Tag Archives: Admin Console

Restrict third-party API access to Google Workspace and end user data with new app access control

What’s changing 

You can now block all third-party API access to Google Workspace data with a new setting. This complements other available OAuth settings which help you control which third-party and internal apps access Google Workspace data.

When selected, all third-party apps are denied access to Workspace and end user data, blocking all OAuth 2.0 scopes. This also means that users cannot use their Google Workspace accounts to sign into third-party apps and websites. 

Who’s impacted 

Admins and end users

Why it’s important 

This new setting adds another layer of protection over your Workspace and end user data. Not every third-party application has robust security measures in place or conforms to your security policy — by restricting third-party APIs from requesting sensitive information, such as login or email scopes, you can ensure your data and user data stay secure.

When all third-party API access is blocked, an app will not be able to access any Workspace user data, across web and mobile. If users try to authorize an untrusted app, they’ll see an authorization error message. Admins can customize this error message if they choose.

Getting started 

Rollout pace 


Update design for the Admin console home page

Quick launch summary

We’re making some updates to the home page in the Admin console. You may notice: 
  • A new card-based interface which includes more information and links to provide quick access to common tasks. 
  • Expandable (or collapsible) cards for Users, Billing, and Domains, with quick links to common items in those areas. 
  • Reordered items to make it easier to find the most used sections and complete common tasks. 
We hope this design will make it quicker to navigate around the Admin console, easier to find items you need to manage, and simpler to understand how Google Workspace is deployed within your organization. 

The new Admin console home page 

The old Admin console home page 

Getting started 

  • Admins: You’ll see the new interface when you log into the Admin console. Visit the Help Center to learn more about using the Admin console.
  • End users: No end user impact. 

Rollout pace 

Availability 

  • Available to all Google Workspace customers, as well as G Suite Basic and Business customers 

Resources 

Login related audit events are now located in a single location in the Admin console

What’s changing 

We’ve consolidated all login related audit events to a single location within the Workspace Admin Console under Reports > Audit Log > Login. Here, you can find information on the following events: 
  • Two step verification enrollment or disablement, 
  • Advanced protection enrollment or disablement, 
  • Password changes, 
  • Recovery question changes, 
  • Recovery phone changes, 
  • Recovery email changes, 
  • Out of domain email forwarding enablement.

Who’s impacted 

Admins 

Why it’s important 

We hope that by displaying this information in a single location, Admins will have greater visibility into critical actions carried out by their users on their own accounts, without having to switch between multiple places in the Admin console. 

Additional details 

You can also use the Reports API to view information on login events. Use the Google Workspace Developer Guide to learn more about getting started with the Reports API and using the Login Activity Report.

Enterprise Plus and Education Plus Super Admins can also use the security investigation tool (Admin console > Security > Investigation Tool > User Log Events) to view more detailed information and take action on suspicious login activity.
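As an added example (not part of the original post and not Google's code), the consolidated login events can be triaged once they have been pulled from the Reports API: the sketch below flags accounts where a protection was removed close in time to a password or recovery change. The event names are assumed from the Reports API login activity documentation, and the response, the `triage` function and the one-hour window are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event names assumed from the Reports API login activity reference;
# confirm them against the current documentation before relying on them.
WEAKENING = {"2sv_disable", "titanium_unenroll", "email_forwarding_out_of_domain"}
RECOVERY = {"password_edit", "recovery_email_edit", "recovery_phone_edit",
            "recovery_secret_qa_edit"}

# Constructed sample shaped like an activities.list response (not real data).
SAMPLE = json.loads("""
{"items": [
 {"id": {"time": "2021-03-01T10:00:00.000Z"}, "actor": {"email": "alice@example.com"},
  "events": [{"type": "password_change", "name": "password_edit"}]},
 {"id": {"time": "2021-03-01T10:20:00.000Z"}, "actor": {"email": "alice@example.com"},
  "events": [{"type": "2sv_change", "name": "2sv_disable"}]},
 {"id": {"time": "2021-03-01T10:25:00.000Z"}, "actor": {"email": "alice@example.com"},
  "events": [{"type": "email_forwarding_change",
              "name": "email_forwarding_out_of_domain"}]},
 {"id": {"time": "2021-03-02T08:00:00.000Z"}, "actor": {"email": "bob@example.com"},
  "events": [{"type": "2sv_change", "name": "2sv_disable"}]},
 {"id": {"time": "2021-03-02T09:00:00.000Z"}, "actor": {"email": "carol@example.com"},
  "events": [{"type": "password_change", "name": "password_edit"}]},
 {"id": {"time": "2021-03-02T09:30:00.000Z"}, "actor": {"email": "dave@example.com"},
  "events": [{"type": "login", "name": "login_success"}]}
]}
""")

def parse_time(ts):
    """Parse the RFC 3339 UTC timestamps used in activity records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")

def triage(response, window=timedelta(hours=1)):
    """Return {user: severity}: 'high' when a protection was removed within
    `window` of a password or recovery change, 'review' when a protection
    was removed on its own. Users with neither are omitted."""
    per_user = defaultdict(list)
    for item in response.get("items", []):
        user = item.get("actor", {}).get("email", "unknown")
        when = parse_time(item["id"]["time"])
        for event in item.get("events", []):
            if event.get("name") in WEAKENING | RECOVERY:
                per_user[user].append((when, event["name"]))
    result = {}
    for user, events in per_user.items():
        weakened = [t for t, name in events if name in WEAKENING]
        recovery = [t for t, name in events if name in RECOVERY]
        if any(abs(w - r) <= window for w in weakened for r in recovery):
            result[user] = "high"
        elif weakened:
            result[user] = "review"
    return result
```

A routine password change on its own is not flagged; only the combination, or the removal of a protection, is surfaced for follow-up in the investigation tool.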


Getting started 


Rollout pace 


Availability 

  • Available to all Google Workspace customers, as well as G Suite Basic and Business customers

Resources 

New recommended DLP rules help protect sensitive data

What’s changing 

To help our customers more easily implement security controls, we will start providing recommended data loss prevention (DLP) rules personalized for your organization. These recommendations are based on the results of your data protection insights report and any rules you’ve already implemented, and will be surfaced in the admin console. 

Each rule that DLP recommends is a fully realized, ready-to-use rule that is preconfigured to warn users on sharing sensitive data. You can use the rules as they are, or edit the rules to customize them for your organization. The rules will only be enforced when you choose to activate them. 


Who’s impacted 

Admins 


Why it’s important 

Protecting your company’s confidential data is critical. DLP rules can give you control over what users can share, and help prevent the unintended exposure of sensitive information. Your data protection insights report can help identify priority areas to address, but creating, testing, and implementing rules can be time consuming. 

By generating fully realized, ready-to-use rules recommended based on your organization’s specific situation, we aim to make it easier to add controls and help protect sensitive information within your organization. 

The DLP rule performance charts can help you understand rule performance so you can make any necessary adjustments, and help identify where additional investigation is needed, with one-click integration to the investigation tool where available. 

See recommended rules at Admin console > Security > Data protection 

Getting started 

  • Admins: 
    • To see the recommended rules, go to Admin Console > Security > Data Protection. To view the data protection insights report you must be a DLP admin or an admin that received an email invitation to view the report. 
    • Rule suggestions will be enabled by default for all organizations with data protection insights report, but rules will not be enforced unless you choose to activate them. Recommended rules will not be available if data protection insights reports are turned off. 
    • Visit our Help Center to learn more about how to prevent data leaks with DLP recommended rules
  • End users: No end user impact. 

Rollout pace 

Availability 

  • Available to Google Workspace Enterprise Standard and Enterprise Plus customers. 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Education Plus, and Nonprofits, as well as G Suite Basic and Business customers 

Google Workspace Education Plus admins can enable Google Meet recording for users with student licenses

Quick launch summary

We’re adding a new setting for Google Workspace for Education Plus (formerly G Suite for Education) admins that will enable Google Meet recording capabilities for users with Education Plus student licenses. Student licenses are available to customers who purchased Education Plus for their staff. 


When turned on, students can record meetings the same way other users can today. This can be helpful for students who want to review a lesson or class presentation later on. Once turned on, meeting recordings will be automatically saved to the student’s Google Workspace for Education Drive account. 


Getting started 

Rollout pace 

Availability 

  • Available to Google Workspace Education Plus (formerly G Suite for Education) Customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Fundamentals and Nonprofits, as well as G Suite Basic and Business customers 


Resources 

Enhanced admin controls for Gmail IMAP

Quick launch summary

You can now enable Gmail IMAP and Gmail POP separately and enable access via IMAP on a per-app basis in the Admin console.




In addition to granularly allowing mail clients to sync via IMAP and/or POP, there’s also a new option to specify a list of OAuth IDs, which are the approved IMAP clients that your users are allowed to use. For example, you may choose to allow your users to use the default mail app on mobile devices and desktop computers. By default, all IMAP clients will be allowed unless this feature is explicitly enabled. Note that IMAP clients can only be restricted if they support OAuth.

Getting started

  • Admins: This feature will be OFF by default and can be enabled at the domain or organizational unit (OU) level. Visit the Help Center to learn more about turning IMAP options on or off for your organization.
  • End users: There is no end user setting for this feature. End users will only be able to use the allowlisted IMAP clients approved by admin.

Rollout pace

Availability

  • Available to Google Workspace Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Nonprofits, Education, and Enterprise for Education customers
  • Not available to Google Workspace Essentials customers

Resources

New Assured Controls help support your information governance goals

What’s changing 

Today we’re introducing Assured Controls for Google Workspace Enterprise Plus, an add-on that helps customers control cloud service provider access and attain their information governance goals. 


As part of the Assured Controls feature set, we’ll first roll out Access Management. Access Management enables customers to geographically limit Google staff support actions to U.S. Persons within our Support teams. At launch, Access Management will be limited to accesses that are covered by Access Transparency in Gmail, Google Calendar, Google Docs, Google Drive, Google Sheets, and Google Slides, and will only be supported in the U.S. region. To learn more, contact Google Support or your account representative.


Note that we do not access customer data for any reason other than those necessary to provide support services and fulfill our contractual and legal obligations. When Support access is warranted, Access Management helps customers geographically limit that access. 


For more information on this and other Google Workspace Security launches, see our Cloud Blog post and register for our upcoming Google Cloud Security Talk


Who’s impacted 

Admins only 


Why you’d use it 

Some customers in regulated industries, particularly the public sector, have specific requirements related to cloud service provider access to data in the course of customer support interactions. Access Management provides customers with the ability to geographically limit those Google staff support actions. 

As Assured Controls is available on Google Workspace’s native platform, you don’t need to move to a separate environment for access to these restriction capabilities. This can help reduce costs and complexity, while allowing your organization to benefit from the full set of advanced features that Google Workspace offers. 


Getting started 

  • Admins: Once you’ve purchased the Assured Controls add-on, you can assign licenses and manage the feature at Admin Console > Access Management. Users assigned the policy will have any data owned by them restricted to designated U.S. Persons within our support teams. Access Management is surfaced for logging in the Access Transparency logs. To learn more contact Google Support or your account representative 
  • End users: No end user impact. 



Rollout pace 

  • Contact your Google account representative to learn more about availability and timing. 

Availability 

  • Google Workspace Assured Controls is available as an add-on to Google Workspace Enterprise Plus customers only. For more information, contact your Google account representative. 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, and Education Plus, as well as G Suite Basic, Business, and Nonprofits customers 

Resources 

Expanding data regions coverage to Google Drive, Docs, Sheets, and Slides user indices

What’s changing 

Data regions for Google Workspace allows customers to choose a specific geographic location—in the U.S., in Europe, or globally distributed—for their covered data at rest to help meet organizational or compliance needs. We’re now extending data regions coverage to user indices for Google Drive, Docs, Sheets, and Slides for the U.S. data region. 

For more information on this and other Google Workspace Security launches, see our Cloud Blog post and register for our upcoming Google Cloud Security Talk


Who’s impacted 

Admins 


Why you’d use it 

Google Workspace’s globally distributed cloud infrastructure reduces latency and protects data with geo redundancy, so most organizations choose not to geo-restrict their data. If, however, your organization has preferences as to where its data is stored at rest, data regions can help you achieve your compliance goals.

Since launching data region controls in 2018, we’ve continued to make improvements, including the addition of new covered apps and data types in 2019 and expanded coverage and group-based admin controls in 2020. By expanding data regions coverage to Google Drive, Docs, Sheets, and Slides user indices, we hope to better support our customers’ data location preferences and give them greater control. 




Getting started 

  • Admins: Data location is OFF by default and can be enabled at the group or OU level. However, when this launch is rolled out to your domain, Google Drive, Docs, Sheets, and Slides user indices will automatically be migrated to comply with existing U.S. data location policies you’ve set up. Visit the Help Center to learn more about how to choose a geographic location for your data
  • End users: No end user impact. 

Rollout pace 

Availability 

  • Available to Google Workspace Enterprise Plus and Education Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, or Education Fundamentals, or G Suite Basic, Business, or Nonprofits customers 

Resources 

Let Google Calendar automatically book a replacement room for your events

What’s changing

If a room declines your event, Google Calendar can now find a similar room to replace it, automatically.

Who’s impacted

Admins and end users

Why you’d use it

In the past, when a room declined a Calendar meeting, your users may not have noticed until the last minute, leaving them and their guests without a room. This was especially common with recurring meetings, where a room may have declined on some dates but not others.

When this new feature is enabled, your users will save time and effort as Calendar automatically tries to find and book a replacement room that is a similar size, is in the same building, and has the same equipment.


Additional details 

The organizer and guests of the event will receive an email informing them of the newly booked room. Visit the Help Center for more information.




Getting started

  • Admins: This feature will be ON by default and can be disabled at the domain level by going to Admin console > Building and resources > Global Room Settings and deselecting “Automatic room replacement.” Please note that for this feature to work, the setting must be enabled and you must have structured resources added in the Admin console. Make sure your resources are all classified correctly to prevent incorrect room replacements.
  • End users: There is no end user setting for this feature. Visit the Help Center to learn more about automatic room replacement.



Rollout pace

Admin setting
Feature rollout

Availability

  • Available to Google Workspace Essentials, Enterprise Standard, Enterprise Plus, Education Fundamentals, and Education Plus, as well as G Suite Basic, Business, and Nonprofits customers
  • Not available to Google Workspace Business Starter, Business Standard, Business Plus, Enterprise Essentials, as well as G Suite Basic customers

Resources

New option to download third-party apps and domain wide delegation to CSV

Quick launch summary 

Google Workspace customers can set up and manage apps for app access control and domain-wide delegation through the Admin console at Admin console > Security > API Controls. However, for some customers the lists of apps in these sections can be long, which can make it difficult to see and manage the information in the Admin console. 


With this launch, we’re adding new options to download third-party API apps and domain-wide delegated apps to a CSV file. This file will contain all the information that is displayed in the Admin console list. Having the information in CSV format may make it easier to understand and analyze how these apps and features are accessed in your organization. 


Getting started 

  • Admins: You’ll see the option to download app and client info at Admin console > Security > API Controls > App access control or Domain wide delegation. Use our Help Center to learn more about app access control and domain-wide delegation
  • End users: No end user impact. 

Rollout pace 

Availability 

  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits customers 

Resources