Prevent MP3 files and other file types from being downloaded

Using the real-time alert rules within GAT Shield an admin can set up a rule to prevent certain file types from being downloaded to a user’s device.

To set up a download rule, go to the Configuration section of GAT Shield and open the Alert Rules section.


Click on the Add a rule button, and select File download.


Once the menu appears, do the following:

  • Give the rule a meaningful name. In my case, I will prevent mp3 and mp4 files from being downloaded.
  • Make sure to enable ‘Active’ so that the rule will be active once the rule setup is complete.
  • I entered mp3;mp4, using a semicolon to separate the two file types. A semicolon is not necessary if only one file type is being covered.


  • You can also block files based on their file size: anything equal to or above the value you have entered. For example, I can enter 20 MB. That means any mp3 or mp4 equal to or greater than 20 MB will be blocked from being downloaded; smaller files won’t.
  • The Cancel/delete download option will be enabled because we want this rule to block and prevent downloads. If left unchecked, the rule would only notify you and not take any action.
  • Site exclusions are useful if you have some educational sites where downloading mp3 or mp4 files is allowed.


  • Now we need to indicate which users will be covered by this rule. I have used the OU option, selected the root user OU /, and also included sub-org units. This means my entire domain is covered by this rule (well, actually, the users who have Shield deployed on their accounts). You can indicate a sub OU like /Students and enable the option to cover its sub-OUs if you wish.
  • You can also take actions like shutting the webpage down or showing a custom warning message to the students.
  • The last 3 options allow you to report the file name, capture the screen the user was on and take a picture of the user using the webcam of the device (if Shield Companion app is deployed as well).

All alerts will be sent to you via email and you can also find them in the Shield Alerts section.
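The rule configured above can be read as a small decision procedure. The following is an added example, not GAT Shield's code: the field names, the sample events, case-insensitive extension matching and the choice to ignore files under the size threshold are all assumptions made for illustration.

```javascript
// Added illustration: models the download rule described above.
// Field names are hypothetical; this is not GAT Shield's implementation.
const MB = 1024 * 1024;

// The rule as configured in the walkthrough.
const rule = {
  name: "Block mp3 and mp4 downloads",
  active: true,
  fileTypes: "mp3;mp4",                     // semicolon-separated, as entered
  minSizeBytes: 20 * MB,                    // applies to sizes equal to or above this
  cancelDownload: true,                     // unchecked means notify only
  siteExclusions: ["media.school.example"], // constructed exclusion
};

// Split the semicolon-separated list into normalised extensions.
function parseFileTypes(list) {
  return list.split(";")
    .map((t) => t.trim().replace(/^\./, "").toLowerCase())
    .filter(Boolean);
}

// Extension after the last dot; assumed to be matched case-insensitively.
function extensionOf(fileName) {
  const dot = fileName.lastIndexOf(".");
  return dot > 0 ? fileName.slice(dot + 1).toLowerCase() : "";
}

// An excluded site covers the host itself and its subdomains (assumption).
function isExcluded(host, exclusions) {
  const h = host.toLowerCase();
  return exclusions.some((e) => h === e || h.endsWith("." + e));
}

// Returns "ignore", "notify" or "block" for one download event.
function evaluateDownload(r, event) {
  if (!r.active) return "ignore";
  if (isExcluded(new URL(event.url).hostname, r.siteExclusions)) return "ignore";
  if (!parseFileTypes(r.fileTypes).includes(extensionOf(event.fileName))) return "ignore";
  if (r.minSizeBytes && event.sizeBytes < r.minSizeBytes) return "ignore";
  return r.cancelDownload ? "block" : "notify";
}

// Constructed sample events.
const samples = [
  { url: "https://cdn.example/a/track.MP3", fileName: "track.MP3", sizeBytes: 20 * MB },
  { url: "https://cdn.example/a/clip.mp4", fileName: "clip.mp4", sizeBytes: 19 * MB },
  { url: "https://media.school.example/lesson.mp4", fileName: "lesson.mp4", sizeBytes: 50 * MB },
  { url: "https://cdn.example/a/notes.pdf", fileName: "notes.pdf", sizeBytes: 30 * MB },
];

function runSamples(r) {
  return samples.map((s) => evaluateDownload(r, s));
}

console.log(runSamples(rule));
console.log(runSamples({ ...rule, cancelDownload: false }));
```

Working through the boundary cases this way (exactly 20 MB, an excluded site, the notify-only setting) is a quick check that the configured rule matches the policy you intended before it is rolled out to an OU.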


How to Use GAT to Detect a Sharing Policy Violation


This example is for a user, but you can also check for sharing violations on a file, or file type, a folder, a group (all the users in the group – ‘Local User/Group’), an organization, a file id and anyone sharing in or to a particular external target such as a user or a domain.

 

Security Lesson Part 1

 

In the Drive Audit, click the Long Search button and enter the email of a local user against whom you wish to make a policy watch. (For a group of users, add the group name to the ‘Local User/Group’ field.)

Note: The Owned checkbox will return the documents that user owns only. If left unchecked it will return files that user can edit, read or owns.

Click on the refresh button to see if the search is complete. If the search is done, click on the green checkbox to apply the filter.

 

Now, let’s modify this feature slightly when the results have been displayed. Click on the ‘Apply custom filter’ button.

When the Drive Files filter appears, add these additional search parameters on your existing Long Search.

  • Updated after or equal today’s date dd/mm/yyyy hh:mm
  • Sharing Flags contains Shared out

 

Note: You should also give it a meaningful name, for example, files shared out of UserX on a daily basis.

Once you have added these additional search parameters click on Scheduled. Once Scheduled is selected, you will see additional options. You should make the scheduled report run on a daily basis ‘Every day – after midnight’

You can also choose who should receive this report which contains data on files shared out by user X each day.

 

Click on Apply & Schedule.

 

Now navigate to Scheduled reports on the configuration side menu.

You can modify your existing scheduled jobs from here.

If you want to create an action with this policy, you can click on Jobs Action Edit; this is the icon next to the pen icon.

 

With this scheduled report set up, you will receive an email with a spreadsheet of all of the files shared out of User X each day.

 

Security Lesson Part 2

 

Although you have created a policy in Security Lesson Part 1 to show you files a user has shared out on a daily basis, there may be another vulnerability: files shared in may be used to leak sensitive data. A user on your domain can copy and paste data into a shared-in document without your awareness. That is why we recommend creating a scheduled report which can show you the files shared in to an individual user, entire group, specific OU structure or folder.

 

In this example we will take a look at files shared into a specific user.

In Drive audit, click on the ‘Apply custom filter’ button.

In the Drive Files filter popup apply the following search parameters.

  • Sharing Flags contains Shared in
  • Flags doesn’t contain Team Drive
  • Editors contains (exact match) UserX’s email address

We will apply the filter instead of scheduling this information. If you wish to schedule this report, add another search parameter

  • Updated After or equal dd/mm/yyyy hh:mm

 

And click on Scheduled checkbox. Select how often you want the report to run.

 

Once the results appear in the Drive result table, you can use the functionalities of GAT Unlock to examine the file contents. For more information about viewing file contents silently read this post “View File Contents: How to silently copy or view files”.

 

Of course, we have made this easy for Admins  – for this type of report for the entire domain, just go to ‘One Click Reports’, select ‘Docs shared in or out changed in the last 24 hour’.

 

GAT Shield’s Recursive User OU Search

GAT Shield now has recursive user OU search in the Shield browsing summary and URL access rules settings. This is a much-requested feature.

[New Feature] Automatically Block and Approve URL Sets with GAT Shield

Automatically block certain URLs during specific times of the day. For example, block Facebook between the hours of 9 AM and 6 PM Monday through Friday. This feature is very flexible. It allows you to curate a list of URLs that automatically become blocked at certain times. You can also choose to block all sites apart from ones in an ‘approved’ list.


See Who Violated Your Domain’s Usage Rules with GAT Shield

In the Shield Alerts section of GAT Shield, you can view all the instances where your users have violated any Alert Rules.

You can see the video instead of reading the post.

 

To know how to create an Alert Rule you can watch our video covering the topic.

In the Alerts Explorer, you can view a list of all the times a rule was violated.

You can see data such as the Rule name, The Rule type, Page info if it was a URL visit, how long ago the Rule was violated, the User who violated the rule and whether the Status of the alert was still open or acknowledged by an Admin.


Clicking the check mark will change the status indicator to a green Acknowledged status.

This is so you can let other Administrators on your domain know the alert was investigated.

By clicking the eye Icon you can get all the details of that alert, as well as the admin who acknowledged it.

Device information such as the rule violator’s Shield UUID, OS, IP details and location information is also available in this area.


Track Your Users’ Online Activities with GAT Shield

Using GAT Shield you can track your user’s browser activity throughout the day.

Below is a short tutorial explaining the feature. You can watch it instead of reading this post.

 

You can view what sites they spend most of their time on as well as their active time spent there.

 To start off we’re going to go to the User Activity section of GAT Shield.

Here we can see the timeline of any user.

Sites are ordered by the total duration of time spent. This will help you quickly spot where a user spends the bulk of their time.

At the top left of this section, you can select the User you wish to view.

To the right, you can select the date you wish to investigate.

And in the top right you can choose to either view the data by Active time spent or view their activity in a 24-hour window.


The total Chrome browser activity shows you a summary of the user’s total active time spent using their browser. Each colour represents a website; hovering over a colour will reveal its URL.

Under this window, you can search for any specific website to see if your user is spending any of their time on that site. For example, you can see if your users are spending too much time on youtube.com

To the right, you can select the number of displayed sites.


Below you can view your users’ activity for every site they have visited. You can also see what percentage of the user’s day is spent on that site.


How to Locate and Track Devices with GAT shield

In this post, we’ll be covering User/Device Geolocation in GAT Shield.

You can view the video tutorial instead:

This feature will allow an Admin to track and locate all devices using advanced filters.

Start off by navigating to the User/Device Geo Reporting section in GAT Shield.

In this area you will have access to the Geolocation window. Here you’ll see all devices currently enrolled on your domain, viewed by Shield UUID, or you can choose to view devices by IP.

You’ll notice numbers around the map. These are devices that are close to each other and have been grouped together.

Clicking on the value will zoom in and spread the devices out more accurately.

After zooming in, we can now see computer icons. These are our devices.

If you click a device you will be shown its Shield UUID, OS, Public IP, City, Country, User and Last activity. You can also click to show the coordinates on Google Maps.

Scrolling down you will see a detailed list of all the devices connected to your domain.

You can view their Shield UUID, which is a universal unique ID given to every user per device, their Shield version, The serial number of the device, the OS, their public & private IP, location details as well as the user’s email and activity.


Clicking the marker button will locate this user on the map.

The eye icon will give you more information about that user’s device, as well as details of their device such as CPU and memory usage.

In this example we’re going to search for any Windows devices that have more than one user logged into them. We’ll start off by clicking the filters button.

We’ll select OS and type the name of the operating system; in this example it’s Windows. We’ll then add another rule and select Other users, pick ‘is not empty’ and apply the filter.

We now have our result. To see the other user who has logged into this device, we’ll select the eye icon. We can now see that another user from a different domain has logged onto the same device as our user.

In our next example, we’ll look for how many devices a user has logged into, we’ll delete our filter and apply a new one, then we’ll select User and enter the email of the user we’re looking for.

We can see that this user has logged into five different devices. If we would like, we can click the export data button and select between a direct CSV download or one to Google Drive.

We’ll select Google Drive, a small window should appear. Simply click to view and download.

We can now see all the data from our search in the spreadsheet.

How to Install and Configure GAT Shield on Your Domain

In this how-to, we will be covering how to install and configure GAT Shield. Below is the video tutorial about the same topic:

To start off, go to the device management section of your admin console. Once here, select Chrome Management on the left side of the screen.

Next, select ‘user settings’. Now choose the root OU to install GAT Shield domain-wide. Alternatively, you can choose a sub OU and install it to that separately. Once you have that selected, scroll down to ‘force-installed apps and extensions’. Select ‘manage force installed apps’.

Now select ‘specify a custom app’. There are two versions of GAT Shield which are available. One open version and one closed. The open version allows the end user to see all the environment information from their Chrome browser, including where and how they are spending their time and other useful details about their Chrome environment. This version is also a recommended way for parents to monitor their child’s online activity.


The closed version will only display an icon but the end user can’t access it.


Both versions’ IDs and URLs are available at the end of this post. Once the app is installed, every user who logs into their Chrome environment with their domain credentials will have the app automatically installed. The end user cannot override this setting. Make sure to save changes.

Next, we’ll get the GAT Shield companion app, which allows Shield to capture a snapshot from the user’s webcam should they violate an alert rule. The ID and URL for this app are also available at the end of this post. Please follow the same installation procedure as for GAT Shield for this companion app.

Now we must scroll down to the task manager setting and select ‘block users from ending processes with the Chrome task manager’. Be sure to save your changes.

In the next step, we’ll cover enabling serial number collection for Chrome devices. Please note this step requires the purchase of Google device manager. You can find out more information at the end of this post. GAT Shield can collect the serial numbers from the Chrome OS based device it is deployed to. This can be useful for asset tracking and ‘proof of use’ tracking.

To enable this feature, we need to configure some additional settings in the G Suite Chrome management console. First, ensure all devices are enrolled on your domain; this will not work for any device that isn’t. Also, make sure that GAT Shield is deployed. Secondly, navigate to the Chrome management window, then select Device Settings. Again you’ll have the choice to select either the root OU or a sub OU. Now, for verified access, set it to ‘enable for enterprise extensions’ and ‘enable for content protection’, and in addition add the following as the verified service account. This will also be at the end of this post to copy and paste over.

Remember to save when configured. Next, navigate to the chrome management section and select app management. Once there, search for the following app. You can find this code at the end of this post. Add it to your list of apps. Save when done.


Once the app is installed, double click on the listing for the new app, GAT Shield verifier. Select the user settings and set the switches as shown in the below image.

GAT Shield will now start reporting the device serial number in the Shield User/Device Geo Reporting section of the GAT Shield tool. Now you should have GAT Shield fully deployed.

 

Further Information and code:

Closed version ID/URL

    • ID : khbkdfddenodbcodjcnfpgogceaegjpa

    • https://ext.generalaudittool.com/extension/gatshield/hidden/update.xml

Open version ID/URL
  • Production version (Open User Interface, end users can see it) :

    • ID : ipjhmihnfkijoeogfaedonidfncegkfe

    • https://ext.generalaudittool.com/extension/gatshield/ui/update.xml

Shield Companion App(webcam support) ID/URL

  • id : lncmmomdcmcilmblgmnlinenbinjklgg

  • https://ext.generalaudittool.com/extension/shield_companion/update.xml

Google Chrome device management is required for serial number collection with GAT Shield.

For the verified service account please paste:

verified-access-api@gat-shield-va.iam.gserviceaccount.com

Shield Verifier ID –  ceiljdpelbjifndpnihkmhpebidiklnm

What Are My Users Searching on Gmail, Google, Youtube and Other Search Engines

In GAT Shield a word cloud is displayed to show queries being searched by your users. This helps to highlight what students and staff are searching for across different search engines.

Like GAT+, GAT Shield allows you to refine your search by selecting a User, Group, OU or domain and then selecting which search engine you are interested in. To do this click on the ‘Apply custom filter’ button on the top right corner of the page.


Select the search parameters that you are interested in viewing, for this example I’ve selected an OU structure, the Google search engine and searches after July 1st 2018.


Now, I will see all of the queries being entered into Google for the Marketing user OU.


I can then export this information to a CSV file.


See All Searches Happening on Your Organisation’s Chrome Devices and Chrome Browsers

In this how-to, we’ll be covering GAT Shield searches. We will show you how you can see all the searches happening on your organisation’s Chrome devices and Chrome browsers.

You can see the short video tutorial below:

In GAT Shield Searches, you’ll be able to see all the searches happening across your Chrome devices on your Chrome browsers. Here, you can see the query the user inputted, the search engine they used, how long ago they did the search and who it was. Clicking the ‘eye’ icon will allow you to see the details of that search in the GAT Shield instance details. You can get the Shield UUID. This is a unique ID that can be used in the User/Device Geo Reporting section to find the device the search was performed on.

In this example, we’ll use a filter to see if any searches from our domain contained the word ‘GitHub’. We’ll also name the filter ‘GitHub query’. Now if we apply and save this filter, it will be applied and can be used again from the ‘save’ tab.

Using the alert rules configuration section, you can add a rule that can detect searches and report them should they violate the rule. Here you can add a rule for searches. In this example, we’re using a regular expression to detect if a user types wolf or snake into a search engine. We’ve set it so that the rule will only be active for these two users. You can choose whether to only show a warning or also close their web page. With these buttons, you can report the site name, take a screenshot and/or a snapshot from their webcam at the time of the search.
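How the expression is written decides how many false alerts the wolf/snake rule raises. The following is an added example, not taken from GAT Shield: both patterns and the sample search URLs are constructed, and it assumes the rule is tested against the query text using JavaScript-style regular expressions.

```javascript
// Added illustration; patterns and sample URLs are constructed.
// Assumes JavaScript-style regex matched against the query text.

// Plain alternation: case-sensitive, matches inside longer words.
const naive = /wolf|snake/;

// Whole words only, any letter case.
const bounded = /\b(?:wolf|snake)\b/i;

// Pull the query text out of a search URL. "q" is used by Google and
// Bing, "search_query" by YouTube; URL decoding is done by searchParams.
function queryFromUrl(url) {
  const params = new URL(url).searchParams;
  return params.get("q") || params.get("search_query") || "";
}

// Constructed sample searches.
const sampleUrls = [
  "https://www.google.com/search?q=wolfram+alpha+integral",
  "https://www.google.com/search?q=Snake+bite+first+aid",
  "https://www.youtube.com/results?search_query=grey%20wolf%20documentary",
  "https://www.bing.com/search?q=snakeskin+boots",
  "https://www.google.com/search?q=weather+tomorrow",
];

// For each search, report which pattern would raise an alert.
function compare(urls) {
  return urls.map((u) => {
    const query = queryFromUrl(u);
    return { query, naive: naive.test(query), bounded: bounded.test(query) };
  });
}

for (const row of compare(sampleUrls)) {
  console.log(row.query.padEnd(26), "naive:", row.naive, "bounded:", row.bounded);
}
```

The plain alternation alerts on "wolfram alpha integral" and "snakeskin boots" and misses "Snake bite first aid"; the bounded, case-insensitive form alerts only on the two searches that contain the words themselves.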


We hope you found this post helpful. If you have any questions, please don’t hesitate to reach out to us via email (support@generalaudittool.com) or live chat.