Common Issues in Google Workspace (G Suite) Integration

1. While integrating Google Workspace (G Suite) with the Hexnode console, an error message Invalid Input appears.

Possible Cause

• This could happen if any of the steps went wrong while configuring G Suite.

Solution

Go through the steps and ensure that the below-mentioned ones are carried out properly.

• JSON file is downloaded from the corresponding Service account in Google Developers Console.
• Service Account Admin is chosen as the Service Account role.
• Enable G Suite Domain-wide Delegation option under the created Service Account is checked.
• Ensure that APIs and services are enabled.
• In the Google Admin Console, ensure that API clients are correctly authorized. (Syncing the users and user groups)

While integrating with Hexnode console,

• Ensure that the G Suite account’s Admin email is provided.
• A proper Domain name is provided.
• The correct JSON file is uploaded.
• The correct Token is provided.

Once these details are provided, the integration will be completed automatically.

2. On integrating Google Workspace (G Suite) with Hexnode console, an error stating G Suite domain names could not be retrieved appears

Cause

Except for the primary domain, the sub-domains and users in the sub-domains are unable to synchronize with the Hexnode MDM portal.

Reason

The OAuth scopes for the API client does not include domain specification.

Since a G Suite account can have multiple domains, the users belonging to all the different domains are synchronized only if the domain scope is specified while managing access to the API client.

Solution

Include the domain scope for the API client from the Google Admin Console.

1. Log in to Google Admin Console.
2. Navigate to Security > API Controls > MANAGE DOMAIN WIDE DELEGATION > Domain wide delegation .
3. Identify your API client from the list. Click Edit.



4. Copy and paste the following link in the field OAuth scopes:

   https://www.googleapis.com/auth/admin.directory.domain

5. Click Authorize.



6. Next, log in to the Hexnode MDM console.
7. Navigate to Admin > G suite.
8. Click on the Refresh Domain button and click Save.

It refreshes the domain and syncs the user information from the sub-domains also.

3. While generating token from Google Admin Console, Control Panel Error #1000 appears.

Solution

Following are the two primary solutions:

• Try clearing browser cache.
• Run the website in incognito mode.

If the above solutions don’t work, try with the following secondary solution:

• Login to Google Admin Console.
• From the main menu, navigate to Apps > Additional Google Services.
  
  
• Click on Add Services.
  
• Click on Add it now under the Android Management services package.
• Once the package is added, you’ll be redirected to Security > Manage EMM provider for Android > Generate Token.
• Token will now be generated successfully.

4. After configuring Google Workspace (G Suite) on the Hexnode portal, “G Suite could not be configured, ensure that necessary OAuth scopes are provided” error message is shown.

Possible Causes

This could happen if:

• Any of the OAuth scopes are missing while configuring G Suite.
• Admin SDK is not enabled.

Solution

Ensure the necessary scopes are added correctly under the SHOW DOMIN-WIDE DELEGATION dropdown menu in your Google Admin account.

1. https://www.googleapis.com/auth/admin.directory.user
2. https://www.googleapis.com/auth/admin.directory.group
3. https://www.googleapis.com/auth/admin.directory.domain

If the issue still persists even after adding the correct OAuth scopes, check if the Admin SDK is enabled for the corresponding account. You can enable the Admin SDK by following the steps below:

1. Sign in to your Google Admin Account.
2. Head over to Security > API reference.
3. Check the Enable API access option.
4. Press Save.

5. “Your sign-in settings don’t meet your organization’s 2-Step Verification policy. Contact your admin for more info.” error message during DEP enrollment.

Possible Causes

• 2-Step Verification is enforced on users from the Google Admin console but is not set up in the user account. As a result, such users will be locked out of their accounts when their active sessions expire.
• 2-Step Verification method is set up as Only security key in the Google Admin console, and consequently, the users have configured a built-in security key for verifying their accounts. During DEP enrollment, if the user tries to authenticate using this built-in security, it can lead to an error. Since the DEP enrollment has a Safari-based web view, built-in security keys compatible only with the Chrome browser cannot be used as a method of 2-factor authentication.

Precautions

• Notify the users and ensure that they have set up 2-step verification in their account before enforcing the same from the Google Admin console. Users can activate the 2-step verification by following the steps below:
  1. Open Google Account.
  2. Select Security from the navigation menu.
  3. Select 2-Step verification under Signing in to Google.
  4. Click on Get started and follow the on-screen instructions.
• Administrators can review Account reports or check 2-Step Verification Settings to find the users who have set up security keys before enforcing the 2-step verification method.

Solutions

• Administrators can recover user accounts by generating backup codes:
  1. Log in to the Google Admin console.
  2. Go to Users and select the user account you intend to recover.
  3. Navigate to Security > 2-step verification.
  4. Click on Get Backup Verification Codes and copy one of the verification codes.
  5. Send this code to the user.
  6. Users can sign in to their account using a password and this backup code.
• Refer to recovering accounts protected by 2-step verification for additional best practices.