A lot on the Google Workspace admin console has changed this year. These new features have made administrators’ lives easier. In this blog, you’ll learn about the most significant updates this year.
A. New streamlined experience for managing users and domains
1. Adding a user
B. Domain management updates
6. Security groups
7. Disabling file transfer in Google Chat
C. New Product Updates and Alert Cards in the Admin Console
8. Alert cards
9. App access control panel update in the admin console
D. Enhanced Content Classification, Governance, and DLP with Google Drive Labels
10. Drive labels
11. Automated classification using Workspace Dat Loss Prevention (DLP)
12. Labels-driven sharing restrictions with Workspace Data Loss Prevention (DLP) integration
E. Deeper Insights Into Gmail Security Events
13. Access the Alert Centre notifications directly from the admin console toolbar.
14. New Rules homepage in the admin console makes security simpler
15. Enable offline support for Google Calendar
F. Upcoming Google Workspace Admin Console Updates
A. New streamlined experience for managing users and domains in the Admin console
On 23rd June 2021, Google released multiple updates that brought forth a redesigned experience to how users are added, renamed, and deleted. The workflows around domain management and changing the primary domain were also improved. This made it easier to find items that need to be managed and simplified the understanding of how Google Workspace is deployed within administrators’ organizations. More specifics regarding the change include:
1. Adding a user
When you select “Add a user” on the admin console, you will see a new full-screen dialog that displays the most important fields first. This includes the user’s primary and secondary email addresses and domain information.
2. Assigning passwords
There is also the option to have the user’s password generated automatically or to create the password yourself. You may also enable the option for users to be prompted to update their password when they first log in. The default setting is for a password to be generated automatically and then reset by the user when they first sign in. It is recommended that you utilize this setting since it helps you comply with industry security standards. Additionally, the user’s profile photo can be uploaded.
3. Assigning profile pictures
It is now easier for admins to allow users to change their profile photos. This setting is available under the “more” drop-down menu on the user management section in the admin console.
4. Updating a user
Additional information about what happens to the old email address and the impact on Google chat availability has been included in the user update popup. To avoid confusion, the call to action for changing a user’s name has been renamed from “Rename user” to “Update user.”
5. Deleting a user
The account deletion interface has been made user-friendly and provides more information on what happens during user deletion, alternatives to user deletion, and data transfer options. Once you delete a user you will be provided with additional information such as when the user’s data transfer will begin, the user’s suspended state and the duration admins have to restore the account if the need arises.
B. Domain management updates
The domain management workflow has also seen several improvements. This page is typically accessed on the admin console by navigating to Domains > Manage domains. The improvement includes the addition of an “Action” column where admins can perform quick actions such as removing users, adding users, setting up redirects, among other actions. The domain status can now be easily viewed in the “Status” column and indicates status updates such as “Verified”, “Gmail activated”, or “Verify domain”. In addition to this, you can also verify or activate a domain within the column and also view additional information on how Gmail was configured for the specific domain. The “Type” column, contains additional details about the domain type such as primary or test domains. Additional information and help centre articles can also be found for each type of domain.
6. Security groups
On 24th August 2021, Google made security groups generally available, notably having been previously released as a beta in 2020. This feature helps you distinguish, regulate, audit, and monitor groups used specifically for permission access and control purposes. This allows admins to apply labels to existing Google Groups in order to distinguish them from email list groups. This also ensures that external groups and non-security groups cannot be added as members of a security group. Note that security labels cannot be removed once they have been assigned to a group. This is further enhanced by the update on 26th July 2021 that consisted of using dynamic security groups for group-based policies (Available to Google Workspace Enterprise Plus, Education Plus, and Cloud Identity Premium customers). The security groups update lets admins use dynamic groups to manage policies for their uses. This had only been previously achieved by applying policies to static groups and Organizational Units. This change has facilitated flexibility and greater control when managing Workspace policies for users in the organization, whereby policies applied to a dynamic group stay up-to-date automatically rather than applying policies to a specific group that is updated manually.
7. Disabling File Transfer in Google Chat
On 26th July 2021, the admin console was updated to enable administrators to disable or limit file sharing for users in Google Chat. Administrators are now able to Restrict or allow file-sharing or choose to allow only a specific type of file for users sending files both within and outside their organization. This further enhances the security of organizational data by helping prevent the sharing of confidential information within and outside the organization.
This further enhances the security of organizational data by helping prevent the sharing of confidential information within and outside the organization. Note that this update has no impact on links and as such Google Drive links will continue working as usual. There is also no impact on emojis. This feature will be turned off by default and can be enabled by admins at the domain or organizational unit level. Where file sharing in Google chat has been disabled by an administrator, users will find that the upload button has been disabled or changed. Where applicable, a text will be provided to explain the change as shown below:
This policy is also enforced on both mobile and web clients. This update is only applicable to Google Workspace Business Plus, Enterprise Standard, Enterprise Plus, Education Plus, and Enterprise Essentials customers.
C. New Product Updates and Alerts cards in the Admin console
Starting November 15th, 2021 you will be able to stay up-to-date with product updates and alerts within the admin console with ease. This is facilitated by the new product updates and alert cards that are now displayed on the admin console home. This brings together critical information and dynamic updates within the landing page experience.
Recent posts regarding Google Workspace updates can now be accessed directly on the admin panel home, thus keeping you abreast of changes within the product. These updates could previously only be accessed by subscribing to the Google Workspace updates blog, or visiting the Pawa IT Africa blog for the latest updates.
8. Alerts card
The alerts card shows a summary of the latest events from the alert centre. Once you click on an alert you will be automatically redirected to the admin console alert centre. Additionally, only alerts with “Not started” or “In progress” status are displayed on the card. Alerts with a “Closed” status can however be viewed by opening the alert centre and filtering for alerts with the status “Closed”.
9. App access control panel update in the admin console.
The app access control panel lets you choose which third-party and internal apps have access to Google Workspace data. This panel has seen several improvements this year making it easier for admins to view configured applications that are either trusted or blocked, view a list of all the applications being accessed by users, and the list of Google services within the organization.
Performance improvements have also been made so as to enable the list of services to load faster than before. This feature can be accessed in the admin console by navigating to Security > API Controls > App Access Controls. To learn more about enabling and disabling applications and services click here.
D. Enhanced content classification, governance, and DLP with Google Drive labels
On 7th December 2021, Google announced the release of multiple features to enable the categorization of content and enhance the content protection scale. These features include:
10. Drive labels
This enables admins to configure custom labels for domains and then let users label their files within Google Drive. This feature had previously been announced previously in April 2019 under the name Drive metadata, as a beta feature. This update makes it easier to search and organize files based on the tags. Admins and end-users can use tags to ensure their content stays organized and accessible, helping them streamline their work.
11. Automated classification using Workspace data loss prevention (DLP)
This helps organizations to add Drive labels to their content based on the rules defined by the administrator, plus predefined content detectors. Content detectors are used to specify and Report content types that are of a sensitive nature. To learn more about content detectors click here. Automatic classification reduces the risk of error associated with the manual classification. This also helps where content has not yet been classified using Drive labels.
12. Labels-driven sharing restrictions with Workspace data loss prevention (DLP) integration
Sharing restrictions can now be applied by administrators to all files based on a given label. For example, a DLP administrator can configure a rule that prevents users from sharing any file labeled as “internal” and display a warning message anytime a user attempts to share the file outside the organization. The same rule could be extended to prevent the saved file from being downloaded or printed.
The three updates above work in tandem to aid in securing organizational data and form a strong information governance policy. To use this feature admins simply need to turn on the label feature and publish labels.
Users permitted to apply a given label will then be able to apply it to files in Google Drive. This is done by use of the drive context menu Drive details pin or the labels option in the File menu of Google sheets and slides.
Using the drive’s advanced search, users are able to search for files that they have access to with the given label. The organization can have one main label that is “badged” and will be prominently visible as a coloured rectangle in docs, sheets, and slides thus providing a visual reminder to the users to handle these files with care. Standard labels can also be configured by administrators and used to enforce the policy. The standard labels will however not have the same visual prominence as the “main” label. As shown below, an admin can then proceed to set up DLP policies based on the applied labels and the type of data they signify.
Note that this feature will be OFF by default and can be enabled at the domain level. Each label’s access controls can be managed at the group level.
- Finer-Grained IMAP control
On December 9th, 2021 Google announced that IMAP Settings can now be changed at the group level. This lets admins have more fine-grained control over trusted Mail clients within your organization. These settings could only previously be made at the OU or domain level.
- SAML Partial SSO
On November 19th, 2021 Google announced assigning SSO profiles to organizational units or groups is now generally available. This came after the feature had previously been announced as a beta feature earlier on 29th July 2021. What does this mean for your users? You were typically able to authenticate your users using a third-party identity provider, and this configuration would be applied to all of the users within your domain. This update lets you choose which groups or organizational units can be authenticated using Google. This would especially be effective for example in a scenario whereby you would want to prevent a subset of your users from using their Google account for authentication e.g vendors and contractors.
Admins can configure this by navigating to Security > Settings > Set up single sign-on (SSO) with a third party IdP > Manage SSO Profile assignments.
E. Deeper insights into Gmail security events
Starting 20th October 2021, Google Workspace admins will now have the ability to introspect deeper into security alerts. This has been facilitated by the integration between Virus Total and the alert Centre earlier announced on 26th July 2021. Whenever an alert contains a supported Virus Total entity such as a file attachment, hash, or IP address, the Virus Total report enrichment widget also referred to as the VT augment can be used directly in the alert Centre to populate additional information regarding the event. Note that virus total subscribers will have access to a more advanced version of the report. Users on the typical standard version of VirusTotal will be able to view:
- Observable identification that includes identifiers and characteristics that allow you to reference and share the threat with other analysts for further inspection.
- Threat reputation that consists of maliciousness assessments from more than 70 sources including but not limited to security companies, network blocklists, and antivirus Solutions.
- Threat time spread that enables you to determine when a threat was first observed in the wild and how long it has been active.
13. Access the Alert Centre notifications directly from the admin console toolbar.
Alert center’s events can now be quickly accessed anywhere in the admin console from the toolbar at the top of the page.
This is done by clicking on the new bell icon on the toolbar which results in a pop-up with 10 of the latest alerts with a brief description. Clicking on a specific alert allows you to open it within the alert center.
14. New Rules homepage in the Admin console makes security simpler
The rules home page in the admin console has been made easier to work with. Starting April 13th 2021, the rules homepage has been made available to all Google Workspace customers. How you create, view, and manage rules in the admin console has also been changed to make it easier. This has in part been achieved by consolidating the security rules and rules pages to make rule discovery and management easier. Enterprise standard and Enterprise plus customers can now use a rule template page that has been introduced to help admins quickly set up rules for common use cases. One-click rule analysis by the investigation tool has also been added to Enterprise plus customers thus simplifying their operations even more.
15. Enable offline support for Google Calendar
The 28 January 2021 update to Google Calendar on the web made it possible to use it offline. Once this is enabled you are able to view your calendar and events at any time in the future by weekday or month, or up to 4 weeks prior. This is especially useful in situations where one has unreliable internet access or is offline. Admins are able to turn on this feature by navigating in the admin console to Workspace > Calendar > Settings for Calendar > Advanced Settings > Calendar web offline and checking “Allow using Calendar on the web when offline”.
Once enabled, users will be able to turn on this feature on a per device basis.
F. Upcoming Google Workspace Admin Console Updates
Additional Google Access admin features are currently in beta and may be released in the coming year. Some of these include:
- Configuring member restrictions for groups.
This feature was announced as an open beta on 5th October 2021 and entails adding group-level controls that will allow administrators to restrict group membership based on internal or external members and member types such as service account, users or groups. Where restrictions are in place, admins will then receive an indication whenever they violate memberships and get a suggestion for actions to resolve the discrepancy.