The Google for Education Community Platform

The guide can be ignored. It's just there to help ease those who never used API Access Control into the process.

So the "confirmation" only makes sure you have configured the necessary apps for OUs Under-18... while I keep saying this entire separate-Over/Under-18 thing was completely unnecessary.

What they should have done was just force change the setting to Block everything, and just tell everyone that they need to do the necessary work before the deadline.

NOBODY should be running with the setting Allow everything, regardless of user age.

Exactly!

I have always run 100% Restricted, but I will actually switch the Google Sign-in service to Unrestricted, after confirming that my thoughts are correct.

Then perhaps I can set a new service to Limited and it'll only be allowed to access the unrestricted Google sign-in, even if it wants to use other restricted services.

That's what I have to test and verify before changing it globally.

Thanks Kim!  I think that makes a lot of sense, on mine there are a bunch that have 0 users using them, so I figure I can set those as restricted and wait until the point where someone is blocked to let me know.  I am using "the forcing students" as the reason to push it for everyone and really tighten up all the extensions that staff were loading.  Let us know if you can verify the limited theory, or if anyone else can comfirm.

Id be interested in the outcomes of your experiments.

They actually have to log into it using their school account.

Not use username/password but click the Sign-in with Google button.

There has been a few times that there was an API access that we reviewed, it was not Google Certified, but was necessary for what it was needed for. On those few Apps I set the access to Limited, but I was always curious as to what it really limited.

Limited means it can access all Google Services that are set to Unrestricted here.

Ah, thank you sir!

Nope, I don't know. I haven't tested.

It should definitely be included in the request, so you should give that as feedback.

You can see who requested what by doing this:

My search shows almost exactly the same list.  

Either block for students OU or change to only Trust for staff OU.

Yes, start the Add an app process, but don't finish it. After supplying the ID, it will reveal the service, sometimes. 🙄

Other times, the name is useless.

ChatGPT is called "Universe". Completely irrelevant.

Access will be allowed, because you trusted the client_id, not the scopes.

In conversations with one of the team engineers it has been said that we eventually also want to be able to control exactly which scopes are allowed, not just a blanket Yes/No.

However, this is where controlling the Google services come into play.

If you set such a client_id as Limited, then it should only be able to access Unrestricted Google services.

I still haven't verified this 100% (I'm on summer vacation), but I will.

This wording is based on US/American law, and actually has nothing at all to do with Google/Workspace, nor is it relevant to anyone outside of USA, where other laws rule.

In Sweden, and most likely all of EU, where GDPR is valid, these decisions are 100% made by the school/district and parents have no say whatsoever.

This is American CYA wording, making sure whatever happens, none of it is Google's fault.

My recommendation stands fast.

Give feedback to Google that we want to be able to turn Off requests.

I do not want to allow students to request.

I have 0 requests, and I am never going to allow anything this way.

I now have a list that looks like this. Since I can't keep students under 18 from requesting - this is what I end up with. Now, I'm tempted to just do nothing as these are blocked by default and that is what I want. But I also don't want to end up with a huge list. I could copy the cliendIDs, make a csv and upload that (I assume?). But then that just feels like a roundabout way of doing the same thing.

To configure each of these is like 8 clicks on 4 different pages.

Ignore them.

Also give Google feedback that we want a setting to disable requests from Under-18, and another setting to enable requests from Over-18!

How dumb was that to force requests from Under-18 while not making it possible for Over-18 to request?

Has an official feature request been created anyone yet that we can up vote? Teachers are hating us muchly for shutting the door on these third party apps but it's equally annoying for us to track down what to research/open. The bottom line seems to be that Teachers were opening their school accounts up to way more services than the should've been, so a necessary evil. 18+ having a way to request apps will make the flow easier for sure. I almost want to just make the staff under 18 for a week or two so they can get them in!

We have a Google Form for the new apps & services.

One advantage of the Request process is that you get the correct client_id without having to explain to the user how to get it.

Alrighty, I submitted a feature idea here. I think that's the proper place no? Also, I found out yesterday that in order to see what scopes a third party app wants to access, we have to have an account accept the 0Auth for those fields to be populated in the Admin Console. (That seems backwards)

Thanks!

Immediately upvoted.

I'm toying with the idea of trying to use this to an advantage: if teachers are trying to use something WITH students and the students get the error message, ask ALL the students to click the request button.  Then I see multiple students requesting the same app I'll know that it's a teacher trying to use it with them.  Otherwise, ALL my requests from students have been one offs, so easy to ignore.

I'm taking this approach because this whole 'approval of app API' has let me know that there is a complete set of online sites that teachers were using with students that I had no idea they were using ... and some that I've turned off are maybe ok (I just haven't had time to review them all yet).  Yes, they are supposed to only use authorized stuff, but we have a culture of 'teachers never get into trouble' if they don't follow the rules.  But I can't blame the teachers: Alberta, Canada, isn't know for citizens who follow the rules ... me included (I set up bootlegged wifi at schools when District office said 'no').