Google Sync is a Google Workspace feature that uses Microsoft Exchange ActiveSync to let your users synchronize their work mail, contacts, and calendars to platform-specific and third-party apps on their mobile devices. For example, iPhone and iPad users can sign in with Microsoft Exchange to get their work Gmail messages in the Apple Mail app and Google calendar events in Apple Calendar.
Security risks with Google Sync
Google Sync doesn’t support OAuth authentication, 2-factor authentication, or security keys, which leaves your organization’s data less secure. With more secure alternatives available, we recommend you transition off Google Sync as soon as possible, ahead of the less secure app access shutdown.
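To plan the transition, it helps to know which accounts still rely on Google Sync. The following is an added example, not part of the original page or Google's tooling. It assumes a JSON export shaped like an Admin SDK Directory API mobiledevices.list response, in which Google Sync devices carry the type GOOGLE_SYNC; the sample data, function names, and status labels are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a mobiledevices.list response
# (assumed fields: email, type, lastSync). Addresses are placeholders.
SAMPLE_EXPORT = json.dumps({"mobiledevices": [
    {"email": ["ana@example.com"], "type": "GOOGLE_SYNC", "lastSync": "2024-05-20T08:15:00.000Z"},
    {"email": ["ana@example.com"], "type": "IOS_SYNC", "lastSync": "2024-05-30T10:00:00.000Z"},
    {"email": ["raj@example.com"], "type": "GOOGLE_SYNC", "lastSync": "2024-05-28T17:40:00.000Z"},
    {"email": ["lee@example.com"], "type": "ANDROID", "lastSync": "2024-05-31T09:00:00.000Z"},
    {"email": ["kim@example.com"], "type": "GOOGLE_SYNC", "lastSync": "2023-01-02T12:00:00.000Z"},
]})

NEVER = datetime.min.replace(tzinfo=timezone.utc)

def parse_sync(ts):
    """Parse a UTC timestamp with fractional seconds; missing means never synced."""
    if not ts:
        return NEVER
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def google_sync_report(export_json, now, stale_days=90):
    """Map each user who has a Google Sync device to a migration status."""
    latest_sync = {}   # user -> most recent Google Sync activity
    has_other = set()  # users who also have a device of another type
    for dev in json.loads(export_json).get("mobiledevices", []):
        for user in dev.get("email", []):
            if dev.get("type") == "GOOGLE_SYNC":
                seen = parse_sync(dev.get("lastSync"))
                latest_sync[user] = max(latest_sync.get(user, NEVER), seen)
            else:
                has_other.add(user)
    report = {}
    for user, seen in sorted(latest_sync.items()):
        if now - seen > timedelta(days=stale_days):
            report[user] = "stale_sync_device"  # old entry, review for removal
        elif user in has_other:
            report[user] = "has_alternative"    # already uses another client
        else:
            report[user] = "needs_migration"    # Google Sync is the only access
    return report

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for user, status in google_sync_report(SAMPLE_EXPORT, now).items():
        print(f"{user}\t{status}")
```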
What you can do
Many third-party apps support user sign-in with a Google Account instead of Microsoft Exchange. To allow users to sign in with their work account, you can configure your app management settings to allow data syncing for specific apps or use Google endpoint management to push account information to specific platforms. To set up app access by organizational unit, use the Google endpoint management options.
These instructions focus on how to set up Google Workspace so your users can access their work mail, calendar events, and contacts in Apple iOS apps. For Android users, we recommend users switch to the Android Gmail app. If you want to use another third-party app that supports Google OAuth, you can trust the app. If the third-party app doesn’t support Google OAuth, contact the app developer.
Sync mail, calendar, and contacts in Apple iOS apps
If your organization uses advanced mobile management through Google endpoint management, use these instructions instead.
Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Apps > Google Workspace > Gmail > End User Access.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Click POP and IMAP access.
- Check the Enable IMAP access for all users box.
- Select Restrict which mail clients users can use and enter 450232826690-0rm6bs9d2fps9tifvk2oodh3tasd7vl7.apps.googleusercontent.com, the client ID for Apple iOS apps.
- Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
iOS device users can now add their work account to a device and get their mail, calendar events, and contacts in iOS apps. Changes can take up to 24 hours but typically happen more quickly.
Other options
Sync calendar and contacts in Apple iOS apps, use Gmail app for mail
First, disable IMAP so that users can only get their mail in the Gmail app:
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Apps > Google Workspace > Gmail > End User Access.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Click POP and IMAP access.
- Uncheck the Enable IMAP access for all users box.
- Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
Now, allow calendar and contacts data to sync:
- In the Admin console, go to Menu > Security > Access and data control > API controls.
- Click Manage third-party app access.
- Click Configure new app and choose OAuth app name or client ID for how you want to search for the mail client.
- Enter 450232826690-0rm6bs9d2fps9tifvk2oodh3tasd7vl7.apps.googleusercontent.com.
- Click Search, select iOS, and click Select.
- Leave the access level set to trusted.
- To let users get messages on their iOS device in the Gmail app when IMAP is off:
  - If you use a third-party mobile device management (MDM) service, set it to push the Google Account payload profile. If you use Google endpoint management, turn on Push Google Account configuration (see instructions in the next section).
  - Users must use the iOS Gmail app and sign in with their managed Google Account. They should leave Apple Calendar and Apple Contacts turned on, but turn off Apple Mail. If they try to sign in to Apple Mail with their work account, the sign-in fails silently.
Before you begin: If needed, set up advanced mobile management.
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Devices > Mobile & endpoints > Settings > iOS settings.
- Click Account configurations.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Check the Push Google Account configuration box.
- Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
To sync their mail, contacts, and calendar events, users must download the Google Device Policy app and the Google mobile device management configuration profile.