You may have heard about Google’s plan to keep G Suite accounts safe from hijackers by blocking the use of Less Secure Apps (LSAs) for new users starting June 2020, and for new and existing users in February 2021. If your organization has already disabled access to LSAs, you won’t be impacted by the update. If LSAs are allowed in your domain, take my hand and let me guide you through this journey!
What are less secure apps anyways?
Let’s start here. Less secure apps are apps and devices that don’t use modern security standards like OAuth, and therefore are prone to account hijacking. Instead of using OAuth 2.0 as a connection method, less secure apps access your Google account with just your username and password.
Examples of less secure apps are as follows:
- iOS Mail, Contacts, Calendar apps set up as “Microsoft Exchange” account type (Google Sync)
- Outlook for Mac
- MacOS Mail
- Outlook 2016 or older set up via password-based POP or IMAP
- Printers/Scanners that use POP3 and IMAP without OAuth
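To make the difference concrete, here is an added example (not from the original post) that classifies IMAP sign-in commands by whether they send the account password or an OAuth 2.0 access token in the SASL XOAUTH2 format. The accounts, secrets and command lines are constructed for illustration.

```python
import base64

PASSWORD_MECHS = {"PLAIN", "LOGIN"}        # reusable account password on the wire
OAUTH_MECHS = {"XOAUTH2", "OAUTHBEARER"}   # OAuth 2.0 access token instead

def xoauth2_response(user, access_token):
    """Build the base64 SASL XOAUTH2 initial client response."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def classify(command):
    """Classify one tagged IMAP client command by the kind of secret it sends."""
    parts = command.split()
    verb = parts[1].upper() if len(parts) > 1 else ""
    if verb == "LOGIN":
        return {"kind": "password", "mech": "LOGIN"}
    if verb == "AUTHENTICATE" and len(parts) > 2:
        mech = parts[2].upper()
        if mech in PASSWORD_MECHS:
            return {"kind": "password", "mech": mech}
        if mech in OAUTH_MECHS:
            info = {"kind": "oauth", "mech": mech}
            if mech == "XOAUTH2" and len(parts) > 3:
                # Fields are separated by Ctrl-A; the first one names the account.
                fields = base64.b64decode(parts[3]).decode().split("\x01")
                info["user"] = fields[0].partition("=")[2]
            return info
    return {"kind": "other"}

# Constructed client commands (hypothetical accounts and secrets).
SAMPLES = [
    'a1 LOGIN alice@example.com "constructed-password"',
    "a2 AUTHENTICATE XOAUTH2 " + xoauth2_response("bob@example.com", "constructed-token"),
    "a3 AUTHENTICATE PLAIN",
    "a4 SELECT INBOX",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line.split()[1:3], "->", classify(line))
```

Only the first and third samples would stop working once LSA access is turned off; the XOAUTH2 sign-in never exposes the password to the client.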
Where do you begin?
Assess the situation in your organization by identifying affected apps and users. Your organization’s primary admin received an email about the LSA shutdown with a list of users likely to be affected.
Admins should also take advantage of G Suite reporting to better understand who is impacted.
- In the Admin Console > Device Management, check out the managed mobile devices that show as a “Google Sync” type of configuration. Those users with Google Sync configurations will be affected by the February 2021 shutdown.
- Leverage the Security report in the Admin Console to identify Gmail (IMAP) and Gmail (POP) Last Used Time. This will give you an indication of which users have G Suite connected via IMAP/POP to email clients or other devices.
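One way to turn that report into a follow-up list, as an added example that is not part of the original post: the script below reads a CSV export and returns users whose IMAP or POP last-used time falls inside a recent window. The column names, the ISO timestamp format and the sample rows are assumptions; adjust them to match your actual export.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumed column names for a CSV export of the Security report.
USER_COL = "User"
PROTO_COLS = {"IMAP": "Gmail (IMAP) Last Used Time",
              "POP": "Gmail (POP) Last Used Time"}

# Constructed sample export (not real data).
SAMPLE_CSV = """User,Gmail (IMAP) Last Used Time,Gmail (POP) Last Used Time
alice@example.com,2020-05-28T09:14:00,
bob@example.com,,
carol@example.com,2019-01-03T17:40:00,2020-06-01T08:00:00
dave@example.com,2018-11-20T12:00:00,
"""

def parse_time(value):
    """Return a datetime, or None when the cell is empty (protocol never used)."""
    value = (value or "").strip()
    return datetime.fromisoformat(value) if value else None

def users_to_follow_up(csv_text, as_of, window_days=90):
    """Return (user, protocols, latest_use) for recent IMAP/POP users, newest first."""
    cutoff = as_of - timedelta(days=window_days)
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        recent = {}
        for proto, col in PROTO_COLS.items():
            ts = parse_time(row.get(col))
            if ts and ts >= cutoff:          # stale entries are ignored
                recent[proto] = ts
        if recent:
            hits.append((row[USER_COL], sorted(recent), max(recent.values())))
    return sorted(hits, key=lambda h: h[2], reverse=True)

if __name__ == "__main__":
    for user, protos, latest in users_to_follow_up(SAMPLE_CSV, datetime(2020, 6, 10)):
        print(f"{user}: {'/'.join(protos)} last used {latest:%Y-%m-%d}")
```

Treat each hit as a lead to check rather than a confirmed less secure app: a client connecting over IMAP with OAuth also shows IMAP activity.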
Get control over your company’s data
It may seem as if the configuration updates are going to completely overwhelm your IT team and end users. On the bright side, this is the perfect time to re-think (or begin thinking about) your policies around approved/restricted applications and devices used for accessing your corporate G Suite data. For example:
- Did you allow Outlook setup via IMAP/POP for users after deploying G Suite? Get the situation under control by deploying G Suite Sync for Microsoft Outlook instead. Better yet, deploy Google Chrome browser and require that G Suite’s web-based services be accessed via a web browser.
- Have you been waiting for the right time to better manage your iOS devices? Now is a good time to enable Advanced MDM with an Apple Push Certificate, for the benefits of whitelisting/managing apps on iOS devices, controlling how data syncs with apps, wiping G Suite data from devices and more.
Breaking down the timeline
There’s no need to wait until June to change your new hire onboarding practices. Act now to ensure new employees get G Suite on their devices the right way so their setups won’t need to be revisited next year. Also, get a head start on ensuring existing users are on the right track before access to LSAs is turned off for them in February 2021.
Get a jump start on the following prior to June 15, 2020:
- Instruct new users to use the Google mobile apps on iOS instead of the native Mail, Contacts, Calendar apps on iPhone/iPad.
- Those who insist on using iOS native Mail, Contacts and Calendar apps should add the account, selecting the Google account option during the setup process (not Exchange).
Email client users
- Set up accounts in Thunderbird, Outlook for Mac and MacOS Mail settings to connect using OAuth. For existing users, this may require removing and re-adding the account to use IMAP with OAuth.
- Don’t use Outlook 2016 or older on Windows via IMAP connections. Switch to a newer version of Outlook that supports OAuth and download G Suite Sync for Microsoft Outlook to synchronize data from G Suite to Outlook.
- When possible, don’t allow email clients unless there is a critical business need for them. Streamline and simplify IT by requiring a supported web browser for accessing G Suite.
- Ensure that existing users who get new devices (phone, tablet, laptop, computer) are aware of the correct way to configure G Suite on iOS or email clients.
- For the best experience, use Chrome browser to access G Suite services on the web and get the Google mobile apps on smartphones/tablets.
There’s no harm in getting a jump start on ensuring existing employees have their devices configured appropriately. Helpdesk and support teams will be thankful that the company is taking a proactive approach to addressing the impacts of this change. Ignoring this update is guaranteed to make February 21, 2021 a terrible, horrible, no good, very bad day for IT support teams.
After February 15, 2021, expect the following:
- Less secure apps and devices will show error messages for incorrect usernames and passwords.
- Resolve errors by reconfiguring settings to use OAuth, removing and re-adding the account correctly (see above under “June 2020”), or switching to a more secure app that connects to G Suite accounts via OAuth.
- Admins can manage configurations on behalf of iOS users using the Advanced MDM settings to push Google Account configurations to re-add G Suite accounts using OAuth.
Please note that additional devices and applications may also be affected by this update. Review Google’s G Suite Updates Blog for additional instructions for scanners, CalDAV, CardDAV and more.
Need a hand?
Connect with us if you could use a hand with preparing for this change and proactively addressing the impacts to your organization. We got your back!