Why do I need to disable IMAP and POP access?
IMAP stands for Internet Message Access Protocol, while POP stands for Post Office Protocol. These are both standards for reading email with third-party applications, and have been present for decades. These are perfectly fine for normal users who want to manage multiple email addresses with one application, but in truth continuing to use IMAP and POP apps with your Google Apps for Work/Education package is dangerous to your security.
The reason why is that these applications support neither 2-Step Verification or the latest, greatest security standards, like SSL and TLS. 2-Step Verification is vital for stopping unintended access to your business' information, and not having secured email means malicious parties have a vector of attack. The lesser security standards means that these applications are more likely to be effected by behavior like packet snipping and device infection.
The best way to go about securing Gmail admin settings is by making sure everyone is always up to date. To do this, you'll need to make sure people are using the right apps and you have the right settings enabled on your domain.
What applications are effected?
In shot, the only right way to access Gmail is by using the Gmail web interface or using official Gmail apps available on the App Store or Play Store. Applications like default email apps on iOS and Android, Apple Mail and Outlook won't keep your experience as secure as it should be, and could open up vulnerabilities. Make sure that all of your users are using Gmail Web or a Gmail App, then go ahead and disable POP and IMAP access. If there are users who absolutely need access, you can grant it to them individually, but this option needs to be disabled if you're serious about securing Gmail admin settings.
How do I disable it?
Fortunately, POP and IMAP access should already be disabled by default. However, you should make sure that they are. To check, go to "Organizations" under "Advanced settings" and "Gmail" in your Admin console. POP and IMAP access should be disabled by default, but if it isn't, simply check the box to make sure that it is.
And there you go! Following this blog post, you've either fixed a security hole or successfully made sure there wasn't one. Checks like these are necessary to ensure the health of your network and your business.