Securing Access of Gmail App from Unauthorized Applications

Scalefusion’s OneIdP enables organizations to secure access to Google applications such as Gmail, Drive, and Chat by ensuring they are accessible only on Scalefusion-managed devices. While OneIdP performs the necessary checks to validate device management status, certain application behaviors limit its ability to detect whether the accessing application is authorized. As a result, end users may access corporate data from a managed device but through an unauthorized application, potentially posing a security risk. 

The same objective can be achieved using either of the following approaches:

1. Block login access to all third-party applications (e.g., Outlook, Edison Mail, etc.): Implementing a security policy that prevents users from accessing their Gmail accounts through any application other than the official Gmail app (or other explicitly allowed Google applications).

2. Block login access to specific third-party applications while allowing access to approved ones: Provides an approach to managing which apps can access Gmail accounts.

Here are the steps in detail for both the approaches:

Block login access to all third-party applications

1. Log in to the Google Workspace portal (https://admin.google.com) with Admin credentials.

2. Navigate to Security > Access and data control > API Controls >Settings
    

3. Select the Organizational Units to which you want to apply the restriction.

4. Navigate to Unconfigured third-party apps
   

   

    

5. Select Don’t allow users to access any third-party apps and click on Save
   

   

6. Now, users will be able to sign in to the service only through Google-related applications (e.g., Gmail, Drive, etc.)

Block login access to specific third-party applications while allowing access to approved ones

1. Log in to the Google Workspace portal (https://admin.google.com) with Admin credentials.

2. Navigate to Security > Access and data control > API Controls > MANAGE THIRD-PARTY APP ACCESS
   

    

    

3. Click on Configure new app
   

   

4. Search for the application where User Sign-In needs to be blocked.
   

   

    

5. Click on the app > Select Scope and click on Continue 
   

   

6. Select Blocked and click on Continue
   

   

7. Click on Finish.

8. Users can now only sign in to the service through Google-related applications, excluding those on the block list.