Use this guide to enable the provisioning of end-users' iOS devices to access G Suite (formerly Google Apps) without requiring the Google password or manual setup.

1. Have iOS 5.0 or later devices

2. Create a Service Account with G Suite (see G Suite API Configuration Steps below)

3. Delegate domain-wide authority to the G Suite Service Account (see G Suite API Configuration Steps below)

4. Have a directory Service Account with read and write access for SecureAuth IdP

5. Create a New Realm for the iOS G Suite Provision in the SecureAuth IdP Web Admin

6. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access this application must be defined
  • Registration Methods / Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access this page (if any) must be defined

The Registration Methods tab in SecureAuth IdP Version 9.0 has been renamed Multi-Factor Methods as of Version 9.0.1


1. Download the Apple Configurator 2 from Apple

2. Click File > New Profile (or CMD + N)

3. In the General section, provide a Name for the profile, e.g. Gmail Profile

4. (OPTIONAL) Set the Organization, Description, and Consent Message fields to preferred values

5. Select Always from the Security dropdown


6. In the Exchange ActiveSync section, provide an Account Name for the Exchange ActiveSync account, e.g. Gmail ACME

7. Set the Exchange ActiveSync Host to m.google.com

8. Check the Use SSL box

Leave the remaining fields blank as they are automatically populated during the provisioning process

9. Save (CMD + S; or close the window, which opens the prompt) the profile and keep the .mobileconfig file available for the SecureAuth IdP Configuration Steps (below)

This step is for Active Directory data stores only

1. In the Profile Fields section, map the directory field that contains the user's Gmail address to the SecureAuth IdP Property, e.g. Email 1

Be sure that the Gmail Address includes the domain name, e.g. user@company.com

2. Map the directory field that contains the user's Gmail password to the SecureAuth IdP Property, e.g Aux ID 1

3. Select Advanced Encryption from the Data Format dropdown, and check Writable

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes


4. Select iOS G Suite Provision from the Authenticated User Redirect dropdown in the Post Authentication tab in the Web Admin

5. An unalterable URL is auto-populated in the Redirect To field, which appends to the domain name and realm number in the address bar (Authorized/iOSProvisionEmail.aspx)

6. A customized post authentication page can be uploaded, but it is not required


7. Select the SecureAuth IdP Property that corresponds to the directory field that contains the Gmail address (Email 1)

8. Leave the Google Apps Domain Name field blank

9. Set the Admin Email to the G Suite Administrative email account

10. Set the Service Email to the Service Account email address obtained from the G Suite Steps above (step 18)

11. Click Choose File and select the p12 File obtained in the G Suite Steps above (step 12)

12. Set the P12 Password to the Private Key Password obtained in the G Suite Steps above (step 12)

13. Select Enabled from the Create User dropdown if SecureAuth IdP is to automatically create the G Suite user account (if it does not already exist)

14. Select Enabled from the Sync Password dropdown if SecureAuth IdP is to conduct a one-way synchronization of the user's directory password to G Suite

To synchronize on specific dates versus every time the password changes, map a directory field to the Ext. Sync Pwd Date property in the Data tab

If no field is mapped, then the password synchronizes every time

G Suite requires passwords with a minimum of 8 characters

15. Select Enabled from the Mail Forwarding dropdown if another email address will receive messages; select Disabled to disable the feature; or select Not Set if SecureAuth IdP is to not be included in this feature

16. Select the Profile Field that contains the user's Forwarding Email Address


17. Click Choose File to Upload new 3.0+ Template, and select the Gmail Profile file saved in the Apple Configurator Configuration Steps (step 9)

18. Select Aux ID 1 (or the Profile Property that contains the user's Gmail password) from the Email Password Mapping dropdown

19. Select True from the Sync Password Every Time to synchronize the password every time from G Suite to the iOS device

If True is selected, and Random Password is selected from the Password Syncing dropdown (step 20 below), then only one iOS device can be used at a time

If False is selected, and Random Password is selected, then multiple iOS devices can be used at a time

If User Password is selected from the Password Syncing dropdown, then users can employ multiple iOS devices no matter the selection in this step

20. Select Random Password from the Password Syncing dropdown to provision the device with a Google password unknown to the user

Select User Password to provision the device with the user's Gmail password

21. Select True from the Generate Profile with Cert dropdown to generate a certificate with the profile (if connection requires it)

Click Save once the configurations are completed and before leaving the Post Authentication page to avoid losing changes


22. Click View and Configure FormsAuth keys/SSO token to configure the token / cookie properties of this realm

These are optional configurations