(Unpinning this next week, as it has already rolled out. We may still come back to it in the future.)
So, despite the deadline being "moved to October", you need to fix your settings NOW!
The default settings are in effect, and say that Under-18 can't use third-party apps!
Here comes a bunch of images from my testing.
At the top of the admin console we can now see the new date.
There is also a new card on the front page.
If you click the Get started button new page opens the walk-through process of setting it up.
First you get to select the default setting for unconfigured (unknown or known) apps/services.
My recommendation has always been to keep the default "block all".
Then you are offered the opportunity to confirm and/or change the access of apps & services already in use.
You will have to allow/trust the client_ids of the third-party (external) apps & services that you wish your users can use with their Workspace accounts. Luckily those currently used are already listed (can be several thousands if you have many users), and you can easily click and change their access. For the future you will have to gather the client_id on the first run of a new service (it will be denied, with error details containing the client_id) and add it as trusted.
After finding those apps & services where you already have a formal, preferably written, decision that people should use, stop touching the list! Yes, you will have some whiners complaining about not being able to use TikTok with their work account, but that's their problem.
Any other apps/services that are to be allowed must go through a proper vetting process with a documented decision on whether to allow it or not. Anything else will make it untenable and most likely illegal. Yeah, I say "illegal". Just because you didn't block everything before doesn't mean that not doing that was legal.
Are you really sure? 🙂
Ta daaa!
Now you are prepared for the setting going into effect (in October, if we are to believe the first notification).
If you go to the API Access Control page manually, you can see there's a new card for pending reviews.
And the API Control Settings page display your new settings.
When a user tries to use a new/untrusted service they will be denied, with the opportunity to send a request for access.
This is what the confirmation of the request looks like.
"In the olden days" the user had to click the error details and send you the client_id, so you could add it manually, but today the request is automatically added to the new Pending review page, where you can easily click to allow it or not.
Nice, isn't it!?
However, a definite heads-up is warranted.
I have tested it, and my Under-18 test user is already being blocked... just saying... so perhaps it may come into effect before October. That's the user I created the SignIn and Request images with.
Update 2023-10-11 - My settings. Disabled Requests, and, of course, blocking everything for everyone.
4 ACCEPTED SOLUTIONS
Update 2023-10-11 - My settings. Disabled Requests, and, of course, blocking everything for everyone.
You can see who requested what by doing this:
My search shows almost exactly the same list.
I now have a list that looks like this. Since I can't keep students under 18 from requesting - this is what I end up with. Now, I'm tempted to just do nothing as these are blocked by default and that is what I want. But I also don't want to end up with a huge list. I could copy the cliendIDs, make a csv and upload that (I assume?). But then that just feels like a roundabout way of doing the same thing.
To configure each of these is like 8 clicks on 4 different pages.
Yesterday I received a Google Operations alert about this, reminding of the October 23 deadline.
Update 2023-10-11 - My settings. Disabled Requests, and, of course, blocking everything for everyone.
