
Google Workspace macOS Management: Enrollment and Integration with Hexnode UEM

Hexnode UEM facilitates secure Google Workspace macOS management by enabling device enrollment using Google Workspace user credentials. This integration ensures that enrolled macOS devices are automatically assigned to their respective Google Workspace users, streamlining policy deployment and device monitoring.

The process is divided into two main stages: Configuration (Google Cloud & Admin Consoles) and Enrollment (Hexnode UEM setup and device action).

Prerequisites

  • Google Workspace Account: Your organization must have an active Google Workspace account.
  • Administrator Access: You need administrator credentials for both the Google Cloud Console and the Google Admin Console.
  • Hexnode UEM Portal: Access to your Hexnode UEM administrator portal.

Phase 1: Configure Google Workspace Integration

This phase involves creating a Service Account in the Google Cloud Console and granting it the necessary API permissions.

1.1 Create the Service Account (Google Cloud Console)

  1. Log in to the Google Cloud Console using your Google Workspace admin credentials.
  2. Click Create Project and provide a suitable Project Name (e.g., Hexnode-MDM-Integration). A corresponding Project ID will be generated.
  3. From the Navigation Menu, go to APIs and Services > Credentials.
  4. Click Create Credentials, and select Service account from the drop-down list.
  5. Provide the following details for the new service account:
    1. Service account name (e.g., hexnode-connector)
    2. Service account ID (automatically generated)
    3. Service account description
  6. Click Create and Continue.
  7. (Optional): Grant access to the project by choosing the role Service Accounts > Service Account Admin, and click Continue.
  8. Click Done.
  9. Click on the email address of the newly created service account.
  10. Navigate to the Advanced settings drop-down and copy the generated Client ID.
  11. Navigate to the Keys tab. Click Add Key > Create new key.
  12. Choose the key type as JSON and click Create. The JSON key file will be downloaded.

1.2 Enable Admin SDK API and Manage API Client Access

  1. Go back to the APIs & Services interface from the Navigation menu.
  2. Select Enabled APIs & Services and click +ENABLE APIS AND SERVICES.
  3. Search for and select Admin SDK API. Click Enable.
  4. Log in to the Google Admin Console using your Google Workspace Admin credentials.
  5. Click on Security.
  6. Under API Controls, find Domain wide delegation and click MANAGE DOMAIN WIDE DELEGATION.
  7. Click +Add new and authorize the API clients:
    1. Client ID: Paste the Client ID copied in Step 10 of Phase 1.1 (it is also the client_id value in the downloaded JSON key file).
    2. OAuth scopes: Copy and paste the following scopes, separated by a comma (no spaces):
      1. https://www.googleapis.com/auth/admin.directory.user (To sync individual users)
      2. https://www.googleapis.com/auth/admin.directory.group (To sync user groups)
      3. https://www.googleapis.com/auth/admin.directory.domain (Mandatory – To fetch the domain)
  8. Click AUTHORIZE.


Note:

To successfully synchronize users, user groups, and domains from your Google Workspace account to the Hexnode console, you must provide the necessary OAuth scopes. These scopes should be separated by commas in the configuration.

Phase 2: Integration of Google Workspace with Hexnode UEM Server

  1. Log in to your Hexnode UEM portal.
  2. Navigate to Admin > Google Workspace.
  3. Configure the following options:
    1. Google Workspace Admin Email: Enter the admin email address used to authorize the service account.
    2. Google Workspace key: Upload the JSON key file downloaded in Phase 1.1, Step 12.
  4. Click Next.
  5. Select the desired domain synchronization options:
    1. Sync across all domains: Syncs users and/or groups across all existing and future domains.
    2. Choose Domain(s): Only syncs users/groups from selected domains.
  6. Scheduled Scan: Configure when Hexnode should sync with Google Workspace:
    1. Daily: Enter the time (24-hour format) at which the sync runs every day.
    2. Weekly: Select specific days and enter the time at which the sync runs.
  7. Click Save to finalize the integration.

Note:

If a new domain is not displayed in the Hexnode console, click Refresh Domains.
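The following pre-flight check, added here as an example and not part of Hexnode's or Google's tooling, ties Phase 1 and Phase 2 together: it compares the JSON key downloaded in Phase 1.1 with the Client ID and scope list entered under domain-wide delegation in Phase 1.2, and shows the JWT claim set that a domain-wide-delegated client signs with that key, using the admin email entered in Phase 2 as the subject. The key contents, Client ID and admin address are constructed placeholders.

```python
import json
import time

# Scopes as the article lists them; the domain scope is mandatory for domain sync.
OPTIONAL_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user",   # sync users
    "https://www.googleapis.com/auth/admin.directory.group",  # sync groups
}
MANDATORY_SCOPE = "https://www.googleapis.com/auth/admin.directory.domain"

def check_delegation(key_json, delegated_client_id, scope_field):
    """Compare the downloaded JSON key with the Client ID and scope list pasted
    into 'Manage domain wide delegation'. Returns problems (empty = consistent)."""
    key = json.loads(key_json)
    problems = []
    if key.get("type") != "service_account":
        problems.append("key file is not a service account key")
    if key.get("client_id") != delegated_client_id:
        problems.append("Client ID in delegation form does not match the key's client_id")
    if " " in scope_field:
        problems.append("scope list contains spaces; separate scopes with commas only")
    scopes = {s.strip() for s in scope_field.split(",") if s.strip()}
    if MANDATORY_SCOPE not in scopes:
        problems.append("mandatory domain scope missing: domain names cannot be retrieved")
    for s in sorted(OPTIONAL_SCOPES - scopes):
        problems.append("scope not granted, that sync will be unavailable: " + s)
    return problems

def build_assertion_claims(key_json, admin_email, scope_field, now=None):
    """Claim set of the JWT a delegated client signs with the key's private key:
    the service account is the issuer, the admin email from Phase 2 is the subject."""
    key = json.loads(key_json)
    now = int(time.time()) if now is None else now
    scopes = [s.strip() for s in scope_field.split(",") if s.strip()]
    return {
        "iss": key["client_email"],
        "sub": admin_email,          # user impersonated via domain-wide delegation
        "scope": " ".join(scopes),   # space-separated inside the assertion
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,
    }

# Constructed sample key: the field layout of a downloaded key, placeholder values only.
SAMPLE_KEY = json.dumps({"type": "service_account", "client_id": "123456789012345678901",
    "client_email": "hexnode-connector@hexnode-mdm-integration.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token"})
```

Run check_delegation against your real key file and the exact string pasted into the delegation form before uploading the key in Phase 2; a non-empty result explains a failed sync before Hexnode reports it.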

Phase 3: Enroll macOS Devices via Google Workspace Authentication

Once the integration is configured, you can enroll macOS devices via Google Workspace authentication.

  1. Go to Enroll > Platform-Specific > macOS > Email or SMS in the Hexnode UEM portal.
  2. Switch the authentication mode to Authenticated Enrollment.
  3. Select Google User under either Enrollment Request (users receive an email or SMS with the Hexnode server address and enrollment instructions) or Self Enrollment (users enroll their devices themselves using their own Google Workspace credentials).
  4. Change the device Ownership type if required.
  5. Click Next.
  6. If using Enrollment Request:
    1. Select a medium (Email/SMS).
    2. Change the Domain from Local to your Google Workspace domain.
    3. Select the target users and click Save.
  7. On the macOS Device (User Action):
    1. Open the Safari Browser and navigate to the enrollment URL (e.g., https://portalname.hexnodemdm.com/enroll/).
    2. Enable the checkbox to agree to the terms and conditions and click Enroll.
    3. Click Authenticate with Google and enter the user’s Google Workspace credentials.
    4. Provide necessary permissions to allow the profile download.
    5. Once downloaded, go to Settings > Profiles and click Install.
    6. Enter the Mac administrator’s username and password to complete the profile installation and device enrollment.

Frequently Asked Questions (FAQs)

Q1: Why is the domain scope mandatory?

The https://www.googleapis.com/auth/admin.directory.domain scope is mandatory for Hexnode to fetch the list of domains from your Google Workspace account. Without it, domain sync will fail with the error: “Google Workspace domain names could not be retrieved.”

Q2: Why is a Service Account required for this integration?

The Service Account provides a secure, non-interactive way for the Hexnode UEM server to communicate with and read user/group data from your Google Workspace domain without needing direct access to a human administrator’s credentials.

Q3: Does Google Workspace enrollment enforce management automatically like ADE?

No. Unlike Apple’s Automated Device Enrollment (ADE), Google Workspace enrollment acts as a secure authentication gate. The user must still manually install the downloaded MDM profile on the Mac to complete the process.

Q4: Can multiple Google Workspace domains be integrated with Hexnode?

Yes, Hexnode UEM supports integrating multiple Google Workspace domains, allowing you to manage and enroll users from various domains within a single Hexnode console instance.
