All Google accounts are protected by advanced risk-based authentication. Your employees can further protect their account by enabling Google 2-step verification. However hackers are getting even more sophisticated and are starting to use phishing techniques to get around multi-factor authentication. For even more protection employees can leverage Google’s Security Key support which provides industry leading account security. If as an administrator you want to require these added security features, you can purchase Google Apps for Work Unlimited.
Your employees can leverage advanced account security to log in to supported SaaS apps via standards like SAML and OpenID Connect. This ODIC support can already be used with many SaaS apps listed in the Google Apps Marketplace. SAML is pre-configured for many popular SaaS providers or IT admins can add custom SAML apps integrations. Developers of apps that don’t support single sign on to work accounts hosted by Google can follow our API guides in the Google Identity Platform documentation to use these new features.
If you rely on apps that don’t support these standards, Google Smart Lock for Passwords can help your employees securely save their passwords. If they are using a personal phone, Google is even smart enough to save the passwords for their work email into their work account instead of their personal account.
Google provides multiple enterprise mobility controls. You can require that your employee’s phones have a screenlock, whether it is an iPhone fingerprint sensor, Google SmartLock or a basic PIN. You can also require that the phone is not jail-broken (done on Android using the Safetynet service tests). If an employee loses a device, you can tell Google to revoke the device, and the Google apps on the phone will wipe your business data that was stored on the phone. Many employees worry their company will take too much control of their personal phone, but these mobile controls are designed to address such privacy concerns.
Your custom built or third-party apps can also use information about the user and state of the device to decide what level of access to provide to each user
Google provides multiple options to manage your users. You can use Google’s Admin console, you can sync from an on-premise Active Directory (including passwords) or you can use our provisioning API if you want to sync from other sources like an ERP application.
Your user’s group management can be synced from other sources and we provide ways for employees to create and maintain groups themselves.