Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.
Before enabling the Trusted Endpoints policy on your applications, you'll need to configure your managed mobile devices. This guide walks you through Google G Suite configuration for Android mobile devices.
Note that this G Suite management integration and the Duo Mobile management integration for verifying endpoints are mutually exclusive. You won't be able to use G Suite for verification if a management integration for Duo Mobile exists.
The new G Suite integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.
Keep the Duo Admin Panel open in your browser. You'll need to refer back to the G Suite management integration page to complete the configuration steps.
Log on to the Google Cloud Platform console as an administrator and use the menu on the left to navigate to IAM & admin → Service Accounts.
Select a project. If you don't have any current Cloud Platform projects you'll need to click the Create Project prompt to proceed. Give your new Google Cloud Platform project a descriptive name, like "Duo Auth". If you do already have a Google Cloud Platform project created for another use you can create a new project for Duo.
Click Create service account on the "Service account management" permissions prompt. Enter a Service account name
Click Create service account, then give it a name. You do not need to select a Role. Select both Furnish a new private key (leave the default JSON selection) and Enable G Suite Domain-wide Delegation.
When you click Create, it automatically downloads the new service account's JSON key file. Close the pop-up once the file downloads.
Click the View Client ID link on the far right for the service account you just created, and note the Client ID (typically a string of numbers). You'll need this to complete configuration.
While still logged in to the Google Cloud Platform console as an administrator, navigate to APIs & services → Library.
Search for Admin SDK on the "API Library" page. Click on it to view.
Click the Enable button for Admin SDK.
To complete this part of your G Suite configuration you'll need to copy information from Duo to G Suite. Log in to the Duo Admin Panel and view your G Suite management integration's properties page before the next steps.
Log on to the G Suite Admin console as an administrator and click on Security.
Click Advanced Settings and then click the Manage API client access link.
Copy the Duo Cloud Platform service account client ID and paste it in as the authorized API Client Name.
Copy the scope url from step 3 of the G Suite management integration setup page (e.g.
https://www.googleapis.com/auth/admin.directory.device.mobile.readonly) and paste it in to the authorized API One or More API Scopes field.
Click the Authorize button.
Return to your Google G Suite management integration page in the Duo Admin Panel.
Enter the following information into the blank fields under step 3 of the Google G Suite "Enter API Details" section:
|Admin Email||Enter the email address of the G Suite administrator.|
|API User Email||Enter the client_email from the private key file downloaded from the Google Cloud Platform console earlier when you created the service account.|
|Private Key||Enter the private_key from the private key file downloaded from the Google Cloud Platform console earlier when you created the service account.|
Click the Test Configuration button to verify Duo's API access to your Google G Suite instance. You'll receive a "Configuration Succesful!" message if everything's correct. If the test fails, verify that you completed the Google G Suite configuration steps and entered the right information in the Duo Admin Panel.
After you successfully test your configuration, click the Save & Configure Android Devices button.
Once your G Suite managed devices receive the Duo config you can set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.
When your trusted endpoints policy is applied to your Duo applications, return to the G Suite trusted endpoint management integration in the Admin Panel and enable it by clicking the Change link at the top of the page next to "Integration is disabled". You can choose to either activate this management integration for just members of a specified test group or groups, or activate for all users.
Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Google G Suite integration from "Trusted Endpoints Configuration". You should also disable your Duo admin user in Google G Suite.
Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.