Structura.io
Compliance Monitoring · Scheduled trigger · 5 actions

CrowdStrike + Google Workspace EDR Compliance

Validate CrowdStrike Falcon is installed on every Google Workspace user's device, reported daily.

Integrates with
Google Workspace, CrowdStrike Falcon, Slack

Overview

For Google Workspace shops, this playbook cross-references the Google Workspace user directory and device inventory against CrowdStrike Falcon enrollments. Non-compliant users (those without a running agent) surface in a daily Slack report so they can be remediated before becoming an attack vector.

Who this is for: Security and IT teams at Google Workspace-native organizations

Why automate this

Google Workspace-first companies often lack the built-in Mobile Device Management visibility that Microsoft Intune provides. This playbook fills that gap by using Google's device directory as the source of truth and enforcing EDR coverage against it every day.

How it works

  1. Run on a daily schedule

  2. Query the Google Workspace Admin SDK for all user devices

  3. Extract device serial numbers and owner email addresses

  4. Query CrowdStrike Falcon for all enrolled device IDs

  5. Diff the two sets to find users missing the Falcon sensor

  6. Generate a structured report with counts, names, and devices

  7. Post the report to a Slack compliance channel
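
The diff and report steps above, sketched as an added example (not Structura's own playbook code). It assumes both inventories have already been fetched into lists of dicts and that the serial number is the join key; the field names `owner`, `serialNumber`, `model`, `serial_number` and all sample records are constructed for illustration.

```python
from collections import defaultdict

def norm_serial(value):
    """Upper-case and strip whitespace so formatting differences between
    the two inventories do not show up as false coverage gaps."""
    return "".join(str(value or "").split()).upper()

def find_uncovered(workspace_devices, falcon_hosts):
    """Return (missing, unverifiable).
    missing: owner email -> serials with no matching Falcon host.
    unverifiable: (owner, model) for devices that report no serial."""
    enrolled = {norm_serial(h.get("serial_number")) for h in falcon_hosts}
    enrolled.discard("")  # a Falcon host without a serial matches nothing
    missing, unverifiable = defaultdict(list), []
    for dev in workspace_devices:
        owner = dev["owner"].lower()
        serial = norm_serial(dev.get("serialNumber"))
        if not serial:
            # Cannot be joined; report it instead of silently passing it
            unverifiable.append((owner, dev.get("model", "unknown")))
        elif serial not in enrolled:
            missing[owner].append(serial)
    return dict(missing), unverifiable

def render_report(workspace_devices, missing, unverifiable):
    """Build the plain-text body for the daily compliance message."""
    total = len({d["owner"].lower() for d in workspace_devices})
    lines = [f"Users: {total} | missing sensor: {len(missing)} "
             f"| unverifiable devices: {len(unverifiable)}"]
    for owner in sorted(missing):
        lines.append(f"- {owner}: {', '.join(missing[owner])}")
    for owner, model in unverifiable:
        lines.append(f"- {owner}: {model} (no serial reported)")
    return "\n".join(lines)

# Constructed sample inventories (not real devices or API output)
WORKSPACE = [
    {"owner": "ana@example.com", "serialNumber": "c02xk1abjg5h", "model": "MacBook Pro"},
    {"owner": "ana@example.com", "serialNumber": "R58N30ABCDE", "model": "Galaxy S21"},
    {"owner": "Bo@example.com", "serialNumber": " 5CD1234XYZ ", "model": "HP EliteBook"},
    {"owner": "cy@example.com", "serialNumber": "", "model": "Pixel 7"},
]
FALCON = [
    {"device_id": "constructed-id-1", "serial_number": "C02XK1ABJG5H"},
    {"device_id": "constructed-id-2", "serial_number": "5cd1234xyz"},
]

if __name__ == "__main__":
    print(render_report(WORKSPACE, *find_uncovered(WORKSPACE, FALCON)))
```

Devices that report no serial are listed separately rather than counted as covered, since a blank join key would otherwise hide them from the report.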

Impact

  • Closes the MDM visibility gap in Google Workspace environments

  • Daily coverage reports with zero manual effort

  • Maintains CrowdStrike-backed security baselines across BYOD devices

  • Audit evidence generated automatically

Bring this playbook into your SOC

See Deployer Workflows in action with a live walkthrough of this playbook. We'll show you how to connect your SIEM, EDR, and ticketing tools in under 15 minutes.
