AN ADMIN GUIDE TO G SUITE MARKETPLACE
- Google Workspace marketplace offers thousands of applications which can enhance your Google Workspace users’ experience and make them even more productive.
- However, it also puts you (the Google Workspace admin) at risk of shadow IT if your Google Workspace users start installing these Marketplace apps by themselves.
- I invested some time learning about security-oriented best practices for Google Workspace Marketplace. Let me share everything I learnt, and hopefully it will help you administer Google Workspace.
Chapter # 1
Google Workspace Marketplace Overview
What is Google Workspace Marketplace & Why should you care?
You signed up for Google Workspace because you love apps like Gmail, Google Drive, Chat, Meet, etc., as they help you collaborate seamlessly, but I think there is one more reason that you had in mind when you signed up.
And that is the ease of accessing these tools from anywhere, and from any device.
So with Google Workspace, you have taken care of messaging and collaboration, but what about the other applications that help you run your business, such as:
- CRM to manage your customer relationships.
- Accounting apps to help you manage your finances.
- Email marketing apps to help you reach out to your existing and prospective customers.
Ideally, these applications should be as readily available as Google Workspace, and better still if they integrate with Google Workspace apps to help you become more productive.
That’s where Google Workspace Marketplace comes into the picture.
So What is Google Workspace Marketplace?
Google Workspace Marketplace is an online catalogue where Google Workspace customers can find applications for their business needs. These third party applications are designed to work seamlessly and securely with Google Workspace.
As a Google Workspace customer, you get the following benefits from this marketplace:
1. Increased Productivity: Your users would be more productive, as Google Workspace Marketplace applications are designed to work seamlessly with Google Workspace.
For example, your users do not need to remember another set of credentials for that CRM application, as they can log in to it with their Google Workspace credentials (SSO).
2. Complete Business Operating System: You would be able to run your business online with Google Workspace Marketplace applications, as most of them are cloud based, e.g. Salesforce for CRM, Xero for accounting, Mailchimp for email marketing.
3. Seamless Data Access: You would be able to access your Google Workspace data from within these applications and vice versa, which would help you save time.
For example, if you use canva.com to create your marketing assets, you would be able to access your company assets in Google Drive right from Canva.
4. Data Security: As a Google Workspace app developer myself, I can tell you that these marketplace applications need to go through Google’s well-defined review process before they appear in the marketplace; this review process ensures that developers follow security standards.
Chapter # 2
Marketplace Apps - Secure Adoption
Assess Security of Google Workspace Marketplace Applications
Google Workspace Marketplace applications enhance your users’ experience and help them get more done; however, as a Google Workspace administrator you should first assess the security of these third-party applications before letting your users install them.
The security of Google Workspace Marketplace applications should be treated as a “shared responsibility model”, where both Google and you take care of part of the security assessment.
After publishing a few applications in Google Workspace Marketplace, the following is my understanding of which security measures are taken by Google, and what should be your responsibility.
What’s covered by Google?
(i) To ensure the developer has accepted Google’s terms of service.
(ii) To ensure the developer has registered their application with Google.
(iii) To ensure the developer has clearly listed the API scopes that their application would be accessing, along with a justification for the usage of each of the API scopes.
Note: Based on my experience going through the OAuth review process multiple times, Google only grants OAuth scopes which are really required by your application to provide its functionality.
For example, Google initially rejected my application ‘Labels Manager for Gmail’ because I applied for mail.google.com as the OAuth scope, which was very broad.
I was advised to use https://www.googleapis.com/auth/gmail.labels, which is good enough to provide Gmail labels management functionality.
My application was approved once I narrowed the API scope to the least required.
(iv) To ensure the developer has clearly defined the OAuth consent.
(v) To ensure the developer has provided support channel details.
Google does its part by ensuring that developers have followed the above best practices; however, Google does NOT control the relationship between you and the app developer.
For example, during application installation, Google makes sure that the application asks for OAuth consent, showing which API scopes and data the app will be able to access; however, it is your responsibility to decide whether or not to grant that consent.
I recommend that you evaluate the security of each application you either install or add to your company-approved apps list.
You can do this with the following checks (please treat them as reference points only, and use your company’s security policies for such an evaluation).
What should be assessed by you?
(i) Understand which API scopes and data this Google Workspace Marketplace application would access, and whether these scopes are really required to provide the functionality you want.
(iii) Pay attention to the application’s reviews, and read the comments left by other users of this application in Google Workspace Marketplace.
(iv) If you are in a regulated industry and have compliance requirements to meet (e.g. HIPAA, FINRA), check whether the Marketplace application can help you stay compliant (e.g. whether the developer can sign a BAA for HIPAA compliance).
(v) Reach out to the application developer via the provided support channel if you have additional questions.
(vi) Only install the application for the required scope (e.g. if a CRM application is only used by your sales team, do not install it for all users; install it just for the sales organizational unit. I cover this in detail in the installation best practices).
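
The scope check in item (i) can be written down as a repeatable review step. The following is an added example, not code from the author or from Google: the `BROAD_SCOPES` table and the function names are assumptions made for illustration, and the sample input reuses the Gmail labels case described above.

```python
# Added example. The table below is a constructed review aid, not a Google rating.
# Broad scopes mapped to narrower scopes that may cover the needed feature.
BROAD_SCOPES = {
    "https://mail.google.com/": [
        "https://www.googleapis.com/auth/gmail.labels",
        "https://www.googleapis.com/auth/gmail.readonly",
    ],
    "https://www.googleapis.com/auth/drive": [
        "https://www.googleapis.com/auth/drive.file",
        "https://www.googleapis.com/auth/drive.readonly",
    ],
}


def normalize(scope):
    """Accept 'mail.google.com' or a full URL; return the canonical scope URL."""
    s = scope.strip()
    if not s.startswith("https://"):
        s = "https://" + s
    if s.count("/") == 2:  # bare host, e.g. https://mail.google.com
        s += "/"
    return s


def review_scopes(requested, justified):
    """Compare the scopes an app requests with those the reviewer accepts.

    requested: scopes listed on the app's install / OAuth consent screen.
    justified: scopes the reviewer agrees the needed features require.
    Returns (verdict, findings); each finding is (kind, scope, alternatives).
    """
    accepted = {normalize(s) for s in justified}
    findings = []
    for scope in sorted({normalize(s) for s in requested}):
        if scope in BROAD_SCOPES:
            # Broad scopes are always escalated, even if someone listed them.
            findings.append(("broad", scope, BROAD_SCOPES[scope]))
        elif scope not in accepted:
            findings.append(("unjustified", scope, []))
    return ("approve" if not findings else "needs-review"), findings


if __name__ == "__main__":
    # The Gmail labels case described earlier on this page.
    print(review_scopes(["mail.google.com"],
                        ["https://www.googleapis.com/auth/gmail.labels"]))
```

A "needs-review" verdict is a prompt to ask the developer, through the support channel, why the broader scope is needed before the app goes on the approved list.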
Chapter # 3
Google Workspace Marketplace Settings
Google Workspace Marketplace (Security Oriented) Settings
Google Workspace Marketplace has thousands of applications which can help your users be more productive; however, it also increases the risk of ‘shadow IT’.
Although it depends on your company policy, ideally you should not allow your users to install applications from Google Workspace Marketplace at will, because users might not pay much attention to things like the OAuth scopes they grant.
Instead, create a list of company-approved Marketplace apps, and only add apps to it after you have assessed their security.
Now, let me show you the Marketplace settings offered by Google, and how to configure these settings in a security-oriented way.
Log in to your Google Workspace Admin Console and click on “Apps” as shown below.
Here you would see the different applications and services provided by Google Workspace; click on “Manage” under Google Workspace Marketplace apps as shown in the screenshot below.
You would now see the options that define how, and which, Marketplace applications can be installed by your Google Workspace users.
Let us cover these options in detail:
1. Allow Users to install any application from Google Workspace Marketplace: As the title makes clear, if you select this option, your Google Workspace users would be able to install any application available in Google Workspace Marketplace. I would recommend not choosing this option, as letting users install applications you have not yet assessed exposes you to some risk.
2. Do not allow users to install any application from Google Workspace Marketplace: If you select this option, your Google Workspace users will not be able to install any application from Google Workspace Marketplace. This is not the recommended option either, as it prevents your users from taking advantage of Google Workspace Marketplace and getting more done with the applications of their choice.
3. Allow Users to Install only Whitelisted applications from Google Workspace Marketplace: In most cases, you should go with this option, as it lets your Google Workspace users install applications from the Marketplace, but only the ones which you have assessed and put in the whitelist.
Chapter # 4
Google Workspace Marketplace App Management
Manage Google Workspace Marketplace Application Whitelist
You will not have any applications in the whitelist when you start, so ideally you should first assess the security of a given Marketplace app, and then put it in your whitelist.
Add an application to Google Workspace marketplace whitelist:
To add an application to your Google Workspace Marketplace whitelist, log in to your Google Admin console –> go to Apps –> Manage marketplace apps –> click on “Manage Whitelist” as shown in the screenshot below.
Here you would see the list of applications already whitelisted, along with an option to add more apps.
Click on “Add the app to the whitelist” as shown below.
You can search for the application here by typing its name; for example, I searched for Classright (an application I developed to automate Google Classroom management).
You should now click on “Add to the Whitelist” button to add this app to your whitelisted marketplace apps as shown in the screenshot below.
You should now see the newly added application in the list of your whitelisted applications.
Now your users would only be able to install the apps you whitelisted; they will see an error if they try to install any application other than the whitelisted ones.
Remove an application from Google Workspace marketplace whitelist:
You can easily remove one or more applications in such cases right from your Google Workspace Admin console as follows:
Log in to the Google Workspace Admin Console –> Go to Apps –> The Google Workspace Marketplace apps card would show you the number of whitelisted apps –> Click on it.
If you need to remove only one application, simply hover over it, and you would see a “Remove from the whitelist” button on the right.
Click on it to remove the application from the whitelist (as shown below).
However, if you need to remove multiple apps from the whitelist at once, use the checkboxes to select the apps you want to remove, then click on “Remove selected apps” as shown below.
Google Workspace Marketplace Application Installation
Google Workspace Marketplace applications can be installed by your Google Workspace users by going directly to the Marketplace (assuming you have allowed them to install).
However, as a Google Workspace administrator, you can also push Marketplace apps to your Google Workspace users. This might be helpful to proactively install applications which are used by your organization, e.g. a CRM application for sales people.
Install Google Workspace Applications as Google Workspace Administrator
To install an application from Google Workspace Marketplace as an admin, log in to your Google Workspace Admin Console –> Go to Apps –> Click on services from the Google Workspace Marketplace apps card as shown in the screenshot below.
You may also directly go to Google Workspace Marketplace.
You would now see an option to ‘Add app to domain install list’, click on it to open Google Workspace marketplace.
You would see that applications have been categorized in the marketplace which would help you easily find the top rated, most popular and recommended for Google Workspace apps.
If you know the name of the application, you can also use the search bar to search for it. In my case, I will install the application I developed called “Ok Goldy”, which helps bulk perform Google Workspace operations.
Once you find the application you are looking for, click on its thumbnail.
Now you would see this application in expanded form which includes total number of users using it, app reviews, overview, and also an option to install it either as an individual (only for you) or for your domain (for multiple users in your Google Workspace tenant).
To install for your domain, click on ‘Domain Install’.
Google will now show you information about the installation process; click on Continue.
Pay close attention to this screen, as it shows you a few things:
1. API Scopes which this application is requesting (You can click on the exclamation icons to see more information about the requested scopes).
2. You can install this application either for your Google Workspace tenant (e.g for all users) or for a selective Organizational Unit (e.g subset of users).
Once you are satisfied, and ready to grant this application required permission, click on Allow as shown in the screenshot below.
Your selected application would be installed within a few seconds, and you would see the confirmation message; click on Next.
You would also see some additional details about further setup that might be required by this application.
You may click the link to complete the additional setup, or click on ‘Done’.
Now, your users would see the application installed (e.g. the application I installed in this demo is for Google Sheets, so I can see the app in the Sheets add-ons; similarly, if the app you install is for Gmail, you would see it in the Gmail sidebar).
Chapter # 5
Post Installation best practices
Post Installation best practices
Once you install applications from Google Workspace marketplace as a Google Workspace Admin, you should still follow some security best practices.
To manage Google Workspace Marketplace apps after installation, log in to your Google Workspace Admin console –> Go to Apps –> Click on services from the marketplace card.
Here you would see the installed applications; click on the application you want to manage as shown in the screenshot below.
You would see some important information about the application here which would help you manage it.
1. You would see the scope of this application (e.g. whether this app has been installed for all users in your Google Workspace tenant, or for a specific organizational unit, i.e. a subset of users).
2. You would see which OAuth scopes have been granted to this application.
3. You would also see an option to ‘Revoke Access’, which, once used, revokes this application’s access to your Google Workspace users’ data.
4. In case you need to delete this application, you can also do that from this screen as shown below.
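
The same review can be repeated across all users after installation by exporting per-user OAuth grants (the Admin SDK Directory API `tokens.list` call returns them) and comparing them with your approved list. The following is an added example, not code from the author or from Google: the token records are constructed sample data in the shape of that API's items, and `APPROVED` and `audit_tokens` are hypothetical names.

```python
from collections import defaultdict

# Constructed sample shaped like Directory API tokens.list items (fields
# clientId, displayText, userKey, scopes). All values are made up; real
# responses carry the user's unique ID in userKey, emails are used for clarity.
SAMPLE_TOKENS = [
    {"clientId": "1111.apps.example", "displayText": "Approved CRM",
     "userKey": "alice@example.com",
     "scopes": ["https://www.googleapis.com/auth/gmail.labels"]},
    {"clientId": "1111.apps.example", "displayText": "Approved CRM",
     "userKey": "bob@example.com",
     "scopes": ["https://www.googleapis.com/auth/gmail.labels",
                "https://mail.google.com/"]},
    {"clientId": "9999.apps.example", "displayText": "Unknown PDF Tool",
     "userKey": "bob@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]

# Hypothetical record of what the admin approved: client ID -> allowed scopes.
APPROVED = {"1111.apps.example": {"https://www.googleapis.com/auth/gmail.labels"}}


def audit_tokens(tokens, approved):
    """Group grants by app; report unapproved apps and scopes beyond approval."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "scopes": set()})
    for tok in tokens:
        app = apps[tok["clientId"]]
        app["name"] = tok.get("displayText", "")
        app["users"].add(tok["userKey"])
        app["scopes"].update(tok.get("scopes", []))
    report = []
    for client_id, app in sorted(apps.items()):
        if client_id not in approved:
            status, extra = "unapproved", sorted(app["scopes"])
        else:
            extra = sorted(app["scopes"] - approved[client_id])
            status = "scope-drift" if extra else "ok"
        report.append({"clientId": client_id, "name": app["name"],
                       "status": status, "users": sorted(app["users"]),
                       "extra_scopes": extra})
    return report


if __name__ == "__main__":
    for row in audit_tokens(SAMPLE_TOKENS, APPROVED):
        print(row["status"], row["name"], row["users"], row["extra_scopes"])
```

Rows marked "unapproved" or "scope-drift" are the candidates for the ‘Revoke Access’ option described above.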
Chapter # 6
Google Workspace Marketplace FAQs
Most frequent questions and answers about Google Workspace Marketplace
Although it is recommended to use Google Workspace Marketplace for adding functionality to Google Workspace, there might be cases where you need to give access to an application that is not available in the Marketplace.
In such cases, you can take the client ID from the app developer, along with the OAuth scopes that the app would need to access, then follow these steps to provide access to this app:
- Log in to the Google Workspace Admin console.
- Go to Security –> API controls.
- Click on ‘Manage domain wide delegation’.
- Click New.
- Add the Client Id and OAuth scopes.
Google does not charge you anything to install apps from the Marketplace; however, you should check with the application developer whether they would charge you to use their application.
Most of the basic applications are available for free.
Some applications are offered as an add-on to your existing application subscription, e.g. if you have a Salesforce subscription outside of Google Workspace Marketplace, then you would be able to use the Salesforce app from the Marketplace.
Finally, some applications are built just for the Google Workspace Marketplace, where you would have a payment relationship directly with the developer.
For example, email marketing applications available in the Marketplace with a freemium pricing model.
No. Google Workspace Marketplace does not list the chatbots which you can install in Google Chat.
Instead, go to https://chat.google.com/u/0/botcatalog/summary to see all chatbots available in Google’s catalogue.