Migrating to Google’s Provisioning API Version 2.0


Google announced that Gmail Provisioning API version 1.0 will be completely disabled on April 20, 2015. All the customers must upgrade to version 2.0 of the API. Failing to migrate would result in password provision commands being rejected for all re-enrollments and new enrollments, thus blocking the email access. Existing enrolled devices will not be affected by this as their obfuscated password is already synchronized with AirWatch and Google Apps for Business.

AirWatch has upgraded to use this new version of API for its integration with Gmail, which uses a certificate based method of admin authentication. You must migrate to the new version of the API by following the below mentioned steps:

  • Step 1: Creating the Service Account Certificate
  • Step 2: Uploading the Service Account Certificate on the AirWatch Admin Console

Note: Please note that Gmail Provisioning API version 2.0 is not FIPS compliant.

Creating the Service Account Certificate

Note: If you have already created the Service Account certificate, please go to step 2.

On the Google Developer Console

  1. Navigate to https://console.developers.google.com and login using your super admin credentials.
  2. Select Create Project tab.
  3. Enter the project name and the project ID in the applicable fields of the New Project form. The project name is used during configuring MEM in the AirWatch Admin Console.  AirWatch needs this name to reference it with Google. You can name the project as per your choice or preference. The Project ID is automatically generated by google, but can be changed if desired. The Project ID is NOT used by AirWatch.
  4. Navigate to APIs & authAPIs available on the left pane of the Project Dashboard page.
  5. Enable the Admin SDK option available under the Browse API section. Once you enable it, you can view it under the Enabled API section.
  6. Navigate to APIs & authCredentials.
    • Select Create new client ID.
    • Select Service Account option and then click Create Client ID.
    • Save the .p12 certificate with private key to your machine. Please make a note of the generated Client ID, password, and the Email Address as these will be used later while uploading the certificate on the AirWatch Admin Console.

Note: Client ID once generated cannot be deleted. You have to create the whole project again.


On the Google Admin Console

  1. Navigate to https://admin.google.com and login with your super admin credentials.
  2. Select SecurityAuthenticationAdvanced Settings.
  3. Select Manage API client Access hyperlink from the Advanced settings section.
  4. Enter the previously generated Client ID (as mentioned above in step 6) in the Client Name field.
  5. You must authorize your client ID for the required API scopes. The API scopes should be entered as a comma delimited string. You may copy the string below (minus the carriage returns for spacing) directly into the One or More API Scopes field.  Select Authorize to confirm.

    https://www.googleapis.com/auth/admin.directory.device.mobile.action image007.png

Uploading the Service Account Certificate on the AirWatch Admin Console

On the AirWatch Admin Console, a warning message[UR1]  displays on the Mobile Email Management Configuration page until all Gmail MEM configurations have been updated to the new API. If you have multiple Gmail MEM configurations, you need to migrate each individually. You can use the same credentials (including certificate) to migrate each configuration. Upon editing your MEM configuration, you are presented with the new certificate based UI. If you do not want to migrate yet, select Cancel to go back to your existing configuration. Once you migrate to the new API, there is no option to revert.



  1. On your required Organization Group, navigate to EmailEmail Settings and select Edit.
  2. On the Mail Platform wizard form, the option Direct Integration using password management is selected by default. Select Next.
  3. On the MEM Deployment wizard form ► Google Apps Directory APIs Integration section:
    • Upload the service account certificate that you created in the above steps.
    • Enter the Service Account email address.
    • Enter the Application Name. This is the project name that you added while creating the certificate.
    • Select Next.

4. Review your email profiles. Select Next.

5. Review the summary of your MEM configuration and select Save.

You are now migrated to the new version of the Google API!

Keep in mind

You might see two possible errors upon saving a MEM configuration:

  1. A credential error - It is an error with the certificate. The certificate cannot be properly stored and used.
  2. An authentication error with the credentials - A certificate or other value is incorrect for the given administrator.
Have more questions? Submit a request


Article is closed for comments.