10 Things Google Admins Should Be Able to Do With Workspace for Education Plus
Google Workspace for Education provides academic institutions with a suite of productivity, communication, and collaboration tools that are intuitive, reliable, and secure. As one of the four (4) editions, Google Workspace for Education Plus is the ultimate all-in-one solution that transforms instruction and learning.
Equipped with the features included with the other editions, administrators, teachers, and students will also benefit from Education Plus-specific ones like live streaming for up to 100,000 domain viewers in Google Meet, automated sync of rosters from any Student Information System to Google Classroom, and ease of access to information with Cloud Search. Also, IT staff with Google Admin responsibilities will find value in the enhanced controls and advanced security settings and analytics like the following:
After purchasing Education Plus licenses, you will need to decide how to license users since it is not a site license. Google Admins do not have to manually assign them to domain users, but can automate license delegation by turning on the setting in the Google Admin console.
Once enabled, Google Admins can bulk assign licenses to every user in their Google Workspace domain. This is only effective if you have an OU structure that has suspended and active users separated. Otherwise, the licenses will also be applied to suspended users in the OU. Additionally, when you suspend users, without an automated process you will have to move the suspended user to a suspended OU and also remove the license.
CDW Amplified for Education recommends not using Google’s auto-assign feature but using GCDS (if you are already using it for user provisioning), GAM, or if you purchased through CDW Amplified for Education – our free licensing tool. More on the options can be found in this post.
With Education Plus, the Alert Center becomes more actionable because of the ability to pivot to the Investigation Tool. Prior to assigning Education Plus licenses, there was not an easy way to review logs beyond the Admin logs, reviewing Vault, or asking an end-user. With the Investigation Tool, Google Admins can not only view the potential threat but mitigate it as well.
Google Admins work to prevent security attacks and to mitigate breaches if hackers or viruses find their way around the firewall. Education Plus allows for investigating a user’s actions across data sources. If, for example, a user’s account is compromised, Google Admins can search one data source, like Gmail log events, and then pivot to search another, like Drive log events, from that user’s account.
To investigate a user across data sources after completing the first search:
Education Plus allows Google Admins to share their Investigation Tool findings with another Super Admin. This saves time and resources because teams can access and view the same query without having to recreate it.
An effective way for Google Admins to monitor their institution’s domain security is to monitor the security dashboard. The security report panel displays data that can be used to keep track of domain trends.
To view the dashboard:
For Google Admins who want to focus on the most important panels, Education Plus allows them to customize their dashboard experience. By clicking Customize dashboard, located in the upper-right corner, they can Add widgets to add charts by clicking+ or hide charts by clicking–. While in edit mode, Google Admins can also reorder charts by moving them up or down, or shifting them to another column.
No effective security system is complete without an alert for transpiring attacks or automated remediations. With Google Workspace for Education Plus, Google Admins can create activity rules that help detect, prevent, and mitigate security issues. These rules can be configured to send an alert or to take action based on searches in the Investigation tool.
To create a rule from an Investigation tool search:
One way Google Admins keep institutional data and information safe is by monitoring internal and external file sharing. On the security dashboard, there is a File Exposure report that examines:
The different types of file sharing methods and which shared files have been viewed frequently: At the bottom half of the File Exposure report page, view a table that lists the top viewed files that were shared from your domain (this table is displayed by default when the File Exposure report is open). The table lists the file names, the top viewed files, the sharing method, and the owners of the files. Click EXPORT to export all information in the table. By default, the table displays data for the time range specified at the top of the page but the top viewed files can be displayed for just one date by clicking that date in the line graph.
Which outside domains the files have been shared to: Navigate to Security>Dashboard>File exposure and select DOMAINS. From there, Google Admins can see a list of domain names, a list of the number of files that were shared to that domain, and they can export a spreadsheet of files that were shared.
Which DLP rules have been triggered: DLP prevents users from sharing sensitive content within Google Drive files outside the company domain by scanning Drive files and creating policy-based actions that can be triggered when any sensitive content is detected. Available actions include sending an email to super administrators, sending an email to the user who created, edited, or uploaded a file with sensitive content, or blocking sharing of any file with sensitive content.
The Google Admin console, like many other tools with data retention, only maintains data logs for 30 to 180 days. With Google Workspace for Education Plus, Google Admins can collect multiple data logs and export them to the Google Cloud platform so they can be kept longer than the Admin console permits with BigQuery.
To create a BigQuery project begin exporting data by going to Reports > Audits and then select BigQuery Export. Data will be exported into two tables: Activity and Usage. The Activity table reports on user actions, such as login, Drive sharing or Meet participation and the Usage table, on the other hand, contains aggregate data on things like Drive storage usage per user, teacher posting frequency in Classroom, or number of Meets organized by a user.
With Context-Aware Access, Google Admins can create control policies to delegate which users have access to which apps based on attributes such as identity, location, device security status, and IP address. Use cases include wanting to:
Allow access to apps only from institution-issued devices
Allow access to Drive only if a user storage device is encrypted
Restrict access to apps from outside the institution’s network
Google Workspace for Education Plus gives Google Admins access to the Security Sandbox, which can scan email attachments from inside and outside the institution’s domain. Google Admins can determine when attachments are scanned by setting up Gmail to scan all supported attachment types, setting up rules to specify which attachments are scanned, or setting up content compliance rules to manage suspicious files. Attachments identified as security threats are then sent to the recipient’s spam folder.
Make teaching more efficient, elevate the student experience, and keep information and data secure at your institution by purchasing or upgrading to Google Workspace for Education Plus. Contact an account manager to get started.
