Monitor the health of your Drive settings

Security health page

Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition

From the security health page, you can monitor the configuration of Google Drive settings for your organization.

Before you begin

For the steps to get to the security health page in the Admin console, go to Get started with the security health page.

On this page

Drive sharing settings

You can confine Drive sharing within the boundary of your domain, or allow sharing outside of your domain.

If you set up trust rules, recommendations related to Drive sharing settings won't be available on the security health page. For more information, go to Create and manage trust rules for Drive sharing.

Supported editions: Enterprise Plus, Education

Setting Drive sharing settings
Status Specifies the number of organizational units where Drive sharing is enabled

Recommendation

Confine file sharing to your domain to reduce data leaks and data exfiltration risks. 

If sharing is required outside of a domain because of business needs, you have the flexibility to define how sharing is done by individual organizational units, or you can designate allowlisted domains.

If you turn off Drive sharing Users won’t be able share files outside of the domain.

Turn off file sharing outside of your domain

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Click Sharing settingsand thenSharing options.
  4. Click Off.

For more details and instructions for changing your Drive sharing settings, go to Manage external sharing for your organization.

Warning for out-of-domain sharing

You can configure Drive settings to warn users when they share a Drive file with users outside the domain.

If you set up trust rules, recommendations related to Warning for out-of-domain sharing won't be available on the security health page. For more information, go to Create and manage trust rules for Drive sharing.

Setting Warning for out-of-domain sharing
Status Specifies the number of organizational units where Drive sharing is turned on

Recommendation

Turn on a warning when one of your users tries to share a file outside of your domain. This allows your users to confirm whether this action is intentional and reduces the risk of data leaks.

Effect on your users

When an authorized user attempts to share a file outside the domain, a warning message prompts them to confirm the sharing action. This reduces the risk of accidental data leaks.

Turn on a warning for out-of-domain sharing

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Click Sharing settingsand thenSharing options.
  4. In the Sharing options section: 
    • If you choose Allowlisted Domains, also check the Warn when files owned by users or shared drives in your organization are shared with users in allowlisted domains box.
    • If you choose On, also check the Warn when files owned by users or shared drives in your organization are shared outside of your organization box.

For additional instructions, go to Manage external sharing for your organization.

Access Checker

When a user shares a file using a Google product other than Google Docs or Drive (for example, by pasting a link in Gmail), Google checks that the recipients have access. If not, when possible, the user can choose a file-sharing option:

  • Recipients only, your domain, or public (no Google account required)
  • Recipients only, or your domain
  • Recipients only

Under Access Checker in the Google Admin console, you can choose one of the previous three options.

Setting Access Checker
Status Specifies the number of organizational units where Access Checker is configured for Recipients only.

Recommendation

Configure Access Checker for Recipients only for all organizational units. This gives you control over the accessibility of links shared by your users and reduces the risk of data leaks.

Effect on your users When users share a link to a resource (for example, a Drive file), Google will prompt the user if the recipients don’t have access and suggest the configured sharing scope.

Configure Access Checker

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Click Sharing settingsAnd thenSharing options.
  4. At the root organizational unit, under Access Checker, choose Recipients only.

For more details and instructions, go to Manage external sharing for your organization.

Drive add-ons

Drive add-ons allow users to use Google Docs features built by other developers.  

Setting Drive add-ons
Status Specifies the number of organizational units where users are allowed to install add-ons for Docs from the add-on store

Recommendation

To reduce the risk of data leaks, do not allow users to install add-ons for Docs from the add-on store.

To support a specific business need, you can deploy add-ons for Docs that are aligned with your organizational policy.

Effect on your users

If you turn off this setting, your users won’t be able to install Docs add-ons. 

This setting does not affect your users' ability to install add-ons from ​Google Workspace​ Marketplace.

Disallow the installation of Drive add-ons

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Click Features and Applications.
  4. Click Add-Ons.
  5. Uncheck the Allow users to install Google Docs add-ons from add-ons store box.
  6. Click Save.

For more details and instructions, go to Allow or restrict add-ons in Docs editors.

Access to offline docs

You can allow users to turn on offline access to docs. When docs are accessible offline, a copy of the document is stored locally.

Setting Access to offline docs
Status Specifies the number of organizational units where access to offline docs is turned on.

Recommendation

To reduce the risk of data leaks, turn off access to offline docs. 

If you have a business reason to allow access to offline docs, turn on this feature by organizational unit to minimize risk.

Effect on your users If you turn off this setting, your users won’t be able to access offline docs.

Turn off access to offline docs

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Click Features and Applicationsand thenchoose Control offline access using device policies

    If managed device policies are not set, all users will lose access to offline documents on all devices.

For more details and instructions, go to Set up offline access to Docs editors.

Desktop access to Drive

You can let users sync and access their Drive files on their computers by setting up Drive for desktop for your organization.

Setting Desktop access to Drive
Status Specifies the number of organizational units where desktop access to Drive is turned on

Recommendation

To reduce the risk of data leaks, limit or turn off access to Drive for desktop.

If you decide to allow desktop access, turn it on only for users with a critical business need and allow it only on authorized devices.

Effect on your users If you turn off this setting, your users won’t have desktop access to Drive.

Turn off desktop access to Drive

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Click Google Drive for desktopAnd thenEnable Drive for desktop.
  4. Uncheck the Allow Google Drive for desktop in your organization box.

For more details and instructions, go to Set up Drive for desktop for your organization

File publishing on the web

You can turn file publishing on the web on or off for your users.  

Setting File publishing on the web
Status Specifies the number of organizational units where file publishing on the web is turned on

Recommendation

To reduce the risk of data leaks, turn off file publishing on the web for all organizational units.

Effect on your users

Users in designated organizational units are allowed or not allowed to publish files on the web. 

Disabling file publishing does not revert publishing actions already taken by users. Any new sites published aren't visible to external users.

Turn off file publishing on the web

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Click Sharing settingsAnd thenSharing options.
  4. Uncheck the When sharing outside of your organization is allowed, users in your organization can make files and published web content visible to anyone with the link box.

For more details and instructions, go to Manage external sharing for your organization.

Related topics

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu