allow the use of Sign in with Google on all apps.

The Admin console offers settings that allow you to adjust application scopes and user restrictions based on organizational units (OUs), resulting in a list of trusted applications. Only trusted applications will be accessible to users, while others will be restricted.

For instance, by restricting third-party apps, you can ensure alignment with your organization's policies, safeguard personally identifiable information, control access to, deletion of, or copying of Google Drive data, and prevent personal activity tied to work accounts.

Timeline

October 23, 2023
As of October 2023, users identified as under 18 cannot use their Google Account to sign in to third-party apps that haven't been confirmed.

Warning: Implementing access to third-party apps in the wrong order can have significant consequences. For example, you wouldn't want to make apps used by teachers and students unavailable.

This article provides recommended best practices for managing third-party apps, including the order of operations. We will guide you through the necessary steps to take before enabling third-party apps.

What You'll Learn


In this article, you'll learn how to:

Create a communication plan

When implementing changes to third-party app access, it is crucial to anticipate the impact on users' workflows and address it through effective and repeated communication. Acknowledging this impact and addressing it in your communication will help set the right expectations and alleviate potential concerns or confusion.
Consider the following when crafting communication to your users:

  • Utilize various channels such as emails, newsletters, and announcements to reach out to your user base.
  • Clearly articulate the reasons behind the change, highlighting the importance of protecting user data, student privacy, and staff confidentiality.
  • Stress that these changes are being made to enhance security and better manage app configurations.
  • Regularly remind users of the impending deadline to encourage proactive action on their part.
  • Clearly outline the steps they need to follow to gain app approval or request approval, and ensure this information is conveyed in the initial communication.

Review scopes for Google services

Security > Access and data control > API controls ~ App access control card ~ Manage Google services

When users sign in to third-party applications using the Sign in with Google feature, you can manage how those apps can access your organization's Google data. You can impose restrictions or keep access unrestricted for various Google Workspace services. Here's a breakdown of what each option entails:

  • Unrestricted: Apps configured with a trusted or limited access setting can access data for this service.
    Note: You can leave all Google services set to Unrestricted, then manage access through the app list.
  • Restricted: Only apps configured with a trusted access setting can access data associated with this service.
    • For apps that are not trusted…: When checked, non-trusted apps can access scopes not classified as high-risk, but are still blocked from accessing high-risk scopes. Google classifies the following as high-risk: requests for access to edit a doc, edit all docs, delete docs, or send email as a user. In combination, this restricts only high-risk scopes. It is the action, not the data, that is sensitive.

For instance, if you set Calendar access as restricted, only apps configured with a trusted access setting can access Calendar data. On the other hand, apps with a limited access setting cannot access Calendar data.
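
The rules above can be read as a small decision function. The following is an added example, not part of the original article and not Google's implementation; the app names, sample policies and requests are constructed, and it assumes an app set to Blocked is denied for every service.

```python
from dataclasses import dataclass

# App access settings named in the article.
TRUSTED, LIMITED, BLOCKED = "Trusted", "Limited", "Blocked"


@dataclass(frozen=True)
class ServicePolicy:
    """Per-service setting from Manage Google services."""
    restricted: bool                   # False means Unrestricted
    allow_non_high_risk: bool = False  # the "For apps that are not trusted..." checkbox


def can_access(app_access: str, policy: ServicePolicy, high_risk_scope: bool) -> bool:
    """Return True if an app with this access setting may use a scope of the service."""
    if app_access == BLOCKED:
        return False                   # assumption: Blocked apps get no access at all
    if app_access == TRUSTED:
        return True                    # trusted apps pass both service settings
    if app_access != LIMITED:
        raise ValueError(f"unknown access setting: {app_access!r}")
    if not policy.restricted:
        return True                    # Unrestricted: limited apps may access the service
    # Restricted: limited apps get in only through the checkbox, and never for high-risk scopes.
    return policy.allow_non_high_risk and not high_risk_scope


# Constructed sample configuration.
POLICIES = {
    "Gmail": ServicePolicy(restricted=False),
    "Calendar": ServicePolicy(restricted=True),
    "Drive": ServicePolicy(restricted=True, allow_non_high_risk=True),
}

# Constructed sample requests: (app, access setting, service, high-risk scope?)
REQUESTS = [
    ("sis-sync", TRUSTED, "Drive", True),
    ("quiz-tool", LIMITED, "Drive", False),
    ("quiz-tool", LIMITED, "Drive", True),
    ("quiz-tool", LIMITED, "Calendar", False),
    ("quiz-tool", LIMITED, "Gmail", True),
    ("old-game", BLOCKED, "Gmail", False),
]


def denied(requests, policies):
    """List the (app, service, high_risk) requests the configuration would refuse."""
    return [
        (app, service, high_risk)
        for app, access, service, high_risk in requests
        if not can_access(access, policies[service], high_risk)
    ]


if __name__ == "__main__":
    for app, service, high_risk in denied(REQUESTS, POLICIES):
        kind = "high-risk" if high_risk else "non-high-risk"
        print(f"DENY {app}: {kind} scope on {service}")
```

Running a planned configuration through a model like this before changing a service to Restricted shows which Limited apps would lose access.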

To change a service’s scope:

  1. In the list of Google services, hover over a service.
    Security > Access and data control > API controls ~ App access control card ~ Manage Google services
  2. Click Change access at the left of the service.
  3. Check a checkbox for an option: Unrestricted or Restricted.
  4. Optional: When selecting Restricted, select For apps that are not trusted…, to allow access to these scopes by non trusted apps, while still blocking such apps from accessing high-risk scopes.
  5. Click Change.

Curate the list of third-party accessed apps

Security > Access and data control > API controls ~ Manage Google services ~ [Accessed apps card] View list

Accessed apps are third-party apps that have accessed Google data through default settings. These include configured and unconfigured apps. You can view details for org units that have access settings configured for an app, and you can change access for an app.

Pro Tip: The list of Accessed apps contains a Users column. This column shows you the number of users who have been asked to grant access to each third-party app. If you have numerous apps to review, consider selecting a threshold of users for apps you will configure. That could be 2 users or 12 users. Any apps with fewer users than that, you would leave unconfigured. If needed the apps left unconfigured would be subject to your app approval process per request.

Review Privacy Terms & Conditions and Terms of Service

To review an app's Privacy Terms & Conditions and Terms of Service:

  1. In the list of Accessed or Configured apps, click on the App name.
    Security > Access and data control > API controls ~ App access control card ~ Manage Google services ~ [Accessed apps card] View list ~ App name
    Security > Access and data control > API controls ~ App access control card~ Manage Google services ~ [Configured apps card] View list ~ App name
  2. At the left, click a link: Apps Privacy Terms & Conditions or Terms of Service.

View details

To view details for an app:

  1. In the list of Configured apps, hover over an app.
    Security > Access and data control > API controls ~ Manage Google services ~ [Configured apps card] View list
  2. Hover over an app.
  3. Click View details at the right of the app.
  4. After viewing the org units and configurations, click the X to close the detail fly out.

Change access

To change access for an app:

  1. In the list of Accessed or Configured apps, click on the App name.
    Security > Access and data control > API controls ~ App access control card~ Manage Google services ~ [Accessed apps card] View list ~ App name
    Security > Access and data control > API controls ~ App access control card~ Manage Google services ~ [Configured apps card] View list ~ App name
  2. Hover over an app.
  3. Click Change access at the right of the app.
  4. Change the Scope as necessary: Root or Select org units.
  5. Click Next.
  6. Select the access type this app has to Google data for users in the OU: Trusted, Limited, or Blocked.
  7. Optional: When selecting Trusted, select Allowlist for exemption from API Access blocks in context-aware access, to exempt the app from API access blocks. You’ll need to explicitly exempt the app during access level assignments to enforce the exemption.
  8. Click Next.
  9. Review the changes.
  10. Click Change Access.
  11. At the Confirm parental consent prompt, click Confirm.

Change Access in Bulk

To change access for multiple apps at once:

  1. In the list of Accessed or Configured apps, click on the App name.
    Security > Access and data control > API controls ~ App access control card~ Manage Google services ~ [Accessed apps card] View list ~ App name
    Security > Access and data control > API controls ~ App access control card~ Manage Google services ~ [Configured apps card] View list ~ App name
  2. Click Download List above the apps list.
  3. Select Comma-separated values (.csv).
  4. Click Download CSV and then open the file.
  5. Make the necessary changes in the file.
  6. Return to the Admin console and click Bulk update list above the apps list.
  7. Click Attach CSV file.
  8. Locate and select the file.
  9. Click Upload.
    See Unconfigure OAuth Apps with Bulk Update list for how to bulk update access to unconfigured

Client IDs: Add Labs tools to the trusted list of API access

Security > API Controls > App Access Control > add app

With the shift towards blocking third-party access, CDW Education Labs tools customers need to add the client IDs for the tools to the trusted list. You can search for and then select client IDs; use the list below to select the necessary IDs for each tool.

Gopher for Chrome

Gopher for Users

Gopher for Gmail

Gopher for Groups

Gopher for Drive

Backpack

Group Gator

Event-O-Matic

Little SIS for Classroom

Little Sis Premium

Local Hero

Confirm configured apps for under 18 users

The Google Workspace Terms of Service require schools to obtain parental consent for the Google services they allow students under the age of 18 to access, including Additional Services or third-party apps.

The Configure new app and Change access for 1 app steppers, in the Admin console, walk admins through Scope and access to Google data settings to confirm:

  1. What happens when users under 18 try to sign into unconfigured apps with their Google account,
    AND
  2. Individual access settings configured for third-party apps.

By clicking Confirm in the Confirm new app and Update Access steppers, schools are confirming that they have obtained parent or guardian consent for any additional services they allow students under the age of 18 to use.

Settings for unconfigured apps

By default the setting for unconfigured app access is set to Don’t allow users to access any third-party apps. When selected, users under 18 cannot access any apps until access settings are configured for the apps. Users can request access so you can configure settings as needed for each app.

Alternatively, you can select the Allow users to access third-party apps that only request basic info needed for Sign in with Google option. When selected, users under 18 can access third-party apps that request only basic information such as a user’s name, email, and profile picture.

  1. Navigate to Security > Access and data control > API Controls.
  2. Click on the Settings card to expand it.
  3. Hover over the Unconfigured third-party apps setting and click Edit at the right.
  4. Choose an option for Settings for users 18 and older.
    • (Default) Allow users to access any third-party apps
    • Allow users to access third-party apps that only request basic info needed for Sign in with Google
    • Don't allow users to access any third-party apps
  5. Choose an option for Settings for users under 18.
    • (Default) Don't allow users to access any third-party apps

      These users can request access to the app. These requests appear in the Apps pending review list in App Access Control. From here you can manage access for those apps.

      If you have your own app review and approval process, you can direct users to resources for that process via the Custom message.

    • Allow users to access third-party apps that only request basic info needed for Sign in with Google
  6. Click Save.

Settings for configured apps

In this step you are confirming unconfirmed apps.

  1. Navigate to Security > Access and data control > API controls > Manage Third-Party App Access > [Apps pending review card] ~ View list.
  2. Filter to locate the app, if necessary.
  3. Hover over an app name and click Configure Access at the right.
  4. Select the checkboxes for the OUs to configure access. 
  5. Click Configure Access.
  6. Change the Scope as necessary: Root or Select org units.
  7. Click Next.
  8. Select the access type this app has to Google data for users in the OU: Trusted, Limited, or Blocked.
  9. Optional: When selecting Trusted, select Allowlist for exemption from API Access blocks in context-aware access, to exempt the app from API access blocks. You’ll need to explicitly exempt the app during access level assignments to enforce the exemption.
  10. Click Next.
  11. Review the changes.
  12. Click Change Access.
  13. At the Confirm parental consent prompt, click Confirm.

Set the unconfigured third-party apps Admin console setting

Security > Access and data control > API controls > Settings ~ Unconfigured third-party apps

After you've configured the necessary third-party apps, you can adjust the Unconfigured third-party apps Admin console setting, which determines what happens when users try to access unconfigured third-party apps with their account.

  • For users over 18, this setting defaults to Allow users to access any third-party apps.
  • For users under 18, this setting defaults to Don’t allow users to access any third-party apps.

Selecting Don’t allow users to access any third-party apps means that users can’t access any apps until access settings are configured for the apps. Selecting this option prevents the list of third-party apps from growing while you are curating your list of trusted apps.

Plan for ongoing app approval

Security > Access and data control > API controls > Manage Third-Party App Access > [Apps pending review card] ~ View list
Security > Access and data control > API controls > Settings > Custom user message

By default, the Unconfigured third-party apps setting blocks users under 18 from accessing unconfigured apps. These users can request access to the app. These requests appear in the Apps pending review list in App Access Control. From here you can manage access for those apps.

If you have your own app review and approval process, you can direct users to resources for that process via the Custom message.

To turn on the custom user message:

  1. From API controls, click Settings.
  2. Click Custom user message.
  3. Turn the message ON.
  4. Provide information for the users to initiate your app review/approval process.
    Note: The message does not incorporate hyperlinks. For links consider a shortened URL format making it easy for your users to copy and paste the link.
  5. Click Save.

Related materials

Control access to Google services by age
Confirm your third-party app settings by October 23, 2023
Control which third-party & internal apps access Google Workspace data
Assign Context-Aware access levels to apps
Communicating with Parents and Guardians about Google Workspace for Education
