topic Re: Google Workspace prvisioning in Endpoint Security

Google Workspace prvisioning

marijanlesko — Mon, 21 Apr 2025 21:57:07 GMT

We have around 200+ Apple devices that are reset 2-3 times per year for temporary workers.

I have used a profile to automatically setup Google Workspace mailboxes on iPhones and iPads through SME.

We had 2 mailboxes setup per phone:

Personal, owner's mailbox, with personal email
Mailbox (single) containing only external contacts for easier sharing

Every device would be provisioned with those 2 mailboxes through MDM. contacts mailbox would have the password pushed using MDM, while personal mailbox would require the owner to provide the password.

We used Exchange Activeync for iOS as instructed by Meraki documentation.

Every Apple device would be provisioned through MDM with owner's email and Google Workspace settings. The owner would only have to enter his email password.

That worked flawlessly for 8+ years until 2 weeks ago when suddenly, both mailboxes would randomly ask device user to enter the password.

The passwords would not be accepted and the request would keep randomly popping up.

I tried to manually provision a single Google WKS email account on a managed device (Apple Mail) and it worked using Google option.

Meraki MDM Exchange Active Sync setting for iOS that worked for many years stopped working for Google workspace.

Our only option is now to provision Google account manually on every device what is time consuming.

Testing, we have discovered that iOS Exchange ActiveSync profile setting now only works for Microsoft 365 and automatically opens Microsoft authentication page.

Setup for Google Workspace using ActiveSync as per Meraki documentation (last version from 2023) does not work anymore.

Is there anybody who had the same issue?

Re: Google Workspace prvisioning

ekramer — Tue, 22 Apr 2025 02:23:43 GMT

We switched away from Exchange accounts several years ago. Instead we use the Google profile to establish user's email accounts. They're account is preset on the iPad, but they do have to authenticate with their password to start using it. Google OAuth is the method of verifications.

Re: Google Workspace prvisioning

Patrick_1 — Tue, 22 Apr 2025 16:51:36 GMT

I suspect this is the issue being reported by multiple end users at my organization.
Can you provide details on the issue for your organization?

I have had over a dozen users indicate the password incorrect notification, however they are able to use the same password to access their account.

The truly sad part, is I have been working with a Meraki support rep since April 6th when this was first reported by only 3 or 4 users and they are clueless.

Re: Google Workspace prvisioning

marijanlesko — Fri, 25 Apr 2025 00:14:17 GMT

Hm sounds like my issue.

Will have more time tomorrow.

Re: Google Workspace prvisioning

marijanlesko — Fri, 25 Apr 2025 00:15:08 GMT

Interesting. Do you have any links to more elaborate documentation for the setup?

Re: Google Workspace prvisioning

Patrick_1 — Fri, 25 Apr 2025 14:45:26 GMT

Currently, iOS devices configured to use the Meraki profile that pushes any “Exchange ActiveSync” email configuration are continually prompting users for their passwords

This appears to be directly related to this Google blog post

Beginning September 30, 2024: third-party apps that use only a password to access Google Accounts and Google Sync will no longer be supported

(search this page for the word “incorrect”)

At this time, the following workarounds can be used:
Use the Gmail app (a Meraki profile can be configured for this)

Use Outlook app (a Meraki profile can be configured for this)

Manually configure native iOS app and sign-in using OAUTH

I have not had any luck configuring a Meraki profile to push a Google Account to an iOS device that successfully syncs email once the user enters their password. If anyone has a working custom mobileconfig they would be willing to share, I would appreciate it.

Re: Google Workspace prvisioning

BrandonD1 — Tue, 29 Apr 2025 17:51:28 GMT

Hi @marijanlesko & @Patrick_1,

Just to add onto @Patrick_1's comments, we do have a few options for configuration since the recent Google changes in accepted authentication methods:

Configure a 3rd party (non-native iOS Mail App) via a Managed App Config - more on this below:
- https://documentation.meraki.com/SM/Profiles_and_Settings/Using_the_Managed_App_Settings_Payload
  - Gmail
    - https://support.google.com/work/android/answer/7065453?hl=en (Non-Cisco URL)
  - Microsoft Outlook:
    - https://learn.microsoft.com/en-us/exchange/clients/outlook-for-ios-and-android/account-setup?view=exchserver-2019#key-value-pairs (Non-Cisco URL)
Configure and utilize OAuth2 rather than basic authentication - touched on below by Google Support:
- https://support.google.com/a/answer/9750173?sjid=2283771315733416322-NA (Non-Cisco URL)
Lastly (and potentially the easiest effort if the default Mail App is desired) - utilize the 'Google Account' Payload. If utilizing 'Owner' e-mail addresses (more on this below) they can be passed through the following process with Apple Configurator:
- https://documentation.meraki.com/SM/Profiles_and_Settings/Variables_in_Custom_Apple_Profiles_with_Systems_Manager

<key>AccountName</key>
<string>$OWNERUSERNAME</string>
<key>EmailAddress</key>
<string>$OWNEREMAIL</string>

https://documentation.meraki.com/SM/Other_Topics/Owners

I did confirm internally that our Payload (more on this below) for ActiveSync has not changed as of recent and has been implemented per Apple's Developer Documentation outlined below:

https://developer.apple.com/documentation/devicemanagement/exchangeactivesync