Tag Archives: Security and Compliance

Updates for managing iOS devices: user enrollment is now supported; purchase and distribute apps using the Apple Volume Purchase program

What’s changing 

We’re expanding mobile device enrollment options for iOS devices to include user enrollment. User enrollment separates work and personal data on iOS devices, giving admins control over Workspace data on the device while users retain privacy over their personal data. 


Additionally, admins can use the Apple Volume Purchase Program (VPP) to purchase and distribute apps in bulk to user-enrolled iOS devices in their organization. 


Who’s impacted 

Admins and end users 


Why you’d use it 

Managing how Workspace data is accessed is a cornerstone of security. The new user enrollment option ensures end users can keep their personal data separate from their work data, while admins can ensure their users are using and accessing apps appropriately. 


Using the VPP, admins can efficiently curate a suite of work-related apps—both free and paid—for their team. This streamlined process not only simplifies the deployment of essential business apps but also ensures that employees have access to the right apps they need to be productive and efficient, all within the secure perimeter of our MDM platform.


Getting started

Admins: 
  • Volume Purchasing Program:
    • To begin, admins need to access Apple’s Volume Purchase Program with their Business Manager credentials. Through the VPP, admins can purchase app licenses that can be distributed to their employees’ devices in bulk. 

From the Apple Business Manager, you can purchase app licenses in bulk.


Once purchased, admins will need to download the content token, which needs to be uploaded into the Admin console.


VPP tokens can be uploaded in the Admin console at Devices > Mobile and endpoints > iOS settings > Apple Volume Purchase Program (VPP).


For complete instructions, see the Help Center articles about distributing iOS apps with Apple VPP and applying settings for iOS devices.

  • End users:

The user enrollment process starts when a user signs in to an app for the first time or signs in to an app again. They’ll be prompted to download the configuration profile, which opens in a web browser with further instructions and information. Once the profile has been downloaded, the user is directed to their device settings to complete user enrollment.




Rollout pace


Availability

  • Available to Google Workspace Enterprise Plus, Enterprise Standard, Enterprise Essentials, Enterprise Essentials Plus, Frontline Standard, Frontline Starter, Business Plus, Cloud Identity Premium, Education Standard, Education Plus and Nonprofits customers

Resources




Understand the impact of Context-Aware Access policies with Monitor Mode

What’s changing 

Admins can now use Monitor Mode to understand the implications of a Context-Aware Access (CAA) policy before deploying it to their end users. Monitor Mode will not block end users. Instead, it shows how the policy would block user access over time, which admins can review in the CAA audit logs. Monitor Mode is available for Google Workspace, other Google apps, and third-party SAML apps.

Applying Monitor Mode to context-aware access policies

Monitor Mode reports


Who’s impacted

Admins


Why you’d use it 

Before assigning Context-Aware Access levels, it’s critical for admins to understand the impact this will have on their end users. Monitor Mode helps admins fully understand the end-user impact before deploying a policy in active mode, which helps avoid disruptions and lets admins make more informed decisions about their security strategy. 


Getting started


Configure Android zero-touch devices directly from the Admin console

What’s changing 

We’re integrating the Android Zero-Touch iFrame with the Admin console for a better, more seamless experience for admins. Zero-Touch devices are devices which have been purchased from Zero-Touch resellers and used in company owned mode. 

Directly from the admin console, admins will be able to: 
  • Set Google Workspace provided configurations for zero-touch devices. 
  • Link Workspace accounts with zero-touch accounts, ensuring devices will always enroll under Google endpoint management. They’ll also have the ability to unlink accounts if needed. Note that one Workspace account can be linked to multiple zero-touch accounts, but a zero-touch account can be linked to only one Workspace account.
In the Admin console, navigate to Devices > Mobile & endpoints > Settings > Enrollment > Android Zero touch 



Who’s impacted

Admins


Why you’d use it 

This update makes it easier for admins to specify a zero-touch configuration for their company-owned devices directly from the Admin console. For enterprise mobility management partners (EMMs), it also minimizes the number of Google APIs and portals they need to interact with. Zero-touch devices will always enroll an account according to the GEM provided configuration — users cannot bypass this, even if they factory reset the device.

We strongly recommend that you continue to use the Zero-Touch customer portal if you need to:
  • View a list of your zero-touch company owned devices
  • Create more than one custom configuration
  • Set or remove configurations from a device

Getting started


Admins: 

Rollout pace


Availability

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; Enterprise Essentials and Enterprise Essentials Plus, Frontline Starter and Frontline Standard customers.
  • Available to Cloud Identity Premium customers.

Resources


Configure and bind multiple Android Enterprise Mobility Management providers

What’s changing 

You can now bind multiple Android enterprise mobility management providers (EMM) to your Google Workspace account. Previously, you could only bind a single EMM within your organization. This update gives you more control over how devices in your organization are managed. Specifically, it offers: 


More flexibility: You can choose the right EMM for each user group in your organization. For example, you can use one EMM for engineers and another for retail staff. 


Enhanced control: You can now have multiple instances of the same EMM provider, for example a cloud instance and an on-premise instance, to manage different sets of users. 


Easier migrations: You can now run multiple EMMs in parallel, allowing you to perform phased migrations from an old EMM to a new EMM over time.



Additional details


Private apps
We strongly recommend that admins familiarize themselves with how binding multiple EMMs will impact availability of private apps. You can find more information in our Help Center regarding creating web apps and distributing private apps.


Google Play store
If you’re binding multiple EMMs to a Google Workspace or Cloud Identity account, you must use your EMM iframe, not play.google.com/work, to access the managed Google Play store.

Getting started


Rollout pace

  • This feature is available now for all users.

Availability


  • Available to all Google Workspace customers.


Resources

Google Workspace Updates Weekly Recap – September 29, 2023

3 New updates 

Unless otherwise indicated, the features below are available to all Google Workspace customers, and are fully launched or in the process of rolling out. Rollouts should take no more than 15 business days to complete if launching to both Rapid and Scheduled Release at the same time. If not, each stage of rollout should take no more than 15 business days to complete.

Improved paste values experience in Google Sheets 
Previously, when pasting a number in Google Sheets using Paste special > Values only, the content pasted was only the text from the original range of cells. For example, for the date 9/21/2023, paste values only would paste the date serial number of 45190. To improve upon this feature, the default for paste values for numbers will include values and the number format, meaning all of your numbers will retain their formatting as you are working in Sheets. | Available now to all Google Workspace customers and users with personal Google Accounts. 
Different certificates for signing and encrypting messages in Gmail 
If your organization uses different certificates for signing and encrypting messages, you can now use the Gmail CSE API to upload different encryption and signature public certificates for each user. | Rolling out to Rapid Release domains now; launch to Scheduled Release domains planned for October 9, 2023. | Available to Google Workspace Enterprise Plus, Education Plus, and Education Standard customers. | Visit the Help Center to learn more about using the Gmail CSE API to manage user certificates.


Allow certificate mismatches for client-side encrypted messages 
In some cases, the email address associated with a user’s certificate might be different from their primary email address — this is known as a certificate mismatch. Admins can now opt to allow certificate mismatches, which means their end users will be able to decrypt and read messages with a mismatch. Note that we recommend allowing certificate mismatches only when this feature is absolutely required for your organization. | Rolling out to Rapid Release domains now; launch to Scheduled Release domains planned for October 9, 2023. | Available to Google Workspace Enterprise Plus, Education Plus, and Education Standard customers. | Visit the Help Center to learn more about allowing certificate mismatches for client-side encrypted messages in Gmail.


Previous announcements

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


Create, modify, and insert email templates within Groups messages 
When you’re using Groups to send messages, you can save a composed message as a template to reuse in the future. | Learn more about email templates within Groups messages

Additional space manager capabilities in Google Chat 
We’re adding two new controls to the list of space manager capabilities in Google Chat that were introduced earlier this year to ensure effective conversations take place in spaces. The new “Manage apps” and “Manage webhooks” options will allow space managers to control the ability of space members to add and remove apps and webhooks to a space. | Learn more about new space manager capabilities

Easily link to a specific message in Google Chat 
Building upon the recent updates in Google Chat, such as message views, in-line replies and larger spaces, we’re introducing message linking, an additional feature that helps teams collaborate more effectively. | Learn more about message linking

Easily add or remove groups of members to a space in Google Chat 
We’re introducing a new app for Google Chat called Bulk Member Manager that enables space managers and space members, who have permission to manage members, to easily add or remove members to or from a space in bulk. | Learn more about the Bulk Member Manager app

The next phase of digital whiteboarding for Google Workspace 
In late 2024, we will wind down the Jamboard whiteboarding app as well as continue with the previously planned end of support for Google Jamboard devices. | This update impacts all Google Workspace customers who use the Jamboard app or 55-inch Jamboard device. | Learn more about the winding down of the Jamboard whiteboarding app

Updates regarding the transition from spaces organized by topic to in-line threading in Google Chat 
In 2022, we introduced in-line threading for Google Chat and since March 2023, all newly created spaces in Google Chat are in-line threaded by default. On September 30, 2023, we will begin taking the next step toward a single, streamlined flow of conversation in Google Chat: all existing spaces organized by conversation topic will be upgraded to the in-line threaded experience. We’d like to share more information regarding the migration, what to expect, as well as what’s next for Google Chat. | Learn more about in-line threading in Google Chat

Client-side encryption in Gmail is now available on mobile devices 
We’re expanding client-side encryption in Gmail to Android and iOS devices, so you can read and write encrypted messages directly from your device. | Learn more about client-side encryption in Gmail on mobile devices.

Beginning September 30, 2024: third-party apps that use only a password to access Google Accounts and Google Sync will no longer be supported 
Google Workspace will no longer support the sign-in method for third-party apps or devices that require users to share their Google username and password. | Learn more about Access to Less Secure Apps (LSA).



Completed rollouts

The features below completed their rollouts to Rapid Release domains, Scheduled Release domains, or both. Please refer to the original blog posts for additional details.

Rapid Release Domains:



Beginning September 30, 2024: third-party apps that use only a password to access Google Accounts and Google Sync will no longer be supported

What’s changing 

As part of our commitment to user safety, Google Workspace will no longer support the sign-in method for third-party apps or devices that require users to share their Google username and password. This antiquated sign-in method, known as Less Secure Apps (LSAs), puts users at additional risk because it requires sharing Google Account credentials with third-party apps and devices, which can make it easier for bad actors to gain unauthorized access to your account. 


Instead, you’ll need to use the Sign in with Google option, which is a safer and more secure way to sync your email to other apps. Sign in with Google uses the industry-standard, more secure OAuth method of authentication already used by the vast majority of third-party apps and devices. 


We previously announced this change in 2019, and are now ready to share an updated timeline regarding this change:


Access to Less Secure Apps (LSA) will be turned off in two stages: 
  1. Beginning June 15, 2024:
    • The LSA settings will be removed from the Admin console and can no longer be changed. Enabled users can connect during this time, but disabled users will no longer be able to access LSAs. This includes all third-party apps that require password-only access to Gmail, Google Calendar, Contacts via protocols such as CalDAV, CardDAV, IMAP, SMTP, and POP. 

    • The IMAP enable/disable settings will be removed from users’ Gmail settings.

    • If you’ve been using LSAs prior to this date, you can continue using them until September 30, 2024.

  2. Beginning September 30, 2024:

As part of this change, Google Sync will also be sunsetted: 
  • Beginning June 15, 2024: New users will not be able to connect to Google Workspace via Google Sync.
  • September 30, 2024: Existing Google Sync users will not be able to connect to Google Workspace. Here is how you can transition your organization off Google Sync. To find Google Sync usage in your organization, please go to the Admin Console, navigate to Devices > Mobile & Endpoints > Devices, and filter by Type: Google Sync.


See below for more specific guidance for admins, end users, and developers regarding this change.


Who’s impacted

Admins and end users


Getting Started

Admins
Preparing your end users
In order for your end users to continue using these types of apps with their Google Workspace accounts, they must switch to a more secure type of access called OAuth. You’ll receive more information via email with affected users in your organization in the coming months. We recommend that you share the user instructions (included below) to help them make the necessary changes. 


Mobile Device Management (MDM) Impact
If your organization uses a mobile device management (MDM) provider to configure IMAP, CalDAV, CardDAV, POP or Exchange ActiveSync (Google Sync) profiles, these services will be phased out according to the timeline below:
 

June 15, 2024

MDM push of password-based IMAP, CalDAV, CardDAV, SMTP, POP and Exchange ActiveSync (Google Sync) will no longer work for customers who try to connect to an LSA for the first time.

If you use Google Endpoint Management, you will not be able to turn on "Custom Push Configuration" settings for CalDAV and CardDAV.

September 30, 2024

MDM push of password based IMAP, CalDAV, CardDAV, SMTP and POP will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth. 


MDM push of password based Exchange ActiveSync (Google Sync)  will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth.


If you use Google Endpoint Management, “Custom push configuration-CalDAV” and “Custom push configuration-CardDAV” (more details about the settings here) will stop being effective. 



Scanners and other devices
If you have scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails, you’ll need to either: configure them to use OAuth, use an alternative method, or configure an App Password for use with the device. 


End users
If you are using an app that accesses your Google Account with only a username and password, take one of the following actions to continue to access your email, calendar, or contacts. If you do not take one of the following actions by September 30, 2024, you will begin receiving an error message that your username-password combination is incorrect and you will not be able to log in. 


Email Applications

Outlook 2016 or Earlier

Move to Microsoft 365 (formerly known as Office 365, a web-based version of Outlook) or Outlook for Windows or Mac, both of which support OAuth access.

Alternatively you can use Google Workspace Sync for Microsoft Outlook

Thunderbird or another email client

Re-add your Google Account and configure it to use IMAP with OAuth.

The Mail app on iOS or macOS, or Outlook for Mac, using only a password to log in

You’ll need to remove and re-add your account. When you add it back, select “Sign in with Google” to automatically use OAuth.

MacOS:

iOS:




Calendar Applications
  • If you use an app that uses password based CalDAV to give access to your calendar, switch to a method that supports OAuth. We recommend the Google Calendar app [Web/iOS/Android] as the most secure app to use with your Google Workspace account.
  • If your Google Workspace account is linked to the calendar app in iOS or MacOS and uses only a password to login, you’ll need to remove and re-add your account to your device. When you add it back, select “sign in with Google” to automatically use OAuth. Read more.


Contacts Applications
  • If your Google Workspace account is syncing contacts to iOS or MacOS via CardDAV and uses only a password to login, you’ll need to remove your account. When you add it back, select “sign in with Google” to automatically use OAuth. Read More.

  • If your Google Workspace account is syncing contacts to any other platform or app via CardDAV and uses only a password to login, switch to a method that supports OAuth.


All Other Applications
If the app you are using does not support OAuth, you will need to switch to an app that offers OAuth or create an app password to access these apps.



Developers
To maintain compatibility with Google Workspace accounts, update your app to use OAuth 2.0 as a connection method. To get started, follow our developer guide on using OAuth 2.0 to access Google APIs. You can also refer to our guide on OAuth 2.0 for mobile & desktop apps.
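As an added illustration of what “IMAP with OAuth” means on the wire (example code written for this page, not Google’s own or from the post), the SASL XOAUTH2 exchange that replaces the password login for Gmail IMAP and SMTP. It assumes an OAuth 2.0 access token with the https://mail.google.com/ scope has already been obtained; the mailbox address and token below are constructed placeholders.

```python
"""Gmail IMAP/SMTP with OAuth 2.0 (SASL XOAUTH2) instead of a password."""
import base64
import imaplib
import json
import smtplib


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Build the SASL XOAUTH2 initial client response.

    Layout expected by Gmail:  user=<addr>^Aauth=Bearer <token>^A^A
    where ^A is the control character 0x01.  No password is ever sent.
    """
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def xoauth2_initial_response_b64(user: str, access_token: str) -> str:
    """Base64 form, as sent after 'AUTHENTICATE XOAUTH2' / 'AUTH XOAUTH2'."""
    raw = xoauth2_initial_response(user, access_token).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_xoauth2_error(challenge: bytes) -> dict:
    """Decode the JSON error Gmail returns in a continuation line when the token
    is rejected (expired, revoked, or missing the mail scope).  Documented shape:
    {"status":"401","schemes":"bearer mac","scope":"https://mail.google.com/"}
    imaplib/smtplib hand us the challenge already base64-decoded.
    """
    try:
        return json.loads(challenge.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return {"status": "unknown", "raw": challenge.decode("utf-8", "replace")}


def imap_connect_oauth(user: str, access_token: str, host: str = "imap.gmail.com"):
    """Open an IMAP session authenticated with XOAUTH2 (replaces IMAP4.login)."""
    conn = imaplib.IMAP4_SSL(host, 993)
    errors = []

    def authobject(challenge: bytes) -> bytes:
        # First call: empty challenge -> send the initial response.
        # A second call only happens on failure: Gmail sends the JSON error
        # and waits for an empty line before answering NO.
        if challenge:
            errors.append(parse_xoauth2_error(challenge))
            return b""
        return xoauth2_initial_response(user, access_token).encode("utf-8")

    try:
        conn.authenticate("XOAUTH2", authobject)  # imaplib base64-encodes for us
    except imaplib.IMAP4.error as exc:
        raise RuntimeError(f"XOAUTH2 rejected: {errors or exc}") from exc
    return conn


def smtp_connect_oauth(user: str, access_token: str, host: str = "smtp.gmail.com"):
    """Open an SMTP session authenticated with XOAUTH2 (replaces SMTP.login)."""
    smtp = smtplib.SMTP(host, 587)
    smtp.ehlo()
    smtp.starttls()
    smtp.ehlo()

    def authobject(challenge=None) -> str:
        # smtplib.auth() base64-encodes whatever string we return; on a 334
        # error challenge we answer with an empty line, as with IMAP above.
        return "" if challenge else xoauth2_initial_response(user, access_token)

    smtp.auth("XOAUTH2", authobject)  # raises SMTPAuthenticationError on failure
    return smtp


if __name__ == "__main__":
    USER = "someuser@example.com"            # constructed placeholder
    TOKEN = "ya29.CONSTRUCTED_ACCESS_TOKEN"  # constructed placeholder
    print(xoauth2_initial_response_b64(USER, TOKEN))
```

Note that an App Password (mentioned above for scanners) still goes through the old LOGIN/PLAIN path; only the XOAUTH2 path above keeps the account password out of the device entirely.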


Users with personal Google accounts: In the coming weeks we will be removing the IMAP enable/disable toggle from your Gmail settings. IMAP access is always enabled over OAuth and your current connections will not be impacted. No action is required of users. 

Availability

  • This change impacts all Google Workspace customers.

Resources


Import and convert sensitive Excel files into client-side encrypted Google Sheets

This announcement was made at Google Cloud Next ‘23. Visit the Workspace Blog to learn more about latest security updates and the next wave of AI innovation in Workspace.



What’s changing

Launching in open beta, you can now import and convert sensitive Excel files into Google Sheets with client-side encryption. Your encrypted Excel file won’t be changed, even as you change the encrypted Sheets file.

In Google Sheets, navigate to File > Import.


Additional details

With this release:
  • You can only import encrypted .xlsx Excel file types. Additional Excel and tabular file types are not supported.
  • During import, unsupported Excel features in Sheets will be ignored.
  • The maximum file size is 20MB.
  • The maximum number of cells that can be imported is 5 million.

Getting started

Rollout pace

Availability

  • Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers

Stronger protection for additional sensitive actions taken in Gmail

What’s changing 

Last year, we introduced stronger safeguards around sensitive actions taken in your Google Workspace accounts. We’re extending these protections to sensitive actions taken in Gmail, specifically actions related to: 
  • Filters: creating a new filter, editing an existing filter, or importing filters. 
  • Forwarding: Adding a new forwarding address from the Forwarding and POP/IMAP settings. 
  • IMAP access: Enabling the IMAP access status from the settings. (Workspace admins control whether this setting is visible to end users or not) 

When these actions are taken, Google will evaluate the session attempting the action, and if it’s deemed risky, it will be challenged with a “Verify it’s you” prompt. Through a second and trusted factor, such as a 2-step verification code, users can confirm the validity of the action. If a verification challenge is failed or not completed, users are sent a “Critical security alert” notification on trusted devices.

If a risky action is taken, you'll be prompted with a "Verify it's you" challenge.



Additional details

Note that this feature only supports users that use Google as their identity provider and actions taken within Google products. SAML users are not supported at this time. See below for more information.

Getting started

Rollout pace


Availability

  • Available to all Google Workspace customers and users with personal Google Accounts 

Resources

Resolve conflict accounts faster with the new Conflict Accounts Management tool

What’s changing 

We’re introducing an automated workflow to help reduce the manual effort needed to turn unmanaged accounts into managed accounts. Unmanaged accounts are users who independently created a Google account using one of your organization's domains. 




Admins can access the feature within the Admin console under Account settings > Conflicting accounts management. Here, they can specify their preferences for how to resolve unmanaged accounts when provisioning users for their domains. This preference will apply only when users are provisioned using the public Directory API with URL parameter resolveConflictAccount set to true. 

  • Automatically invite users to transfer unmanaged accounts 
    • Admins can specify how many daily follow-up messages should be sent.
    • If a user declines or does not accept the transfer invitation, admins can specify which next steps should be taken. 
    • Further, admins will have the option to take over the email address of users who decline or ignore the invite. 

  • Replace unmanaged accounts with managed ones 
    • Note that data owned by the account will not be imported.
    • The user will receive a temporary account address, which they’ll need to manually replace with a @gmail.com address of their choice. 
    • They’ll receive an email notification of this, and are informed they cannot use the original email any longer. 
    • Refer to this documentation for more information

  • Don’t create new accounts if unmanaged accounts exist.



Who’s impacted

Admins and end users


Why you’d use it 

Conflict accounts are personal Google accounts that have been registered with a corporate email address. These accounts cannot be managed by admins and so fall outside the scope of the protections admins can apply to keep work data secure. Further, reconciling conflicting accounts creates churn for admins and adds to the workload of onboarding users to Google Workspace & Google Cloud.


While admins can mitigate these accounts using the transfer tool or the “UserInvitation” API functionality, the Conflict Accounts Management tool is a scaled solution for larger customers, helping reduce time spent migrating to business accounts and accelerating adoption of Google Workspace and Google Cloud.

Getting started


  • Admins: 
    • Visit the Help Center to learn more about using the Conflict Accounts Management tool and unmanaged accounts.

  • End users: Depending on your admin configuration:
    • You’ll be invited to transfer your account — if accepted, your admin will have the ability to manage your account.
    • If you do not accept the request, your admin may replace your unmanaged account with a managed one. In that case, you’ll receive a new @gmail.com address and retain your content in this unmanaged, personal Google account.

Rollout pace



Availability

  • Available to all Google Workspace customers

Resources


Set Context Aware Access policies for 1P & 3P applications to access Workspace APIs

What’s changing 

Admins can now use context-aware access to block users' access to Workspace applications via other Google (1st party) and non-Google (3rd party) applications. With context-aware access, you can set different access levels to Workspace applications based on a user’s identity and the context of the request (location, device security status, IP address). 




Why it’s important 

Context-aware access for APIs lets admins extend their existing user and device CAA controls to end users who attempt to access Google Workspace applications via other Google and non-Google applications. Extending these policies to APIs that request Google Workspace core data gives admins another layer of control and security and helps protect against data exfiltration. 


Getting started 


Rollout pace 

  • This feature is available now.

Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers 

Resources