GSP1256

Overview

As an administrator of an organization, one of the main goals is to protect user data and prevent devices from being compromised, all while enabling users to operate their devices as needed.

The Google Admin console allows you to view and manage the security settings for a user. You can enable and adjust some basic security settings in the Google Admin console to improve the overall security of your organization, data, and users.

For example, you can block an extension using Safe Browsing, which safeguards against non-persistent threats, making it harder for malicious web pages to compromise the operating system. You can also set up a device idle setting to protect your device and data from unauthorized access, especially in public or shared environments. Additionally, you can set up 2-step verification (2SV), which adds an extra layer of protection to your account or device by requiring a second form of verification, beyond just a password.

In this lab, you create an OU and learn how to configure security settings.

Objectives

In this lab, you’ll learn how to use the Google Admin Console to perform the following tasks:

• Create an organizational unit.
• Block an extension.
• Modify URL and attachment blocking settings (Safe Browsing/Download restriction policies).
• Control device idle settings.
• Set up 2-Step Verification.

Prerequisites

To get the most from this lab, familiarity with Google Admin Console terminology is recommended.

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access the Google Admin console for the duration of the lab.

To complete this lab, you need:

• Access to a standard internet browser (Chrome browser recommended).

Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.

• Time to complete the lab---remember, once you start, you cannot pause a lab.

Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

Start your lab

When you are ready, click Start Lab in the upper left.

Sign in to the Google Workspace Admin Console

To access the Google Workspace Admin Console, you must find your credentials and then sign in.

Find your lab's User Email and Password

To access the resources and console for this lab, locate the User Email and Password in the Lab Details panel. This panel is on the left or at the top, depending on the width of the browser window. Use these credentials to log in to the Google Workspace Admin Console.

If your lab requires other resource identifiers or connection-related information, they appear on this panel as well.

Sign in to the Admin Console

1. Click Open Google Workspace Admin Console.

Tip: Open the tabs in separate windows, side-by-side.

Note: If you see the Verify your account dialog:

• Click Next.
• Click the prefilled user.
• Click Use another account.

2. On the Sign in page, log in using the User Email and Password details provided.

3. When prompted, click I understand and ACCEPT TERMS OF SERVICE to accept all terms and conditions.

After a few seconds, the Admin Console opens.

4. Right-click VERIFY DOMAIN in either the yellow box at the top or the red box in the Domains card, and select Open link in new tab.

   Note: To complete this step in a real-life scenario, you'd need to add an actual DNS record.

5. Click the new tab, called Domain setup, to complete the Google Workspace domain verification steps.

6. On the Let's set up your domain page, click Get Started.

7. Select the My domain uses a different host checkbox and then click Continue.

8. At the bottom of the Add verification code page, select the Come back here and confirm once you have updated the code on your domain host checkbox, and then click Confirm.

9. Wait until it says Your domain is verified! and then close the Domain setup tab.

   Note: Do not click Activate Gmail.

10. Return to the Admin Console tab and refresh the page.

Task 1. Create an organizational unit (OU) structure

An organizational unit refers to a group that an administrator can create in the Google Admin console, used to apply settings to a specific set of users. By default, all users are placed in the top-level (parent) organizational unit. All settings you make in the Admin console apply to this top-level organizational unit and, therefore, to all users and devices in your account.

Child organizational units inherit the settings from the parent, but can be changed to fit the needs of the child organizational unit.

In this task, you create a ChromeOS Security Agent organizational unit.

1. In the Admin console, from the Navigation menu (), select Directory > Organizational units.

2. Click Create organizational unit to create a new OU.

3. For Name of organizational unit, enter ChromeOS Security Agent.

4. (Optional) For Description, enter ChromeOS Security Team.

5. Click CREATE.

Click Check my progress to verify the objective. Create an organizational unit (OU) structure

Task 2. Block an extension

Blocking an extension in the Google Admin console prevents users from installing or using specific Chrome extensions, enabling administrators to maintain a secure and managed browsing environment. By adding an extension to the blocklist, administrators can control the extensions used by their users, ensuring a more productive and secure browsing experience.

In this task, you block the Zoom Chrome extension.

1. In the Admin console, from the Navigation menu (), select Devices > Chrome > Apps and extensions > Users and Browsers.

2. Select the ChromeOS Security Agent organizational unit.

3. Hover over the Add app icon (+) and select Add from Chrome Web Store.

4. Click Extensions.

5. Search for the Zoom Chrome Extension.

6. Click Select.

7. In the Installation Policy drop-down menu, select Block.

8. Click SAVE.

Click Check my progress to verify the objective. Blocking an extension

Task 3. Update URL and attachment blocking settings (Safe Browsing/Download restriction policies)

URL Blocking setting

As an administrator, you can block access to harmful, inappropriate, or unauthorized content, such as phishing sites, malware hubs, or non-work-related websites. Organizations can reduce risks, improve security, and maintain a more focused work environment by blocking unwanted URLs.

In this task, you block a specific URL from the Google Admin console.

1. In the Admin console, from the Navigation menu (), select Devices > Chrome > Settings > Users and browser settings.

2. Select the ChromeOS Security Agent organizational unit.

3. Type URL Blocking in the Search or Add Filter text box and press Enter.

4. Click on URL blocking under Content.

5. In the Blocked URLs field, add the URL https://www.facebook.com/.

6. Save the changes.

Safe Browsing/Download restriction policies

Safe Browsing and Download restriction policies enable administrators to control and restrict user access to harmful or unwanted downloads.

To prevent users from downloading files, the best option is to set up the Download Restriction policy.

1. In the Admin console, from the Navigation menu (), select Devices > Chrome > Settings > Users and browser settings.

2. Select the ChromeOS Security Agent organizational unit.

3. Type Chrome Safe Browsing in the Search or Add Filter text field and press Enter.

4. Under Chrome Safe Browsing, select Download Restrictions.

5. For the download restrictions Configuration, choose Block malicious downloads and dangerous file types.

6. Click Save.

Click Check my progress to verify the objective. Safe Browsing/Download restriction policies

Task 4. Configure device idle settings

Device idle settings allow administrators to configure automatic lock or logout features for devices after a specified period of inactivity, requiring users to re-authenticate to regain access. This security feature helps protect user accounts and devices from unauthorized access, reducing the risk of data breaches and security threats.

1. In the Admin console, from the Navigation menu (), select Devices > Chrome > Settings > Users and browser settings.

2. Select the ChromeOS Security Agent organizational unit.

3. Type Power and shutdown in the Search or Add Filter text field and press Enter.

4. Click Idle settings.

5. Select Logout from the Action on lid close drop-down menu.

6. Select Shutdown for AC idle action.

7. Enter 600 for AC idle delay in seconds.

8. Select Logout from the drop-down menu for Battery idle action.

9. Enter 600 for Battery idle delay in seconds.

10. Click Save.

Click Check my progress to verify the objective. Device idle settings

Task 5. Set up 2-Step Verification

The 2-Step Verification feature provides an additional layer of security against cybercriminals attempting to steal login credentials and access sensitive business information. Enabling 2-step verification is the most crucial step you can take to safeguard your organization. This security measure mandates users to confirm their identity with something they know (like a password) and something they have (such as a physical key or access code sent to a device). This method is also known as multi-factor authentication (MFA) or 2-factor authentication (2FA).

1. In the Admin console, from the Navigation menu (), select Security > Authentication > 2-step verification. You may need to select Show More to view the Security option.
2. Select the ChromeOS Security Agent organizational unit.
3. Check the option Allow users to turn on 2-Step Verification.
4. Under Enforcement select On.
5. Click Override.

Click Check my progress to verify the objective. Setting up 2-Step Verification

Congratulations!

In this lab, you configured security settings to block apps and extensions to protect users from potential threats. You also set up URL and attachment settings to block access to harmful, inappropriate, or unauthorized content and websites. Additionally, download restriction policies were implemented to prevent user access to harmful or unwanted websites and downloads. Finally, you concluded by setting up device idle and 2SV settings.

Next steps / Learn more

• Manage policies for ChromeOS devices
• Chrome policies for users or browsers
• Cloud-managed Chrome Browser

ChromeOS training and certification

...helps you make the most of ChromeOS technologies. Our classes include sale and technical skills to help you get up to speed quickly and continue your learning journey. The Professional ChromeOS Administrator Certification helps you demonstrate your expertise and validate your ability to transform businesses and schools with ChromeOS.

Manual Last Updated February 27, 2025

Lab Last Tested February 27, 2025

Copyright 2025 Google LLC. All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.