Tag Archives: Admin Console

Enhance Your Organization’s Security with Out-of-Domain File Warnings in Google Workspace

What’s changing

Today we’re launching Out-of-Domain file-level warnings, now publicly available to all Google Workspace users. Specifically, a badge will be displayed on Google Docs, Sheets, and Slides files when the file is owned by or shared with someone outside of your domain. You'll also see a pop-up with more details and the option to report the externally owned file for abuse. 

Image of "External" badge displayed in Google Docs: a small yellow badge appears next to the document title, and clicking it opens a pop-up warning that the document is owned by someone outside your organization.


This feature helps users identify potentially risky files and avoid phishing scams when working with files shared from outside your organization.


Additional details

  • Known Limitations:
    • For externally shared content, the badge will not be displayed if any internal Google Groups have access to the document, even if these groups have external members.
    • If any service accounts have access to the document, the External badge will be displayed, even if the service account is owned internally.


Getting started

Image of the Google Workspace Admin console, Sharing settings, showing the "Highlight external files" option enabled. The description reads: "Mark external files shared or owned externally as “external” to flag that content may be viewable outside your organization."


Rollout pace


Availability

  • Available for all Google Workspace customers, as well as Cloud Identity customers

Resources

Data classification labels for Gmail are now generally available

What’s changing 

In 2024 we introduced data classification labels for email in open beta, and since then we’ve introduced several feature enhancements including: 

Beginning today, we are pleased to announce that data classification labels are generally available, giving admins yet another way to enhance their security posture.



Who’s impacted

Admins and end users

Why it matters 

Data breaches are increasingly common and costly across all organizations, including enterprises, public sectors, and government institutions. By extending data classification labels to Gmail, Google Workspace offers admins a more comprehensive and integrated system for protecting sensitive information. 


Admins can create custom labels or leverage existing Drive labels within Gmail, enabling classification of emails based on department, document type, sensitivity, and more. This allows for the creation of targeted data protection rules, such as blocking the sending of internal-labeled emails to external recipients or automatically applying a confidential label to messages containing sensitive financial data. 


The instant application of auto-classification and DLP rules in Gmail provides immediate feedback to users, educating them on data protection policies and allowing them to rectify issues before emails are sent, ultimately minimizing data breaches and improving overall data security. 


Finally, availability on mobile devices provides a comprehensive experience, ensuring data is protected and labeled across all user devices, whether users are sharing and accessing information from desktop devices or from mobile devices on the go.


Additional details

To further enhance the data classification labels experience, instant application of DLP rules and actions triggered by classification labels will soon be generally available on mobile devices. We anticipate that this functionality will be available in May – we’ll share an update once we have more information.


Getting started

  • Admins: 
    • If you've been using classification labels since the open beta period, there are no changes to your experience.
    • If you’re new to Gmail classification labels, they can be enabled at the domain, group level, or individual user level. You also have the option to enable existing classification labels used in Drive for use in Gmail. The Label Manager tool can be accessed by going to Security > Access and data control or admin.google.com/ac/dc/labels in the Admin console.  Visit the Help Center to learn more about getting started with classification labels, Gmail DLP & automatic classification labels, and preventing data leaks in email and attachments.

The Label Manager tool can be accessed in the Admin console  by going to Security > Access and data control



  • End users: Depending on the data loss prevention rules configured by your admin, you may see a dialog letting you know that your message cannot be shared and how to fix your message so it can safely be shared. Visit the Help Center to learn more about classification labels in Gmail.



Users can apply classification labels to a message, according to the organization’s data governance policies


Classification labels on mobile when composing a message and reading a message



Rollout pace


Availability

The Label Manager and manual classification are available to Google Workspace:
  • Frontline Starter and Standard
  • Business Standard and Plus
  • Enterprise Standard and Plus
  • Education Standard and Education Plus
  • Essentials, Enterprise Essentials, and Enterprise Essentials Plus


Data loss prevention rules with labels as a condition or labels as an action are available to:
  • Enterprise Standard and Plus
  • Education Fundamentals, Standard, Plus, and the Teaching & Learning Upgrade
  • Frontline Standard
  • Cloud Identity Premium (in combination with a Workspace Edition that includes Gmail)

Resources


Control Workspace Business and Enterprise users’ access to new Google Workspace with Gemini features before general availability

What’s changing

In the coming weeks, Google Workspace Business and Enterprise admins will be able to turn on access to Workspace with Gemini alpha features for their users. Turning this on gives your users a head start on leveraging our latest AI features and the opportunity to provide Google with helpful feedback as we develop new features. More information can be found below which can help you decide whether early access is right for your users. We first introduced this option last year for Google Workspace customers who previously purchased a Gemini Enterprise, Gemini Business and AI Meetings & Messaging add-on. 


Access to Gemini alpha features can be turned on for all users or a subset of users in specific Organizational Units (OUs) or Groups.

Admin console > Generative AI > Gemini for Workspace > Alpha features




Additional details

  • Alpha features get the same robust data protection standards that come with all Google Workspace services.
  • Alpha features are experimental and may not always get things right. We’re looking forward to customers’ feedback to help us improve these features before they’re rolled out to general availability. However, please keep in mind that Alpha features may be changed, suspended or discontinued at any time without prior notice.

Getting started

  • Admins: 
    • This feature will be OFF by default and can be enabled at the domain, OU, or group level. Visit the Help Center to learn more about turning access to Gemini in Workspace apps Alpha on or off
    • Please consider the following before configuring Gemini alpha access for your users:
      • With this launch, Gemini add-on licenses will no longer be required for your users to access Gemini in Workspace apps alpha features. Please ensure the alpha setting is turned ON only for your desired groups or OUs.   
      • Once the Gemini in Workspace apps alpha setting is enabled, users may be granted access to new alpha features at any time — it is not possible to enable a subset of features or opt-out of specific features. We strongly recommend that admins and end users sign up for the Google Workspace alpha community page. Here, you can find the latest Gemini in Workspace apps alpha features, ask questions and provide feedback about the features on this page.
      • Features may be added to, modified, and removed from alpha at any time — there is no advanced notice of these features appearing for users.
      • Some alpha features may not roll out to all your selected alpha users. 
      • As these features are not yet generally available, we will not offer full support for these features.
      • You can also help us improve Gemini in Workspace apps by allowing users at your organization to provide feedback via research studies and surveys

Rollout pace

Admin setting 

Availability

This update impacts Google Workspace:
  • Business Starter, Standard, and Plus
  • Enterprise Starter, Standard, and Plus


Resources


More options for exporting your Google Workspace data are available in open beta

What’s changing

Beginning today, Admins can choose from several options when exporting their organization’s data (also known as ‘takeout’). Specifically, they will be able to:

  • Export data from all or multiple services, such as Gmail, Chat, or Drive.
  • Export Drive data based on existing Drive labels
  • Export data from within a specific date range
  • Export data from selected shared drives


Exporting data for specific services

Exporting data based on specific Shared Drives

Exporting data based on specific or custom date range

Exporting data based on specific Drive labels







This update is available in open beta, which means no additional sign-up is required.


Who’s impacted

Admins

Why it’s important

In 2022, we introduced the ability for admins to export user generated content by organizational unit (OU) or group, and prior to that update, data export was limited to a customer’s full set of user generated content. With this update, we continue to give our customers more flexibility and specificity over the data they export, which is important as business and compliance needs evolve.

Getting started


Rollout pace


Availability

Resources



Improve communication and representation with Dynamic layouts in Google Meet

What’s changing

We’re thrilled to introduce a brand new, redesigned layout experience for Google Meet that will improve communication and collaboration for all users, but especially for those in hybrid meetings. There are many exciting new features bundled in this extensive launch across Meet for web and rooms. Check out the video overview to see the new features in action and keep reading for more details:


Dynamic layouts:
  • “Portrait tiles” prioritize faces by cropping out excess background video
  • Optimized tile placement logic to enable much more efficient layouts that minimize unused space
  • Visual design refresh, including color-sampled tile theming for users with their cameras off
  • Larger room tiles in the grid when ‘Dynamic tiles’ is not active
  • More flexibility around how tiles are cropped, including self-view
  • Increased pin limit from 3 to 6 to provide more flexibility to customize your layout


Portrait tiles and various design improvements in action


Dynamic tiles:
  • An individual video tile is created for up to 3 meeting participants joining from the same conference room with Google Meet hardware
  • AI-enabled active-speaker detection automatically highlights only the tile of the in-room speaker without any special hardware requirements
  • Other meeting participants can pin these tiles in their layout as they would any other tile

Individual tiles for up to three meeting participants in a conference room


Face match:
  • When Dynamic tiles are in use in a room with a Google Meet hardware device, users can associate their name with their face from Companion mode on Web so their tile can be labeled. This creates a consistent experience where everyone can show up in their best light, whether they’re in the room or joining remotely. 

When using Companion mode, you can associate your name with your Dynamic tile




Who’s impacted

Admins and end users


Why it matters

These layout enhancements in Google Meet bring a refreshed, modern feel to the meeting grid while also adding the functional benefits of increasing space efficiency and improved representation for hybrid meetings. It allocates available space based on content being presented, tiles pinned by users, and more to address a core hybrid-work challenge  of remote meeting participants not being able to easily see or identify in-room users. 


Additional details

Please see below for more important information regarding these features:

Dynamic layouts
  • Legacy layouts remain available
    • Users who do not wish to see portrait tiles can switch from Auto (dynamic) to Tiled (legacy) in the layout options selection menu.
  • More flexible self-view options
    • Users now have much more control over the appearance of their self-view tile. When you set your self-view preference, it will carry over across meetings.
  • Framing and new uncropping functionality
  • Prevent your video from being cropped for others
    • Some users may prefer that their video feed never be cropped by other Meet users.  Users can select “Show my full video to others” from the three-dot overflow menu of their self-view tile. This will cause their video to always render as an uncropped tile for other users. We encourage sign-language interpreters especially to consider using this feature to ensure that arms and hands are not unintentionally cropped out.

Dynamic tiles
  • Dynamic tiles work in meetings with up to 3 in-room participants 
  • Dynamic tiles will automatically fall back to a room view if:
    • More than 3 people are detected
    • Users are sitting too close to give each user their own tile without significant overlap
    • There is too much movement detected in the room and it’s causing distractions

  • Platform support
    • Available for ChromeOS-based room devices at launch
    • AOSP (Android) device support is expected in the future
    • Not available in interop mode


Face match
  • Face match is available for any Companion mode web user checked into a room using dynamic tiles. Face match supports a maximum of 12 faces. 
  • Face match only associates your name with your face for Dynamic tiles when you are in view of the room camera for the duration of the meeting. A user may have to check in again using Companion Mode if they disappear from view for long enough.


Getting started

  • Admins: 
    • We recommend thoroughly reviewing the Help Center articles (especially if your organization uses Google Meet hardware) to ensure both you and your end users are prepared for these changes.

    • Dynamic layouts
      • Will be ON by default for all web and room devices.  There is no admin setting for this feature – only layout options for end users.

    • Dynamic tiles
      • You can control whether Dynamic tiles are ON or OFF by default when devices join a call by using the Default camera framing individual device setting. 

Devices > Google Meet hardware > [Device name] > Device settings > Default camera framing

      • Best practices for rollout:
        • Dynamic tiles work best when used in smaller rooms (capacity of 6 or less) where participants sit less than 10 feet from the camera.
        • Glass walls can sometimes cause people outside the meeting room to be picked up by the camera and given a tile – dynamic tiles should be deployed only after testing in these rooms.

    • Face match 
      • Face match will always be available in companion mode when room check-in and dynamic tiles are active on the associated room device. There is no separate admin or end user setting for this feature.

  • End users:  
    • Dynamic layouts
      • Will be ON by default for all web and room devices.  You can turn Dynamic layouts OFF by switching from Auto (dynamic) to Tiled (legacy) from the layout options selection menu in Meet (or to Sidebar or Spotlight)
    • Dynamic tiles
      • Whether Dynamic tiles are ON or OFF by default depends on the configuration of your admin. It can be turned ON or OFF from the framing section of your Meet hardware device touch controller or TV user interface menu.
    • Face match
      • Available via Companion mode if Dynamic tiles is active on your room device and when you check-in to that room device.

Rollout pace

Due to the quantity of features included in this launch, you should expect to see different combinations of the included features gradually become available over the next few weeks. 

  • Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on March 31, 2025
  • Scheduled Release domains: Extended rollout (potentially longer than 21 days for feature visibility) starting on April 17, 2025

Availability

  • Dynamic layouts are available for all Google Meet meetings on the web and from meeting rooms via hardware devices. They are available for all Google Workspace customers as well as users with personal Google accounts.
  • Dynamic tiles and Face match require a Google Meet hardware device and associated license.

Resources


Gmail data loss prevention now supports “sensitive content snippets”

What’s changing

We recently launched data loss prevention for Gmail and, beginning today, Admins can see “Sensitive content snippets” for Gmail messages that trigger data loss prevention rules. This content is logged  in the security investigation tool and admins can use the information to better identify security risks, determine whether a false positive was returned, and decide on an appropriate course of action.

Snippets are already available for DLP events for Drive, Chat, and Chrome. Visit our Help Center and our previous announcement for more information.

Matched content and information about the data detector type is displayed in the side panel under ‘Log Details’ in the Security Investigation Tool

Getting started

Rollout pace

Availability

Available to Google Workspace 
  • Frontline Standard
  • Enterprise Standard and Plus 
  • Education Fundamentals, Standard, Plus, and the Teaching and Learning add-on
  • Enterprise Essentials Plus
  • Also available for Chrome Enterprise Premium

Resources


Beta update: Data loss prevention rules based on classification labels are now applied instantly in Gmail on the web

What’s changing

In November 2024, we announced an open beta for data classification labels in Gmail. To further enhance the experience, we’re pleased to announce that auto-classification labeling with data loss prevention (DLP) rules and actions triggered by classification labels detected in the message will now be applied instantly when using Gmail on the web. Previously, users were informed of any implications after messages left the inbox. With this update, the feedback is instant, providing the opportunity to educate users on why their message is classified, blocked or quarantined, and how to remedy the issue to keep their email communications flowing. 

With this new functionality, and with this feature still in an open beta period, we strongly encourage you to continue providing feedback so we can optimize the feature for general availability. You can also use the form to sign-up for feedback sessions with the Google user research team to provide more detailed feedback.




Who’s impacted

Admins and end users

Why it matters
Google Workspace's expansion of data classification labels to Gmail gives admins the ability to mitigate data exfiltration and gain a deeper understanding of shared data based on information type and sensitivity level to apply data protection policies appropriately. Some ways you can use Data Protection Rules with Classification Labels are:

    • Prevent messages based on a specific classification (e.g. Confidential, Internal, NTK) from being accidentally shared with unauthorized users.
      • You can create a rule with specific label(s) as a condition and choose an action to trigger when a message is sent:
        • Warn: users will see a notification that their message may contain sensitive information, helping to prevent accidental sharing. Note that this action does not block the message from being sent.
        • Block: users will be notified that their message will not be sent unless the label is changed or removed (if data organization policy allows).
        • You can also create a rule in a way that allows for sharing labeled messages only if confidential mode is enabled for the message.

    • Enforce classification on every message or specific messages
      • You can create a rule that warns users or blocks the message if a specific classification label is not found in the message. This can help educate users and drive adoption of your organization’s data classification policy among users.
    • Automatically apply classification labels to messages if specific information types are found in the message
      • You can create a rule to automatically apply a specific classification label if certain criteria are met, for example when credit card information or medical information is contained within the email.
      • You can also configure the rule to allow users to modify the label to a more appropriate one based on the situation and data classification policy of your organization.
For more detailed information, please refer to our beta announcement as well as our Help Center.


Additional details

At this time, this update is only supported when using Gmail on the web. Stay tuned for further updates about instantaneous support in Gmail iOS and Android clients.

Getting started

Rollout pace

Availability

The Label Manager and manual classification are available to Google Workspace:
  • Frontline Starter and Standard
  • Business Standard and Plus
  • Enterprise Standard and Plus
  • Education Standard and Education Plus
  • Essentials, Enterprise Essentials, and Enterprise Essentials Plus


Data loss prevention rules with labels as a condition or labels as an action are available to:
  • Enterprise Standard and Plus
  • Education Fundamentals, Standard, Plus, and the Teaching & Learning Upgrade
  • Frontline Standard
  • Cloud Identity Premium (with a Workspace Edition that includes Gmail)

Resources



Available in beta: Convert your client-side encrypted documents after a Vault or Takeout export

What’s changing

After a Vault or Data export (takeout), admins can now convert their exported client-side encrypted documents to Word files. This allows organizations to maintain ownership over, access to, and analysis of sensitive data in a portable format even after it has been exported from Google Workspace.


Eligible Google Workspace admins can use this form to request access to the beta. We’ll share more specific instructions once you’re accepted into the beta.



Getting started

  • Admins: Client-side encryption can be enabled at the domain, OU, and Group levels (Admin console > Data > Compliance > Client-side encryption). Visit our Help Center to learn more about client-side encryption.

Rollout pace

  • The feature will be available immediately once you're accepted into the beta.

Availability

  • Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers.

Resources


Consent re-confirmation for under 18 users accessing Additional Services will soon be required

What’s changing

When a Google Workspace for Education admin chooses to enable Additional Services for students under the age of 18 to use, they acknowledge that they may be required to collect parental or guardian consent. This includes access to services like YouTube, Google Translate, Google Photos, Google Books, Google Earth and more.

In September 2024, we communicated that we now require admins who have Additional Services enabled for users under the age of 18 to re-review them on an annual basis. Admins are always in control of which services their users have access to, and this gives admins an opportunity to ensure the right users have access to the right services.

  • If admins do not want to provide access to Additional Services for their under 18 users, they can turn them off for those users.
  • If admins want to keep Additional Services enabled for under 18 users, they need to reconfirm parental consent in the Admin console.
  • If admins do not take action, under 18 users who previously had access to Additional Services will lose access in the coming weeks. Admins can re-enable access to Additional Services at any time.

How admins can take action
Admins were first provided notice of this re-confirmation requirement in September 2024, which gave 6 months' notice to complete the re-review process before the March 2025 rollout. The banner in the Admin console has turned red to alert admins that action is required. While the rollout begins in March, it might take several weeks before some users in your organization are impacted.

You can easily view which applications require consent reconfirmation from Admin console > Apps > Additional Google services. You can re-confirm consent by checking the box next to the app, hovering over the app, or using the three-dot overflow menu.

Experience for impacted end users
If users lose access to a specific service, they’ll be notified: “Your Google Workspace for Education account is designated as under 18 and your organization’s admin has not granted you access to this Additional Service. To regain access, inform your admin that you need this service to be enabled.”



Who’s impacted

Admins and end users under the age of 18


Why it’s important

Admins control which services their users have access to, and should do so in alignment with both our terms of service and local laws and regulations that determine what services are appropriate for users under 18. Since admins manage which services their students have access to, only they can enable or disable access for their under 18 users.


This is a guide to support admins with collecting consent from parents, which includes this template for communicating with parents and guardians around collecting consent.

Additional details

The requirement to review and re-confirm access to Additional Products is an annual requirement customers must complete for their under 18 users, subject to their Google Workspace for Education Terms of Service.

Getting started


Rollout pace


Availability

This change impacts Google Workspace:
  • Education Fundamentals, Standard, and Plus

Resources