Configuring GAM with Google Apps

Google Apps can be difficult to manage. One of our favorite tools to help with this is GAM. It is also free and the team that created it did a great job. The source code is on GitHub here. This command line interface lets you manage Google Apps in a similar way to PowerShell with Office 365. Like Office 365, many configuration elements can only be manipulated via the command line, and batch processing is much easier in the command shell.

While GAM is a great tool, it can be a bit challenging to set up, especially since Google made some look and feel changes to their developers website. This post will briefly walk you through setting up GAM with Google Apps.

You need to register the application with Google and activate the right APIs before GAM will function. The details of this are here on the GAM support Wiki. However, there are a few twists and turns.

Get access to the developers site.  

Anyone can log on to the developers site at console.developers.google.com. You cannot create a project, though, until your account has access enabled. We always recommend limiting access. While the developers console is pretty obscure, obscurity is not a recommended security posture.

If necessary, move the accounts that will need Console access to a separate OU. Log in to the Admin console for your Google Apps domain and click Security.

Next you need to allow access to the developers console.  Rearrange your users into the right OU or update your OU structure in Directory Sync.  Contact us if you need help.

If you have tried creating a project in the Google Developers Console and keep getting a Project Failed error message, you need to follow this process.

The setting for console access is tucked away under the apps menu. Turn on the Console for "Some Organizations", select the right OU, disable inheritance as needed and wait. It can take 24 hours to take effect but is normally ready within a couple of hours.

Configure GAM for Google Apps

First, refer to the GAM Wiki linked above for the latest updates. The goal is to create and download two JSON files that register your project and the application with Google.

1. Log in to the Developers Console at console.developers.google.com and create a new Project. Name this whatever you like, but GAM for %DOMAINNAME% is descriptive. Only the name is necessary. Click Save.

2. Enable the necessary APIs. You need several for GAM to work correctly.

  • Groups Settings API
  • Admin SDK
  • Calendar API
  • Classroom API
  • Drive API
  • Enterprise License Manager API
  • Gmail API

It is easiest to use the search function here and turn on each one that you need. Click the name as you find it and then Enable API in the screen that pops up. Rinse and repeat.

3. Create the first JSON file

Click on Credentials and then OAuth Consent Screen.  Enter your account if needed and the name of your Project. Click Save.

Click Credentials and pick OAuth 2.0 Client ID. 

Select OTHER, enter "GAM" or another name and click Create.  A popup window will display the key and name.  Close this screen and find the Download arrow on the right.  Download this file to the same directory as GAM and name it client_secrets.json.

4.  Create the service account

Click Add credentials again and select Service Account.  Select JSON.

 

When you click Create, the file will download to your system. This is the only copy of your key!!! If you misplace it you need to reregister the app. Be prepared to save the file to the same directory as the GAM.exe executable and name it oauth2service.json.
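Before the first run, it is worth confirming that both downloads from steps 3 and 4 landed under the exact names GAM expects and are not readable by other local users. The check below is an added example, not part of GAM or its Wiki; the JSON field names it looks for are assumptions about Google's download format, and the sample files it builds are constructed placeholders.

```python
import json
import os
import stat
import tempfile

def _is_oauth_client(d):
    # Assumption: an OAuth client of type "Other" downloads with an "installed" object.
    inst = d.get("installed")
    return isinstance(inst, dict) and {"client_id", "client_secret"} <= set(inst)

def _is_service_key(d):
    # Assumption: a service account key carries these three top-level fields.
    return d.get("type") == "service_account" and {"client_email", "private_key"} <= set(d)

EXPECTED = {"client_secrets.json": _is_oauth_client, "oauth2service.json": _is_service_key}

def check_gam_credentials(gam_dir):
    """Return a list of problems with the two credential files in gam_dir."""
    problems = []
    for name, looks_valid in EXPECTED.items():
        path = os.path.join(gam_dir, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: missing")
            continue
        try:
            with open(path, encoding="utf-8") as fh:
                data = json.load(fh)
        except (OSError, ValueError):
            problems.append(f"{name}: not readable as JSON")
            continue
        if not isinstance(data, dict) or not looks_valid(data):
            problems.append(f"{name}: unexpected contents")
        # POSIX mode bits only; NTFS ACLs on Windows are not inspected here.
        if os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            problems.append(f"{name}: readable by other users")
    return problems

def make_sample_dir():
    """Build a temp directory holding constructed (fake) credential files."""
    d = tempfile.mkdtemp()
    samples = {
        "client_secrets.json": {"installed": {"client_id": "EXAMPLE", "client_secret": "EXAMPLE"}},
        "oauth2service.json": {"type": "service_account", "client_email": "gam@example.invalid",
                               "private_key": "CONSTRUCTED-NOT-A-KEY"},
    }
    for name, body in samples.items():
        path = os.path.join(d, name)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(body, fh)
        os.chmod(path, 0o600)
    return d

if __name__ == "__main__":
    print(check_gam_credentials(make_sample_dir()) or "both files look usable")
```

Point `check_gam_credentials` at the directory that holds GAM.exe; an empty list means both files are present, parse as the expected kind of JSON, and (on POSIX systems) are private to your account.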

Run GAM

That's it! Once you have the client_secrets.json and oauth2service.json files in the same directory as GAM.exe, you can run GAM. There is a one-off account authentication that is well described in the Wiki. If you have any problems or would like help with a Google Apps or Gmail migration, contact us. If you would like assistance with your Google Apps provisioning or single sign-on, consider idBOX, our all-in-one account provisioning and single sign-on product.