Google Cloud Print Auditing

Using GAT+, it’s possible as an Admin to audit your domain’s cloud print environment.

From the ‘Home Page’, selecting ‘Printers’ will take you to the printer queue audits.

Once there you have the usual wide range of GAT search selection criteria.

GAT lets you search under a wide range of search options.

You can see all “Printer jobs”

 

Enter the Printer jobs tab to see all queued and completed prints; here you can view the details of each print. For each print job, you will see the email of the user who initiated the print, the date of the print job and the title of the file.

There is an option to remove the print job if it’s still in the print queue.

In User audit, Print tab, you will see full details of the print jobs by your users, summarized.

Here you can sort your users by details such as the number of jobs printed, printers they have access to, last time they printed, etc.

With the GAT Google Cloud Print audit, another important data leakage gap has been closed: information leaving the premises in hard copy. In-house printers are of course covered by local printer server management and audit software, but Cloud Print opened up a new avenue, allowing direct printing to any Chrome-enabled PC with a printer. This printing was ‘off the radar’ until now.

Auditing Cloud Print also fills an important accounting need for educational organizations who have adopted Cloud Print widely. This will allow Admins to allocate costs appropriately.

Internet Censorship in Schools: Block Bad Language

Amplified IT have produced a spreadsheet which is now widely used in many schools as the basis of their Reg. Ex. searches for bad or homophobic words.
We have slightly added to each of the four reg. ex. rules they published and made them available as templates for all our educational domains using GAT Shield.

Schools who use these can now apply them in Shield with just a click of a mouse. Our templates also contain many other useful examples that can be used and expanded upon by Admins.

Review the words covered by the different Amplified IT templates

GAT Shield - Amplified IT Rule Templates.

Calendar Audit

Calendar Discovery

GAT+ supports full domain wide automatic calendar discovery and exposure classification.

GAT discovers all calendars, even those imported automatically. It also classifies them by exposure type.

Here’s a short video tutorial about the Google Calendar Audit

 

You can click on the Apply Custom filter button to search for a particular calendar.

There are a multitude of different search operators you can use and also combine together to find the right calendar.

 

User Audit, Calendar Tab

In addition GAT has extended the User audit to show the numbers of calendars per user and the number of events per user, both past and scheduled.

The values under Calendars, Past events, Future events and Total columns are all clickable. Clicking on any value will take you to the Calendar audit section so you can view those events in detail.

 

Event Discovery

In addition to the automatic calendar discovery, GAT can report on domain-wide automatic event discovery.

With the addition of ‘events’ reporting, Admins can now examine the past and future appointment list of users on the domain. This can be particularly useful for departing employees who may have future appointments management need to be aware of.

Managing Past/Future events:

  • Ability to delete an instance of an event
  • Ability to delete all recurring events
  • Remove users from events and/or recurring events

 

Delegated Audits – Notes to Delegated Audit Admins

If you have been nominated as a delegated auditor by the Domain Super Admin, you can now audit all the documents (and possibly emails) of the group over which you have been given audit authority.

To start an audit, select the ‘More’ menu you see at the top of your G Suite screen.

 

Select one or other of ‘General Audit Tool – Email Extension’ or ‘General Audit Tool for Google Apps’

This will now bring up an Audit screen. From here you can audit both your own environment and those of the other members of the group. You will see a screen similar to below.

 

 

Depending on your environment ‘Emails’ may or may not be present.

This tool lets you see where all the documents of your group are being shared to or from. It also allows you to search through all the documents of the group for certain key-words. You can schedule reports to be alerted to certain events, such as documents being shared outside the domain. In fact what you can be alerted to is almost endless. 

 

If you are a line manager you may be interested in using the tool to see what your staff are doing in terms of productivity.

Start by selecting the ‘Docs Audit’; the result will cover all the members of your group.

How many documents are employees creating and sharing on a daily basis?

 

 

Let’s start with ‘Documents Created’ and let’s look at the results for today (we can expand to weekly and monthly by moving the ‘From’ date further back).

In the Docs Audit tool, we pick documents created and enter today’s date.

This shows 18 new items in total: 2 word docs, 2 files uploaded, 5 folders, 7 spreadsheets, and one item thrown to trash. Of these, only one was an internal collaboration (in yellow). Clicking on any number shows you exactly those documents in full detail.

 

But that is not the whole story for the day’s work.

How many documents did the staff work on? For this, we select ‘Document’s Changed’.

Here we see the number has grown bigger, for while the staff created 18 documents today, they actually worked on 38.

Again the breakdown is as described above except now we know three of those documents were external and shared ‘In’, 1 was public, 1 was public with link, 1 was an external collaboration and 12 were internal collaborations.

But even this is not the whole story, how many documents did our staff actually look at today?

For the answer to this question we select ‘Document’s Viewed’.

Here we see they viewed 48 documents, of which 4 were shared in and 4 shared out. So that’s 8 separate items of external collaboration.

In the case of each search, the document listings are shown in some detail below. However, you can also save the reports as a Google spreadsheet, or download them as a spreadsheet to your PC (these report listings have even more detail).

 

If your department or group has costs allocated against it for space usage, you are going to be interested in how much ‘space’ you are using.

Cost – To answer the cost question simply click on the icon showing the 2 ‘uploaded files’

 

 

In this case, it shows one of those files was trashed (but it’s still taking up your ‘paid for’ space) and the size of the two files was just 6.3 kB.

To see the drive space used by each user simply click on ‘View all Users’ from any screen.

You can then sort up or down based on the column ‘Docs Quota’

 

 

Security – how do we address that?

We can see we have been addressing security at every stage of the process, identifying clearly files that are shared ‘In’ or ‘Out’, made ‘Public’ or even just shared ‘Internally’. Security is inherent to every part of our reporting process. You will see as you run the reports who owns the files, who they are shared with, who can edit them, who has updated them and who has visited them.

All of this detail is also reported in the spreadsheet that can be generated as part of a daily audit, a weekly audit or a monthly audit (in fact you can set the window to be any period you choose).

 

How do I get this type of information sent to me daily?

Two simple steps 1) Filter (as above) and 2) Schedule.

We show you how to set up a Policy or an Audit and have the right people notified in our post ‘Using GAT to detect a sharing policy violation’.

Footnote: On Engagement

Audit engagement in the General Audit Tool

G Suite Admin Guides Chrome Management

(See Granting GAT Additional Access rights and GAT Device Audits also)

Google Chrome Management

G Suite provides device management for Chrome OS devices and also lets you manage the Chrome browser (installing apps, managing security settings etc.) on PC and Mac.

Management is all done through the G Suite Admin Console

There is an additional licence required to manage Chrome OS devices, however, managing the Chrome Browser on PC and Mac is included as part of your G Suite for Business licence.

Note: When associating a name with a Chrome Device in the Admin panel, use the user email address from your domain. This will enable GAT to link the device with the user reports and allow cross reporting.

Managing the Chrome Browser

Note: If you wish to use Chrome Management on PC or Mac the Chrome Browser must be installed using the Chrome for Business MSI package which can be downloaded here

Chrome Management settings are accessed by logging into the G Suite Admin Console (https://admin.google.com) and going to Device Management > Chrome.

To manage the Chrome Browser settings click on “User Settings”. These settings apply both to the Chrome Browser on PC/Mac (installed using the .msi) and to the Chrome Browser on managed Chrome OS devices.

From here you have options to:

  • Allow or block particular types of Chrome apps and extensions
  • Pre-install Apps and Extensions
  • Choose which Apps and Extensions are Pinned to the Chrome Launcher
  • Manage the Chrome Web Store experience
  • Adjust Security Settings (like use of the password manager, incognito mode, browser history etc)
  • Set a proxy server
  • Set a Homepage and Pages to Load on Startup
  • Allow or Block certain types of content (such as cookies, JavaScript, Plugins etc.)

Managing Chrome OS devices

The other screens under “Chrome” are exclusively for Chrome OS devices and require a separate licence from Google.

 

With Chrome OS devices you have options to configure

  • Public Sessions – Configure settings for public session mode.
  • Device Settings – Enforce device enrollment, enable or disable Guest Mode, restrict sign-in to a set list of users etc.
  • Network Settings – Configure WiFi, Ethernet and VPN settings.
  • Devices – View and audit enrolled Chrome OS devices.

 

Enrolling Chrome devices that have already been used

You first need to enrol your Chrome devices in order to enforce on them the policies set in your Admin console. Each device you enrol adheres to the Chrome settings you set in the Admin console until you wipe or recover the device. Note that if you “powerwash” the device, you will not be able to enrol it. If you need to reset the device, see Wipe device data.

New devices should always be manually enrolled. Devices that have been previously enrolled, deprovisioned, wiped and placed back into pending are eligible for automatic enrollment if the policy is enabled.

 

See this link below for more details.

 

Related Resources:

Filter Chrome users by latitude or longitude with GAT Shield

How to Whitelist Third Party Apps

A frequent request we get is, ‘Can we ban all third-party apps and only allow (whitelist) the ones we want?’ That is now possible in G Suite and can be refined using the General Audit Tool.

As a Super Administrator go to the G Suite Admin panel

From here, under ‘G Suite’, find the settings for Drive, General settings. Once there disable ‘Allow users to install Google Drive apps’.

Once done, only Super Administrators can add third-party apps to the domain.

Return to the Admin panel and select ‘Marketplace Apps’

Clicking on the ‘Add apps’ icon (shown above on right) allows you to select the appropriate third-party apps that you wish to allow to run on your domain.

Once you have added an App for your domain you can further refine the App use policy by using the GAT ‘Apps’ audit tool.

From there select the Apps you have allowed …

Add additional policy to that App by clicking on the ‘+’ symbol in the listing and allowing or banning the app for a User, Google Group or Organization Unit.

See here for a detailed explanation of that process. 

Seeing Everyone’s Future – Getting Many Calendar Event Reports at Once

We recently introduced a greatly enhanced calendar audit. In addition to auditing the security and exposure of calendars, you can also audit calendar events, past and future. As with all GAT audits, you can audit for user, group, OU or the entire domain. This tech tip is a great way to see what everyone is planning going forward.

In the Calendars Audit, select the ‘Events’ tab.

  1. Set the period to ‘future’, this will show all forward events set for the next year.
  2. Ask to see only those created today (Select from today’s date, no need to put an end date)
  3. Click ‘Search’, it does not matter if no events are returned, a search chip has been created.
  4. This is the search chip, which we pass to the scheduler.
  5. To have this run every day, select ‘Schedule’

In ‘Schedule’ you can customize how and when you want to run this report.

In the example above we decided to run it as a policy, meaning it will only report when there is something to report.

We also created a custom Cron expression (click on the ‘Add your Cron expression’ link to be taken to a page which builds the Cron expression for you; you can then paste this into the ‘Scheduler’ field). In our case, we chose to run it every day at 07.58 am.

This will give you a daily report, for all new future events created yesterday. 

How to Save Your GAT Searches for Later Use

One of the nice things about the General Audit Tool is that you can build detailed and complex searches. These searches can then be saved for use as audits, policy checks, or simply to be used again to save time.

In this tech tip, we are going to look at saving a search.

First, let’s build a ‘complex’ search.

In the screenshots below, I am building a search for all documents owned by members of the group ‘sales@bsn.ie’, however, I want to exclude the member of the group sales called ‘robert@bsn.ie’.

I would also like to narrow my search to spreadsheets only.

Finally, I’d like to save this whole search for later use as a single ‘click’

1) Find all documents owned by the group ‘sales’.

‘Clear Filter’ to start a fresh search.

2) Find all documents owned by the user ‘robert’ (remember to click ‘Search Documents’).

3) When the results are returned, negate that search to give us all documents not owned by the user ‘robert’.

4) Select ‘Clear Filter’ again and search for only spreadsheets in the domain.

5) Go to ‘Recent Filters’ and combine the last three searches using the ‘AND’ operator – click ‘show’.

6) This builds the single complex chip which you would like to save for future use. Select ‘Schedule/Save’ in order to preserve this search string.

7) Instead of scheduling the job as you would normally do, simply ‘Disable’ the job and click on ‘Update’.

This search chip will then be preserved for you.

8) When you run the General Audit Tool in the future, the complex chip you just built will be loaded automatically for you in ‘Recent Filters’.

Simply click on it to run at any time.

Groups Audit Explained

GAT supports a separate audit for Groups. The purpose of this audit is two-fold. It will report on the ownership, membership and access rights for each group, along with details like aliases, managers etc.  It can also be used to detect and report new or changed groups. These are important security features.

You can search and filter by a range of criteria

You can manage the groups directly

Clicking on the group name will take you directly to the Google Group management console.

Groups with a large number of members will have the members hidden by default

Clicking on the number will show the full list of members.

The GAT Groups audit also shows some important sharing and collaboration information concerning the group and the collective membership of the group.

In this part of the audit there are six column titles; moving the mouse cursor over each column title pops up a tool-tip explaining the information in the column.

The following are extended explanations

%Docs – The percentage of total docs in the domain used by members of this group. (Note: ‘used’ is more inclusive than ‘owned’, representing all the documents they have access to.)

%In – The percentage of total ‘shared in’ documents in the domain, shared into members of this group.

%Out – The percentage of total shared-out documents in this domain shared out by members of this group

#Group Docs – Shared documents created by members of this group (private only documents are excluded).

#Shared to Group – The number of documents owned by members of the group that have been shared explicitly to the group (i.e. to the group name). This gives a good idea of how engaged the members of the group are with sharing with the rest of the group in total.

#Shared to Members – The number of documents owned by members of the group shared to at least one other member of the group.

These last 6 figures give important information about the behaviour of the group, as a group, with respect to Google Drive.  They can be key indicators for group level collaboration.
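The six columns above can be worked through on a small document inventory. This is an added example, not GAT's own code: the `Doc` record, the `example.com` domain, the sample documents and the exact reading of each column (for instance, counting only explicit member-to-member shares under #Shared to Members) are assumptions made for illustration.

```python
from dataclasses import dataclass

DOMAIN = "example.com"  # constructed domain, not from the page


@dataclass(frozen=True)
class Doc:  # hypothetical inventory record: owner plus addresses it is shared to
    owner: str
    shared_with: frozenset = frozenset()


def is_external(addr):
    return not addr.endswith("@" + DOMAIN)


def pct(part, whole):
    return round(100 * len(part) / len(whole), 1) if whole else 0.0


def group_metrics(docs, group_addr, members):
    """Compute the six Groups-audit columns for one group (assumed reading)."""
    members = set(members)

    def used(d):  # 'used' = owned by, or accessible to, a member of the group
        return (d.owner in members or group_addr in d.shared_with
                or bool(d.shared_with & members))

    shared_in = [d for d in docs if is_external(d.owner)]
    shared_out = [d for d in docs if not is_external(d.owner)
                  and any(is_external(a) for a in d.shared_with)]
    owned = [d for d in docs if d.owner in members]
    return {
        "%Docs": pct([d for d in docs if used(d)], docs),
        "%In": pct([d for d in shared_in if used(d)], shared_in),
        "%Out": pct([d for d in shared_out if d.owner in members], shared_out),
        "#Group Docs": sum(1 for d in owned if d.shared_with),  # private excluded
        "#Shared to Group": sum(1 for d in owned if group_addr in d.shared_with),
        # Explicit member-to-member shares only; a share to the group address
        # is counted under '#Shared to Group' instead (assumption).
        "#Shared to Members": sum(
            1 for d in owned if d.shared_with & (members - {d.owner})),
    }


GROUP = "sales@example.com"
MEMBERS = ["alice@example.com", "bob@example.com"]
SAMPLE_DOCS = [  # constructed sample data
    Doc("alice@example.com"),                                   # private
    Doc("alice@example.com", frozenset({GROUP})),               # to the group
    Doc("bob@example.com", frozenset({"alice@example.com"})),   # to a member
    Doc("bob@example.com", frozenset({"partner@other.org"})),   # shared out
    Doc("carol@example.com", frozenset({"dave@example.com"})),  # non-members
    Doc("vendor@other.org", frozenset({"bob@example.com"})),    # shared in
    Doc("vendor@other.org", frozenset({"carol@example.com"})),  # in, non-member
    Doc("carol@example.com", frozenset({"client@other.org"})),  # out, non-member
]

if __name__ == "__main__":
    for column, value in group_metrics(SAMPLE_DOCS, GROUP, MEMBERS).items():
        print(f"{column:20} {value}")
```

A low #Shared to Group next to a high %Out is the pattern worth a closer look: the group's members share more outside the domain than with each other.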

Google+ Audits with GAT+

 

 

 

Google+ is a straightforward audit API from Google, but GAT tries to do what it always does best, bring you the maximum detail in the minimum number of search actions.

With our GAT+ audit, all the columns and search criteria are self-explanatory; all you need to do is pull the figures you are looking for.

We are also folding the Google+ audit, along with most of our other audits into our ‘User Centered’ audit.

From the Home Page, under the ‘Users’ audit

 

 

Select the Google+ Tab and search for any user, group or OU to see the Google+ detail for that individual or range of individuals.

The search context is preserved as you move across the tabs.

GAT has always had a User audit, and over 2013 we gradually expanded this as we realized our Admins want to audit people, not just functions.

Through the user audit GAT has pivoted 90 degrees to give you the full audit view from the user perspective.