Tag Archives: identity

Enhanced desktop security for Windows is now available for Google Workspace Business Plus customers

Quick launch summary

Google Workspace Business Plus customers can now manage and secure Windows devices through the Admin console, just as you do for Android, iOS, Chrome, and Jamboard devices. Now, Business Plus Admins can:

  • Set Windows policies in the Admin console to ensure that all Windows 10 devices used to access Workspace are updated, secure, and compliant with organizational policies.
  • Perform admin actions, such as wiping a device and pushing device configuration updates, on Windows 10 devices from the cloud without connecting to the corporate network.

See our previous announcement for more details on the Windows 10 management features and benefits and the Help Center to learn more about enhanced desktop security for Windows.

Rollout pace

  • This feature is available now.


Apply context-aware access policies to mobile and desktop applications

What’s changing 

Admins can now assign existing or new context-aware access levels to Google desktop and mobile applications. 

Applying context-aware access levels to mobile and desktop applications


Who’s impacted 

Admins and end users 



Why it’s important 

With context-aware access, you can set up different access levels based on a user’s identity and the context of the request (location, device security status, IP address). Expanding these policies to other Google Workspace entry points—such as the Google Drive for desktop app or using Gmail on a mobile browser—gives admins greater control over how, when, and where users can access Workspace resources. 




Automate unmanaged account onboarding with the User Invitation API beta

What’s changing


We’re adding a User Invitation API to the Cloud Identity API. This new API allows you to identify and manage unmanaged accounts.

Unmanaged accounts are users with consumer Google accounts that share your organization's email address. The API enables you to manage these accounts at scale and to automate sending invites to these users to transfer their account to a managed state.

The User Invitation API is initially available as an open beta, which means you can use it without enrolling in a specific beta program. See our documentation to learn more about how to use the API.


Who’s impacted 

Admins 


Why you’d use it 

Unmanaged accounts occur when a user registers for a personal Google account using an email address that matches your domain. These accounts generally exist because a user has previously signed up for a personal Google Account using their work or educational email address. 

If your organization then signs up for Google Workspace or Cloud Identity and attempts to provision a managed account with the same primary email address, the conflict needs to be resolved. 

Previously, you could only manage these existing accounts via the Admin console. The User Invitation API provides another option which can help automate resolution of these conflicts, and can make it easier to manage these conflicts at scale. 


Rollout pace 

  • This feature is available now for all users in beta. 

Availability 

  • Available to all Google Workspace customers, G Suite Basic and Business customers, and Cloud Identity customers 

Automatic group membership management with dynamic groups, now generally available

Quick launch summary 

Dynamic groups are now generally available. Dynamic groups work the same as other Google Groups, but with the added benefit that their memberships are automatically kept up to date with a membership query. Dynamic groups can be based on one or many user attributes, including addresses, locations, organizations, and relations. 


By automating membership management you can increase security, reduce errors, and alleviate user frustration while minimizing the burden on admins. 


See our beta announcement for more details and example use cases for dynamic groups. Note that at launch, you won’t be able to manage policies—like context-aware access policies—using dynamic groups. We are working on adding this functionality in the future, and will announce it on the Workspace Updates blog when it’s available. 


This joins our other recent announcements for features that make it easier to manage groups within your organization. You can now also assign groups as security groups, set group membership expiration, and see indirect membership visibility and membership hierarchies via API. We hope these features make it easier to use groups to meet the access, security, and communication needs of your organization. 


Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Plus, and Cloud Identity Premium customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, and Education Fundamentals, or G Suite Basic, Business, and Nonprofits customers 

Security groups now generally available

Quick launch summary 

We’re making security groups generally available. Security groups help you easily regulate, audit, and monitor groups used for permission and access control purposes by simply adding the security label. See our beta announcement for more details and use cases for security groups.

We’ve recently announced several other features that can help you better manage groups in your organization and improve your security posture. These include group membership expiration and the indirect membership visibility and membership hierarchy APIs.


Availability 

  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Standard and Enterprise Plus customers, as well as G Suite Basic, Business, Education, Enterprise for Education and Nonprofits customers 

Group membership expiration now generally available

Quick launch summary 

The Cloud Identity Groups API feature that enables you to set expirations for group memberships is now generally available. It was previously available in beta.


This enables admins to set an amount of time that users and service accounts are members of a group. Once the specified time has passed, users will be removed from the group automatically. Automatic membership expiration can help reduce the administrative overhead for managing groups, and can help ensure group membership is limited to the members that need access. 
This launch is another enhancement to the Cloud Identity Groups API. We recently also made the indirect membership visibility and membership hierarchy APIs generally available. Together, these make it easier to manage permissions and access control in your organization. 


Availability 

  • Available to Google Workspace Enterprise Standard and Enterprise Plus, as well as G Suite Enterprise for Education and Cloud Identity Premium customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, and Enterprise Essentials, as well as G Suite Basic, Business, Education, and Nonprofits customers 

Indirect membership visibility and membership hierarchy APIs now generally available

Quick launch summary 

We’re making it easier to identify, audit, and understand indirect group membership via the Cloud Identity Groups API. Specifically, we’re making the membership visibility and membership hierarchy APIs generally available. These were previously available in beta. 

Using “nested” groups to manage access to content and resources can help decrease duplication, simplify administration, and centralize access management. However, nested groups can create a complex hierarchy that can make it hard to understand who ultimately has access and why. These APIs help provide all of the information you need to understand complex group structures and hierarchies, and can help you make decisions about who to add to or remove from your groups. 

See our beta announcement for more information and use cases for the APIs.


Availability 

  • Available to Google Workspace Enterprise Standard and Enterprise Plus, as well as G Suite Enterprise for Education and Cloud Identity Premium customers. 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, and Enterprise Essentials, as well as G Suite Basic, Business, Education, and Nonprofits customers 

Deploy and manage Google Credential Provider for Windows via the Admin console

What’s changing 

You can now deploy and manage Google Credential Provider for Windows (GCPW) in the Admin console. Previously, you had to edit registry entries to manage GCPW. The new, organization-specific installation file and setting management in the Admin console makes it easier to deploy and manage GCPW in your organization. 


Who’s impacted 

Admins 


Why you’d use it 

GCPW is an aspect of Enhanced desktop security for Windows that makes using Windows 10 devices with Google Workspace easier and more secure. Once set up, users can: 
  • Sign in to a Microsoft Windows 10 device using their Google Workspace Account. 
  • Take advantage of security protections on Windows 10 devices, including 2-step verification (2SV) and login challenges. 
  • Access Google Workspace and other single sign-on (SSO) apps without the need to re-enter their credentials. 
With this launch, you can configure and manage GCPW in the Admin console instead of in each device’s registry settings. This can make setting up and updating GCPW deployments less manual and time-consuming, especially if you don’t have standard software deployment tools.


Additional details 

Device setup and management: To set up GCPW on a new device, download a GCPW installation file customized for your company from the Admin console. After GCPW is installed, you can manage GCPW settings in the Admin console. When a user signs in to a device managed with GCPW, GCPW fetches and applies the settings from the Admin console. GCPW settings in the Admin console may take up to one hour to be applied on the device. If you already installed GCPW on a device, you can set a token to manage GCPW from the Admin console.

Settings available in the Admin console: You can manage most of the settings in the Admin console that you can in registry settings, including offline access, multiple account management, and more. 

Working with existing registry settings: Admin console settings supersede registry settings. To continue to use registry settings instead of Admin console settings, leave GCPW settings in the Admin console as “not configured.” 



Availability 

  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits customers. 

Use Secure LDAP to log into MacOS with Google credentials

Quick launch summary 

You can now use Secure LDAP on MacOS devices. Once enabled, users can log in to MacOS devices with their Google Workspace or Cloud Identity login credentials. 

This can help simplify access management by using a single directory—the Workspace identity and access management (IAM) platform—to manage access to MacOS devices. In turn, this can help improve security by providing a single place to set up identity and access policies, and reduce your dependency on legacy identity infrastructure. 


Availability 

  • Available to Google Workspace Business Plus, Enterprise Standard, and Enterprise Plus, G Suite Education and Enterprise for Education, and Cloud Identity premium customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Enterprise Essentials, as well as G Suite Basic, Business, and Nonprofits customers 

Make specific applications exempt from session length policy

What’s changing 

Last year, we launched an open beta that enabled Cloud Identity admins to configure a session length (a.k.a. “reauth”) for Google Console and Cloud SDK. Now, we’re enhancing session length controls by allowing you to exempt specific applications from the reauth policy. We hope this will make it easier to roll out this feature in your domain. 


Who’s impacted 

Admins 


Why you’d use it 

The Google Cloud session control feature applies a session length to Google’s own GCP admin tools, as well as customer-owned and third-party applications that use the cloud-platform scope. When the configured session length expires, the application will require the user to reauthenticate to continue operating, analogous to what would happen if an admin revoked the refresh tokens for that application. The reauthentication requirement can help reduce unauthorized access to sensitive data. 

We heard your feedback that there are some scenarios that make it difficult to roll this out. For example, some applications do not gracefully handle the reauth scenario, causing confusing application crashes or stack traces. Some other applications are deployed for server-to-server use cases with user credentials instead of the recommended service account credential, in which case there is no user to periodically reauthenticate. Customers impacted by these scenarios are unable to roll out session controls to any applications as it will cause these apps to work improperly. 

This update allows you to add these apps to a trusted list, temporarily exempting the apps from session length constraints, while implementing session controls for all other GCP admin surfaces. 

The previous session control settings page in the Admin console 

The new session control settings page in the Admin console. Note the new “Exempt trusted apps” checkbox. 

Getting started 

  • Admins: This feature will be OFF by default and can be enabled manually using the “Exempt Trusted apps” setting. For more information on how to review the apps currently requiring cloud-platform scopes, and how to add those apps to the Trusted list, visit our Help Center.
  • End users: There is no end user setting for this feature. 

Availability 

  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits, and Cloud Identity customers
