Two Step Verfication

[Benjamin Greene]

Hey, 

Does anyone know if there's command to force Two Step Verification on for a user, using GAM? I can't see it anywhere so I'm guessing there may be issues with doing this, I don't know? 

I figured if it can be done in the Apps Panel then it can be done through GAM right?

Thanks

[Jay Lee]

There's no way for an admin to turn 2SV on for a user, user's must enable it themselves so that they can configure SMS messaging and/or the mobile apps. However, admins can force users to use 2SV in the Control Panel. Once a user account has 2SV enforced, they'll need to enter a backup code in order to login. Admins can generate backup codes for a user using the GAM command:

gam user <email address> update backupcodes

the admin can then communicate one of these backup codes to the user along with their initial password. The user should be instructed to immediately enable 2SV for their account (otherwise they won't be able to login a 2nd time).

It's not perfect but this is the only automated means to force users to use 2SV that I'm aware of.

Jay

[April Rosenberg]

We do it with OUs.  New users when they come on board are in the onboarding OU until they get two factor enrolled and then they get moved to their departmental OUs where two factor is enforced.

 

April

--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/13c709d8-2e30-417a-bed5-0bc13fa0cc5c%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

[Matthew Adkins]

Sorry to necro this - but is there reporting built into gam 3.3 to allow us to see a users enrolled or enforced status? The standard reports within the admin console appear to constantly be out of date, and I would rather run a report directly against a user's account (as the user's accounts themselves are always up to date).  I noticed you mentioned a command for gam 2.995, this: gam report users fields "'accounts:is_2sv_enforced,accounts:is_2sv_enrolled' todrive

but when I try and run that command on 3.3 I'm getting a parameters error: Error: Parameter "parameters" value "'accounts:is_2sv_enforced'" does not match the pattern "(((accounts)|(gmail)|(calendar)|(docs)|(gplus)):.+,)*(((accounts)|(gmail)|(calendar)|(docs)|(gplus)):.+)"