RM Cloud Service Delivery can assist you with your Google Workspace federation. For further information, please speak to your Sales representative on 01235 645 316 or email getintouch@rm.com, quoting this article.

Introduction

We recommend that you make Google Workspace available to your RM Unify establishment(s) using the RM Unify Google Workspace connector available in the App Library. The connector will automatically provision new users added to your RM Unify establishment(s) into Google Workspace and allow your users to access their Google Workspace accounts using the same username and password they use to access other apps and services available through RM Unify.

This article outlines the steps involved in setting up the RM Unify Google Workspace connector for your Google Workspace organisation. For each step, it gives general instructions, linking where appropriate to more detailed instructions in Google documentation.

Before proceeding with federation, you may find it helpful to read TEC5782172 from the Other Useful Articles section below to better understand how RM Unify manages Google OU structure, groups and users (including some user attributes) when federated.

Once you have installed the RM Unify Google Workspace connector, the following will happen:

• RM Unify will automatically create and manage accounts in Google Workspace for all your RM Unify users.
• RM Unify will automatically create and manage role groups and year groups in Google Workspace for your RM Unify establishment(s).
• RM Unify will automatically create and manage organisational units (OUs) in Google Workspace for your RM Unify establishment(s), role groups and year groups.
• For multi-academy trust and other multi-establishment customers using a shared Google Workspace organisation, RM Unify will additionally create establishment type OUs above your individual establishments to facilitate more efficient centralised administration.
• Users will log on to Google Workspace via RM Unify (and if they are already logged on to RM Unify, they will not have to enter their credentials again to use Google Workspace).
• Users that sign into their Chromebooks using their Google Workspace for Education account can automatically sign in to the RM Unify Launch Pad when they open Chrome (i.e. no additional sign in prompt).

After linking to RM Unify, only the Google Workspace super administrator will be able to log on directly to Google Workspace with their existing credentials. All other users will have to log on via RM Unify. Click here for more information.

When federating a Google Workspace domain, you must log on directly to the RM Unify establishment being federated to and start the federation wizard there. Do not use the Manage Other Establishments feature of the RM Unify Management Console to connect from another establishment, as there is a risk that both the establishments you are logged on to and the establishment you have connected to, will both be federated to the same domain. This would potentially update all of your existing users with email addresses on the incorrect domain and stop single sign-on from RM Unify.

Overview

To install and set up Google Workspace with RM Unify, you will need to complete these steps:

1. Sign up for Google Workspace for Education.
2. Verify your Google Workspace domain(s).
3. Get Google Workspace ready for linking to RM Unify.
4. Get sufficient Google Workspace educational licences for your establishment(s).
5. Link (federate) Google Workspace to your RM Unify establishment(s).
6. Complete any additional setup tasks in Google Workspace, as required.

Step 1: Sign up for Google Workspace for Education

If you don't already have Google Workspace for Education, you can sign up here.

During the sign up you will be prompted to choose an existing domain or buy a new domain. We recommend using your existing school domain (e.g. stmarys.sch.uk), because the .sch.uk suffix represents you as an educational establishment and simplifies verifying your educational establishment status. The domain you use will affect the email addresses that your users will have in Google Workspace, for example, if you choose stmarys.sch.uk, then your email addresses will end in @stmarys.sch.uk. If you don't want to use Google Workspace for email, you can still use your existing school domain and you will still be able to send and receive email using your existing provider, unless you also change your DNS MX records (see step 6 below).

If you're a multi-academy trust with multiple establishments, you may wish to register a parent domain (e.g. mymat.org.uk) to represent the trust, and a child domain for each member academy (e.g. academy1.mymat.org.uk, academu2.mymat.org.uk etc.).

The next step is to create a username for your Google Workspace account. We recommend that you use a generic username, such as 'google-superadmin' (accounts for individual users will be created later using RM Unify).

At the end of the sign up, you need to complete a form that allows Google to verify that you are eligible for Google Workspace for Education.

Step 2: Verify your Google Workspace domain

Having signed up, you will need to log on to the Google Workspace admin console using your new account. The first time you try to do this, Google Workspace may ask you to verify your account by phone (this includes a slightly confusing message about unusual activity on your account). Once you have done this, you may need to log on again; you will now be at the Google Workspace admin console.

You can now begin verifying ownership of your domain(s) by clicking the Start Setup button at the top of the admin console. In order to verify your domain(s), you will need to modify your DNS configuration. DNS configuration is typically provided by either your domain provider or your Internet Service Provider.

Note: Once you have verified your domain(s), Google Workspace will prompt you to move on to the next setup task - adding users - but we recommend that you don't add users now. You will be using RM Unify to add users, so please follow the instructions below for linking to RM Unify before you complete the remaining setup tasks in Google Workspace.

Step 3: Get Google Workspace ready for linking to RM Unify

To enable RM Unify to automatically manage your Google Workspace domain users, the platform requires the username and password for a super administrator account in your domain and an access code tied to that account. The access code can be generated in the 'Link Google Workspace to your RM Unify establishment' section below, but you need to create the account just now.
Note: The password and access code get stored securely in encrypted form within RM Unify, so it does not create a security risk.

To create the super administrator account:

1. Open the Google Workspace Admin console.
2. Add a new user. Click here for more info on creating Google Workspace users.
   1. The first part of the user's primary email address should be rmunifyprovisioningaccount.
   2. Select the link 'Manage user's password...', select 'Create password' for the user, create a long complex password and clear the 'Ask user to change password...' box.
      Note: Please keep a written record of this password, you willl need to enter it into RM Unify.
   3. Once the account is created, locate it in Users and select it.
   4. Expand the Security setting and ensure that 'Require password change' is set to OFF.
   5. Expand the 'Admin roles and privileges' section.
   6. Assign the Super Admin role and click Save.
3. Log on to Google Workspace as the new user and accept the terms and conditions.

Step 4: Educational licences assigned

Google will check your eligibility for educational licensing; until this check is complete, you will be limited to a small number of licences (typically 50).

Please wait until your eligibility has been checked before you proceed to link to RM Unify. Once Google has approved your educational status you will be granted 10,000 user licences. Although it is not actually possible to view the number of licences currently in use, when you reach close to your limit a warning will be shown under the Billing section of the admin console. At this point Google will contact you to add further licences.

If you link to RM Unify before sufficient licences are available in your establishment, some accounts will not be created in Google Workspace. RM Unify will check during installation and warn you if this is likely to happen. If you do run out of licences, you will need to uninstall all Google Workspace tiles, wait 20 minutes and then reinstall the tiles.

Step 5: Link Google Workspace to your RM Unify establishment

You will find several Google Workspace tiles in the RM Unify app library: Gmail, Google Calendar, Google Drive, Google Classroom, and Google Sites. Installing any one of these will link (federate) your Google Workspace organisation to RM Unify and create your RM Unify users in your selected Google Workspace domain. Installing the other tiles will then give you convenient links to services within Google Workspace. Removing tiles from one or more shared Launch Pads will not remove the corresponding user's access to Google Workspace, but unselecting one or more enabled roles will delete the associated users from Google Workspace.
Important note: If you're a multi-academy trust and you wish to share a single Google Workspace organisation (with a single or per establishment domain) across the various RM Unify establishments in your trust, you must install the RM Unify Google Workspace connector to your academy trust establishment first, then install it to each academy establishment. Failure to do so will adversely impact all subsequent federations of domains in your Google organisation. If you are not sure what to do, please feel free to contact RM Support for further advice on this.

To install Google Workspace:

1. Sign in to RM Unify using a Super Admin account.
2. Navigate to the App Library.
3. Find a Google Workspace tile (e.g. Gmail) and click it to begin the installation wizard.
4. Click 'Set up'. If you're an academy belonging to an academy trust that's installed the RM Unify Google Workspace connector and given permission for its child establishments to connect to its Google Workspace organisation, you'll be asked if you'd like to connect to your parent establishment's Google Workspace organisation. Select Yes or No.
5. If installing the connector for the parent establishment's Google Workspace organisation:
   1. Input the name of the domain pre-registered with your Google Workspace organisation that you'd like your RM Unify users auto provisioned into and click Next.
      Note: Make sure to enter just the domain name and not include the prefix 'www', e.g. enter 'stmarysps.sch.uk' and not 'www.stmarysps.sch.uk'.
   2. Once the Google Workspace health check successfully completes, click Finish.
   3. Now that the connector is set up for your establishment, select which roles you'd like provisioned into Google Workspace and which Launch Pads you want the tile to appear on.
   4. Click other Google Workspace tiles in the App Library and select which Launch Pads you want each to appear on.
6. Otherwise:
   1. Read the summary outlining pre-installation steps you need to perform in Google Workspace (those mentioned above) and if you've performed these steps, click Next.
   2. If you are installing the RM Unify Google Workspace connector for a different domain than your Microsoft 365 domain, tick the relevant box. If you do not tick this box and already have Microsoft 365 federated to RM Unify, then the same domain will be used.
   3. Enter the domain pre-registered with your Google Workspace organisation that you'd like your RM Unify establishment users to be provisioned into and input the credentials for the 'rmunifyprovisioningaccount' super admin account you created in the 'Get Google Workspace ready for linking to RM Unify' step above.
      Note: If you're a multi-academy trust and you wish to share a single Google Workspace organisation across the trust, please additionally do the following:
      1. Check the 'allow my child establishments to connect to my Google Workspace for Education organisation' option when installing the RM Unify Google Workspace connector to your trust establishment.
      2. When installing to each academy, select the 'connect to my parent establishment's Google Workspace organisation' option.
   4. On the next page in the setup wizard, "Give RM Unify permission to manage your Google Workspace organisation..", click the 'Sign in with Google' button.
   5. Log on using the Google Workspace Super Admin account created in the 'Get Google Workspace ready for linking to RM Unify' section above, tick all boxes and click Continue.
   6. When you receive the success message, "Thank you for giving RM Unify authorisation to access Google APIs for your establishment.", close the tab to return to the setup process, and finally click Next.
   7. RM Unify will then run a quick compatibility check to verify that your domain is properly set up and that you have enough licences. The results of this check will be displayed.
   8. After clicking Next, select whether or not to review your users' email addresses before federating your organisation. This option allows you to link existing users in your Google Workspace domain to existing users in your RM Unify establishment, or to control the email addresses that will be assigned to your RM Unify users when creating accounts for them in Google Workspace. Click Next.
   9. Once you are satisfied with your chosen email addresses, click Finish and on the next page, confirm any unmatched accounts by clicking Confirm Finished, OK.
   10. The next page is where you will confirm your agreement to connect your Google Workspace tenancy to our RM Education Partner Console. This is performed by retrieving a transfer token from Google Workspace as directed and entering it into the specified field. Once completed, click Next.
   11. The next page allows RM to add a custom schema, which contains RM Unify-specific attributes for use in user provisioning and management within your Google Workspace tenancy. Simply click Next to accept this schema change, then click Finish to complete the federation.
   12. The final steps are to tick the box agreeing to the privacy statement, then select the Roles to which Google Workspace should be installed to and also the Launch Pads the app should appear on.

Note: Please be aware that federating sign on to a third party is a Google organisational wide setting. As such any users belonging to any domain in your Google Workspace organisation not linked to an RM Unify account won't be able to sign in (unless they are a Google super admin; super admin accounts can log in directly to Google).

• If this email address already exists in Google Workspace, the Google Workspace account will be linked to the RM Unify user. Therefore the RM Unify user will log on to Google Workspace as jsmith@mydomain.sch.uk and see any existing emails and documents for this account.
• If there is no existing Google Workspace account, RM Unify will generate a new one.
• If there is already an account jsmith@mydomain.sch.uk then a number will be appended to the account to ensure uniqueness, e.g jsmith1@mydomain.sch.uk, jsmith2@mydomain.sch.uk etc

Step 6: Complete any additional setup tasks in Google Workspace

• Set the homepage for managed Chromebooks
  To single sign in to RM Unify, Chromebook users must visit a set URL in the format https://<RMUnifyScope>.rmunify.com/sso/google. We recommend applying this setting in the Google Admin Console to make your Chromebook users go to this URL automatically. For instructions on how to do this, log on to RM Unify and access the instructions on the RM Unify SSO settings page.
• Pre-authorise (accept consent for) Google apps on behalf of your Chromebook users
  1. Navigate to https://admin.google.com/AdminHome?fral=1&chromeless=1#OGX:ManageOauthClients as a Google Workspace Super Admin user.
  2. In the Client Name field, enter:
     83055815730-h9gpaet17qj2f2ip1tibdts0bqhn4l7m.apps.googleusercontent.com
  3. In the 'One or More API Scopes' field, enter the following comma-separated line of text:
     https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile
  4. Click Authorize to enter the values.
• Configure delivery of email
  For your users to receive emails, you will need to configure DNS MX records. There is extensive help on how to configure these and how to migrate existing email within Google Workspace. If you do not wish to use Google Workspace for email then we recommend not configuring DNS MX records and disabling Gmail (see 3.3 above).
• Create some groups
  RM Unify will create basic groups for roles (teaching staff, non-teaching staff and students) and for year groups if year of entry information is available. You may want to create more groups to allow easy communication within your school.
• Customising
  Using the Company profile link in the admin console, you can add your own school logo to be used Google Workspace.