Provisioning a Google Drive Service Account

Provision a service account for Google Drive to allow Cloud App Security to scan files stored in Google Drive. Cloud App Security uses the service account to run advanced threat protection and data loss prevention scanning on files in Google Drive.


Cloud App Security scans files in users' My Drive. Files in shared drives are not scanned.

The following steps describe how to provision a service account for Google Drive from the Dashboard.

  1. Log on to the Cloud App Security management console.
  2. Hover over Google Drive and click Provision.

    The Provision Service Account for Google Drive screen appears.

  3. Click Click here in Step 1.
    1. On the Trend Micro Cloud App Security application screen in the Google Workspace Marketplace that appears, click INSTALL.

      A new window appears for you to sign in to Google.

    2. Specify your Google Super Admin credentials, and click Next and then CONTINUE.

      An authorization screen appears.

    3. Select I agree to the application's Terms of Service and Google Workspace Marketplace Terms of Service and click Accept to start installation.

      The application is successfully installed.

  4. Go back to the Cloud App Security management console as instructed and click Click here in Step 2.
  5. In the new window that appears, click your Google Super Admin account.
  6. On the authorization screen, click Allow.
  7. Go back to the Cloud App Security management console as instructed and click Done.

    Cloud App Security then synchronizes your Google Drive user and organization unit information, including the user ID, user name, user email address, organization unit ID, and organization unit name. The time required depends on how many users and organization units you have in Google Drive.

    Cloud App Security generates a quarantine folder (trendmicro_cas_quarantine__dont_change_or_delete) and a temporary folder (trendmicro_cas_temp__dont_change_or_delete) in the Google Drive administrator's root directory. The quarantine folder can be accessed only by the administrator, while the temporary folder can be edited by all users.


    Cloud App Security renames the files in the quarantine folder. Each file name is prefixed with RANDOM_UUID, a unique string randomly generated by Cloud App Security. For example, some_file.doc is renamed to ecdd6cc3-58d4-42a4-831a-e39bcbc1c8d5_some_file.doc.

    The temporary folder stores quarantined files before they are moved to the quarantine folder and restored files before they are moved back to their original locations.

  8. Hover over the notification icon in the upper-right corner of the management console.

    If the message "Google Drive protected." appears on the Notifications screen, the provisioning is successful.


    To avoid unnecessary notifications, all users must exclude the temporary folder (trendmicro_cas_temp__dont_change_or_delete) from the synchronization list. Perform the following steps as a user:

    1. Locate and click the Google Drive tray icon on your desktop.

    2. Click Settings and choose Preferences.

    3. Click the Sync options tab and click Sync only these folders.

    4. Clear the check box of the temporary folder (trendmicro_cas_temp__dont_change_or_delete) in the box below.
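
The quarantine naming convention described in step 7 can be checked against a listing of the quarantine folder. The following Python script is an added example, not part of Cloud App Security or the original page: it recovers original file names and flags entries that do not follow the convention. It assumes the prefix is a canonical 36-character UUID joined to the original name by a single underscore, as in the page's example; the function names and the sample listing are constructed for illustration.

```python
import re

# Assumption: RANDOM_UUID is a canonical 8-4-4-4-12 hex UUID followed by one
# underscore, as in the page's example. The original name may itself contain
# underscores, so the split is anchored on the UUID, not on the first "_".
_QUARANTINED = re.compile(
    r"^(?P<prefix>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
    r"_(?P<name>.+)$",
    re.DOTALL,
)


def split_quarantined_name(filename):
    """Return (uuid_prefix, original_name), or None if the name does not
    follow the RANDOM_UUID_<original name> convention."""
    match = _QUARANTINED.match(filename)
    if match is None:
        return None
    return match.group("prefix").lower(), match.group("name")


def audit_listing(filenames):
    """Split a quarantine-folder listing into recovered names, unexpected
    entries, and original names that were quarantined more than once."""
    recovered, unexpected, by_name = [], [], {}
    for filename in filenames:
        parsed = split_quarantined_name(filename)
        if parsed is None:
            # Not created by the renaming step: added or renamed by hand.
            unexpected.append(filename)
            continue
        recovered.append(parsed)
        by_name.setdefault(parsed[1], []).append(parsed[0])
    repeated = {n: ids for n, ids in by_name.items() if len(ids) > 1}
    return recovered, unexpected, repeated


# Constructed listing; only the first entry is taken from the page.
SAMPLE_LISTING = [
    "ecdd6cc3-58d4-42a4-831a-e39bcbc1c8d5_some_file.doc",
    "0b9f1c2e-7a3d-4e55-9c1b-2f6d8a4b7e10_q3_budget_final.xlsx",
    "5d2a9e77-1c4b-4f0a-b8e3-6a7c9d0e1f23_some_file.doc",
    "notes_from_admin.txt",
    "ecdd6cc3-58d4-42a4-831a_truncated.doc",
]

if __name__ == "__main__":
    recovered, unexpected, repeated = audit_listing(SAMPLE_LISTING)
    for prefix, name in recovered:
        print(f"{prefix}  ->  {name}")
    print("unexpected entries:", unexpected)
    print("quarantined more than once:", repeated)
```

Entries reported as unexpected were not produced by the renaming step and indicate that the quarantine folder's contents were changed manually.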