What is Google Workspace Endpoint Manager?
Google Workspace Endpoint Manager manages security for mobile devices, desktops, laptops, Chromebooks, and other endpoints.
Why Should You Use the Google Workspace Endpoint Manager Connector?
The Google Workspace Endpoint Manager connector provides visibility into the assets in your environment. You can use this visibility to:
- ensure assets are managed per your security policies
- derive relationships between assets, users, applications, and data
How Does This Connector Work?
Lucidum executes read-only requests to the Google Workspace Endpoint Manager REST API and ingests only metadata about Google Workspace Endpoint Manager devices. Lucidum does not retrieve any data stored on your assets.
Configuring the Connector in Lucidum
Field | Description | Example
---|---|---
JSON Key File | For details on creating a service account and a JSON key for that account, see https://cloud.google.com/iam/docs/keys-create-delete#creating. | lucidum_user.json
Customer ID | The Customer ID, assigned by Google. To find the customer ID, navigate to Settings > Organization > License Management. The Customer ID is located in the System Version area. | c3674b58-d412-4614-a23b-4cac04593e25
Delegate Email | The email address of the administrator account for your Google Workspace. Usually, this is the email address used to log into the Google Workspace Admin console. This is not the email address of the service account. The service account specified in the JSON key file accesses the Google services by impersonating this administrator account. |
Source Documentation
Creating a Service Account, API Key, and JSON File for Lucidum
To create an account for Lucidum to access Google Drive:
- Go to the Google Cloud Console and select the project that you want to create the service account for.
- Enable the following cloud APIs. For details, see: Enable Google Workspace APIs | Google for Developers
  - Admin SDK API
  - Cloud Identity API
  - Drive Activity API
  - Google Drive API
- Create a Service Account for the Lucidum data connector. For details, see: Create access credentials | Google Workspace | Google for Developers.
  - After entering the Service account description, click Done. The remaining steps are not required.
  - The service account does not require a role.
- To assign permissions to the newly created service account, select the service account. Under Actions, select Manage details.
  - In the DETAILS tab, expand Show Domain-Wide Delegation.
  - Select Enable Google Workspace Domain-wide Delegation.
  - Click SAVE.
- In the DETAILS tab, copy the Unique ID to your local computer. This is the Client ID you must enter in the subsequent tasks.
- Create a JSON key for the new service account.
  - Go to the KEYS tab > ADD KEY.
  - In the Create private key for modal page, select Key type as JSON and click CREATE.
  - The JSON key will be downloaded automatically. Save this JSON key file to your local computer.
Creating the Delegate Email
- For details on creating a delegate, see https://developers.google.com/identity/protocols/oauth2/service-account#python.
- Log in to Google Workspace (https://workspace.google.com/) as a Workspace administrator.
- Click on Admin console.
- In the Google Admin console, go to Security > API Controls > MANAGE DOMAIN WIDE DELEGATION.
- Click Add new.
- In the Add a new client ID modal page, enter the Client ID you saved earlier.
- In the OAuth scopes section, specify the following required scopes:
  - https://www.googleapis.com/auth/admin.directory.device.mobile.readonly
  - https://www.googleapis.com/auth/admin.directory.user.readonly
  - https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
  - https://www.googleapis.com/auth/admin.directory.user.security
  - https://www.googleapis.com/auth/cloud-identity.devices.readonly
  - https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly
  - https://www.googleapis.com/auth/admin.directory.group.readonly
  - https://www.googleapis.com/auth/drive.readonly
  - https://www.googleapis.com/auth/drive.activity.readonly
- Click AUTHORIZE.
Required Permissions
The user you create for Lucidum requires the following scopes:
- https://www.googleapis.com/auth/admin.directory.device.mobile.readonly
- https://www.googleapis.com/auth/admin.directory.user.readonly
- https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
- https://www.googleapis.com/auth/admin.directory.user.security
- https://www.googleapis.com/auth/cloud-identity.devices.readonly
- https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/drive.readonly
- https://www.googleapis.com/auth/drive.activity.readonly
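An added example, not Lucidum's or Google's code, that checks the downloaded JSON key and the delegated scopes from the two lists above before building impersonated credentials: the sample key dictionary is constructed (no real key material), and build_directory_client() assumes the google-auth and google-api-python-client packages are installed.

```python
import json

# The nine read-only scopes the page lists for the domain-wide delegation.
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.device.mobile.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/cloud-identity.devices.readonly",
    "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive.activity.readonly",
})

# Constructed sample with the shape of a downloaded key file (not a real key).
SAMPLE_KEY = {"type": "service_account", "client_id": "100000000000000000001",
              "client_email": "lucidum@example-project.iam.gserviceaccount.com",
              "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"}

def validate_key_info(key_info):
    """Check the key has the fields delegated auth needs and return its client_id,
    which must equal the Client ID entered under MANAGE DOMAIN WIDE DELEGATION."""
    if key_info.get("type") != "service_account":
        raise ValueError("not a service-account key: type=%r" % key_info.get("type"))
    for field in ("client_email", "private_key", "client_id"):
        if not key_info.get(field):
            raise ValueError("key file is missing %r" % field)
    return key_info["client_id"]

def audit_delegation_scopes(granted):
    """Compare the scopes granted to the client ID with the documented set and
    return (missing, excess): missing scopes break ingestion, excess scopes (any
    not in the list, e.g. a non-readonly one) over-privilege the key. Stray commas
    from a pasted comma-separated list are tolerated."""
    granted = {s.strip().rstrip(",") for s in granted if s.strip()}
    return sorted(REQUIRED_SCOPES - granted), sorted(granted - REQUIRED_SCOPES)

def build_directory_client(key_path, admin_email):
    """Build a Directory API client that impersonates the delegate admin; the
    Google libraries are imported here so the checks above run without them."""
    from google.oauth2 import service_account
    from googleapiclient.discovery import build
    with open(key_path) as fh:
        info = json.load(fh)
    validate_key_info(info)
    creds = service_account.Credentials.from_service_account_info(
        info, scopes=sorted(REQUIRED_SCOPES)).with_subject(admin_email)
    # Read-only use, e.g. client.mobiledevices().list(customerId=...).execute()
    return build("admin", "directory_v1", credentials=creds)
```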
API Documentation
API for Google Drive: https://developers.google.com/drive/api/guides/about-sdk
API for Google Drive Activity: https://developers.google.com/drive/activity/v2
API for Google Chrome Manager: https://developers.google.com/admin-sdk/directory/reference/rest/v1/chromeosdevices