I have Google Advanced Protection enabled on my Google account. Among other things, this prevents me from installing add-ons that have permission scopes that are considered excessive enough to be considered a security risk for my account. It looks like the Tiller Money Labs add-on is one such add-on. Are there any plans to tighten the permissions on this add-on so that those of us that have our accounts locked down a little more tightly can use it? Or am I just out of luck?
Error 400: policy_enforced
Advanced Protection prevented your Google Account from signing in. This security feature stops most non-Google apps and services from accessing your data to keep your account protected.
It’s true that the Tiller Money Labs add-on uses broader scopes than the Tiller Money Feeds add-on. We would prefer to use narrower scopes but, to enable the quick-prototyping nature of the Tiller Money Labs add-on and also implement the sheet-insertion capability, we needed the https://www.googleapis.com/auth/spreadsheets (where the Tiller Money Feeds add-on uses
We work hard to limit the scopes of the Tiller Money Feeds add-on because it is essential to run our core subscription product. Because the Tiller Money Labs add-on is an optional grab-bag of experimental features, the required scopes are less constrained.
We are reworking our add-on ecosystem to address concerns like the one you raise. That said, these changes are significant and will take time to implement properly. So, unfortunately, there are no imminent solutions to address this.
If I remember correctly, the Tiller addons are not signed. Would that make a difference?
Thanks, totally appreciate the situation and I fully acknowledge that my choice to lock my account down more than a typical account sometimes has these outcomes. I appreciate the response. Looking forward to continuing my Tiller explorations!
That’s right @dmn, you can’t use the Labs add-on if you have Advanced Protection turned on for your Google Account. This is expected.
One way you can “work around” it if you choose and want to explore the add-on would be to use a separate (perhaps brand new) Google Account that doesn’t have sensitive information you’re trying to protect where Advanced Protection is not turned on. The Labs add-on does not care which Google Account you use (e.g. you don’t have to use it with your Tiller Money subscribed Google Account like you do with the Tiller Money Feeds add-on).
@aronos, I don’t think it would help if they were signed as Google has built their ecosystem intentionally to prevent add-ons that have broad scopes like the Labs add-on from running in an account that has Advanced Protection turned on.
I have the same issue. Is there an updated ETA for a rework of Labs which works with Advanced Protection?
Hi @bjc, no there is not. We don’t intend to “rework” the Tiller Community Solutions add-on at this point. We have some plans for moving some of the most popular features (e.g. split transactions) into our core Tiller Money Feeds add-on at some point, but there is no firm timeline.
I just ran into this issue and only found my way here after trying a number of different queries. I think it would be helpful to have some documentation about this issue near where the user might encounter it. I came across the feeds add-on troubleshooting guide so perhaps there should be a community add-on troubleshooting guide that includes this and is linked to in the initial tour near the “Install Tiller Community Solutions” button?
Also ran into this error. It would be nice if more of the Labs features could start moving to the core product or the Labs integration could start with the spreadsheets.currentonly scope and then request the wider scope if a sheet-insertion is necessary. I’ve been relying on the community add-on for the Savings Budget template (for envelope budgeting) so fingers crossed this template is added to the core add-on soon.
It should also be noted that the official Envelope Add-on by Tiller also produces the same error: *Access blocked: Envelope Budget is not approved by Advanced Protection*
Error 400: policy_enforced
Request details: access_type=offline login_hint=<email scrubbed> hl=en response_type=none gsession redirect_uri=https://script.google.com/oauthcallback state=ACjPJvGP_nROcfn_LsOcy9dFaFI-GCbYvjXumMv5iAOsOAEuwlPyH-iOEzkJm2g5wrQzd9OvVo3Qv71sMzgeNNM_-c2cnJ5JJRnTJX4QWM-EZYSNKvV31wBw_OAmcc_MSciYJZRkJuDRoFB1Mz-q5AP8N9RjSbxC1bk2-xa7MfpfqJV05-rgsbRhEcMbnpczORoZ-X5ZjRvQtM7sFLK_3Ddwt1qAh1vy6EL20DMNsPHrJdZroKxr-oeKXku8wBpBDbZ0oFaoe1HdngFTG7Y_hsy-58kvsosK-XE8aaI0cnhQFHBXojnC264GALG7YtrK0pqVCpa6MM5YlgouUGls_dpCvoHgDhTIxkJ7wnuelB07zba1ZXfHkEreUhl_n6VItokRDLT4zFqW4PgaM1NGghIHkksg5QteccQkWyqYk5eoYoyUl9OIwwcuz9k2CPfd8qHKH9_gwKyTYxYc6p7fLQCbOq97Y9ZmgoxmUPHphllO_vbXtQh4FTkIIqpvZEln9T84N8HSs3TjzR56Oe6DzQ7yNR4IN-H-yCmrX5eBxtA2quqGe0njsPB6HWjqiQ client_id=646608109404-51lo3p4dj2t3b1k8kf3sj0tu48n3fbgo.apps.googleusercontent.com prompt=consent scope=https://www.googleapis.com/auth/script.external_request https://www.googleapis.com/auth/spreadsheets https://www.googleapis.com/auth/script.container.ui https://www.googleapis.com/auth/script.scriptapp
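For anyone reviewing an add-on before installing it, the "Request details" text on the blocked-consent page already lists every scope the add-on asked for. The following is an added example, not part of the thread and not Tiller's code: it pulls the scope list out of such a string and marks the scope for which this thread names a narrower alternative (`spreadsheets.currentonly`). The sample input is constructed, with placeholder `state` and `client_id` values, and the function names and the `NARROWER` table are assumptions made for illustration.

```javascript
// Constructed sample modelled on the "Request details" text quoted above.
// The state and client_id values are placeholders, not real ones.
const SAMPLE =
  "access_type=offline login_hint=<email scrubbed> hl=en response_type=none gsession " +
  "redirect_uri=https://script.google.com/oauthcallback state=PLACEHOLDER_STATE " +
  "client_id=PLACEHOLDER.apps.googleusercontent.com prompt=consent " +
  "scope=https://www.googleapis.com/auth/script.external_request " +
  "https://www.googleapis.com/auth/spreadsheets " +
  "https://www.googleapis.com/auth/script.container.ui " +
  "https://www.googleapis.com/auth/script.scriptapp";

const SCOPE_PREFIX = "https://www.googleapis.com/auth/";

// Assumption for this example: the only mapping used is the one raised in the
// thread (whole-account Sheets access vs. the currently open spreadsheet only).
const NARROWER = {
  [SCOPE_PREFIX + "spreadsheets"]: SCOPE_PREFIX + "spreadsheets.currentonly",
};

// The scope value is a space-separated list, so it spans several tokens.
// Collect tokens after "scope=" until the next "key=" parameter (if any).
function requestedScopes(details) {
  const m = details.match(/(?:^|\s)scope=(.*)$/s);
  if (!m) return [];
  const scopes = [];
  for (const tok of m[1].trim().split(/\s+/).filter(Boolean)) {
    if (/^[a-z_]+=/.test(tok)) break; // a new parameter starts here
    scopes.push(tok);
  }
  return scopes;
}

// One record per requested scope, with the narrower alternative when known.
function auditScopes(details) {
  return requestedScopes(details).map((scope) => ({
    scope,
    name: scope.startsWith(SCOPE_PREFIX) ? scope.slice(SCOPE_PREFIX.length) : scope,
    narrowerAlternative: NARROWER[scope] || null,
  }));
}

for (const s of auditScopes(SAMPLE)) {
  const note = s.narrowerAlternative
    ? `broad; narrower option: ${s.narrowerAlternative}`
    : "no narrower option recorded";
  console.log(`${s.name.padEnd(26)} ${note}`);
}
```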