Google has made recent changes to how third-party applications that utilize the Sign in with Google button can access your organization's Google data. The use of OAuth is convenient because it eliminates the need for users to create a separate username and password since Google already knows their identity. However, in certain managed environments, it may not be desirable to allow the use of Sign in with Google on all apps.
The Admin console now offers new and existing settings that allow you to adjust application scopes and user restrictions based on organizational units (OUs), resulting in a list of trusted applications. Only trusted applications will be accessible to users, while others will be restricted.
For instance, by restricting third-party apps, you can ensure alignment with your organization's policies, safeguard personally identifiable information, control access to, deletion of, or copying of Google Drive data, and prevent personal activity tied to work accounts.
Timeline
October 23, 2023
Warning: Implementing this change in the wrong order can have significant consequences. For example, you wouldn't want to make apps used by teachers and students unavailable.
This article provides recommended best practices for managing third-party apps, including the order of operations. We will guide you through the necessary steps to take before enabling third-party apps.
In this article you'll learn how to:
When implementing changes to third-party app access, it is crucial to anticipate the impact on users' workflows and address it through effective and repeated communication. Acknowledging this impact and addressing it in your communication will help set the right expectations and alleviate potential concerns or confusion.
Consider the following when crafting communication to your users:
- Utilize various channels such as emails, newsletters, and announcements to reach out to your user base.
- Clearly articulate the reasons behind the change, highlighting the importance of protecting user data, student privacy, and staff confidentiality.
- Stress that these changes are being made to enhance security and better manage app configurations.
- Regularly remind users of the impending deadline to encourage proactive action on their part.
- Clearly outline the steps they need to follow to gain app approval or request approval, and ensure this information is conveyed in the initial communication.
Security > Access and data control > API controls ~ Manage Google services
When users sign in to third-party applications using the Sign in with Google feature, you can manage how those apps can access your organization's Google data. You can impose restrictions or keep access unrestricted for various Google Workspace services. Here's a breakdown of what each option entails:
- Unrestricted: Apps configured with a trusted or limited access setting can access data for this service.
  Note: You can leave all Google services set to Unrestricted, then manage access through the app list.
- Restricted: Only apps configured with a trusted access setting can access data associated with this service.
- For apps that are not trusted…: When checked, non-trusted apps can access scopes not classified as high-risk. Such apps are still blocked from accessing high-risk scopes. Google classifies the following requests as high-risk: access to edit a doc, edit all docs, delete docs, or send email as a user. In combination, this setting restricts only the high-risk scopes: it is the action, not the data, that is sensitive.
For instance, if you set Calendar access as restricted, only apps configured with a trusted access setting can access Calendar data. On the other hand, apps with a limited access setting cannot access Calendar data.
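The rules above, written out as a small decision model. This is an added example, not code from the original page or from Google: it encodes only what this page states, the Blocked access type comes from the app access step later in the article, and the scope labels and sample policy are constructed.

```python
# Added example: a model of the rules as this page states them, not Google's code.
from dataclasses import dataclass
from enum import Enum


class AppAccess(Enum):
    TRUSTED = "trusted"
    LIMITED = "limited"
    BLOCKED = "blocked"


@dataclass(frozen=True)
class ServicePolicy:
    restricted: bool
    # The optional "For apps that are not trusted..." checkbox on a Restricted service.
    allow_untrusted_low_risk: bool = False


@dataclass(frozen=True)
class Scope:
    service: str
    name: str        # constructed label, not a real OAuth scope string
    high_risk: bool  # e.g. edit/delete docs, send email as a user


def decide(app, policy, scope):
    """Return (allowed, reason) for one app access type, service policy and scope."""
    if app is AppAccess.BLOCKED:
        return False, "app is Blocked"
    if app is AppAccess.TRUSTED:
        return True, "app is Trusted"
    if not policy.restricted:
        return True, "Limited app, service is Unrestricted"
    if policy.allow_untrusted_low_risk and not scope.high_risk:
        return True, "Restricted service allows non-high-risk scopes"
    return False, "Restricted service: only Trusted apps"


def evaluate(app, policies, scopes):
    """Map each requested scope name to True/False under the given service policies."""
    return {s.name: decide(app, policies[s.service], s)[0] for s in scopes}


# Constructed sample policy and scope request.
POLICIES = {
    "calendar": ServicePolicy(restricted=True),
    "drive": ServicePolicy(restricted=True, allow_untrusted_low_risk=True),
    "gmail": ServicePolicy(restricted=False),
}
REQUEST = [
    Scope("calendar", "calendar.read_events", False),
    Scope("drive", "drive.view_file", False),
    Scope("drive", "drive.delete_docs", True),
    Scope("gmail", "gmail.send_as_user", True),
]

if __name__ == "__main__":
    for access in AppAccess:
        print(access.value, evaluate(access, POLICIES, REQUEST))
```

For the Limited app, the result shows the consequence of leaving a service Unrestricted: the high-risk send-as-user scope is granted, while the same kind of scope on the Restricted Drive service is denied.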
To change a service’s scope:
- In the list of Google services, hover over a service.
Security > Access and data control > API controls ~ Manage Google services
- Click Change access at the left of the service.
- Check a checkbox for an option; Unrestricted or Restricted.
- Optional: When selecting Restricted, select For apps that are not trusted…, to allow access to these scopes by non trusted apps, while still blocking such apps from accessing high-risk scopes.
- Click Change.
Security > Access and data control > API controls ~ Manage Google services ~ [Accessed apps card] View list
Accessed apps are third-party apps that have accessed Google data through default settings. These include configured and unconfigured apps. You can view details for org units that have access settings configured for an app, and you can change access for an app.
Pro Tip: The list of Accessed apps contains a Users column. This column shows you the number of users who have been asked to grant access to each third-party app. If you have numerous apps to review, consider selecting a threshold of users for apps you will configure. That could be 2 users or 12 users. Any apps with fewer users than that, you would leave unconfigured. If needed the apps left unconfigured would be subject to your app approval process per request.
Review Privacy Terms & Conditions and Terms of Service
To review an app's Privacy Terms & Conditions and Terms of Service:
- In the list of Configured apps, click on the App name.
Security > Access and data control > API controls ~ Manage Google services ~ [Accessed apps card] View list ~ App name
- In the App Info card, click a link; Apps Privacy Terms & Conditions or Terms of Service.
View details
To view details for an app:
- In the list of Configured apps, hover over an app.
Security > Access and data control > API controls ~ Manage Google services ~ [Accessed apps card] View list
- Click View details at the left of the app.
- After viewing the org units and configurations, click the X to close the detail fly out.
Change access
To change access for an app:
- In the list of Configured apps, hover over an app.
Security > Access and data control > API controls ~ Manage Google services ~ [Accessed apps card] View list
- Click Change access at the left of the app.
- Change the Scope as necessary; Root or Select org units.
- Click Next.
- Select the access type this app has to Google data for users in the OU; Trusted, Limited, Blocked.
- Optional: When selecting Trusted, select Allowlist for exemption from API Access blocks in context-aware access, to exempt the app from API access blocks. You’ll need to explicitly exempt the app during access level assignments to enforce the exemption.
- Click Next.
- Review the changes.
- Click Change Access.
Change Access in Bulk
To change access for multiple apps at once:
- In the list of Configured apps, click on the App name.
Security > Access and data control > API controls ~ Manage Google services ~ [Accessed apps card] View list ~ Download list
- Select Comma-separated values (.csv).
- Click Download CSV and then open the file.
- Make the necessary changes in the file.
- Return to the Admin console and click Bulk update list above the Configured apps list.
- Click Attach Csv file.
- Locate and select the file.
- Click Upload.
Client IDs: Add Labs tools to the trusted list of API access
Security > API Controls > App Access Control > add app
With the shift towards blocking third-party access, CDW Education Labs tools customers need to add client IDs for the tools to the trusted list. You can search for and then select client IDs; use the list below to select the necessary IDs for each tool.
Gopher for Chrome
Gopher for Users
Gopher for Gmail
Gopher for Groups
Gopher for Drive
Backpack
Group Gator
Event-O-Matic
Little SIS for Classroom
Little Sis Premium
Local Hero
In its Terms of Service, Google Workspace requires schools to obtain parental consent for the Google services they allow students under the age of 18 to access, including Additional Services or third-party apps.
The confirm third party apps stepper, in the Admin console, walks admins through the settings to confirm:
- What happens when users under 18 try to sign into unconfigured apps with their Google account,
  AND
- Individual access settings configured for third-party apps.
By clicking Confirm access settings at the last step in the stepper, schools are confirming that they have obtained parent or guardian consent for any additional services they allow students under the age of 18 to use.
Accessing the Confirm app access settings for students stepper
An information bar appears at the top of the Home page when you log into the Admin console.
Note: The process does not have to be completed in one sitting, and you can always update settings in the Admin console even after confirming.
- Click GET STARTED at the left of the info bar to open the confirmation stepper.
- When the stepper opens, review the overview and click Continue to get started.
Settings for unconfigured apps
By default the setting for unconfigured app access is set to Don’t allow users to access any third-party apps. When selected, users under 18 cannot access any apps until access settings are configured for the apps. Users can request access so you can configure settings as needed for each app.
Alternatively, you can select Allow users to access third-party apps that only request basic info needed for Sign in with Google. When selected, users under 18 can access third-party apps that request basic information such as a user’s name, email, and profile picture.
- Review your selection, then click Next.
Settings for configured apps
In this step you are confirming unconfirmed apps.
Step 2 of the stepper opens to the Unconfirmed third-party apps list.
- Use the Access list to narrow down the apps that appear in the list.
  OR
  Enter the name of an app in the search field to search for a specific app.
- In the apps list, select the checkbox for one or more apps.
  OR
  Click Select apps on all pages to select all Unconfirmed apps.
- Click Confirm access settings.
  Caution: When moving between Unconfirmed and Confirmed apps lists, if you have not clicked Confirm access settings, selected checkboxes are not retained. You must confirm access settings for each list independently.
- Click Confirmed above the apps list to open the Confirmed third-party apps list.
- In the apps list, select the checkbox for one or more apps.
- Once finished, click Confirm access settings.
If necessary, you can also update access in this step. When you update access for an unconfirmed third-party app, that app moves to the confirmed list.
To change access for a third-party app in the Unconfirmed or Confirmed list:
- Be sure you are at the appropriate list; Unconfirmed or Confirmed.
- Filter by Access or Search for the specific app.
- Above the apps list, click Trust, Limit, or Block.
- Repeat for each third-party app, as needed.
Security > Access and data control > API controls > Settings ~ Unconfigured third-party apps
After you’ve configured the necessary third-party apps, you can adjust the Unconfigured third-party apps Admin console setting that determines what happens when users try to access unconfigured third-party apps with their account.
- For users over 18, this setting defaults to Allow users to access any third-party apps.
- For users under 18, this setting defaults to Don’t allow users to access any third-party apps.
Selecting Don’t allow users to access any third-party apps means that users can’t access any apps until access settings are configured for the apps. Selecting this option prevents the list of third-party apps from growing while you are curating your list of trusted apps.
Security > Access and data control > API controls > [Apps pending review card] ~ View list
Security > Access and data control > API controls > Settings > Custom user message
By default, the Unconfigured third-party apps setting blocks users under 18 from accessing unconfigured apps. These users can request access to the app. These requests appear in the Apps pending review list in App Access Control. From here you can manage access for those apps.
If you have your own app review and approval process you can direct users to resources for that process via the Custom message.
To turn on the custom user message:
- From API controls, click Settings.
- Click Custom user message.
- Turn the message ON.
- Provide information for the users to initiate your app review/approval process.
Note: The message does not incorporate hyperlinks. For links consider a shortened URL format making it easy for your users to copy and paste the link.
- Click Save.
Related materials
Control access to Google services by age
Confirm your third-party app settings by October 23, 2023
Control which third-party & internal apps access Google Workspace data
Assign Context-Aware access levels to apps
Communicating with Parents and Guardians about Google Workspace for Education