Tag Archives: Security and Compliance

Select App Access Controls can now be applied at the organizational unit level

What’s changing 

Google Workspace Admins can now configure a number of App Access Control (AAC) policies at the Organizational Unit (OU) level. Previously, this was only possible at the domain level. Specifically, this applies to: 


Who’s impacted

Admins


Why it’s important

We know that users rely on a variety of tools to do their best work, including third-party apps. However, not every third-party app aligns exactly with every organization’s security policies. App access controls give customers and partners the ability to control access to third-party apps and how those apps access Google Workspace data. This update gives admins added flexibility, allowing them to set App Access Controls as they see fit at the OU level, rather than across their entire domain.


Additional details

For Google Workspace education editions, the “User requests to access unconfigured apps” setting can now be configured at the OU level. Visit the Help Center to learn more about managing access to unconfigured third-party apps for users designated under the age of 18.

Getting started


Rollout pace


Availability

  • Available to all Google Workspace customers

Resources


User enrollment for managed iOS devices is now generally available

What’s changing 

In late 2023, we introduced user enrollment in beta, an additional option for iOS mobile management. User enrollment separates work and personal data on iOS devices, giving admins control over Workspace data on the device while users retain privacy over their personal data. Beginning today, user enrollment is now generally available. For more information, use our Help Center or reference our original announcement.


Getting started



Rollout pace


Availability

  • Available to Google Workspace Enterprise Plus, Enterprise Standard, Enterprise Essentials, Enterprise Essentials Plus, Frontline Standard, Frontline Starter, Business Plus, Cloud Identity Premium, Education Standard, Education Plus and Nonprofits customers.


Set client-side encryption as the default mode for new emails, events, and files on mobile

What’s changing 

Admins can now set client-side encryption (CSE) to be on by default on Android and iOS for: 
  • Newly drafted Gmail messages and replies 
  • Newly created Google Calendar events 
  • Newly uploaded Google Drive files

Client-side encryption in Gmail


Admins can now set client-side encryption as the default mode on both web and mobile for users that regularly handle sensitive data. This gives organizations the flexibility to meet their compliance and regulatory requirements and reduces the burden on change-management programs. Each new email, event and uploaded file on mobile is automatically client-side encrypted with customer-managed keys, meaning the user complies with their organization’s policy from the outset. For organizations with strict regulatory or sovereignty requirements, this can help close compliance gaps by defaulting users to the preferred mode for handling sensitive data while on the go.

For more information, check out our original announcement.

Getting started


Rollout pace


Availability

  • Google Workspace Assured Controls is available as an add-on to Google Workspace Enterprise Plus customers only. For more information, contact your Google account representative.

Resources


Easily manage and secure your school’s accounts and mobile devices centrally in Google Admin console with the Endpoint Education Upgrade

What’s changing

This year, we announced Endpoint Education Upgrade, which adds enterprise endpoint management features to your Google Workspace for Education edition. Using endpoint management, admins can better manage and secure the phones and tablets used across their school directly from the Admin console.

Note that advanced endpoint management features are already included with Google Workspace for Education Standard and Plus.

Who’s impacted

Admins


Why you’d use it


Using the Endpoint Education Upgrade, admins can configure a wide range of account and device management features, helping to make your organization's data more secure across your users' mobile devices, desktops, laptops, and other endpoints. For example, you can:
  • Control which Android and iOS apps can be installed on a device, who can log into it (for domain-owned devices), and where it can access your data.
  • Protect devices from loss or theft with admin rules for alerts, location tracking, access restrictions, and remote data wipes.
  • Manage company-owned devices or set up Android work profiles, so users can safely access your school account on the go.
  • Require stronger device passwords and more.
Visit the Help Center for a complete list of endpoint management features.


Getting started


Rollout pace

  • The Endpoint Education Upgrade will be available for purchase through your current Google Workspace for Education reseller and select channel partners on February 29, 2024. If you do not currently have a Google Workspace for Education reseller, you can find one here.


Availability

  • Endpoint Education Upgrade is available as a user-based license or a device-based license (coming soon); it is not a domain-wide license. You can purchase Endpoint Education Upgrade licenses through your current Google Workspace for Education reseller and select channel partners.

  • If you have Education Fundamentals and wish to upgrade instead of purchasing individual Endpoint Education Upgrade licenses, you can easily upgrade to Education Standard or Education Plus.

Resources

Now generally available: Import and convert sensitive Excel files into client-side encrypted Google Sheets

What’s changing

You can now import and convert sensitive Excel files into Google Sheets with client-side encryption. When collaborating with external and internal stakeholders, you may find yourself working across both Google Sheets and Microsoft Excel. This update keeps your work moving by layering interoperability on top of the privacy benefits of client-side encryption: users are in direct control of their encryption keys and the identity service that they choose to authenticate for those keys.


This feature was previously announced in August 2023 as part of an open beta.

Additional details 

With this release: 
  • You can only import .xlsx Excel file types.
  • Additional Excel and tabular file types are not supported. 
  • During import, unsupported Excel features in Sheets will be ignored. 
  • The maximum file size is 10MB. 
  • The maximum number of cells that can be imported is 10 million. 

Getting started

Local data storage exports your organization’s Workspace data into the geographic location of your choice, launching in beta

What’s changing 

Today, we’re introducing Google Workspace’s new feature, local data storage. This feature allows admins to export their organization’s Workspace data into the geographic location or locations of their choice. These are the available options for this feature: 
  • User data: Specify users, groups, organizational units or your entire organization 
  • Export frequency: Opt for continuous or one-time exports 
  • Storage settings: Specify the geographic location of the Google Cloud storage bucket that the data is exported to, who can access the data, and more settings within the Google Cloud storage bucket.

When creating a new export, you can choose to export your data continuously into your own storage bucket



Who’s impacted

Admins


Why you’d use it

This update allows admins to export their organization's Workspace data into their own Google Cloud Storage (GCS) bucket located in a geographic location of their choice to meet their data sovereignty, compliance, and data archival needs. 

Getting started


Rollout pace


Availability

  • Available to Google Workspace Enterprise Plus customers with Assured Controls add-on
    • If you don’t currently have the Assured Controls add-on, please contact us or reach out to your sales rep for more information.

Resources


Use comments & action items on your client-side encrypted Google Docs

What’s changing 

You can now collaborate with others on client-side encrypted Google Docs to add, edit, reply, filter, or delete comments. You can also assign action items to yourself or others. This added functionality helps bring parity to unencrypted docs while also ensuring your data is behind encryption keys you control, including the identity provider used to access those keys. 


This feature is available as an open beta, which means you can use it without enrolling in a specific beta program. It is available for Google Docs initially, with support for Google Sheets and Slides coming in the future.




Additional details

Note that when sharing encrypted files, you can only assign “viewer” or “editor” permissions — the “comment only” permission is not supported.


Comments are saved each time the document is autosaved. If you restore the document to a previous version, the comments added to the document in that version are also restored.

Getting started

Rollout pace



Availability

  • Available to Google Workspace Enterprise Plus, Education Standard and Education Plus customers

Resources


Extending Trusted Types to Gmail

What’s changing

Last year, we improved the client-side security of Google Docs, Sheets, Slides, Forms, Sites, Drawings, Drive, and Calendar with Trusted Types. This browser-based runtime feature restricts how the Document Object Model (DOM) APIs used by the apps listed above, and by third-party extensions, can be called. Trusted Types also reduces the possibility of DOM-based Cross-Site Scripting (DOM XSS), which continues to be one of the most critical threats to web security.

DOM XSS occurs when a cyber attacker injects malicious code into a web page, which can then be executed by the victim's browser. This can allow the cyber attacker to steal cookies, hijack sessions, and even take control of the victim's computer. 

To defend against this, we’re excited to announce the expansion of Trusted Types to Gmail. This provides a defense against DOM XSS and further enhances our advanced data protection controls to keep users and data safe across more of the apps they use every day.


Who’s impacted 

Developers (relying on any Chrome extensions that modify DOM APIs)


Additional details 

This new enforcement mode will require third-party extensions to use typed objects instead of strings when assigning values to DOM APIs. Once Trusted Types are fully enforced, the require-trusted-types-for directive will be present in the Content Security Policy (CSP) header:

Content-Security-Policy: require-trusted-types-for 'script';report-uri https://mail.google.com/mail/cspreport 


Getting started 

  • Admins: There is no admin control for this feature. 
  • Developers: 
    • To make code Trusted Types compliant, signal to the browser that data being used within the context of these DOM APIs is trustworthy by creating a Trusted Types object (for example, TrustedHTML) through a policy.
    • There are several ways to be Trusted Types compliant, such as removing the offending code, using a library (such as safevalues or DOMPurify), or creating a Trusted Types policy. To ensure a seamless experience for users, we recommend employing these techniques before Trusted Types enforcement is rolled out. Failure to make code Trusted Types compliant may cause feature breakages for third-party extensions as their DOM manipulations will be blocked by the browser. 
  • End users: There is no end user setting for this feature. 
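The following is an added example, not Google’s code or part of this announcement, showing what the change above looks like from an extension developer’s side: a plain-string write to innerHTML that the browser rejects once require-trusted-types-for 'script' is active, beside a compliant version that mints a TrustedHTML value through a policy. The policy name "ext-sanitizer", the small escaping sanitizer (the announcement suggests safevalues or DOMPurify instead), and the stand-ins for window.trustedTypes and for an enforcing element are all this example’s own choices so that it runs outside a browser.

```javascript
// Added example (not Google's code): making an extension's DOM write Trusted Types compliant.
// Under `require-trusted-types-for 'script'` the browser rejects plain strings at injection
// sinks such as innerHTML and accepts only TrustedHTML objects produced by a policy.

// Minimal HTML escaper used as this example's sanitizer (assumption: a real extension
// would more likely use DOMPurify or safevalues, as the announcement suggests).
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')   // ampersand first so later escapes are not re-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stand-in for window.trustedTypes so the example runs outside a browser. It mirrors the
// shape of the real API: createPolicy(name, rules) returns a policy whose createHTML wraps
// the rule's output in a TrustedHTML-like object.
class FakeTrustedHTML {
  constructor(html) { this.html = html; }
  toString() { return this.html; }
}
const fakeTrustedTypes = {
  createPolicy(name, rules) {
    return {
      name,
      createHTML: (input) => new FakeTrustedHTML(rules.createHTML(input)),
    };
  },
  isHTML: (value) => value instanceof FakeTrustedHTML,
};

// Stand-in for a DOM element under enforcement: the innerHTML setter refuses anything that
// is not a TrustedHTML object, which is what the browser does once the CSP directive is active.
function makeEnforcingElement(tt) {
  const el = { _html: '' };
  Object.defineProperty(el, 'innerHTML', {
    get() { return el._html; },
    set(value) {
      if (!tt.isHTML(value)) {
        throw new TypeError("This document requires 'TrustedHTML' assignment.");
      }
      el._html = String(value);
    },
  });
  return el;
}

// Before: the pattern the announcement warns will break. The string is neither sanitised
// nor typed, so the enforcing sink rejects it outright.
function renderUnsafe(el, untrusted) {
  el.innerHTML = untrusted; // throws TypeError under enforcement
}

// After: one policy per extension, created once and reused. Policy names are unique per
// document, so calling createPolicy twice with the same name would itself throw.
let extensionPolicy = null;
function getPolicy(tt) {
  if (!extensionPolicy) {
    extensionPolicy = tt.createPolicy('ext-sanitizer', { // policy name is this example's choice
      createHTML: (input) => escapeHtml(input),
    });
  }
  return extensionPolicy;
}

// The compliant write: the sink receives a TrustedHTML object, so the assignment is allowed
// and the markup that reaches the page has already passed through the policy's sanitiser.
function renderSafe(el, untrusted, tt) {
  el.innerHTML = getPolicy(tt).createHTML(untrusted);
  return el.innerHTML;
}

// Demo with a constructed input: text an extension might read from a message and echo
// into the page. In a browser, pass window.trustedTypes instead of the fake.
const sample = '<img src=x onerror="alert(1)">Hello';
const demoElement = makeEnforcingElement(fakeTrustedTypes);
try {
  renderUnsafe(demoElement, sample);
} catch (e) {
  console.log('blocked:', e.message);
}
console.log('rendered:', renderSafe(demoElement, sample, fakeTrustedTypes));
```

In a real extension the only line that changes between the two versions is the one that writes to the sink: the string goes through the policy first. Creating the policy once at load time (rather than on every write) also keeps the extension working under a CSP that lists the allowed policy names.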

Rollout pace 


Availability 

  • Available to all Google Workspace customers and users with personal Google Accounts 

Resources 

Google Workspace Updates Weekly Recap – December 15, 2023

2 New updates

Unless otherwise indicated, the features below are available to all Google Workspace customers, and are fully launched or in the process of rolling out. Rollouts should take no more than 15 business days to complete if launching to both Rapid and Scheduled Release at the same time. If not, each stage of rollout should take no more than 15 business days to complete.


We have begun enforcing 2-step verification for all admin accounts 
Two-step verification (2SV) is a critical security measure that has been proven to reduce password-based hijacking by more than 50%. We are committed to protecting the security of our users and are taking additional steps to help customers guard against data compromise and prevent account takeovers.

We have begun enforcing 2SV for all admin accounts and will continue this enforcement on an ongoing basis. As of December 2023, this change is already in effect for some customers. When this goes into effect for your organization, you will receive the following notifications:
  • 30 days prior to enforcement in your domain: Super admins will receive various email and in-app notifications informing them of the forthcoming enforcement, encouraging them to verify their admins’ 2SV status. 
  • Once enforcement goes into effect in your domain: All admins will receive email and in-app notifications upon signing into their accounts for the next thirty days. If they do not enable 2SV within this time period, they will be locked out and will need to follow these steps to recover an administrator account.
We highly encourage all administrators to turn on 2SV as soon as possible. Visit the Help Center for more details and further guidance.



Dynamic groups limit increased to 500 
We’re increasing the number of dynamic groups a customer can have from 100 to 500. Dynamic groups are defined as groups whose membership is managed automatically based on specific criteria, such as a user’s department or location. This increase gives admins more flexibility to create dynamic groups as needed and cuts down on manual group management tasks that would otherwise be required. | Rolling out now to Rapid Release and Scheduled Release domains at a gradual pace (up to 15 days for feature visibility). | Available for Google Workspace Frontline Standard, Enterprise Standard and Enterprise Plus, Education Standard and Education Plus, Enterprise Essentials Plus, and Cloud Identity Premium customers only. | Learn more about dynamic groups.


Previous announcements

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.


Meet Add-ons SDK available in Developer Preview 
The Google Meet Web Add-ons SDK is available through our Developer Preview Program. Developers can use the SDK to bring their app experience right into Meet. End users can install, open, and collaborate in apps right inside a meeting, either as the meeting focal point, or in the sidebar — all without ever leaving Meet. | Learn more about Meet Add-ons SDK.

Huddly cameras bring continuous framing to Google Meet Series One room kits 
As part of our initiative to bring adaptive framing to Google Meet meeting rooms, we’re proud to announce that you can now access Huddly’s continuous framing capability available as part of the Series One room kit hardware devices. | Available to all Google Workspace customers using Google Meet Series One room kits only. | Learn more about Google Meet Series One.

Record and share your name pronunciation across Google Workspace products 
From your Google account settings, you can now record your name and share its pronunciation with other users. The pronunciation can be played from your profile card across various Google Workspace tools such as Gmail or Google Docs on web or mobile devices. | Available to Google Workspace Business Starter, Business Standard, Business Plus, Essentials Starter, Enterprise Essentials, Enterprise Essentials Plus, Enterprise Standard, Enterprise Plus, Frontline Starter, Frontline Standard, and Nonprofits customers only. | Learn more about name pronunciation. 

Easy access to people, documents, building blocks and more in Google Docs 
When moving to a blank line within your Doc, you will see an “@” button with the option to select, search and insert smart chips, such as people, dates, timers, or files, building blocks, calendar events, groups and more. | Learn more about bringing smart canvas features to the forefront of your workflow

Excuse assignments in Google Classroom 
Teachers can mark an assignment for a particular student as “Excused” instead of giving it a 0-100 score. This will exclude that particular assignment from the student’s overall grade. | Learn more about excusing assignments. 

Introducing interactive questions for YouTube videos in Google Classroom 
Educators can now turn any YouTube video into an interactive lesson by adding questions for their students to answer throughout the video. | Available to Education Plus and the Teaching and Learning Upgrade only. | Learn more about interactive videos. 

Introducing the Bitbucket app for Google Chat 
We’re adding Bitbucket for Google Chat. Bitbucket is a Git-based code and CI/CD tool optimized for teams using Atlassian’s Jira. | Learn more about Bitbucket app for Google Chat. 

Use “Profile Discovery” to display basic information only in search results, available in open beta 
Google Workspace admins can now turn on “Profile discovery” for their users. When turned on, users can customize how they appear across Google products to people who search for them by their phone number or email. Specifically, you can choose how you want your name to be displayed and how your profile picture will be displayed. | Learn more about Profile Discovery.


Completed rollouts

The features below completed their rollouts to Rapid Release domains, Scheduled Release domains, or both. Please refer to the original blog posts for additional details.


Rapid Release Domains: 
Scheduled Release Domains: 
Rapid and Scheduled Release Domains: 

For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).

Custom notifications for Google Chat data loss prevention rules are now generally available

What’s changing 

Earlier this year, we announced the beta availability for admins to display custom notifications when a Google Chat message is blocked or intercepted based on data loss prevention rules. Beginning today, this feature will become generally available on web and mobile. 


Custom notifications give admins the opportunity to provide their users with more context about why they were blocked from sending a specific message, what they can do to unblock themselves, and include links to additional resources, such as organization guidelines for sensitive data with actionable recommendations. For more information, please reference our original announcement.

Getting started

  • Admins: 
    • Custom notifications can be set per each data protection rule at the domain, Organizational Unit (OU), or group level. 
    • When creating a rule, in Step 4: Actions, under “User Message”, select “customize message”. Custom notifications can also be applied to existing DLP rules. If admins do not customize the notification, the generic notification will be shown to users.
    • Visit the Help Center to learn more about preventing data leaks from Chat messages & attachments.


  • End users: There is no end user action required. Depending on your admin settings, you’ll see more detailed information if you’re trying to send a Google Chat message that meets conditions defined in a data loss prevention rule.


Rollout pace


Availability

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Standard, the Teaching and Learning Upgrade, Education Plus, and Frontline Standard customers
  • DLP for Chat is also available to Cloud Identity Premium users who are also licensed for Workspace editions that include Google Chat and Audit and investigation. Visit the Help Center for more information. 

Resources