Tag Archives: Admin Console

Set a custom time period for messages to automatically be deleted in Google Chat

What’s changing

For select Google Workspace editions, admins can now define a duration after which their users' messages in Google Chat will be deleted automatically. This can apply to messages in 1:1 conversations, group conversations, and spaces — time periods can be assigned for each message type. Note that this retention period only applies to messages sent when history is enabled. The auto-deletion timeframe can range from 30 days to several years.





Who’s impacted

Admins and end users


Why it’s important

Currently, admins have limited control over the history duration of conversations in Google Chat: with history off, messages are deleted after 24 hours; with history on, messages remain visible for indefinite time, unless proactively deleted by Vault Retention policy or proactively deleted by user by user.

This update gives admins more granular control over how long their users can see messages in conversations. For end user practicality, this helps unclutter conversations, while complying with retention requirements (if a retention policy is applied). If you’re using the Auto Deletion policy combined with a Vault Retention Policy, the Vault policy prevails. For more information, see this article in our Help Center.


Getting started


Rollout pace


Availability

  • Available to Google Workspace Business Plus, Enterprise Standard, Enterprise Plus, Education Standard, and Education Plus customers.

Resources


New Alert Center notifications for Apple push certificates

What’s changing 

The Apple Push Notification Service (APNS) certificate is a critical component for advanced mobile management for iOS devices. This certificate expires yearly and requires manual renewal. If you don't renew the certificate, your organization’s iOS devices will not be able to access Google Workspace applications after the certificate expires. To help you stay on top of their renewal period and take action in a timely manner, we will: 

Notify you via the Alert Center and email when: 
  • Your certificate is 30, 10, and 1 day from the date of expiration. 
  • Your certificate has expired. 








Getting started 

  • Admins: 
  • End users: There is no end user impact or action required.


Rollout pace 


Availability 

  • Google Workspace Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, The Teaching and Learning Upgrade, Education Fundamentals, Frontline, and Cloud Identity Premium customers 

Resources 

Expanding admin privileges for Google Meet hardware devices

What’s changing 

We’re increasing the number of admin privileges for Google Meet hardware devices from three to twelve. This gives admins more ways to delegate admin roles and access as it pertains to device data and management within the Admin console. 

Previous Google Meet hardware privileges





Updated Google Meet hardware privileges






Why it’s important 

Previously, admins had limited ability to restrict access to Google Meet hardware data and functionality in the Admin console to their delegated admins. Aside from the most recently added enrollment privilege, access could otherwise only be granted with or without calendar assignment functionality—no further customization was possible. 

Some of the new privileges include the ability to: 
  • View devices: Admins get read-only access to device data, including issue history and fleet data export functionality; required to be able to access pages hosting functionality in many other privileges (including Manage calendar assignment, Perform actions and its child privileges, and Deprovision Google Meet hardware).
  • Manage organizational unit settings: Admins can edit Google Meet hardware settings controlled at the organizational unit-level and move devices between organizational units 
  • Manage device meetings: Admins can connect to a meeting remotely and mute or hang up an active call 

A full list of new roles, with descriptions, can be found in our Help Center

Additionally, two of the existing hardware privileges have been renamed for clarity within the new privilege structure: 
  • Google Meet hardware with Calendar is now Manage Google Meet hardware and calendars.
  • Google Meet hardware without Calendar is now Manage Google Meet hardware.
Admins who have already been assigned existing privileges will not experience any functional changes – the privilege will remain assigned but with the updated name. 


Getting started 

  • Admins: Admins who wish to use this new functionality to provide more limited access will need to create a custom role (create, edit, and delete custom admin roles) with the specific Google Meet hardware privileges they wish to assign to a delegated admin. Existing admins already assigned privileges will not be affected. 

Rollout 


Availability 

  • Available for all Google Meet hardware customers. 

Resources

Assign admin roles to specific groups

What’s changing 

Scale and secure your role-based access controls (RBAC) practice on Workspace by leveraging a new capability for role assignments to groups. You can now assign admin roles to groups in addition to or instead of individual users. For example, you can assign the service admin role to an existing group that contains all of the IT admins in your organization. 

Currently, there is a limit of 500 role assignments— since groups can contain unlimited members, this gives you more flexibility to manage roles as needed. This is particularly helpful for larger organizations, allowing them to pare down their role assignments without exceeding the limits

Also, roles assigned to groups will automatically reflect changes in underlying membership of the group. This allows admins to manage role assignments at a higher-entity level vs adding/removing end-users one at a time to maintain updated privileges.




Getting started


Rollout pace


Availability

  • Available to all Google Workspace customers, as well as legacy G Suite Basic and Business customers
  • Available to Google Cloud Identity Premium customers

Resources


Fine tune access to data with additional options for Access Approvals

What’s changing 

In 2022, we introduced Access Approvals, which enables customers to control when Google support personnel can access specific data during support and general maintenance. Beginning today, we’re introducing additional options that provide customers even more control over these data interactions: 
  • Specify: Google support personnel can indicate which specific product data they need access to - for example: Gmail data only, instead of all Workspace Data. 
  • Access duration: Specify a time limit wherein data can be accessed. 
  • Control: Revoke previously granted access if no longer applicable. 
  • Context: Denote the reason an access request was approved or denied, or why a previously approved request was revoked, to streamline the process for future requests.




Who’s impacted

Admins


Why it’s important

We know it’s essential that our customers have visibility and control over their systems and data and how they’re accessed by any third party, including Google. Introducing additional controls for our customers helps ensure that their data is accessed in an explicitly consensual manner that best suits the needs of their business.


Read more about Sovereign Controls for Google Workspace, Client-side encryption, data regions, and Access Management capabilities, for more information on how we provide our customers solutions to reach their digital sovereignty goals. 


Getting started

Rollout pace



Availability

  • Access Approvals is part of Google Workspace Assured Controls, which is available as an add-on for Google Workspace Enterprise Plus customers only. For more information, contact your Google account representative. 

Resources


Improve search results with Personalization Boost and Click Boost for Cloud Search

What’s changing 

To help you find relevant documents faster, we’re introducing user personalization boost and click boost for the Cloud Search API. These boosts tailor search results based on the way users interact with search results: documents that have been clicked on by the user in the past, or clicked on by other users for similar queries, will rank higher in search results.


Getting started

  • Admins and developers: The feature is available by default. Use this guide to learn more about the use of personalization boost and click boost in Cloud Search ranking.
  • End users: There is no end user action required — when configured by your admin, you’ll automatically see more personalized, relevant search results.

Rollout pace

  • This feature is available now.

Availability

  • Available to Google Cloud Search Customers

Resources


Admins can install Chat apps for use in direct messages

What’s changing

Google Chat apps integrate with productivity tools, enable you to collaborate with others, and can also help automate your work. Previously, to start using an app in Chat, users had to individually install apps as described here

Starting this week, admins can install Chat apps for direct messages on behalf of users within their domain from the Workspace Marketplace. Users will automatically see when an app has been enabled, eliminating the need to manually install the app themselves. 

Admins can deploy Chat apps as they see fit: to an entire domain, OU, or group of users using the Workspace Marketplace apps management controls

Who’s impacted 

Admins 

Why you’d use it 

This feature enables admins to provide their users with instant access to the Chat integrations they need for their workflow within an organization. 

Getting started 

Rollout pace 


Availability 

  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Plus, Education Standard, the Teaching and Learning Upgrade, Frontline, and legacy G Suite Basic and Business customers 
  • Not available to Nonprofits 
  • Not available to users with personal Google Accounts 

Resources 

Add or remove client-side encryption from a Google Doc

What’s changing 

You can now choose to add client-side encryption to an existing document or remove it from an already encrypted document (File > Make a copy > Add/Remove additional encryption). This update gives you the flexibility to control encryption as your documents and projects evolve and progress.



Getting started

Rollout pace


Availability

  • Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers

Resources


Google Workspace Updates Weekly Recap – March 17, 2023

New updates 

There are no new updates to share this week. Please see below for a recap of published announcements. 


Previous announcements

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


Introducing new space manager capabilities in Google Chat
Space managers now have additional capabilities to ensure effective conversations take place in spaces: space configuration, member management, and conversation moderation. | Learn more.

External label for Google Meet participants
“External” labels will be available in Google Meet. Users will see a label in the top-left corner of their meeting screen indicating that participants who are external to the meeting host’s domain have joined the meeting. In the people panel, external participants will be denoted with the same icon. | Learn more.

Provide custom Google Meet background images for your users
Admins can now provide a set of images for the background replace feature in Google Meet. This will enable users to easily select an image that properly represents their company's specific brand and style. | Learn more

Improving your security with shorter Session Length defaults
To further improve security for our customers, we are changing the default session length to 16 hours for existing Google Cloud customers. Note that this update refers to managing user connections to Google Cloud services (e.g. Google Cloud console), not connections to Google services (e.g. Gmail on the web). | Learn more



Completed rollouts

The features below completed their rollouts to Rapid Release domainsScheduled Release domains, or both. Please refer to the original blog post for additional details.


Rapid Release Domains:
Scheduled Release Domains:
Rapid and Scheduled Release Domains:

Improving your security with shorter Session Length defaults

What’s changing 

To further improve security for our customers, we are changing the default session length to 16 hours for existing Google Cloud customers. Note that this update refers to managing user connections to Google Cloud services (e.g. Google Cloud console), not connections to Google services (e.g. Gmail on the web). 


For existing customers who have session length configured to Never Expire, we are updating the session length to 16 hours. See below for more information. 




Who’s impacted 

Admins, end users, and developers 


Why you’d use it 

Many apps and services can access sensitive data or perform sensitive actions. Because of this, managing session length is foundational to cloud security and compliance. It ensures that access to the Google Cloud Platform is finite after a successful authentication, which helps deter bad actors should they gain access to credentials or devices.


Additional details 

Google Cloud session controls 
For existing customers who have session length configured to Never Expire, we are updating the session length to 16 hours. This ensures customers do not mistakenly grant infinite session length to users or apps using Oauth user scopes. After the session expires, users will need to re-enter their login credentials to continue their access. This impacts the following: 

Settings can be customized for specific organizations, and will impact all users within that org. This is a timed session length that expires the session regardless of the user's activity. When choosing a session length, admins have the following options:
  • Choose from a range of predefined session lengths, or set a custom session length between 1 and 24 hours. 
  • Configure whether users need just a password, or require a Security Key to re-authenticate.


Third-party SAML identity providers and session length controls 
If your organization uses a third-party SAML-based identity provider (IdP), the cloud sessions will expire, but the user may be transparently re-authenticated (i.e. without actually being asked to present their credentials) if their session with the IdP is valid at that time. This is working as intended, as Google will redirect the user to the IdP and accept a valid assertion from the IdP. To ensure that users are required to re-authenticate at the correct frequency, evaluate the configuration options on your IdP and review the Help Center article to Set up SSO via a third party Identity provider.


Trusted applications
Some apps are not designed to gracefully handle the re-authentication scenario, which can cause confusing app behavior. Other apps are deployed for server-to-server purposes via user credentials — because they don’t require service account credentials, they are not prompted to periodically re-authenticate.

If you have specific apps like this, and you do not want them to be impacted by session length reauthentication, the org admin can add these apps to the trusted list for your organization. This will exempt the app from session length constraints, while implementing session controls for the rest of the apps and users within the organization.


Getting started

  • Admins: For customers who have their session length set to "Never Expire", your session length will reset to 16 hours. It can be turned off or modified at the OU level. Visit the Help Center article to learn how to set session length for Google Cloud services for your organization.  
  • End users: If a session ends, users will simply need to log in to their account again using the familiar Google login flow. 

Rollout pace

Availability

  • Available to all Google Workspace and Cloud Identity customers, as well as legacy G Suite Basic and Business customers