This official feed from the Google Workspace team provides essential information about new features and improvements for Google Workspace customers.


Admins can now bulk export client-side encrypted (CSE) Slides using Vault or Data Export (takeout), and then convert those exports into PowerPoint files. This allows your organization to retain complete ownership, access, and control of sensitive data in a highly portable format.

Eligible Google Workspace admins can sign up for the CSE Office Interop beta program, which provides immediate access to CSE compatible export, import, takeout and office editing features. Organizations who’ve previously signed up for the beta program should see this feature in their domains now.

Getting started

  • Admins: Admins with eligible Workspace licenses can sign up for the CSE Office Interop beta. We’ll provide more information on how to get started if you’re accepted.
  • End users: This launch has no impact on end users.

Rollout pace

Availability

  • Enterprise: Enterprise Plus
  • Education: Education Standard and Plus
  • Other Editions: Frontline Plus, Assured Controls, Assured Controls Plus

Resources

Administrators can now apply a global context-aware access (CAA) policy to all SAML applications within their organization. This update introduces a default assignment that serves as a universal security baseline, automatically protecting any SAML-based app that does not have a specific policy already assigned. By establishing this "secure-by-default" posture, IT teams can help protect internal data and third-party SaaS tools as new applications are integrated into their ecosystem.

This global control significantly reduces the administrative burden of managing security for applications at scale. Instead of manually configuring rules for every individual SAML app, administrators can set a single policy to cover their entire environment. Specific application-level policies will still take precedence, allowing for granular control where needed while the global policy acts as a reliable safety net.

These default policies support both Monitor and Active modes, providing flexibility in how security requirements are phased in. Detailed audit logs will capture these enforcement events, and remediation messages help end users understand how to resolve access issues independently.

Admins can configure CAA policies for all SAML apps in the Admin console under Security > Context-aware Access > General settings.

Getting started

Rollout pace

Availability

  • Enterprise: Enterprise Standard and Plus
  • Education: Education Standard and Plus
  • Other Editions: Frontline Standard and Plus; Enterprise Essentials Plus; Cloud Identity Premium

Resources

What’s changing

We are updating the schema and event modeling for several Admin audit log events, specifically some of the events related to account security, Gmail, and Drive settings, along with other admin-defined setting audit logs. These improvements aim to make the logs more understandable, detailed, and precise. A complete list of the updates can be found in the Help Center.

The updates involve changes to event names, event types, and the volume of these affected log events. Some legacy events may be redundant as a part of this change. If you're using any legacy events, some of the updates might require changes to your existing queries, alerts, and reports to get the full benefit of the changes. Both the new and old events will continue to be available for you to make the necessary changes.

Who’s impacted

Admins 

Why it matters

Granular audit logs are critical to helping organizations investigate cybersecurity incidents and understand their data usage. The changes announced today expand the depth of analysis that can be performed.  

Rollout pace

Getting started

  • Admins:  As the changes become available, you can get started with your analysis in either the Audit and Investigation tool
  • End users: There is no end user setting for this feature.

Availability

  • Available for Google Workspace with Audit Log eligible licenses. To learn more about the Audit Log availability for your license types, please review this article.

What’s happening

Gmail is enhancing user security by enabling the Cross-Origin Opener Policy (COOP). As a result, developers of websites and browser extensions opening or manipulating the Gmail page may have to update their code to ensure continued functionality when enforcement begins on January 20, 2026. There is no action needed from Workspace admins or end users.

COOP background

Cross-Site Search (XS-Search) is a type of Cross-Site Leaks (XS-Leaks) attack that targets query-based search systems, like Gmail. Attackers exploit this vulnerability by gaining control of a Gmail window, either by opening a new popup or accessing an existing one via its window handle. Once they have this access, they can gather information via a side channel to determine if specific search results exist by repeatedly loading different search terms, thereby leaking sensitive user data.

COOP is a web security feature designed to isolate the web applications from untrusted origins. This measure will prevent attackers from accessing Gmail's window handle, thereby protecting users from various Cross-Site Search (XS-Search) attacks that rely on window handles for collecting side-channel information, such as frame counting. This also significantly hinders attacks like cache probing, which rely on timing and other observations for resources that Gmail loads for search results. While these attacks don't directly collect side-channel information through the window handles themselves, COOP prevents repeated searches and thereby increases difficulty and reduces effectiveness, making them far less of a threat.

Who’s impacted

Websites or browser extensions that open Gmail in a pop-up window and interact with that window by accessing its properties (closed, location, length, focus) or invoking its functions (close, postMessage). Also impacted are browser extensions that are injected into the Gmail page and access the opener handle, which is a reference to the window that opened the current Gmail page.

Additional details

To enforce COOP, the Cross-Origin-Opener-Policy header will be present in the response:

Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gmail-web-coop-coep"
Report-To:{"group":"gmail-web-coop-coep","endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gmail-web"}]}
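
As an added example (not Gmail's or any browser's code), the sketch below parses the two headers shown above and applies the HTML specification's COOP comparison, limited to the three classic policy values, to show which opener relationships lose their window handle. The origins crm.example and accounts.example, the Gmail path, and all function names are assumptions.

```javascript
// Added example: a model of the COOP comparison for
// unsafe-none / same-origin-allow-popups / same-origin only.
const COOP_VALUES = new Set(["unsafe-none", "same-origin-allow-popups", "same-origin"]);

// Parse `token; report-to="group"` into { value, reportTo }.
// A missing header or unrecognized token falls back to unsafe-none.
function parseCoop(header) {
  if (!header) return { value: "unsafe-none", reportTo: null };
  const [token, ...params] = header.split(";").map((s) => s.trim());
  const lowered = token.toLowerCase();
  const value = COOP_VALUES.has(lowered) ? lowered : "unsafe-none";
  let reportTo = null;
  for (const p of params) {
    const m = /^report-to\s*=\s*"?([^"]*)"?$/i.exec(p);
    if (m) reportTo = m[1];
  }
  return { value, reportTo };
}

// Return the endpoint URLs that a Report-To header defines for `group`.
// The header is a comma-separated list of JSON objects.
function reportEndpoints(reportToHeader, group) {
  let entries;
  try {
    entries = JSON.parse(`[${reportToHeader}]`);
  } catch {
    return [];
  }
  return entries
    .filter((e) => e.group === group)
    .flatMap((e) => (e.endpoints || []).map((x) => x.url));
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// The spec's "matching" step for two COOP values and their origins.
function coopMatch(aValue, aUrl, bValue, bUrl) {
  if (aValue === "unsafe-none" && bValue === "unsafe-none") return true;
  if (aValue === "unsafe-none" || bValue === "unsafe-none") return false;
  return aValue === bValue && sameOrigin(aUrl, bUrl);
}

// True when loading `response` in a popup created by `opener` forces a new
// browsing context group: the opener's handle reports closed and the popup's
// window.opener is null. The popup's initial about:blank inherits the
// opener's origin and policy, so the opener's values stand in for it.
function seversOpener(opener, response, isInitialAboutBlank = true) {
  if (coopMatch(opener.coop, opener.url, response.coop, response.url)) return false;
  const popupException =
    isInitialAboutBlank &&
    opener.coop === "same-origin-allow-popups" &&
    response.coop === "unsafe-none";
  return !popupException;
}

// Header values copied from the announcement; the URL path is constructed.
const GMAIL = {
  url: "https://mail.google.com/mail/u/0/",
  coopHeader: 'same-origin-allow-popups; report-to="gmail-web-coop-coep"',
  reportTo:
    '{"group":"gmail-web-coop-coep","endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gmail-web"}]}',
};

// Summarize what an integration at `openerUrl` can expect after enforcement.
function assessIntegration(openerUrl, openerCoopHeader) {
  const gmailCoop = parseCoop(GMAIL.coopHeader);
  const opener = { url: openerUrl, coop: parseCoop(openerCoopHeader).value };
  const gmail = { url: GMAIL.url, coop: gmailCoop.value };
  return {
    handleSevered: seversOpener(opener, gmail),
    violationsReportedTo: reportEndpoints(GMAIL.reportTo, gmailCoop.reportTo),
  };
}
```

A cross-origin page that opens Gmail lands in the severed case, which is why the guidance below points to APIs such as chrome.tabs instead of the window handle; popups that Gmail itself opens to pages without a COOP header keep their opener relationship.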

Getting started

  • Developers:
    • For websites and browser extensions opening Gmail, refactor the offending code to avoid accessing the window properties or functions through the window handle and instead, utilize alternative APIs to achieve the desired functionality (e.g., chrome.tabs, Messaging).
    • For browser extensions injected into the Gmail page, instead of trying to communicate with or access the opener, the browser extension should be updated so it doesn't need to interact with it at all and the extension's logic should be revised to work independently. If that is not possible, browser extensions can use existing APIs (e.g., chrome.tabs) to implement their logic.
  • Admins: There is no admin control for this feature.
  • End users: There is no end user setting for this feature. 

Rollout pace

  • Enforcement will begin on January 20, 2026. Rollout will be extended (potentially longer than 15 days for feature visibility).

Resources


What’s changing 

When your primary systems are compromised, you need a dependable partner to keep your organization operational. Our new Business Continuity editions are designed to serve as a robust backup solution that works in tandem with your primary, non-Google Workspace collaboration platform, providing a secure and familiar environment that can be activated when you need it most. 

We are introducing two distinct offerings to meet your specific needs: 

1. Business Continuity 
This edition is a true disaster recovery solution designed for a "cold" standby scenario. It provides a secure, isolated environment to ensure your leadership and critical teams can communicate and collaborate during a crisis. 

  • Core Functionality: Allows for syncing your active directory, ensuring your user directory is available when needed. 
  • Usage: Intended for limited use, with access to Google Workspace and generative AI tools like Gemini and NotebookLM for up to 21 days per year. 

2. Business Continuity Plus 
This is our full-featured solution for organizations that require a "hot" standby environment with more data readily available to drive immediate adoption and productivity. It is designed to keep your core functions operating with minimal disruption. 

  • Core Functionality: In addition to allowing for syncing directory, this edition allows for data syncing across any product, including but not limited to email, calendar, drive, chat and more. We recommend using a partner-based solution for implementation. 
  • Usage: Provides extended access to Google Workspace and generative AI tools for up to 60 days per year. 

Learn more about these new offerings in our main blog post: Break free from Microsoft 365’s lock-in, vulnerabilities, and outages with Google Workspace and partners

Getting started 

  • Admins: These solutions are intended for organizations who do not use Google Workspace for their primary collaboration platform. Contact your Google rep or partner to discuss suitability and purchase options. 
  • End users: No end user impact. 

Availability 

  • Available everywhere Google Workspace is sold. These solutions are intended for organizations who do not use Google Workspace for their primary collaboration platform. 

Resources 

What’s changing

Generally available today, Gmail client-side encryption (CSE) users can send end-to-end encrypted (E2EE) emails to anyone, even if the recipient uses a different email provider. Recipients will receive a notification and can easily access the encrypted message via a guest account, ensuring secure communication without the hassle of exchanging keys or using custom software. 

This capability, requiring minimal efforts for both IT teams and end users, abstracts away the traditional IT complexity and substandard user experiences of existing solutions, while preserving enhanced data sovereignty, privacy, and security controls. 


Securely viewing an E2EE email in a restricted version of Gmail 


Users sending an email will see a notification when composing their message 

Getting started 

  • Admins: This feature will be OFF by default and can be enabled at the OU and Group level. Visit the Help Center to learn more about turning Gmail E2EE on or off for your organization. Visit the Help Center for a Client-side encryption setup overview
  • End users: This feature will be on by default for users that have access to Gmail Client-side encryption. Visit the Help Center to learn more about Gmail Client-side encryption

Rollout pace


Availability 

Available for Google Workspace: 

  • Enterprise Plus with the Assured Controls add-on. 

Resources 



What’s changing 

Access Transparency, Access Management, and Access Approvals now cover Gemini App data. These features provide admins full transparency into when Gemini App data is viewed for support purposes, control over which Google support staff can view this data, and control over when this data can be viewed by Google for support purposes. 

The addition of Gemini App data to Access Transparency, Access Management, and Access Approvals expands on Google’s data commitments on customer data ownership, security, and privacy. 

  • Access Transparency provides real time logs whenever customer data is accessed by Google staff. 
  • Access Management allows admins to limit which Google staff can access their data such as US or EU Google staff. 
  • Access Approvals allow admins to require Google to request explicit approval prior to accessing their data related to a support action. 

These controls have been extended to cover Gemini App data in addition to Gmail, Calendar, Drive, Docs, Sheets, Slides, Drawings, Sites, Chat, Meet, and Gemini in Workspace data. 



Getting started 


Rollout pace 

  • This feature is available now. 

Availability 

  • Access Transparency is available for users with Enterprise Plus licenses 
  • Access Approvals is available for users with Assured Controls or Assured Controls Plus licenses 
  • Access Management is available for users with Assured Controls Plus licenses 

Resources 



What’s changing 

To support more granular incident investigations and to expand access to this critical security data, we’ve made a few changes to the Gmail Audit Logs. 

1. Addition of the Gmail log events to the audit and investigation tool 
Gmail log events, previously only available to customers with access to the Security investigation tool (Security > Security center > Investigation tool), will now also be available to customers with access to the audit and investigation tool (Reporting > Audit and investigation) when Gmail is enabled as an application. This change is now available. 

2. Addition of the Gmail log events to the AdminSDK Reports API 
Gmail log events are now available in the Google Workspace Admin SDK Reports API, providing programmatic access to this data. 

3. Gemini Data Access Logging for Gmail log events 
Addressing customer feedback for more granularity in reporting on how Gemini accesses data, a “message content accessed” log event will now be triggered when the Gemini app or Gemini for Workspace apps access Gmail messages on behalf of a user. Those events will have a client type of “API” and an actor application name of “Gemini or Gemini for Workspace”. These events will become available to customers gradually over the next few weeks. 

Who’s impacted 

Admins 

Why it matters 

Granular audit logs are critical to helping organizations investigate cybersecurity incidents and understand their data usage. The changes announced today expand access to this critical data and expand the depth of analysis that can be performed. 

Rollout pace 

  • Gradual rollout - please see launch timing notes for each change listed above. 

Getting started 


Availability 

  • Available for Google Workspace with audit log eligible licenses. To learn more about the audit log availability for your license types, please review this Help Center article.




What’s changing 

To simplify the admin experience for creating rules and monitoring alerts, we are combining reporting rules with activity rules: 

Google Workspace Enterprise Plus, Enterprise Essentials Plus, Education Plus, Cloud Identity Premium, Chrome Enterprise Premium and Enterprise Standard customers will retain all the functionality of the activity rules experience and can now also create rules without thresholds. Thresholds are applied cumulatively across user actions, not on a per-activity basis. 


New threshold mode, which triggers the rule every time the event occurs 

For Google Workspace Business Starter, Business Standard, Business Plus, Education Fundamentals, Education Standard, and Enterprise Essentials customers, all existing reporting rules will automatically be converted to activity rules. Admins gain the ability to configure notification frequencies and access more descriptive alerts. However, applying thresholds and actions to rules are not available for these Workspace editions. 


Admins will now be able to set notification frequency to limit the number of alerts or emails they receive 

Who’s impacted 

Admins 

Why it matters 

Reporting rules inform admins what happened, while activity rules help admins control what happens. By combining reporting rules with activity rules, admins receive the benefits of a more streamlined workflow with additional ways to work with rules and gain insights from more detailed reporting. 

Additional details 

Additionally, “Reporting rules” will be shown as “Activity rules” in various locations within the Admin console, including the “Add rules” user interface at Security > Investigation tool > Create activity rule

Getting started 

Admins: 
  • Visit the Help Center to learn more about creating and managing activity rules
  • With this change, admins with the “Reports” privilege have automatically been assigned the “Activity Rules View” and “Activity Rules Manage” privileges. Super admins have these privileges assigned by default. These privileges can also be assigned to a custom admin role. 
End users: 
  • There is no end user action required. 

Rollout pace 


Availability 

Available for Google Workspace: 

  • Business Starter, Standard and Plus 
  • Enterprise Standard and Plus 
  • Enterprise Essentials, Enterprise Essentials Plus 
  • Education Fundamentals, Standard and Plus 
  • Cloud Identity Premium 

Resources 



What’s changing 

Client-side encryption supports ediscovery and data portability for our customers. After an export using Vault or the data export tool (takeout), admins can decrypt the previously client-side encrypted content. This launch now adds full support with a conversion tool so that admins can convert decrypted Google Sheets into a Microsoft Excel file.

The conversion tool allows customers of client-side encryption to maintain ownership over, access to, and perform analysis of sensitive data.

Getting started 



The converter tool, which enables conversions of exported Google Sheets files into Microsoft Office format. 

Rollout pace 


Availability 

Available for Google Workspace customers with 

  • Enterprise Plus 
  • Education Standard and Plus 
  • Frontline Plus 

Resources 



What’s changing 

The Shared Signals Framework (SSF) is a community-supported initiative of the OpenID Foundation, focused on developing and maintaining a standardized protocol for cross-system communication between security platforms to share security insights and events. To support the SSF initiative, Google Workspace is implementing an SSF Receiver to ingest Continuous Access Evaluation Profile (CAEP) signals. This feature is available in closed beta for Google Workspace customers and interested partners. Eligible customers and security platform providers can use this form to express interest in the closed beta.

Who’s impacted 

Admins 

Why it matters 

Our closed beta of the Shared Signals Framework (SSF) offers an example use case: session revocation. When Google Workspace gets a signal to revoke a session, the user's session is automatically invalidated, which cuts down the time a potentially compromised user has system access. This highlights SSF's strength: enhancing security by improving cross-system communication and speeding up responses to security events. 

Getting started 

  • Admins: If you are a security platform interested in transmitting CAEP signals to Google Workspace, or a Google Workspace customer interested in testing the Shared Signals integration in your domain, please express your interest by filling out this form
    • Please note: While we are in a Closed Beta development phase, we intend to gradually onboard both security platforms and customers. Submission of the form does not guarantee acceptance to the Closed Beta. We will reach out to those who’ve submitted the form if there is availability. 
  • End users: There is no end user setting for this feature. 

Availability 

Available for Google Workspace: 
  • Enterprise Plus



What’s changing 

Admins can now apply Context-Aware Access (CAA) policies to apps which use OpenID Connect (OIDC), which are a subset of OAuth apps that are authenticated using Google sign-in. Admins can use a single setting to apply CAA policies to all OIDC apps by default. We are not providing per app access control for individual apps at this moment. The new OIDC setting can also be applied in monitor mode for admins to gauge potential end user impact before applying in active mode. 

CAA creates granular access control security policies for apps based on attributes, such as user identity, location, device security status, and IP address, and they can be applied to users on personal and managed devices. Expanding CAA to encompass OIDC apps means admins can ensure their users are able to access or are blocked from accessing these apps according to the broader security parameters of their organizations. 

Admins can configure CAA policies for OIDC apps in the Admin console under Security > Context-Aware Access > General settings 

Getting started 

  • Admins: CAA for OIDC apps can be configured at the OU level. Visit the Help Center to learn more about context-aware access, creating context-aware access levels, and assigning access levels to third-party apps
  • End users: If enabled by your admin, you can access certain apps when authenticating using your Google sign-in. Or you may see a message letting you know that you cannot use Google sign-in to authenticate with certain apps or you may see remediation messages which will provide some options on how to unblock apps. 

Rollout pace 


Availability 

Available for Google Workspace: 
  • Frontline Standard and Plus 
  • Enterprise Standard and Plus 
  • Education Standard and Plus 
  • Enterprise Essentials Plus 
  • Also available for Cloud Identity Premium 

Resources 

What’s changing 

We’re introducing a new approval workflow option for enterprise users to request access to third-party apps that have not been explicitly configured via App Access Control (AAC) by an admin. This only applies to apps which have not been configured. If a user is able to access an app today based on the policies configured by their admin, then there will be no change and they will continue to be able to access the app. 

When end users attempt to access unconfigured third-party apps and get blocked, they will see an error screen with an option to raise a review request to admins. After the user submits a request, admins will be able to review the end user requests in app access control and make a decision. 

This feature gives enterprise users a clear process for requesting access to apps they need, reducing the likelihood of them being completely blocked and improving their productivity. For admins, it provides a centralized and efficient way to manage and configure access for new applications within their organization, while maintaining control over data security. 

An example of the dialog that the end user will see when access is blocked, with an opportunity to request access 


The dialog an end user will see if they choose to request access 


The interface in the Admin console where admins can see and process access requests from users 


The interface admins can use to configure access by OU 


Who’s impacted 

Admins and end users 

Getting started 

  • Admins: 
    • This feature will be ON by default and can be enabled at the organizational unit (OU) level. You can enable the setting for users to request access to unconfigured apps in the Admin console under API Controls Settings. Visit the Help Center to learn more about user requests for unconfigured apps
  • End users: 
    • There is no end user setting for this feature. When the approval workflow is enforced, users will see a new screen that allows them to request access to the app from their admin. 

Rollout pace 


Availability

  • Available to all Google Workspace customers 

Resources 


What’s changing 

Admins can now select “Warn” as an action when deploying context-aware access (CAA) levels. When applied, end users will see a warning message if they do not meet their admin-defined conditions for accessing Google Workspace applications. They can click “See details” to see more information about why they received the warning – for example, they may be notified that their operating system is outdated and requires an update. The warning provides a useful reminder for the user to take action; otherwise, access could be blocked in the future. 

It’s important to note that “Warn” mode will not block users from accessing a particular app or service and they will have the option to proceed despite the warning. “Warn” mode helps educate users if they’re trying to access apps in a less secure situation and how to remediate this risk, while reducing the workload required by admins to socialize best practices. 
Example of a warning notification 


Example of what a user might see when they click “See details” 

Additional details 

  • To minimize end user friction, warning messages will be shown to users once every 48 hours if their device and session continue to not meet access levels. 
  • “Access Warning Sent” and “Access Warning Viewed by User” events can be reviewed in the CAA audit logs and in the security investigation tool for select Google Workspace customers. 

Getting started 


Admin app access level assignment flow

Rollout pace 


Availability 

Available for Google Workspace: 
  • Frontline Standard and Frontline Plus 
  • Enterprise Standard and Enterprise Plus 
  • Education Standard and Education Plus 
  • Enterprise Essentials Plus 
  • Cloud Identity Premium 

Resources 

Update 2 (September 3, 2025): We updated this post to indicate that the rollout will start the second week of December 2025. Previously, the rollout was planned to start on August 26. 

Update (August 15, 2025): We updated this post to indicate that the rollout will start on August 26. Previously, the rollout was planned to start on August 19. 

What’s changing 

Earlier this year, we launched an improved version of the OAuth consent screen to the Apps Script IDE and unpublished Editor Add-ons that allows users to specify which individual scopes they would like to authorize for that script. For example, if a script requests access to a user’s Sheets and Forms files, and the user only intends to use the script with Sheets files, they can decide to only allow access to their spreadsheets and not their forms. 


This screenshot shows the new OAuth consent screen, which lets the user provide consent for a subset of the requested OAuth scopes. 

We’re excited to announce that this more granular OAuth consent screen will be expanding to an additional Apps Script execution type. Soon, published Editor add-ons powered by Apps Script will also present users with this more granular consent screen when requesting an OAuth grant. This will allow users of these add-on types to provide partial OAuth consent when authorizing new add-ons. A reminder that this also includes reconsenting to add-ons when OAuth grants expire.

Additional details 

To prepare for the release of this new consent flow, we suggest that Editor add-on developers refer to the ScriptApp and AuthorizationInfo classes. These allow Apps Script developers to programmatically interact with the scopes granted for a script, so developers can add safeguards such as short-circuiting a script execution if not all scopes are granted. For more information, refer to the developer documentation. To test these changes, please see the documentation on Testing Editor Addons.
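
One way to implement the short-circuit safeguard, as an added example rather than code from the Apps Script documentation: each add-on feature declares the scopes it needs and runs only when the user granted all of them. The feature names and the FEATURE_SCOPES table are hypothetical; ScriptApp.getAuthorizationInfo, getAuthorizedScopes and getAuthorizationUrl are the Apps Script calls it relies on.

```javascript
// Added example for an Apps Script Editor add-on (V8 runtime).
// Feature names and this table are hypothetical.
const SHEETS_SCOPE = "https://www.googleapis.com/auth/spreadsheets";
const FORMS_SCOPE = "https://www.googleapis.com/auth/forms";

// Each feature lists only the scopes it actually uses, so a user who
// consented to Sheets but not Forms still gets the Sheets-only features.
const FEATURE_SCOPES = {
  summarizeSheet: [SHEETS_SCOPE],
  buildFormFromSheet: [SHEETS_SCOPE, FORMS_SCOPE],
};

/**
 * Compare the scopes a feature needs with the scopes the user granted.
 * Returns { allowed, missing, authorizationUrl }.
 */
function checkFeature(feature) {
  const required = FEATURE_SCOPES[feature];
  if (!required) throw new Error(`Unknown feature: ${feature}`);

  // Ask only about the scopes this feature needs.
  const info = ScriptApp.getAuthorizationInfo(ScriptApp.AuthMode.FULL, required);
  const granted = new Set(info.getAuthorizedScopes());
  const missing = required.filter((scope) => !granted.has(scope));

  return {
    allowed: missing.length === 0,
    missing,
    // URL the UI can offer so the user can grant the missing scopes.
    authorizationUrl: missing.length > 0 ? info.getAuthorizationUrl() : null,
  };
}

/**
 * Run `action` only if every scope for `feature` is granted; otherwise
 * short-circuit before any service call is made.
 */
function runFeature(feature, action) {
  const check = checkFeature(feature);
  if (!check.allowed) {
    return { ran: false, missing: check.missing, authorizationUrl: check.authorizationUrl };
  }
  return { ran: true, result: action() };
}
```

Where prompting is preferable to a custom message, ScriptApp.requireScopes(authMode, scopes) stops the execution and asks the user to authorize the missing scopes.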

Getting Started 

  • Admins: There is no admin control for this feature.
  • Developers and end users: This new consent screen will only be used for new OAuth scope grants. Pre-existing scope grants will not be affected, so no action is required by users on scripts they’ve already authorized. 

Rollout pace 


Availability 

  • Available to all Google Workspace customers and Workspace Individual Subscribers

What's Changing

We’re adding an additional data field for Google Meet log events: encryption_type, which will indicate whether standard cloud encryption or client-side encryption was used for a call endpoint. This information can also be called using the Admin Reports SDK API under the values: cloud_encryption and cse_encryption.
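
An added example (not Google's code) of using the new field for detection: it walks activity items shaped like Admin SDK Reports API results and lists call endpoints of users who are expected to use client-side encryption but joined without it. The encryption_type values come from this post; the call_ended event name, the conference_id and identifier parameters, the sample records, and the user list are assumptions or constructed data.

```javascript
// Added example. Values of encryption_type are taken from the announcement.
const CSE = "cse_encryption";
const CLOUD = "cloud_encryption";

// Flatten an event's [{name, value}] parameter list into an object.
function paramsOf(event) {
  const out = {};
  for (const p of event.parameters || []) out[p.name] = p.value;
  return out;
}

// Yield one record per call endpoint found in Meet activity items.
// Events recorded before the field existed are reported as "unknown".
function* callEndpoints(items) {
  for (const item of items) {
    if (!item.id || item.id.applicationName !== "meet") continue;
    for (const ev of item.events || []) {
      if (ev.name !== "call_ended") continue; // assumed event name
      const p = paramsOf(ev);
      const user = p.identifier || (item.actor && item.actor.email) || "unknown";
      yield {
        time: item.id.time,
        conferenceId: p.conference_id || "unknown",
        user: user.toLowerCase(),
        encryptionType: [CSE, CLOUD].includes(p.encryption_type) ? p.encryption_type : "unknown",
      };
    }
  }
}

// Count endpoints per conference and encryption type.
function summarizeByConference(items) {
  const summary = {};
  for (const ep of callEndpoints(items)) {
    const bucket = (summary[ep.conferenceId] = summary[ep.conferenceId] || {});
    bucket[ep.encryptionType] = (bucket[ep.encryptionType] || 0) + 1;
  }
  return summary;
}

// Endpoints of CSE-required users that did not use client-side encryption.
function findCseGaps(items, cseRequiredUsers) {
  const required = new Set(cseRequiredUsers.map((u) => u.toLowerCase()));
  return [...callEndpoints(items)].filter(
    (ep) => required.has(ep.user) && ep.encryptionType !== CSE
  );
}

// Build a constructed activity item (not real log data).
function sampleItem(time, email, eventName, params) {
  return {
    id: { time, applicationName: "meet" },
    actor: { email },
    events: [{
      name: eventName,
      parameters: Object.entries(params).map(([name, value]) => ({ name, value })),
    }],
  };
}

const SAMPLE_ITEMS = [
  sampleItem("2025-06-02T09:00:00Z", "alice@example.com", "call_ended",
    { conference_id: "conf-A", identifier: "alice@example.com", encryption_type: CSE }),
  sampleItem("2025-06-02T09:00:05Z", "bob@example.com", "call_ended",
    { conference_id: "conf-A", identifier: "bob@example.com", encryption_type: CSE }),
  sampleItem("2025-06-03T14:00:00Z", "alice@example.com", "call_ended",
    { conference_id: "conf-B", identifier: "alice@example.com", encryption_type: CLOUD }),
  sampleItem("2025-06-03T14:00:02Z", "carol@example.com", "call_ended",
    { conference_id: "conf-B", identifier: "carol@example.com", encryption_type: CLOUD }),
  // Older record without the new field.
  sampleItem("2025-05-01T08:00:00Z", "alice@example.com", "call_ended",
    { conference_id: "conf-C", identifier: "alice@example.com" }),
  // Hypothetical non-call event; ignored by the analysis.
  sampleItem("2025-06-03T13:59:00Z", "carol@example.com", "other_event",
    { conference_id: "conf-B" }),
];
```

Calling findCseGaps(SAMPLE_ITEMS, ["alice@example.com"]) returns the conf-B and conf-C endpoints, the second one flagged as unknown because the record lacks the field.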


Example of a meeting without client-side encryption and a meeting with standard encryption. The encryption type will be captured in Meet log events going forward.

Rollout Pace:


Availability:

Available in the audit and investigation tool for all Google Workspace customers and for select Google Workspace customers in the Security Investigation tool, as well as the Admin Reports SDK API.

What’s changing 

We’re introducing several changes to make the act of training custom AI models for data classification in Google Drive more efficient:
  • Multi-model Support: When AI classification first launched, the product supported training a single model for a single label field.  Now, customers can train up to five unique models.  Common use cases for multiple models are:
    • Models for different labels
    • Models for different fields of a single label
    • Multiple models for the same label & field combination, with different training datasets curated for separate audiences 



  • On-demand Training: Training AI classification models can be an interactive process.  With the former version of the product, the models would train on a predefined schedule.  Now, the administrator can decide when to train the model, initiating the training process on demand – enabling organizations to move at their own pace! 
  • Refreshed UI: We’ve redesigned the AI classification experience from the ground up with a new onboarding flow and model details page.  With the redesigned UI, Workspace Administrators will now see richer insights into the status of model training, metrics on their training data, model recall scores, and a history of their model versions. 

Who’s impacted 

  • Admins

Why it matters 

  • Powered by privacy-preserving AI models that can be uniquely trained on specific customer needs, AI classification automatically identifies, classifies, and labels files in Google Drive. This helps organizations standardize data classification and achieve labeling consistency at scale. Labels can then be used to trigger rules on files that can and cannot be shared through data loss prevention (DLP) controls, lifecycle management policies, as well as audit and reporting use cases. These latest enhancements give admins the flexibility to train models when they need to and for the specific and dynamic needs of their organization.

Getting started 

Rollout pace 

Availability 

Available for Google Workspace:
  • Enterprise Plus
  • Frontline Plus
  • Gemini Education Premium add-on
Anyone who previously purchased these add-ons will also receive this feature: 
  • Gemini Enterprise*
  • AI Security*
*As of January 15, 2025, we’re no longer offering the Gemini Business and Gemini Enterprise add-ons for sale. Please refer to this announcement for more details.

Resources 

What’s changing

The Information Rights Management (IRM) feature for Drive prevents the downloading, copying and printing of documents for viewers and commenters. Currently, individual file owners can use IRM to limit viewers and commenters from printing, copying, or downloading a file. Earlier this year, we launched the ability for admins to restrict these actions for users with edit permissions.

Now, individual file owners and shared drive managers can apply printing, copying, and downloading restrictions to users with edit permissions as well. Editors and owners can still edit the document itself, however they can only copy and paste document content within the document itself. 

As a whole, IRM controls give both admins and end users the ability to help prevent sensitive content from being leaked.


Getting started

  • End users: Once this feature is enabled, all entry points for downloading, printing, and copying will be removed from Google Drive, Docs, Sheets, and Slides on all platforms. Note: If a file has both an administrator-applied IRM setting and a file owner setting on it, the administrator setting takes priority. Visit the Help Center to learn more about stopping, limiting, or changing how your files are shared.

Availability

  • IRM controls are available for all Google Workspace customers
  • Data Loss Prevention Rules and Context-Aware Access conditions are available for Google Workspace:
    • Enterprise Standard and Plus
    • Education Fundamentals, Standard, Plus, and the Teaching and Learning add-on
    • Frontline Standard
    • Enterprise Essentials and Enterprise Essentials Plus

What’s changing 

Currently, you can join client-side encrypted calls from a computer or mobile device. Starting today, you can join client-side encrypted calls directly from Google Meet hardware devices. Simply select the meeting from the in-room agenda on any hardware device – you’ll be prompted to authenticate from a personal device, such as your phone or laptop, which will grant the room access to this specific meeting.

Joining a client-side encrypted meeting from a hardware device

Google Meet always encrypts call media in transit and at rest, ensuring only meeting participants and Google's data center services can decrypt it. Client-side encryption adds an additional layer of privacy: all media is encrypted directly by each participant's browser using keys accessible only to them, meaning Google's servers and other service providers cannot decrypt or access the call content. This gives users greater control and confidentiality over their meeting communications, and this specific update gives users another way to join client-side encrypted calls.

Additional details

Client-side encrypted calls can be joined from meeting rooms in the host's organization or in the organization of an invited participant. A room does not need to be specifically invited to the meeting — access to client-side encrypted calls is determined by the identity of the individual participant. 

Getting started

  • Admins: 
    • In order for end users to use client-side encryption, admins must connect Google Workspace to an external identity provider and encryption key service (IdP+key service).
    • Visit the Help Center to learn more about managing client-side encryption for your organization. Also see our API documentation.
    • Note: There is no additional configuration for room hardware if client-side encryption has already been configured.
    • Note: The KACLS server used for key management needs to support the delegate call. This call is used for authorizing a room to join a meeting on behalf of an authenticated user. Check with your KACLS vendor for details. 

  • End users: You can join a client-side encrypted call from a room in the same way you would join a call using regular encryption. Follow the additional instructions displayed on the room unit to authenticate on your personal device. Visit the Help Center to learn more about joining a client-side encrypted meeting from a Google Meet hardware device.

Availability

Client-side encryption for Google Meet is available for Google Workspace:
  • Enterprise Plus
  • Education Standard and Plus
Joining an encrypted call is available for all Google Meet hardware devices.

What’s changing 

Gmail now allows users with hardware keys, such as PIV/CAC smartcards, to directly manage their digital signature and encryption certificates within Gmail settings. Prior to this update, admins needed to upload encryption keys for their users – now users can configure their own keys in Gmail, without needing an admin. 

Gmail > Settings > Accounts > Encryption certificates

Additional details 

While Workspace encrypts data at rest and in transit by using secure-by-design cryptographic libraries, client-side encryption ensures that you have sole control over encryption keys and access to your data. Client-side encryption ensures sensitive data in the email body and attachments is indecipherable to Google servers — you retain control over encryption keys and the identity service to access those keys. For more information, check out our original announcement and the Workspace blog.

Getting started 

  • Admins: In order for your users to add certificates from a hardware key, you must first enable the Workspace Hardware Keys application and install it on user machines.
  • End users: Visit the Help Center to learn more about using hardware keys for encryption. 
