Drive settings

This feature is available with G Suite Enterprise, G Suite Enterprise for Education, and Drive Enterprise editions. Compare editions

ID:From the security health page, you can monitor the configuration of the following Drive settings:

Drive sharing settings

You can confine Drive sharing within the boundary of your domain, or allow sharing outside of your domain.

For more details, see the table below.

Setting Drive sharing settings
Status Specifies the number of organizational units where Drive sharing is enabled

Recommendation

Confine file sharing within the boundary of your domain(s). This reduces data leak and data exfiltration risks. 

If sharing is required outside of a domain because of business needs, you have the flexibility to define how sharing is done per individual organizational units, or you can designate whitelisted domains.

How to disable file sharing outside of your domain(s)

In the Google Admin console, go to Apps > G Suite > Drive and Docs > Sharing settings. In the Sharing options section, click OFF.

For more details and instructions for changing your Drive sharing settings, see Set file sharing permissions.

Effect on your users Users won’t be able share files outside of the domain.

Warning for out-of-domain sharing

You can configure Drive settings to warn users when they share a Drive file with users outside the domain.

For more details, see the table below.

Setting Warning for out-of-domain sharing
Status Specifies the number of organizational units where Drive sharing is enabled

Recommendation

Enable a warning when one of your users tries to share a file outside of your domain(s). This allows your users to confirm whether this action is the intended one, and reduces the risk of data leaks.

How to enable a warning for out-of-domain sharing

In the Google Admin console, go to Apps > G Suite > Drive and Docs > Sharing settings. In the Sharing options section, (if you click ON) be sure to check For files owned by users in [your domain] warn when sharing outside of [your domain].

For additional instructions, see Set file sharing permissions.

Effect on your users When an authorized user attempts to share a file outside the domain, they’ll be prompted with a warning message to confirm the sharing action. This reduces the risk of accidental data leaks.

Access Checker

When a user shares a file via a Google product other than Docs or Drive (for example, by pasting a link in Gmail), Google can check that the recipients have access. If not, when possible, Google will ask the user to pick if they want to share the file to:

  • Recipients only, your domain, or public (no Google account required)
  • Recipients only, or your domain
  • Recipients only

Under Access Checker in the Google Admin console, you can choose one of the three options above.

For more details, see the table below.

Setting Access Checker
Status Specifies the number of organizational units where Access Checker is configured for Recipients only.

Recommendation

Configure Access Checker for Recipients only for all organizational units. This gives you control over the accessibility of links shared by your users, and reduces the risk of data leaks.

How to configure Access Checker

In the Google Admin console, go to Apps > G Suite > Drive and Docs > Sharing settings. At the root organizational unit, under Access Checker, click Recipients only.

For more details and instructions, see Set file sharing permissions.

Effect on your users When users share a link to a resource (for example, a Drive file), Google will prompt the user if the recipients don’t have access and suggest the configured sharing scope.

Drive add-ons

Drive add-ons allow users to use Google Docs features built by other developers. For more details, see the table below.

Setting Drive add-ons
Status Specifies the number of organizational units where users are allowed to install add-ons for Google Docs from the add-on store

Recommendation

To reduce the risk of data leaks, do not allow users to install add-ons for Google Docs from the add-on store.

To support a specific business need, you can deploy specific add-ons for Google Docs that are aligned with your organizational policy.

How to disallow the installation of Drive add-ons

In the Google Admin console, go to Apps > G Suite > Drive and Docs > Features and Applications. Under Add-Ons, uncheck the Allow users to install Google Docs add-ons from add-ons store box.

For more details and instructions, see Enable add-ons in Google Docs editors.

Effect on your users

If this setting is disabled, your users won’t be able to install Google Docs add-ons. 

Note: This setting does not affect your users' ability to install add-ons from G Suite Marketplace.

Access to offline docs

Administrators can allow users to enable offline access to docs. When docs are accessible offline, a copy of the document is stored locally.

For more details, see the table below.

Setting Access to offline docs
Status Specifies the number of organizational units where access to offline docs is enabled

Recommendation

To reduce the risk of data leaks, disable access to offline docs. 

If you have a business reason to enable access to offline docs, enable this feature per organizational unit to minimize risk.

How to disable access to offline docs

In the Google Admin console, go to Apps > G Suite > Drive and Docs > Features and Applications. In the Offline section, click Control offline access using device policies. All users will lose access to offline documents on all devices if managed device policies are not set.

For more details and instructions, see Enable offline access to Docs, Sheets, and Slides.

Effect on your users If this setting is disabled, your users won’t be able to access offline docs.

Desktop access to Drive

You can enable desktop access to Drive by deploying the Backup and Sync client. This client lets you sync your files between your computer and Google Drive, so you can access your most up-to-date files from any device and collaborate on work with others. However, to reduce the risk of data leaks, we recommend that you instead disallow desktop access to Drive.

For more details, see the table below.

Setting Desktop access to Drive
Status Specifies the number of organizational units where desktop access to Drive is enabled

Recommendation

To reduce the risk of data leaks, disable desktop access to Drive.

If you decide to enable desktop access, be sure that you enable it only for users with a critical business need.

How to disable desktop access to Drive

In the Google Admin console, go to Apps > G Suite > Drive and Docs > Features and Applications. In the Drive section, click Do not allow the Backup and Sync application in your organization.

Effect on your users Your users won’t have desktop access to Drive.

File publishing on the web

You can enable or disable file publishing on the web for your users. For more details, see the table below.

Setting File publishing on the web
Status Specifies the number of organizational units where file publishing on the web is enabled.

Recommendation

Disable file publishing on the web for all organizational units. This reduces the risk of data leaks.

How to disable file publishing on the web

In the Google Admin console, go to Apps > G Suite > Drive and Docs > Sharing settings.

Under Sharing options, click OFF- Files owned by users in [your domain] cannot be shared outside of [your domain].

For more details and instructions, see Set file sharing permissions.

Effect on your users

Users in designated organizational units are allowed, or not allowed, to publish files on the web. 

Note: The disabling of file publishing does not revert the publishing actions taken by users when they were previously allowed to publish on the web.

Google sign-in requirement for external collaborators

When you allow users to send sharing invitations to people outside of your domain, you can require Google sign-in for external users to view the file. For more details, see the table below.

Setting Google sign-in requirement for external collaborators
Status Specifies the number of organizational units where Google sign-in is required for external collaborators

Recommendation

Configure all of your organizational units to require collaborators to sign in with a Google account. This reduces the risk of data leaks

How to enable the Google sign-in requirement

In the Google Admin console, go to Apps > G Suite > Drive and Docs > Sharing settings. Under Sharing options, click Require Google sign-in for external users to view the file.

You can also disable filing publishing outside of your domain by clicking OFF- Files owned by users in [your domain] cannot be shared outside of [your domain].

For more details and instructions, see Set file sharing permissions.

Effect on your users If your users collaborate with external users, turning this feature on would require external users to sign in using a Google account, or it would require them to create one for free if they don’t have one yet.
Was this article helpful?
How can we improve it?