What happens if I have multiple domains in my Google Workspace tenancy, but only want to federate one domain to RM Unify? Federating sign-on to a third party is a Google organisation-wide (tenancy-wide) setting. As such, any users* in any domain of the Google Workspace tenancy who are not linked to an RM Unify account will not be able to sign in. The alternative options would be to:
- Federate all domains in your Google Workspace tenancy to separate RM Unify establishments.
- Separate your domains into two Google Workspace tenancies, one for federated and one for unfederated domains.
* The exception to this is Google Workspace Super Admin users.
Will the RM Unify provisioned OUs inherit any settings? The OUs provisioned by RM Unify are configured to inherit settings from the root OU, so any settings already set against the root OU will apply to all users provisioned into the OUs created by RM Unify.
What happens to my new users? Newly provisioned RM Unify users will be automatically placed in the appropriate RM Unify provisioned OU, based on role or year group.
What happens to my existing Google Workspace users? During the federation process, you will be prompted to match your RM Unify users to any existing Google Workspace accounts. The matching is done based on email address. If the matched Google Workspace user resides in the root OU, then RM Unify will automatically move the user to the appropriate RM Unify provisioned OU. If the matched Google Workspace user does not reside in the root OU, then RM Unify will not move the user. This is a deliberate precaution to prevent RM Unify from changing previously set customer-defined settings applied to existing users. Although the Google Workspace user will not move OU, it will still be matched to the user's RM Unify account so that future RM Unify account updates such as name changes will still be applied.
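A pre-federation check built from the matching rules above and the tenancy-wide sign-in rule in the first question, as an added example that is not RM Unify's own code. It assumes user records exported from the Admin SDK Directory API (`primaryEmail`, `orgUnitPath`, `isAdmin`), a list of RM Unify email addresses, and case-insensitive email comparison; `plan_federation` and the sample data are hypothetical.

```python
from collections import defaultdict

ROOT_OU = "/"  # orgUnitPath of the root OU in the Directory API

def plan_federation(google_users, rm_unify_emails):
    """Group existing Google Workspace users by the outcome this FAQ describes."""
    # Assumption: addresses are compared case-insensitively.
    known = {e.strip().lower() for e in rm_unify_emails}
    plan = defaultdict(list)
    for user in google_users:
        email = user["primaryEmail"].strip().lower()
        if email in known:
            # Matched by email: only users sitting in the root OU are moved.
            if user["orgUnitPath"] == ROOT_OU:
                outcome = "matched_moved_to_provisioned_ou"
            else:
                outcome = "matched_stays_in_current_ou"
        elif user.get("isAdmin", False):
            # Super Admins are the stated exception to the tenancy-wide rule.
            outcome = "unlinked_super_admin"
        else:
            # Any other unlinked user, in any domain, loses sign-in.
            outcome = "unlinked_cannot_sign_in"
        plan[outcome].append(email)
    return dict(plan)

# Constructed sample data (not real accounts).
SAMPLE_GOOGLE_USERS = [
    {"primaryEmail": "a.teacher@school.example", "orgUnitPath": "/", "isAdmin": False},
    {"primaryEmail": "b.pupil@school.example", "orgUnitPath": "/Legacy/Year 7", "isAdmin": False},
    {"primaryEmail": "it.admin@school.example", "orgUnitPath": "/", "isAdmin": True},
    {"primaryEmail": "governor@other.example", "orgUnitPath": "/Governors", "isAdmin": False},
]
SAMPLE_RM_UNIFY_EMAILS = ["A.Teacher@school.example", "b.pupil@school.example"]

if __name__ == "__main__":
    result = plan_federation(SAMPLE_GOOGLE_USERS, SAMPLE_RM_UNIFY_EMAILS)
    for outcome in sorted(result):
        print(f"{outcome}: {', '.join(result[outcome])}")
```

Review the `unlinked_cannot_sign_in` list before federating, and the `matched_stays_in_current_ou` list to decide which users to move to the root OU first.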
I want to move users from manually created OUs to the RM Unify provisioned ones. How do I do that? In the Google Admin Console:
- Apply any desired settings (e.g. to ensure availability of the correct apps, e-safety restrictions for appropriate user groups, usability preferences etc.) to the RM Unify provisioned OUs.
- Move users from the manually created OUs to the root OU.
- Delete any manually created OUs no longer used to prevent future confusion.
- Sign on to RM Unify using an admin account and select a Google Workspace tile in the App Library.
- Click 'Are users missing from Google Workspace click here' and select the Resync Users option in the Support Info section.
- Depending on the number of users in your RM Unify establishment, it may take up to 30 minutes or more to resync all users.
What happens if I create additional OUs in future (e.g. Vulnerable Students) and move users to them using the Google Workspace Admin Console? RM Unify will not move them back to their RM Unify provisioned OU automatically (this is a deliberate precaution). Provided their email address remains the same, the Google Workspace user will remain linked to the user's RM Unify account and future account updates will continue to apply.
You can move them back into the appropriate RM Unify provisioned OU at any time by moving them to the root OU and initiating a resync from a Google Workspace tile in the RM Unify App Library.
Can I rename the RM Unify provisioned OUs, e.g. change Students to Pupils? No. OUs are identified by their name and parent path, which means renaming an OU changes its lookup identifier, as well as the lookup identifier of any descendant OUs. This prevents RM Unify from identifying the OU during subsequent user provisioning tasks, with the following symptoms:
- When the next new user is created, or a resync initiated, RM Unify will recreate the expected OU(s). New users will be placed in the recreated OU. Existing users will remain in the renamed OU.
- RM Unify establishment type, role and year group membership updates will not be applied to Google Workspace users in the renamed OUs.
- Non-OU related updates (e.g. display name, role, password changes) will be applied as normal.
I don't like the naming convention used for the RM Unify provisioned student year OUs. Can I rename them, e.g. rename Year 2010 to be Year 2017 or Year 7? No. As mentioned above, RM Unify relies on a specific name and path to OUs. RM Unify will recreate any missing year group OUs it expects to find and will only place new users in RM Unify provisioned OUs. You could create your own year group OUs with the desired name and manually move students into them, but this would require ongoing maintenance. Please see the earlier question 'What happens if I create additional OUs in future'.
Can I change the name and/or email address of an RM Unify provisioned group? Yes, you can change the name and/or primary email address of the group using the Google Workspace Admin Console. The original email address will be retained as an alias and you can add additional aliases if desired. To send an email to the group in Gmail, users can type the email address or any part of the group's display name to find the group.
What happens to my existing Google Workspace groups and classrooms? They will remain untouched. RM Unify does not make any changes to groups and classrooms it did not provision.
Can I still use Google Cloud Directory Sync (GCDS - previously known as Google Active Directory Sync, or GADS), to provision additional users, groups and contacts while federated to RM Unify? You can continue to use it to provision groups and contacts but not users or passwords as these will come from RM Unify. We do not, however, provide support for configuring or managing GCDS unless you have purchased a custom contract that includes this.
Which attributes are passed to the Google Workspace account? The following RM Unify attributes are passed to a user's Google Workspace account:
| RM Unify attribute | Destination Google Workspace attribute |
| --- | --- |
| First name | First name. For Teaching and Non Teaching Staff, only the first initial of the first name is displayed by default. Note: It is possible to customise your configuration to allow the full first name of staff, if requested, e.g. John. Please raise a support call with your usual support provider. |
| Last name | Last name. |
| RM Unify email address | Primary email address. |
| Display name | Google Workspace automatically concatenates the user's display name by using the first name and last name values. For Teaching and Non Teaching Staff, this will display the first initial of the first name, e.g. J Smith. Note: Please see the 'First name' RM Unify attribute above if you would prefer to have staff display names which use the full first name, e.g. John Smith. This is the only alternative display name format. The Google API does not yet allow salutations such as 'Mr.', 'Mrs.', etc. |
| Year of Entry (students only) | Cost Center* and user assigned membership of the year of entry group. |
| Role type | 'Type of Employee'* and user assigned to role-group OU, along with membership of role group. |
| Establishment name and DfE code | Department*. |
| Registration group (if MIS group sync to Google Classroom configured) | User assigned membership of registration group class in Google Classroom. See TEC5513962 in the Other Useful Articles section below for more information. |
| Teaching group (if MIS group sync to Google Classroom configured) | User-assigned membership of a teaching group class in Google Classroom. See TEC5513962 in the Other Useful Articles section below for more information. |
*for establishments newly federating after release of RM Unify v4.20 on 14 December 2021. If your establishment was federated before this date, then we are not populating these attributes by default but can do so on request. Please raise a support call with the RM Unify support team.
What happens in Google Workspace when I delete an RM Unify user? The linked Google Workspace account will be suspended initially and then permanently deleted once the RM Unify user has remained deleted for nine months. More information about the RM Unify account deletion process can be viewed here. If you prefer, you can choose to manually delete the Google Workspace account before the nine-month period is reached.
What happens when I disable an RM Unify user? When the RM Unify account is disabled, via whatever provisioning method is in use, the linked Google Workspace account will be suspended.
Can I change a user's email address in Google Workspace? You can rename a user in RM Unify (or on the network if AD Sync is in use) and this may allow the associated email address to also update in line with the new name (unless the desired email address is already in use, or is set as an 'override'). Alternatively, for CSV or MIS Sync provisioned RM Unify accounts, you can update the email address directly in the Management Console and it will flow through to Google Workspace. After the email address is renamed, the user's previous email address will be added as an alias in Google Workspace, ensuring that the user continues to receive emails sent to their old address.
Can I still create users directly via the Google Workspace Admin Console? Only Admin users (Google Workspace users assigned Super Admin role) can be created directly in the Console. All other non-admin users should be provisioned via RM Unify.
Do passwords synchronise between RM Unify and Google Workspace? Yes, there is one-way password synchronisation from RM Unify to Google Workspace.
Can I continue to access Google Workspace via Chromebooks or other devices after federation with RM Unify? Yes, as long as the user's RM Unify password meets the minimum password criteria you have configured in Google Workspace.
Can I single sign-on to RM Unify and Google Workspace using a Chromebook? Yes. Users can single sign-on to RM Unify when signed into their Chromebook with their RM Unify managed Google Workspace account.
To single sign-on to RM Unify, users must visit the URL given below. We recommend applying the following settings in the Google Admin Console to make your Chromebook users go to this URL automatically:
- Navigate to Devices, Chrome, Settings, 'Users & browsers'.
- On the right-hand side, under 'USER & BROWSER SETTINGS', browse down to the Startup section.
- From the Homepage setting drop-down menu, select the 'Homepage is always the URL set below' option.
- In the Homepage URL field, enter https://<scope>.rmunify.com/sso/google.
- Also, include the same URL as the first item in the 'Pages to load on startup' field.
How does RM Unify work with Google Classroom? As an establishment with RM Unify MIS Sync enabled, it is possible to sync your teaching groups, year groups and registration groups from your MIS with Google Classroom to create Classes based on those groups. More information can be found in TEC5513962 in the Other Useful Articles section below.
My school will be changing DfE code in the near future, what will happen to the OUs, role groups and classes that have been provisioned from RM Unify? Once you raise a support call with us to change the DfE code, we will make this change in RM Unify. Your existing Google Workspace OU path structure will be renamed to take into account the new DfE code. Your existing Google Workspace role groups will remain unchanged as these do not use the DfE code.
If you have set up automatic MIS group sync to Google Classroom, your existing Google class names will remain unchanged. Class owners can choose to manually rename these classes in Google Workspace if desired. If you would like new class names to use the new DfE code then update the name identifier setting in 'Set up group sync to apps'. Refer to TEC5513962 in the Other Useful Articles section below.
Can I use Google Workspace and Microsoft 365 at the same time? Yes, for more information, please refer to the following articles in the Other Useful Articles section below:
- TEC4945314: Supported configurations when federating your RM Unify establishment to Google Workspace and Microsoft 365.
- TEC4904117: Unable to match existing Google Workspace accounts to RM Unify when Microsoft 365 is already installed.