On the Lambda

Programming, Technology, and Systems Administration

On the Lambda

Supporting Outlook with G Suite

May 4th, 2017 · No Comments · IT News, networking, security

Where I’m at, we use Google Apps (G Suite) for e-mail, but still rely on Active Directory for individual accounts and use MS Office rather than Google Docs most of the time. One situation to come up in the last few years is Google no longer supports MS Outlook out of the box. If you want to use Outlook, you must first enable “Less Secure Apps”.¬†

I know, I know. Why would you ever use Outlook when the Gmail web client and apps are so much better? I hear you. I use the web browser for day to day work. But there are still those who prefer Outlook, and there are a few things Outlook can do that Gmail does not do, or does not do well. Mail merges are an important one.

So, I need a way to support Outlook for some of my users without seriously undermining their security. I think I may finally have a plan.

One mitigation against allowing Less Secure Apps is enabling two-factor authentication. As much as I’d like to mandate that here from a security standpoint, as a practical matter I know that’s not gonna fly with our user base, especially as our campus is in a rural area and we have a small number of students who do not have reliable cell phone service for receiving two-factor keys. What I could do, however, is offer users a trade-off.

The idea is to enforce that Less Secure Apps are disabled. However, if someone wants to use Outlook or other “less secure app”, I can move their account to a different OU within Google where two-factor authentication is enforced. This will allow the creation of an App Password¬†that will work with Outlook. I also see this as way to encourage two-factor adoption among my user base.

Note this is not the ideal solution. Needing to manually move an account to a different OU adds friction on both the IT and user sides of the equation. It’s also not discoverable; users won’t automatically know why they can’t enable Less Secure Apps by themselves, or if they do understand it’s an IT policy they may not realize we have a work-around available. A better option would be for Google to support this automatically, and prompt the user to turn on two-factor at the time they try to enable Less Secure Apps. Sadly, this is not possible.

Also note I have not yet implemented this scheme. I have historical users who may already have one feature enabled but not the other, and I’ll need to identify and clean up these accounts. This idea also does not currently mesh well with our sync process from Active Directory. It will be a significant project to align the two.

Nevertheless, I may at last have a path forward.

Tags:

No Comments so far ↓

There are no comments yet...Kick things off by filling out the form below.

Leave a Comment