Tag Archives: Admin Console

Admins can now see and edit user recovery information

What’s changing 

G Suite admins can now view and edit their users’ recovery information, such as backup email addresses and linked phone numbers. We also use this information to verify login requests and increase account security. By making sure your users have accurate and up-to-date information you can help make their accounts more secure.

Who’s impacted 

Admins only.

Why you’d use it 

This feature was developed based on customer feedback. Security and recovery information is important for many account verification processes, such as login challenge. To learn more about how adding recovery information can significantly increase the security of your account, see this blog post.

Giving admins the ability to view and edit this information means they can ensure more accounts have up-to-date recovery information and increase the accuracy of the recovery information attached to G Suite accounts. This will help:

  • Make it easier for users to access their account if locked out. 
  • Increase challenges and identification of suspicious login attempts to help keep malicious actors out. 
  • Enable admins to provide direct support to users who are locked out of their account. 


You can still add employee ID as a login challenge for extra security as well.

How to get started 


  • Admins: There are three ways admins can currently manage recovery information: 
    • Individual user accounts: Go to Admin Console > Users > Individual User > Security > Recovery information > Edit. You’ll be able to edit individual user recovery information directly. 
    • Bulk user upload tool (CSV): Use the bulk upload tool at Admin Console > Users to update in bulk. See the edit accounts with a spreadsheet section of this Help Center article for details. 
    • API: Use the Admin SDK Directory API.
  • End users: No action needed, but users can add recovery information by going to myaccount.google.com.


Availability 

G Suite editions 
Available to all G Suite editions.

On/off by default? 
This feature will be ON by default.

Stay up to date with G Suite launches

Defend high-risk users with the Advanced Protection Program for enterprise beta

What’s changing 

Today, we’re announcing the beta of Google’s Advanced Protection Program for G Suite customers. With Advanced Protection Program for enterprise, you’ll be able to enforce a set of enhanced security policies for employees in your organization that are most at risk for targeted attacks. These policies include:
  • Requiring the use of security keys for maximum protection against phishing. 
  • Automatically blocking access to non-whitelisted third-party apps. 
  • Enhanced email scanning for threats. 
  • Download protections for certain file types when signed into Google Chrome. 
Advanced Protection for enterprise will be rolling out in beta over the next several days. See below for more details on how to get started.

Who’s impacted 

Admins and end users

Why you’d use it 

While the individual policies currently included in the Advanced Protection Program are available to G Suite users outside of this beta, the Advanced Protection Program beta offers a simple bundle of our strongest account security settings for your organization’s high-risk users.

Some users who would benefit from the protections of Advanced Protection are:
  • IT admins, 
  • Executives, 
  • Employees in regulated or high-risk verticals such as finance or government.  

How to get started 

  • Admins: Turn the beta on by going to Admin console > Security > Advanced Protection Program and selecting “Enrollment is enabled” for one or more organizational units (OUs).
  • End users: Once the program is enabled in your domain, users in those OUs specified by their admin can enroll in the Advanced Protection Program by going to g.co/advancedprotection.
    • Note that users will need two security keys to complete enrollment. 

Additional details 

Once the beta is enabled for their domain, users will be able to opt in at g.co/advancedprotection. We’ll automatically enforce a specific set of policies for the users you identify as most at risk: 

  • Requiring the use of security keys. Physical security keys, such as our Titan Security Keys, go further than traditional 2-Step Verification to help secure accounts against phishing and account takeovers. 
  • Automatically blocking access to high-risk third-party apps. When a user signs up for new apps or services, they’re sometimes asked to give access to high-risk data in their G Suite account. Advanced Protection allows only Google apps and select third-party apps, including those whitelisted by G Suite admins, to access high-risk user data. 
    • Note: Third party apps that do not require high-risk scopes to function will not be automatically blocked by Advanced Protection. However, they can be blocked through a separate admin policy.
  • Enhanced email scanning. Incoming email will have all available screening for phishing attempts, viruses, and attachments with malicious content. 
  • Stricter account recovery. Users who lose both of their security keys will need admin help to regain access to their accounts on new devices. This prevents automated recovery flows from becoming an attack vector. 
  • Download protections in Google Chrome. We’re adding a new feature in Google Chrome that will reduce a user’s exposure to potentially risky downloads. When signed into Chrome, users will receive a warning that indicates that Safe Browsing could not verify whether a file is safe. This will signal to users to proceed with caution and check the reputation of the source of the file to further validate the legitimacy of the file. 

Find out more about the policies enforced in the Advanced Protection Program at g.co/advancedprotection.

Availability 

G Suite editions 
  • Available to all G Suite editions 

Beta sign-up 
  • The beta is available to all customers. Turn the beta on by going to Admin console > Security > Advanced Protection Program and selecting “Enrollment is enabled.”

Anomaly detection in the G Suite alert center now in beta

What’s changing

We’re launching the beta of anomalous alert activity for Google Drive. Super admins and admins with delegated privileges for the alert center for G Suite will be alerted when potential data exfiltration risks occur based on unusual Google Drive behavior. Our machine learning models analyze security signals within Google Drive to detect potential security risks such as data exfiltration or policy violations related to unusual external file sharing and download behavior.




Who’s impacted

Admins only

Why you’d use it

Staying on top of activity that impacts the organization’s security is top of mind for most admins.

Once in beta, we’ll proactively notify you of potential security risks including data exfiltration and unusual user behavior patterns that can otherwise be more difficult for security admins to discover.

Additionally, since the alert center integrates with the security center investigation tool for G Suite, organizations can directly launch remediation efforts from within the alert center.

How to get started

  • Admins: Sign up for the beta using this form.
  • End users: No action needed.

Additional details

    With this beta program, we’re launching two new types of alerts:
      • Drive External Sharing Anomalous Activity alert: This alert informs security admins of potential data exfiltration risks based on unusual user Drive sharing behavior to external users.
      • Drive Download Anomalous Activity alert: This alert informs security admins of potential data exfiltration risks based on unusual user Drive downloading behavior.

              Availability

                G Suite editions
                • Available to G Suite Enterprise and G Suite Enterprise for Education
                • Not available to G Suite Basic, G Suite Business, G Suite for Education, and G Suite for Nonprofits

                Whitelist and manage domains more easily in the Admin console

                Quick launch summary

                We’re making a few changes to how G Suite admins manage owned and whitelisted domains in the Admin console. There will be no significant functionality changes, but the interface at Admin console > Account > Domains will be different. Specifically you may notice:

                • A “Manage domains” section. This was previously called “Add/remove domains.”
                • A “Whitelisted domains” section. This was previously called “Whitelisted external domains” and is where you can whitelist domains so your users can more easily collaborate with users in those domains.
                • An updated interface in both of these sections, with options rearranged to make it easier to find and perform common functions.



                Use our Help Center to learn more about how to add more domains to your G Suite account or whitelist trusted G Suite domains.

                Availability

                G Suite editions
                The features are available to all G Suite editions.

                On/off by default?
                This new interface will be ON by default.

                Use groups to control more G Suite apps and settings

                What’s changing 

                Last year, we announced that you could control access to G Suite apps and services using groups. We’re now expanding what G Suite features you can control using groups. You can now use groups to control default settings for:

                • App Maker database settings 
                • Currents settings (for organizations enrolled in the Currents beta program)
                • Directory editability, such as what profile information (e.g. name, birthday, gender, etc.) users can edit 
                • Google Drive and Docs policies for sharing files and link visibility 
                • Google Voice settings (for organizations who have signed up for Google Voice)
                • Hangouts Chat history settings and bot installation 
                • YouTube content settings, permissions, and more 


                Who’s impacted 

                Admins only

                Why you’d use it 

                Using groups can make G Suite simpler to manage while making sure the right users have access to the right apps, and have the appropriate default settings within those apps. For example, you could use groups to automatically configure G Suite for specific job functions, project teams, specific seniority levels, or geographic locations.

                Availability 

                G Suite editions 
                Available to all G Suite editions

                On/off by default? 
                Group-based controls will be OFF by default and can be enabled at the group level.

                Changes to the user management interface in the Admin console

                What’s changing 

                We’re making some changes to the interface you use to manage users in the Admin console. Specifically you may notice the following updates when you go to Admin console > Users:

                • New text buttons for user management. The buttons that appear when you hover over a user in the user list have been changed from icons to text. 
                • New text links to add users. You can now use text buttons at the top of the table. These replace the ‘+’ button that was previously used to add users. 
                • Dynamic table title bar. There are now different options displayed in the table depending on whether you have any rows selected (see image below). 


                See below for more details and images of the new interface.

                Who’s impacted 

                Admins only

                Why you’d use it 

                These changes will make it easier to find common user management features and therefore manage users more quickly through the Admin console.

                Additional details 

                New text buttons for user management 

                Instead of icon buttons, you’ll now have text buttons to complete common user management functions, such as resetting passwords, renaming users, adding to groups, and more.


                New text links to add users 

                To add users individually or in bulk, use the text links at the top of the user table. Note that these options change when rows are selected (see ‘dynamic table title bar,’ below).


                Dynamic table title bar  

                Options in the table’s title bar will change when you have user rows selected.


                Helpful links 

                Help Center: Add and manage users 

                Availability 

                G Suite editions 
                Available to all G Suite editions

                On/off by default? 
                This feature will be ON by default.

                Greater protection and control with three Gmail security tools

                What’s changing

                We’re making three Gmail security features generally available (GA). The features were previously in beta. Check out the linked announcements for more information on each:

                • Security sandbox, which detects the presence of previously unknown malware in attachments by virtually "executing" them in a private, secure sandbox environment. Learn more.
                • Advanced phishing and malware protection, which provides new controls to place emails into a quarantine, protect against anomalous attachment types, and protect your Google Groups from inbound spoofing emails. Learn more.
                • Gmail confidential mode, which provides built-in information rights management controls in your emails by allowing senders to create expiration dates and revoke previously sent messages. Learn more.

                Who’s impacted

                Admins and end users

                Why you’d use it

                When you deploy and manage security tools at scale, you can more effectively protect your users from threats. With these features now in GA, everyone in your organization—from admins to end users—is more secure.

                How to get started


                • Admins:
                  • Security sandbox: Note: available to G Suite Enterprise and G Suite Enterprise for Education editions only. Find and turn on the beta security sandbox feature at Admin console > Menu > Apps > G Suite > Gmail > Advanced settings. Use our Help Center to find more information on how to detect harmful attachments.
                  • Advanced phishing and malware protection: Find and control these features at Admin console > Menu > Apps > G Suite > Gmail > Safety. You’ll find new options for anomalous attachment and groups spoofing protections, and see the quarantine option available for all controls. Use our Help Center to learn more about how to enhance phishing and malware protection.
                  • Gmail confidential mode: This feature is on by default so no action is required to get started. To disable the feature, navigate to Admin console > Apps > G Suite > Settings for Gmail > User settings.
                • End users:
                  • Security sandbox: No action needed.
                  • Advanced phishing and malware protection: No action needed.
                  • Gmail confidential mode: Follow the steps in this Help Center article to send and open confidential emails.

                Availability

                Rollout details

                • Security Sandbox
                • Advanced phishing and malware protection
                  • Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on June 25, 2019.
                  • Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on June 25, 2019.
                • Gmail confidential mode

                G Suite editions

                • Security Sandbox
                  • Available to G Suite Enterprise and G Suite Enterprise for Education.
                  • Not available to G Suite Basic, G Suite Business, G Suite for Education, and G Suite for Nonprofits.
                • Advanced phishing and malware protection
                  • Controls are available to all G Suite editions.
                  • The chart to view affected emails is part of the security center, so it is available to G Suite Enterprise edition only.
                • Gmail confidential mode:
                  • Available to all G Suite editions.

                On/off by default?

                • Security sandbox: This feature will be OFF by default and can be enabled at the OU level.
                • Advanced phishing and malware protection: This feature will be ON by default.
                • Gmail confidential mode: This feature will be ON by default.

                Use security codes to log in where security keys won’t work directly

                What’s changing 

                We’re adding an option for G Suite users to log in using security codes. A security code is a one-time use code, generated using a security key, that can be used to log in on legacy platforms where security keys aren’t supported directly.

                Security codes will be available by default for some users:

                • Users subject to “Any” or “Any except verification codes via text, phone call” 2-Step Verification policies 
                • Users who are not subject to a specific 2-Step Verification policy, but who have chosen to use a security key. 


                If you currently use an “only security key” policy and wish to allow security codes, an admin can choose to turn security codes on for specific users (see more below).

                Find out more about how to select a 2-Step Verification method to enforce here.

                Who’s impacted 

                Admins and end users

                Why you’d use it 

                Security keys increase account security significantly. While most modern systems support the use of security keys, some do not. For example, security keys often don’t work with Internet Explorer and Safari, iOS apps, remote desktops, and legacy applications that don’t support FIDO protocols. With this launch, users can now generate a security code with their security key, which can then be used to authenticate their login attempt where the security key itself won’t work.

                For example, a user may need to access a web application that federates their Google identity, but only works on Internet Explorer 11. While the browser can’t communicate with a security key directly, the user can open a Chrome browser and generate a security code, which can then be entered in Internet Explorer to gain access to the application.

                Security considerations 
                Before enabling this new policy, carefully evaluate if your organization needs security codes. Using security keys without security codes helps to provide maximum protection against phishing. However if your organization has important workflows where security keys can’t be used directly, enabling security codes for those situations may help improve your security posture overall. 

                How to get started 

                Admins:

                • Domains that currently enforce an “only security key” policy can turn on security codes by going to Admin Console > Security > Advanced security settings and selecting “Users may utilize security code”. Use our Help Center to find out more about security codes. Domains that currently enforce other 2-step verification policies will have the feature turned on by default. 

                End users:

                • For users in domains which enforce “Any” or “Any except verification codes via text, phone call” 2-Step Verification policies the feature will be enabled by default. 
                • For users in domains which enforce an “only security key” policy, no action is needed until an admin turns the feature on. 
                • Once enabled, when a user who can use security codes navigates to a page which requires a security key, they will see “Having trouble” or “Try another way.” Once they click on one of those options, they will be able to “Get a one-time security code”. This will link to a page that prompts them to enter their security code, and also tells them where to go (https://g.co/sc) to generate a security code if they don’t have one yet. 



                Helpful links 

                Help Center: Deploy two-step verification and allow security codes 
                Help Center: Security controls and two-step verification

                Availability 

                Rollout details 

                • Rapid Release domains
                  • For domains which currently enforce an “Any” or “Any except verification codes via text, phone call” policy, the feature will be enabled for users in a gradual rollout (up to 15 days for feature visibility) starting on June 24, 2019 
                  • For domains which enforce an “only security key” policy, the admin console setting to allow users to utilize security codes will appear in the admin console in a gradual rollout (up to 15 days for feature visibility) starting on July 8, 2019. 
                • Scheduled Release domains
                  • For domains which currently enforce an “Any” or “Any except verification codes via text, phone call” policy, the feature will be enabled for users in a gradual rollout (up to 15 days for feature visibility) starting on June 24, 2019 
                  • For domains which enforce an “only security key” policy, the admin console setting to allow users to utilize security codes will appear in the admin console in a gradual rollout (up to 15 days for feature visibility) starting on July 8, 2019. 


                G Suite editions 
                Available to all G Suite editions

                On/off by default? 

                • Security codes will be ON by default for domains which currently enforce “Any” or “Any except verification codes via text, phone call” 2-Step Verification policies. 
                • Security codes will be OFF by default for domains which currently enforce an “only security key” policy; admins can enable them at the domain, OU, or group level.


                Five new third-party applications added to G Suite pre-integrated SAML apps catalog

                What’s changing 

                We’re adding SAML integration for five additional applications:
                • Firstbird
                • Foodee
                • Hive
                • LaunchDarkly
                • RECOG
                Use our Help Center to see the full list of SAML apps and find out how to configure SAML applications.

                Who’s impacted 

                Admins only

                Why you’d use it 

                With Single-Sign-On (SSO), users can access all of their enterprise cloud applications—including the Admin console for admins—after signing in just one time. Google supports the two most popular enterprise SSO standards, OpenID Connect and SAML, and there are already many applications with pre-integrated SSO support in our third-party apps catalog.

                How to get started 

                • Admins: You can find our full list of pre-integrated applications, as well as instructions for installing them, in the Help Center.
                • End users: No action needed.

                Additional details 

                Note that apart from the pre-integrated SAML applications, G Suite also supports installing “Custom SAML Applications,” which means that admins can install any third-party application that supports SAML. The advantage of a pre-integrated app is that the installation is much easier. Use our Help Center to learn more about installing Custom SAML Applications.

                Helpful links 

                Help Center: Using SAML to set up federated SSO 
                Help Center: Set up your own custom SAML application

                Availability 

                G Suite editions 
                Available to all G Suite editions.

                On/off by default? 
                This feature will be OFF by default and can be enabled at the OU level.

                Use an Android phone for 2-step verification on iOS devices

                Quick launch summary 

                Earlier this year we announced the ability to use your Android phone’s built-in security key for two-factor authentication in G Suite.

                Now, you can use devices with Android 7.0+ (Nougat) to verify your sign-in to Google and Google Cloud services on Apple iPads and iPhones.
                To learn more about using your Android phone’s built-in security key to verify sign-in on iOS devices, see our Security Blog.


                Availability 

                G Suite editions 
                • Available to all G Suite editions 
                On/off by default? 
                • If 2-Step Verification or Security Key Enforcement is turned on for an organization, Android phone will be available as an option for security keys by default.