AN ADMIN GUIDE TO G SUITE MARKETPLACE
- G Suite marketplace offers thousands of applications which can enhance your G Suite users’ experience and make them even more productive.
- However, it also puts you (G Suite Admin) on a risk of shadow IT if your G Suite users start installing these marketplace apps by themselves.
- I invested sometime learning about security oriented best practices for G Suite marketplace, Let me share everything I learnt, and hopefully it would help you administer G Suite.
Table of Contents
Chapter # 1
G Suite Marketplace Overview
What is G Suite Marketplace & Why should you care?
You signed up for G Suite because you love the apps like Gmail, Google drive, chat, meet etc as they help you collaborate seamlessly, but I think there is one more reason that you had in mind when you signed up.
And that is an ease to access these tools from anywhere, and from any device.
So with G Suite, you have taken care of messaging and collaboration, but how about other applications which help you run your business, apps like-:
- CRM to manage your customer relationships.
- Account apps to help you manage your finances.
- Email marketing apps to help you reach out to your existing and prospective customers.
Ideally, these applications should also be available just like G Suite, and better if they can integrate with G Suite apps helping you become more productive.
That’s where G Suite Marketplace comes into the picture.
So What is G Suite Marketplace?
G Suite Marketplace is an online catalogue where G Suite customers can find applications for their business needs. These third party applications are designed to work seamlessly and securely with G Suite.
You get following benefits from this marketplace as a G Suite Customer-:
1. Increased Productivity : Your users would be more productive as G Suite Marketplace applications are designed to work seamlessly with G Suite.
For e.g – Your users do not need to remember another set of credentials for that CRM application, as they can now login to it via their G Suite credentials (SSO).
2. Complete Business Operating System : You would be able to run your business online with G Suite marketplace applications as most of them are cloud based, eg. Salesforce for CRM, Xero for accounting, Mailchimp for email marketing etc.
3. Seamless Data Access : You would be able to access your G Suite data into these applications and vice versa, which would help you save time.
For e.g -: If you use canva.com to create your marketing assets, you would be able to access your company assets in Google Drive right into Canva.
4. Data Security : As a G Suite app developer myself, I can tell you that these marketplace applications need to go through Google’s well defined review process before they appear in the marketplace, this review process ensures that developers follows security standards.
Chapter # 2
Marketplace Apps - Secure Adoption
Assess Security of G Suite Marketplace Applications
G Suite Marketplace applications enhance your users experience and help them get more done, however as a G Suite Administrator you should first assess security of these 3rd party applications before letting your users install them.
G Suite Marketplace applications security should be considered as “Shared Responsibility Model”, where Google and you both take care of security assessment at some level.
After publishing a few applications in G Suite marketplace, following is my understanding in terms of what security measures are taken by Google, and what should be your responsibility.
Whats covered by Google?
(i) To ensure developer has accepted Google’s terms of service.
(ii) To ensure developer has registered their application with Google.
(iii) To ensure developer has clearly listed the API scopes that their application would be accessing along with providing justification for the usage of each of the API scopes.
Note : Based on my experience going through OAuth review process multiple times, Google only grants OAuth scopes which are really required by your application to provide its functionality.
For e.g : Google initially rejected my application ‘Labels Manager for Gmail’ because I applied to get mail.google.com as OAuth scope which was very broad.
I was suggested to use https://www.googleapis.com/auth/gmail.labels which is good enough to provide Gmail labels management functionality.
My application was approved, once I narrowed the API scope to least required.
(iv) Developer has an OAuth consent clearly defined.
(iv) Developer has provided support channel details.
Now, Google does its part of ensuring that developers have followed above best practices, however Google does NOT control the relationship between you and the app developer.
For e.g -: During the application installation, Google makes sure that application should ask for OAuth consent showing which API scopes / data will this app be able to access, however it is your responsibility to decide whether you want to provide consent to this application for it or not.
I recommend you to evaluate the security of each application you either install or add to your company approved apps list.
You can do this by following (please take following as reference points only, and use your company’s security policies for such evaluation).
What should be assessed by you?
(i) Understand which API scopes /data would be accessed by this G Suite marketplace application, and if these scopes are “must” required to provide you the desired functionality.
(iii) Pay attention to the application reviews, and read the comments by other users of this application in G Suite marketplace.
(iv) If you are into regulated industry and have certain compliances to meet (e.g HIPAA, FINRA etc), then check if the marketplace application can help you stay compliant (e.g if they can sign BAA for HIPAA compliance etc).
(v) Reach out to the application developer via provided support channel if you have additional questions.
(vi) Only install application for the required scope (e.g if CRM application is only used by your sales team, do not install it for all users, rather do it just for the sales org unit, I have this in details in the installation best practices).
Chapter # 3
G Suite Marketplace Settings
G Suite Marketplace (Security Oriented) Settings
G Suite Marketplace has thousands of application which can help your users be more productive, however it also increases the risk of ‘Shadow IT’.
Though it depends on your company policy, but ideally, you should not allow your users to install applications from G Suite marketplace by their choice, because users might not pay much attention to things OAuth scopes grants etc.
You should rather create a list of company approved marketplace apps, and only put apps in it after you have assessed their security.
Now, let me show you marketplace settings offered by Google, and how to configure these settings in an information security oriented way.
Login to your G Suite Admin Console and click on “Apps” as shown below.
Here you would see different application or services provided by G Suite, click on “Manage” under G Suite Marketplace apps as shown in the screenshot below.
You would now see various options available to you which would define how and which marketplace applications can be installed by your G Suite users.
Let us cover these options in details :
1. Allow Users to install any application from G Suite Marketplace : As it is clear by its title, if you select this option, then your G Suite users would be able to install any application available in G Suite Marketplace. I would recommend you not to choose this option as it exposes a bit of risk to let users install applications not yet assessed by you.
2. Do not allow users to install any application from G Suite Marketplace : If you select this option, then your G Suite users will not be able to install any application from G Suite Marketplace. This is not the recommended option either as it restrict your users to take advantage of G Suite marketplace and get more done with applications of choice.
3. Allow Users to Install only Whitelisted applications from G Suite Marketplace : In most cases, you should go with this option as it let your G Suite users install applications from marketplace but only the ones which have been assessed and put in whitelist by you.
Chapter # 4
G Suite Marketplace App Management
Manage G Suite Marketplace Application Whitelist
You will not have any applications in the whitelist when you start, so ideally, you should first assess the security of the given marketplace app, and then put it in your whitelist.
Add an application to G Suite marketplace whitelist :
To add any application to your G Suite marketplace whitelist, login to your Google admin console –> go to Apps –> Manage marketplace apps –> click on “Manage Whitelist” as shown in the screenshot below.
Here you would see the list of applications already whitelisted, along with an option to add more apps.
Click on “Add the app to the whitelist” as shown below.
You can search the application here by typing its name, for example, I searched for Classright (an application I developed to automate Google Classroom management).
You should now click on “Add to the Whitelist” button to add this app to your whitelisted marketplace apps as shown in the screenshot below.
You should now see the newly added application in the list of your whitelisted applications.
Now your users would only be able to install the apps you whitelisted, they will see an error if they try to install any other application other than whitelisted ones.
Remove an application from G Suite marketplace whitelist :
You can easily remove application/s in such cases right from your G Suite Admin console as follows-:
Login to G Suite Admin Console –> Go to Apps –> G Suite Marketplace apps card would show you number of whitelisted apps –> Click on it.
If you need to remove only one application, simply hover on it, and you would see “Remove from the whitelist” button on right.
Click on it to remove the application from whitelist (as shown below).
However, if you need to remove multiple apps from the whitelist at once, then use the checkbox option to select the apps you want to remove, then click on “Remove selected apps” as shown below.
G Suite Marketplace Application Installation
G Suite marketplace applications can be installed by your G Suite users by directly going to marketplace (assuming you have allowed them to install).
However, as a G Suite Administrator, you can also push marketplace apps to your G Suite users, this might be helpful to proactively install applications which are used by your organization, for e.g CRM application for sales people.
Install G Suite Applications as G Suite Administrator
To install application from G Suite marketplace as an Admin, login to your G Suite Admin Console –> Go to Apps –> Click on services from G Suite marketplace apps card as shown in the screenshot below.
You may also directly go to G Suite Marketplace.
You would now see an option to ‘Add app to domain install list’, click on it to open G Suite marketplace.
You would see that applications have been categorized in the marketplace which would help you easily find the top rated, most popular and recommended for G Suite apps.
If you know the name of the application, you can also use search bar to search for it. In my case, I will install the application I developed called “Ok Goldy” which helps bulk perform G Suite operations.
Once you find the application you are looking for, click on its thumbnail.
Now you would see this application in expanded form which includes total number of users using it, app reviews, overview, and also an option to install it either as an individual (only for you) or for your domain (for multiple users in your G Suite tenant).
To click for your domain, click on ‘Domain Install’.
Google will now show you information about the installation process, click on Continue.
This screen is very important for your to pay attention as it would show you a few things:
1. API Scopes which this application is requesting (You can click on the exclamation icons to see more information about the requested scopes).
2. You can install this application either for your G Suite tenant (e.g for all users) or for a selective Organizational Unit (e.g subset of users).
Once you are satisfied, and ready to grant this application required permission, click on Allow as shown in the screenshot below.
Your selected application would be installed within a few seconds, and you would see the confirmation message, click on next.
You would also see some additional details about further setup that might be required by this application.
You may click to complete additional setup link, or click on ‘Done’.
Now, your users would see the application installed (e.g application I installed in this demo is for Google Sheet, so I can see the app in sheet add-ons, similarly if the app you install is for Gmail, you would see it under Gmail sidebar).
Chapter # 5
Post Installation best practices
Post Installation best practices
Once you install applications from G Suite marketplace as a G Suite Admin, you should still follow some security best practices.
To post manage G Suite marketplace apps, login to your G Suite Admin console –> Go to Apps –> Click on services from the marketplace card.
Here you would see the installed applications, click on the application you want to manage as shown in the screenshot below.
You would see some important information about the application here which would help you manage it.
1. You would see the scope of this application (e.g whether this app has been installed for all users in your G Suite tenant, or for a specific organization unit (e.g subset of users).
2. You would see which OAuth scopes have been granted to this application.
3. You would also see an option to ‘Revoke Access’, which once done revoke this application’s access to your G Suite users’ data.
4. In case you need to delete this application, you can also do that from this screen as shown below.
Chapter # 6
G Suite Marketplace FAQs
Most frequent questions and answers about G Suite Marketplace
Though It is recommended to leverage G Suite marketplace for adding functionality to G Suite, however there might be cases where you would need to give access to an application not available in G Suite marketplace.
In such cases, you can take the client id from the app developer along with OAuth scopes that this would need to access, then follow this to provide access to this app-:
- Login to G Suite Admin login.
- Go to Security –> API controls.
- Click on ‘Manage domain wide delegation’.
- Click New
- Add the Client Id and OAuth scopes.
Google does not charge you anything to install apps from the marketplace, however you should check with the application developer if they would charge you to use their application.
Most of the basic applications are available for free.
Some applications are offered as add-on to your existing application subscription, for e.g if you salesforce subscription outside of G Suite marketplace, then you would be able to use Salesforce app from marketplace.
Finally, some applications are built just for the G Suite marketplace, where you would have payment relationship directly with the developer.
For e.g email marketing applications available in marketplace with freemium pricing model.
No. G Suite marketplace does not list the chatbots which you can install in Google Chat.
You should rather go to https://chat.google.com/u/0/botcatalog/summary to see all chatbots available in Google’s catalogue.