Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition
From the security health page, you can monitor the configuration of Google Drive settings for your organization.
Before you begin
For the steps to get to the security health page in the Admin console, go to Get started with the security health page.
On this page
- Drive sharing settings
- Warning for out-of-domain sharing
- Access Checker
- Drive add-ons
- Access to offline docs
- Desktop access to Drive
- File publishing on the web
Drive sharing settings
You can confine Drive sharing within the boundary of your domain, or allow sharing outside of your domain.
If you set up trust rules, recommendations related to Drive sharing settings won't be available on the security health page. For more information, go to Create and manage trust rules for Drive sharing.
Supported editions: Enterprise Plus, Education
Setting | Drive sharing settings |
Status | Specifies the number of organizational units where Drive sharing is enabled |
Recommendation |
Confine file sharing to your domain to reduce data leaks and data exfiltration risks. If sharing is required outside of a domain because of business needs, you have the flexibility to define how sharing is done by individual organizational units, or you can designate allowlisted domains. |
If you turn off Drive sharing | Users won’t be able share files outside of the domain. |
Turn off file sharing outside of your domain
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsGoogle WorkspaceDrive and Docs.
- Click Sharing settingsSharing options.
- Click Off.
For more details and instructions for changing your Drive sharing settings, go to Manage external sharing for your organization.
Warning for out-of-domain sharing
You can configure Drive settings to warn users when they share a Drive file with users outside the domain.
If you set up trust rules, recommendations related to Warning for out-of-domain sharing won't be available on the security health page. For more information, go to Create and manage trust rules for Drive sharing.
Setting | Warning for out-of-domain sharing |
Status | Specifies the number of organizational units where Drive sharing is turned on |
Recommendation |
Turn on a warning when one of your users tries to share a file outside of your domain. This allows your users to confirm whether this action is intentional and reduces the risk of data leaks. |
Effect on your users |
When an authorized user attempts to share a file outside the domain, a warning message prompts them to confirm the sharing action. This reduces the risk of accidental data leaks. |
Turn on a warning for out-of-domain sharing
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsGoogle WorkspaceDrive and Docs.
- Click Sharing settingsSharing options.
- In the Sharing options section:
- If you choose Allowlisted Domains, also check the Warn when files owned by users or shared drives in your organization are shared with users in allowlisted domains box.
- If you choose On, also check the Warn when files owned by users or shared drives in your organization are shared outside of your organization box.
For additional instructions, go to Manage external sharing for your organization.
Access Checker
When a user shares a file using a Google product other than Google Docs or Drive (for example, by pasting a link in Gmail), Google checks that the recipients have access. If not, when possible, the user can choose a file-sharing option:
- Recipients only, your domain, or public (no Google account required)
- Recipients only, or your domain
- Recipients only
Under Access Checker in the Google Admin console, you can choose one of the previous three options.
Setting | Access Checker |
Status | Specifies the number of organizational units where Access Checker is configured for Recipients only. |
Recommendation |
Configure Access Checker for Recipients only for all organizational units. This gives you control over the accessibility of links shared by your users and reduces the risk of data leaks. |
Effect on your users | When users share a link to a resource (for example, a Drive file), Google will prompt the user if the recipients don’t have access and suggest the configured sharing scope. |
Configure Access Checker
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsGoogle WorkspaceDrive and Docs.
- Click Sharing settingsSharing options.
- At the root organizational unit, under Access Checker, choose Recipients only.
For more details and instructions, go to Manage external sharing for your organization.
Drive add-ons
Drive add-ons allow users to use Google Docs features built by other developers.
Setting | Drive add-ons |
Status | Specifies the number of organizational units where users are allowed to install add-ons for Docs from the add-on store |
Recommendation |
To reduce the risk of data leaks, do not allow users to install add-ons for Docs from the add-on store. To support a specific business need, you can deploy add-ons for Docs that are aligned with your organizational policy. |
Effect on your users |
If you turn off this setting, your users won’t be able to install Docs add-ons. This setting does not affect your users' ability to install add-ons from Google Workspace Marketplace. |
Disallow the installation of Drive add-ons
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsGoogle WorkspaceDrive and Docs.
- Click Features and Applications.
- Click Add-Ons.
- Uncheck the Allow users to install Google Docs add-ons from add-ons store box.
- Click Save.
For more details and instructions, go to Allow or restrict add-ons in Docs editors.
Access to offline docs
You can allow users to turn on offline access to docs. When docs are accessible offline, a copy of the document is stored locally.
Setting | Access to offline docs |
Status | Specifies the number of organizational units where access to offline docs is turned on. |
Recommendation |
To reduce the risk of data leaks, turn off access to offline docs. If you have a business reason to allow access to offline docs, turn on this feature by organizational unit to minimize risk. |
Effect on your users | If you turn off this setting, your users won’t be able to access offline docs. |
Turn off access to offline docs
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsGoogle WorkspaceDrive and Docs.
- Click Features and Applicationschoose Control offline access using device policies.
If managed device policies are not set, all users will lose access to offline documents on all devices.
Desktop access to Drive
You can let users sync and access their Drive files on their computers by setting up Drive for desktop for your organization.
Setting | Desktop access to Drive |
Status | Specifies the number of organizational units where desktop access to Drive is turned on |
Recommendation |
To reduce the risk of data leaks, limit or turn off access to Drive for desktop. If you decide to allow desktop access, turn it on only for users with a critical business need and allow it only on authorized devices. |
Effect on your users | If you turn off this setting, your users won’t have desktop access to Drive. |
Turn off desktop access to Drive
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsGoogle WorkspaceDrive and Docs.
- Click Google Drive for desktopEnable Drive for desktop.
- Uncheck the Allow Google Drive for desktop in your organization box.
For more details and instructions, go to Set up Drive for desktop for your organization.
File publishing on the web
You can turn file publishing on the web on or off for your users.
Setting | File publishing on the web |
Status | Specifies the number of organizational units where file publishing on the web is turned on |
Recommendation |
To reduce the risk of data leaks, turn off file publishing on the web for all organizational units. |
Effect on your users |
Users in designated organizational units are allowed or not allowed to publish files on the web. Disabling file publishing does not revert publishing actions already taken by users. Any new sites published aren't visible to external users. |
Turn off file publishing on the web
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsGoogle WorkspaceDrive and Docs.
- Click Sharing settingsSharing options.
- Uncheck the When sharing outside of your organization is allowed, users in your organization can make files and published web content visible to anyone with the link box.
For more details and instructions, go to Manage external sharing for your organization.