Additional GCDS Instance:

Running a separate instance of GCDS on another server allows you to manage synchronization for the

acquired organization independently.

This avoids conflicts and simplifies management for different LDAP directories.

Multiple LDAP Version:

Upgrading to the multiple LDAP version of GCDS supports synchronizing data from multiple LDAP

directories.

This is useful for handling different organizations with distinct LDAP setups.

Steps for Setting Up:

Install a second instance of GCDS on a separate server.

Configure the new instance with the acquired organization's LDAP details.

If using the multiple LDAP version, upgrade your existing GCDS setup and configure rules for both

LDAP directories.

Test the synchronization to ensure proper setup and no conflicts.

Reference

Google Workspace Admin Help: Set Up GCDS

Inbound Gateway Configuration:

An inbound mail gateway ensures that all incoming emails are routed through specified servers.

Configuring the inbound gateway to recognize your Exchange server IP addresses prevents internal

emails from being marked as spam.

Steps to Configure:

Go to the Google Admin console.

Navigate to Apps > Google Workspace > Gmail > Advanced settings.

Scroll to the "Spam, Phishing, and Malware" section.

Configure the "Inbound Gateway" settings:

Add your Exchange server IP addresses.

Ensure these addresses are listed as trusted sources.

Reference

Google Workspace Admin Help: Configure Inbound Mail Gateway

Sign in to the Google Admin console.

From the Admin console Home page, go to "Security" and then "Login challenges."

Enable the "Employee ID login challenge" setting.

Configure the challenge by defining the employee IDs that users need to provide during the login

process.

Enabling Employee ID login challenges adds an additional layer of security without requiring 2-Step

verification. This helps prevent unauthorized access by ensuring that users provide an additional

piece of information known only to them.

Reference:

Google Workspace Admin Help - Configure login challenges

“?>>?b GF\]\rom the Admin console Home page, go to "Security."

Under "Security," select "API controls."

In the "API controls" section, click on "Manage Third-Party App Access."

Find the Google Drive API in the list.

Choose "Disable All Access" for Google Drive to ensure that no third-party apps have OAuth

permissions to Google Drive.

This configuration adheres to the policy set by the Chief Information Security Officer by preventing

third-party apps from accessing Google Drive via OAuth.

Reference:

Google Workspace Admin Help - Manage API client access

Sign in to the Google Admin console.

From the Admin console Home page, go to "Apps" and then "Google Workspace" and "Gmail."

Select "Compliance" and then "Content compliance."

Click on "Add another rule" to create a new content compliance rule.

In the new rule setup, specify conditions:

For "Email messages to affect," choose "Outbound" and "Internal - sending."

Under "Add expressions," select "If ANY of the following match the message" and choose

"Predefined content match," then select "Credit Card Numbers."

In the "Actions" section, select "Add more recipients" and specify the custom header your encryption

provider uses.

Save the rule.

This ensures that emails containing credit card numbers are flagged and encrypted by your third-

party encryption provider, fulfilling the security requirements set by your cyber security team.

Reference:

Google Workspace Admin Help - Set up rules for content compliance

When configuring Google Cloud Directory Sync (GCDS) to manage Google Group memberships from

an internal LDAP server, it’s crucial to ensure that manually managed groups are not inadvertently

deleted during the sync process. The correct setting to prevent this is found within the GCDS

configuration manager.

Access GCDS Configuration Manager:

Open the GCDS configuration manager on your server.

Navigate to Group Settings:

Go to the section where group settings are configured.

Update Group Deletion Policy:

Find the group deletion policy setting.

Change the policy to “don't delete Google groups not found in LDAP.”

Save Configuration:

Save the updated configuration to ensure that the settings are applied during the next

synchronization.

By updating this setting, GCDS will no longer delete Google Groups that are not found in LDAP,

thereby preserving manually managed groups.

Reference:

Google Cloud Directory Sync Admin Help

GCDS Configuration Guide

To prevent data exfiltration from Google apps on iOS devices, you need to configure the appropriate

settings in the Google Admin console.

Navigate to Device Management:

In the Google Admin console, go to Devices > Mobile and endpoints > Universal Settings > iOS

settings.

Configure Data Protection Settings:

Find the setting for "Allow items created with managed apps to open in unmanaged apps".

Clear this checkbox to prevent users from copying data from managed (work) apps to unmanaged

(personal) apps.

Save Changes:

Save the changes to ensure that the policy is enforced.

Verification:

Verify that the policy is applied by checking the behavior on an iOS device to ensure that data cannot

be copied from managed apps to unmanaged apps or third-party applications.

By clearing this checkbox, you enforce a policy that restricts the movement of data from managed

apps to unmanaged environments, thereby preventing data exfiltration.

Reference:

Manage iOS settings

Endpoint management settings

To recover user accounts deleted two weeks ago:

Sign in to the Admin console as a Super Admin.

Navigate to user management.

Use the filter to select "recently deleted" users.

Recover the deleted user accounts from the list.

Google Workspace allows recovery of deleted users within a 20-day window.

Reference:

Google Workspace Admin Help: Restore a recently deleted user

Access Admin Console: Log into your Google Workspace Admin Console.

Navigate to Alert Center: Go to Security > Alert Center.

Enable Alert Rule: Find and enable the “Suspended user made active” rule.

Configure Recipients: In the alert rule settings, add the CTO as an additional recipient under the

“Other Recipients” section.

Save Settings: Save the configuration. The CTO will now receive notifications whenever a suspended

user’s account is re-enabled, ensuring compliance with the new security policy.

Reference

Google Support: Alert Center

Create Secondary Calendar: As the team manager, create a new calendar under your Google account

specifically for tracking team vacations.

Access Settings: Go to the calendar settings and navigate to "Share with specific people".

Grant Access: Add your team members and give them "Make changes to events" access, allowing

them to add their vacation times directly to the calendar.

Educate Team: Inform team members on how to use this calendar to add their vacation times and

check others' schedules.

Monitor Usage: Regularly review the calendar to ensure it is being used correctly and effectively by

all team members.

Reference:

Google Workspace Admin Help - Share a Calendar

Google Workspace Admin Help - Create a Team Calendar

Admin Console: Log into the Google Admin console at admin.google.com.

Enable Advanced Mobile Management for Sales OU:

Navigate to Devices > Mobile & endpoints > Settings.

Select the Sales OU and turn on Advanced Mobile Management.

Set Up an Apple Push Certificate:

Go to Devices > Mobile & endpoints > Apple certificates.

Follow the instructions to obtain and upload an Apple Push Certificate.

Device Policies:

After setting up the Apple Push Certificate, configure the desired device policies such as password

policies, app distribution, and remote wipe capabilities.

Reference

Google Workspace Admin: Set up advanced mobile management

Google Workspace Admin: Set up an Apple Push Certificate