With multiple security and privacy controls in place, organizations need a centralized location where they can prevent, detect, and remediate threats. The Google Workspace security center provides advanced security information and analytics, and added visibility and control into security issues affecting your domain. It brings together security analytics, actionable insights and best practice recommendations from Google to empower you to protect your organization, data and users.
As an administrator, you can use the security dashboard to see an overview of different security center reports. The security health page provides visibility into your Admin console settings to help you better understand and manage security risks. Furthermore, you can use the security investigation tool to identify, triage, and take action on security and privacy issues in your domain. Administrators can automate actions in the investigation tool by creating activity rules to detect and remediate such issues more quickly and efficiently. For example, you can set up a rule to send email notifications to certain administrators if Drive documents are shared outside the company.
The alert center for Google Workspace provides all Google Workspace customers with alerts and actionable security insights about activity in your domain to help protect your organization from the latest security threats, including phishing, malware, suspicious account, and suspicious device activity. You can also use the alert center API to export alerts into your existing ticketing or SIEM platforms.
The security health page (Security > Security health) allows you to monitor the configuration of your security-related Admin console settings—all from one location in the Google Admin console—and to make changes to those settings.
Get an overview of different security reports in one location with Security dashboard (Security > Dashboard).
Compare current data with historical data for actionable insights
Reorder, remove and add custom charts to stay relevant with your organization’s security needs
As a super administrator, you can use the security investigation tool to identify, triage, and take action on security and privacy issues in your domain.
Head to Investigation tool (Security > Investigation tool)
Select the Data source and customize the search conditions based on your investigation needs
Take the necessary actions in the search results including quarantining a message, changing ownership of a file, and more
Save, share and change ownership with other administrators
Administrators can control how users in their organization share Google Drive files and folders. For example, whether users can share files with people outside of their organization or whether sharing is restricted to only trusted domains. Optional alerts can be established to remind users to check that files aren't confidential before they are shared outside of the organization.
Google Meet takes advantage of the same secure-by-design infrastructure, built-in protection, and global network that Google uses to secure your information and safeguard your privacy. Our array of default-on anti-abuse measures that include anti-hijacking measures for both web meetings and telephony dial-ins, keep your meetings safe.
For users on Chrome, Firefox, Safari and new Edge we don't require or ask for any plugins or software to be installed, Meet works entirely in the browser. This limits the attack surface for Meet and the need to push out frequent security patches on end-user machines. On mobile, we recommend that you install the Google Meet app from Apple App Store or the Google Play Store.
We support multiple 2 Step Verification (2SV) options for Meet that are both secure and convenient - hardware and phone-based security keys, as well as Google prompt. Meet users can enroll their account in Google’s Advanced Protection Program (APP). APP provides our strongest protections available against phishing and account hijacking and is specifically designed for the highest-risk accounts, and we’ve yet to see people successfully phished if they participate in APP, even if they are repeatedly targeted. For more information, check out this page.
The protection of information on mobile and desktop devices can be a key concern for customers. Google Workspace customers can use endpoint management to help protect corporate data on users’ personal devices and on an organization’s company-owned devices. By enrolling the devices for management, users get secure access to Google Workspace services and organizations can set policies to keep devices and data safe through device encryption and screen lock or password enforcement. Furthermore, if a device is lost or stolen, corporate accounts can be remotely wiped from mobile devices and users can be remotely signed out from desktop devices. IT admins can also manage and configure Windows 10 devices through the Admin console, and users can use existing Google Workspace account credentials to login to Windows 10 devices and access apps and services with single sign-on (SSO). Reports enable customers to monitor policy compliance and get information about users and devices. You can obtain further information on endpoint management here.
Keep an inventory of the computers and mobile devices your company owns to track details such as device type and who the device
is assigned to.
From the Admin console home page, go to Devices
Select Company Owned Inventory > Import Company owned devices +
Select the type of device and click Download import template
Update the fields in the template and Upload File.
Protect your organization's data by requiring users to set a screen lock or password on managed mobile devices.
With advanced mobile management, you can set minimum password characteristics and require that users reset their password regularly.
Sign into Admin console
Select Devices > Settings > Universal Settings
Select General and choose Mobile management to enable organizational settings
Select Password requirements to apply Basic or Advanced Password settings
As an administrator, you can individually review user-owned devices that request access to work data.
Click on devices > mobile endpoints> select the device you want to look at
Click on “more” and select “wipe account” to wipe the device
Back in the device selection menu, click on the “block” icon (the stop sign) to block the device
Admins can prevent users from using compromised mobile devices to access their corporate account data.
Blocking compromised devices reduces data leak, harmful software, and malicious insider risks.
Click on Devices > Settings > Universal settings
Click on General > Mobile management to ensure advanced MDM is turned on
In the settings page for universal settings, click on Security
Scroll down to compromised devices and hit the edit button (the pencil icon)
Tick the boxes for “block compromised android devices” and “block jailbroken ios devices”
Save changes
Admins can get a report of activities on computers and mobile devices that are used to access the organization's data.
Click on devices > Mobile devices > “your device name”
Click on more > view audit info
This shows the audit log for device activity
To access the reports on mobile devices, scroll down to User reports > devices > mobile on the left pane
Admins can remotely lock a device to protect its data- when the option is enabled, users have to unlock the device with a passphrase before having access to corporate data
Turn on encryption:
Click on Devices > Settings > Universal settings
Click on security > scroll down to encryption and click the edit button (the pencil icon)
Tick the box for “require device encryption”
Save changes
Admins can configure Wi-Fi, Ethernet, Virtual Private Network (VPN) access, network certificates for managed devices enrolled in the organization.
Click on Devices > networks > create wi-fi network
Choose which platforms should have access to the network
Fill in the details for your network e.g. name, SSID, whether to automatically connect, security type and passphrase
Add in any other configurations you need e.g. proxy servers
Save changes
Used by admins to keep an inventory of the computers and mobile devices the company owns, track details such as device type and who the device is assigned to.
Click on Devices > company-owned inventory > import new devices (plus icon on the top right)
Select device type and download the template and fill it up with the device serial number and asset tag
Uploaded completed CSV file
Use work profiles to separate the organization’s apps from personal apps. Users’ bring your own device (BYOD) personal space remains private and available only to them.
Click on Devices > Settings > android settings
Click on the work profile section
Click edit (the pencil icon) on the work profile setup section
Tick the box for “enable work profile creation”
Choose whether to enforce creation of work profile or make it optional
Click edit on the work profile password section
Choose whether you wish to enforce password requirements only on work profile apps
Save changes
Prevent data from being copied from a managed app to an unmanaged app (Data protection), turn off certain apps, and control what work data syncs to built-in iOS apps.
Sign into the Admin Console as a Super Admin or Delegated Admin
Select Devices > Settings > iOS Settings
Select Data Sharing > Data Protection and un-select Allow users to copy work data to personal apps