# 33 Disable POP/IMAP / app-specific passwords

> DRAFT · v0.1.4 · role: Prevent · [policy: #27 · #8](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

POP, IMAP and app-specific passwords predate 2SV and do not honour it. Since Google's less-secure-apps turndown (March 2025) the account password itself no longer works over POP/IMAP for third-party apps — the remaining password-only path through them is an app password. An app password in particular is a full-mailbox credential a user can mint for themselves, and it is the exact bypass used to defeat 2SV in the UNC6293 campaign. Closing these paths — together with the auto-forwarding and delegation settings that share this screen ([№18](disable-user-forwarding-delegation.md)) — is what makes 2SV enforcement actually binding.

## Caveats

- An app password bypasses 2SV entirely — 2SV enforcement (№1) is not complete until app passwords are blocked as well.
- Existing app passwords are not revoked by flipping the toggle — revoke them per user under Directory > Users > Security, or with GAM.
- Turning IMAP off breaks multifunction printers, scan-to-mail and some CRM mail plugins — inventory those clients and stage the change OU by OU, or you buy a helpdesk queue.

## Setup steps

1. Select the OU (organizational unit), starting with the admins' OU, then turn POP and IMAP off for everyone. — `Apps › Google Workspace › Gmail › End User Access`

   - **POP and IMAP access** = uncheck 'Enable POP access for all users' and 'Enable IMAP access for all users' (IMAP can instead be restricted to OAuth mail clients only)

   docs: [Turn POP & IMAP on or off for users](https://knowledge.workspace.google.com/admin/sync/turn-pop-and-imap-on-or-off-for-users)

2. Block app-specific passwords — this is the exact bypass used to defeat 2SV in the UNC6293 campaign. — `Security › Authentication › 2-Step Verification`

   - **Allow users to generate app passwords** = Do not allow

3. While you are on this screen, close the other legacy egress path it hosts: automatic forwarding. Mail delegation, on the Gmail > User settings page, is covered together with it by [№18](disable-user-forwarding-delegation.md). — `Apps › Google Workspace › Gmail › End User Access`

   Allow users to automatically forward email to another address = unchecked (mail delegation: №18)

   docs: [Let users automatically forward their own Gmail emails](https://knowledge.workspace.google.com/admin/gmail/let-users-automatically-forward-their-own-gmail-emails)

4. Inventory the legacy clients you are about to break (scanners, MFPs, CRM mail plugins, phone mail apps) and migrate each to OAuth or SMTP relay before enforcing.

   - **Exception list** = documented, time-boxed, in a separate OU

   docs: [Transition from less secure apps to OAuth](https://knowledge.workspace.google.com/admin/sync/transition-from-less-secure-apps-to-oauth) · [Route outgoing SMTP relay messages through Google](https://knowledge.workspace.google.com/admin/gmail/advanced/route-outgoing-smtp-relay-messages-through-google)

## Ongoing maintenance

- **[automatable: script]** Monthly: re-run the ASP enumeration — a non-empty result means the policy regressed or an OU escaped it.

## How to verify

1. App passwords are the loudest legacy hole — enumerate them tenant-wide; the list should be empty.

   ```
   gam all users print asps
   ```

2. From a test account, try enabling IMAP in Gmail settings — the option should be absent or greyed out.

## Settings screens

- Apps > Google Workspace > Gmail > End User Access (POP and IMAP access; Google Workspace Sync / GWSMO is on this same screen)
  - console: https://admin.google.com/ac/apps/gmail/enduseraccess
  - screenshot: ../screenshots/admin.google.com/ac/apps/gmail/enduseraccess.png
- Security > Authentication > 2-Step Verification (Allow users to generate app passwords)
  - console: https://admin.google.com/ac/security/2sv
  - screenshot: ../screenshots/admin.google.com/ac/security/2sv.png
