Set up your MDM account: Google Workspace

Important: Every effort has been made to provide information that is current and accurate. While this information is considered to be correct at the date of publication (September, 2023), changes in content may impact the accuracy.

Set up Destiny Resource Manager Google Workspace admin role

  1. Log in to Google Workspace at https://admin.google.com

  2. In the left-hand menu, select Account > Admin roles.

  3. At the top of the page, click Create new Role.

  4. Under Role info, enter a Name and Description, and then click CONTINUE.

    Role Info

  5. Select the following Admin Console privileges (all child privileges will also be selected):

    • Organizational Units/Read

    • Mobile Device Management/Manage Device Settings

    • Chrome Management/Settings/Manage Chrome OS Devices

    • Chrome Management/Settings/Manage Chrome OS Device Settings

    • Reports

  6. Select the Admin API privilege, Organization Units/Read.

  7. Click CONTINUE.

  8. Click CREATE ROLE.

Set up Destiny Resource Manager Google Workspace user

  1. In the left-hand menu, select Directory > Users.

  2. Under All organizations, select Users from all organizational units.

    All Organizations pop-up

  3. In the left panel, click Add new user.

  4. The User Information form appears. Enter the following information:

    • First name

    • Last name

    • Primary email

  5. Click ADD NEW USER.

    User Information Form

  6. In the confirmation window, if you want to copy and save the password, click COPY PASSWORD.

  7. Click DONE.

  8. On the Admin roles and privileges page, search for the destinyrm user just added, then click to enter the user window.

  9. Go to Admin roles and privileges, then click ASSIGN ROLES.

    Admin roles and privileges with ASSIGN ROLES highlighted

  10. In the pop-up, browse to the destinyrm role in the list, toggle the Assigned state to Assigned, and then click SAVE.

    Admin roles and privieges pop-up, Assigned state toggle

    Admin roles and privileges page with destinyrm role highlighted

    Note: The destinyrm role is now assigned to the destinyrm user.

Set up Google Cloud service account in Google Cloud console

  1. Log in to Google Cloud Console: https://console.cloud.google.com/

  2. On the cloud console main page, click the Select a project drop-down, then on the pop-up, click NEW PROJECT.

    Cloud console main page with NEW PROJECT highlighted

  3. On the New Project page, enter the project name as destinyrm, select the Organization and Location you want, and then click CREATE.

    New Project page with Project name and CREATE highlighted

    Note: You now have your own Organization and Location.

  4. On the Google Cloud main page, click the projects drop-down, then select the destinyrm project.

    Google Cloud main page with projects drop-down highlighted

  5. On the project main page, click API APIs & Services.

    Project main page with API APIs & Services highlighted

  6. On the APIs & Services page, click + ENABLE APIS AND SERVICES.

    APIs & Services page with +ENABLE APIS AND SERVICES highlighted

  7. On the API Library page, search for admin sdk api.

    API Library page with admin sdk api highlighted

  8. In the search results, click Admin SDK API.

    Search results page with Admin SDK API highlighted

  9. On the Admin SDK API page, click ENABLE.

    Admin SDK API page with ENABLE highlighted

  10. On the APIs & Services page, in the left navigation bar, click Credentials.

    APIs & Services page with Credentials highlighted

  11. On the next page that appears, click + CREATE CREDENTIALS, then select Service account.

    Credentials page with +Create Credentials and Service account highlighted

  12. On the IAM & Admin page, enter the information below, then click CREATE AND CONTINUE.

    IAM & Admin page with information fields and Creat and Continue highlighted

  13. In Step 2, click the Role drop-down, then select Owner.

    Grant this service account access to the project section with Role drop-down and Owner option highlighted

  14. In step 3, click DONE.

    Grant users access to this service account section with DONE highlighted

  15. On the next page that appears, click the destinyrm service account link.

    Service Accounts pop-up with destinyrm service account highlighted

  16. On the Service Account page, record the Unique ID value for later use, then click the KEYS tab.

    Service Account page Unique ID and Key tab selected

  17. In the Keys section, click the ADD KEY drop-down, and select Create new key.

    Keys section with the Add Key drop-down and Create new key highlighted

  18. In the pop-up, select the JSON option, then click CREATE.

    Create a private key for destinyrm pop-up with JSON option selected

    The JSON key file downloads, and the following pop-up appears.

    Private key saved to your computer confirmation pop-up

    Note: Other keys can be created, but each key can only be downloaded once.

Grant API permissions to service account

  1. Open the Google Admin Console again (https://admin.google.com). In the left navigation tree, select Security > Access and data control > API controls.

    Google Admin Console page with API controls highlighted in the Access and data control drop-down

  2. On the API controls page, scroll to the bottom, and then click MANAGE DOMAIN WIDE DELEGATION.

    API controls page with Manage Domain Wide Delegation highlighted

  3. On the Domain-wide Delegation page, click Add new.

    Domain-wide Delegation page with Add new highlighted

  4. In the Add new client ID pop-up, enter the Unique Client ID value you recorded earlier, add the OAuth scopes listed below, then click AUTHORIZE.

    OAuth scopes to add:

    https://www.googleapis.com/auth/admin.directory.orgunit.readonly,

    https://www.googleapis.com/auth/admin.directory.user.readonly,

    https://www.googleapis.com/auth/admin.reports.audit.readonly,

    https://www.googleapis.com/auth/admin.directory.device.chromeos,

    https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly

    Add a new client ID pop-up with Client ID and OAuth scopes highlighted