Tag Archives: Admin Console

Google Workspace Updates Weekly Recap – December 15, 2023

2 New updates

Unless otherwise indicated, the features below are available to all Google Workspace customers, and are fully launched or in the process of rolling out. Rollouts should take no more than 15 business days to complete if launching to both Rapid and Scheduled Release at the same time. If not, each stage of rollout should take no more than 15 business days to complete.


We have begun enforcing 2-step verification for all admin accounts 
Two-step verification (2SV) is a critical security measure that has been proven to reduce password-based hijacking by more than 50%. We are committed to protecting the security of our users and are taking additional steps to help customers guard against data compromise and prevent account takeovers.

We have begun enforcing 2SV for all admin accounts and will continue this enforcement on an ongoing basis. As of December 2023, this change is already in effect for some customers. When this goes into effect for your organization, you will receive the following notifications:
  • 30 days prior to enforcement in your domain: Super admins will receive various email and in-app notifications informing them of the forthcoming enforcement, encouraging them to verify their admins’ 2SV status. 
  • Once enforcement goes into effect in your domain: All admins will receive email and in-app notifications upon signing into their accounts for the next thirty days. If they do not enable 2SV within this time period, they will be locked out and will need to follow these steps to recover an administrator account.
We highly encourage all administrators to turn on 2SV as soon as possible. Visit the Help Center for more details and further guidance.



Dynamic groups limit increased to 500 
We’re increasing the number of dynamic groups a customer can have from 100 to 500. Dynamic groups are defined as groups whose membership is managed automatically based on specific criteria, such as a user’s department or location. This increase gives admins more flexibility to create dynamic groups as needed and cuts down on manual group management tasks that would otherwise be required. | Rolling out now to Rapid Release and Scheduled Release domains at a gradual pace (up to 15 days for feature visibility). | Available for Google Workspace Frontline Standard, Enterprise Standard and Enterprise Plus, Education Standard and Education Plus, Enterprise Essentials Plus, and Cloud Identity Premium customers only. | Learn more about dynamic groups.


Previous announcements

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


Meet Add-ons SDK available in Developer Preview 
The Google Meet Web Add-ons SDK is available through our Developer Preview Program. Developers can use the SDK to bring their app experience right into Meet. End users can install, open, and collaborate in apps right inside a meeting, either as the meeting focal point, or in the sidebar — all without ever leaving Meet. | Learn more about Meet Add-ons SDK .

Huddly cameras bring continuous framing to Google Meet Series One room kits 
As part of our initiative to bring adaptive framing to Google Meet meeting rooms, we’re proud to announce that you can now access Huddly’s continuous framing capability available as part of the Series One room kit hardware devices. | Available to all Google Workspace customers using Google Meet Series One room kits only. | Learn more about Google Meet Series One.

Record and share your name pronunciation across Google Workspace products 
From your Google account settings, you can now record your name and share its pronunciation with other users. The pronunciation can be played from your profile card across various Google Workspace tools such as Gmail or Google Docs on web or mobile devices. | Available to Google Workspace Business Starter, Business Standard, Business Plus, Essentials Starter, Enterprise Essentials, Enterprise Essentials Plus, Enterprise Standard, Enterprise Plus, Frontline Starter, Frontline Standard, and Nonprofits customers only. | Learn more about name pronunciation. 

Easy access to people, documents, building blocks and more in Google Docs 
When moving to a blank line within your Doc, you will see an “@” button with the option to select, search and insert smart chips, such as people, dates, timers, or files, building blocks, calendar events, groups and more. | Learn more about bringing smart canvas features to the forefront of your workflow

Excuse assignments in Google Classroom 
Teachers can mark an assignment for a particular student as “Excused” instead of giving it a 0-100 score. This will exclude that particular assignment from the student’s overall grade. | Learn more about excusing assignments. 

Introducing interactive questions for YouTube videos in Google Classroom 
Educators can now turn any YouTube video into an interactive lesson by adding questions for their students to answer throughout the video. | Available to Education Plus and the Teaching and Learning Upgrade only. | Learn more about interactive videos. 

Introducing the Bitbucket app for Google Chat 
We’re adding Bitbucket for Google Chat. Bitbucket is a Git-based code and CI/CD tool optimized for teams using Atlassian’s Jira. | Learn more about Bitbucket app for Google Chat. 

Use “Profile Discovery” to display basic information only in search results, available in open beta 
Google Workspace admins can now turn on “Profile discovery” for their users. When turned on, users can customize how they appear across Google products to people who search for them by their phone number or email. Specifically, you can choose how you want your name to be displayed and how your profile picture will be displayed. | Learn more about Profile Discovery.


Completed rollouts

The features below completed their rollouts to Rapid Release domains, Scheduled Release domains, or both. Please refer to the original blog posts for additional details.


Rapid Release Domains: 
Scheduled Release Domains: 
Rapid and Scheduled Release Domains: 

For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).

Use “Profile Discovery” to display basic information only in search results, available in open beta

What’s changing

Google Workspace admins can now turn on “Profile discovery” for their users. When turned on, users can customize how they appear across Google products to people who search for them by their phone number or email. Specifically, you can choose how you want your name to be displayed and how your profile picture will be displayed. 

This feature is available in open beta, which means no additional sign-up is required to use the feature.








In the Admin console, under Directory Settings > Profile editing, you can turn “Profile discovery” on or off for your users.

To help people recognize you, we’ll share basic information needed to confirm your identity. After you interact with someone, they'll typically see your full name, profile picture, and more from your Google Account.




Getting started

Rollout pace



Availability

  • Available to all Google Workspace customers

Resources

Custom notifications for Google Chat data loss prevention rules are now generally available

What’s changing 

Earlier this year, we announced the beta availability for admins to display custom notifications when a Google Chat message is blocked or intercepted based on data loss prevention rules. Beginning today, this feature will become generally available on web and mobile. 


Custom notifications give admins the opportunity to provide their users with more context about why they were blocked from sending a specific message, what they can do to unblock themselves, and include links to additional resources, such as organization guidelines for sensitive data with actionable recommendations. For more information, please reference our original announcement.

Getting started

  • Admins: 
    • Custom notifications can be set per each data protection rule at the domain, Organizational Unit (OU), or group level. 
    • When creating a rule, in Step 4: Actions, under “User Message”, select “customize message”.  Custom notifications can also be applied to existing DLP rules. If admins do not customize the notification, the generic notification will be shown to users.
    • Visit the Help Center to learn more about preventing data leaks from Chat messages & attachments.


  • End users: There is no end user action required. Depending on your admin settings, you’ll see more detailed information if you’re trying to send a Google Chat message that meets conditions defined in a data loss prevention rule.


Rollout pace


Availability

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Standard, the Teaching and Learning Upgrade, Education Plus, and Frontline Standard customers
  • DLP for Chat is also available to Cloud Identity Premium users who are also licensed for Workspace editions that include Google Chat and Audit and investigation. Visit the Help Center for more information. 

Resources


Updated grace periods for resolving policy violations in managed iOS devices

What’s changing 

Ensuring only managed applications can access sensitive information is vital to security. Currently, when admins make a policy change that results in an app going from unmanaged to managed, if a policy violation is detected, a 24-hour grace period is given to users to comply with the change. After this grace period, users will lose the ability to access their Google Workspace account. 


Moving forward, we’re adjusting a few components to how this grace period operates to boost compliance and prevent inadvertent circumvention. Specifically:

Grace Period 

Situation

Next Steps



None 

-The managed apps policy violation is detected during the device enrollment.

-The managed apps policy violation by an app is detected after 24 hrs from the moment the admin changes the policy.

Users will be prompted to install the app from the Google Device Policy app for IOS or they will lose access to Google Workspace.

Visit the Help Center to learn more.


24 hours

The managed apps policy violation by an app is detected within the 24hrs from the moment the admin changes the policy. 



Who’s impacted

Admins and end users


Why it’s important

Improving these safeguards helps ensure that  only managed applications can access sensitive organization information. If the managed applications do not meet the requirements of the access policies set by admins, managed application access to Workspace data is deactivated until users take the proper steps.


Getting started


Rollout pace

Availability

  • Available to Google Workspace Frontline Starter and Frontline Standard, Business Plus, Enterprise Standard and Enterprise Plus, Education Standard and Education Plus; Enterprise Essentials and Enterprise Essentials Plus and Cloud Identity Premium customers

Resources


Turn on snippets for additional context surrounding data loss prevention rule violations

What’s changing 

Admins can now view “Sensitive Content Snippets” for data loss prevention (DLP) rules. This applies to DLP events for Drive, Chat, and Chrome. When turned on, snippets will log the matched content that triggered a DLP violation in the security investigation tool. Admins can use the information captured in the snippet to better identify actual security risks, determine whether a false positive was returned, and decide on an appropriate course of action.

Getting started

  • Admins: 
    • Make sure any admins who need to review the snippets have the "view sensitive content" privilege. Only super admins have the ability to hide or unhide sensitive data.

    • This feature will be OFF by default and can be turned on in the Admin console by going to Security > Data Protection > Data Protection Settings > Sensitive Content Storage.
      • To view snippets in the security investigation tool, select any row from the “Description column” and scroll down to “Sensitive Content Snippets”. Here you’ll see the matched detector ID, the matched content starting character, and the matched content length.

    • Visit the Help Center to learn more about viewing content snippets that trigger DLP rules, using Workspace DLP to prevent data loss, and the security investigation tool.

  • End users: There is no end user impact or action required.

Rollout pace


Availability

  • Available to Google Workspace Frontline Standard, Enterprise Standard and Enterprise Plus, Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus, and Enterprise Essentials Plus customers
  • Also available to Cloud Identity Premium and BeyondCorp Enterprise customers

Resources

Set client-side encryption as the default mode for new emails, events, and files

What’s changing

Admins can now set client-side encryption (CSE) to be on by default for:

  • Newly created Gmail messages, Google Calendar events. 
  • Newly created Google Docs, Sheets, and Slides files.
  • Newly uploaded Google Drive files.

Admins can set client-side encryption as default on for users in Organizational Units (OUs) that regularly handle sensitive data requiring additional encryption. This allows organizations the flexibility to meet their compliance and regulatory requirements and reduce the burden on change management programs. Users are prompted to create a CSE object natively in each app meaning their emails, events and files are encrypted by default with customer-managed keys and are private from Google. For organizations with strict regulatory or sovereignty needs, this can help them close compliance gaps by defaulting users to the preferred mode for handling sensitive data.  

Drive:


Gmail:

This is available on the web initially, with support coming for mobile apps in the future. 

Who’s impacted

Admins and end users


Why it matters

This feature is important for Google Workspace admins as it improves users compliance behavior without sacrificing productivity and increases control for admins implementing data control policies. It also includes improved audit logs, providing more detail for admins compiling regulatory compliance reports.

Workspace already uses the latest cryptographic standards to encrypt data by default, at rest and in transit between our facilities. Client-side encryption goes beyond this, giving organizations authoritative control and privacy as the sole owner of private encryption keys and the identity provider of the encryption keys. It gives organizations higher confidence that any third party, including Google and foreign governments, cannot access their confidential data. Users can continue to collaborate across their preferred apps in Workspace while IT and compliance teams can ensure that sensitive data stays compliant with regulations. 


Getting started

Rollout pace


Availability

  • Google Workspace Assured Controls is available as an add-on to Google Workspace Enterprise Plus customers only. For more information, contact your Google account representative.

Resources


Access Google Vault audit logs alongside other Workspace audit logs

What’s changing

We’re excited to announce the general availability of an improved Google Vault audit log experience. As a result of this change, you can now find Vault audit logs in the Admin console alongside other Google Workspace apps like Gmail, Google Drive, and more. Beginning in January, Vault audit logs can be accessed by the Reports API, which you can use to actively monitor your domain’s Vault usage. We’ll share more information here on the Workspace Updates blog when this functionality becomes available.

Aligning the location and functionality of Vault audit logs with other Workspace apps creates a consistent experience for admins and reduces the need to search for information in various locations. It also enables audit logs in the admin console to be compliant with our new regionalized data processing capabilities.

Additional details

The duration, access and visibility of Vault audit logs will remain the same and will continue to require the “manage audits” permission. The Vault audit logs can be accessed through the Vault reports and matter audits links as well as from the Admin Console. Visit the Help Center to learn more about setting up Vault privileges.


Getting started

  • Admins: Visit the Help Center to learn more about Vault log events.
  • End users: There is no end user impact or action required.


Rollout pace



Availability


  • Available to Google Workspace Business Plus, Enterprise Essentials, Enterprise Essentials Plus, Enterprise Standard, Enterprise Plus, Education Standard, Education Plus customers or customers with the Vault add-on license

Resources


Monitor insider risk of Google Workspace data with Chronicle

What’s changing 

Admins can now more seamlessly integrate their Google Workspace data with Chronicle (Google’s cloud-native Security Operations platform), to quickly detect, investigate and take action on risky activity and threats. Admins can now leverage reduced time spent syncing data from Workspace to Chronicle, as well as Chronicle’s curated preconfigured out-of-the-box detections.




Who’s impacted

Admins

Why it matters 

As an admin, you can already use the Alert Center to view notifications and take action on potentially issues within your domain. Now you can take this a step further by using Chronicle, leveraging its rich risk management capabilities and recommendations:
  • Chronicle can help detect and investigate potential threats at every level of sophistication by monitoring your data in real time. 
  • Data insights are available at your fingertips, with rich context and visualization alongside industry best recommendations, helping you make better decisions faster. 
  • Further, you can deploy Chronicle’s out-of-the-box use cases, helping to cut down on time spent building rules and playbooks. 
  • You can also build and automate repeatable playbooks with full-fledged security orchestration, automation and response capabilities (SOAR).

Getting started


Rollout pace

  • This feature is available now.

Availability

  • Available to Google Workspace Enterprise Standard and Enterprise Plus customers 

Resources


More insights to help admins troubleshoot Google Meet hardware issues

What’s changing 

In 2022, we introduced several improvements for managing Google Meet hardware devices. These improvements included surfacing additional information about device issues, such as a description of the issue, when the issue was detected, and more. Today, we’re taking these improvements one step further by providing admins with even more data points. Specifically, admins will now be able to see the following types of usage data:


Issues: device health problems that are detected and persist over time. This is existing functionality and will continue to include the following issue types:
  • Device offline
  • Missing microphone
  • Missing speaker
  • Missing camera
  • Missing controller
  • Missing display
  • Missing default microphone
  • Missing default speaker
  • Missing default camera
  • Missing default whiteboard camera

Activities: records of how a hardware device is being used at any given time, including:
  • Meet call 
  • Zoom call 
  • Webex call
  • Bring-your-own-device mode [or computer connected]
  • Local present
  • Whiteboard camera present 
  • Peripheral firmware update 


Events: any notable point-in-time occurrence that can be useful for admins looking to troubleshoot issues, including:
  • Operating system update 
  • Feedback filed
  • Restart

Who’s impacted

Admins


Why it matters

The health and functionality of your Meet hardware fleet is critical for connection and collaboration. As such, it’s important that admins have the information and context they need to troubleshoot issues across their fleet. With these additional data points, admins will have even greater insight and context into issues, allowing them to troubleshoot and resolve them faster.


Additional details

Google Meet Hardware devices that do not run ChromeOS (such as Poly X30, X50, X70) will only support activity data for Meet calls at this time.


Getting started



Rollout pace


Availability

  • Available to all Google Workspace customers with Google Meet hardware devices

Resources

Updates for managing iOS devices: user enrollment is now supported; purchase and distribute apps using the Apple Volume Purchase program

What’s changing 

We’re expanding mobile device enrollment options for iOS devices to include user enrollment. User enrollment separates work and personal data on iOS devices, giving admins control over Workspace data on the device while users retain privacy over their personal data. 


Additionally, admins can use the Apple Volume Purchase Program (VPP) to purchase and disturbed apps in bulk to user-enrolled iOS devices in their organization. 


Who’s impacted 

Admins and end users 


Why you’d use it 

Managing how Workspace data is accessed is a cornerstone of security. The new user enrollment option ensures end users can keep their personal data separate from their work data, while admins can ensure their users are using and accessing apps appropriately. 


Using the VPP, admins can efficiently curate a suite of work-related apps—both free and paid—for their team. This streamlined process not only simplifies the deployment of essential business apps but also ensures that employees have access to the right apps they need to be productive and efficient, all within the secure perimeter of our MDM platform.


Getting started

Admins: 
  • Volume Purchasing Program:
    • To begin, admins need to access Apple’s volume purchasing program with their Business Manager credentials. Through the VPP, admins can purchase app licenses that can be distributed to their employee’s devices in bulk. 

From the Apple Business Manager, you can purchase app licenses in bulk.


Once purchased, admins will need to download the content token, which needs to be uploaded into the Admin console.


VPP tokens can be uploaded in the Admin console at Devices > Mobile and endpoints > iOS settings > Apple Volume Purchase Program (VPP).


For complete instructions, use this Help Center about distributing iOS apps with Apple VPP and applying settings for iOS devices.

  • End users:

The user enrollment process starts when a user signs-in to an app for the first time or re-signs into an app. They’ll be prompted to begin downloading the configuration profile, which will open in an internet browser with more instructions and information. Once the profile has been downloaded, the user will be directed to their devices settings to complete user enrollment.




Rollout pace


Availability

  • Available to Google Workspace Enterprise Plus, Enterprise Standard, Enterprise Essentials, Enterprise Essentials Plus, Frontline Standard, Frontline Starter, Business Plus, Cloud Identity Premium, Education Standard, Education Plus and Nonprofits customers

Resources