Tag Archives: identity

Google Workspace Updates Weekly Recap – January 7, 2022

New updates 

Unless otherwise indicated, the features below are fully launched or in the process of rolling out (rollouts should take no more than 15 business days to complete), launching to both Rapid and Scheduled Release at the same time (if not, each stage of rollout should take no more than 15 business days to complete), and available to all Google Workspace and G Suite customers. 



PPTX file limit increase in Google Slides 
You can now import PPTX files up to 300MB into Google Slides using Office Editing mode — previously, 100MB was the maximum. Once imported, you can save back your edits to the underlying PPTX file. | Available to all Google Workspace customers and users with personal Google accounts. | Learn more.



Previous announcements 


The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details. 



Use a new enterprise certificate condition to set context-aware access rules for company-managed devices 
When configuring context-aware access rules, you can now use a new signal to determine whether a device is company-owned. | Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers. | Learn more. 



For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).

Use a new enterprise certificate condition to set context-aware access rules for company-managed devices

Quick launch summary 

When configuring context-aware access rules, you can now use a new signal to determine whether a device is company-owned. By using new enterprise certificates as an alternative context-aware signal to determine if a device is a company-managed asset, you can set more specific context-aware policies that are appropriate based on the trustworthiness of the device. 
Image: The Admin console screen to configure context-aware access rules using the enterprise certificate condition


Getting started 

Rollout pace 

  • This feature is now available for all eligible users. 

Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business, and Cloud Identity Free customers 

Resources 

Making dynamic groups more powerful with custom user attributes and OrgUnit queries

What’s changing 

Google Groups are a convenient way for Workspace users to collaborate and a powerful tool for admins to apply consistent security and access policies to sets of users or devices. Dynamic groups extend this by updating group membership automatically based on user attributes such as location, department, or job title. 

Today we are further extending the functionality of dynamic groups in two important ways: 
  • First, dynamic groups can now be defined by querying custom user attributes. This functionality is available as an open beta (no sign up required). 
  • Second, dynamic groups can also be defined based on users’ membership in Organizational Units (OUs). This feature is now generally available. 

Who’s impacted 

Admins only 


Why you’d use it 

Dynamic groups can be used for email distribution lists, access control, group based policy, and more. Compared to regular Google Groups they have the added benefit that memberships are automatically kept up-to-date. Automating membership management increases security, reduces errors, and alleviates user frustration while minimizing the burden on admins. 

These new features expand the utility of dynamic groups for organizations that take advantage of custom user attributes and organizational units. They can further tailor dynamic groups to meet the specific needs of their organization. For example these organizations could now: 
  • Create a dynamic group for all users of a subsidiary (an organizational unit) based in a particular city or state. 
  • Create a dynamic group with all users with a custom attribute of a “job_skill” or “speciality”. 

Getting started 

  • Admins: To take advantage of this new dynamic group functionality, you will need to have already defined custom user fields or organizational units.
    • Once this is in place you can test membership queries and then create / update dynamic groups that use them. 
      • To query a custom attribute “EmployeeNumber” (based on this sample schema): user.custom_schemas.employmentData.EmployeeNumber == '123456789' 
      • To query all direct members of an organizational unit: user.org_unit_id==orgUnitId('03ph8a2z1enx4lx') 
      • To query all direct and indirect members of an organizational unit (that is, including members of its child OUs): user.org_units.exists(org_unit, org_unit.org_unit_id==orgUnitId('03ph8a2z1khexns')) 
  • End users: Not available to end users. 
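The three query shapes above, evaluated locally against a constructed directory so an admin can preview which users a query would pull in before creating the group. This is an added example, not Google's implementation or the Cloud Identity service's evaluator: the OU ids, paths and users are constructed, and only these three query forms are recognised.

```python
import re

# Constructed sample directory (not real Google data). Users carry the
# orgUnitPath and customSchemas fields the Directory API returns; OUs carry
# orgUnitId (as the dict key), orgUnitPath and parentOrgUnitId.
ORG_UNITS = {
    "ou_root": {"orgUnitPath": "/", "parentOrgUnitId": None},
    "ou_sub": {"orgUnitPath": "/Subsidiary", "parentOrgUnitId": "ou_root"},
    "ou_sub_berlin": {"orgUnitPath": "/Subsidiary/Berlin", "parentOrgUnitId": "ou_sub"},
}
PATH_TO_ID = {v["orgUnitPath"]: k for k, v in ORG_UNITS.items()}
USERS = [
    {"primaryEmail": "ana@example.com", "orgUnitPath": "/Subsidiary",
     "customSchemas": {"employmentData": {"EmployeeNumber": "123456789"}}},
    {"primaryEmail": "bo@example.com", "orgUnitPath": "/Subsidiary/Berlin",
     "customSchemas": {"employmentData": {"EmployeeNumber": "987654321"}}},
    {"primaryEmail": "cy@example.com", "orgUnitPath": "/", "customSchemas": {}},
]

# The three query shapes from the announcement.
CUSTOM = re.compile(r"^user\.custom_schemas\.(\w+)\.(\w+)\s*==\s*'([^']*)'$")
DIRECT = re.compile(r"^user\.org_unit_id\s*==\s*orgUnitId\('([^']+)'\)$")
TREE = re.compile(
    r"^user\.org_units\.exists\((\w+),\s*\1\.org_unit_id\s*==\s*orgUnitId\('([^']+)'\)\)$")

def ou_chain(user):
    """IDs of the user's own OU followed by every ancestor up to the root."""
    ou_id = PATH_TO_ID[user["orgUnitPath"]]
    while ou_id is not None:
        yield ou_id
        ou_id = ORG_UNITS[ou_id]["parentOrgUnitId"]

def matches(query, user):
    q = query.strip()
    if m := CUSTOM.match(q):                 # custom schema field equality
        schema, field, value = m.groups()
        return user.get("customSchemas", {}).get(schema, {}).get(field) == value
    if m := DIRECT.match(q):                 # direct members of the OU only
        return PATH_TO_ID[user["orgUnitPath"]] == m.group(1)
    if m := TREE.match(q):                   # the OU plus all of its child OUs
        return m.group(2) in set(ou_chain(user))
    raise ValueError(f"unsupported query shape: {query}")

def members(query, users=USERS):
    """Emails of the users the query would pull into the dynamic group."""
    return sorted(u["primaryEmail"] for u in users if matches(query, u))
```

The difference between the two OU forms is the point to check before using a dynamic group for access control: the direct form excludes users in child OUs, the exists form includes them.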

Rollout pace 

  • Custom user attribute queries are available now for all users in open beta (no sign up required) 
  • Organizational unit based dynamic group queries are now generally available for all users. 

Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, and Education Plus customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as G Suite Basic and Business customers 

Resources 

Set user language programmatically with the Directory API

Quick launch summary 

With this launch, you can use the Google Workspace Admin SDK Directory API to set a per-user language preference as part of the user create/update flow. 

Previously, the Admin SDK only exposed one customer-level language setting that applied to all users, which could then be changed individually via the Admin console or by the user. We hope this will make it easier to set up and manage your users at scale. 


Getting started 

Rollout pace 

Availability 

  • Available to all Google Workspace customers, as well as G Suite Basic and Business customers 

Resources 

Assign SSO profile to organizational units or groups with the SAML Partial SSO feature, now generally available

What’s changing

Earlier this year, we announced a beta for assigning SSO profiles to organizational units or groups. This feature is now generally available and allows admins to specify groups or organizational units (OUs) to authenticate a subset of your users using Google.

Who’s impacted

Admins

Why it’s important

Currently, when you configure SSO with a third-party identity provider, the setting applies to your entire domain. However, there are some instances where you may want a subset of your users, such as vendors or contractors, to authenticate with Google instead. The Partial SSO feature gives you the flexibility to specify the authentication method for various users in your organization as needed.


Getting started



  • End users: No action required.

Rollout pace


Availability

  • Available to Google Workspace Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Plus, Frontline, and Nonprofits, as well as G Suite Basic and Business customers
  • Available to all Cloud Identity customers
  • Not available to Google Workspace Essentials customers

Resources


Control session length for Google Cloud Console and gcloud CLI now generally available

Quick Summary 

In 2019, we announced a beta that allows Google Workspace, Google Cloud Platform (GCP), and Cloud Identity admins to set a fixed session duration for specific apps and services. This is now generally available. After the session expires, users will need to re-enter their login credentials to continue to access: 

Giving admins more control over how often users need to re-authenticate makes it more difficult for the wrong people to obtain that data if they gain unauthorized access to a device. 

Visit the Help Center for more information about mobile apps and third-party identity providers.

Getting started

  • Admins: This feature will be OFF by default and can be enabled at the OU level. You can find session length controls at Admin console > Security > Google session control. Visit the Help Center to learn more about how to set session length for Google Cloud services.
  • End users: If a session ends, users will simply need to log in to their account again using the familiar Google login flow. 

Rollout pace


Availability

  • Available to all Google Workspace customers, as well as G Suite Basic and Business customers, and Google Cloud Identity Free and Premium customers

Google OAuth incremental authorization improvement

Posted by Vikrant Rana, Product Manager, and Badi Azad, Group Product Manager

Summary

Google Identity strives to be the best stewards for Google Account users who entrust us to protect their data. At the same time, we want to help our developer community build apps that give users amazing experiences. Together, Google and developers can provide users three important ways to manage sharing their data:

  1. Give users control in deciding who has access to their account data
  2. Make it easier and safer for users to share their Google Account data with your app when they choose to do so
  3. Make it clear to users the specific data they are sharing with apps

What we are doing today

In service of that stewardship, today we are announcing an OAuth consent experience that simplifies how users can share data with apps. This experience also improves the consent conversion for apps that use incremental authorization, which requests only one scope. Users can now easily share this kind of request with a single tap.

Image: Screenshot comparing the previous screen and the new screen shown when Example app wants to access your account (Previous Screen, left; New Screen, right)

A quick recap

Let’s summarize a few past improvements so you have a full picture of the work we have been doing on the OAuth consent flow.

In mid-2019, we significantly overhauled the consent screen to give users fine-grained control over the account data they chose to share with a given app. In that flow, when an app requested access to multiple Google resources, the user would see one screen for each scope.

In July 2021, we consolidated these multiple-permission requests into a single screen, while still allowing granular data sharing control for users. Our change today represents a continuation of improvements on that experience.

Image: Screenshot showing the option to select what Example app can access

The Identity team will continue to gather feedback and further enhance the overall user experience around Google Identity Services and sharing account data.

What do developers need to do?

There is no change you need to make to your app. However, we recommend using incremental authorization and requesting only one resource at the time your app needs it. We believe that doing this will make your account data request more relevant to the user and therefore improve the consent conversion. Read more about incremental authorization in our developer guides.

If your app requires multiple resources at once, make sure it can handle partial consent gracefully and reduce its functionality appropriately as per the OAuth 2.0 policy.
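The two recommendations above in code, as an added example that is not part of Google's announcement or client libraries: request a single scope for the feature the user is about to use (with include_granted_scopes so earlier grants are merged into the new token), then read the scope field of the token response to see what was actually granted and enable only those features. The app name, feature-to-scope map, client id and token response are constructed for the example.

```python
from urllib.parse import urlencode

# Google's OAuth 2.0 authorization endpoint (documented public value).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Hypothetical app: each feature needs exactly one scope and asks for it only
# when the user first touches that feature (incremental authorization).
FEATURE_SCOPES = {
    "calendar_view": "https://www.googleapis.com/auth/calendar.readonly",
    "drive_export": "https://www.googleapis.com/auth/drive.file",
}

def build_incremental_auth_url(client_id, redirect_uri, feature, state):
    """Authorization URL that asks for the single scope `feature` needs.
    include_granted_scopes=true tells Google to merge this grant with scopes
    the user approved earlier, so one token covers everything granted so far."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": FEATURE_SCOPES[feature],
        "include_granted_scopes": "true",
        "state": state,               # anti-CSRF value the app verifies on return
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"

def granted_features(token_response):
    """Map each feature to whether its scope appears in the space-separated
    `scope` field Google returns with the token. A user can decline any
    individual scope, so the app enables only what was actually granted
    rather than assuming every requested scope came back."""
    granted = set(token_response.get("scope", "").split())
    return {feature: scope in granted for feature, scope in FEATURE_SCOPES.items()}

# Constructed token response: the user approved calendar but declined drive.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "ACCESS_TOKEN_PLACEHOLDER",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": "openid https://www.googleapis.com/auth/calendar.readonly",
}

if __name__ == "__main__":
    print(build_incremental_auth_url("CLIENT_ID_PLACEHOLDER",
                                     "https://app.example/oauth/callback",
                                     "drive_export", "STATE_PLACEHOLDER"))
    print(granted_features(SAMPLE_TOKEN_RESPONSE))
```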

Related content

Assign SSO profile to organizational units or groups with the new SAML Partial SSO beta

What’s changing 

Currently, when you configure authentication through a third-party identity provider, that configuration applies to all users within your domain. Now you have the option to specify groups or organizational units (OUs) whose users authenticate with Google instead. This feature is available beginning today as an open beta, which means you can use it without enrolling in a specific beta program. 


Who’s impacted 

Admins 


Why you’d use it 

Currently, when you configure SSO with a third-party identity provider, the setting applies to your entire domain. However, there are some instances where you may want a subset of your users, such as vendors or contractors, to authenticate with Google instead. The Partial SSO beta gives you the flexibility to specify the authentication method for various users in your organization as needed.



Getting started

Image description: Within the Admin console, navigate to Security > Settings > Set up single sign-on (SSO) with a third party IdP > Manage SSO Profile assignments to specify the OU or group whose users should authenticate using Google.

Rollout pace



Availability

  • Available to all Google Workspace and Cloud Identity customers


Resources


Enhanced desktop security for Windows is now available for Google Workspace Business Plus customers

Quick launch summary

Google Workspace Business Plus customers can now manage and secure Windows devices through the Admin console, just as you do for Android, iOS, Chrome, and Jamboard devices. Now, Business Plus Admins can:

  • Set Windows policies in the Admin console to ensure that all Windows 10 devices used to access Workspace are updated, secure, and in compliance with organizational policies. 
  • Perform admin actions, such as wiping a device and pushing device configuration updates, on Windows 10 devices from the cloud without connecting to the corporate network.

See our previous announcement for more details on the Windows 10 management features and benefits and the Help Center to learn more about enhanced desktop security for Windows.

Getting started 


Rollout pace

  • This feature is available now.


Resources


Apply context-aware access policies to mobile and desktop applications

What’s changing 

Admins can now assign existing or new context-aware access levels to Google desktop and mobile applications. 

Applying context-aware access levels to mobile and desktop applications


Who’s impacted 

Admins and end users 



Why it’s important 

With context-aware access, you can set up different access levels based on a user’s identity and the context of the request (location, device security status, IP address). Expanding these policies to other Google Workspace entry points—such as the Google Drive for desktop app or using Gmail on a mobile browser—gives admins greater control over how, when, and where users can access Workspace resources. 



Getting started 


Rollout pace 


Resources