2SV listings?


Patrick Doherty

Dec 16, 2015, 7:33:42 AM
to Google Apps Manager
Is there any way to get GAM to give me a list of people who have enabled 2SV (or people who haven't so I can go and chase them)?

Thanks


Brian Gray

Dec 16, 2015, 2:37:44 PM
to Google Apps Manager


On Wednesday, December 16, 2015 at 6:33:42 AM UTC-6, Patrick Doherty wrote:
Is there any way to get GAM to give me a list of people who have enabled 2SV (or people who haven't so I can go and chase them)?


I don't think that 2SV status is available through the API.  You can get a list through the Admin Console.

Go to Admin Console > Users, then click the 3-dots menu in the top right and choose Download users.  You can download the current OU or the entire domain.

2SV status is listed in the right-most column.


RayB

Dec 17, 2015, 12:43:07 PM
to Google Apps Manager
gam report users gives accounts:is_2sv_enforced and accounts:is_2sv_enrolled

Brian Gray

Dec 17, 2015, 1:01:13 PM
to Google Apps Manager

On Thu, Dec 17, 2015 at 11:43 AM, RayB <raymond....@glhhotels.com> wrote:
gam report users gives accounts:is_2sv_enforced and accounts:is_2sv_enrolled


Thanks Ray - I missed that when I went looking for it in the wiki.


----------------
See my Free Class Periods calendar - bit.ly/bgray-times.
----------------
Brian Gray
bg...@sstx.org



Nate Ferrell

Dec 24, 2015, 5:04:58 AM
to Google Apps Manager
I use that command often as well to automate sending 2SV enrollment emails, update a custom schema and suspend users due to noncompliance after 3 notifications are received... just keep in mind there is latency between the Admin Reports and current day (usually it's 1-2 days behind and updates once a day around noon)
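Putting Ray's command and Nate's latency caveat together, here is an added PowerShell example (not code from any poster in this thread) that turns the `gam report users` output into the chase list Patrick asked for, and treats an empty report as "not generated yet" rather than "everyone is enrolled". It assumes GAM lives at `C:\GoogleApps\GAM\gam.exe` and that the report CSV carries `email` and `date` columns next to the `accounts:is_2sv_enrolled` / `accounts:is_2sv_enforced` columns named above.

```powershell
# Added example: build a 2SV "chase list" from the Admin Reports data that GAM exposes.
# Assumptions (not confirmed by the thread): GAM path below, and 'email' / 'date'
# column names in the report CSV. The two accounts:is_2sv_* columns are from the thread.
$GAM     = "C:\GoogleApps\GAM\gam.exe"
$OutFile = "C:\GoogleApps\2sv-chase-list.csv"

# One row per user for the most recent report day GAM can fetch.
$report = & $GAM report users | ConvertFrom-Csv

# Admin Reports lag the live directory (the thread says 1-2 days), so no rows means
# "report not generated yet", which must not be read as "nobody needs chasing".
if (-not $report) {
    Write-Warning "gam report users returned no rows - the report for that day may not exist yet."
    return
}

# Not enrolled is the condition to chase; -eq on strings is case-insensitive in PowerShell.
$notEnrolled = $report | Where-Object { $_.'accounts:is_2sv_enrolled' -eq 'False' }

# Sort enforced-but-not-enrolled users first: they are the ones who will be locked out
# when enforcement bites, so they get chased before users who merely lack enrollment.
$notEnrolled |
    Select-Object @{ n = 'Email';      e = { $_.email } },
                  @{ n = 'ReportDate'; e = { $_.date } },
                  @{ n = 'Enforced';   e = { $_.'accounts:is_2sv_enforced' } } |
    Sort-Object Enforced -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation

Write-Host ("{0} of {1} reported accounts are not enrolled in 2SV; list written to {2}" -f `
    @($notEnrolled).Count, @($report).Count, $OutFile)

# Quick breakdown by enforcement state for the console.
$notEnrolled | Group-Object 'accounts:is_2sv_enforced' | Select-Object Name, Count | Format-Table -AutoSize
```

Because the report date is carried into the CSV, a row can be checked against the day it describes before anyone is chased for a status that may already have changed.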

RayB

Dec 24, 2015, 5:18:01 AM
to Google Apps Manager
Hi Nate,

Any chance you could give more details on how you're doing that?
I've not had much to do with using custom schemas. I'm guessing you're using it as a form of tagging/marking users, like the extension attributes in AD?

Thanks

Ray

Nate Ferrell

Dec 26, 2015, 6:43:00 PM
to Google Apps Manager
Of course!

I basically created a custom schema with a few bool values, "2SV_Exempt", "Notif_Exempt", "First_2SV_Email", "Second_2SV_Email","Final_2SV_Email".

Not sure what OS you're running, but I am doing mine via Windows with PowerShell... Here's the command I ran to create the schema and fields:

$GAM = "C:\GoogleApps\GAM\gam.exe"      # (or wherever your GAM installation resides)

# One custom schema named "2SV" with five boolean flags per user:
# two exemption flags and one marker for each notification email already sent.
& $GAM create schema 2SV field 2SV_Exempt type bool endfield field First_2SV_Email type bool endfield field Second_2SV_Email type bool endfield field Final_2SV_Email type bool endfield field Notif_Exempt type bool endfield


I then run a job that checks for users in our New Hire OU, fills all of the custom schema fields as False for users new enough that they haven't had the job run against them yet, then cycles through each user and checks for notifications sent. If they have received the first notification and are still not enrolled in 2SV, they are sent a second notification and the second notification custom schema value is marked as "True", etc....

Here's the full user loop that I run... This handles schema updating, email sending, enrolled user moving to 2SV enforced OU, and suspension if they have received 3 notifications and are still not enrolled... Also includes logging and some other variables that are set outside this snippet:

# $GAM (path to gam.exe), $txtlog (path of the text log) and $MailScript (path of the script
# that sends the notification emails) are set outside this snippet.

# Pull every user with their custom schema values, then keep only the New Hire Staging OU.
$allusers = & $GAM print users fullname ou creationtime lastlogintime custom all suspended | ConvertFrom-Csv | Where-Object {$_.orgUnitPath -eq "/Users/New Hire Staging"}

# Skip exempt users, users who have never logged in (nothing to enroll yet) and already-suspended users.
foreach ($user in $allusers | Where-Object {$_.'customSchemas.2SV.2SV_Exempt' -eq "False" -and $_.'customSchemas.2SV.Notif_Exempt' -eq "False" -and $_.lastLoginTime -ne "Never" -and $_.suspended -eq "False"})
    {
    "" | Add-Content $txtlog -PassThru
    $UserEmail = $user.primaryEmail
    $UserFullName = $user.'name.fullName'

    # Enrollment status comes from the Admin Reports API, which lags the live directory by a day or two.
    # Empty output here means no report row exists yet for this user.
    $2svEnrolled = & $GAM report users user $UserEmail fields 'accounts:is_2sv_enrolled' | ConvertFrom-Csv | Select-Object -ExpandProperty 'accounts:is_2sv_enrolled'

    if ($2svEnrolled -eq "False")
        {
        $FirstNotif = $user.'customSchemas.2SV.First_2SV_Email'
        $SecondNotif = $user.'customSchemas.2SV.Second_2SV_Email'
        $FinalNotif = $user.'customSchemas.2SV.Final_2SV_Email'

        "$UserEmail is not currently enrolled in 2-Step Verification - Checking if user has received any notification emails" | Add-Content $txtlog -PassThru

        # Escalate one step per run: first email -> second email -> final email -> suspend.
        # Each step records its marker in the custom schema so the next run picks up where this one left off.
        if ($FirstNotif -eq "False" -and $SecondNotif -eq "False" -and $FinalNotif -eq "False")
            {
            "$UserEmail has not yet received a 2SV notification email - sending first email" | Add-Content $txtlog -PassThru
            & $GAM update user $UserEmail 2SV.First_2SV_Email True
            & $MailScript -UserEmail $UserEmail -UserName $UserFullName -Notification "first"
            }
        elseif ($FirstNotif -eq "True" -and $SecondNotif -eq "False" -and $FinalNotif -eq "False")
            {
            "$UserEmail has only received the first 2SV Email - sending second email" | Add-Content $txtlog -PassThru
            & $GAM update user $UserEmail 2SV.Second_2SV_Email True
            & $MailScript -UserEmail $UserEmail -UserName $UserFullName -Notification "second"
            }
        elseif ($FirstNotif -eq "True" -and $SecondNotif -eq "True" -and $FinalNotif -eq "False")
            {
            "$UserEmail has received 2 2SV Emails - sending final email" | Add-Content $txtlog -PassThru
            & $GAM update user $UserEmail 2SV.Final_2SV_Email True
            & $MailScript -UserEmail $UserEmail -UserName $UserFullName -Notification "final"
            }
        elseif ($FirstNotif -eq "True" -and $SecondNotif -eq "True" -and $FinalNotif -eq "True")
            {
            # Notif_Exempt is set alongside the suspension so the user drops out of the loop's filter on later runs.
            "$UserEmail is not enrolled in 2SV or exempt and has received the final email - suspending user due to non-compliance" | Add-Content $txtlog -PassThru
            & $GAM update user $UserEmail Suspended True 2SV.Notif_Exempt True
            & $MailScript -UserEmail $UserEmail -UserName $UserFullName -Notification "suspended"
            }
        Start-Sleep -Seconds 2
        # Echo the updated user record to the console.
        & $GAM print users query "email:$UserEmail" fullname ou creationtime lastlogintime custom all suspended | ConvertFrom-Csv
        }
    elseif ($2svEnrolled -eq "True")
        {
        "$UserEmail has enrolled in 2-Step Verification -- moving user to 2-Step Enforced OU" | Add-Content $txtlog -PassThru
        & $GAM update user $UserEmail org "/Users/New Hire Staging/2-Step Enforced"
        Start-Sleep -Seconds 2
        & $GAM print users query "email:$UserEmail" fullname ou creationtime lastlogintime custom all suspended | ConvertFrom-Csv
        }
    else
        {
        # No report row yet (new account, or the daily report has not caught up): do nothing rather than
        # treat the unknown status as non-compliance.
        "Reports are not yet generated for $UserEmail, unable to determine 2-Step Enrollment status -- moving to next user." | Add-Content $txtlog -PassThru
        }
    }