If a Google Workspace organization has limited the ability to install Google Workspace applications, a Google Workspace admin needs to take a few extra steps to allow signing into Gem. Until that is done, anyone who tries to sign in will see the authorization error "Error 400: admin_policy_enforced".
If you're not a Google Workspace admin, you can share this article with someone who is, though there's a good chance they'll already know how to configure things correctly.
Allowing the Gem app to have API access
To allow users to sign into Gem, you'll need to configure it to have API access through the Google Workspace Security Admin Portal.
First, click on "API controls" at the bottom.
Next, click on the "Manage Third-Party App Access" button.
Then, click on the "Configure new app" button.
In the next window that appears, search for the name "Gem"; it should be the first result. Make sure the Client ID matches 58431258424-k57jbgkusp2u1akuqb7rd060v72ar6g3.apps.googleusercontent.com, since the Client ID, not the display name, is what identifies the app. Once you've found it, click on it.
On the next step, you can allow either the entire organization or specific org units to access the app. Once you've made your selection, click "Continue".
On the next step, select "Trusted", and click "Continue". This doesn't mean we get access to everything; it only means we can now request access to use specific APIs. If you know that your organization will only be utilizing a subset of the available permissions, you can instead select "Specific Google data" and choose the scopes that you need.
On the last step, review all the settings you just configured. If everything looks good, click the "Finish" button. Once you've done that, users should be able to sign into Gem.