Tag Archives: Admin Console

New beta adds IRM controls for DLP to help protect sensitive content in documents

What’s changing 

You can now automatically restrict the ability to download, print, and copy sensitive documents through data loss prevention (DLP) rules. These new DLP-driven information rights management (IRM) controls, currently available in beta, will make it more difficult for users to make copies of documents that might expose sensitive content. 

G Suite DLP rules already enabled admins to limit the sharing of documents directly. However, users could make copies of documents by printing it, copying it to unmanaged locations, or downloading it to physical media. These copies were not subject to the same sharing controls, increasing the risk of that content being exposed. 

There are already controls so that document owners and editors can manually prevent viewers and commenters from printing, copying, or downloading their files. However, this placed the responsibility of selecting the correct restriction on a file on end users. 


Who’s impacted 

Admins and end users 


Why it’s important 

The new IRM controls will help ensure that only a single version of sensitive documents exists, and therefore that company DLP policies will help protect it. This could help reduce the potential for accidental or intentional exposure of sensitive content in documents. It also reduces the need for end-users to recognize and manually adjust the IRM settings for files, creating a more scalable and automated process to protect your organization’s content. 


Additional details 

Admin setting for IRM in the DLP rule creation workflow 
When you’re creating or editing a DLP rule, there will be a new option: “Beta: Disable download, print, and copy for commenters and viewers.” If selected, this will prevent downloading, printing, and copying of the document unless the user has editor or owner permissions. Note that this is only available as part of our new Drive DLP system
Admins can add IRM controls to DLP rules 


Users will see new notifications on affected files 
Document editors and owners will see a new note when in the settings section of the sharing screen, as pictured below. Users with view or comment access will not be able to download, copy, or print the document—these options will be greyed out for them. Note that this only places limits on “viewer” or “commenter” roles within Drive. 
Document owners and editors will see a new note when they try to share the document 
Document viewers and commenters will have print, download, and copy options greyed out 


Getting started 

  • Admins: This feature will be OFF by default and can be enabled as part of new and existing DLP rules. Visit the Help Center to learn more about how to create new DLP rules and see FAQs about the Drive DLP IRM beta
  • End users: There is no end user setting for this feature. 

Rollout pace 

  • This feature is available now for all users. 

Availability 

  • Available to G Suite Enterprise, G Suite Enterprise for Education, G Suite for Education, and G Suite Enterprise Essentials customers 
  • Not available to G Suite Basic, G Suite Business, and G Suite for Nonprofits, and G Suite Essentials customers 

Resources 

Roadmap 

Set the default meeting length for Google Calendar events in your domain

What’s changing

We’re adding a new setting in the Admin console where you can define the default Calendar meeting length for users in your domain. Previously, the default of 60 minutes could only be changed from a user's individual Calendar settings. Now, admins can set a new default length for all of their users.

Who’s impacted

Admins and end users

Why you’d use it

You can make your organization more efficient by selecting the default meeting length that makes the most sense for your employees’ time and room usage.

How to get started

Admins: This new setting’s default value will remain at the standard 60 minutes unless admins take action to change it. Default meeting lengths can be customized at the organizational unit (OU) or domain level. Visit the Help Center to learn more about setting the default duration for events in your organization.


End users: If an admin changes the default meeting value, it will apply to end users who haven’t changed the "Default Meeting Length" setting in their individual Calendar settings and to all new users in a domain. End users will be able to overwrite the admin’s setting from their individual Calendar settings.


Rollout pace

Availability

  • Available to G Suite Business, G Suite Enterprise, G Suite Enterprise for Education and G Suite for Education customers
  • Not available to G Suite Essentials, G Suite Enterprise Essentials, G Suite Basic and G Suite for Nonprofits customers

Resources

Simplify management of company-owned iOS devices with new Apple Business Manager integration

What’s changing 

We’re launching an integration between Google endpoint management and Apple Business Manager (formerly the Device Enrollment Program, or DEP). This makes it possible to securely distribute and manage company-owned iOS devices from the Google Admin console. 

The integration will enable G Suite Enterprise, G Suite Enterprise for Education, G Suite Enterprise Essentials, and Cloud Identity Premium customers to set Google endpoint management as an MDM server on Apple Business Manager. 


Who’s impacted 

Admins 


Why you’d use it 

With the integration between Google endpoint management and Apple Business Manager: 
  • Admins can manage company-owned iOS devices directly from the Admin console, in the same location as they manage other devices that access their organization’s data. 
  • Admins can control a wider range of features including app installation, Apple app usage, authentication methods, and more, as shown in this table of supervised company-owned iOS device settings
  • Apple Business Manager and Google endpoint management automatically sync for seamless device management. 
  • Users follow a simple device setup and enrollment through the built-in setup wizard. 
Apple Business Manager setup in the Admin console



Getting started 

  • Admins: To use this feature, you need to enable advanced mobile management for iOS devices in applicable OUs, and have an Apple Business Manager account set up. Visit our Help Center to learn more about how to set up company-owned iOS device management
  • End users: There is no end user setting for this feature. Once provisioned by an admin, users can follow the device setup wizard steps to enroll the device. Once the setup wizard is complete, the Google Device Policy app will automatically install and the user should sign in to it with their G Suite or Cloud Identity account. 

Rollout pace 

Availability 

  • Available to G Suite Enterprise, G Suite Enterprise for Education, G Suite Enterprise Essentials, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and G Suite Essentials customers 

Resources 

Block apps from accessing G Suite data with app access control

What’s changing 

Last year, we launched app access control to help all G Suite and Cloud Identity customers control access to G Suite data via OAuth 2.0 by third-party and domain-owned apps. Now, we're improving it by allowing admins to block apps from accessing any OAuth 2.0 scopes. This makes it easy for customers to quickly restrict apps that are deemed to be high-risk or compromised. 

If an app is blocked, it will not be able to access any data from Google services. It will be blocked whether the app is on iOS, Android, or the web. If users try to authorize the app, they’ll see an authorization error message. Admins can customize this error message if they choose. 


Who’s impacted 

Admins 


Why you’d use it 


G Suite has a robust developer ecosystem, with thousands of apps available via the G Suite Marketplace and directly to customers, and a rich API framework enabling customers to develop custom apps. Not all apps, however, conform to every enterprise customer’s security policy, so our customers and partners value controls to manage third-party apps accessing G Suite data. 

Previously, admins could trust or limit access by specific apps. Now, we’re streamlining this to make it easier to manage potentially thousands of apps, and to help you to more quickly block apps when needed. By adding an option to block an app, you can quickly and efficiently protect data when an app is compromised or high-risk.
You can now block app access to OAuth 2.0 scopes via the Admin console. 

Apps can now be trusted, limited, or blocked. 


Getting started 

Rollout pace 

Availability 

  • Available to G Suite Basic, G Suite Business, G Suite Enterprise, G Suite for Education, G Suite Enterprise for Education, and G Suite for Nonprofits customers
  • Not available to G Suite Essentials and G Suite Enterprise Essentials customers

Resources 

Migration of Drive DLP rules to new system

What’s changing 


Now, we’re going to migrate any rules you created in the legacy DLP system to this new system. After this migration, you should use the new DLP system to create and manage your organization’s DLP rules for Drive. There are three key things to know: 
  • You can manually migrate your rules to the new system any time before August 10. 
  • Starting on August 10, we’ll automatically move any unmigrated rules to the new system. 
  • These migrations relate to rule management in the Admin console only. There’s no change in how the rules will be enforced for end users. 

Use our Help Center to learn more about the migration, and see more details below. 


Who’s impacted 

Admins with privileges to manage DLP rules. 


Why it’s important 

By bringing all your rules into the new DLP system, we’re making it easier to manage your DLP rules and take advantage of the improvements that the new system offers. 


Additional details 

Learn more about the new DLP system 
The new Drive DLP system offers more advanced policies, additional admin insights, and more flexible deployment than the legacy system. The new Drive DLP functionality can be found at Admin console > Security > Data Protection

To learn more, see our launch announcement for the new DLP system or visit our Help Center to learn more about the new DLP for Drive. You can also visit our Help Center to learn more about the migration to the new DLP system


User-controlled migration available now 
Currently, you can manually migrate your rules to the new UI by manually creating a new rule in the new Drive DLP and then deleting the legacy DLP rule. During that time, you won’t be able to update your rules, but they will still be in effect for end users. 

Note that on August 3, customers who have yet to create any legacy Drive DLP rules will not be able to create rules in the legacy system. Existing customers can continue to create and modify rules up until their migration. Rules can be created in the new system at any time. 

Before migration takes place, you’ll see a banner about the upcoming changes 


Automatic migration will start on August 10 
If you haven’t manually migrated your rules by August 10, we’ll start to automatically migrate them to the new system. Migration is expected to complete for most customers by the end of August 2020. A small subset of customers will be migrated in September 2020. Once started for your domain, the migration process can take up to 24 hours, and during that time you won’t be able to modify rules in the legacy system. 

Once the migration is completed for your domain, you will see a banner announcing that your DLP rules have moved when you go to the legacy rules location at Admin console > Security > Rules. At that point, you will no longer be able to create DLP rules in the legacy system. 

When migration is complete, you’ll see a notification banner in the Admin console 

Getting started 

Rollout pace 

Automatic rule migration: 
  • Rapid and Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on August 10, 2020. Migration is expected to complete for most customers by the end of August 2020. A small subset of customers will be migrated in September 2020. 

Availability 

  • Available to G Suite Enterprise, G Suite for Education, and G Suite Enterprise for Education customers. 
  • Not available to G Suite Basic, G Suite Business, and G Suite for Nonprofits, G Suite Essentials, and G Suite Enterprise Essentials customers. 

Resources 

Push device updates and settings to managed Windows 10 devices more quickly

Quick launch summary 

In April, we launched enhanced security for Windows. It allows admins to push device configuration updates, device settings, and more to Windows 10 devices remotely, without any specific network requirements. 

Now, it will be quicker for applied settings to take effect on managed devices faster. Previously, it could take up to six hours for settings to change on a device. With this update, they will take effect in a few minutes in most cases, as long as the device is connected to the internet. This will help ensure devices are updated and in compliance faster and that critical security updates are applied quickly. 


Getting started 

Rollout pace 

Availability 

  • Available to G Suite Enterprise, G Suite Enterprise for Education, G Suite Enterprise Essentials, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and G Suite Essentials customers 

Resources 

Updates to Admin console security settings section, new location for password policy reporting

What’s changing 

We’ve streamlined the security settings section of the Admin console. Specifically you may notice: 
  • Interface and content updates to Admin console > Security 
  • A new location for password policy reporting at Admin console > Reports 
See more details below. 


Who’s impacted 

Admins 


Why it matters 

This is the latest in a series of updates we’ve made in the last few months to improve the Admin console. These updates will make your security settings easier to see, and help you find important settings which can help you maintain a strong security posture for your organization. 


Additional details 

Interface and content updates to Admin console > Security 
  • An updated and reorganized interface for the main security settings section at Admin Console > Security. 
  • A new banner to the top of the Admin Console > Security page, which has links to learn more about security and privacy in Google Cloud. Previously this information was in a dedicated section (at Admin console > Security > Security and privacy resources) which has now been removed. 
  • The removal of password policy reporting from this section. It’s now been moved to the Reports section (see more below). 

A new location for password policy reporting at Admin console > Reports 
Data on user password policy compliance has been moved to the Reports section of the Admin console. Now you can find information such as password strength and length requirements at Admin Console > Reports > Accounts, and Admin Console > Reports > User reports > Security. Previously, this was at Admin console > Security > Password monitoring

By adding this data to the reports section, you can now use filters, view by OU, view historical values, and download reports features that were not available in the previous location. 

In addition, when reporting on password policy compliance, we now simply show whether or not a user’s password length is in compliance with the configured policy. Previously, we stated the specific length of the password. 


New password compliance information in the Admin console > Reports section 

You can now use filters, view by OU, view historical values, and download reports for password compliance data 

The new interface for the Security section of the Admin console 


Getting started 

Rollout pace 

Availability 

  • Available to all G Suite customers

Resources 

Coming soon: manage Google Chat and classic Hangouts chat settings from one place in the Admin console

What’s changing

You'll soon be able to manage all Google Chat and classic Hangouts chat-related settings from a single page in the Admin console. This follows the update we made last year to combine several settings for Google Chat and classic Hangouts.

On July 6, 2020, we’ll start mapping your existing service status (e.g. Google Chat on, classic Hangouts on, Chat preferred off) to the new setting that matches your current user experience. You don’t need to take any action.

Most end users will not see any change. In domains where Google Chat is turned ON but classic Hangouts and Chat preferred are turned OFF, however, users will begin seeing Chat in Gmail over the next few weeks.

Visit the Help Center to learn more about the different settings options for chat.
New chat service settings in the Admin console


Who’s impacted

Admins and end users

Why it matters

With all your chat settings in one place, including on / off controls for different chat services, you can now view your organization's chat configuration holistically and more easily tailor it to your needs.

Additional details

We recommend the “Chat preferred” setting for admins who would like to transition their entire organization from classic Hangouts to Google Chat. With this launch, Chat preferred is now configurable at the organizational unit (OU) level.

While these changes are rolling out, admins may temporarily see the "Chat clients" tab as well as the new service page. They should only change the new service status page to make changes for their domain.

Please note that while the experience for most end users will not change with these new settings, in the coming weeks we’ll launch Chat in Gmail to domains that have the “Chat only” setting selected. This means that any user in a domain where Chat is turned ON and Classic Hangouts and Chat Preferred are turned OFF will start seeing Chat in Gmail. This feature was previously only available to domains with the Chat preferred setting selected. End users will have the option to turn Chat in Gmail off at the individual level.

Getting started

Admins: No action is required, as we’ll automatically align your existing settings to the new setting that matches your current user experience. Visit the Help Center to learn more about choosing a chat service for your organization.
New combined service on / off setting row in the Admin console
End users: Visit the Help Center to learn more about how to turn Chat in Gmail on or off for your account.

Rollout pace

New chat settings and page


Chat in Gmail to “Chat only” domains


Availability


  • Available to all G Suite customers

Resources




Use group-based controls for LDAP client access permissions

Quick launch summary 

You can now configure the access permissions for an LDAP client by group. Previously, controls were only available at the organizational unit (OU) level.

LDAP clients are in the secure LDAP service, which enables users to access traditional LDAP-based apps and IT infrastructure using their G Suite credentials. This new feature allows you to allow or prevent specific groups of users from signing in to an application. This can help you make sure only appropriate users are able to access and use specific applications.

Group-based controls for LDAP clients in the Admin console 

Getting started 



Rollout pace 




Availability 


  • G Suite Enterprise, G Suite for Education, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Nonprofits, and Cloud Identity Free customers 

Resources 


Admin console improvements: API client access, GSM apps, admin roles, domain management, and unmanaged users

We’ve made several updates to the Admin console interface. Specifically, we’ve:
  • Streamlined the API client access page 
  • Improved and expanded the G Suite Marketplace apps (GSM) settings 
  • Made it easier to manage admin role assignments 
  • Created a new interface for domain management 
  • Updated the unmanaged users and consumer account invite section 

See below for more details on each of these changes.


Streamlined the API client access page 

The API client access page helps you grant API access to internal or 3rd-party apps, especially those using service accounts, on behalf of your users. We’ve created a simpler view of all apps that are authorized for domain-wide delegation and all authorized scopes, with service account and app name details. Updates to this view include:

  • A new location for the page. It’s now found at Security > API Controls > Domain-wide Delegation. It was previously at Security > Advanced settings
  • Improved interface, with more information and clearer UI, which makes it easier to see, understand, and manage apps and scopes. 
  • Removed applications domain-installed from G Suite Marketplace (GSM) from this view (they’re now in the GSM settings section, detailed below.) 

Visit the Help Center to learn more about controlling G Suite API access with domain-wide delegation
The new interface for domain-wide delegation in the Admin console 



Improved and expanded G Suite Marketplace apps (GSM) settings section 

The GSM section helps you control which GSM apps your organization can use. Updates in this section include:

  • General interface updates to several pages, including Admin console > Apps > G Suite Marketplace whitelist, Admin console > Apps > Settings for G Suite Marketplace apps, and Admin console > Apps > Domain install G Suite Marketplace apps
  • Functionality updates when you click into a specific app on the Domain install G Suite Marketplace apps page, including: 
    • A new “partially approved” status, in addition to "approved" and "not approved" to provide more visibility into data permissions for apps. 
    • New grouping for data access scopes by API buckets (e.g. "Gmail," "Calendar," etc) to make it easier to understand app data access. 
    • The OAuth client ID for the app. 

Visit the Help Center to learn more about how to manage Marketplace apps for your organization.
An example of the improved GSM app information page 



Easier to manage admin role assignments 

We’ve made updates to the area where you can view, create and assign admin roles within your organization. Improvements include:

  • A new roles home page, where you can quickly see all the system and custom roles and the admins assigned those roles. 
  • New quick-action buttons to more easily understand role privileges, then add and manage users in those roles. 
  • Easier ways to create and assign custom roles, including ability to copy an existing role. 

Use our Help Center to learn more about administrator roles in G Suite.
The new interface to manage admin roles 



New interface for domain management in the Admin console 

We’ve updated the interface you use to manage your primary domain, secondary domains, and domain aliases. When you go to Admin console > Domains > Manage domains, you may notice:

  • An updated interface with more complete information and descriptions of items and domain state. 
  • New grouped action buttons which make it easier to see and select the action you want to take, such as verifying domains, changing your primary domain, setting up MX records, and more. 
  • A new side panel which shows information about domains registered through Google, enabling you to quickly see and manage renewals and advanced DNS settings. 

Use our Help Center to learn more about how to add and manage domains in G Suite.
The new domain management interface in the Admin console 

Updated the unmanaged users and consumer account invite section 

We’re making improvements to the interface you use to find and manage users who have personal Google Accounts that use your organization's domain. Through this interface you can invite them to join your domain so you can better manage their accounts and any company data within it.

Specifically, when you go to Admin console > Tools > Transfer tool for unmanaged users, you’ll find an updated interface that makes it easier to:

  • Switch between managed and unmanaged account views. 
  • See and filter users with personal accounts. 
  • Invite them to migrate that account to your G Suite organization. 

Visit the Help Center to learn more about managing existing personal accounts for your organization.
Unmanaged user section in the Admin console

Getting started 

  • Admins: These updates will happen automatically. Use the Help Center links in each section above to learn more about the enhancements and available controls. 
  • End users: No end user impact. 

Rollout pace 

  • These updates are available now for all users. 

Availability 

  • Available to all G Suite customers 

Roadmap 

  • Updates to the G Suite Marketplace apps section in Admin console was listed as an upcoming G Suite release.