Finding less secure apps

[Samuel]

Hello,

I'm trying to find out what less secure apps my users could have and if we should block this option

Here is the information I can already find

- less secure apps

from console > reports > accounts activity > less secure apps report, it tells us if the user activated it or not

I can't retrieve this infromation from GAM

- application specific passwords

gam all users show asps

- connected apps

gam all users show tokens

Are these 3 things related to each other?

And how can I identify less secure apps?

Thank you

[+KimNilsson]

Did you also check out the new API reports?

https://admin.google.com/AdminHome?hl=en&pli=1&fral=1#SecuritySettings:flyout=oauth2scopemanagement

[Samuel]

Yes, and there are 754 apps installed

And my problem is that it's not written which are less secure

I found in this post https://productforums.google.com/forum/#!msg/gmail/1zfLRzarw5Q/1nvz_ERHAgAJ the difference between "less secure apps" and "application specific passwords"

Google considers all apps, clients, and accesses which doesn't use the OAuth 2.0 protocol as less secure; and the following are the ways to go about resolving this:

1. If your account doesn't have 2-step verification enabled, proceed to allow access for less secure apps.
2. If your account has 2-step verification enabled, set it up again using an application-specific password.

I won't search any further

[+KimNilsson]

Someone has tried to create a script to list them, but it only works for really small domains, since it can't handle longer run times than then standard 5 minutes.

https://github.com/slackhq/gsuite-oauth-third-party-app-report/wiki

[Jay Lee]

"Less secure" apps are any apps that use username/password to authenticate instead of using OAuth. This makes them less secure because they store and transport your Google password.

Thus by their very nature they won't show on any of the OAuth reports nor do they have to identify themselves to Google in the same way OAuth apps need to.

I'd simply look for POP / IMAP users and I'd strongly recommend cutting them off from using username/password. I believe many POP/IMAP implementations these days support OAuth (Thunderbird, iOS mail, etc). So they can still use the protocol via a more secure OAuth authentication channel in many cases.

Jay

On Mon, Jul 23, 2018 at 11:55 AM +KimNilsson <there.is.no...@gmail.com> wrote:

Someone has tried to create a script to list them, but it only works for really small domains, since it can't handle longer run times than then standard 5 minutes.

https://github.com/slackhq/gsuite-oauth-third-party-app-report/wiki

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/395bfdee-ab47-4e07-bb21-704565f60c9a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Kim Nilsson]

Yes, in the domains I control I am recommending that we disable IMAP and POP. Will go into effect this September. 

I have also since long blocked all access to accounts.google.com/signin outside my whitelist, which blocks all use of addons and extensions that work through service accounts to give external services access to my users' content. 

[Samuel]

Thanks for these informations.

The script does not work for me because of the timeout, I will look to adapt it according to my needs

[Kim Nilsson]

Samuel, if you do manage to circumvent the time limit, please publish your updated version. 

I'm sure the original developer will appreciate it too. 

[Samuel Sobrino]

All my script use GAM trought php, for performances I use a database, not shure it could be shared

I did't know that we could request thing trought Sheets, after looking a the script, what can be done is to fill the Users tab with a GAM result (gam all users print tokens), and after that run the second step of the script

Le mer. 25 juil. 2018 à 13:14, Kim Nilsson <there.is.no...@gmail.com> a écrit :

Samuel, if you do manage to circumvent the time limit, please publish your updated version. 

I'm sure the original developer will appreciate it too. 

--
You received this message because you are subscribed to a topic in the Google Groups "GAM for G Suite" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-manager/vXTJNrmDqTE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-man...@googlegroups.com.

To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAGPzzFsE%2B907FuCdHceq-cSoPDoPaBBOLZ_pg8f6QitEn1GMPg%40mail.gmail.com.

[Kim Nilsson]

Yes, but I tried that and it still failed.

My fault, most likely, since I don't know what to edit to be able to run only the second part of the script.

/Kim

--

There is No Substitute!

google.com/+KimNilsson

[Samuel Sobrino]

Juste tried now, with some tweaks

all users with tokens (gam command and some columns removed) in the tab Users = 4970 lines

In App Script editor line 158 -> oauth_scopes = token[4].split(' ');

From github -> In App Script editor, click Run > step2.

And voila the second tab is flled

I don't know if the gam command can be redirected to drive, perhaps the modification on line 158 is not necessary

I'll try this tomorrow

--

You received this message because you are subscribed to a topic in the Google Groups "GAM for G Suite" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-manager/vXTJNrmDqTE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAGPzzFtqTJEnOJmRrG4Qz6q7yFauwVVnnpiVDvkvB4cLKYB43w%40mail.gmail.com.

[Kim Nilsson]

Ok, for me that oauth_scopes code is found on line 174, and not 158.

When I tried to run step 2 I got this error.

TypeError: Det går inte att hitta funktionen split i objekt true. (rad: 174, fil: Kod

Translated from Swedish it says.

TypeError: Can't find the function split in object true. (line: 174, file: Kod)

[Samuel]

It's correct line 174, I changed the first part of the script for my tests

Could you try this

gam <UserTypeEntity> print tokens todrive

open drive/sheets

rename the tab : Users

insert an empty column in b

move column d (displaytext) in b

delete the emtpy column d

filter on column e (nativeapp) where true and delete what is found

remove filter

delete column e and f (nativeapp and userkey)

you should have in this order : user,displayText,clientId,anonymous,scopes

click Tools > Script Editor....

In the Apps Script editor, copy and paste third-party-app-report.gs (https://github.com/slackhq/gsuite-oauth-third-party-app-report/blob/master/third-party-app-report.gs)

on line 174 replace  --> oauth_scopes = token[4].split('\n');

with --> oauth_scopes = token[4].split(' ');

Save (ctrl+s)

In App Script editor, click Run > step2.

Allow access the Sheets

You should now have a Counts tab

It's not the most simple, but it work

[Samuel]

Even better

gam <UserTypeEntity> print tokens todrive

open drive/sheets

click Tools > Script Editor....

In the Apps Script editor, copy and paste third-party-app-report.gs MY NEW Version (https://github.com/samuel-sobrino/gsuite-oauth-third-party-app-report-with-GAM/blob/master/third-party-app-report.gs)

Save (ctrl+s)

In App Script editor, click Run > step2.

Allow access the Sheets

You should now have a Counts tab

My Version of the script doesn't need the domain

We automaticly get the tab name

No need to change the data from GAM (order, filter, deletion)

[Steve - DynTech]

Did anyone try this to get tokens on a larger domain and see if it succeeds? GAMADV-XTD required

gam config auto_batch_min 1 redirect csv ./tokens.csv multiprocess all users print tokens

[Kim Nilsson]

Yup, I did.

5664 users.

16046 tokens.

Took about 20 s for Samuel's report script to run. So as long as you don't have over 100k users, I think that part of the script will keep itself below the time limit.

[Erick Cheng]

Samuel - thank you so much for the improvements! I've incorporated your code and updated the wiki as well :)

https://github.com/slackhq/gsuite-oauth-third-party-app-report/wiki#alternative-utilizing-gam

https://github.com/slackhq/gsuite-oauth-third-party-app-report/commit/78cce8ad6c2f326916788347a50f6dddbe018a39

Kim - thank you for the updates and testing as well!

[Samuel]

Erick
Thanks for the update / incorporation, I did not know when I could have documented all this

Thanks to your script I discovered what was possible to do with apps scripts

Kim
Thank you for your participation in this group, you are a great source of information