Workspace Security Policies
Chrome Device Management Security Configurations
Google Workspace
Proprietary + Confidential
Overview
Implementing security best practices for Google Workspace is crucial for protecting sensitive information, complying with regulations, maintaining a good reputation, ensuring school continuity, and saving costs.
The following slides outline the recommended Google Workspace for Education settings to configure within your kura or school. ��We recognise some kura and schools may have particular configurations in place to suit the needs of their particular learning environment. In such cases, we respect that kura and schools may choose not to follow a specific recommendation.��
We’re so glad you’re joining us in updating your
Google Workspace policies.
Proprietary + Confidential
Need Help?
Use the direct link to the Admin Console page to jump straight to the setting.��Refer to the Help Centre Guide for further information
Select the video & join our Google experts who provide a short overview of the setting and answer common questions
Look out for Tips along the way
Tip!
Proprietary + Confidential
Settings
01
02
03
04
Chrome Devices
Apps & Extensions
Chrome Device settings
Chrome User Settings
�
Proprietary + Confidential
Chrome Devices
Proprietary + Confidential
End of Life Devices
Regularly check your school Chrome devices to ensure your aware of when they will reach the auto update expiration date. Have a plan in place for replacing expired devices.
Proprietary + Confidential
Proprietary + Confidential
Outdated versions of Chrome OS
Regularly check your devices ChromeOS version, and avoid having devices on old versions of ChromeOS to provide most up to date security, protection and features to your users.
Proprietary + Confidential
Proprietary + Confidential
Apps & Extensions Settings
Proprietary + Confidential
Apps & Extensions Allowlist
School Administrators should block all apps and only allow installation of applications they have approved via the application allowlist.
Tip! Enable the ability for users to request extensions
Proprietary + Confidential
Proprietary + Confidential
Android reporting for users and devices
Enable Android app reporting in the Google Admin console, to see if a force-installed app installed correctly on user devices, and which Android apps have been installed.
Proprietary + Confidential
Proprietary + Confidential
Chrome Devices Settings
Proprietary + Confidential
Force re-enrolment
Enable device force re-enrolment for school owned devices to ensure when a device is wiped, the device is automatically re-enrolled to the school domain.
Proprietary + Confidential
Proprietary + Confidential
Enable verified access
Enable additional protection of School Data by enforcing devices to require to be run in verified boot mode.
Proprietary + Confidential
Proprietary + Confidential
Restrict sign-in to domain managed users
For all School owned devices only allow sign in to devices for school users by restricting sign to your School's domain managed users
Tip! User *@yourdomain.org to restrict to domain users only
Proprietary + Confidential
Proprietary + Confidential
Enable automatic updates and Chrome variations
Enable automatic updates for chrome to ensure devices are kept up to date to the latest version of Chrome.
Proprietary + Confidential
Proprietary + Confidential
ChromeOS Updates - Allow reboots and enforce updates
Enable devices to automatically reboot to enforce ChromeOS updates to keep devices up to date automatically.
Proprietary + Confidential
Proprietary + Confidential
Report device OS information
By enabling OS reporting devices send their current OS state information such as OS version, boot mode, and update status.
Proprietary + Confidential
Proprietary + Confidential
Report device user tracking
Track recent users of your School devices by enabling tracking.
Proprietary + Confidential
Proprietary + Confidential
Prevent virtual machines and ADB sideloading
Prevent use of virtual machines to support Linux apps and ADB Sideloading.
Proprietary + Confidential
Proprietary + Confidential
Chrome User Settings
Proprietary + Confidential
Configure appropriate idle settings
Set idle settings to automatically logout the users or put the device to sleep after 10 minutes of inactivity.
Proprietary + Confidential
Proprietary + Confidential
Incognito Mode
Disable incognito mode to prevent users from using Chrome Browser in incognito mode.
Proprietary + Confidential
Proprietary + Confidential
SafeSearch and YouTube Restricted Mode
Apply the use of Google SafeSearch and restrict access to restricted Youtube content to protect students
Proprietary + Confidential
Proprietary + Confidential
Strict treatment for mixed content & control use of insecure content exceptions
Use strict treatment for Chrome browser and ChromeOS devices to treat insecure HTTP audio, video, and image mixed content.
Proprietary + Confidential
Proprietary + Confidential
Signing into secondary accounts
Disable school users from signing into secondary accounts allowing them to switch windows in the browser or Google Play store once they have logged into their device.
Proprietary + Confidential
Proprietary + Confidential
External storage devices
Disable school users from using external storage devices on School owned Chrome Devices.
Proprietary + Confidential
Proprietary + Confidential
Managed browser cloud reporting
Enable managed browser cloud reporting to get automatic browser profile and system information sent to the Google Admin console.
Tip! Force install the Endpoint Verification extension to complete reporting setup
Proprietary + Confidential
Proprietary + Confidential
Safe browsing protection level
Enable Safe Browsing in Chrome to help protect your School users from websites that may contain malware or phishing content.
Proprietary + Confidential
Proprietary + Confidential
Download restrictions
Prevents users from downloading dangerous files, such as malware or infected files by blocking all malicious downloads.
Proprietary + Confidential
Proprietary + Confidential
Password alert for re-use
If School users reuse their password on a website that you didn’t authorize, Chrome sends the URL to Google Safe Browsing to determine its reputation. If the website contains phishing content, users are prompted to change their password.
Proprietary + Confidential
Proprietary + Confidential
Sites with intrusive ads
Block ads on websites with intrusive ads to provide School users with a better browsing experience.
Proprietary + Confidential
Proprietary + Confidential
Relaunch Notification
Force Chrome Browser to relaunch after a specific time when an update has been installed to apply the update.
Proprietary + Confidential
Proprietary + Confidential
Linux virtual machines
Block School users from Linux virtual machine access.
Proprietary + Confidential
Proprietary + Confidential
Need Support?
Feedback
We would love to hear your feedback to hear how you went, and what improvements you would like to see.
Please send any feedback to digital.services@education.govt.nz
�
Proprietary + Confidential
You have completed one module!
Congratulations!
Proprietary + Confidential