Today’s post is the third in our four-part blog series on Google Apps advanced security. You can read part one here and part two here. The complete guide to Google Apps security can be downloaded here.
In the last two posts, we reviewed the security settings for Google Calendar, Drive, Sites and Contacts. Today, we will highlight the advanced security settings for Gmail.
You should use three DNS (domain name system) records to improve email deliverability and reduce spam sent from from your domain: SPF, DKIM, and DMARC. An SPF (sender policy framework) record identifies the mail servers authorized to send email for your domain. A DKIM (DomainKeys identified mail) record helps validate that an email was sent by a domain. The DMARC (domain-based message authentication, reporting and conformance) record specifies how to handle outbound email that doesn’t pass SPF and/or DKIM validation settings. DMARC helps reduce email spam and spoofing.
Learn more from Google about using SPF, DKIM and DMARC records.
People access email in many ways: via browsers on laptops, in Gmail on smartphones, and with POP/IMAP email clients on desktops. As Administrator, you may prevent offline access in the browser, prohibit mobile sync, and/or disallow access to email via POP/IMAP protocols. You can also disable automatic forwarding, to prevent people from forwarding email to other accounts. (If you used all of the above settings, people would need to access Gmail with a browser while online. Secure, yes—but likely not very convenient.)
Learn more from Google about offline Gmail access, mobile management (and sync), POP/IMAP access, and automatic forwarding settings.
Compliance and other security settings
You may configure Gmail to automatically delete or move email messages to “Trash” after a specific number of days. You may also configure a specific label to be used to prevent a message from being auto-deleted. For example, all emails labeled “keep” or “important” can be retained. People would need to apply the label to emails they wish to keep.
Some organizations choose to append a footer message to all email. Such footers typically contains either a legal notification or a marketing message. The contents of the footer can be customized by any Google Apps Administrator.
You may also choose how Gmail accounts interact with other mail services. For example, you may prohibit “read receipts” to be sent. (Remember: “read receipts” may “leak” information as to when people read email.) You might enable mail delegation, to allow an executive to “delegate” an associate full-access to the executive’s email account. Or, if your organization uses Google+, you might enable other Google+ users to contact people once via email—even if the recipient’s email address isn’t public. Salespeople and product managers may find this feature useful.
Learn more from Google about email retention, custom footers, read receipts, mail delegation, and email Google+ contact settings.
Learn more from Backupify about how to restrict, route, filter and archive Gmail with “Setting up external mail servers for Google Apps.”
Mobile (and Chrome) device management
Google offers Administrators several mobile device management tools beyond the standard lock, locate and remote wipe capabilities (covered in “How to secure a Google Apps domain”). You choose which devices connect, define how they’re secured, and specify the WiFi networks they access.
Administrators control which devices can link and sync with an organization’s account. In most cases, you’ll want both Google Sync and Android Sync services enabled to allow iOS and Android devices to connect. (Android users should install the Google Apps Device Policy app.) Some organizations may manage Google Glass and/or Chrome OS devices. Check a box to allow Google Glass users to use Glass with organizational accounts, or enroll Chromebooks (and Chromeboxes) if your organization has purchased Chrome device management.
You may enforce password, encryption and application-related policies on many mobile devices. As Administrator, you can choose to require a device password, set a minimum password length, and select the time until a device locks. You also may choose to encrypt device data.
Some management features apply only to Android devices. For example, Google Play Private Channel allows your organization to distribute apps to Android users. An application auditing setting allows Administrators to view apps installed on managed devices. While a WiFi networks setting lets you define wireless network settings (for devices running Android 2.2 or newer).
Learn more from Google about mobile device management or Chrome device management.
Groups for business
As Administrator, you set the highest level of visibility allowed for Google Groups for Business: groups may be public or restricted to members of the organization.
You determine who may create groups: administrators, people in the organization, or anyone on the Internet. (Allowing anyone on the Internet to create a Group would be an unusual choice for many organizations.)
You also choose whether Group owners can allow members outside the organization. If not, an Administrator can add members from outside the organization to a group.
Finally, you select whether or not new Groups are visible—or hidden from the Group directory. And you may allow Group owners to hide Groups from the Group directory.
Learn more from Google about Google Groups for Business.
Talk and Google+ Hangouts
Talk and the new Hangouts both offer chat and video calling features, although they’re distinctly different services. The future of messaging in Google Apps is Hangouts, but Talk is still available. The two are similar, but not fully equivalent. Notably, Talk supports open communication standards (e.g., SIP, or session initiation protocol, and XMPP, or extensible messaging and presence protocol); the new Hangouts does not. (See Google’s comparison chart for details.)
Talk/Hangouts security settings mostly block collaborative capabilities. An Administrator may prevent people from making voice and video calls, and/or block chat with Google Account users outside the organization. Other than that, an Administrator chooses whether chat history is “on” or “off” by default, but people may change this setting.
Learn more from Google on how to enable, configure and use Google+ Hangouts.
In the next post, we will highlight the need-to-know settings for other Google services, including Chrome, Google+, and Vault. We will also go over data recovery for the Google Apps Suite.
For the complete story on how to enhance the security of your Google Apps domain data, please download the complete guide to advanced security configuration and compliance below and be on the look out for more content like this in our Google Apps training guide series.