Sunday, January 15, 2023

Monitoring of operating system versions in Google Workspace

Let’s continue presenting examples of using event logs from Google Workspace. Today I’ll describe how to use event logs to detect outdated operating system versions and notify users about them. The idea is to inform users via email that a newer version of the operating system is available to install. The described method works for all popular operating systems, e.g. macOS, Windows, Linux, iOS or Android.

Keep in mind that this method only notifies users and/or administrators. The next step is to enforce installation of the new version. MDM systems can enforce such installation, or we can use Google Workspace Context-Aware Access to prohibit older versions.


Described use case: just after logging in to Google Workspace, the user receives an email notification that a newer version of the operating system is available.


The source code described here is available in the GitHub repository: https://github.com/Prevenity/Cloud-Security

The main function is main_version_monitor(). The first function is read_dates(), which uses a spreadsheet to store the date of the last execution of the script. The main function should be executed at least every 5-10 minutes in order to notify users as soon as possible. We use the last execution date because the next function, read_events(), calls the AdminReports.Activities.list() GSuite API, which retrieves a list of activities. read_events() collects 6 types of data from Google Workspace events: DEVICE_TYPE, DEVICE_MODEL, OS_VERSION, SERIAL_NUMBER, the date and the email of the user.


try {
  response = AdminReports.Activities.list(
    userKeyA,          // "all"
    applicationNameA,  // "mobile"
    optionalArgsA
  );
} catch (error) {
  // Log the API error instead of aborting the script
  Logger.log(error);
}
...

if (params_event[zm4].name == "DEVICE_TYPE")
 device_type_vod = params_event[zm4].value;
if (params_event[zm4].name == "DEVICE_MODEL")
 device_model_vod = params_event[zm4].value;
if (params_event[zm4].name == "OS_VERSION")
 os_version_vod = params_event[zm4].value;
if (params_event[zm4].name == "SERIAL_NUMBER")
 serial_id_vod = params_event[zm4].value;



table_mobile.push([
 event_temp.actor.email,
 event_temp.actor.callerType,
 event_temp.id.time,
 serial_id_vod,
 device_type_vod,
 device_model_vod,
 os_version_vod]);


The next important function is compare_version_v2(). As you can see, we are able to collect information about the operating system version from the Device Action event. Now we have to tell the function which operating system versions are approved. We use a spreadsheet as a database of approved versions. An example is below:


The function is quite simple:


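// Returns true when version_to_check exactly matches an entry in the
// "supported versions" spreadsheet data, false otherwise.
function compare_version_v2(version_to_check) {
  var handler_to_file = open_spreadsheet_file("", "supported versions");
  // Iteration starts at index 1, so element 0 is not compared
  for (var zmx = 1; zmx < handler_to_file[10].length; zmx++) {
    if (handler_to_file[10][zmx] == version_to_check)
      return true;
  }
  return false;
}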
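
The extraction and approved-version check described above, combined in an added example (not code from the Prevenity repository). It goes beyond the exact match in compare_version_v2() by trimming and lower-casing both sides and by keeping only the newest event per device; the function names, the item shape (taken from the fields used above) and all sample values are constructed for illustration.

```javascript
// Added example; sample events and the approved list are constructed.
const WANTED = ["DEVICE_TYPE", "DEVICE_MODEL", "OS_VERSION", "SERIAL_NUMBER"];

// Flatten one activity item into one row per event (fields as used on this page).
function extractRows(item) {
  return (item.events || []).map(function (ev) {
    const row = { email: item.actor.email, time: item.id.time };
    (ev.parameters || []).forEach(function (p) {
      if (WANTED.indexOf(p.name) !== -1) row[p.name] = p.value;
    });
    return row;
  });
}

// Exact match as in compare_version_v2(), plus trim/lower-case (added assumption).
function isApproved(version, approved) {
  const v = String(version).trim().toLowerCase();
  return approved.some(function (a) { return String(a).trim().toLowerCase() === v; });
}

// Keep only the newest event per (email, serial) so a device that was updated
// inside the polling window is not reported; rows without OS_VERSION are skipped.
function findOutdated(items, approved) {
  const latest = {};
  items.forEach(function (item) {
    extractRows(item).forEach(function (row) {
      if (!row.OS_VERSION) return;
      const key = row.email + "|" + (row.SERIAL_NUMBER || "unknown");
      if (!latest[key] || row.time > latest[key].time) latest[key] = row;
    });
  });
  return Object.keys(latest)
    .map(function (k) { return latest[k]; })
    .filter(function (r) { return !isApproved(r.OS_VERSION, approved); });
}

// Constructed helper that builds an item in the shape used above.
function sampleItem(email, time, serial, os) {
  return { id: { time: time }, actor: { email: email }, events: [{ parameters: [
    { name: "SERIAL_NUMBER", value: serial }, { name: "OS_VERSION", value: os }] }] };
}
const APPROVED = ["iOS 16.2", "Android 13 "]; // constructed, note the trailing space
const SAMPLE_ITEMS = [
  sampleItem("alice@example.com", "2023-01-15T09:00:00.000Z", "SN-A1", "iOS 16.1"),
  sampleItem("alice@example.com", "2023-01-15T09:30:00.000Z", "SN-A1", "iOS 16.2"),
  sampleItem("bob@example.com", "2023-01-15T09:10:00.000Z", "SN-B7", "Android 12"),
  sampleItem("carol@example.com", "2023-01-15T09:20:00.000Z", "SN-C3", "android 13"),
];
console.log(findOutdated(SAMPLE_ITEMS, APPROVED).map(function (r) { return r.email; }));
```

With a plain == comparison, a trailing space or a different letter case in a spreadsheet cell would cause every user on that approved version to be notified.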


Finally, we have to prepare a message which will be sent via email.