Our company is developing enterprise G Suite application which uses restricted authentication scopes. We don't allow to install our application for gmail users but we onboard several enterprise companies per day so we can't ask administrator of each customer domain to whitelist application after installing it from Marketplace, so far we have several hundreds of active customers. Also due to the number of clients we can't be restricted by 100 users capacity advertised by Google for application which doesn't go through verification process.
We published our application back in 2018 for the first time and in 2018 we also passed our first verification procedure. Then in the beginning of 2019 we were asked to resubmit application for verification again and started the process. During verification process we have done the following steps: - submitted the video describing authentication process - unchecked "Individual install" checkbox - verified domain and linked project with our GCP organisation Unfortunately now it seems that our verification procedure has went in wrong direction and we are kind of stuck - we answered that our application supports only Domain-wide installation and asked if we still need verification. This happened after verification team has complained that it can't install application with plain Gmail account and we answered them that individual install is disabled. I guess at this step we should have provided them test G Suite account instead, but I'm not sure since we didn't get any hints on this. At that moment we didn't realise that we still need to proceed with verification to avoid user cap and whitelisting each domain and assumed that install will still work fine this way. After this we have received yet another confirmation from verification team that verification is not needed. Still after more than a month we have received email that our verification request is declined. Since our previous request was rejected we have resubmitted another one recently, but I believe that it has went in wrong direction again - our latest email from verification team asks us that all our current customer domain admins should whitelist the application. But as I understand with our volume we need to properly pass verification process. So now I have the following questions: - how shall we proceed with proper verification process? we are receiving very standard replies as if some robot is answering, I'm not sure how can i disregard previous context (domain-wide application which is whitelisted by admins) and ask what to do to proceed with verification - what steps will be needed for verification in our case? do we need to provide enterprise G Suite account for verification team to evaluate the application? - shall we still pass security assessment if we don't provide our service to individual Gmail users? I mean can we pass application verification, but doesn't pass security assessment? -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/8f7e7489-49b1-40cd-a9d8-41d35a5a7867%40googlegroups.com.
