G Suite

Discussion in 'Technical Corner' started by flyingcheesehead, Sep 23, 2019.

  1. flyingcheesehead

    flyingcheesehead Touchdown! Greaser!

    Joined:
    Feb 23, 2005
    Messages:
    22,924
    Location:
    UQACY, WI
    Display name:
    iMooniac
    Hi all,

    I'm becoming rather annoyed with G Suite, mainly around data syncing.

    It seems that Google really wants to force you to use their own tools. I can't use Mail on my Mac to get my G Suite mail. To get it on my iPhone and iPad, I still have to use the kludgey Outlook workaround...

    Is there any good standalone app G Suite mail client for Mac OS?

    Also, I'm able to set up Notes on the Mac to sync with G Suite... Supposedly. The notes are listed under my G Suite account in the app, but I can't find them anywhere online (theoretically it sounds like I should get a "notes" label in GMail), and I can't get my mobile devices to even show the switch to enable note syncing.

    Has anyone been able to get Notes to sync through G Suite?

    Thanks!
     
  2. denverpilot

    denverpilot Tied Down

    Joined:
    Nov 8, 2009
    Messages:
    50,525
    Location:
    Denver, CO
    Display name:
    DenverPilot
    I use Mail on GSuite all the time. Same with direct use of the built-in Mail on iOS devices.

    Is the GSuite one you administer or someone else? They may have turned off support for “lower security clients” in GSuite Admin. Or in normal terms, they turned off IMAP.

    You can check if they allowed it to be flipped by users. Go into Gmail settings from a browser and to the Forwarding and IMAP tab and see if you can turn it on there.

    If not, your GSuite admin is a dick. LOL. No reason not to allow it with encryption. Google claiming it is “lower security” is completely poppycock, as you know. :)
     
  3. denverpilot

    P.S. Did your iOS device ask to accept a certificate when you attached to this GSuite account the first time? If so, they’ve also turned on the mobile device controls.

    Lemme see if there’s any settings that would do what you’re describing in there. Just a sec.
     
  4. denverpilot

    Nope. Here's what can be controlled on iOS devices... in fact, I can force configure your Google account directly into all the Apple apps from Mobile settings for iOS, even.

    Your GSuite admin is either forgetting to tell Apple device users that they need to go into Gmail settings and allow IMAP, or they're blocking you from doing it. GSuite also still allows the old Google Sync protocol, which is EOLed for all non-GSuite accounts.

    Anyway, have fun with that... I see nothing that would block you using G Suite. What other device management is on these devices? I think you mentioned JAMF?

    You may also want to read this: (Stuff that just flat doesn't work right between Google and Apple)
    https://support.google.com/a/users/answer/139635?hl=en

    This doc explains to users the settings I have as an admin, below -- for iOS management.
    https://support.google.com/a/users/answer/6098065?hl=en

    Might also check and see what they're actually controlling:
    https://support.google.com/a/users/answer/7383952?hl=en

    I think we also ran into a solid brick wall iOS limitation on number of Google accounts it would attach to. I can't remember exactly but something to do with aliases. One of our users needs to be able to send AS six different user@differentdomains.com accounts since we have six businesses in house -- iOS couldn't do it properly without attaching all of them as separate IMAP accounts, even though it is all the same Gmail account and mailbox.

    We "fixed" that by using an even better solution: Load the native GMail *App* on to the iOS device. Anyone doing GSuite on iOS should have this anyway.

    Outlook?! On iOS??? GAG. No. No. No.

    Another brick wall on iOS. You can NOT attach to two GSuite accounts with iOS Mobile Management turned on on both. iOS can't deal with two accounts and two certificates and sets of rules.

    Android handles both of the above showstoppers of course, since it has business and personal profiles and the two are properly separated. Two business accounts don't bother it, and it uses the more strict rule in any ruleset for things like forcing screen lock, etc. Far more intelligent at handling multiple accounts with business controls applied to one or more.

    Hope that helps.

    [Attached image: Screen Shot 2019-09-24 at 01.28.11.png]
     
  5. denverpilot

    Hmm ... you can ignore my comment about IMAP. Not needed.

    I just disabled it on my two GSuite accounts and connected OS X Mail and iOS Mail just fine with the native Google account setups in both OSes.

    You should never have to use the “Exchange trick” at all anymore either. All you should have to do is create an account in any of those apps and say it’s a Google account. It should pop a browser window to auth with Google’s native logon box.

    Hmmm. Let’s see. There’s also a security setting in GSuite admin to block third party auth or allowing third party apps to connect. In your case they’d have to be allowing Exchange/the old ActiveSync protocol, but not third party direct auth which would be stupid. Google direct auth is WAAAAY more secure than ActiveSync.

    Just tossing out ideas here. They have your GSuite Admin settings totally pooched up if Apple devices won’t connect. :)
     
  6. flyingcheesehead

    I use Mail on iOS too, but can't use Mail on the desktop.

    CEO administers it. His philosophy on security is quite a bit tighter than mine generally is. But, I respect that and put Diceware passwords on everything and generally keep things pretty locked down. He's also scary smart and I'm sure if we got into the discussion he would probably tell me exactly how to exploit the particular security hole in IMAP that he's worried about. :)

    Well, considering my tab is just called "Forwarding" that's a no. ;)

    Most likely, yes.

    We do use JAMF, but only on the laptops. Mobiles are BYOD and we don't do anything with them yet. The only profiles I have on my iOS devices are the ones I need to run the prerelease versions of ForeFlight.

    Yeah... I just wish they had a GMail app on Mac OS too.

    I believe this is no longer true in iOS 13.
     
  7. denverpilot

    LOL there’s problem number one right there... he simply read that Google thinks it’s insecure and went with it. He needs professional IT security help, but probably can’t afford it. :)

    I’m sure he’d tell you all about what the security hole is for Mail.App to be allowed to third party auth, too. Hahaha. And I’m not saying that in a nice way. :)

    Mac Mail.App doesn’t require IMAP and does Google’s own “they claim it’s better” auth mechanism these days, so he must have blocked that auth mechanism.

    Jussssst as a check though, have you opened up Keychain and deleted anything Google related for that account? It could be your Mac got caught with one of a couple of bugs in past updates doing Google Auth and the only way to get it to behave again after that is dumping the keychain stuff so it will start over.

    Have to do that while Mail is shut down and also log into accounts.google.com and go to the Security menu and revoke any “Third Party Apps with Account Access” associated with your Mac.

    Ahhh. I bet that’s what he turned off. No third party apps allowed to auth. So in fact, check that first. If your Mac isn’t in there, no point in fixing the keychain. He’s disallowed it there.

    It’s interesting that he left the old ActiveSync interface allowed if he’s that security “aware”. Gag. He probably doesn’t know he did. Forgot it’s a grandfathered thing for GSuite users only since MSFT makes Google pay a licensing fee to use it. Which is what got it killed for all free GMail accounts. Google wasn’t about to pay for all of those licenses. Ha. That or he’s got Outlook addicts he can’t fix. Hahahaha.

    As I recall, Google does need more granularity there. With all of these websites saying “log in with Google!” I could see some problems arising from morons using their company GSuite accounts to auth to websites like that and then being all ****y if they got fired and lost the account. But really, that’s on them. Pick the right Google account. Ha.

    I’ll have to look and see if they give the admin a way to see what third party apps authenticated via Google and kill individual ones. Now you have me curious. They didn’t used to. Been a while since I looked.

    We leverage the crap out of Google auth. Primary auth whenever possible is AD. AD is synced to GSuite. We don’t have to even log into GSuite Admin to add or dump a user. It’s just reading an OU. From there if some system doesn’t allow AD sync, we just tie it to Google auth.

    If you get fired, all I have to do for 90% of our systems is just disable you in AD. It propagates to Google and a couple other things and you’re gone. All the important stuff. VPN access, mobile access, logins to nearly everything. Toast. It’ll even toss you off the network or VPN in real time. :)

    Well anyway. For the most part the Gmail web interface is usually very adequate to use on a Mac running Chrome. Safari? Meh. Not so great. Firefox is also decent. But there’s a couple of things Mail.App does better, so we wouldn’t block it for those reasons. If Mail.App auth to Google gets compromised, so does the Google web interface. Same mechanism.