Monitor the health of your Drive settings

Security health page
Supported editions for this feature: Frontline Standard; Enterprise; Education Standard and Education Plus; Enterprise Essentials Plus.

From the security health page, you can monitor the configuration of the following Drive settings:

Drive sharing settings

You can confine Drive sharing within the boundary of your domain, or allow sharing outside of your domain.

Note: If you set up trust rules, recommendations related to Drive sharing settings won't be available on the security health page. For more information, see Create and manage trust rules for Drive sharing.

Supported editions: Enterprise Plus, Education

For more details, see the table below.

Setting: Drive sharing settings
Status: Specifies the number of organizational units where Drive sharing is enabled

Recommendation

Confine file sharing within the boundary of your domain(s). This reduces data leak and data exfiltration risks. 

If sharing is required outside of a domain because of business needs, you have the flexibility to define how sharing is done per individual organizational units, or you can designate allowlisted domains.

How to disable file sharing outside of your domain(s)

In the Google Admin console, go to Apps > Google Workspace > Drive and Docs > Sharing settings. In the Sharing options section, click OFF.

For more details and instructions for changing your Drive sharing settings, see Set file sharing permissions.

Effect on your users: Users won’t be able to share files outside of the domain.

Warning for out-of-domain sharing

You can configure Drive settings to warn users when they share a Drive file with users outside the domain.

Note: If you set up trust rules, recommendations related to Warning for out-of-domain sharing won't be available on the security health page. For more information, see Create and manage trust rules for Drive sharing.

For more details, see the table below.

Setting: Warning for out-of-domain sharing
Status: Specifies the number of organizational units where Drive sharing is enabled

Recommendation

Enable a warning when one of your users tries to share a file outside of your domain(s). This allows your users to confirm whether this action is the intended one, and reduces the risk of data leaks.

How to enable a warning for out-of-domain sharing

In the Google Admin console, go to Apps > Google Workspace > Drive and Docs > Sharing settings. In the Sharing options section, if you click ON, be sure to check the For files owned by users in [your domain] warn when sharing outside of [your domain] box.

For additional instructions, see Set file sharing permissions.

Effect on your users: When an authorized user attempts to share a file outside the domain, they’ll be prompted with a warning message to confirm the sharing action. This reduces the risk of accidental data leaks.

Access Checker

When a user shares a file via a Google product other than Docs or Drive (for example, by pasting a link in Gmail), Google can check that the recipients have access. If they don't, Google will, when possible, ask the user to choose whether to share the file with:

  • Recipients only, your domain, or public (no Google account required)
  • Recipients only, or your domain
  • Recipients only

Under Access Checker in the Google Admin console, you can choose one of the three options above.

For more details, see the table below.

Setting: Access Checker
Status: Specifies the number of organizational units where Access Checker is configured for Recipients only.

Recommendation

Configure Access Checker for Recipients only for all organizational units. This gives you control over the accessibility of links shared by your users, and reduces the risk of data leaks.

How to configure Access Checker

In the Google Admin console, go to Apps > Google Workspace > Drive and Docs > Sharing settings. At the root organizational unit, under Access Checker, click Recipients only.

For more details and instructions, see Set file sharing permissions.

Effect on your users: When users share a link to a resource (for example, a Drive file), Google will prompt the user if the recipients don’t have access and suggest the configured sharing scope.

Drive add-ons

Drive add-ons allow users to use Google Docs features built by other developers. For more details, see the table below.

Setting: Drive add-ons
Status: Specifies the number of organizational units where users are allowed to install add-ons for Google Docs from the add-on store

Recommendation

To reduce the risk of data leaks, do not allow users to install add-ons for Google Docs from the add-on store.

To support a specific business need, you can deploy specific add-ons for Google Docs that are aligned with your organizational policy.

How to disallow the installation of Drive add-ons

In the Google Admin console, go to Apps > Google Workspace > Drive and Docs > Features and Applications. Under Add-Ons, uncheck the Allow users to install Google Docs add-ons from add-ons store box.

For more details and instructions, see Enable add-ons in Google Docs editors.

Effect on your users

If this setting is disabled, your users won’t be able to install Google Docs add-ons. 

Note: This setting does not affect your users' ability to install add-ons from Google Workspace Marketplace.

Access to offline docs

Administrators can allow users to enable offline access to docs. When docs are accessible offline, a copy of the document is stored locally.

For more details, see the table below.

Setting: Access to offline docs
Status: Specifies the number of organizational units where access to offline docs is enabled

Recommendation

To reduce the risk of data leaks, disable access to offline docs. 

If you have a business reason to enable access to offline docs, enable this feature per organizational unit to minimize risk.

How to disable access to offline docs

In the Google Admin console, go to Apps > Google Workspace > Drive and Docs > Features and Applications. In the Offline section, click Control offline access using device policies. All users will lose access to offline documents on all devices if managed device policies are not set.

For more details and instructions, see Enable offline access to Docs, Sheets, and Slides.

Effect on your users: If this setting is disabled, your users won’t be able to access offline docs.

Desktop access to Drive

You can enable desktop access to Drive by deploying the Backup and Sync client. This client lets you sync your files between your computer and Google Drive, so you can access your most up-to-date files from any device and collaborate on work with others. However, to reduce the risk of data leaks, we recommend that you instead disallow desktop access to Drive.

For more details, see the table below.

Setting: Desktop access to Drive
Status: Specifies the number of organizational units where desktop access to Drive is enabled

Recommendation

To reduce the risk of data leaks, disable desktop access to Drive.

If you decide to enable desktop access, be sure that you enable it only for users with a critical business need.

How to disable desktop access to Drive

In the Google Admin console, go to Apps > Google Workspace > Drive and Docs > Features and Applications. In the Drive section, click Do not allow Backup and Sync in your organization.

Effect on your users: Your users won’t have desktop access to Drive.

File publishing on the web

You can enable or disable file publishing on the web for your users. For more details, see the table below.

Setting: File publishing on the web
Status: Specifies the number of organizational units where file publishing on the web is enabled.

Recommendation

Disable file publishing on the web for all organizational units. This reduces the risk of data leaks.

How to disable file publishing on the web

In the Google Admin console, go to Apps > Google Workspace > Drive and Docs > Sharing settings.

Under Sharing options, click OFF - Files owned by users in [your domain] cannot be shared outside of [your domain].

For more details and instructions, see Set file sharing permissions.

Effect on your users

Users in designated organizational units are allowed, or not allowed, to publish files on the web. 

Note: The disabling of file publishing does not revert publishing actions already taken by users. In addition, any new sites published will not be visible to external users.

Google sign-in requirement for external collaborators

When you allow users to send sharing invitations to people outside of your domain, you can require Google sign-in for external users to view the file. For more details, see the table below.

Setting: Google sign-in requirement for external collaborators
Status: Specifies the number of organizational units where Google sign-in is required for external collaborators

Recommendation

Configure all of your organizational units to require collaborators to sign in with a Google account. This reduces the risk of data leaks.

How to enable the Google sign-in requirement

In the Google Admin console, go to Apps > Google Workspace > Drive and Docs > Sharing settings. Under Sharing options, click Require Google sign-in for external users to view the file.

You can also disable file publishing outside of your domain by clicking OFF - Files owned by users in [your domain] cannot be shared outside of [your domain].

For more details and instructions, see Set file sharing permissions.

Effect on your users: If your users collaborate with external users, turning this feature on would require external users to sign in using a Google account.