Over the past year or so, I have seen more districts moving to a paid version of Google Workspace. As a result, they need a way to assign these licenses automatically. There is a way to do this within the Google Admin Console (GAC), but unfortunately, GAC does not provide a way to automatically remove licenses. This is a key component of the process to make it completely automated and hands-free, so we recommend not using this method. If you had previously used this method, it will need to be disabled to leverage the automation that can be accomplished with Google Cloud Directory Sync (GCDS).
Make sure that your active/enrolled students OU is configured NOT to automatically assign licenses in GAC.
Version 4.7.12 of GCDS is the minimum version to take advantage of the automated licensing option. The most current version is 5.0.28, so this option has been around for a while now.
There is one small catch to this method of automation. Because we will be using GCDS to handle license assignment, it requires that we tie the licensing to membership in a group in Active Directory (or any other LDAP-compliant directory, such as eDirectory). If you are no longer using AD, this won’t apply, but then you wouldn’t be using GCDS either. For this to be completely hands-off and 100% automated, you need automation in place that adds new staff and students to groups when their accounts are created and removes them when they are no longer employed by or enrolled in the district.
Group automation can be done rather easily with Microsoft PowerShell, which is how Student Provisioning Services currently does this for most of their customers. Districts with many more groups or more complex groups may find that Condrey Corporation’s solution, Group Symmetry, is the answer. I have implemented this for several districts and found it to be very helpful in large or complex environments.
IMPORTANT: Before you attempt to make any of these changes to your production environment, make a copy of your production .xml file and experiment with the copy until you are sure that you get the desired results. Then, save this file back over your production copy to put it into production. Automation is great, but it can also help you to make very big mistakes very quickly.
What follows are step-by-step instructions for how to do this in your district or business:
1. You must be running version 4.7.12 or later for this to be an option.
2. Under General Settings, you must check the licenses option to enable this function and add the item to the list of available options to configure.
3. Start the configuration of the Licenses option by populating the email address attribute field. For Active Directory, the default value is “mail”.
4. Select the SKU Management tab to identify the SKU that you purchased from Google for staff and students if appropriate. For the purposes of these instructions, I am going to assign “Google Workspace for Education Plus – Legacy” to all teaching staff and “Google Workspace for Education Plus – Legacy (Student)” to all currently enrolled students.
NOTE: It is critical to understand that you must be able to write a single LDAP query for each license. When you build a query and assign a license, the process removes that SKU from the list and will not allow you to build a second query for the same SKU. There is a 1:1 relationship between SKU and LDAP query.
5. For my students, I have the following groups automated, and I’m going to use the Students-ALL group to assign the Google license SKU. My LDAP query will be:
(&(objectClass=person)(mail=*)(memberof=CN=Students-ALL,OU=Groups,OU=Students,OU=Accounts,DC=ad,DC=sps-k12,DC=com))
The & means that all of the conditions that follow must be met. There are 3 conditions that must be met for a user to match this query. 1. The Active Directory object must be a person. 2. They must have some value entered in the email field (it cannot be blank). 3. They must be a member of the group named “Students-ALL”.
We take this information and create an LDAP license rule in GCDS. Click on “Add Rule”, paste your preformatted LDAP query (like the one above) into the LDAP query field, select “Assign licenses to Google domain users”, select the SKU that you want to assign, and then check the box “Remove this license from the Google domain users that don’t match this rule”. The screen will look like this:
Before you click OK to save this and put it into effect, make sure that you select “Test LDAP Query” to see if you get any students that match your LDAP search. The results should look like this:
6. For my staff, I have a group for teachers in each building or grade band, so my LDAP search query is more complex. I need it to be true if you are in any one of four groups, so the query would be:
(&(objectClass=person)(mail=*)(|(memberof=CN=Teachers-PS,OU=Groups,OU=Staff,OU=Accounts,DC=ad,DC=sps-k12,DC=com)(memberof=CN=Teachers-ES,OU=Groups,OU=Staff,OU=Accounts,DC=ad,DC=sps-k12,DC=com)(memberof=CN=Teachers-MS,OU=Groups,OU=Staff,OU=Accounts,DC=ad,DC=sps-k12,DC=com)(memberof=CN=Teachers-HS,OU=Groups,OU=Staff,OU=Accounts,DC=ad,DC=sps-k12,DC=com)))
The & means that all of the conditions that follow must be met, and the | nested inside it means that any one of the conditions it contains is enough. There are 3 conditions that must be met for a user to match this query. 1. The Active Directory object must be a person. 2. They must have some value entered in the email field (it cannot be blank). 3. They must be a member of any one of the four groups named “Teachers-PS”, “Teachers-ES”, “Teachers-MS” or “Teachers-HS”.
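To make those conditions concrete, here is a small evaluator, added as an example and not part of GCDS, that parses the student query from step 5 and the staff query above. It supports only the operators these two filters use (&, |, presence with =*, and equality) and runs them against a handful of constructed directory entries; the usernames, the entry layout and the DN case variation are all assumptions made for the illustration.

```python
"""Evaluate the LDAP filters from the GCDS license rules against sample
directory entries. Added example, not GCDS code. Supports AND (&...),
OR (|...), presence (attr=*) and equality (attr=value); no escape handling,
which these particular filters do not need."""

STUDENTS_BASE = "OU=Groups,OU=Students,OU=Accounts,DC=ad,DC=sps-k12,DC=com"
STAFF_BASE = "OU=Groups,OU=Staff,OU=Accounts,DC=ad,DC=sps-k12,DC=com"

# The two rules from the post: one group for students, any of four for staff.
STUDENT_FILTER = f"(&(objectClass=person)(mail=*)(memberof=CN=Students-ALL,{STUDENTS_BASE}))"
TEACHER_FILTER = (
    "(&(objectClass=person)(mail=*)(|"
    + "".join(f"(memberof=CN=Teachers-{band},{STAFF_BASE})" for band in ("PS", "ES", "MS", "HS"))
    + "))"
)


def parse_filter(text):
    """Parse a filter string into a tree: ('&'|'|', [children]) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] != ")":
                children.append(node())
            if pos >= len(text):
                raise ValueError("unterminated &/| list")
            pos += 1  # consume the ')' that closes the list
            return (op, children)
        end = text.index(")", pos)  # raises ValueError if the ')' is missing
        attr, _, value = text[pos:end].partition("=")  # split on the FIRST '=' so DN values survive
        pos = end + 1
        return ("=", attr.lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("unbalanced parentheses in filter")
    return tree


def matches(tree, entry):
    """True when the entry satisfies the tree. Entry keys are lowercase
    attribute names; a value is a string or a list (memberOf, objectClass)."""
    if tree[0] == "&":
        return all(matches(child, entry) for child in tree[1])
    if tree[0] == "|":
        return any(matches(child, entry) for child in tree[1])
    _, attr, wanted = tree
    values = entry.get(attr, [])
    if isinstance(values, str):
        values = [values]
    if wanted == "*":  # presence test: the attribute has some non-empty value
        return any(v != "" for v in values)
    return any(v.lower() == wanted.lower() for v in values)  # AD compares DNs case-insensitively


def licensees(filter_text, entries):
    """Usernames that would receive the SKU tied to this filter."""
    tree = parse_filter(filter_text)
    return sorted(name for name, entry in entries.items() if matches(tree, entry))


# Constructed sample entries, shaped like AD user objects (assumed names).
PERSON = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = {
    "jdoe": {"objectclass": PERSON, "mail": "jdoe@sps-k12.com",
             "memberof": [f"CN=Students-ALL,{STUDENTS_BASE}"]},
    "nomail": {"objectclass": PERSON,  # in the group but no mail value: fails (mail=*)
               "memberof": [f"CN=Students-ALL,{STUDENTS_BASE}"]},
    "asmith": {"objectclass": PERSON, "mail": "asmith@sps-k12.com",
               "memberof": [f"CN=Teachers-ES,{STAFF_BASE}"]},
    "lkim": {"objectclass": PERSON, "mail": "lkim@sps-k12.com",  # DN stored in different case
             "memberof": [f"cn=teachers-hs,{STAFF_BASE.lower()}"]},
    "bjones": {"objectclass": PERSON, "mail": "bjones@sps-k12.com",  # staff, not a teacher group
               "memberof": [f"CN=Coaches,{STAFF_BASE}"]},
    "lab-pc1": {"objectclass": ["top", "computer"], "mail": "lab-pc1@sps-k12.com"},
}

if __name__ == "__main__":
    print("student SKU:", licensees(STUDENT_FILTER, SAMPLE_ENTRIES))
    print("teacher SKU:", licensees(TEACHER_FILTER, SAMPLE_ENTRIES))
```

The two entries worth noticing are nomail, who is in Students-ALL but has no mail value and therefore gets nothing (which is exactly why “Test LDAP Query” is worth running before you click OK), and lkim, whose group DN is stored in a different case and still matches, as it would in AD.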
We take this information and create an LDAP license rule in GCDS. Click on “Add Rule”, paste your preformatted LDAP query (like the one above) into the LDAP query field, select “Assign licenses to Google domain users”, select the SKU that you want to assign, and then check the box “Remove this license from the Google domain users that don’t match this rule”. The screen will look like this:
And then when we test the query, the results should look like this:
NOTE: If your search results return no users, check the LDAP base DN on your LDAP configuration page. This search doesn’t have the option to specify its own base DN, so it will use the one defined on the LDAP page.
7. Then to see what this would do to your production environment, you must ALWAYS preview the changes first. Go to the sync tab, check “Clear cache” and then click “Simulate sync”. You will get a preview window with results that will look something like this:
I personally have an additional process where I download all users from Google and cross-reference this list against the currently assigned licenses to be sure that I am getting exactly the results that I want. Once I have done that, I can move this .xml file into production use.
NOTE: This process will not remove licenses that were previously assigned in another way. If they were assigned automatically through GAC, this will not remove them because they are not a member of this group. GCDS keeps track of licenses that it assigned in its own internal database and will only remove licenses that it previously assigned.
There is an amazing tool named GAM that is a command-line interface for GAC. It can be used to remove license assignments that are no longer needed. It is a very handy tool to have around, but it can be finicky at times to get installed. You can find it here: https://github.com/GAM-team/GAM
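The cross-reference I do before promoting an .xml file, and the note about licenses GCDS will not remove, come down to set arithmetic. The following is an added example, not GCDS or GAM code: given the users a rule matches, an export of who currently holds the SKU, and the users whose assignment GCDS recorded, it separates what the next sync will assign and remove from the orphaned licenses that still need cleaning up by hand or with GAM. The export and its column names, the user names and the tracked set are all constructed for the illustration.

```python
"""Reconcile a GCDS license rule's matches against the SKU assignments
actually present in Google. Added example, not GCDS or GAM code. The
export below is constructed; its 'user,sku' columns are an assumption,
not the layout of any real tool's output."""

import csv
import io

STUDENT_SKU = "Google Workspace for Education Plus - Legacy (Student)"

# Constructed export: one row per license currently held in Google.
LICENSE_EXPORT = """\
user,sku
jdoe@sps-k12.com,Google Workspace for Education Plus - Legacy (Student)
mlee@sps-k12.com,Google Workspace for Education Plus - Legacy (Student)
grad2023@sps-k12.com,Google Workspace for Education Plus - Legacy (Student)
oldgac@sps-k12.com,Google Workspace for Education Plus - Legacy (Student)
asmith@sps-k12.com,Google Workspace for Education Plus - Legacy
"""

# Constructed: who the Students-ALL rule matches today (grad2023 has left).
RULE_MATCHES = {"jdoe@sps-k12.com", "mlee@sps-k12.com", "newkid@sps-k12.com"}
# Constructed: assignments GCDS made itself (oldgac was licensed by GAC auto-assign).
GCDS_TRACKED = {"jdoe@sps-k12.com", "mlee@sps-k12.com", "grad2023@sps-k12.com"}


def holders_of(export_csv, sku):
    """Users that currently hold the given SKU according to the export."""
    rows = csv.DictReader(io.StringIO(export_csv))
    return {row["user"].strip().lower() for row in rows if row["sku"].strip() == sku}


def plan_license_changes(rule_matches, google_assigned, gcds_tracked):
    """Split the current state into what GCDS will do and what it won't touch.

    rule_matches    : users matching the rule's LDAP query (should hold the SKU)
    google_assigned : users holding the SKU in Google right now
    gcds_tracked    : users whose assignment GCDS recorded in its own database
    """
    rule_matches, google_assigned, gcds_tracked = (
        set(rule_matches), set(google_assigned), set(gcds_tracked))
    return {
        # matches the rule, no license yet: GCDS assigns on the next sync
        "assign": sorted(rule_matches - google_assigned),
        # GCDS assigned it and the user no longer matches: removed by the
        # "Remove this license from ... users that don't match this rule" box
        "remove": sorted((google_assigned & gcds_tracked) - rule_matches),
        # licensed some other way and not matching: GCDS leaves it alone,
        # so it has to be cleaned up manually or with GAM
        "orphaned": sorted(google_assigned - gcds_tracked - rule_matches),
    }


def student_plan():
    """The worked case: reconcile the student SKU from the constructed data."""
    return plan_license_changes(RULE_MATCHES, holders_of(LICENSE_EXPORT, STUDENT_SKU), GCDS_TRACKED)


if __name__ == "__main__":
    for action, users in student_plan().items():
        print(f"{action:8}: {', '.join(users) or '-'}")
```

Run against the constructed data, the report shows newkid to be assigned, grad2023 to be removed (GCDS tracked that one), and oldgac as orphaned: a departed user still holding a paid student license that no sync will ever take back, which is the case the NOTE above warns about and the one worth catching in the simulate-sync review before the file goes to production.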
I hope that you have found this useful and are able to successfully implement this for your business or district. If you have trouble and need assistance, please schedule an appointment through http://www.sps-k12.com