Jun 29, 2023
Hugo
David
Today in How to Automate, we will learn how you can automate the Google Workspace device management tasks from Mindflow.
As work from anywhere expands, employees increasingly access your resources from everywhere and from different devices: laptops, computers, or phones. From the IT viewpoint, unless your organization enforces company-issued devices, you must deal with a growing pool of devices. Either way, you still need to closely manage the pool of devices approved to access your Google Workspace.
Without automation, you would have to log in to the Admin console, then, on the left tab Devices -> Mobile & endpoints -> Devices, look for the date of last sync, check the ones above a predefined threshold, and click on Delete device.
The process could take 5 to 15 minutes or more, depending on your organization's size and the number of devices you are paying attention to. Still, these precious minutes could be used for something else, such as investigating some incidents!
On Mindflow, you can design a workflow to automate your Google Workspace device management tasks, from the trigger to the final report of devices removed in Slack. This workflow will only orchestrate two tools: Google Workspace through Google Admin Directory SDK API and Slack.
Before getting our hands dirty, we must ensure everything regarding API authorizations is ready on Google and Slack.
Google Workspace device management - First steps
Google Admin
To use the endpoints we are going to show, you will need to add the following OAuth scope to your service account: https://www.googleapis.com/auth/admin.directory.device.mobile. Do this in Google Admin -> Security -> Access control and data -> API control: select your Client and add the scope (extensive doc here).
Slack
As always, log in to https://api.slack.com/apps/YOUR WORKSPACE ID/oauth? and add the following scope to your existing bot: chat:write.
Mindflow
Make sure the credentials are registered in the Vault. Update the Google one with the scope if it is not already listed. Create the Flow and name it as you want! Of course, make sure you select the perfect emoji, such as a hamster.
Finally, let's look at the final Flow before starting!
Google Workspace device management automation workflow
The tutorial will be divided into sections to reflect milestones: Setting the schedule, Configuring the For each loop, and creating the final Slack notification step.
Google Workspace device management - Setting the schedule and first steps
As our first step in this workflow, we will configure the schedule so that the workflow can be automatically executed regularly. The intervals are up to you to decide. In this example, we are going to set a quarterly schedule.
To do so, click the calendar icon next to the workflow's title on the top left of the canvas. Then select At regular intervals and right under Yearly. Finally, select the different months, April, August, and December, and the days, hours, and minutes in these months to set the exact triggering time. Once done, click Save.
The schedule is set!
Now, on the canvas, right-click to create a Transform Data (TD). We will create an item that will be used later in the workflow. Name this TD Setting deviceRemoved. Click the gear icon under it to open the configuration tab and click "Add an item". Name this item devicesRemoved. Leave it empty.
Create a second step by searching the Finder for directory.mobiledevices.list or "Retrieves a paginated list of all user-owned mobile devices". Once created, ensure the corresponding Google credential is selected in the Settings tab. In the input tab, under Customer id *, type my_customer. Manually run the step once to generate logs.
The first steps are done! On to the more complicated part of the workflow.
Google Workspace device management - Creating and configuring the For each loop.
After this Google step, you will create a For-each loop named For each device. Open the configuration panel and, in Source *, type "/" to open the Data Picker tool. In the pop-over, click the executed Google step and pick the table mobiledevices in the answer's body. The For-each will iterate on all the objects in this table.
Inside the For-each, create a TD and name it Compute current and lastSync months. Create three items and name them currentMonthLetters, currentMonthDigits, and lastSync.
currentMonthLetters: type "/" to get the property date located in the Google execution log headers. Click fx to open the functions panel. We are going to apply four functions to compute the current month in digits by clicking Add a function:
Parse DateTime: Configure the following fields as such: Built-in format * "Automatic", Input format string * leave it empty, and Input timezone * "UTC".
JSON Path: In Query *, type "$..Date".
Regular expression: Select "User Defined" under Built-in regexes *. Paste "[A-Za-z]+" in Regex *. Leave everything else as is.
Array slice: In Start *, type "2". Once done, you should see a month popping up under the Output value. It is the current month that we were looking for.
currentMonthDigits: in this second function, start by pasting the following JSON:
{
"January": 1,
"February": 2,
"March": 3,
"April": 4,
"May": 5,
"June": 6,
"July": 7,
"August": 8,
"September": 9,
"October": 10,
"November": 11,
"December": 12
}
Then click fx. Apply a JSON Path and fill Query * with "$.currentMonthLetters" (type "/" and call the variable currentMonthLetters right after the ".").
lastSync: Type "/", select For each device and pick lastSync. Then click fx. Apply a Slice function with a Start * at 5 and an End * at 7.
Your functions are set!
Create a condition following Compute current and lastSync months and name it Delta currentMonth - lastSync. Create a branch by creating the next step, which is either directory.mobiledevices.delete or Removes a mobile device. Open Compute current and lastSync months, name the first branch >3, and click the arrow on the right. In the first field, invoke currentMonthDigits and lastSync. Leave a space between the two pills. Click fx and apply a Subtract function. As Delimiter *, select "Space". Go back to the Compare function configuration panel, select the operator "Is greater than", then type "3".
The comparison is set. Every device that was last synced more than 3 months ago will be removed from the approved devices on Google Workspace.
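The comparison above subtracts month numbers only, so the year of lastSync never enters the check. The Python sketch below is an added example, not part of the original tutorial or of Mindflow: it replays that rule on constructed device records next to a year-aware variant. The function names, the sample values, and the lastSync timestamp layout (YYYY-MM-DDTHH:MM:SS.mmmZ, consistent with the Slice 5 to 7 step) are assumptions.

```python
from datetime import datetime

# Constructed records shaped like entries of the mobiledevices table
# (resourceId, model and lastSync values are made up for this example).
SAMPLE_DEVICES = [
    {"resourceId": "res-A", "model": "Pixel 6", "lastSync": "2023-02-10T08:15:00.000Z"},
    {"resourceId": "res-B", "model": "iPhone 12", "lastSync": "2022-12-01T09:00:00.000Z"},
    {"resourceId": "res-C", "model": "Galaxy S21", "lastSync": "2022-07-20T14:30:00.000Z"},
    {"resourceId": "res-D", "model": "Pixel 4a", "lastSync": "2023-07-28T11:45:00.000Z"},
]


def month_only_stale(devices, now, threshold=3):
    """The workflow's rule: current month number minus lastSync[5:7] > threshold."""
    return [d["resourceId"] for d in devices
            if now.month - int(d["lastSync"][5:7]) > threshold]


def year_aware_stale(devices, now, threshold=3):
    """Same 'more than N months' rule, with each elapsed year counted as 12 months."""
    stale = []
    for d in devices:
        synced = datetime.strptime(d["lastSync"], "%Y-%m-%dT%H:%M:%S.%fZ")
        delta = (now.year - synced.year) * 12 + (now.month - synced.month)
        if delta > threshold:
            stale.append(d["resourceId"])
    return stale


def missed_by_month_only(devices, now, threshold=3):
    """Devices the year-aware rule flags but the month-only rule leaves enrolled."""
    flagged = set(month_only_stale(devices, now, threshold))
    return [r for r in year_aware_stale(devices, now, threshold) if r not in flagged]


if __name__ == "__main__":
    # Run dates placed in the schedule months used in this tutorial.
    for run in (datetime(2023, 4, 1), datetime(2023, 8, 1), datetime(2023, 12, 1)):
        print(run.date(),
              "month-only:", month_only_stale(SAMPLE_DEVICES, run),
              "year-aware:", year_aware_stale(SAMPLE_DEVICES, run),
              "missed:", missed_by_month_only(SAMPLE_DEVICES, run))
```

In an April run the month-only difference is at most 4 - 1 = 3, so the "Is greater than 3" branch never fires, and in any run a device last synced in a previous calendar year can stay enrolled.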
Go back to the Google directory.mobiledevices.delete step and open the configuration panel. Make sure the credential is selected, then hop on the Input tab. Under Customer id *, write "my_customer". Under Resource id *, type "/" and pick resourceId inside For each device.
The final step in your For-each will be to create a TD that you will name devices removed. Inside, add an item named devicesRemoved. Call devicesRemoved, add a line break, type "-" and add another line break. Now fill in the details you want to pass on to the analyst to have as much intel as possible in their report, such as:
Owner: Pick the property coupled with the object "0" in the table name from For each device
Mobile device model: Pick model from the For each
Last sync: Pick lastSync from For each device
The For-each loop is set! There is only one last step to create in this Google Workspace device management workflow!
Google Workspace device management - Notification
As a final step, find the chat_postMessage or send a message via Slack call. Check that the corresponding credential is selected in the Settings tab. In the input tab, fill in the channel ID to which this report will be sent.
In the text field, start by typing something like "The following mobile devices that were last synced more than three months ago on Google Workspace were successfully removed:" then invoke devicesRemoved.
The Google Workspace device management workflow is complete! You can run it once to check that everything is alright. Congrats!