Managing Google Workspace Part 3: MDM Basics, Vault, Reporting and Domains

Andrew Despres - Nov 5 - Dev Community

Preamble:
This space will be utilized to synthesize my notes and help improve my learning process while I study for the Google Workspace Professional Administrator certification. I will be doing a similar process for other certifications I work on in the future. Please follow along for Google Workspace notes and feel free to ask any questions or, if I get something wrong, offer suggestions to correct any mistakes.

Part 3
Mobile Devices
Google Workspace offers mobile device management (MDM) for devices that users have signed in to with accounts from your tenant. There are three management levels; which of them you can use depends on your Google Workspace edition:

  1. Basic
  2. Advanced
  3. Unmanaged

You can locate your MDM settings in the Google Admin Panel by going to:

Devices> Mobile and Endpoints> Universal Settings> General

The Basic level is agentless: nothing has to be installed on the device itself. It lets you apply simple password controls, wipe the work account off a device, and more.

Advanced management gives you more robust control over mobile devices connected to your tenant, but it requires a device policy app on the device (Android Device Policy on Android; Google Device Policy on iOS, which additionally needs an Apple push certificate configured in the Admin console). Advanced settings include enforcing password requirements, managing apps, remotely wiping the whole device, and more.

Unmanaged turns MDM off and gives you no control over devices. You can still see, and find audit entries for, the devices that access work data.

You can compare the full feature sets of Basic and Advanced management in the following support article:

Compare mobile management features

How to Handle Lost/Stolen Devices
Dealing with a lost or stolen device can be stressful and frustrating. Google Workspace MDM gives you three main responses to a lost device:

  1. Block device - prevents the device from syncing work data
  2. Wipe account - removes the work account and its data from the device, leaving personal data alone
  3. Delete device - removes the device from the Admin console; the user must sign in to their work account again before the device can access work data

A full remote wipe (factory reset of the whole device) is also available, but only for devices under advanced management. Block or wipe first and delete the record afterwards, so the device is actually cut off before it disappears from your list.

You can find these settings in the Google Admin Panel by going to:

Devices> Mobile and Endpoints> Devices

Another way to cut off access from a user's devices is to reset their sign-in cookies, which signs the user out of their Workspace sessions. Note that this does not revoke OAuth tokens or app passwords; those are revoked separately on the same Security page. In the Admin console go to:

Directory> Users> Select User Account> Security> Sign-in Cookies> Reset

Device Management Rules
You can automate your MDM in Google Workspace with Device Management Rules. For example, you can automatically block a device's access to your corporate data when suspicious activity is detected, which makes day-to-day management of corporate devices a lot easier. You can write your own rules or start from predefined templates. Rules can be assigned across the whole tenant, or narrowed to OUs or groups. To create rules in the Admin console go to:

Rules> Device Management Rules> Add Rule
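
The three lost-device responses above and a simple stale-device rule can be scripted against the Admin SDK Directory API, which is what you end up doing once there are more devices than you want to click through. The following is an added example, not code from the article: the endpoints are the real Directory API v1 mobiledevices.action and mobiledevices.delete calls, while the `execute` callable, the resource IDs and the device list are constructed stand-ins so the script runs offline in dry-run mode.

```python
"""Script the lost-device responses from the article (block, wipe account,
delete device) and a stale-device rule against the Admin SDK Directory API.

Added example, not the article's code. The endpoints are the real Directory
API v1 mobiledevices.action / mobiledevices.delete calls; `execute`, the
resource IDs and the device list are constructed stand-ins so the script runs
offline in dry-run mode.
"""
from datetime import datetime, timedelta

CUSTOMER = "my_customer"  # Directory API alias for the caller's own tenant
BASE = f"/admin/directory/v1/customer/{CUSTOMER}/devices/mobile"

# Console action from the article -> Directory API action value.
ACTIONS = {
    "block": "block",                      # stop the device syncing work data
    "wipe_account": "admin_account_wipe",  # remove the work account and its data
    "wipe_device": "admin_remote_wipe",    # factory reset; advanced management only
}

def parse_ts(s):
    """Parse the RFC 3339 timestamps the API returns (e.g. lastSync)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def triage_request(resource_id, action, *, advanced=False):
    """Return (http_method, path, json_body) for one console action.

    'delete' is its own DELETE endpoint. A full device wipe is refused unless
    the device is under advanced management, mirroring what the console allows.
    """
    if action == "delete":
        return ("DELETE", f"{BASE}/{resource_id}", None)
    if action == "wipe_device" and not advanced:
        raise ValueError("full remote wipe needs advanced mobile management")
    return ("POST", f"{BASE}/{resource_id}/action", {"action": ACTIONS[action]})

def stale_devices(devices, now, max_idle_days=30):
    """Rule-style selection: approved devices that have not synced in max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    return [d["resourceId"] for d in devices
            if d.get("status") == "APPROVED" and parse_ts(d["lastSync"]) < cutoff]

def apply(requests, execute=None):
    """Send each request through execute(method, path, body), or only record it
    when execute is None (dry run). Returns the log lines either way."""
    log = []
    for method, path, body in requests:
        if execute is not None:
            execute(method, path, body)
        log.append(f"{method} {path}" + (f" {body}" if body else ""))
    return log

# Constructed sample in the shape of mobiledevices.list output.
SAMPLE_DEVICES = [
    {"resourceId": "dev-1", "email": ["alice@mycompany.com"], "status": "APPROVED",
     "lastSync": "2024-11-01T08:00:00.000Z", "os": "Android 14"},
    {"resourceId": "dev-2", "email": ["bob@mycompany.com"], "status": "APPROVED",
     "lastSync": "2024-08-15T08:00:00.000Z", "os": "iOS 17"},
    {"resourceId": "dev-3", "email": ["carol@mycompany.com"], "status": "BLOCKED",
     "lastSync": "2024-07-01T08:00:00.000Z", "os": "Android 13"},
]

if __name__ == "__main__":
    now = parse_ts("2024-11-05T00:00:00.000Z")
    todo = [triage_request(r, "block") for r in stale_devices(SAMPLE_DEVICES, now)]
    todo.append(triage_request("dev-1", "wipe_account"))  # e.g. alice reported her phone lost
    for line in apply(todo):                               # dry run: nothing is sent
        print(line)
```

In real use, `execute` wraps an authenticated client (for example the google-api-python-client `service.mobiledevices().action(...).execute()` call with a service account that has device-management privileges); keeping the dry run as the default means a typo in a rule shows up as a log line rather than as a wiped device.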

You can also collect device details from desktop devices running Windows, macOS, Linux and ChromeOS using Endpoint Verification, which reports things like the OS version and whether disk encryption and a screen lock are enabled. You can turn on Endpoint Verification by going to:

Devices> Mobile and Endpoints> Settings> Universal> Data Access> Endpoint Verification

With this enabled, the Endpoint Verification extension must be installed in each user's Chrome browser, either by the users themselves or force-installed by an administrator from the Chrome Management section of the Admin console. To force the install go to:

Devices> Chrome> Apps and Extensions> Users and Browsers

Once there, click the Add + button and choose to add a Chrome app or extension by ID. Enter the Endpoint Verification extension ID and click Save. Deploying it to the top-level OU forces everyone in your tenant to install the extension; use a sub-OU or group to limit who gets it.

This also lays the groundwork for Context-Aware Access (CAA) and Enhanced Desktop Security for Windows. CAA lets you control which apps users can reach based on context: whether the device complies with IT policy, the user's identity, their location and IP address, and so on. You can find the Context-Aware Access settings in the Admin console by going to:

Security> Access and Data Control> Context-Aware Access

Google Vault
Google Vault is the eDiscovery and archiving tool for Google Workspace. It lets you retain, hold, search and export your users' Workspace data. Vault covers the following data types for users in your tenant:

  1. Gmail messages
  2. Drive files
  3. Calendar events
  4. Chat messages (conversation history must be turned on)
  5. Meet recordings
  6. Google Voice for Google Workspace text messages, voicemail transcripts and call logs
  7. Google Sites
  8. Classic Hangouts messages

Google Vault has two kinds of retention rules:

Default: one rule per service that applies to your whole organization. It governs any data that no custom rule or hold covers, and you can change it to match your default retention needs.

Custom: custom rules are more flexible, targeting a single OU, a date range and a specific service. For example, you may want a one-year default rule but need to keep executives' data for five years to meet legal requirements. A custom rule takes precedence over the default rule for the data it covers.

NOTE: Misconfiguring retention rules can cause permanent data loss, because Vault expunges data once its retention period ends. Take caution before changing your retention rules!

To access your retention rules and make changes, go to:

  1. http://vault.google.com and sign in as a super admin (or a user who has been granted the Vault retention privilege)
  2. Click Retention
  3. Click Custom Rules> Create
  4. Select the service the rule should apply to
  5. Select the OU the custom rule should apply to
  6. Select a duration (the default is indefinite) and what happens when it ends: expunge only data users have already deleted, or expunge everything
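
Because a rule change can silently make data expungeable, it is worth simulating the effect before clicking Save. The block below is an added example, not the article's or Google Vault's code. It encodes the precedence Google documents for Vault: data on a hold is kept regardless of rules, a matching custom rule replaces the default rule for that service, and when several custom rules match, the longest period wins. Rules, holds and items are constructed samples; `INDEFINITE` stands for a rule with no duration, and the date-range and "only already deleted" options of real custom rules are not modelled.

```python
"""Simulate Vault retention before changing rules, so a rule change does not
silently make data eligible for expunging.

Added example, not the article's or Google Vault's code. Precedence modelled:
hold > matching custom rule(s) (longest wins) > default rule for the service.
Rules, holds and items are constructed samples.
"""
from datetime import date, timedelta

INDEFINITE = None  # a rule with no duration keeps data forever

def ou_covers(rule_ou, item_ou):
    """A rule on an OU also covers its sub-OUs; "/" is the top-level OU."""
    prefix = rule_ou.rstrip("/") + "/"
    return item_ou == rule_ou or item_ou.startswith(prefix)

def retention_days(item, default_rules, custom_rules):
    """Effective retention for one item in days, or INDEFINITE."""
    matches = [r["days"] for r in custom_rules
               if r["service"] == item["service"] and ou_covers(r["org_unit"], item["org_unit"])]
    if not matches:
        return default_rules.get(item["service"], INDEFINITE)
    return INDEFINITE if INDEFINITE in matches else max(matches)

def purge_candidates(items, default_rules, custom_rules, holds, today):
    """IDs of items that the given rule set would allow Vault to expunge."""
    out = []
    for it in items:
        if it["account"] in holds:
            continue  # a hold overrides every retention rule
        days = retention_days(it, default_rules, custom_rules)
        if days is not INDEFINITE and it["created"] + timedelta(days=days) <= today:
            out.append(it["id"])
    return out

def newly_at_risk(items, old_default, new_default, custom_rules, holds, today):
    """Items that become expungeable only because of the proposed default change."""
    before = set(purge_candidates(items, old_default, custom_rules, holds, today))
    after = set(purge_candidates(items, new_default, custom_rules, holds, today))
    return sorted(after - before)

# Constructed sample: one-year default for Gmail, five years for the Executives OU,
# a hold on carol (e.g. from a matter), and a proposal to cut the default to 90 days.
DEFAULT_RULES = {"MAIL": 365}
PROPOSED_DEFAULT = {"MAIL": 90}
CUSTOM_RULES = [{"service": "MAIL", "org_unit": "/Executives", "days": 5 * 365}]
HOLDS = {"carol@mycompany.com"}
AS_OF = date(2024, 11, 5)
ITEMS = [
    {"id": "m1", "service": "MAIL", "account": "alice@mycompany.com", "org_unit": "/",           "created": date(2023, 1, 1)},
    {"id": "m2", "service": "MAIL", "account": "bob@mycompany.com",   "org_unit": "/Executives", "created": date(2023, 1, 1)},
    {"id": "m3", "service": "MAIL", "account": "carol@mycompany.com", "org_unit": "/",           "created": date(2022, 1, 1)},
    {"id": "m4", "service": "MAIL", "account": "dave@mycompany.com",  "org_unit": "/",           "created": date(2024, 6, 1)},
]

if __name__ == "__main__":
    print("expungeable today:", purge_candidates(ITEMS, DEFAULT_RULES, CUSTOM_RULES, HOLDS, AS_OF))
    print("newly at risk if the default drops to 90 days:",
          newly_at_risk(ITEMS, DEFAULT_RULES, PROPOSED_DEFAULT, CUSTOM_RULES, HOLDS, AS_OF))
```

The point of `newly_at_risk` is the review step that the console does not give you: it lists exactly which data crosses from "retained" to "expungeable" under the proposed rule, so a shortened default can be checked against holds and custom rules before it takes effect.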

Finding data in Google Vault requires creating a Matter. A matter contains:

  1. Saved search queries
  2. The list of accounts whose data is on hold
  3. The list of accounts that can access the matter
  4. The export sets created for the matter
  5. An audit trail of the matter

Once a matter has been created you can refine your search with operators, including Boolean logic such as AND, OR, NOT and AROUND. When you have found the data you need, you can export it. Exports are only available for download for 15 days after creation, so download the contents to your own storage as soon as the export finishes.

[Screenshot: a matter's search view for retained data]

Audit Logs
Audit logs are an important troubleshooting and investigation tool, and Google Workspace offers quite a robust set of them. To access audit logs in the Admin console go to:

Security> Security Center> Investigation Tool

Here you select a data source (for example user log events or device log events) and add conditions to narrow your search, using attributes such as user name, document ID, date or device ID.

You can also have alerts emailed to you automatically when a significant change is made in your Google Workspace tenant, based on system-defined rules. To configure this, go to the Rules section of the Admin console. You can receive up to 25 emails every 2 hours when incidents occur.
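
The same login events the investigation tool searches are available as JSON through the Reports API, which is where you go once the built-in alert rules are not specific enough. The following is an added example, not the article's code: it flags any `suspicious_login` event and any burst of `login_failure` events from one account. The records are constructed samples in the shape the Reports API returns for `activities.list(applicationName="login")`; the threshold and window are illustrative choices.

```python
"""Flag risky sign-in activity in Login audit log records: any suspicious_login
event, and bursts of login_failure events from one account.

Added example, not the article's code. The records are constructed samples in
the shape the Reports API returns for activities.list(applicationName="login");
the threshold and the window are illustrative choices.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 3           # this many failures ...
WINDOW = timedelta(minutes=10)  # ... inside this window is a finding

def parse_ts(s):
    """Parse the RFC 3339 timestamp in id.time."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def flag_login_activity(records, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return (actor_email, reason) findings for the given activity records."""
    findings = []
    failures = defaultdict(list)
    for rec in records:
        actor = rec["actor"]["email"]
        ts = parse_ts(rec["id"]["time"])
        for ev in rec["events"]:
            if ev["name"] == "suspicious_login":
                findings.append((actor, f"suspicious_login from {rec.get('ipAddress', '?')}"))
            elif ev["name"] == "login_failure":
                failures[actor].append(ts)
    for actor, times in failures.items():
        times.sort()  # records are not guaranteed to arrive in time order
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append((actor, f"{threshold} login failures within {window}"))
                break
    return findings

def make_record(time, email, ip, name, **params):
    """Build one activity record in the Reports API shape (for the constructed sample)."""
    return {"kind": "admin#reports#activity",
            "id": {"time": time, "applicationName": "login"},
            "actor": {"email": email}, "ipAddress": ip,
            "events": [{"type": "login", "name": name,
                        "parameters": [{"name": k, "value": v} for k, v in params.items()]}]}

FAIL = dict(login_type="google_password", login_failure_type="login_failure_invalid_password")
# Constructed sample, deliberately out of time order: alice fails three times in
# four minutes then succeeds, bob fails twice six hours apart, carol trips
# Google's own suspicious-login detection.
SAMPLE_LOGIN_EVENTS = [
    make_record("2024-11-05T10:03:00.000Z", "alice@mycompany.com", "198.51.100.7", "login_failure", **FAIL),
    make_record("2024-11-05T09:00:00.000Z", "bob@mycompany.com", "203.0.113.44", "login_failure", **FAIL),
    make_record("2024-11-05T10:00:00.000Z", "alice@mycompany.com", "198.51.100.7", "login_failure", **FAIL),
    make_record("2024-11-05T11:00:00.000Z", "carol@mycompany.com", "198.51.100.23", "suspicious_login",
                login_type="google_password"),
    make_record("2024-11-05T10:02:00.000Z", "alice@mycompany.com", "198.51.100.7", "login_failure", **FAIL),
    make_record("2024-11-05T15:00:00.000Z", "bob@mycompany.com", "203.0.113.44", "login_failure", **FAIL),
    make_record("2024-11-05T10:04:00.000Z", "alice@mycompany.com", "198.51.100.7", "login_success",
                login_type="google_password"),
]

if __name__ == "__main__":
    for actor, reason in flag_login_activity(SAMPLE_LOGIN_EVENTS):
        print(f"{actor}: {reason}")
```

A failure burst followed by a success, as in alice's case, is the pattern worth paging on; the system-defined rules cover the `suspicious_login` case out of the box, the burst logic is what you add yourself.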

Another important tool you need to know is Email Log Search. Incoming and outgoing messages show different delivery status values, which tell you what happened to a message entering or leaving your tenant. To find Email Log Search in the Admin console go to:

Reporting> Email Log Search

Email log data is kept for 30 days. You can search using the following attributes:

  1. Date
  2. Sender or Recipient IP address
  3. Subject or MessageID

To search for messages older than 30 days you must supply the message ID of the message you want to audit; the other criteria alone are not enough.
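
When a user forwards you a suspicious message, the quickest way to get the two identifiers Email Log Search accepts is to pull them out of the raw message ("Show original" in Gmail). The block below is an added example, not the article's code: it extracts the Message-ID, the only key that still works after 30 days, and the IP of the host that handed the message to Google, taken from the `Received` header Google's own MX added. The message is a constructed sample; hosts, addresses and IPs are documentation placeholders.

```python
"""Extract the two identifiers that work in Email Log Search from a raw message
("Show original" in Gmail): the Message-ID and the IP of the host that handed
the message to Google.

Added example, not the article's code. RAW_MESSAGE is a constructed sample;
hosts, addresses and IPs are documentation placeholders.
"""
import email
import re
from email.policy import default

RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net. [203.0.113.10])
        by mx.google.com with ESMTPS id abc123
        for <alice@mycompany.com>; Tue, 5 Nov 2024 09:00:01 -0800 (PST)
Received: from erp.internal.example.net (10.0.0.5)
        by mx.example.net; Tue, 5 Nov 2024 08:59:58 -0800 (PST)
Message-ID: <20241105165958.4471@example.net>
From: Vendor Billing <billing@example.net>
To: alice@mycompany.com
Subject: Invoice 4471
Date: Tue, 5 Nov 2024 08:59:58 -0800

Please find the invoice attached.
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def message_id(raw):
    """Message-ID without the surrounding angle brackets, as Email Log Search expects."""
    msg = email.message_from_string(raw, policy=default)
    return str(msg.get("Message-ID", "")).strip().strip("<>")

def handoff_ip(raw):
    """IP of the host that delivered to Google, read from the Received hop
    Google added. Each hop prepends its own Received header, so Google's is
    the first one that says 'by mx.google.com'."""
    msg = email.message_from_string(raw, policy=default)
    for hop in msg.get_all("Received") or []:
        hop = " ".join(str(hop).split())  # unfold the header
        if "by mx.google.com" in hop:
            m = IPV4_IN_BRACKETS.search(hop)
            return m.group(1) if m else None
    return None

def log_search_keys(raw):
    """Both search keys in one dict, ready to paste into Email Log Search."""
    return {"message_id": message_id(raw), "sender_ip": handoff_ip(raw)}

if __name__ == "__main__":
    print(log_search_keys(RAW_MESSAGE))
```

Note that the IP you get is the last hop before Google, so when mail passes through a third-party gateway in front of Gmail it is the gateway's address, not the original sender's; the Message-ID is the more reliable key for correlating the message across systems.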

Domains
When you sign up for Google Workspace you must prove ownership of your domain. This is done by adding a TXT, MX or CNAME record at your DNS provider. Once verified, the domain you chose becomes your primary domain for Google Workspace. It will look something like mycompany.com and lets you send email from your own domain instead of a generic Gmail, Outlook or Yahoo address.

There are also secondary and alias domains. They behave differently for your users, and which one you should add depends on your use case.

Alias Domain: gives every user in your primary domain an email alias at the added domain. If your primary domain is mycompany.com and you also want your users reachable at mycompany.ca, set up mycompany.ca as an alias domain; people outside your tenant can then email your users at either domain. No additional licenses are needed, since no new user accounts are created. Remember to add MX records for the alias domain so it can receive mail, and to set up SPF, DKIM and DMARC for it as well: each domain you send from needs its own email authentication, or mail claiming to be from the alias is easy to spoof.

Secondary Domain: a domain you own under which you create separate user accounts. This is useful for managing different teams or separate businesses while keeping all users in the same Admin console. You cannot apply different settings to the users of each domain unless you put each domain's users in their own OUs. Note that additional licenses are needed, since each account you create in the secondary domain is a new user.

NOTE
Domain verification will be required for setting up both Alias and Secondary domains.

You can add an Alias or Secondary domain in the Admin Panel by going to:

Account> Domains> Manage Domains
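
Before (and after) adding an alias or secondary domain, it pays to check that its DNS is complete: the verification record, MX pointing at Google so mail arrives, and SPF, DKIM and DMARC so mail sent as that domain is not trivially spoofable. The block below is an added example, not the article's code. `lookup` reads a constructed record set so the check runs offline; in practice replace it with a real resolver. The verification tokens and DKIM key are placeholders, and the DKIM check assumes Google's default selector `google`; if you picked another selector when generating the key, adjust the name.

```python
"""Check the DNS an alias or secondary domain needs in Workspace: verification
TXT, MX pointing at Google, and SPF/DKIM/DMARC for outbound authentication.

Added example, not the article's code. RECORDS is a constructed record set and
lookup() a stand-in resolver, so the check runs offline. Tokens and the DKIM
key are placeholders; the DKIM check assumes the default selector "google".
"""
import re

GOOGLE_MX_CURRENT = "smtp.google.com."       # current recommended MX host
GOOGLE_MX_LEGACY_SUFFIX = "aspmx.l.google.com."  # aspmx / alt1..alt4.aspmx hosts
DMARC_ENFORCING = re.compile(r"\bp=(quarantine|reject)\b", re.I)

def lookup(name, rtype, records):
    """Stand-in resolver: records of type rtype at name (case-insensitive)."""
    return records.get((name.lower(), rtype), [])

def txt_starting_with(name, prefix, records):
    return [t for t in lookup(name, "TXT", records) if t.lower().startswith(prefix)]

def check_domain(domain, records):
    """Return a dict of check name -> pass/fail for one domain."""
    mx_hosts = [host.lower() for _prio, host in lookup(domain, "MX", records)]
    spf = txt_starting_with(domain, "v=spf1", records)
    dkim = txt_starting_with(f"google._domainkey.{domain}", "v=dkim1", records)
    dmarc = txt_starting_with(f"_dmarc.{domain}", "v=dmarc1", records)
    return {
        "verification": bool(txt_starting_with(domain, "google-site-verification=", records)),
        "mx": any(h == GOOGLE_MX_CURRENT or h.endswith(GOOGLE_MX_LEGACY_SUFFIX) for h in mx_hosts),
        "spf": any("include:_spf.google.com" in s for s in spf),
        "dkim": bool(dkim),
        # p=none only monitors; require quarantine or reject for real protection
        "dmarc": any(DMARC_ENFORCING.search(d) for d in dmarc),
    }

def missing(domain, records):
    """Names of the checks that fail for the domain."""
    return [name for name, ok in check_domain(domain, records).items() if not ok]

# Constructed record set: mycompany.ca (the alias domain from the article) is
# complete; oldbrand.example has MX and SPF but no DKIM and a monitor-only DMARC.
RECORDS = {
    ("mycompany.ca", "TXT"): ["google-site-verification=PLACEHOLDER_TOKEN",
                              "v=spf1 include:_spf.google.com ~all"],
    ("mycompany.ca", "MX"): [(1, "smtp.google.com.")],
    ("google._domainkey.mycompany.ca", "TXT"): ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    ("_dmarc.mycompany.ca", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@mycompany.com"],
    ("oldbrand.example", "TXT"): ["google-site-verification=PLACEHOLDER_TOKEN_2",
                                  "v=spf1 include:_spf.google.com ~all"],
    ("oldbrand.example", "MX"): [(10, "aspmx.l.google.com."), (20, "alt1.aspmx.l.google.com.")],
    ("_dmarc.oldbrand.example", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@mycompany.com"],
}

if __name__ == "__main__":
    for domain in ("mycompany.ca", "oldbrand.example"):
        print(domain, "missing:", missing(domain, RECORDS) or "nothing")
```

The `dmarc` check treats `p=none` as a failure on purpose: a monitoring-only policy is the right first step while you review reports, but an alias domain left at `p=none` indefinitely is exactly the domain an attacker picks for spoofing your brand.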

This concludes part 3 of Managing Google Workspace. I hope these notes have helped you understand how and why it may be important to configure these features of the core Google Workspace applications. If you have any questions or notice an error, please leave me a comment.
