Begin Scanning Third-Party Apps on the G Suite Marketplace
Enable Prisma SaaS to discover third-party apps that your users attempt to install from G Suite Marketplace.
Prisma SaaS can discover third-party apps that your users attempt to install from G Suite Marketplace. To protect your application ecosystem from unsanctioned third-party apps, enable Prisma SaaS to scan for them by adding the G Suite Marketplace app. Afterward, you can remediate the risks.
To connect the G Suite Marketplace app to Prisma SaaS and begin scanning assets, you need to:
- Create a service account from Google Cloud Console.
- Enable Administrator and client API access from Google Admin Console.
For information on automated remediation capabilities with G Suite Marketplace, refer to Remediate Third-Party Apps.
Add G Suite Marketplace App
As you prepare the G Suite account, take note of the following values, as they are required to complete the setup of the G Suite Marketplace app on Prisma SaaS:
New Private Key
A P12 format private key certificate issued from your Google service account. This required certificate is uploaded on Prisma SaaS when adding the G Suite Marketplace app.
Private Key Password
The default password for the new private key.
Client ID
The client ID is entered when enabling G Suite domain-wide delegation, and on Prisma SaaS when adding the G Suite Marketplace app.
Google Administrator account
The email entered to create a service account in G Suite Marketplace, and on Prisma SaaS when adding the G Suite Marketplace app. This administrator account must have Super Admin role permissions.
1. Create a service account from GCP.
   a. Log in to Google Cloud Console as a G Suite administrator with Super Admin role permissions. If you have not used the Google Cloud Console before, Agree to the Google Cloud Platform Terms of Service.
   b. Create a new project from GCP.
      - At the top of the screen, open your project list (Select a project), then select NEW PROJECT.
      - Name your project (for example, Prisma SaaS G Suite), select your organization (domain), then Create the project.
   c. Authorize OAuth Consent for the new project.
      - Select APIs & Services > OAuth consent screen.
      - Specify Internal as the user type/application type.
      - Specify an Application name (for example, Prisma SaaS) and Support email. This is the name that displays on the Third-Party Apps page in Prisma SaaS.
      - Specify the Authorized domain, then Save to authorize.
   d. Create the Service Account Key for the new project. Prisma SaaS requires this key when you add the G Suite Marketplace app in step 4.
      - Select APIs & Services > Credentials > Create credentials > Service Account Key.
      - Specify a Service account name (for example, Prisma SaaS).
      - Select P12 as the Key Type, then Create > Create Without Role. After GCP issues a default password and new private key, your browser automatically downloads the new private key to your computer.
      - Store the default password and key in a secure location, as the key cannot be recovered if lost.
   e. Enable Domain-wide Delegation for the new service account. GCP creates a service account client when domain-wide delegation is enabled on a service account.
      - Select APIs & Services > Credentials > Manage service accounts.
      - Locate the service account, then select Actions > Edit.
      - Select Enable G Suite Domain-wide Delegation, then Save your changes.
   f. Retrieve and save the Client ID for the new service account client.
      - Select APIs & Services > Credentials > Manage service accounts.
      - In OAuth 2.0 client IDs, copy and save the Client ID.
2. Enable API Access in G Suite Marketplace from the new service account.
   a. Select APIs & Services > Dashboard > ENABLE APIS AND SERVICES.
   b. Search for and Enable the following three APIs:
      - Google Drive API
      - Admin SDK
      - Audit API
3. Enable API Client access to G Suite Marketplace.
   a. Log in to the Google Admin Console as the G Suite administrator with Super Admin role permissions.
   b. Select Security > Advanced settings > Manage API client access.
   c. Specify the Client ID and required scopes.
      - In Client Name, enter the Client ID that you saved in step 1.f.
      - In One or More API Scopes, copy and paste the following scopes, then Authorize access to data in Google services:
        https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/drive.apps.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.reports.audit.readonly
4. Add the G Suite Marketplace app. After authentication, Prisma SaaS adds the new G Suite Marketplace app to the Cloud Apps list as G Suite Marketplace n, where n is the number of G Suite Marketplace app instances that you have connected to Prisma SaaS. For example, if you added one G Suite Marketplace app, the name displays as G Suite Marketplace 1. You’ll specify a descriptive name soon. From this point forward, keep this project exclusively for Prisma SaaS. Do not revoke, disable authorization, or change the project in any way. If you do, Prisma SaaS stops scanning.
5. (Optional) Give a descriptive name to this app instance.
   a. Select the G Suite Marketplace n link on the Cloud Apps list.
   b. Enter a descriptive Name to differentiate this instance of G Suite Marketplace from other instances.
   c. Click Done to save your changes.
6. Start Scanning to begin discovery.
7. View the results of third-party app discovery. During the discovery phase, Prisma SaaS scans for third-party apps and the users that are using them. Even in the unusual case that none of your end users have installed a third-party app, Prisma SaaS still displays:
   - G Suite Administrator as a Top User.
   - G Suite as one of the Unclassified third-party apps. You can Approve it, but you cannot Block it.
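As an added pre-flight check (example code, not from the Prisma SaaS documentation) for the Manage API client access step above and for the "Unable to perform this operation" troubleshooting entry below, the script normalises the scope string pasted into One or More API Scopes, compares it with the exact scope set this page lists, and flags a malformed Client ID; the digits-only Client ID test and the sample entry are assumptions.

```python
# Added pre-flight check (not the Prisma SaaS docs' own code) for the "Manage
# API client access" step: normalise the pasted scope string and compare it
# with the exact set the page lists (missing = scanning fails, extra = more
# access than Prisma SaaS needs).
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/drive.apps.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
})
# The one required scope that is not read-only: it manages users' access
# tokens, which is what token revocation (remediation) relies on.
WRITE_CAPABLE = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.security",
})
# Constructed sample entry: stray space, line break, trailing comma, one extra scope.
SAMPLE_ENTRY = ("https://www.googleapis.com/auth/userinfo.email, "
                "https://www.googleapis.com/auth/userinfo.profile,\n"
                "https://www.googleapis.com/auth/drive.apps.readonly,"
                "https://www.googleapis.com/auth/admin.directory.user.readonly,"
                "https://www.googleapis.com/auth/admin.directory.user.security,"
                "https://www.googleapis.com/auth/admin.reports.audit.readonly,"
                "https://www.googleapis.com/auth/drive,")


def parse_scopes(pasted: str) -> list:
    """Split on commas, spaces or newlines; drop blanks and duplicates."""
    seen = []
    for part in pasted.replace("\n", ",").replace(" ", ",").split(","):
        part = part.strip()
        if part and part not in seen:
            seen.append(part)
    return seen


def check_api_client_access(client_id: str, pasted_scopes: str) -> dict:
    """Report on one API client access entry; ok only on an exact match."""
    granted = set(parse_scopes(pasted_scopes))
    missing = sorted(REQUIRED_SCOPES - granted)
    extra = sorted(granted - REQUIRED_SCOPES)
    # Assumption (heuristic): service-account OAuth client IDs are all digits.
    client_id_ok = client_id.strip().isdigit()
    return {
        "client_id_ok": client_id_ok,
        "missing": missing,
        "extra": extra,
        "write_capable": sorted(granted & WRITE_CAPABLE),
        "ok": client_id_ok and not missing and not extra,
    }
```

Run it against the exact string you intend to paste; an empty "missing" and "extra" list is what a working Prisma SaaS connection needs.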
Fix G Suite Marketplace Issues
The most common or most important issues related to adding a G Suite Marketplace app are as follows:
When you add the G Suite Marketplace app in Prisma SaaS, you receive an operation error:
Unable to perform this operation.
Prisma SaaS requires that all three values (client ID, email, and key) be accurate.
If any one of them is incorrect, Prisma SaaS cannot authenticate and displays the same error.
When Prisma SaaS returns the error, the UI displays the email and clears the sensitive fields (client ID and P12 Certificate).
Verify that all three values are accurate. The Google Admin account must have Super Admin role permissions. Also, make sure you’re uploading the correct key. Lastly, verify that all three APIs are enabled as outlined in step 2.
Your onboarding and initial discovery went smoothly, but there appears to be a delay in subsequent discovery.
Google's APIs allow a set amount of event updates (API calls) in a specific period. This throttling ensures maximum uptime of SaaS apps.
Prisma SaaS promptly requests event updates from Google, but this limit (quota) results in a latency in event delivery, depending on the amount of data being requested.
This latency is most noticeable when updates occur immediately after onboarding.
Your onboarding and initial discovery went smoothly, but Prisma SaaS is no longer discovering third-party apps that you know were installed. Prisma SaaS does not display an error and the Cloud Apps list indicates
This issue can occur when an admin unintentionally disables API access or changes the Prisma SaaS G Suite project on GCP. Prisma SaaS depends on such authorization and immediately stops working when access is revoked.