Tag Archives: Gmail

The Complete Guide to Google Apps Administration

For those of you following along, we recently completed a blog series highlighting everything you need to know to become a successful Google Apps administrator. Today, we’ve launched The Complete Guide to Google Apps Administration, which can be downloaded for free with a single click. To help readers maximize the value of Google Apps, the Complete Guide to Google Apps Administration includes five separate ebooks covering the following:

This box set is not just for Google Apps beginners – quite the contrary. Even the most seasoned Google Apps administrators will likely learn something new within the box set. The complete series for Google Apps admin will ensure you’re maximizing the value of the suite at your company. Use the wisdom within the pages to ensure you get the most out of Google Apps.

Do yourself a favor and make yourself an indispensable force to be reckoned with today: download the complete box set of Google Apps Administration training guides below. For more information on Google Apps administration, subscribe to the blog.

Guide to Google: The Advanced Security Settings for Gmail

Today’s post is the third in our four-part blog series on Google Apps advanced security. You can read part one here and part two here. The complete guide to Google Apps security can be downloaded here.

In the last two posts, we reviewed the security settings for Google Calendar, Drive, Sites and Contacts. Today, we will highlight the advanced security settings for Gmail.


DNS settings

You should use three DNS (domain name system) records to improve email deliverability and reduce spam sent from your domain: SPF, DKIM, and DMARC. An SPF (sender policy framework) record identifies the mail servers authorized to send email for your domain. A DKIM (DomainKeys identified mail) record helps validate that an email was sent by a domain. The DMARC (domain-based message authentication, reporting and conformance) record specifies how to handle outbound email that doesn’t pass SPF and/or DKIM validation settings. DMARC helps reduce email spam and spoofing.

Learn more from Google about using SPF, DKIM and DMARC records.
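The three record types above can be checked mechanically before they are published. The following linter is an added example, not part of the original post or any Google tool; the record values are constructed samples for the placeholder domain example.com, and the checks follow the published SPF, DKIM and DMARC record syntax.

```python
import re

# Terms that each cost one DNS lookup; RFC 7208 caps a record at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    bare = [t.lower().lstrip("+-~?") for t in terms[1:]]
    names = [re.split(r"[:/=]", t, maxsplit=1)[0] for t in bare]
    lookups = sum(n in SPF_LOOKUP_TERMS for n in names)
    if lookups > 10:
        findings.append("%d DNS lookups: over the limit of 10" % lookups)
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        if "redirect" not in names:
            findings.append("no 'all' term: unlisted senders get a neutral result")
    else:
        first = all_terms[0][0]
        qualifier = first if first in "+-~?" else "+"  # default qualifier is +
        if qualifier == "+":
            findings.append("+all authorizes every host to send as this domain")
        elif qualifier == "?":
            findings.append("?all is neutral: unlisted senders are not flagged")
    return findings


def lint_dkim(record):
    tags = parse_tags(record)
    if "p" not in tags:
        return ["no p= tag: not a usable DKIM key record"]
    if tags["p"] == "":
        return ["empty p=: this key has been revoked"]
    return []


def lint_dmarc(record):
    if not record.strip().startswith("v=DMARC1"):
        return ["not a DMARC record (must start with v=DMARC1)"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports will arrive")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("pct=%s: policy covers only part of failing mail" % pct)
    return findings


# Constructed sample records (example.com is a placeholder domain).
GOOD_SPF = "v=spf1 include:_spf.google.com ~all"
WEAK_SPF = "v=spf1 include:_spf.google.com +all"
REVOKED_DKIM = "v=DKIM1; k=rsa; p="
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
WEAK_DMARC = "v=DMARC1; p=none"

if __name__ == "__main__":
    for label, fn, rec in [("SPF", lint_spf, GOOD_SPF), ("SPF", lint_spf, WEAK_SPF),
                           ("DKIM", lint_dkim, REVOKED_DKIM),
                           ("DMARC", lint_dmarc, GOOD_DMARC),
                           ("DMARC", lint_dmarc, WEAK_DMARC)]:
        print(label, repr(rec), "->", fn(rec) or "ok")
```
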

Gmail access

People access email in many ways: via browsers on laptops, in Gmail on smartphones, and with POP/IMAP email clients on desktops. As Administrator, you may prevent offline access in the browser, prohibit mobile sync, and/or disallow access to email via POP/IMAP protocols. You can also disable automatic forwarding, to prevent people from forwarding email to other accounts. (If you used all of the above settings, people would need to access Gmail with a browser while online. Secure, yes—but likely not very convenient.)

Learn more from Google about offline Gmail access, mobile management (and sync), POP/IMAP access, and automatic forwarding settings.

Compliance and other security settings

You may configure Gmail to automatically delete or move email messages to “Trash” after a specific number of days. You may also configure a specific label to be used to prevent a message from being auto-deleted. For example, all emails labeled “keep” or “important” can be retained. People would need to apply the label to emails they wish to keep.

Some organizations choose to append a footer message to all email. Such footers typically contain either a legal notification or a marketing message. The contents of the footer can be customized by any Google Apps Administrator.

You may also choose how Gmail accounts interact with other mail services. For example, you may prohibit “read receipts” from being sent. (Remember: “read receipts” may “leak” information as to when people read email.) You might enable mail delegation, to allow an executive to “delegate” full access to the executive’s email account to an associate. Or, if your organization uses Google+, you might enable other Google+ users to contact people once via email—even if the recipient’s email address isn’t public. Salespeople and product managers may find this feature useful.

Learn more from Google about email retention, custom footers, read receipts, mail delegation, and email Google+ contact settings.

Learn more from Backupify about how to restrict, route, filter and archive Gmail with “Setting up external mail servers for Google Apps.”

Mobile (and Chrome) device management

Google offers Administrators several mobile device management tools beyond the standard lock, locate and remote wipe capabilities (covered in “How to secure a Google Apps domain”). You choose which devices connect, define how they’re secured, and specify the WiFi networks they access.

Administrators control which devices can link and sync with an organization’s account. In most cases, you’ll want both Google Sync and Android Sync services enabled to allow iOS and Android devices to connect. (Android users should install the Google Apps Device Policy app.) Some organizations may manage Google Glass and/or Chrome OS devices. Check a box to allow Google Glass users to use Glass with organizational accounts, or enroll Chromebooks (and Chromeboxes) if your organization has purchased Chrome device management.

You may enforce password, encryption and application-related policies on many mobile devices. As Administrator, you can choose to require a device password, set a minimum password length, and select the time until a device locks. You also may choose to encrypt device data.

Some management features apply only to Android devices. For example, Google Play Private Channel allows your organization to distribute apps to Android users. An application auditing setting allows Administrators to view apps installed on managed devices. A WiFi networks setting lets you define wireless network settings (for devices running Android 2.2 or newer).

Learn more from Google about mobile device management or Chrome device management.

Groups for business

As Administrator, you set the highest level of visibility allowed for Google Groups for Business: groups may be public or restricted to members of the organization.

You determine who may create groups: administrators, people in the organization, or anyone on the Internet. (Allowing anyone on the Internet to create a Group would be an unusual choice for many organizations.)

You also choose whether Group owners can allow members outside the organization. If not, an Administrator can add members from outside the organization to a group.

Finally, you select whether or not new Groups are visible—or hidden from the Group directory. And you may allow Group owners to hide Groups from the Group directory.

Learn more from Google about Google Groups for Business.

Talk and Google+ Hangouts

Talk and the new Hangouts both offer chat and video calling features, although they’re distinctly different services. The future of messaging in Google Apps is Hangouts, but Talk is still available. The two are similar, but not fully equivalent. Notably, Talk supports open communication standards (e.g., SIP, or session initiation protocol, and XMPP, or extensible messaging and presence protocol); the new Hangouts does not. (See Google’s comparison chart for details.)

Talk/Hangouts security settings mostly block collaborative capabilities. An Administrator may prevent people from making voice and video calls, and/or block chat with Google Account users outside the organization. Other than that, an Administrator chooses whether chat history is “on” or “off” by default, but people may change this setting.

Learn more from Google on how to enable, configure and use Google+ Hangouts.

In the next post, we will highlight the need-to-know settings for other Google services, including Chrome, Google+, and Vault. We will also go over data recovery for the Google Apps Suite.

For the complete story on how to enhance the security of your Google Apps domain data, please download the complete guide to advanced security configuration and compliance below and be on the lookout for more content like this in our Google Apps training guide series.

Email Content Scanning, Backup and Archiving in Google Apps

Today’s post is the final post in a three-part blog series on how to set up your Google Apps account with external mail servers. You can read part one here and part two here. The complete guide to setting up external mail servers in Google Apps can be downloaded here.

In the first two blog posts, we provided an introduction to integrating Google Apps with external mail servers and the process for setting up long-term split email delivery. Today, we will become experts in email content scanning, backup and archiving for Google Apps.

Email content scanning (and routing!)

Google Apps offers automated email content scanning.

Google defines three distinct purposes for scanning: for content compliance, for objectionable content, and for attachment compliance.

The first two scan messages and text attachment content. Attachment compliance scans attachments based on attachment name, type or size. Note that attachments other than text files are not scanned for file content.

As the Google Apps administrator, you define three things:

  • Which messages to scan,
  • What scans should look for, and
  • What to do when a match is made.

The last bit makes content scanning relevant in this guide: a message that matches your scan criteria can be re-routed.

Scanning may help ensure compliance with organization policies. For example, your company might establish a policy of never permitting inbound or outbound attachments. Mail with attachments could simply be rejected, notifying the sender of the rejection. Alternatively, email with attachments could be delivered, but with attachments removed.

Which messages to scan

First, choose which messages to scan. As with routing options, you may define different scans for different organization units. Or, you may choose to scan all mail for your Google Apps account domains.

Scanning may be restricted to external mail (outbound and/or inbound) or internal email (outbound and/or inbound). Any one — or all — of the four options may be selected. The default selection is all four sets.

What to scan for (or, scan criteria)

Next, you’ll specify what to look for.

Content compliance and objectionable content scans may be set to scan for text strings or patterns. You’ll define these strings using regular expressions (regexp), a common method of specifying search patterns in text.

For example, a regular expression configured to find any string containing “am Gibs” would return a match when scanning a document containing the name “William Gibson”.

Within a scan, you may specify searches for multiple regular expressions. You can choose whether the scan must match any or all of the terms.

Learn more from Google: “Guidelines for using regular expressions”

What to do when a match occurs

When a message or attachment matches one of your regular expressions, Gmail offers two options: reject the email, or modify it. Rejected email is returned to the sender. You can explain the rejection with customized rejection notice text.

Modified mail will be delivered. Note, however, that one of the ways to modify the email is to change the recipient: so modified mail may be delivered to someone other than the specified recipient!

Modifications that may be made to email include modifying the header or subject, flagging a message as spam, changing the mail route, and replacing or adding recipients. Additionally, attachments may be removed.

Learn more from Google: “Content compliance setting”, “Objectionable content setting”, and “Attachment compliance setting”
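The three decisions described above (which messages to scan, what to look for, and what to do on a match) can be modelled as a small rule evaluator. This is an added example, not Google's implementation or code from the original post: the `Rule` fields, flow names, addresses and the "Project Aurora" phrase are hypothetical, and Python's `re` module stands in for the regular expression engine Gmail uses.

```python
import re
from dataclasses import dataclass

ALL_FLOWS = frozenset({"external-inbound", "external-outbound",
                       "internal-inbound", "internal-outbound"})


@dataclass
class Rule:
    patterns: list                    # regular expressions to search for
    flows: frozenset = ALL_FLOWS      # which messages to scan (default: all four)
    match_all: bool = False           # False: any pattern; True: all patterns
    action: str = "reject"            # "reject" or "modify"
    reject_notice: str = "Rejected by content policy."
    subject_prefix: str = ""          # modify: change the subject
    new_recipient: str = ""           # modify: replace the recipient
    strip_attachments: bool = False   # modify: remove attachments


def scannable_text(msg):
    """Subject, body and text attachments; other attachment content is skipped."""
    parts = [msg["subject"], msg["body"]]
    parts += [data for name, data in msg["attachments"]
              if name.lower().endswith(".txt")]
    return "\n".join(parts)


def rule_matches(rule, msg):
    if msg["flow"] not in rule.flows:
        return False
    text = scannable_text(msg)
    # re.search is unanchored: a pattern matches anywhere in the text.
    hits = [re.search(p, text) is not None for p in rule.patterns]
    return all(hits) if rule.match_all else any(hits)


def apply_rule(rule, msg):
    """Return the outcome for one message without mutating the input."""
    if not rule_matches(rule, msg):
        return {"status": "delivered", "message": msg}
    if rule.action == "reject":
        return {"status": "rejected", "notify": msg["sender"],
                "notice": rule.reject_notice}
    changed = dict(msg)
    if rule.subject_prefix:
        changed["subject"] = rule.subject_prefix + msg["subject"]
    if rule.new_recipient:
        changed["recipient"] = rule.new_recipient
    if rule.strip_attachments:
        changed["attachments"] = []
    return {"status": "modified", "message": changed}


def make_msg(body, attachments=(), flow="external-outbound"):
    # Constructed sample message; addresses use reserved example domains.
    return {"flow": flow, "sender": "alice@example.com",
            "recipient": "bob@example.net", "subject": "Notes",
            "body": body, "attachments": list(attachments)}


# Pattern from the text: "am Gibs" matches inside "William Gibson".
SUBSTRING_RULE = Rule(patterns=[r"am Gibs"])

# Both expressions must match; matching mail is re-routed for review.
REVIEW_RULE = Rule(patterns=[r"(?i)\bconfidential\b", r"(?i)project\s+aurora"],
                   match_all=True, action="modify",
                   subject_prefix="[REVIEW] ",
                   new_recipient="compliance@example.com",
                   strip_attachments=True)

if __name__ == "__main__":
    secret = "Confidential: Project Aurora"
    samples = [
        (SUBSTRING_RULE, make_msg("A novel by William Gibson.")),
        (REVIEW_RULE, make_msg("This is confidential.")),   # one of two terms
        (REVIEW_RULE, make_msg("See attached.", [("plan.txt", secret)])),
        (REVIEW_RULE, make_msg("See attached.", [("plan.pdf", secret)])),
    ]
    for rule, msg in samples:
        out = apply_rule(rule, msg)
        print(out["status"], out.get("message", {}).get("recipient", ""))
```

The last sample is delivered unchanged because only text attachments are scanned for content, which is the gap the post notes for non-text files.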

Restrict delivery

You may choose to limit the exchange of email between specific domains for groups of users.

A school district might choose to limit students to emailing within the district, while allowing faculty and staff to email anyone. A business might provide a long-term contractor a company email address, but limit the contractor to sending email internally from that account.

To configure this, log in to your Google Apps admin console. Go to Google Apps > Settings for Gmail > Advanced settings. Choose your domain or organizational unit and go to “Restrict delivery”.

Learn more from Google: “Restrict delivery setting”

Backup and archiving

A backup provides a copy. And, since digital copies are essentially indistinguishable from originals, a backup copy can replace a missing original. An effective email backup system changes whenever a person’s email data changes, and offers fast retrieval and restoration of email. The best email backup systems provide retrieval and restoration even when the entire original email system is unavailable. Example: Backupify for Google Apps provides a cloud-to-cloud backup system that backs up email up to three times a day, and offers fast retrieval and restoration of missing email.

An archive is essentially a backup set that never changes. An archive preserves an historical picture: a snapshot of email preserved at a specific point in time. An email archive search will always return the same results: today, tomorrow, and any time in the future. The purpose of an archive is preservation, not restoration. Example: Google Apps Vault offers archiving and retention of email based on administrator defined policies.

System settings for data retention and user access help define the difference between a backup and an archive. If people can retrieve and restore recently deleted email easily, that’s a backup. If email is permanently preserved and not user accessible, that’s an archive.

A legacy mail server may also provide email backup and/or archiving. You’d either configure the server for long-term dual delivery, or route all mail through the server. Running this legacy server will incur additional costs. You need to determine if the business benefit is worth the additional cost for your organization.

Learn more from Backupify: “When to backup, and When to archive”

Learn more from Google: “What is Google Apps Vault?”

We hope you found the Google Apps guide to setting up external mail servers blog series interesting and useful. If you would like to read the complete eBook, please download it below. Be on the lookout for additional eBooks in our Google Apps training guide series!

The 11 Steps To Take BEFORE You Delete a User From a Google Apps Domain

When the time comes to remove a user from a Google Apps domain, administrators are faced with two apparently mutually exclusive goals:

  • Delete the user account to recover the $50 annual seat license fee
  • Preserve all the data in the user account in the event it’s still needed

Google Apps domain administrators can square that circle with these simple de-provisioning steps.

1. Change the Departing User’s Password
Changing the departing user’s password accomplishes two goals. First, it locks the user out of the account, preventing any post-departure access (malicious or otherwise). Second, it allows you, the admin, to log into that account to perform any changes or data transfers not possible from the Google Apps Administrator Control Panel. (If the account has 2-Step Verification installed, you’ll need to disable it, too.) You can change the user’s password from the Users & Organization Tab in your Control Panel. After selecting a new password, be sure to click the Reset Sign-In Cookies link to end any logged-in sessions the departing user may still be running.

2. Download a Snapshot of the User Account for Safekeeping
Downloading the complete contents of a user account to an offline file is a best practice before altering or deleting the account. This preserves the data in the user’s core Google apps — Gmail, Contacts, Calendar, Drive and Sites – as it was before the de-provisioning process, maintaining records-retention compliance and ensuring no vital data is lost. To download a Snapshot of a complete Google Apps user account, go to www.snapshottool.com and follow the instructions.

3. Identify an Account “Executor”
Someone at your organization is going to inherit the departing user’s responsibilities, and thus their data — at least in the short run. Identify that employee, as he or she will become the Executor of the data in the departed account, transferring or responding to it as needed. (In many cases, the Domain Administrator and the Executor are one and the same, so you may be giving all these permissions to yourself.)

4. Set Up the Departing User’s Vacation Auto-Responder
Log into the departing user’s account with the new password, then set up the vacation auto-responder to inform correspondents that the user is no longer with your organization, and to identify to whom they should direct all future inquiries. (Likely this will be the aforementioned Executor.) Be sure to enable the auto-responder for recipients both inside and outside your domain. The message should be similar to the following:

“As of Jan. 1, 2014, John Doe is no longer with Acme Incorporated. Please direct all future business correspondence to Jane Q. Public, who will handle Mr. Doe’s accounts. You can reach Ms. Public at jqpublic@acmeinc.com.”

5. Delegate Access to the Departing User’s E-mail
The account Executor will need access to any pending correspondence in the departing user’s mailbox, especially if the departure was sudden or occurred on less than friendly terms. Fortunately, you can designate access to a Google Apps mail account to anyone else on your domain. The delegate — who, again, will likely be the Executor — won’t be able to change account permissions, passwords or chat on the original user’s behalf, but the delegate can send and receive mail from the account until it is suspended or deleted. To delegate mail access, log into Gmail as the departed user and follow the delegation instructions in the Mail Settings menu.

6. Transfer Ownership of the Departing User’s Google Docs
When the account that owns a Google Doc is deleted, that document is deleted as well — even if it was shared with other domain users. Put more simply, deleting a user deletes every critical document that user ever created. Fortunately, the Google Apps Administrator Control Panel offers a method to bulk-transfer ownership of all a user’s Google Drive documents to another domain user’s account. In other words, you can make the Executor the owner of all a departing user’s Docs in a matter of seconds, ensuring that this data stays online and accessible even after the original owner is de-provisioned. The Executor can then transfer individual document ownership on a case-by-case basis.

7. Add the Departing User’s Contacts to the Google Apps Directory
If you have enabled contact sharing to create a common Google Apps Directory of business-oriented contacts for your domain, you may want to add at least some of the departing user’s Contacts to the Directory. If the departing user was the exclusive point of reference for a key customer or partner, you may want to make that external contact’s address available to everyone. There is no native functionality for adding external contacts to the Directory, but the free version of SherpaTools allows administrators to import contacts in bulk to the Directory, and for individual users to share contacts with the Directory.

8. Delegate Access to the Departing User’s Calendars
If the departing user managed a shared calendar, or simply had a series of company appointments that the Executor must now manage, it is important to transfer control of those calendars. Simply log in as the departing user, and then follow the Share With Specific Users instructions to give the Executor the Edit Events And Manage Sharing access level for the appropriate calendars. The Executor can then dole out calendar permissions as needed.

9. Transfer Ownership of the Departing User’s Groups
From the Google Apps Administrator Control Panel, select Users, select the departing user’s account, then select Groups to see a list of all groups of which the departing user is a member. Then click the Edit Group Membership link. Add the Executor as a member to each of these groups and, if the departing user is the Owner of the group, elevate the Executor to Owner status. The Executor can then later assign Ownership to the appropriate employee(s).

10. Audit the Departing User’s Non-Core Google Apps Services
While Google Apps domains directly control a user’s Gmail, Docs, Contacts, Calendars and Sites, a Google Apps domain account can be used to access dozens of non-core Google Apps services, including AdWords, Google Analytics, Blogger, Feedburner, Google Voice and YouTube. When you finally delete the departing user, his or her non-core accounts will also be deleted — along with all the content in those accounts. You don’t want your website’s Feedburner RSS feed or Google Analytics account to disappear when you delete the departing user.

Most of these non-core services have straightforward methods for transferring ownership of, or access to, an account. Virtually all of them enable adequate data export via Google’s Takeout. Log into every non-core Google service your organization uses with the departing user’s credentials, then assess whether key data needs to be transferred before you delete the departing user.

You should perform the same steps for any Google Apps Marketplace products installed on your domain to ensure no critical functionality or data is lost when you remove the departing user’s account. All the Marketplace Apps installed on your domain are listed in the Google Apps Administrator Control Panel.

11. Set a Calendar Reminder For Yourself to Delete the Departing User In 90 Days
While you’re probably anxious to delete an account and immediately recover the $50 annual seat license fee, it’s a smart idea to keep the account around for a few months just to make sure that A) the departing employee isn’t reinstated, B) no critical data is placed out of easy access while your organization adjusts to the departure and C) your non-core services audit was accurate and complete.

12. Delete the Departing User’s Account
Yes, finally.

13. Create a Group With the Same Mail Address As the Deleted User
Just because you deleted a departing user doesn’t mean people outside your organization will stop sending him or her important emails. While your domain’s catch-all email address can handle these misdirected emails, you may not want the catch-all recipient to be the only person dealing with the departed user’s correspondence. Instead, set up a Group with the same email address as the one formerly used by the deleted user, and then add the Executor and any other relevant recipients to the Group. This will ensure that anyone who didn’t receive the auto-responder has his or her mails routed to the appropriate recipient.

Follow these steps and you can remove a Google Apps user from your domain with minimal risk to your data and your business.

Setting up and editing external mail servers in conjunction with adding or removing users can be a complex process. We created a guide to integrating Google Apps with your email server; check it out and let us know if you find it useful.

Google Apps Recovery: Restore Lost Google Drive Documents

Google Drive is different from most other Google Apps in two ways: Google Drive has much more serious sharing and ownership controls than other Google Apps; Google Drive does not automatically empty its Trash folder. These two facts make Google Drive document recovery somewhat more interesting than restoring other lost Google Apps data. 

Because Google Drive does not automatically empty its Trash folder — unlike every other Google App, which permanently deletes trashed items after 30 days — the first place you should look for a missing Google Drive file is the Trash.

You can find the Trash folder under the More link in the left column of Drive. Simply navigate into trash, do a quick search for any missing Google Drive documents or files and see if your desired item turns up. If so, just select the checkbox next to the trashed item(s) and then click the Restore button at the top of the page. No muss, no fuss.

Things get complicated when a missing Google Drive file isn’t in the Trash. There are four likely causes for this, and only two of them are easily remedied.

Scenario 1: The owner revoked your access to the Google Drive document

If you aren’t the owner of the document in question, the only reason you can see it in Google Drive is because the actual owner shared the file with you. If the owner changed the sharing status to prevent you from viewing the file, the item will effectively disappear from your Google Drive.

The easiest way to check is to simply ask the document owner. If, however, you don’t remember who the owner is (or the owner has changed hands), a fallback is to search your Gmail for the message that informed you the original owner had shared the document with you. Just search Gmail for the document title and you should find it.

When you locate the email, just click the included GDrive link and, if you are greeted with a message stating you don’t have permission to access the file, you know that the owner has revoked sharing. To regain access privileges, just click the Request Access link on the error page and the owner will be alerted of your desire to view the file. After that, it’s up to the owner to re-share the file with you.

Scenario 2: Someone renamed the document

If your missing document has been shared with multiple people and any or all of those persons have Editor or Owner privileges, it’s entirely possible that your missing document isn’t gone; it’s just renamed.

Again, the easiest way to check is to search your Gmail for the original sharing notification email. Just search Gmail for the document title you remember and then click the sharing link within. If a document opens, but it has a new file name, you know what’s happened.

Scenario 3: The owner relocated the document

This situation is a bit particular. A document owner moving a shared document around in their Google Drive folder structure wouldn’t normally affect your access to the file unless you were given access to a shared folder, rather than a shared document. In this case, you would have access to any item in the shared folder but, once the document is removed from the shared folder, your access to the document is removed as well.

Treat this scenario the same as someone directly revoking your access. Contact the folder owner and ask him or her to restore your document access (or just move the document back into the shared folder).

Scenario 4: The owner permanently deleted the original

This is the Kobayashi Maru; the no-win scenario. If the document owner trashes a document and then permanently deletes it out of the Google Drive Trash, it is gone — forever. Google can’t get it back. To solve this conundrum, you’ll need to follow the example of one James T. Kirk and change the rules.

To restore a permanently deleted Google Drive document, you’ll need a third-party backup of your Google Drive data like Backupify for Google Apps — so you can enjoy the convenience of one-click Drive restore. You can try Backupify’s Sites backup and restore free for 15 days.

Check out all the posts in our Google Apps Recovery series: