In order to set up your Google Admin Console(GAC) Integration, FMX will need the following items:

  • API access key password
  • GAC Customer ID

  • GAC Account email address
  • GService account email address
  • P12 file

Please follow the instructions below and provide the GAC Customer ID, GAC Account email address, and GService account email address using the secure messages feature in FMX. The P12 file can be emailed to your FMX Customer Success Manager or Account Manager.

Overview:

  1. Create a project for FMX (console.cloud.google.com)
  2. Enable Google Workspace (console.cloud.google.com)
  3. Configure google cloud project and app (console.cloud.google.com)
  4. Create access credentials (console.cloud.google.com)
  5. Get customer ID (admin.google.com)
  6. Create admin roles/privileges (admin.google.com)
  7. Create user account (admin.google.com)
  8. Give the new FMX user admin role/privileges
  9. Create service account (console.cloud.google.com)
  10. Add authorization scopes (admin.google.com)
  11. Get P12 file (console.cloud.google.com)

Follow the steps listed below for each:

1. Create a Google Cloud Project

  1. In console.cloud.google.com
  2. Navigation Menu > More Products > IAM & Admin > Create a Project
    1. Set Project name to FMX-GOOGLE
    2. Create

 

2. Enable Google Workspace

  1. In console.cloud.google.com
  2. Navigation Menu > APIs & Services > Library
    1. Search for Admin SDK API
    2. Click into the Admin SDK API and Enable

3. Configure Google Cloud Project

  1. In console.cloud.google.com
  2. Navigation Menu > APIs & Services > OAuth consent screen
    1. User Type
    2. Choose Internal
    3. Create

App Information

  1. App name: FMX
  2. User support email: **use the email in the drop down
  3. Scroll down to the very bottom of the page to Developer contact information
    1. Email address: dev-team@gofmx.com
    2. Save and continue

Scopes

    1. Click on the ADD OR REMOVE SCOPES button
    2. Search for Admin SDK API
      1. Check the box next to the two following scopes
        1. …/auth/admin.directory.device.chromeos.readonly
        2. .../auth/admin.directory.user.readonly
      2. Save and continue

Summary

  1. Review and confirm the two scopes added are listed under Scopes

 

4. Create Access Credentials 

  1. In console.cloud.google.com
  2. Navigation Menu > APIs & Services > Credentials
    1. Click on Create Credentials and choose OAuth Client ID from the list
      1. Application Type: Web Application
      2. Name: FMX Integration
      3. Create

5. Get the Customer ID

  • In Google Admin Console (admin.google.com)
    1. In the navigation panel, Select Account
    2. Select Account Settings
    3. See the Profile section for the Customer ID

customeridGAC.png

 

6. Create custom admin role/privileges

  1.  In Google Admin Console (admin.goolge.com)
  2. In the left navigation menu, go to Account, then Admin Roles
    1. Create new role
    2.  Name the custom role “FMX API Admin” and description “Give FMX API Access”
    3. Find the following privileges and check the Read box:
      1. Organizational Units
      2.  Users
      3. Manage Chrome OS devices
  3. Continue, and Create Role

 

7. Create a user account for FMX

*This step needs to be completed before creating the Gservice account

  1. In the navigation panel, select Directory, then Users
    1. Add new user
    2. Make the users' first name: FMX and the last name: User
    3. Copy the full email address and send to the FMX team, and you will also need it for the next step.*We do not need the password for this user’s email

GACuseremail.png

 

 

8. Give the new FMX user admin role/privileges

  1. In the fmx user profile, find the Admin roles and privileges section
  2. Click either Assign Roles or anywhere in that section
  3. Find the FMX API Admin role and switch it from unassigned to assigned.

 

9. Create a Gservice account email

  1. Go to console.cloud.google.com
  2. In the navigation panel, open Service Accounts, then +Create Service Account and follow these steps

gservice_1.png

 

Service Account details

  1. Put in FMX for the service account name
  2. Copy the full gservice account email address to provide to the FMX team
  3. Click Create and Continue

273b1622-95c4-4f0e-8a07-f840405ac56c.png

Grant this service account access to project

  1. Leave the role blank

36d677b3-0456-4575-9888-67d12f287021.png

Grant users access to this service account

  1. In the service account users role input box, add the FMX user that was created earlier
  2. Click Done

385e2e3e-3c7e-4c20-aeab-645d06a80874.png

 


10. Add authorization scopes

In console.cloud.google.com, under IAM & Admin, go to Service Accounts

1. Find the email associated with FMX, and to the far right under OAuth 2 Client ID, copy the client ID

2. In Google Admin Console (admin.google.com)

3. in the left navigation panel, go to Security > Access and data control > API Controls

4. In the Domain Wide Delegation section

5. Click into Manage Domain Wide Delegation

6. Add new 

7. Paste the client ID from the gservice account into the client ID field

8. Add the following OAuth scopes (each scope should be on its own line)

View details to ensure all four were added correctly

 

  1.  

11. Create a P12 file

In console.cloud.google.com, go to Navigation Menu > IAM & Services > Service Accounts, click on the email of the new FMX Gservice account

 

cc53c456-ac03-4998-87eb-9540baaa297d.png

  1. Go to the Keys tab
  2. Add Key and choose Create new key
  3. Choose P12 in the pop-up window, and Create
  4. A .p12 file should be automatically downloaded (check your downloads)
  5. Save this file and provide it to the FMX team

b11eee4c-d181-47c2-9fd7-c4f3e018f759.png

 

 

 

 

Was this article helpful?

  • 2 out of 2 found this helpful