Begin Scanning Third-Party Apps on the G Suite Marketplace

Enable Prisma SaaS to discover third-party apps that your users attempt to install from G Suite Marketplace.
Prisma SaaS can discover third-party apps that your users attempt to install from G Suite Marketplace. To protect your application ecosystem from unsanctioned third-party apps, enable Prisma SaaS to scan for them by adding the G Suite Marketplace app.
After you add the cloud app, configure automatic remediation for the third-party apps that Prisma SaaS discovers, or manually remediate.
Before you begin, you must create a service account and enable Administrator and client API access in G Suite. As you prepare the G Suite account, take note of the following values, as they are required to complete the setup of the G Suite Marketplace app on Prisma SaaS:
| Item | Description |
| --- | --- |
| New Private Key | A P12 format private key certificate issued from your Google service account. This required certificate is uploaded on Prisma SaaS when adding the G Suite Marketplace app. |
| Private Key Password | The default password for the new private key. |
| Client ID | The client ID is entered when enabling G Suite domain-wide delegation, and on Prisma SaaS when adding the G Suite Marketplace app. |
| Google Administrator email | The email entered to create a service account in G Suite Marketplace, and on Prisma SaaS when adding the G Suite Marketplace app. |
  1. Create a service account in Google for G Suite Marketplace.
    1. Log in to Google Developer Console as the G Suite administrator.
      If you have not used the Developer Console before, Agree to the Google Cloud Platform Terms of Service.
    2. At the top of the screen next to your most recent project name, open your project list and then Create a new project.
    3. Select your organization (domain) and add your new project.
    4. Name your project and Create the product.
    5. Click Notifications and select Create Project: <project name>.
    6. Search for Credentials and select Credentials API Manager.
    7. Select OAuth Consent and enter your <project name> in Product Name Shown to Users, and Save the project.
    8. Select Credentials > Create Credentials > Service Account Key.
    9. Select P12 as the Key Type and Create the service account key.
      Select Create Without Role if a warning message displays.
    10. After a default password and new private key are issued, Save the new private key to your computer.
      Store the private key securely as the key cannot be recovered if lost, and is required for adding the G Suite app on Prisma SaaS.
    11. Select Credentials > Manage Service Accounts.
    12. Click the three dots to the right of the service account and select Edit.
    13. Enable G Suite Domain-wide Delegation and Save.
    14. Click View Client ID for <project name>.
      Note the value of the Client ID, and Save.
  2. Enable API Access in G Suite.
    1. On your service account, select Credentials > API Manager > Dashboard > Enable API.
    2. Click Google APIs and select Drive API and Admin SDK under G Suite APIs.
    3. Enable the API.
    4. Return to Dashboard > Enable API > G Suite APIs and Enable the Drive API.
    5. In Google APIs, Search for and Enable the Audit API.
  3. Enable API Client access to G Suite.
    1. In a new browser window, log in to Google Admin Account as the G Suite Administrator.
    2. Select Security > Show more.
    3. Select Advanced Settings > Manage API Client Access.
    4. Enter the Client ID previously noted in Client Name.
      Copy and paste the following scope in One or More API Scopes, and then Authorize access to data in Google services.
      https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/drive.apps.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.reports.audit.readonly
  4. Add the G Suite app.
    1. On the Prisma SaaS Dashboard, Add a Cloud App.
    2. Select G Suite, then Click here to prepare your G Suite Account.
    3. Enter the Google Administrator Email, the Client ID you previously noted, click Upload Certificate to upload the P12 format private key certificate issued from your Google service account, and click OK.
    4. Connect to G Suite Account.
      Upon successful authentication, the new G Suite app is listed in Cloud Apps as G Suite n, where n is the number of G Suite app instances that you have connected to Prisma SaaS, for example G Suite 1.
    5. Review and Accept the permissions for Prisma SaaS when scanning your assets on G Suite.
  5. Add policy rules.
    When you add a new cloud app, Prisma SaaS automatically scans the app against the default data patterns and displays the match occurrences. As a best practice, consider the business use of your app to determine whether you want to Add a New Asset Rule to look for risks unique to any G Suite Marketplace apps.
  6. (Optional) Configure or edit a data pattern.
    You can Configure Data Patterns (Basic DLP) to identify specific strings of text, characters, words, or patterns to make it possible to find all instances of text that match a data pattern you specify.
  7. Monitor the results of the scan.
    As Prisma SaaS scans files and matches them against the settings, view the results by selecting Explore > Third-Party Apps. To assess and remediate the results:
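
Returning to the API scopes authorized in step 3: the following is an added example, not part of the original documentation or any Prisma SaaS code, that compares the scopes actually granted to the service account's Client ID against the scope list given on this page and reports drift. The function names and the sample grant are constructed for illustration.

```python
# Added example: audit a domain-wide delegation grant against this page's scope list.
PREFIX = "https://www.googleapis.com/auth/"

# The six scopes documented in step 3 of this page.
DOCUMENTED = ",".join(PREFIX + s for s in (
    "userinfo.email", "userinfo.profile", "drive.apps.readonly",
    "admin.directory.user.readonly", "admin.directory.user.security",
    "admin.reports.audit.readonly",
))

def parse_scopes(raw):
    """Split a comma-, space- or newline-separated scope string into a set."""
    return set(raw.replace(",", " ").split())

def audit_grant(granted_raw, expected_raw=DOCUMENTED):
    """Report how the scopes authorized for a Client ID differ from the expected set."""
    granted, expected = parse_scopes(granted_raw), parse_scopes(expected_raw)
    unexpected = granted - expected
    return {
        # Documented scopes that were not authorized (integration may not work).
        "missing": sorted(expected - granted),
        # Scopes authorized beyond what the page asks for (excess privilege).
        "unexpected": sorted(unexpected),
        # Excess scopes without the ".readonly" suffix: review these first.
        "unexpected_not_readonly": sorted(
            s for s in unexpected if not s.endswith(".readonly")),
        # Entries that are not Google OAuth scope URLs at all (paste errors).
        "malformed": sorted(s for s in granted if not s.startswith(PREFIX)),
    }

def is_clean(report):
    """True when the grant matches the documented scope set exactly."""
    return not any(report.values())

# Constructed sample: the audit scope was dropped and two Drive scopes were added.
SAMPLE_GRANT = """
https://www.googleapis.com/auth/userinfo.email,
https://www.googleapis.com/auth/userinfo.profile,
https://www.googleapis.com/auth/drive.apps.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.user.security,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/drive.readonly
"""

if __name__ == "__main__":
    for finding, scopes in audit_grant(SAMPLE_GRANT).items():
        print(f"{finding}: {scopes}")
```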
