Tag Archives: Admin Console

View Cloud Search usage reports in the Admin console and the Stats API

What’s changing

Admins can now view Cloud Search usage information via charts in the Admin console and using the Stats API.

Who’s impacted

Admins only

Why it’s important

Previously, admins only had limited visibility into the usage of Cloud Search within their domains. Now, they have greater insight into things like how often applications are being used and whether all the content they need indexed is accessible.

How to get started



Additional details

Specifically, you’ll be able to view Cloud Search data around active users, query volume, and number of searches. Note: these stats will be available immediately through the Stats API. Rollout details for the Admin console can be found below in the Availability section.

Helpful links



Availability

Rollout details


G Suite editions

  • Available to G Suite Enterprise and G Suite Enterprise for Education, as well as standalone Cloud Search Platform customers
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, and G Suite for Nonprofits


On/off by default?

  • This feature will be ON by default.


Stay up to date with G Suite launches

Add comments and save filter views in the alert center

What’s changing 

We’re making some updates to the alert center for G Suite. Admins with alert center privileges can now:

  • Leave comments on alerts. This can make it easier to collaborate during investigations and keep a record of investigation and resolution actions for an alert. 
  • Use saved filters. This can help you quickly return to specific views without applying several individual filters each session. 

Who’s impacted 

Admins only

Why you’d use it 

These new features and other recent alert center updates make it easier to find important alerts and work with colleagues to mitigate risk. By leaving comments you and your colleagues can more easily collaborate on investigations. The comments can also serve as a record of actions taken on alerts, making it easy to remember what happened.Additionally, saved filters will help personalize your experience so you can more quickly focus on alerts specific to your job function. For example, if you’re focused specifically on phishing and malware, you can save a filter to only see Gmail-related alerts.

How to get started 




Additional details 

Leave comments to collaborate better 
You can now leave comments on alerts. When you leave a comment, it will appear in the ‘Alert history’ section when you look at an alert, and can be viewed by any other admin with access to the alert. This can help you keep track of any actions taken on the alert, and can make it easier for team members to collaborate to investigate and remediate alerts. Note that comments can be deleted, but only by the user that left the comment.


You can leave comments in the Alert history section of an alert 


Use saved filters to personalize the alert center 
If you have filters that you use regularly (for example, you may regularly filter for “High severity” alerts which have an “In Progress” status), you can now save these filters so you can get back to them quickly. Filters saved will be individual to each user, but you can share the URL once the filter is applied so colleagues can see the same view.


Saved filters help you quickly access common filter views in the alert center 


Helpful links 

Help Center: About the alert center 

Availability 

Rollout details 



G Suite editions 
Available to all G Suite editions

On/off by default? 
This feature will be ON by default.


Stay up to date with G Suite launches

Validate your MTA-STS configurations in the Admin console

What’s changing

Earlier this year, we announced that Gmail would be enforcing the MTA-STS security standard in beta. We’re now adding a diagnostics page for all admins to validate their MTA-STS configurations.

Who’s impacted

Admins only

Why you’d use it

On this page you can validate your MTA-STS and TLS reporting configuration. If any of your domains are not configured correctly, you’ll see what the suggested configuration is, making it easier to configure new MTA-STS settings.

How to get started


  • Admins: In the Admin console, navigate to Apps > G Suite > Settings for Gmail > Advanced settings. Here, you’ll be able to validate your MTA-STS configuration.
  • End users: No action needed.

Helpful links



Availability

Rollout details


G Suite editions

  • Available to all G Suite editions

On/off by default?

  • This feature will be ON by default.

Stay up to date with G Suite launches

Use Google 2-Step Verification and risk-based login challenges with 3rd-party identity providers

What’s changing 

We’re making two Google login security measures available to organizations that use 3rd-party identity providers. Admins at these organizations can choose to turn on two features that significantly improve account security against various attacks on user accounts. These features are new for customers using 3-party identity providers:

  • 2-Step Verification, an extra verification step that automatically requests verification when certain conditions are met (for example, when someone tries to log in on a new device or browser). Learn more about 2-Step Verification
  • Risk-based login challenges, which uses machine learning to analyze user access patterns and assess the risk of a malicious attack, and presents additional verification challenges when the behavior looks suspicious. Learn more about risk-based login challenges


Who’s impacted 

Admins and end users

Why you’d use it 

This will allow you to better protect your users' accounts from unauthorized access. You can use this feature to:

  • Increase overall account security, by leveraging Google's risk-based challenges for users authenticating on your 3rd-party identity provider. 
  • Enforce Google 2-Step Verification for certain users only. For example, you can enforce Google 2-Step Verification in combination with your 3rd-party identity provider for users with access to more sensitive information stored within Google. 
  • Use 2-Step Verification without additional costs. You can enforce these policies for users predominantly accessing Google resources at no additional cost. 

How to get started 


  • Admins: You can choose whether to enforce additional 2-Step Verification for users at Admin console > Security > Login challenges > Post-SSO verification. Use our Help Center to learn more about 2-Step Verification with 3rd-party identity providers
  • End users: If turned on, a user will simply have to complete the 2-Step Verification step using a familiar Google sign-in interface after they sign in to the 3rd-party identity provider. Learn more about Google 2-Step Verification


Admin controls available for verification enforcement when using a 3rd-party identity provider 

Helpful links 




Availability 

Rollout details


G Suite editions 
Available to all G Suite and Cloud Identity editions.

On/off by default? 
This feature will be OFF by default and can be enabled at the OU level.


Stay up to date with G Suite launches

Control session length for Google Cloud Console and gcloud CLI

What’s changing 

We’re opening a public beta so G Suite, Google Cloud Platform (GCP), and Cloud Identity admins can set a fixed session duration for specific apps and services. After the session expires, users will need to re-enter their login credentials to continue to access:
Settings can be customized for specific organizational units.

Note that this is designed to work on the web. However, the settings will apply to authentication on all platforms, including the web and mobile apps where they exist. As a result, affected mobile apps may not work properly when the feature is enabled.

Who’s impacted 

Admins only

Why you’d use it 

Many apps and services include sensitive data, and it’s important that only specific users can access that information. By requiring re-authentication, you can make it more difficult for the wrong people to obtain that data if they gain unauthorized access to a device.

How to get started 

  • Admins: Find session length controls at Admin console > Security > Google Cloud session control (Beta). See our Help Center to learn more about how to set session length for Google Cloud services
  • End users: If a session ends, users will simply need to log in to their account again using the familiar Google login flow. 

Additional details 

Third-party SAML identity providers and session length controls 
If your organization uses a third-party SAML-based identity provider, the cloud sessions will expire, but the user may be transparently reauthenticated (i.e. without actually being asked to present their credentials) if their session with the IdP is valid at that time. This is working as intended, as Google will redirect the user to the IdP and accept a valid assertion from the IdP. To ensure that the user is rechallenged for authentication, be sure to match the session timeout at the IdP with the session length you’d like to enforce.

Provides fixed-time controls (not activity-based) 
Note that the new session control is a fixed time limit—it does not look for session activity, or ‘idle time’. At this time, Google Cloud and G Suite do not support activity-based session expiry.

Re-authentication options 
When choosing a session length, admins will be able to choose:
  • Between a range of predefined session lengths, or set a custom session length. 
  • Whether users need regular login credentials (password and, if configured, 2-Step Verification), or require a security key to re-authenticate. 


Helpful links 

Help Center: Beta: Set session length for Google Cloud services 

Availability 

Rollout details 


Editions 
Available to all G Suite and Cloud Identity editions

On/off by default? 
This feature will be OFF by default and can be enabled at the OU level.

Stay up to date with G Suite launches

New Android management client for devices registered after September 16, 2019

What’s changing 

On September 16, 2019, we’ll begin gradually rolling out a new Android management system called “Android Management API.” Apps managed through the new system will also use a new on-device management client, Android Device Policy, which will replace the existing Google Apps Device Policy client.

While the new client has mostly similar features, there are some differences in management and usage that will impact G Suite admins and end users. The changes will make it easier for admins and users to set up and manage Android devices for work.

You will receive an email notification before it impacts your domain 
The rollout will be conducted in stages, and could take several months to reach all domains. We will email your organization’s primary admin around 3 weeks before it will reach your domain with more specific dates for deployment.

See below for more details about the changes.

Who’s impacted 

Admins and end users

Why you’d use it 

The new client will have closer ties to the Android infrastructure, allowing us to quickly add new features and more easily develop updates for increased security. It will also provide a more seamless experience for end users, with fewer apps to manage and more integrated functionality.

How to get started 


  • Admins: Familiarize yourself with the changes outlined in this post, including the additional details section below. Let your users know about the changes they can expect. 
  • End users: No action needed. 


Additional details 

Devices that will use the new Android management client 
Once this change has been deployed to your domain, newly registered devices that meet the following requirements will be automatically managed using the Android Management API:

  • The device is using Android M or above. 
  • The device supports a work profile and company-owned (fully managed) device mode. 
  • The user account is under advanced mobile device management. 

This will not impact previously enrolled devices; they will still be managed through the legacy Android management client.

How managing devices is different with the new client 
In the Admin console, most of the functionality will remain the same. All devices will be displayed and managed through the same interface at Admin console > Device management.

There will be some changes, however, for devices managed through the new client.

The following features will not be supported:
  • Device admin mode
  • Option to disable Work Profile setup (If you don’t want to use Work Profiles in your organization, you can instruct your users to set up devices without enabling the feature) 
  • Wipe Account for company-owned devices or devices in fully managed device (device owner) mode (Wipe Device will still be available) 


The following new features will be available:


The following features will change:
  • If you manually choose to Wipe Device, you’ll have a new option to either retain the factory reset protection settings or clear them along with the complete wipe. 
  • The Auto account wipe setting will perform Wipe Device for devices in fully managed device (device owner) mode. In addition to being applied when devices fall out of sync, Auto account wipe will be triggered when devices fall out of some policies (for instance, when a more restrictive passcode policy has been enforced by the admin). In both cases, the user will be given a grace period and notifications to correct the issue prior to the wipe taking place. 
  • Device management rules will initiate a device wipe instead of an account wipe for devices in fully managed device (device owner) mode. 


You can see which client is managing a device in the Admin console at Security details > User agent. Devices using the legacy client will have a version of Google Apps Device Policy, while devices using the new client will have a version of Android Device Policy. Use our Help Center to learn how to view mobile device details.

How using a device is different with the new client 
The main end-user visible changes include the following:

  • Users will have an updated enrollment experience. 
  • After the new version is deployed, users will no longer see a Device Policy app in their app drawer. The new management system and Android Device Policy app will be integrated with Android for a more seamless experience. 
  • Users won’t be able to use My Devices to manage their device (for the time being, they can use Find My Device). 
  • If your organization enforces a strong password, the password will require a symbol in addition to the letter and number previously required. 


Users will experience a slightly different setup flow when registering new devices. 


Migrating from the legacy system to the Android Management API 
Once this change has been deployed to your domain, you can manually migrate users and devices to the new Android Management API in the following ways:

  • Factory reset and re-register any eligible device. 
  • Provide a new device and register it. 

In the future, we’ll add options and tools to help you migrate existing devices to use the Android Management API. Check out the G Suite Updates blog for the latest changes and migration updates. 

Availability 

Rollout details 
  • All domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on September 16, 2019. The rollout will be conducted in stages, and could take several months to reach all domains. 
  • Primary admins will be notified by email around 3 weeks before it will reach your domain. 

G Suite editions 
  • Available to all G Suite editions 

On/off by default? 
  • This feature will be ON by default for new devices that meet the requirements above.


Stay up to date with G Suite launches

Improving Chrome Enterprise management in the Admin console

Quick launch summary 

We’re updating the Admin console to provide a quicker, more searchable experience for Chrome Enterprise administrators. Specifically you may notice a number of changes when you go to Admin Console > Devices > Chrome Management, including:

  • Significantly improved performance, with faster page loads, device actions, and more. 
  • Improved search and filter so you can find what you’re looking for quickly. 
  • Unified app management for Android apps, Chrome extensions and web apps so you can manage all of your apps in one place. 
  • Centralized printer management for users, devices, and managed guests. 
  • Brand new policies to help control the user experience, including Chrome Safe Browsing and Password Alert, Quick unlock with PIN and fingerprint, and Legacy Browser Support for Chrome Browser on Windows. 


See our Cloud Blog post for a detailed look at the updates to the Chrome Enterprise experience in the Admin console.

Availability 

Rollout details 


G Suite editions 
Available to all G Suite editions.


Stay up to date with G Suite launches

See encryption status and security patch level for devices with basic mobile management

What’s changing 

We will now show more information about devices with basic mobile management in the G Suite Admin console. Specifically, admins will now be able to see the encryption state and the security patch level for Android devices. Previously, this information was only available for devices with advanced mobile management.

Who’s impacted 

Admins only

Why you’d use it 

Encryption state and security patch level are important pieces of information for assessing device security. There is less risk of a data leak from a lost or stolen mobile device if that device is encrypted and password protected. Devices with more recent security patch levels are typically less susceptible to attacks than devices with older patch levels.

By making this information available for more devices, we hope you can better understand potential security vulnerabilities, better track the progress of security improvement initiatives, and make access-level decisions and rules to help ensure data is secure in your organization.

How to get started 




Additional details 

Encryption status is available for Android devices with API level 11 (Android 3.0) and up, and security patch level is available for Android devices with API level 23 (Android M) and up.

  • You can see both encryption status and security patch level on the device detail page for each device in the Admin console. This is available to all G Suite customers. 
  • You can also see the security patch level in the devices audit logs at Admin console > Reports > Devices. Note that the devices audit log is only available to G Suite Business, G Suite Enterprise, and G Suite Enterprise for Education domains. 
  • You can set up rules based on this information to automate mobile management tasks


See encryption status and security patch level for devices with basic mobile management 


Helpful links 



Availability 

Rollout details 

  • Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on September 3, 2019 
  • Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on September 3, 2019 


G Suite editions 
Available to all G Suite editions

On/off by default? 
This feature will be ON by default.


Stay up to date with G Suite launches

Help protect your organization with new alert center features

What’s changing 

We’re making some updates to the alert center for G Suite. The new features will make it easier to find, collaborate, and take action on potential issues within your domain. Specifically you can now:

  • Assign alerts to other team members or yourself 
  • Manage and track alert workflow status 
  • Prioritize alert triage and investigations by severity 
  • See related alerts for the same user 
  • Add new search attributes 
  • See alert change history 
  • Find and manage alerts more easily 


Some of the updates were previously available in beta and are now generally available. Read more about these changes below.

Who’s impacted 

Admins only

Why you’d use it 

The alert center already provides a single place to see notifications about potential issues within your domain and take action to resolve the issues. We hope these enhancements will make it easier to use the alert center, make it easier to find important and actionable alerts, and improve collaboration between admins and related teams.

How to get started 




Additional details 


  • Set status, assignee, and severity of alerts: Add key information to help your team take ownership of, assess, and collaborate as you work through security investigations. 
  • Use a more powerful search: Find alerts more easily by searching for alerts that contain a specific email address when researching an incident. 
  • See related alerts: The alert detail view will show other alerts related to the same actor or user to help discover possible related security incidents. 
  • See alert change history: See the history of metadata or content updates to that alert. This includes when status, assignee, or severities have changed. 
  • Find and manage alerts more easily: Bookmark specific alert URLs, bulk delete alerts, and sort alerts by factors such as last updated time. 





Search, filter, and sort to find alerts more easily 


Helpful links 




Availability 

Rollout details 



G Suite editions 
Available to all G Suite editions

On/off by default? 
This feature will be ON by default

Stay up to date with G Suite launches

Security center improvements: Gmail content, saved investigations, and more

What's Changing

We’re making it easier to assess and manage threats and improve your organization’s security posture using the G Suite security center. With these changes, superadmins or delegated admins with appropriate permissions can:

  • View Gmail content directly in the investigation tool when email content is needed to understand the potential security risk to a user or the domain during an investigation. 
  • Choose whether to include deleted Gmail content in search results and restore emails that have been recently deleted by users when required as part of the security investigation. 
  • Use “Group-by” to group search results around specific attributes when querying logs in the investigation tool.  
  • Save and share investigations with other security admins. 
  • See new charts and use new data sources related to user login logs. 

Note that to see Gmail content, admins must have superadmin status or have the “View detailed content” permission. Additionally, those admins will be required to add justification for accessing email content, which is then stored with the log recording their access. See more details below.

Who’s impacted 

Admins only

Why you’d use it 

The G Suite security center already helps you protect your organization with security analytics and best practice recommendations from Google. It provides a unified security dashboard, a tool to investigate and remediate threats, and more. These new features will make it easier to assess and manage threats in the tool directly, and help you collaborate with colleagues to improve your security posture.

How to get started 




Additional details 


Investigate, remediate, search and restore Gmail Content within the investigation tool. 
Malicious emails can be a critical source of data for an admin investigating attempted attacks within their domain or identifying other potential security risks. Now, superadmins or admins with “View detailed content” permission who enter justification for the access request can choose to view the content of email messages that match their risk criteria directly in the investigation tool. They can also choose whether to include deleted emails as part of the investigation. Use our Help Center to learn more about Gmail message content in the investigation tool.

This makes it easier to understand the full context of risks associated with emails and can make it quicker to identify, triage, and take action on security and privacy issues in your domain.


See Gmail content directly in the investigation tool 


“Group-by” option around specific search attributes when querying logs in the investigation tool 
When customizing a search in the investigation tool, you can group items by a particular search attribute to quickly understand the breadth of an issue. For example, when conducting a search based on device log events, you can group the search criteria based on the device model. Use our Help Center to find out how to add a group-by option when customizing a search.

Save and share investigations in the investigation tool
We want to make sure admins are able to work together to assess their organization’s exposure to security issues. Admins can now save their investigations in the security investigation tool and share them with other admins to improve collaboration. Use our Help Center to learn how to save, share, and change ownership of investigations.

User logs in the security center 
There are new charts in the Security Dashboards and new data sources in the investigation tool related to user login logs and the state of users in the organization. Use our Help Center to see more about how to search and investigate user log events.

Helpful links 

Help Center: About the security center 
Help Center: About the security investigation tool 

Availability 

Rollout details 



G Suite editions 

  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, and G Suite for Nonprofits


On/off by default? 
These features will be ON by default.

Stay up to date with G Suite launches