A comprehensive guide to setting up and using the Google Admin Console integration to sync users and/or devices with FMX.

How the Integration Works

The FMX Google Admin Console integration connects your Google users and devices along with Google-mapped fields to your FMX site. This integration creates, updates, and deletes users and devices according to the information provided from Google on a scheduled basis.

Authentication

Google allows administrators to create application-specific OAuth Client Credential keys to securely sync users and devices. This guide will walk you through the setup process.

User Sync

Users will be created, updated, deleted, and restored according to their status, Organizational Unit (OU), and group association in Google. Building access is also granted and removed as configured based upon OU and/or group membership.

Device Sync

Devices will be created, updated, retired, and restored according to their status and OU membership in Google.

Device Directional Syncing

This integration supports directional syncing for two fields:

FMX | Google
Equipment - Assignment | Device - Annotated User
Equipment - Type and Building | Organizational Unit (OU)

For the FMX Equipment Assigned User to/from Google Device Annotated User, the following sync directions are supported:

- None - Do not sync FMX Equipment Assignment and Device Annotated User
- From FMX to Google - Update Google Device Annotated User with information from FMX Equipment Assignment
- From Google to FMX - Update FMX Equipment Assignment with Google Device Annotated User information. The email address in Google must match a user in FMX.

For the FMX Equipment Type and Building to/from Google Organizational Unit (OU), the following sync directions are supported:

- None - Only the initial Equipment Type and Building are set upon creation based on OU and changed with subsequent syncs.
- From FMX to Google - Update Google Organizational Unit (OU) based on FMX Equipment Type and Building mappings
- From Google to FMX - Update FMX Equipment Type and Building based on Google Organizational Unit (OU) mappings
- Bidirectional - Update either Equipment Type and Building or Google Organizational Unit (OU) based on record modification dates

Setup Guide for Administrators

This section provides step-by-step instructions for configuring the integration for the first time.

Prerequisite

Before starting the configuration wizard, you must complete the following setup steps in both FMX and Google.

Configure FMX

- Create a dedicated User Type: Configure a new user type with the required permissions. For more information, see How to Customize User Access. The permissions needed are:
  - Building & Resource Access:
    - Read: Any
  - User & Contact Access:
    - Administer: Checked
    - Read users: Checked
    - Read contacts: Checked
    - Delete: Checked
  - Equipment Access:
    - Create: Checked
    - Read: Any
    - Update: Any
    - Retire: Any
    - Delete: Any
    - Permitted equipment types: All
    - View audit log: Any
- Create a dedicated User: Create a new user and assign it to the user type you just configured. For more information, see Adding and Editing Users & Contacts.
  - Assign an identifiable name (e.g., “Google Integration”).
  - Use an email address where you want to receive notifications (e.g., “email+google@domain.com”).
  - Securely document this user’s password for use in the configuration steps.
- Create required Custom Fields:
  - Required: Create two custom fields, each called "Google Id", for users and equipment. These will be used to map synced users and equipment in FMX to Google users and devices.
    Important: The ID Fields must be unique and not used by any other integration or for any other purposes. Reusing any ID field across different integrations will cause users or equipment to be deleted or duplicated.
  - Optional: If you plan to map other user details from Google, create these as Custom Fields for Users and Equipment now.
Google User fields: User ID, Email, First Name, Last Name, Full Name, Phone, Title, Department, Cost Center, Organization, Location, Employee ID, Address, Building ID, Floor, Manager Email, OU Path, Account Created

Google ChromeOS Device fields: Device ID, Serial Number, Asset ID, Annotated User, Annotated Location, Model, OS Version, Platform Version, Firmware Version, MAC Address, Ethernet MAC Address, Last Sync, Support End Date, Notes, OU Path, Status, Last Enrollment Time, First Enrollment Time, Boot Mode, Manufacture Date, Auto Update Expiry, Total RAM, Order Number, ChromeOS Type

It is recommended to assign mapped Custom Fields across all synced FMX User Types or Equipment Types and to allow the dedicated sync user to modify them. If you decide to limit fields to a specific type, use the broadest type possible (e.g. "Technology" instead of "Technology > Chromebook"). For more information, see Form Builder: How to create custom fields.

Google Cloud Project

Before you begin

Ensure your account is a super administrator for your Google Workspace.

1. Create a Google Cloud project

- Navigate to https://console.cloud.google.com/projectcreate
- Name: FMX Integration
- If listed, set Organization and Location to your domain
- Click Create
- Once created, be sure to switch to your new project.

2. Configure App Consent

- Navigate to API & Services > OAuth consent screen (https://console.cloud.google.com/auth/overview)
- Click Get started
- App Information: FMX Integration
- User support email: Select any email in the list
- Click Next
- Select Internal
- Click Next
- Email address: Type your email address
- Click Next
- Check I agree
- Click Continue
- Click Create

3. Enable API

- Navigate to API & Services > Library (https://console.cloud.google.com/apis/library)
- Be sure your project is still selected.
- Search for Admin SDK API
- Click it and then click Enable

4. Create Service Account

- Navigate to IAM & Admin > Service Accounts then click Create Service Account (https://console.cloud.google.com/iam-admin/serviceaccounts/create)
- Service account name: FMX Integration
- Click Create and continue
- Click Done

5. Create Keys for Service Account

By default, Google enables a policy that must be adjusted to allow for the creation of Service Account Keys. If you receive an error stating "An Organization Policy that blocks service accounts key creation has been enforced on your organization.", jump down to Troubleshooting: Allowing Service Account Key Creation and come back to this step once finished.

- Click the newly created service account (https://console.cloud.google.com/iam-admin/serviceaccounts)
- Click the Keys tab
- Click Add key > Create new key
- Select JSON and click Create
- Download the JSON key and store it securely.

You can now copy and paste the contents into the configuration wizard and provide an admin email address for the FMX integration.

Allow domain-wide delegation

- Copy the OAuth 2 Client ID listed by the newly created service account (https://console.cloud.google.com/iam-admin/serviceaccounts)
- Navigate to your Google Admin portal and go to Security > Access and data control > API controls (https://admin.google.com/ac/owl)
- Click Manage Domain Wide Delegation
- Click Add new
- Client ID: Paste the copied ID from your service account
- OAuth scopes - combine the following as desired:

Required - These are the base scopes required to use the sync. You may need to enable additional scopes if you plan on using additional features as detailed below.
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,
https://www.googleapis.com/auth/admin.directory.userschema.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,

Optional - If you plan on allowing FMX to deprovision Chrome OS devices, append the following scope:

https://www.googleapis.com/auth/admin.directory.device.chromeos,

Optional - If you plan to use the Bidirectional or FMX as the Source of Truth as detailed earlier, append the following scopes if you haven't already:

https://www.googleapis.com/auth/admin.directory.device.chromeos,
https://www.googleapis.com/auth/admin.reports.audit.readonly,

Troubleshooting

Allowing Service Account Key Creation

Follow these steps if you receive an error "An Organization Policy that blocks service accounts key creation has been enforced on your organization."

Step 1: Add yourself as Organization Policy Administrator

- Navigate to the Manage Resources option from within your project (https://console.cloud.google.com/cloud-resource-manager)
- Select the top level domain entry that your project is a child of
- Click Add Principal
- New principals: Use your email address
- Role: Organization Policy Administrator
- Click Save

Step 2: Disable the key creation policy

- Navigate to IAM & Admin > Organization Policies and search for "Disable service account key creation" (Link to Filtered Organization Policies)
- You will see two policies - the legacy policy is typically the one enforced by default
- Click the enforced policy
- Click Manage Policy
- Change to Override parent's policy
- Click Add a rule and select Off
- Click Set Policy
- Repeat for the other policy if it is also enforced

Step 3: Continue Previous Instructions and Revert Policy Changes

You will need to sign out and back in for changes to take effect.
You should now be able to generate the keys for your service account from Create Keys for Service Account. After you have completed setting up this integration, it is recommended to change your Google org policies back for security purposes.

Configuration Wizard

With your FMX user account and Google Service Account keys, you can now begin the configuration wizard process, which will walk you through the configuration steps.
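For the "Download the JSON key and store it securely" step, the following added example (not FMX's or Google's own code) checks a downloaded key file before its contents go into the wizard: it flags file modes that let other local accounts read the key and returns only the non-secret identifiers, including the client ID used for domain-wide delegation. The function names, the file name and the sample values are assumptions, and the mode check assumes a POSIX filesystem.

```python
import json
import os
import stat
import tempfile

# Fields a Google service account JSON key file carries.
EXPECTED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id")


def audit_key_file(path):
    """Return (summary, findings) for a downloaded service account key.

    The summary holds identifiers only; the private key is never returned.
    """
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} exposes the key to group/other; use 0600")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    missing = [name for name in EXPECTED_FIELDS if not key.get(name)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        findings.append(f"type is {key.get('type')!r}, expected 'service_account'")
    summary = {name: key.get(name)
               for name in ("client_email", "client_id", "private_key_id")}
    return summary, findings


def demo():
    """Audit a constructed key file before and after tightening its mode."""
    sample = {  # constructed placeholder values, not a real credential
        "type": "service_account",
        "project_id": "fmx-integration-example",
        "private_key_id": "0000000000000000000000000000000000000000",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "client_email": "fmx-integration@fmx-integration-example.iam.gserviceaccount.com",
        "client_id": "100000000000000000000",
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "fmx-key.json")  # hypothetical file name
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # world-readable, as a download often lands
        loose = audit_key_file(path)
        os.chmod(path, 0o600)  # owner read/write only
        tight = audit_key_file(path)
    return loose, tight
```

The `private_key_id` in the summary identifies which key to delete from the service account's Keys tab if the file is ever exposed.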
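For the "Allow domain-wide delegation" step, this added example (not part of the FMX guide or product) compares the scope string pasted into the delegation entry with the scope sets listed above, so a grant that carries the ChromeOS write scope or the audit scope without the matching feature is caught. The function and parameter names are assumptions; the scope URLs are the ones on this page.

```python
import re

BASE = "https://www.googleapis.com/auth/"
# Scope sets exactly as listed in this guide.
REQUIRED = {BASE + s for s in (
    "admin.directory.orgunit.readonly",
    "admin.directory.user.readonly",
    "admin.directory.group.readonly",
    "admin.directory.device.mobile.readonly",
    "admin.directory.userschema.readonly",
    "admin.directory.device.chromeos.readonly",
)}
DEPROVISION = {BASE + "admin.directory.device.chromeos"}
WRITES_TO_GOOGLE = {BASE + "admin.directory.device.chromeos",
                    BASE + "admin.reports.audit.readonly"}


def parse_scopes(text):
    """Split a pasted scope string on commas/whitespace, ignoring trailing commas."""
    return {s for s in re.split(r"[,\s]+", text) if s}


def expected_scopes(deprovision=False, writes_to_google=False):
    """Scopes this guide calls for, given the optional features in use."""
    scopes = set(REQUIRED)
    if deprovision:
        scopes |= DEPROVISION
    if writes_to_google:  # Bidirectional, or FMX as the source of truth
        scopes |= WRITES_TO_GOOGLE
    return scopes


def audit_delegation(granted_text, deprovision=False, writes_to_google=False):
    """Compare a delegation entry with what the enabled features need."""
    granted = parse_scopes(granted_text)
    expected = expected_scopes(deprovision, writes_to_google)
    return {"missing": sorted(expected - granted),
            "excess": sorted(granted - expected)}


# Constructed input: the required scopes plus the ChromeOS write scope,
# pasted with a trailing comma.
PASTED = ",\n".join(sorted(REQUIRED | DEPROVISION)) + ","
```

An entry under `excess` is a scope to remove from the delegation; an entry under `missing` means the enabled feature will fail until the scope is added.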