This feature is only available with Google Workspace for Education editions.
Users designated as under 18 by the age-based access setting are blocked from using unconfigured third-party apps. An unconfigured third-party app is any app that isn't yet configured with an access setting (trusted, limited or blocked) in the Admin console. Learn about age-based access settings.
When a user designated as under 18 tries to access an unconfigured app, they’ll be blocked, but see a message with the option to request access. Note, for some Android apps, users will be blocked, but may not be presented with a screen allowing them to request access.
When a user requests access, you can allow access by configuring access for the app as described below.
If you selected Allow users to access third-party apps that only request basic info needed for Sign in with Google (under the Unconfigured third-party apps setting for users designated as under 18), users designated as under 18 only need to request access to an app if the app asks for more than the basic information required to use Sign in with Google (name, email, and profile picture, if any). You’ll need to review just those apps that ask for more data, and if appropriate, configure access settings for them.
Note: Google Workspace Marketplace apps might have different configuration steps. For details, go to Manage Marketplace apps access for users designated as under 18.
Important: For users under the age of 18, your organization is responsible for obtaining parental consent, if required by applicable law, before allowing these users to access third-party apps.
Google Workspace for Education Admin Console: How to review third party app access requests
Configure access for requested third-party apps
In the Admin console, you can review third-party apps users designated under 18 have requested access to. For apps you want to allow users designated as under 18 to access, you need to configure access settings, using the steps below.
Note: You can always unconfigure an app for users at any time using CSV bulk upload. Learn more
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- On the home page, in the App access control card, you see:
- Apps pending review—How many apps users designated as under 18 have requested access to.
- User requests—The number of users who requested access.
Note: Multiple users might have requested the same app.
Click Review apps.
- In Apps pending review, the requested apps are sorted by the number of user requests.
Tip: Before deciding which apps to configure access for, review information for each app:
- User requests—The number of users who requested access to the app.
Note: At User requests, click the number to see which users requested access to the app. - Org units with requests—The number and name of organizational units in which users requested access
- Requestable services—Google data the app previously requested to access from Google users
Click the app name to see app details.
- User requests—The number of users who requested access to the app.
- For apps you want to make accessible to users designated as under 18, point to the app and click Configure access.
- For apps you want to block for users designated as under 18 to access, you have two options:
- Leave as is—If you don’t configure access within 6 months, the app is removed from the list.
- Dismiss or block the app—Point at the app and click Dismiss to remove it. Or, you can configure access for the app and choose Block to prevent it reappearing in the list.
- Check the box for organizational units you want to configure access for.
Note: You can select up to 10 organizational units. If you’re configuring more than 10, use bulk updates. Learn about bulk updates.
- Click Configure access.
- (Optional) Under Scope, update the organizational units to configure access for, if needed.
- Under Access to Google data, select one of the following access settings, and click Continue. The setting you select is applied to all organizational units selected previously under Scope.
- Trusted—Users can sign in with Google to the third-party app and the app can request access to Google data, both restricted and unrestricted Google services.
- Limited—Users can sign in with Google to the third-party app and the app can request access only to unrestricted Google data.
- Blocked—Users can’t sign in with Google to the third-party app and the app can’t request access to any Google data.
This is up to you, depending on which services are set as restricted and unrestricted on the Google services page. You might select Restricted if data for a Google service is more sensitive and you want to allow only a small number of apps - apps marked Trusted - to request access to data for that Google service. Or, you might select Unrestricted if data for a service is less sensitive, and you want to allow more third-party apps - apps marked Trusted and Limited - to request access to data for that Google service. Learn more about managing Google service access.
Example
Let’s say in the Google services page you marked:
- Gmail and Drive as Restricted
- All other apps (like Calendar, Chat) as Unrestricted
This means:
- Apps you configure as Trusted can request user data from all Google services, including Gmail and Drive.
- Apps you configure as Limited can request user data from all Google services on that page except Gmail and Drive.
- Review your selection and click Configure access.
Some changes can take up to 24 hours. Next, notify users that they can access the app.