
Ten Ways to Configure the Google for Education Admin Console to Secure Your Domain

Updated: Apr 11



Securing your Google for Education Admin console is a critical step in protecting your institution’s data, ensuring privacy, and maintaining a safe and secure digital learning environment. The Google for Education Admin console is a powerful control panel that allows IT administrators to manage users, devices, apps and security settings across their domain. 



Verify Your Domain and Save Time With the Student Information System (SIS) Register Import


Once you have signed up for Google Workspace for Education and verified your domain, you can then start provisioning your users and defining your domain structure. You can automatically provision users, groups and contacts based on the user data in your LDAP server with Google Workspace directory sync.


Configuring domain authentication protocols such as SPF, DKIM and DMARC prevents your institution’s legitimate outgoing emails from being marked as spam by receiving servers. Domain authentication also stops spammers from impersonating your organisation by spoofing or phishing.



Differentiate Services for Users With Organisational Units and Google Groups

Organisational units let you segment your user population and give different services and permissions to different organisational units. For example, separating student and staff accounts into different organisational units allows IT administrators to turn off mail for students and leave it on for staff. 

 

Organisational units follow a parent-child waterfall structure. Child organisational units inherit the settings from the parent, but can be changed to fit the needs of the child organisational unit. Some schools separate users per year group and others by user profiles or schools. Placing devices and shared drives in their own organisational units makes it easier to manage setting changes and secure infrastructure. 


Organisational units are great for setting up general access for various user profiles, but sometimes, certain users need customised app access. Users can only sit in one organisational unit, but can belong to multiple groups. Placing users in access groups can be a great way to manage a subset of privileges, such as giving the student IT digital leaders access to Google Chat but turning it off for all students at an OU level.


In general, education institutions restrict group creation to admins only. Regularly reviewing permissions granted to individual users and groups ensures policy compliance and privacy.
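How the parent-child inheritance and the group exception described above combine, and how to list the users a permissions review should look at, as an added example that is not part of the original article. It is a constructed model, not the Admin console's own code; the OU paths, group address and user addresses are made up.

```python
# Constructed model: OU paths, per-OU service switches and one access group.
OU_SETTINGS = {
    "/": {"chat": True, "gmail": True},
    "/Students": {"chat": False, "gmail": False},
    "/Students/Year 10": {},              # inherits everything from /Students
    "/Staff": {},                         # inherits everything from the root
}
GROUP_ON = {"digital-leaders@school.example": {"chat"}}  # services a group turns on
USERS = {  # user -> (the one OU the user sits in, groups the user belongs to)
    "amy@school.example": ("/Students/Year 10", ["digital-leaders@school.example"]),
    "ben@school.example": ("/Students/Year 10", []),
    "ms.khan@school.example": ("/Staff", []),
}

def ou_setting(ou, service):
    """Walk from the child OU up to the root; the nearest explicit value wins."""
    while True:
        if service in OU_SETTINGS.get(ou, {}):
            return OU_SETTINGS[ou][service], ou
        if ou == "/":
            return False, None            # set nowhere: treated as off in this model
        ou = ou.rsplit("/", 1)[0] or "/"

def effective(user, service):
    """Return (enabled, source), where source is the OU or group that decided."""
    ou, groups = USERS[user]
    enabled, source = ou_setting(ou, service)
    if not enabled:
        for group in groups:
            if service in GROUP_ON.get(group, set()):
                return True, group        # the group exception overrides the OU
    return enabled, source

def group_granted(service):
    """Users who hold a service only through a group: the list to review."""
    return sorted(u for u in USERS if effective(u, service)[1] in GROUP_ON)

if __name__ == "__main__":
    for user in USERS:
        print(user, effective(user, "chat"))
    print("review:", group_granted("chat"))
```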





Secure Access With Strong User and Domain Authentication


Strong authentication processes ensure that only authorised individuals have access to sensitive data and systems. As an administrator, you can control how long different users can access the Google Cloud console and Cloud SDK without having to re-authenticate. For example, you might want users with elevated privileges, such as headteachers, to re-authenticate more frequently than regular users such as students. Weak passwords are a common vulnerability within schools. Enforce strong passwords by setting a minimum password length (e.g. 8-12 characters) and requiring a combination of uppercase letters, lowercase letters, numbers, and symbols. Setting periodic password expiration for high-risk accounts such as admin accounts is also advisable.


Implementing multi-factor authentication further enhances security and you can make 2SV mandatory for specific organisational units (OUs) or all users in your domain. This is particularly important for sensitive accounts, such as administrators and staff members who have access to student data.



Limit and Control Admin Access

Google administrator roles allow designated individuals to perform various administrative tasks, such as managing users, configuring security settings, and ensuring compliance with organisational policies. Super Admins have access to all features in the Google Admin console and Admin API and can manage every aspect of your organisation's account, including sensitive data and settings. The super admin role should only be assigned to trusted, high-level personnel, like IT Directors and Headteachers. 


Assigning custom admin roles gives users the tailored permissions they need to perform their duties. For example, a "User Management Admin" should not have access to modify security settings or manage devices. Designated users, such as education leaders and support staff, may need to temporarily visit a class to support teachers and students and perform the actions a co-teacher can do in Google Classroom. To utilise this feature, a user needs an Education Plus licence assigned as well as a custom admin role with the manage class privilege. 


Classroom analytics is useful for educational leaders and specialists to get better visibility into Classroom data, including if assignments are being completed, how grades are trending, and how Classroom is being adopted. This functionality can be designated to Education Plus users by assigning the “View analytics data for users and their classes” privilege to users through a custom admin role.


Admin activity can be monitored by setting up alerts for changes made by admin accounts, especially for sensitive actions such as modifying user roles, deleting accounts, or changing security settings.
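The alerting logic described above, run over exported admin audit events, as an added example that is not part of the original article. The events are constructed in the shape of Admin SDK Reports API activity items; the watched event names, the super admin role name and the approved-admin list are assumptions to check against your own export.

```python
# Constructed sample shaped like Admin SDK Reports API "admin" activity items.
WATCHED = {  # event names are assumptions; match them to your own audit log
    "ASSIGN_ROLE": "admin role granted",
    "DELETE_USER": "account deleted",
    "ENFORCE_STRONG_AUTHENTICATION": "2SV enforcement changed",
}
SUPER_ADMIN_ROLE = "_SEED_ADMIN_ROLE"  # assumed name of the super admin role
APPROVED_ADMINS = {"it.lead@school.example", "helpdesk@school.example"}

def activity(time, actor, name, **parameters):
    """Build one constructed activity item holding a single event."""
    return {"id": {"time": time}, "actor": {"email": actor},
            "events": [{"name": name, "parameters":
                        [{"name": k, "value": v} for k, v in parameters.items()]}]}

ACTIVITIES = [
    activity("2024-04-11T08:02:11Z", "it.lead@school.example", "CREATE_USER",
             USER_EMAIL="new.pupil@school.example"),
    activity("2024-04-11T09:15:40Z", "it.lead@school.example", "ASSIGN_ROLE",
             USER_EMAIL="supply.teacher@school.example", ROLE_NAME=SUPER_ADMIN_ROLE),
    activity("2024-04-11T10:30:05Z", "helpdesk@school.example", "DELETE_USER",
             USER_EMAIL="leaver@school.example"),
    activity("2024-04-11T23:47:52Z", "temp.admin@school.example",
             "ENFORCE_STRONG_AUTHENTICATION", NEW_VALUE="false"),
]

def find_alerts(activities, approved_admins=APPROVED_ADMINS):
    """Return one alert per watched event, raised to 'high' for a super admin
    grant or for an actor outside the approved admin list."""
    alerts = []
    for item in activities:
        actor = item["actor"]["email"]
        for event in item["events"]:
            if event["name"] not in WATCHED:
                continue
            params = {p["name"]: p["value"] for p in event.get("parameters", [])}
            high = (actor not in approved_admins
                    or params.get("ROLE_NAME") == SUPER_ADMIN_ROLE)
            alerts.append({"time": item["id"]["time"], "actor": actor,
                           "event": event["name"], "reason": WATCHED[event["name"]],
                           "target": params.get("USER_EMAIL"),
                           "severity": "high" if high else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(ACTIVITIES):
        print(alert)
```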



Manage and Secure Sharing User Data


Data privacy is critical in an educational setting, particularly when it involves minors. You can limit who can share data, how data is shared, and with whom.


Data retention policies on Google Vault preserve data as needed. 



Within Google Drive’s application settings you can restrict file sharing to your domain only and prevent sensitive data from being shared externally as required. Sharing settings can be differentiated by groups or organisational units.


The default settings, when directory is enabled, allow users to find the profile information of other users using autocomplete lists, contacts, and searches. Configuring up to 100 custom directories and assigning directories by organisational unit restricts the profile data that users have access to.



Configure App Settings to Ensure Data Protection

In Google Meet, restricting students from creating video calls ensures video calls are hosted with teachers present. Tracking chat history and managing who can create spaces are other ways to ensure safe digital communication channels within a school context. Existing Google Groups and their default settings can be secured to ensure unnecessary access is not shared. Conversation visibility in groups can be limited to owners and managers by default, which means that conversations are not accidentally searchable by students or the public.



In addition, Google Calendar settings can be changed to ensure the default sharing settings are private to the user or domain. For example, if you limit your organisation's external sharing to Free/Busy and a calendar is shared with others, they will only see events as “busy.”

With app access control settings, Google Workspace for Education admins have enhanced control over how third-party applications (apps) interact with their organisation's Google data when users sign in using their Google Workspace for Education accounts. Admins can limit the scope of data that third-party apps can access by configuring API access restrictions. 


Secure Devices and Endpoints

Google for Education is widely used on Chromebooks, which are inherently secure, but further management options are available through Chrome Education Upgrade licences. Enrolling ChromeOS devices into a domain allows administrators to enforce device policies such as sign-in and download restrictions and controlling which websites and apps are accessible. Administrators can also enable automatic updates to ensure Chromebooks are protected against known vulnerabilities. ChromeOS device auto-updates have increased from 8 to 10 years.


ChromeOS devices can be used for secure digital testing options such as locked mode with Google Forms quiz features. Configure user data settings to “Do not erase local user data” for the duration of the assessment period to avoid student data loss if the device needs to be rebooted or loses power. 


ChromeOS device management is key for tracking lost devices or preventing theft by forcing devices to re-enrol. If the device is enrolled in your organisation, you can remotely wipe local device and user data for troubleshooting, data removal, or other reasons. 


Google’s mobile device management (MDM) features enforce security policies on Android or iOS devices. It's advisable to require device encryption to protect sensitive data on mobile devices. In the event of a lost or stolen device, wiping an account from a device ensures that your institution’s data is not exposed.



Monitor and Respond to Security Events


Configuring security alerts allows administrators to proactively monitor and respond to potential threats. You can set up email notifications for suspicious activities such as failed login attempts, password changes, or changes to security settings.


By utilising the security health page with Education Plus and Standard, you can gain insights into your domain's security posture and take proactive steps to mitigate potential threats. Some of the domain risks assessed by the security health page include external sharing, unauthenticated email, and unencrypted email connections.



Compliance and Privacy

Domain administrators can leverage predefined templates when creating data protection rules. These templates offer a list of recommended rules for Google Chat, Drive, and Chrome activities to prevent data leaks from messages, attachments, uploaded files, and images. Data loss rules can automatically scan emails and documents for sensitive information (such as student personal data or confidential school records) and restrict sharing or emailing of such data.



Regularly Update and Review Security Settings

The landscape of cyber threats is constantly evolving, so it’s essential to regularly update your security settings and protocols. By utilising the extensive features of the Google Admin console, IT administrators can create a secure, collaborative, and productive digital learning environment for students and staff alike. Stay informed about security updates by regularly checking the Google Workspace Updates blog and service notifications in the legal and compliance section of the admin console.
