Earlier this year Google added third-party app access controls to the Admin console. If you want to Block all third-party API access, then your users cannot authorize third-party apps to call Google APIs on their behalf to access portions of their Google Workspace services such as Google Drive, Gmail, Calendar, Contacts, etc. Before this setting was in place, administrators could block third-party apps, but it was time-consuming to manage an ever-growing block list. Depending on the size of your institution, IT departments simply do not have the hours to manage a high volume of apps with a high level of confidence in security.
An alternative method, and the focus of this article, is to turn off all API access to the core Google Workspace services and run solely from an allow list. Once the Block all third-party API access setting is ON and an allow list is in place, this method takes less time to maintain and offers greater confidence in security, but it is not without its challenges either.
So, what are the challenges faced by Google administrators in restricting third-party app access to an allow list? Here are the top three.
Challenge 1: Arriving at a list of third-party apps to allow
A major challenge that many Google admins and IT departments face is how to review the apps already in use on the domain and determine which of them should be allowed API access. Complicating the process further, App access control settings are domain-wide settings. Who you need to help vet applications, how many people that takes, and the criteria by which you vet apps will vary depending on your institution's size and learning environment. However, the greatest success you can have is to make the best of the systems and information you already have in place.
Let's look at Upper Grand District School Board (UGDSB). The Board serves 35,000 students through 65 elementary schools and 11 secondary schools in Ontario, Canada. The Information and Communication Technology infrastructure team, led by Peter Scantland, is leveraging their existing Digital Resource Catalog to vet apps.
The process involves all the key stakeholders: the educator, IT, risk, and contract teams. The school district created a clear multi-departmental assessment process and online progress reporting. Any teacher is invited to submit an application or web service for review. That request is then submitted for pedagogical, IT system, risk, and contractual reviews. Each department assesses the application based on its specific responsibilities and expertise. If any review fails, the entire process is stopped and the application is not approved for use. Staff can track the progress of the reviews or identify approved apps via an online application reporting website.
Challenge 2: Letting teachers know their favorite app may go away
Communications: this is a tricky one. Staff may not understand the need behind restricting app access and may not react well to losing access to their favorite app. For staff to understand the need for change, communication is critical.
One way to target your communications is to use Google Apps Manager (GAM) to determine which staff use specific apps. With that list in hand, you could notify users only if an app they used was going away rather than notifying all staff about all apps. Of this idea, Peter offers this, “In a perfect world, I would email all users.”
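As an added illustration of the targeted approach described above (not code from the article or from UGDSB), the script below takes a token export of the kind GAM produces with `gam all users print tokens`, compares each authorized app's OAuth client ID against the allow list, and produces a per-user list of only the apps that will stop working. The CSV sample, the client IDs and the allow list are constructed, and the column names are an assumption to check against the header your GAM version prints.

```python
import csv
import io
from collections import defaultdict

# Constructed sample standing in for the CSV written by
# `gam all users print tokens`; the column names are an assumption,
# so check them against the header your GAM version actually prints.
SAMPLE_TOKEN_CSV = """\
User,clientId,displayText,scopes
alice@example.edu,111111-aaa.apps.googleusercontent.com,Lesson Planner,https://www.googleapis.com/auth/drive
alice@example.edu,222222-bbb.apps.googleusercontent.com,Doc Annotator,https://www.googleapis.com/auth/drive.file
alice@example.edu,222222-bbb.apps.googleusercontent.com,Doc Annotator,https://www.googleapis.com/auth/userinfo.email
bob@example.edu,222222-bbb.apps.googleusercontent.com,Doc Annotator,https://www.googleapis.com/auth/drive.file
carol@example.edu,333333-ccc.apps.googleusercontent.com,Mail Digest,https://www.googleapis.com/auth/gmail.readonly
"""

# OAuth client IDs already vetted and placed on the allow list
# (constructed values). Keying on client ID rather than display name
# matches how App access control identifies an app in the Admin console.
ALLOW_LIST = {"222222-bbb.apps.googleusercontent.com"}


def parse_tokens(csv_text):
    """Parse a GAM token export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def apps_to_be_blocked(rows, allow_list):
    """Map each client ID NOT on the allow list to its display name and
    the set of users who authorized it (one token row per scope is
    collapsed, so a user is counted once per app)."""
    blocked = {}
    for row in rows:
        cid = row["clientId"]
        if cid in allow_list:
            continue
        entry = blocked.setdefault(cid, {"name": row["displayText"], "users": set()})
        entry["users"].add(row["User"].lower())
    return blocked


def notifications(rows, allow_list):
    """Return {user: sorted app names} so only affected users get the
    'this app is going away' message, instead of every staff member."""
    per_user = defaultdict(set)
    for entry in apps_to_be_blocked(rows, allow_list).values():
        for user in entry["users"]:
            per_user[user].add(entry["name"])
    return {user: sorted(apps) for user, apps in per_user.items()}


if __name__ == "__main__":
    for user, apps in sorted(notifications(parse_tokens(SAMPLE_TOKEN_CSV), ALLOW_LIST).items()):
        print(f"{user}: {', '.join(apps)}")
```

Users whose only authorized apps are on the allow list (bob in the sample) receive no message at all.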
A complex concept such as security should be distilled down to its essence, with only the basic information passed along. Peter highlighted what he's learned about communication, sharing that, "You can communicate anything if it's really bad news, it just has to happen way in the future." He added, "It (communication) is a missing piece, we need to be able to tell people to get out, to get out quickly, but we have to find them first and then put that messaging together vs. just cutting them off."
Challenge 3: Getting a plan for moving forward
Once you reach this point, you’ve invested many hours in vetting apps, communicating internally for this change, constructing an allow list, and setting the app access controls. There’s still a bit of work to do, but you are nearly there. The last challenge in rounding out this project is to be sure there is a process in place for evaluating new apps in the future.
In Peter's words, "We'd rather be more restrictive and then let the toothpaste out, but how and when is the question." If your goal is to block all apps outside the allow list, the ramification may be frequent staff requests for the return of certain apps. Once everything is blocked, you can loosen up as necessary.
Putting a plan in place for managing future apps and training incoming staff on the app policy can help administrators avoid being overwhelmed with requests. Chances are, the process you used to originally vet apps can be transitioned into a maintenance process for evaluating new apps. You'll have the advantage of knowing what worked, and what didn't, when you first vetted apps. This is a great chance to integrate those process improvements into your ongoing process.
Undoubtedly, there are more challenges in migrating to an allow list, some specific to your organization. It may seem like a simple process, but there is a lot of change built in and you may need to take it slow. If you need help evaluating which users are using specific apps, evaluating your allow list setup, or the App access control in the Admin console, AIT is here to help. Reach out to our team of experts.
About the Author:
Lorrie was born and raised near Pittsburgh, PA. She is a proud graduate of Slippery Rock and Chatham Universities. She holds degrees in Business and Professional Writing. In her role as Technical Writer, Lorrie adds clarity to all things Amplified IT. She continually looks for better ways to explain the ‘how’ and ‘why’ for our products and services. Being a Pittsburgh native, Lorrie loves all things black and gold. When she does get downtime, she enjoys family, baking, walking, and archery. A fun fact: Lorrie participated in the largest wedding cookie table which earned a Guinness World Record with 88,425 cookies!