
Quick launch summary 
We’re making security groups generally available. Security groups help you easily regulate, audit, and monitor groups used for permission and access control purposes by simply adding the security label. See our beta announcement for more details and use cases for security groups.

We’ve recently announced several other features that can help you better manage groups in your organization and improve your security posture. These include group membership expiration and the indirect membership visibility and membership hierarchy APIs.


Getting started 
Rollout pace 
Availability 
  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Standard and Enterprise Plus customers, as well as G Suite Basic, Business, Education, Enterprise for Education and Nonprofits customers 
Resources 

Quick launch summary 
The Cloud Identity Groups API feature that enables you to set expirations for group memberships is now generally available. It was previously available in beta.


This enables admins to set an amount of time that users and service accounts are members of a group. Once the specified time has passed, users will be removed from the group automatically. Automatic membership expiration can help reduce the administrative overhead for managing groups, and can help ensure group membership is limited to the members that need access. 




This launch is another enhancement to the Cloud Identity Groups API. We recently also made the indirect membership visibility and membership hierarchy APIs generally available. Together, these make it easier to manage permissions and access control in your organization. 


Getting started 
Rollout pace 
Availability 
  • Available to Google Workspace Enterprise Standard and Enterprise Plus, as well as G Suite Enterprise for Education and Cloud Identity Premium customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, and Enterprise Essentials, as well as G Suite Basic, Business, Education, and Nonprofits customers 
Resources 

Quick launch summary 
We’re making it easier to identify, audit, and understand indirect group membership via the Cloud Identity Groups API. Specifically, we’re making the membership visibility and membership hierarchy APIs generally available. These were previously available in beta. 

Using “nested” groups to manage access to content and resources can help decrease duplication, simplify administration, and centralize access management. However, nested groups can create a complex hierarchy that can make it hard to understand who ultimately has access and why. These APIs help provide all of the information you need to understand complex group structures and hierarchies, and can help you make decisions about who to add to or remove from your groups. 

See our beta announcement for more information and use cases for the APIs.


Getting started 

Rollout pace 

Availability 
  • Available to Google Workspace Enterprise Standard and Enterprise Plus, as well as G Suite Enterprise for Education and Cloud Identity Premium customers. 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, and Enterprise Essentials, as well as G Suite Basic, Business, Education, and Nonprofits customers 

Resources 

What’s changing 
You can now deploy and manage Google Credential Provider for Windows (GCPW) in the Admin console. Previously, you had to edit registry entries to manage GCPW. The new, organization-specific installation file and setting management in the Admin console makes it easier to deploy and manage GCPW in your organization. 


Who’s impacted 
Admins 


Why you’d use it 
GCPW is an aspect of Enhanced desktop security for Windows that makes using Windows 10 devices with Google Workspace easier and more secure. Once set up, users can: 
  • Sign in to a Microsoft Windows 10 device using their Google Workspace Account. 
  • Take advantage of security protections on Windows 10 devices, including 2-step verification (2SV) and login challenges. 
  • Access Google Workspace and other single sign-on (SSO) apps without the need to re-enter their credentials. 
With this launch, you can configure and manage GCPW in the Admin console instead of in each device’s registry settings. This can make setting up and updating GCPW deployments less manual and time-consuming if you don’t have standard software deployment tools. 


Additional details 
Device setup and management: To set up GCPW on a new device, download a GCPW installation file customized for your company from the Admin console. After GCPW is installed, you can manage GCPW settings in the Admin console. When a user signs in to a device managed with GCPW, GCPW fetches and applies the settings from the Admin console. GCPW settings in the Admin console may take up to one hour to be implemented on the device. If you already installed GCPW on a device, you can set a token to manage GCPW from the Admin console.

Settings available in the Admin console: You can manage most of the settings in the Admin console that you can in registry settings, including offline access, multiple account management, and more. 

Working with existing registry settings: Admin console settings supersede registry settings. To continue to use registry settings instead of Admin console settings, leave GCPW settings in the Admin console as “not configured.” 



Getting started 

Rollout pace 

Availability 
  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits customers. 

Resources 

Quick launch summary 
You can now use Secure LDAP on macOS devices. Once enabled, users can log in to macOS devices with their Google Workspace or Cloud Identity login credentials. 

This can help simplify access management by using a single directory—the Workspace identity and access management (IAM) platform—to manage access to macOS devices. In turn, this can help improve security by providing a single place to set up identity and access policies, and reduce your dependency on legacy identity infrastructure. 


Getting started 
Rollout pace 
Availability 
  • Available to Google Workspace Business Plus, Enterprise Standard, and Enterprise Plus, G Suite Education and Enterprise for Education, and Cloud Identity premium customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Enterprise Essentials, as well as G Suite Basic, Business, and Nonprofits customers 
Resources 

What’s changing 
Last year, we launched an open beta that enabled Cloud Identity admins to configure a session length (a.k.a. “reauth”) for Google Console and Cloud SDK. Now, we’re enhancing session length controls by allowing you to exempt specific applications from the reauth policy. We hope this will make it easier to roll out this feature in your domain. 


Who’s impacted 
Admins 


Why you’d use it 
The Google Cloud session control feature applies a session length to Google’s own GCP admin tools, as well as customer-owned and third-party applications that use the cloud-platform scope. When the configured session length expires, the application will require the user to reauthenticate to continue operating, analogous to what would happen if an admin revoked the refresh tokens for that application. The reauthentication requirement can help reduce unauthorized access to sensitive data. 

We heard your feedback that there are some scenarios that make it difficult to roll this out. For example, some applications do not gracefully handle the reauth scenario, causing confusing application crashes or stack traces. Some other applications are deployed for server-to-server use cases with user credentials instead of the recommended service account credential, in which case there is no user to periodically reauthenticate. Customers impacted by these scenarios are unable to roll out session controls to any applications as it will cause these apps to work improperly. 

This update allows you to add these apps to a trusted list, temporarily exempting the apps from session length constraints, while implementing session controls for all other GCP admin surfaces. 
The previous session control settings page in the Admin console 

The new session control settings page in the Admin console. Note the new “Exempt trusted apps” checkbox. 

Getting started 
  • Admins: This feature will be OFF by default and can be enabled manually using the “Exempt Trusted apps” setting. For more information on how to review the apps currently requiring cloud-platform scopes, and how to add those apps to the Trusted list, visit our Help Center.
  • End users: There is no end user setting for this feature. 
Rollout pace 
Availability 
  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits, and Cloud Identity customers.
Resources 

What’s changing 
We’re announcing new integrations with our BeyondCorp Alliance partners Check Point and Lookout. The integrations, initially available in beta, are built using the Devices API and enable customers to use third party signals in context-aware access decisions. 


Who’s impacted
Admins 


Why it’s important 
In the BeyondCorp security model, device inventory, state, and security posture are central to making context-aware access decisions. So far our context-aware access solution obtained these signals from first party (i.e. Google) sources, such as Endpoint Verification. However, our vision has always been to help customers fully leverage their existing investments in security tools and controls, adding key functionality and signals to Google’s context-aware access so that customers achieve a stronger access control security posture. The BeyondCorp Alliance is a group of partners that share our Zero Trust vision and who are committed to working with us to help our joint customers make it a reality. 


Today, we are excited to announce the first integrations (in beta) with our BeyondCorp Alliance partners Check Point and Lookout, to use third party signals in our context-aware access decisions. For example, the mobile threat defence system might detect malware on the device and notify Google about a reduced security assurance, and customer-defined access rules can reduce the level of access allowed from such devices, without impacting access for that user from other devices or for other users. The integrations are built using the new Devices API we announced earlier this year. The API was designed to be used by partners in the BeyondCorp Alliance to add device security metadata, and also by customers to manage their device fleet. 


Getting started 
  • Admins: Google customers who use Check Point or Lookout as their mobile threat defense solutions can benefit from the integration. Visit our Help Center for more information and to learn more about how to set up third-party partner integrations. You can also see blog posts by our partners to see more about how you can use Check Point or Lookout solutions as part of this integration. 
  • End users: No impact for end users. 
Rollout pace 
Availability 
  • Available to Enterprise Plus, Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, and Enterprise Standard, as well as G Suite Basic, Business, Education, and Nonprofits customers.
Resources 

[Updates] 
March 7, 2023: All devices with the Google Apps Device Policy will lose access during March 2023. Existing Google Apps Device Policy app users must switch to Android Device Policy before then to continue syncing work data. Note that, per our last update, the new user registration flow on Google Apps Device Policy will be blocked and users may see errors during the registration process as of January 2022. See below for more information and instructions.

January 26, 2022: The new user registration flow on Google Apps Device Policy will be blocked and users may see errors during the registration process.


October 21, 2021: We have adjusted the timing for this change. Now, Google Apps Device Policy app won't be available for new enrollments beginning January 19, 2022. Existing Google Apps Device Policy app users must switch to Android Device Policy before March 19, 2022 to continue syncing work data. Previously, we stated that users must switch before October 26, 2021. 


What’s changing 
Last year, we announced that a new Android management client, Android Device Policy, would replace the legacy Google Apps Device Policy client. We’re now discontinuing the legacy client. 


To ensure that devices enrolled by users with advanced management will continue to sync and have access to data, users in your organization must switch to Android Device Policy before March 19, 2022. Google Apps Device Policy app won't be available for new enrollments beginning January 19, 2022. If users still have Google Apps Device Policy on this date, they won't be able to sync their devices or access data.
 

To switch to Android Device Policy, users must have an Android 6.0 Marshmallow or later device that supports a work profile. For users with devices that don’t meet these requirements, consider switching to basic mobile device management.


Devices enrolled by users with basic management must move to Android 6.0 Marshmallow or later before March 19, 2022 to continue enforcing a screen lock. If a user's device can't be upgraded to Android 6.0 or later, their device will continue to sync and retain access to data; however, it will not be able to enforce a screen lock. 


Who’s impacted 
Admins and end users 


Why it’s important 
The latest Android devices and operating system (OS) versions provide improved security features. Moving to Android 6.0 (Marshmallow) or newer can help ensure all devices are protected by the latest security features, and can take advantage of improvements in the Android enterprise experience.


Getting started 

Rollout pace 
  • Rapid and Scheduled Release domains: All devices must complete the upgrade by March 19, 2022. Google Apps Device Policy app won't be available for new enrollments beginning January 19, 2022. Android Device Policy is available now for all users. 

Availability 
  • Available to Workspace Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits customers
  • Not available to Workspace Essentials 

Resources 

What’s changing 
Dynamic groups let you create a group with membership that is automatically kept up to date with a membership query. Dynamic groups can be based on one or many user attributes, including addresses, locations, organizations, and relations. You can manage dynamic groups in the Cloud Identity Groups API and the Admin console. 

Dynamic groups is currently available as an open beta, which means you can use it without enrolling in a specific beta program. 


Who’s impacted 
Admins and developers with group create and user read privileges


Why you’d use it 
Dynamic groups work the same as other Google Groups with the added benefit that their memberships are automatically kept up-to-date. This means you can use them for the same functions, including for distribution lists, access-control list (ACL) management, and more. By automating membership management you can increase security, reduce errors, and alleviate user frustration while minimizing the burden on admins. 

Here are some examples of how you can use dynamic groups. You can create groups of: 
  • All users based in your New York office, which you can then use for email communications related to that office location. 
  • All engineers, which you can then use to provide access to specific tools. 


Additional details 
At launch, you won’t be able to manage policies such as context-aware access policies using dynamic groups. Once available, you will be able to create a dynamic group which you could then use to manage specific context-aware access policies. We are working on adding this functionality in the future, and will announce it on the G Suite Updates blog when it’s available. 


Getting started 


Rollout pace 
  • This feature is available now for all eligible users. 
Availability 
  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Essentials, G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, and Cloud Identity Free customers 
Resources 

What’s changing 
We’re adding the ability to set expirations for group memberships using the Cloud Identity Groups API. This enables admins to set an amount of time that users are members of a group. Once the specified time has passed, users will be removed from the group automatically. 

Membership expiry is currently available as an open beta, which means you can use it without enrolling in a specific beta program. 


Who’s impacted 
Admins and developers 


Why it’s important 
Groups are a powerful way to manage permissions and access control in your organization. In many cases, there’s a known amount of time that a user should be a member of a group. This can make managing membership time consuming, and increases the possibility that a user has overly-broad access. 

Automatic membership expiration can help reduce the administrative overhead for managing groups, and can help ensure group membership is limited to the members that need access. This can help: 
  • Increase security by ensuring users do not have long-lived membership in groups, and that your group memberships don’t become too expansive. 
  • Manage security groups by using group membership expiration together with our recent launch of security groups.
  • Reduce admin time and administration costs by automating some group management tasks.
Getting started 
Rollout pace 
  • This feature is available now for all users. 
Availability 
  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, G Suite Essentials, and Cloud Identity Free customers 
Resources 

Quick launch summary 
We recently announced betas for two new features related to service accounts. Now, these features are generally available: 
  • Support for service accounts in Google Groups, which makes it easier to use service accounts with groups while increasing security and transparency. Learn more.
  • Use service accounts with Google Groups APIs without domain-wide delegation, which enables service accounts to perform critical business processes without compromising your strong security and compliance posture. Learn more.

Groups are a critical tool for customers to manage their G Suite deployment. Many customers use service accounts with Groups to automate user management, manage migrations, and integrate G Suite with other apps, tools, and services. Use the announcements linked above to learn more about the features and how you can use them. 

Learn more about these and other launches in our Security Blog post highlighting 10 new security and management controls for security at scale.

Service accounts in Google Groups 

Getting started 
Rollout pace 
Availability 
  • Available to all G Suite customers 
Resources 

Quick launch summary 
With this launch, we’ll show whether apps are Google verified in the Admin console on the app details page and the App Access Control summary page. We hope this visibility will make it easier to make informed decisions about access to G Suite data within your organization. 

Apps often require access to G Suite data to help your users get work done. Google works with app developers to make sure that third-party apps comply with Google privacy and security requirements. 

If apps meet certain verification requirements, they are considered “Google verified”. If they don’t complete the verification process, they are considered “unverified” and might be subject to restrictions. You can control which apps can access sensitive G Suite data via App access control, and choose to authorize unverified apps if you want. 


Getting started 

Rollout pace 
Availability 
  • Available to all G Suite and Cloud Identity customers 
Resources 

Quick launch summary 
You can now view a list of all apps installed on Windows 10 devices that you manage with Windows device management. The list includes when the app was first installed, the current version, and the publisher. You can use this information to identify devices that have malicious or untrusted apps on them. 

Note that this feature requires the device to be enrolled in Windows device management. Learn more about our enhanced security for Windows or how to view Windows device details in the Admin console.

See apps installed on managed Windows 10 devices 


Getting started 
Rollout pace 
Availability 
  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, G Suite Essentials, and Cloud Identity Free customers 
Resources 

Quick launch summary 
We’re adding two new APIs to the Admin SDK Directory API.


Sign user out of all sessions 
This new endpoint allows an admin to programmatically sign a user out of all web and device sessions. This can help manage account access when users leave an organization, if a device is lost or misplaced, or if a user forgot to sign out of a shared device. We do not recommend using this to sign users out and force a sign-in periodically; you can explore the Google web session control feature for that use case. 


Turn off 2-Step Verification 
This new endpoint allows an admin to turn 2-Step Verification (2SV) off programmatically. This action also removes all 2SV methods on the account. Note that in some cases, 2SV cannot be turned off for a user due to other policies that may be in effect. For example, a user may be enrolled in the Advanced Protection Program, or “2SV enforced” is turned on; in such cases the API will fail with an appropriate error code and message. 

Note that both of these actions can already be performed via the Admin console. The current launch makes them accessible via API as well so they can be integrated into automated offboarding workflows. 


Getting started 
  • Admins and developers: This feature will be available via the Admin SDK Directory API. Use the API documentation to learn more about the new endpoints to sign users out or turn off 2-Step Verification.
  • End users: There is no end user setting for this feature. 
Rollout pace  
Availability 
  • Available to all G Suite customers 
Resources 

What’s changing 
We’re making security groups available in beta. Security groups help you easily regulate, audit, and monitor groups used for permission and access control purposes. They enable admins to: 
  • Apply a label to any existing Google Group to distinguish it from email-list groups. 
  • Provide strong guarantees that: 
    • External groups (owned outside your organization) and non-security groups cannot be added as a member of a security group. 
    • Security labels, once assigned to a group, cannot be removed. 
Soon, you’ll be able to use more granular admin roles to separate administration of security and non-security groups. Keep an eye on the G Suite Updates blog for an announcement when that rolls out. 


Who’s impacted 
Admins and developers 


Why you’d use it 
Groups are used in a variety of ways. This can include groups that help teams communicate and collaborate, as well as groups that control access to important apps and resources. Security groups can help customers manage these categories of groups differently to increase their overall security posture. 

For example, if you have compliance or regulatory requirements for managing access control, you may have set up naming conventions to keep track of which groups were used for this purpose. With security groups, you can now assign a security label to these groups and more easily manage them without having to use workarounds like naming conventions. 
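The posts above describe three related ideas: resolving indirect membership through nested groups and explaining the path that grants it (membership hierarchy), dropping memberships once their expiry time has passed, and the guarantee that a security-labelled group never directly contains an external or non-security group. The following model is an added illustration written for this page; it is not Google's code and does not call the Cloud Identity Groups API. The sample organisation `example.com`, the sample groups and users, and the rule that "external" means "not in the organisation's domain" are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

ORG_DOMAIN = "example.com"   # constructed sample organisation


@dataclass
class Membership:
    member: str                              # user or group email
    expire_time: Optional[datetime] = None   # None: the membership never expires


@dataclass
class Group:
    email: str
    security: bool = False                   # whether the security label is set
    members: List[Membership] = field(default_factory=list)


def is_external(email: str) -> bool:
    """Assumption: anything outside the organisation's domain is external."""
    return not email.endswith("@" + ORG_DOMAIN)


def effective_members(groups: Dict[str, Group], root: str,
                      now: datetime) -> Dict[str, List[str]]:
    """Resolve direct and indirect user membership of `root`.

    Returns {user_email: [root, nested_group, ..., group holding the user]},
    i.e. the hierarchy path that explains why the user has access. Expired
    memberships grant nothing, and a breadth-first walk with a visited set
    reports the shortest path and survives cycles between nested groups.
    """
    result: Dict[str, List[str]] = {}
    queue = deque([(root, [root])])
    visited = {root}
    while queue:
        group_email, path = queue.popleft()
        for m in groups[group_email].members:
            if m.expire_time is not None and m.expire_time <= now:
                continue                              # expired: skip
            if m.member in groups:                    # nested group
                if m.member not in visited:
                    visited.add(m.member)
                    queue.append((m.member, path + [m.member]))
            elif m.member not in result:              # user, first path wins
                result[m.member] = path
    return result


def security_violations(groups: Dict[str, Group]) -> List[Tuple[str, str, str]]:
    """Check the guarantee a security label is meant to give.

    A security group must not directly contain an external group or a group
    without the security label. Returns (security_group, member, reason).
    """
    problems = []
    for g in groups.values():
        if not g.security:
            continue
        for m in g.members:
            nested = groups.get(m.member)
            if nested is None:
                continue                              # a user, not a group
            if is_external(nested.email):
                problems.append((g.email, nested.email, "external group"))
            elif not nested.security:
                problems.append((g.email, nested.email, "non-security group"))
    return problems


NOW = datetime(2020, 10, 1, tzinfo=timezone.utc)   # constructed "current" time


def build_sample() -> Dict[str, Group]:
    """Constructed sample: a cycle, an expired member, and two label violations."""
    groups = [
        Group("all-engineers@example.com", security=True, members=[
            Membership("platform-team@example.com"),
            Membership("alice@example.com", NOW + timedelta(days=30)),
            Membership("bob@example.com", NOW - timedelta(days=1)),   # expired
        ]),
        Group("platform-team@example.com", security=True, members=[
            Membership("carol@example.com"),
            Membership("all-engineers@example.com"),                  # cycle
            Membership("vendor-team@partner.example"),                # external
        ]),
        Group("vendor-team@partner.example", members=[
            Membership("dave@partner.example"),
        ]),
        Group("social-club@example.com", members=[
            Membership("erin@example.com"),
        ]),
        Group("prod-access@example.com", security=True, members=[
            Membership("all-engineers@example.com"),
            Membership("social-club@example.com"),                    # non-security
        ]),
    ]
    return {g.email: g for g in groups}


if __name__ == "__main__":
    sample = build_sample()
    for user, path in effective_members(sample, "prod-access@example.com", NOW).items():
        print(user, "via", " -> ".join(path))
    for violation in security_violations(sample):
        print("VIOLATION", violation)
```

Running it shows that bob (expired) no longer has prod access, that dave reaches it through three nested groups including an external one, and that two groups would fail the security-label guarantee.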


Getting started 
Rollout pace 
  • This feature is available now for all users in beta. 
Availability 
  • Available to all G Suite customers 
Resources 

Quick launch summary 
In April, we announced a beta which enabled admins to control access to SAML apps based on context. Now, we’re making this feature generally available. 

You can use Context-Aware Access (CAA) to create granular access control policies for pre-integrated SAML apps or custom SAML apps based on attributes including the user, location, device security status, and IP address. This can improve your security posture by reducing the chances that there’s unintended access to specific apps and the data in them. 

See our beta announcement for more details on how the feature works and how you can use it. CAA can be used for SAML apps (policy evaluation on sign-in) that use Google as the identity provider. A third-party identity provider (IdP) can also be used (third-party IdP federates to Google Cloud Identity and Google Cloud Identity federates to SAML apps). Visit our Help Center to see how to set up single sign-on for managed Google Accounts using third-party Identity providers.


Getting started 
  • Admins: This feature will be available by default. Any policies created during the beta will persist when the feature becomes generally available. 
  • End users: No end-user impact until turned on by the admin. 
Rollout pace 
Availability 
  • Available to G Suite Enterprise, G Suite Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, G Suite for Nonprofits, G Suite Essentials, and Cloud Identity Free customers 
Resources 

What’s changing 
We’re adding full support for service accounts in Groups in beta. This builds on our recent announcements of a new Cloud Identity Groups API beta and the ability to use service accounts with Groups APIs without domain-wide delegation. With this launch, you can now: 
  • Add service accounts from primary and secondary domains without turning the “Allow external members in the group” setting on. 
  • See the service account member type on the Groups page and audit logs in the Admin console. 
  • Add, remove, and manage service account membership via the Admin console and Cloud Identity Groups API. 


Who’s impacted 
Admins and developers 


Why it’s important 
Groups are a critical tool for customers to manage their G Suite deployment. Many customers use service accounts with Groups to automate user management, manage migrations, and integrate G Suite with other apps, tools, and services. 

Until now, it was difficult to use service accounts in groups due to limitations in the functionality. This launch fixes many challenges and makes it easier to use service accounts with groups while increasing security and transparency. 



Additional details 
The feature does not affect Admin SDK Group APIs. 



Getting started 


Rollout pace 
  • This feature is available now for all users. 
Availability 
  • Available to all G Suite customers 
Resources 

What’s changing 
Service accounts can now have direct access to Groups APIs without needing domain-wide delegation and admin impersonation. This means you can: 

Who’s impacted 
Admins and developers 


Why it’s important 
Using service accounts with Groups can help provide sufficient data access for business apps and enable the automation of various admin tasks. 

Previously, you had to use domain-wide delegation and admin impersonation to provide service accounts with sufficient data access. This was a cumbersome process, which could result in overly broad privileges for the service account and audit logs that were hard to interpret. 

By enabling direct API access, we’re making it easier to use service accounts to enable critical business apps and processes while making it easier to maintain a strong security and compliance posture. 


Getting started 
Rollout pace 
  • API role assignments: This feature is available now for all users 
  • Admin console roles page updates: Rapid and Scheduled release domains: Gradual rollout (up to 15 days for feature visibility) starting on August 26, 2020 
  • Service account API access: This feature is available now for all users 
Availability 
  • Available to all G Suite customers 
Resources 

Quick launch summary 
We’re changing the manner in which user profile photos are displayed across Google products and services, and updating how admins can manage those photos. 

Last year, we removed a photo setting in Gmail that allowed users to set a different profile photo in Gmail than their Google Account. Starting today, users who still have two different profile photos will be migrated to a single profile photo. No action is needed by users; the current Google Account photo will become their only profile photo. This will ensure users are seen and recognized consistently across different products and interfaces. 

We’re also giving admins the ability to set the single Google Account profile photo for users. You can add, replace, or delete an existing profile photo for users through the Admin console or through the Admin SDK Directory API.

Previously set Google Account profile photos are kept in a user’s Album Archive, available at get.google.com/albumarchive. New profile photos set by users or admins will also be stored here. 

Note that if a user updates their photo, the photo will be visible to everyone, across Google products. If an admin adds a photo to a user’s account, it will only be visible to users within their organization and external users they interact with. Learn more about what information others can see across Google services.


Getting started 
A user’s Google Account photo will be used for their profile photo 


Rollout pace 
Availability 
  • Available to all G Suite customers 
Resources 

What’s changing 
We’re launching a new Cloud Identity Groups API. This will enable you to create and manage Google Groups and their memberships for your domain via API. Previously, API support for group management was available only via the Admin SDK and therefore was accessible only to domain admins. With this launch, the APIs can be accessed by admins as well as non-admins. Once you create groups via the API, you can view and manage them through the Google Groups web UI (groups.google.com), through the Admin console, or via the API. 

Using the new API you can: 
  • Create and delete groups 
  • See and update group metadata 
  • Add members to and remove members from a group 
  • Modify member roles within a group 
See our developer documentation for more details on how to use the Cloud Identity Groups API.


Who’s impacted 
Admins, developers, and end users 


Why you’d use it 
Groups are an important tool to manage communication, access, and security for organizations. Adding the ability to create and manage groups via an API can help make group management more scalable and efficient. 


Additional details 
Available to admins, developers, and end users 
Business teams can create and manage groups they own without being granted admin permissions, preventing them from managing additional, unnecessary groups and saving the admin team time. This allows teams to manage their work more efficiently without creating any security risks from assigning admin permissions when they are only needed for this specific task. 


Getting started 
Rollout pace 
  • This feature is available now for all users in beta. 
Availability 
  • Available to all G Suite customers 
Resources