Configure 1Password Device Trust and Google Workspace

Learn how to implement 1Password Device Trust (Kolide by 1Password) to secure every device on your team.

With 1Password Device Trust (Kolide) and Google Workspace, you can make sure every device is known, secure, and compliant before it can access company applications, and empower your team to remediate their own device health issues with step-by-step instructions.

With this integration, you can:

  • Import and synchronize your Google Workspace users and groups.
  • Protect the Kolide admin dashboard with Google single sign-on authentication.
  • Allow your users to sign in to Device Trust-protected apps with their Google credentials.

Before you begin

Before you can set up Kolide and Google Workspace, you’ll need:

Tip

This feature is not currently available to all Kolide customers. To make sure you have access, go to Kolide and select your profile in the top-right corner of the page. If you see Identity Providers in the sidebar, you have access. If you see Identity & Access, contact Kolide support to turn on the feature.

These steps were recorded in November 2024 and may have changed since. Refer to the Google Workspace admin documentation for the most up-to-date steps.

Step 1: Create a 1Password Device Trust-enabled group in the Google Admin console for testing

To test the implementation and make sure it works the way you want it to, first create a Device Trust-enabled group with test users. You can use this test group to give specific people access to Kolide as admins or end users during your testing.

Configure group information

  1. Open two browser windows side-by-side. In one window, sign in to Kolide.
  2. In the second window, sign in to the Google Admin console.
  3. In Kolide, select your profile in the top-right corner of the page, then select Settings and choose Identity Providers in the sidebar.
  4. In Kolide, select the Set Up button for Google, then select Set Up Single Sign On Provider.
  5. In the Google Admin console, select Devices > Groups in the sidebar.
  6. Select Create group.
  7. Fill out the fields, including:
    • Group name: Enter the name “1Password Device Trust Enabled”.
    • Group email: Enter the email address you want to use.
    • Group description: Enter a description of the group. For example: “1Password Extended Access Management Device Trust Enabled Users”.
  8. Select the check box next to Security.

Configure access settings

You can configure access settings in the way that works best for your team, but we recommend limiting who can join the group. This makes sure the group is small for your initial test:

  1. In the Google Admin console, in the “Who can join the group” section, select Only invited users.
  2. Once you’ve configured the other settings, select Next at the bottom of the page.
  3. Select Create Group at the bottom of the page.

Add people to the group

  1. In the Google Admin console, select Add members to Device Trust Enabled.
  2. Select Add members, then in the Find a user or group field, search for your test users and select them.
  3. Choose Add to group.

Step 2: Configure SAML SSO for 1Password Device Trust

Add Kolide as a custom SAML app within your Google Workspace portal. This allows Kolide to use Google as its single sign-on (SSO) identity provider for authenticating users into the Kolide admin or end-user portal, along with any apps you’re managing within Kolide.

Set up the Kolide application for SSO

  1. In the Google Admin console, select Apps > Web and mobile apps.
  2. Select the Add apps dropdown, then select Add custom SAML app.
  3. In the App name field, enter the name “Kolide”.
  4. Optionally, if you’d like to add the Kolide logo to your app, download the Kolide logo. Then select the camera icon and upload the file.
  5. Select Continue at the bottom of the page.
  6. Copy the SSO URL from the Google Admin console and paste it into the Provider SSO URL field in Kolide.
  7. Select the copy icon by the certificate in the Google Admin console and paste it into the Provider X.509 Certificate box in Kolide.
  8. In the Google Admin console, select Continue.
  9. In Kolide, copy the Kolide ACS URL and paste it into the ACS URL field in the Google Admin console.
  10. In Kolide, copy the Kolide Entity ID, then paste it into the Entity ID field in the Google Admin console.
  11. In the Google Admin console, select Continue, then select Finish.
  12. In Kolide, select Save Settings.
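
The copy-and-paste in steps 6 and 7 is where a truncated certificate or a wrong URL usually slips in. The following check is an added example, not part of the original guide or of Kolide's or Google's tooling: it compares the SSO URL and certificate you pasted against a SAML IdP metadata file. It assumes you also saved the IdP metadata XML for the custom SAML app and kept a copy of the pasted values; the function names and sample data are hypothetical.

```python
import base64, hashlib, re, textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_fingerprint(text):
    """SHA-256 of the certificate bytes, ignoring PEM armor and whitespace."""
    b64 = re.sub(r"-----[A-Z ]+-----|\s+", "", text)
    return hashlib.sha256(base64.b64decode(b64, validate=True)).hexdigest()

def idp_values(metadata_xml):
    """Return (SSO URL, certificate fingerprint) from SAML IdP metadata."""
    root = ET.fromstring(metadata_xml)
    sso = root.find(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)
    cert = root.find(".//ds:X509Certificate", NS)
    return sso.get("Location"), cert_fingerprint(cert.text)

def check_pasted(metadata_xml, pasted_sso_url, pasted_cert):
    """List mismatches between IdP metadata and the values pasted on the SP side."""
    problems = []
    sso_url, fingerprint = idp_values(metadata_xml)
    if urlparse(pasted_sso_url.strip()).scheme != "https":
        problems.append("SSO URL is not https")
    if pasted_sso_url.strip() != sso_url:
        problems.append("SSO URL differs from IdP metadata")
    try:
        if cert_fingerprint(pasted_cert) != fingerprint:
            problems.append("certificate differs from IdP metadata")
    except ValueError:  # binascii.Error is a ValueError
        problems.append("certificate is not valid base64 (truncated paste?)")
    return problems

# Constructed sample data: placeholder bytes stand in for a real certificate,
# and idp.example.test is a placeholder host, not a Google endpoint.
SAMPLE_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_SSO_URL = "https://idp.example.test/saml2/idp?idpid=PLACEHOLDER"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/entity">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="{SAMPLE_SSO_URL}"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + textwrap.fill(SAMPLE_B64, 64)
              + "\n-----END CERTIFICATE-----\n")
```

An empty list from `check_pasted` means the pasted values match the metadata; any returned entry names the field to copy again before you select Save Settings.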

Set up user access

  1. In the Google Admin console, select the User access dropdown.
  2. Select the Groups dropdown.
  3. Search for the Device Trust Enabled group and select it.
  4. Select the check box next to On for the Service status, then select Save.

Step 3: Configure provisioning for 1Password Device Trust

Import and synchronize your organization’s Google Workspace users and groups into Kolide.

Provision users

  1. In Kolide, select Set Up User Provisioning.
  2. Select Log in with Google Workspace.
  3. Choose your admin account and sign in.

    You need to use an account that has super administrator permissions.

  4. Under “Select what Kolide can access”, select the check box next to Select all.
  5. On the “User Provisioning” pop-up, select the check box next to Import groups.
  6. In Kolide, select the vertical ellipsis button, then select Activate.
  7. In Kolide, select the vertical ellipsis button on the Google Workspace card under Identity Providers, then choose Make Primary.
  8. To make sure that single sign-on and user provisioning are working correctly, in a new private browser window, go to https://app.kolide.com and sign in.

    A private browser window makes sure the existing session is not cached.

  9. Sign in to Kolide with your admin account.
  10. Sign in with your Google credentials for your admin account.
  11. After you’ve successfully signed in, close the private browser window.

Turn on Device Trust

Protecting Kolide’s admin dashboard with Device Trust makes the dashboard more secure: Device Trust checks the compliance of the device and blocks access if the device is non-compliant. It also lets you test Device Trust capabilities and features before you add more apps to Kolide.

  1. In Kolide, select Google Workspace under Identity Providers.
  2. Select Single Sign-On Provider.
  3. In the Device Trust section, select the check box next to Protect Kolide Admin Dashboard with Device Trust.
  4. Select Update Settings.

Step 4: Test Device Trust

To test the Device Trust sign-in process from the perspective of your team:

  1. Sign in as a user that belongs to your 1Password Device Trust Enabled group.
  2. As an optional step if your team uses an MDM, pre-install the Kolide agent to simulate pushing the agent out to your devices. This is optional because the user will be prompted to install the agent if it is not present.
  3. Go to https://app.kolide.com and sign in with your Google credentials.
  4. You’re redirected to the “Kolide is Verifying Your Device” screen, which shows you that the Kolide agent is installed.

    If you downloaded the Kolide agent in step 2, the device is registered to you and you’re signed in to the Kolide dashboard.

  5. If you didn’t already download the Kolide agent, you’re prompted to download the agent. Download the installer for your operating system and follow the on-screen instructions through to the success message.
  6. In the task bar, you’ll see a Kolide icon that appears for about 60 seconds.
  7. In a new private browser window, go to https://app.kolide.com.

    A private browser window makes sure the existing session is not cached.

  8. Sign in with your Google Workspace credentials using your username and password.
  9. You’re redirected to the “Kolide is Verifying Your Device” screen, which shows you that the Kolide agent is installed.

If the agent was pre-installed on the end-user device, it will register the device. If the agent is not installed, the user will be prompted to download and install the agent before the new device can be registered.

To see how Kolide handles failed checks, first set up device health checks for your team. Then:

  1. In Kolide, choose the Devices tab and select your device to see if there are any failing checks.
  2. Select Details on a check that is straightforward to fix, like File Extensions Are Not Visible in Finder.
  3. Select Actions > Edit Check Settings.
  4. In the Remediation Strategy section, select Configure.
  5. Choose Block Immediately and select Save.
  6. In a new private browser window, go to https://app.kolide.com.
  7. Sign in with your Google Workspace credentials using your username and password. However, don’t enter an authenticator code.
  8. Select Approve with 1Password Device Trust to redirect to Kolide. You should be blocked by Kolide based on the check you changed earlier.
  9. Select Fix this issue, which opens a new table that shows you how to fix the issue.
  10. Fix the issue, then return to the Kolide window and select I’ve fixed it. Recheck now.

Kolide will run a real-time check to validate that the issue has been fixed before completing the sign-in flow.

As part of future testing, continue to add new users to the 1Password Device Trust Enabled group and have users test the sign-in flow.

Get help

To get help with Kolide, contact Kolide Support.

To get help with 1Password Business, contact 1Password Support.
