Configuring Google Workspace security settings

Security Health

The security health page (Security > Security health) allows you to monitor the configuration of your security-related Admin console settings—all from one location in the Google Admin console—and to make changes to those settings.

Security Dashboard

Get an overview of different security reports in one location with Security dashboard (Security > Dashboard).

Compare current data with historical data for actionable insights

Reorder, remove and add custom charts to stay relevant with your organization’s security needs

Investigation Tool

As a super administrator, you can use the security investigation tool to identify, triage, and take action on security and privacy issues in your domain.

1. Head to Investigation tool (Security > Investigation tool)

2. Select the Data source and customize the search conditions based on your investigation needs

3. Take the necessary actions in the search results including quarantining a message, changing ownership of a file, and more

4. Save, share and change ownership with other administrators

Device Inventory

Keep an inventory of the computers and mobile devices your company owns to track details such as device type and who the device

is assigned to.

1. From the Admin console home page, go to Devices

2. Select Company Owned Inventory > Import Company owned devices +

3. Select the type of device and click Download import template

4. Update the fields in the template and Upload File.

Passcode Enforcement

Protect your organization's data by requiring users to set a screen lock or password on managed mobile devices.

With advanced mobile management, you can set minimum password characteristics and require that users reset their password regularly.

1. Sign into Admin console

2. Select Devices > Settings > Universal Settings

3. Select General and choose Mobile management to enable organizational settings

4. Select Password requirements to apply Basic or Advanced Password settings

Device Approval, Block & Wipe

As an administrator, you can individually review user-owned devices that request access to work data.

1. Click on devices > mobile endpoints> select the device you want to look at

2. Click on “more” and select “wipe account” to wipe the device

3. Back in the device selection menu, click on the “block” icon (the stop sign) to block the device

Advanced Endpoint Management: Block Compromised Device

Admins can prevent users from using compromised mobile devices to access their corporate account data.

Blocking compromised devices reduces data leak, harmful software, and malicious insider risks.

1. Click on Devices > Settings > Universal settings

2. Click on General > Mobile management to ensure advanced MDM is turned on

3. In the settings page for universal settings, click on Security

4. Scroll down to compromised devices and hit the edit button (the pencil icon)

5. Tick the boxes for “block compromised android devices” and “block jailbroken ios devices”

6. Save changes

Advanced Endpoint Management: Device analytics, reporting, device audits

Admins can get a report of activities on computers and mobile devices that are used to access the organization's data.

1. Click on devices > Mobile devices > “your device name”

2. Click on more > view audit info

This shows the audit log for device activity

To access the reports on mobile devices, scroll down to User reports > devices > mobile on the left pane

Advanced Endpoint Management: Encryption and device lockdowns

Admins can remotely lock a device to protect its data- when the option is enabled, users have to unlock the device with a passphrase before having access to corporate data

Turn on encryption:

1. Click on Devices > Settings > Universal settings

2. Click on security > scroll down to encryption and click the edit button (the pencil icon)

3. Tick the box for “require device encryption”

4. Save changes

Advanced Endpoint Management: Wi-Fi provisioning

Admins can configure Wi-Fi, Ethernet, Virtual Private Network (VPN) access, network certificates for managed devices enrolled in the organization.

1. Click on Devices > networks > create wi-fi network

2. Choose which platforms should have access to the network

3. Fill in the details for your network e.g. name, SSID, whether to automatically connect, security type and passphrase

4. Add in any other configurations you need e.g. proxy servers

5. Save changes

Advanced Endpoint Management: Company-owned device

Used by admins to keep an inventory of the computers and mobile devices the company owns, track details such as device type and who the device is assigned to.

1. Click on Devices > company-owned inventory > import new devices (plus icon on the top right)

2. Select device type and download the template and fill it up with the device serial number and asset tag

3. Uploaded completed CSV file

Advanced Endpoint Management: Android Enterprise (Work profile)

Use work profiles to separate the organization’s apps from personal apps. Users’ bring your own device (BYOD) personal space remains private and available only to them.

1. Click on Devices > Settings > android settings

2. Click on the work profile section

3. Click edit (the pencil icon) on the work profile setup section

4. Tick the box for “enable work profile creation”

5. Choose whether to enforce creation of work profile or make it optional

6. Click edit on the work profile password section

7. Choose whether you wish to enforce password requirements only on work profile apps

8. Save changes

Advanced Endpoint Management: iOS Data Exfiltration Prevention

Prevent data from being copied from a managed app to an unmanaged app (Data protection), turn off certain apps, and control what work data syncs to built-in iOS apps.

1. Sign into the Admin Console as a Super Admin or Delegated Admin

2. Select Devices > Settings > iOS Settings

3. Select Data Sharing > Data Protection and un-select Allow users to copy work data to personal apps