A comprehensive guide to setting up and using the Google Admin Console integration to sync users and/or devices with FMX.

How the Integration Works

The FMX Google Admin Console integration connects your Google users and devices along with Google-mapped fields to your FMX site. This integration creates, updates, and deletes users and devices according to the information provided from Google on a scheduled basis.

Authentication

Google allows administrators to create application-specific OAuth Client Credential keys to securely sync users and devices. This guide will walk you through the setup process.

User Sync

Users will be created, updated, deleted, and restored according to their status, Organizational Unit (OU), and group association in Google. Building access is also granted and removed as configured based upon OU and/or group membership.

Device Sync

Devices will be created, updated, retired, and restored according to their status and OU membership in Google.

Device Directional Syncing

This integration supports directional syncing for two fields:

FMX | Google
Equipment - Assignment | Device - Annotated User
Equipment - Type and Building | Organizational Unit (OU)

For the FMX Equipment Assigned User to/from Google Device Annotated User, the following sync directions are supported:

  • None - Do not sync FMX Equipment Assignment and Device Annotated User
  • From FMX to Google - Update Google Device Annotated User with information from FMX Equipment Assignment
  • From Google to FMX - Update FMX Equipment Assignment with Google Device Annotated User information. The email address in Google must match a user in FMX.

For the FMX Equipment Type and Building to/from Google Organizational Unit (OU), the following sync directions are supported:

  • None - Only the initial Equipment Type and Building are set upon creation based on OU and changed with subsequent syncs.
  • From FMX to Google - Update Google Organizational Unit (OU) based on FMX Equipment Type and Building mappings
  • From Google to FMX - Update FMX Equipment Type and Building based on Google Organizational Unit (OU) mappings
  • Bidirectional - Update either Equipment Type and Building or Google Organizational Unit (OU) based on record modification dates

 

Setup Guide for Administrators

This section provides step-by-step instructions for configuring the integration for the first time.

Prerequisite

Before starting the configuration wizard, you must complete the following setup steps in both FMX and Google.

Configure FMX

  • Create a dedicated User Type: Configure a new user type with the required permissions. For more information, see How to Customize User Access. The permissions needed are:
    • Building & Resource Access:
      • Read: Any
    • User & Contact Access:
      • Administer: Checked
      • Read users: Checked
      • Read contacts: Checked
      • Delete: Checked
    • Equipment Access:
      • Create: Checked
      • Read: Any
      • Update: Any
      • Retire: Any
      • Delete: Any
      • Permitted equipment types: All
      • View audit log: Any
  • Create a dedicated User: Create a new user and assign it to the user type you just configured. For more information, see Adding and Editing Users & Contacts.
    • Assign an identifiable name (e.g., “Google Integration”).
    • Use an email address where you want to receive notifications (e.g., “email+google@domain.com”).
    • Securely document this user’s password for use in the configuration steps.
  • Create required Custom Fields:
    • Required: Create two custom fields, each called "Google Id", for users and equipment. These will be used to map synced users and equipment in FMX to Google users and devices.
      Important: The ID Fields must be unique and not used by any other integration or for any other purposes. Reusing any ID field across different integrations will cause users or equipment to be deleted or duplicated.
    • Optional: If you plan to map other user details from Google, create these as Custom Fields for Users and Equipment now.
      • Google User fields
        • User ID
        • Email
        • First Name
        • Last Name
        • Full Name
        • Phone
        • Title
        • Department
        • Cost Center
        • Organization Location
        • Employee ID
        • Address
        • Building ID
        • Floor
        • Manager Email
        • OU Path
        • Account Created
      • Google ChromeOS Device fields
        • Device ID
        • Serial Number
        • Asset ID
        • Annotated User
        • Annotated Location
        • Model
        • OS Version
        • Platform Version
        • Firmware Version
        • MAC Address
        • Ethernet MAC Address
        • Last Sync
        • Support End Date
        • Notes
        • OU Path
        • Status
        • Last Enrollment Time
        • First Enrollment Time
        • Boot Mode
        • Manufacture Date
        • Auto Update Expiry
        • Total RAM
        • Order Number
        • ChromeOS Type
    • It is recommended to assign mapped Custom Fields across all synced FMX User Types or Equipment Types and to allow the dedicated sync user to modify them. If you decide to limit fields to a specific type, use the broadest type possible (e.g. "Technology" instead of "Technology > Chromebook").
    • For more information, see Form Builder: How to create custom fields.

Google Cloud Project

Before you begin

Ensure your account is a super administrator for your Google Workspace.


1. Create a Google Cloud project

Navigate to https://console.cloud.google.com/projectcreate

  • Name: FMX Integration
  • If listed, set Organization and Location to your domain

Click Create

Once created, be sure to switch to your new project.


2. Configure OAuth consent screen

Navigate to API & Services > OAuth consent screen (https://console.cloud.google.com/auth/overview)

  1. Click Get started
    • App Information: FMX Integration
    • User support email: Select any email in the list
  2. Click Next
  3. Select Internal
  4. Click Next
    • Email address: Type your email address
  5. Click Next
  6. Check I agree
  7. Click Continue
  8. Click Create

3. Enable API

Navigate to API & Services > Library (https://console.cloud.google.com/apis/library)

Be sure your project is still selected.

  1. Search for Admin SDK API
  2. Click it and then click Enable

4. Create Service Account

Navigate to IAM & Admin > Service Accounts then click Create Service Account (https://console.cloud.google.com/iam-admin/serviceaccounts/create)

  1. Service account name: FMX Integration
  2. Click Create and continue
  3. Click Done

5. Create Keys for Service Account

By default, Google enables a policy that must be adjusted to allow for the creation of Service Account Keys. If you receive an error stating "An Organization Policy that blocks service accounts key creation has been enforced on your organization." jump down to Troubleshooting: Allowing Service Account Key Creation and come back to this step once finished.

  1. Click the newly created service account (https://console.cloud.google.com/iam-admin/serviceaccounts)
  2. Click the Keys tab
  3. Click Add key > Create new key
  4. Select JSON and click Create
  5. Download the JSON key and store it securely. You can now copy and paste the contents into the configuration wizard and provide an admin email address for the FMX integration.
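A check for the downloaded key file before its contents are pasted anywhere, added here as an example and not part of FMX's or Google's tooling: it flags file permissions that let other accounts read the key and returns only the non-secret identifiers. The client_id value is the Client ID used for domain-wide delegation, and private_key_id identifies this key on the Keys tab. It assumes POSIX file permissions; the function name and all sample values are constructed placeholders.

```python
import json
import os
import stat
import tempfile

# Fields found in a Google service account JSON key file.
KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
              "client_email", "client_id")


def check_key_file(path):
    """Return (identifiers, findings) for a downloaded JSON key file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:03o} grants group/other access; use 600")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    missing = [f for f in KEY_FIELDS if not key.get(f)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        findings.append("type is not service_account")
    # Return only non-secret identifiers; private_key is never copied out.
    ids = {f: key.get(f)
           for f in ("client_email", "client_id", "private_key_id")}
    return ids, findings


if __name__ == "__main__":
    # Constructed sample key with placeholder values, written world-readable.
    sample = {
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "PLACEHOLDER_KEY_ID",
        "private_key": "PLACEHOLDER_PRIVATE_KEY",
        "client_email": "fmx-integration@example-project.iam.gserviceaccount.com",
        "client_id": "PLACEHOLDER_CLIENT_ID",
    }
    path = os.path.join(tempfile.mkdtemp(), "key.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(path, 0o644)
    print(check_key_file(path))
```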

     


6. Allow domain-wide delegation

  1. Copy the OAuth 2 Client ID listed by the newly created service account (https://console.cloud.google.com/iam-admin/serviceaccounts)
  2. Navigate to your Google Admin portal and go to Security > Access and data control > API controls (https://admin.google.com/ac/owl)
  3. Click Manage Domain Wide Delegation
  4. Click Add new
    • Client ID: Paste the copied ID from your service account
  5. OAuth scopes - combine the following as desired:

Required - These are the base scopes required to use the sync. You may need to enable additional scopes if you plan on using additional features as detailed below.

https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly,
https://www.googleapis.com/auth/admin.directory.userschema.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,

Optional - If you plan on allowing FMX to deprovision Chrome OS devices, append the following scope:

https://www.googleapis.com/auth/admin.directory.device.chromeos,

Optional - If you plan to use the Bidirectional direction or FMX as the Source of Truth (From FMX to Google) as detailed earlier, append the following scopes if you haven't already:

https://www.googleapis.com/auth/admin.directory.device.chromeos,
https://www.googleapis.com/auth/admin.reports.audit.readonly,
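A least-privilege check for the scope list above, added here as an example and not part of FMX's tooling: it parses the comma-separated value pasted into the OAuth scopes field and reports scopes that are missing, scopes that go beyond what the chosen features need, and scopes that allow writes. The feature names deprovision and fmx_writes_to_google are hypothetical labels for the two optional cases in this guide.

```python
# Added example: least-privilege check for the domain-wide delegation scopes.
PREFIX = "https://www.googleapis.com/auth/"

# Base scopes from the "Required" list in this guide.
REQUIRED = {
    "admin.directory.orgunit.readonly",
    "admin.directory.user.readonly",
    "admin.directory.group.readonly",
    "admin.directory.device.mobile.readonly",
    "admin.directory.userschema.readonly",
    "admin.directory.device.chromeos.readonly",
}
# Optional scopes from this guide, keyed by hypothetical feature names.
# fmx_writes_to_google covers Bidirectional and FMX as the Source of Truth.
OPTIONAL = {
    "deprovision": {"admin.directory.device.chromeos"},
    "fmx_writes_to_google": {"admin.directory.device.chromeos",
                             "admin.reports.audit.readonly"},
}


def parse_scopes(pasted):
    """Split the pasted field; tolerate newlines and trailing commas."""
    items = (s.strip() for s in pasted.replace("\n", ",").split(","))
    return {s for s in items if s}


def audit_scopes(pasted, features=()):
    """Compare a pasted scope list against what the chosen features need."""
    granted = parse_scopes(pasted)
    needed = {PREFIX + s for s in REQUIRED}
    for feature in features:
        needed |= {PREFIX + s for s in OPTIONAL[feature]}
    return {
        "missing": sorted(needed - granted),
        "excess": sorted(granted - needed),
        # A scope not ending in .readonly lets the key holder change data.
        "write": sorted(s for s in granted if not s.endswith(".readonly")),
    }


if __name__ == "__main__":
    # Constructed input: base scopes plus the ChromeOS write scope, while
    # only read-only syncing is planned.
    pasted = ",\n".join(PREFIX + s for s in sorted(REQUIRED)) + ",\n"
    pasted += PREFIX + "admin.directory.device.chromeos,"
    print(audit_scopes(pasted))
```

An entry under excess is a delegation the service account key carries without any configured feature using it, so it can be removed from the Domain Wide Delegation entry.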

Troubleshooting

Allowing Service Account Key Creation

Follow these steps if you receive an error "An Organization Policy that blocks service accounts key creation has been enforced on your organization."

Step 1: Add yourself as Organization Policy Administrator

  1. Navigate to the Manage Resources option from within your project (https://console.cloud.google.com/cloud-resource-manager)
  2. Select the top level domain entry that your project is a child of
  3. Click Add Principal
    • New principals: Use your email address
    • Role: Organization Policy Administrator
  4. Click Save

Step 2: Disable the key creation policy

  1. Navigate to IAM & Admin > Organization Policies and search for "Disable service account key creation" (Link to Filtered Organization Policies)
  2. You will see two policies - the legacy policy is typically the one enforced by default
  3. Click the enforced policy
  4. Click Manage Policy
  5. Change to Override parent's policy
  6. Click Add a rule and select Off
  7. Click Set Policy
  8. Repeat for the other policy if it is also enforced

Step 3: Continue Previous Instructions and Revert Policy Changes

You will need to sign out and back in for the changes to take effect. You should now be able to generate the keys for your service account from Create Keys for Service Account. After you have finished setting up this integration, it is recommended to change your Google organization policies back for security purposes.

 

Configuration Wizard

With your FMX user account and Google Service Account keys, you can now begin the configuration wizard, which will walk you through the configuration steps.
