
Google Workspace Endpoint Manager

What is Google Workspace Endpoint Manager?

Google Workspace Endpoint Manager manages security for mobile devices, desktops, laptops, Chromebooks, and other endpoints.

Why Should You Use the Google Workspace Endpoint Manager Connector?

The Google Workspace Endpoint Manager connector provides visibility into the assets in your environment. You can use this visibility to:

  • ensure assets are managed per your security policies

  • derive relationships between assets, users, applications, and data

How Does This Connector Work?

Lucidum executes read-only requests to the Google Workspace Endpoint Manager REST API and ingests only meta-data about Google Workspace Endpoint Manager devices. Lucidum does not retrieve any data stored on your assets.

Configuring the Connector in Lucidum

Field: JSON Key File
Description: For details on creating a service account and a JSON key for that account, see https://cloud.google.com/iam/docs/keys-create-delete#creating.
Example: lucidum_user.json

Field: Customer ID
Description: The Customer ID, assigned by Google. To find the customer ID, navigate to Settings > Organization > License Management. The Customer ID is located in the System Version area.
Example: c3674b58-d412-4614-a23b-4cac04593e25

Field: Email
Description: Provide the email for the administrator account for your Google Workspace. Usually, this is the email address used to log into the Google Workspace Admin console. This is not the email for the service account. The service account specified in the JSON file accesses the Google services by impersonating this administrator account.
Example: lucidum_user@lucidum.io

Source Documentation

Creating a Service Account, API Key, and JSON File for Lucidum

To create an account for Lucidum to access Google Drive:

  1. Go to the Google Cloud Console and select the project that you want to create the service account for.

  2. Enable the following cloud APIs. For details, see: https://developers.google.com/workspace/guides/enable-apis

    • Admin SDK API

    • Cloud Identity API

    • Drive Activity API

    • Google Drive API

  3. Create a Service Account for the Lucidum data connector. For details, see: https://developers.google.com/workspace/guides/create-credentials#service-account.

  4. After entering the Service account description, click Done. The remaining steps are not required.

  5. The service account does not require a role.

  6. To assign permissions to the newly created service account, select the service account. Under Actions, select Manage details.

  7. In the DETAILS tab, expand Show Domain-Wide Delegation.

  8. Select Enable Google Workspace Domain-wide Delegation.

  9. Click SAVE.

  10. In the DETAILS tab, copy the Unique ID to your local computer. This is the Client ID you must enter in the subsequent tasks.

  11. Create a JSON key for the new service account.

  12. Go to KEYS tab > ADD KEY.

  13. In the Create private key for modal page, select Key type as JSON and click CREATE.

  14. The JSON key will be downloaded automatically. Save this JSON key file to your local computer.

Creating the Delegate Email

  1. For details on creating a delegate, see https://developers.google.com/identity/protocols/oauth2/service-account#python.

  2. Log in to Google Workspace (https://workspace.google.com/) as a Workspace administrator.

  3. Click on Admin console.

  4. In the Google Admin console, go to Security > API Controls > MANAGE DOMAIN WIDE DELEGATION.

  5. Click Add new.

  6. In the Add a new client ID modal page, enter the Client ID you saved earlier.

  7. In the OAuth scopes section, specify the following required scopes:

    • https://www.googleapis.com/auth/admin.directory.device.mobile.readonly

    • https://www.googleapis.com/auth/admin.directory.user.readonly

    • https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly

    • https://www.googleapis.com/auth/admin.directory.user.security

    • https://www.googleapis.com/auth/cloud-identity.devices.readonly

    • https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly

    • https://www.googleapis.com/auth/admin.directory.group.readonly

    • https://www.googleapis.com/auth/drive.readonly

    • https://www.googleapis.com/auth/drive.activity.readonly

  8. Click AUTHORIZE.

Required Permissions

The user you create for Lucidum requires the following scopes:

  • https://www.googleapis.com/auth/admin.directory.device.mobile.readonly

  • https://www.googleapis.com/auth/admin.directory.user.readonly

  • https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly

  • https://www.googleapis.com/auth/admin.directory.user.security

  • https://www.googleapis.com/auth/cloud-identity.devices.readonly

  • https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly

  • https://www.googleapis.com/auth/admin.directory.group.readonly

  • https://www.googleapis.com/auth/drive.readonly

  • https://www.googleapis.com/auth/drive.activity.readonly
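The delegation flow set up in the two procedures above (service-account key, domain-wide delegation, the admin Email field) and the scope list in this section can be checked before the connector ever talks to Google. The following is an added example, not Lucidum's connector code or a Google library: it parses a constructed sample key file, builds the claim set that Google's service-account flow signs (iss is the service account, sub is the impersonated admin), and audits a delegation grant against the nine documented scopes. The sample key file, its placeholder private key, and the function names are assumptions.

```python
import json
import time

# The nine OAuth scopes this connector is documented to require
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.device.mobile.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/cloud-identity.devices.readonly",
    "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive.activity.readonly",
})

# Constructed sample key file (assumption): a real one carries a PEM private key
# and Google-issued ids; never commit a real key file to source control.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "lucidum-sa@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})

def load_key_file(raw):
    """Parse a service-account JSON key and reject anything that is not one."""
    info = json.loads(raw)
    needed = ("type", "client_email", "private_key", "token_uri")
    missing = [k for k in needed if k not in info]
    if info.get("type") != "service_account" or missing:
        raise ValueError(f"not a service-account key file (missing {missing})")
    return info

def delegation_claims(info, admin_email, scopes, now=None):
    """Claim set of the JWT that the service-account flow signs with the key.
    'sub' is the impersonated Workspace admin (the connector's Email field)."""
    if admin_email == info["client_email"]:
        raise ValueError("Email must be the admin to impersonate, not the service account")
    now = int(time.time()) if now is None else now
    return {"iss": info["client_email"], "sub": admin_email,
            "scope": " ".join(sorted(scopes)), "aud": info["token_uri"],
            "iat": now, "exp": now + 3600}

def audit_delegation(granted):
    """Compare scopes granted under Domain-wide Delegation with the documented set:
    'missing' breaks the connector, 'extra' means the grant is over-privileged."""
    granted = set(granted)
    return {"missing": sorted(REQUIRED_SCOPES - granted),
            "extra": sorted(granted - REQUIRED_SCOPES)}
```

Signing the claim set with RS256 and exchanging it at token_uri is left to a client library; the point here is that the grant in Security > API Controls should match REQUIRED_SCOPES exactly.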

API Documentation

API for Google Drive: https://developers.google.com/drive/api/guides/about-sdk

API for Google Drive Activity: https://developers.google.com/drive/activity/v2

API for Google Chrome Manager: https://developers.google.com/admin-sdk/directory/reference/rest/v1/chromeosdevices
