allow less secure apps option

[Dan Schwartz]

Hi - 

We occasionally run a program to transfer mail for a user that needs to authenticate to the user's account with IMAP, and have found that the security feature labeled "allow less secure apps" needs to get turned on for the program to run.  Is there a way with GAM to toggle this setting?  The setting is in the user's security settings under "my accoun/connected apps & sites" at the bottom of the screen.  

--

Dan Schwartz | LTS - Systems and Networking  | Lehigh University | da...@lehigh.edu | (610) 758-5061

[Sam Colman]

Exactly the same problem. This feature would be very handy.

Thanks.

[Josef Fortier]

Google has made a change in how they handle IMAP as of the last few days. They now force this setting for IMAP connections.

We have been using IMAP to transfer graduated student mail stores to our "alumni" domain (a separate, older Google Apps instance). This has now stopped working due to the change on Google's end.

I've just got off the phone with tech support. As I understand it:

1) There are a number of complaints...

2) Google has not yet exposed this setting in the API (so Jay cannot yet implement it).

3) I was given a recommendation to use Jay's "Got your back" (and they said Jay was amazing :-)

[Rodrigo Lipert]

Hello Dan Schwartz,

You can allow this option for all users in domain, go to:

admin.google.com

Security>Basic settings>Go to the less secure application settings >>

Check 

allow less secure apps

best regards!

O conteúdo desta mensagem é confidencial e para uso exclusivo do destinatário. Não o divulgue! Apague-o imediatamente se o recebeu por engano.

The content of this message is confidential and for the exclusive use of the recipient. Do not disclose! Delete it immediately if received by mistake.

[Daniel Schwartz]

Yes, but that just allows the user to login and toggle the setting.  It doesn't help when we have a program that needs that toggled and the user isn't currently around (or doesn't know) to do it. We can't even programmatically query the users account to find out if the toggle is in the correct position for our program to run.

[Jay Lee]

There's no api for gam to use to automate this.

Have you tried contacting the app developers and requesting they support a more secure login protocol like OAuth 2.0? Username/password authentication is simply not safe to allow by default on today's internet.

Jay

--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/760ea944-0c1d-48fd-9711-89ce00f6cd26%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Jay Lee

[Josef Fortier]

I've been working with GYB (Mr Lee's other Google App) in an effort to replace IMAP migration, and, even though this is not the focus of the list, thought it worth passing on notes.

1) The GYB 0.41 is likely the way to go, among other things it uses the (newish) gmail API, which seems to avoid a lot of the issues with Google and  IMAP (transfer caps, speed and password).

2) the 0.4[0-1] is a major rewrite, and the docs do not appear to be updated. Specifically 

• The service account file in the docs is 'privatekey.json' but the name the 0.41 version expects is oauth2service.json
  
• The project needs the GMail API added (which makes some sense). The app will let you know this
• The --service-account flag no longer takes an argument. All the needed info seems to be in the JSON key

3) I had success with a git clone of the current package rather then the release. Not sure whether there is a difference.
4) Their appears to be a bug in the release update check, so touch noupdatecheck.txt
5) The "estimate" action also was broken (this seems to be reported).
6) I had the same problem I've had with the cacert.pem in GAM, with the same fix (replacing the file).

But with those steps, I'm able to perform actions, not fully tested but it seems like it will work where IMAP is definitely not.

 

[Josef Fortier]

FWIW, Google seems to be getting some heat for this change.

When we transitioned, the Mail API was not available, and the previous API version would not allow **exporting** (only importing) so IMAP was the only option.

My boss tells me that Google's documentation still indicates that the Mail API has to be augmented with IMAP. I'm sure this is outdated, but it was where Google wanted us to go.

[Josef Fortier]

And, in case it's not clear, **both** GAM and GYB are incredible! Thank you Jay.

[Josef Fortier]

More info on GYB:

1) It works (with caveats :-)
2) Best options for my use case

a) --fast-restore (this is probably not ideal, but it dramatically speeds things up). Drawback is loss of threading

b) --batch-size 1. There restore seems a lot more picky, and I've run into numerous issues. Setting the batch size to one doesn't seem to materially effect performance (in part because of --fast-restore I'm sure). But it allows fairly accurate identification of problem messages, otherwise it involves selecting one out of 10 (which appears to be the default batch size for 0.41). Just find that message and remove it from the download and re-run. With our students all I've ever committed to is a "best effort" transfer, so this seems like it will work for me :-)

[Josef Fortier]

Jay writes...

Have you tried contacting the app developers and requesting they support a more secure login protocol like OAuth 2.0? Username/password authentication is simply not safe to allow by default on today's internet.

What Oauth2 clients are out there?

More particularly, what clients might be driven in a scripted fashion?

Mostly what I see is source libraries (which may be the way to go). 

Does anyone have experience with any particular package?

[Ullfig, Roberto Alfredo]

I’ve lost a lot of hours working on this issue with users. I hope GAM developers can get this query in soon. Users insist they have it set but I need to verify myself. As far as I can tell, this setting is required to be on if the user wants to migrate email from an expired university google apps account to their personal gmail.com account– there is no alternative other than IMAP or POP for this.

 

---

Roberto Ullfig – rul...@uic.edu

ACCC Research Programmer

--

You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/c18b5e8d-78e6-49dd-ac29-5ad338b3fefb%40googlegroups.com.

[Ian Crew]

Hi all:

I’ve been tackling this issue myself today, and I *think* I may have found a workaround:

First, create a “Less Secure Apps” (or whatever) OU, then set “Enforce access to less secure apps for all users” in that OU, as shown below:

Then, any user that you create in/move into that OU should have the "allow less secure apps" setting forced on, and it is possible to use GAM to move users into/out of OUs.

With a little limited testing, this technique seems to work pretty well, so I thought I’d share it.  I’d appreciate hearing if it also works for others.

Cheers,

Ian

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CA%2BVVBp-SA908OMV6ZA-nLkQETLSpOONqHvWD_0N5M_9CF7ctSA%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

___

Ian Crew

IST-Architecture, Platforms and Integration (API)

Earl Warren Hall, Second Floor

University of California, Berkeley

[T Roche]

Handy workaround - did the job!

[Jon Limmer]

Ian,

If you move that account back out of this OU, does the "Less Secure Apps" setting remain on or does the account revert back?

Jon

On Monday, February 29, 2016 at 8:40:26 PM UTC-5, Ian Crew wrote:

Hi all:

I’ve been tackling this issue myself today, and I *think* I may have found a workaround:

First, create a “Less Secure Apps” (or whatever) OU, then set “Enforce access to less secure apps for all users” in that OU, as shown below:

Then, any user that you create in/move into that OU should have the "allow less secure apps" setting forced on, and it is possible to use GAM to move users into/out of OUs.

With a little limited testing, this technique seems to work pretty well, so I thought I’d share it.  I’d appreciate hearing if it also works for others.

Cheers,

Ian

[+KimNilsson]

Roberto, and others, today there is a feature called Takeout Transfer that allows G Suite users to migrate Gmail and Drive content to a private Gmail account, without the need for Less Secure Apps as it is a built-in system in G Suite.

https://takeout.google.com/transfer

On Wednesday, 3 February 2016 22:22:34 UTC+1, Roberto Ullfig wrote:

I’ve lost a lot of hours working on this issue with users. I hope GAM developers can get this query in soon. Users insist they have it set but I need to verify myself. As far as I can tell, this setting is required to be on if the user wants to migrate email from an expired university google apps account to their personal gmail.com account– there is no alternative other than IMAP or POP for this.

 

---

Roberto Ullfig – 

ACCC Research Programmer