Configuring Gmail mobile mail cutoff/SSO
Mobile Mail SSO enables your users to use their single sign-on passwords for Gmail and enforce that all ActiveSync traffic goes through Forcepoint ONE SSE. The feature works by changing the user’s Gmail/Google Apps password to a new salted and hashed version of their single sign-on password.
The user does not know this password so that they cannot access Gmail directly and are cutoff from all direct access.
When email traffic goes through the Forcepoint ONE SSE proxy, Forcepoint ONE SSE authenticates the user against the SAML IdP (either external IdP or Forcepoint ONE SSE), and upon successful authentication, hashes the SSO password and sends the result to Google inside of the authentication request to authenticate. When their SSO password is updated, Forcepoint ONE SSE automatically updates the hashed password in Google apps.
Deployment Process
In order to deploy this feature, users must delete and re-add their mail accounts on their mobile devices. When using the Autodiscover feature, the newly added account will be configured automatically to go through Forcepoint ONE SSE. There are two stages to migrating users - voluntary and forced migration.
- Voluntary Migration: During voluntary migration, Forcepoint ONE SSE only changes Google passwords for users that already have one or more devices using Forcepoint ONE SSE. The Forcepoint ONE SSE admin portal allows you to monitor migration status and send reminder emails periodically to users that have mobile devices but have not yet migrated yet. It is a recommended best practice to leave several weeks for voluntary migration, to send reminder emails during the course of that time, and move to forced migration only once a large majority of your users have migrated to Forcepoint ONE SSE.
- Forced Migration: Once you trigger forced migration for a group, Forcepoint ONE SSE will change the Google password for all users that have devices in Google but have not yet migrated on their own to Forcepoint ONE SSE. When this happens, user mobile devices will fail authentication until they configure their device to use Forcepoint ONE SSE and start authenticating with their SSO password.
Configuration
In order to configure mobile mail SSO, follow the steps below:
- The first step you will need to take is to provide Forcepoint ONE SSE with API access to your Google Apps account in order to be able to change user passwords. You can follow the steps on the Gsuite SSO Cutoff guide page.
- Users can be cutoff from directly accessing Google Apps based on the access method configured in policy rules. Web based cutoff via SAML SSO is a prerequisite for ActiveSync based
cutoff. To enable Web based cutoff via SAML SSO in Forcepoint ONE SSE
admin portal, navigate to . Select the App Instance for which you want to enable SAML SSO by clicking on the instance name. In the Google App Instance dialog select
cutoff method SAML SSO for Web, Client Apps.
- Google Password change for access via ActiveSync - In the Forcepoint ONE SSE admin portal, navigate to . Select the App Instance for which you want to enable Google password change by clicking on the instance name. In the Google App
Instance dialog enable Google Password Change under ActiveSync. This would change the Google passwords for all users and use SAML for
ActiveSync authentication instead.
- Google Password change for access via ActiveSync - In the Forcepoint ONE SSE admin portal, navigate to . Select the App Instance for which you want to enable Google password change by clicking on the instance name. In the Google App
Instance dialog enable Google Password Change under ActiveSync. This would change the Google passwords for all users and use SAML for
ActiveSync authentication instead.
Voluntary Migration
In this phase you will focus on getting users to delete and re-add their mobile mail accounts so that they leverage Forcepoint ONE SSE and starting using their SSO passwords. On the page, click Manage Migration.
- The resulting page displays the list of all groups that have policies configured to force their Google Apps usage through the Forcepoint ONE SSE proxy, along with a percent Migrated status. This indicates the percentage of users per group (with one or more devices in Google determined via API access) have migrated to Forcepoint ONE SSE.
- The Send Reminder Email link allows you to send a customized email to all users in that group that have not yet migrated their devices to Forcepoint ONE SSE. You can send this email as often as you would like.
Forced Migration
Once a sufficient percentage of users in a group have migrated to Forcepoint ONE SSE, moving to Forced Migration will ensure that the remainder migrate their accounts as they will no longer be able to access their email from their mobile devices until they do so. Click on the Voluntary link in the Migration column.
- In the Mobile Mail SSO dialog, select Forced and accept the warning by typing YES in all caps. Once this step
is completed, all users’ passwords will be changed and they will only be able to access their mail on mobile devices if they go through Forcepoint ONE SSE and use their SSO password.