This official feed from the Google Workspace team provides essential information about new features and improvements for Google Workspace customers.
rss_feed

The Workspace Policy API provides a centralized, comprehensive view of your security settings, eliminating the need to navigate to numerous pages in the Admin console.

With our latest update, we are introducing mutate endpoints (Create, Update, Delete) alongside existing read-only capabilities (Get, List) for data loss prevention (DLP) rules and detectors. This allows super admins to programmatically manage and fully automate the entire lifecycle of their DLP policies, from initial creation to real-time activation and deactivation.

Note this is an API-only launch for capabilities currently supported in the Admin console.

About DLP

DLP lets Workspace admins control external file sharing to prevent sensitive information leaks. It scans files for violations, triggering incidents and protective actions like content blocking.

How DLP works:

  • Admins define rules for sensitive content across Drive, Gmail, Chat, and Chrome.
  • DLP scans content for DLP rule violations that trigger DLP incidents.
  • DLP enforces the rules you defined and violations trigger actions, such as alerts.
  • Admins are alerted for DLP rule violations.
Summary of capabilities supported by mutate endpoints for DLP

Getting started

  • Admins: You must be a super admin to use the Policy API. See our developer documentation to learn more about the Policy API. You can also use GAM, an open source tool for managing Workspace, which now supports the Policy API.
  • End users: This is an admin-only capability.

Rollout pace

Availability

  • Available to all Google Workspace customers and Workspace Individual subscribers

Resources

Read More

Data loss prevention (DLP) for Google Calendar is now generally available to protect sensitive information shared within event details. Previously available in beta, this feature allows you to create and apply data protection rules that scan calendar event titles, descriptions, and locations for sensitive content, such as credit card numbers or national identification numbers.

Key functionalities include:

  • Choice of actions: Admins can choose to audit when an event is saved with sensitive content, warn users about sensitive content in their event, or block event creation or updates if a DLP policy is violated.
  • Event details: DLP rules scan free-text fields in the event, including the event’s title, description, and location fields.
  • Owner-based policies: Rules are applied based on the organizational unit (OU) of the owner (event organizer on primary calendars or calendar owner on secondary calendars), consistent with other Workspace DLP configurations.
  • User notifications: With DLP policies for Calendar, users receive immediate feedback when sensitive data is detected. On the web, users see a pop-up notification explaining the issue. Admins can also customize this message with more specific details. If a meeting update is blocked on Android, iOS, or via the Calendar API, the user will receive an automated email notification explaining the policy violation and why changes to the meeting invite were not successful.

Getting started

  • Admins: The feature will be OFF by default and can be enabled at the organizational unit (OU) or group level. Visit the Help Center to learn more about DLP for Calendar.
  • End users: There is no end user setting for this feature.
DLP settings in the admin console to configure policies for sensitive data, including actions and alerts when creating Calendar events
An end user is prompted with a message asking them to remove sensitive information

Rollout pace

Availability

  • Enterprise: Enterprise Standard and Plus
  • Education: Education Fundamentals, Standard, and Plus
  • Other Editions: Enterprise Essentials; Frontline Standard and Plus

Resources

Read More

Data loss prevention (DLP) rules for non-Workspace file attachments and associated proximity conditions are now generally available. These new capabilities enable organizations to target files with specific parameters, such as blocking the sharing of sensitive file formats or identifying files that contain specific strings in their titles.

Using these new content conditions, admins can set up various DLP rules for added protection, such as:

  • File names: Block files containing text string “funkyword”
  • File extensions: Block .java files
  • File types: Block custom mime type such as application/custom_app
  • Proximity matching: Detect “routing number” in proximity of 100 characters of “account number”

Additional details

In addition to file-based conditions, administrators can utilize associated proximity conditions to identify sensitive information in the file. This feature allows for the detection of sensitive data that appears within a specified distance of other predefined data types, regular expressions, or word lists.

For example, a rule can be configured to trigger when a bank account number is found within 100 characters of a routing number. By identifying data in context, proximity matching helps administrators reduce false positives and more accurately secure financial information or proprietary content.

Key functionality in DLP rules for file attachments and associated proximity conditions include:

  • Ability to match against common or custom MIME types and system file categories
  • Support for scanning attachments in Gmail, Drive, and Chat to set rules across communication channels 
  • Granular distance settings for proximity matching, allowing admins to define a range of up to 1,000 characters between matched conditions

Getting started

  • Admins: When configuring DLP rules in the admin console, admins can locate the new content conditions of file extension, file name, and file type under content conditions. Admins can also select the option of proximity matching to set a maximum distance between two pieces of matched texts. Visit the Help Center to learn more.
  • End users: There is no end user setting for this feature.
Content conditions for DLP in the Admin console to configure policies for sensitive file attachments

Rollout pace

Availability

  • Enterprise: Enterprise Standard and Plus
  • Education: Education Fundamentals, Standard, and Plus
  • Other Editions: Enterprise Essentials; Frontline Standard and Plus

Resources

Read More

Previously, data transfers from corporate Google Workspace accounts to third-party apps were restricted. We’re now recalibrating these restrictions to allow for a "trusted ecosystem" between managed apps.

With this release, users are now able to maintain efficient workflows and securely move data between corporate Workspace accounts and other authorized, managed third-party applications without being blocked. For added data protection, this capability strictly prevents the transfer of that data to personal accounts within the same managed Google application or to unmanaged personal apps.

For example, a user is able to copy a client's email address from their corporate Gmail account and successfully paste it into a managed third-party CRM application. When they try to paste that same email address into their personal Gmail account, they are blocked and receive the following message: "This information can only be shared within your organization's Google Workspace apps.”

Getting started

  • End users: There is no end-user setting for this feature.

Rollout pace

Availability

  • Enterprise: Enterprise Standard and Plus
  • Education: Education Standard and Plus
  • Other Editions: Frontline Standard; Enterprise Essentials Plus; Cloud Identity Premium

Resources

Read More

Admins can now bulk export client-side encrypted (CSE) Slides using Vault or Data Export (takeout), and then convert those exports into PowerPoint files. This allows your organization to retain complete ownership, access, and control of sensitive data in a highly portable format.

Eligible Google Workspace admins can sign up for the CSE Office Interop beta program, which provides immediate access to CSE compatible export, import, takeout and office editing features. Organizations who’ve previously signed up for the beta program should see this feature in their domains now.

Getting started

  • Admins: Admins with eligible Workspace licenses can sign up for the CSE Office Interop beta. We’ll provide more information on how to get started if you’re accepted.
  • End users: This launch has no impact on end users.

Rollout pace

Availability

  • Enterprise: Enterprise Plus
  • Education: Education Standard and Plus
  • Other Editions: Frontline Plus, Assured Controls, Assured Controls Plus

Resources

Read More

Administrators can now apply a global context-aware access (CAA) policy to all SAML applications within their organization. This update introduces a default assignment that serves as a universal security baseline, automatically protecting any SAML-based app that does not have a specific policy already assigned. By establishing this "secure-by-default" posture, IT teams can help protect internal data and third-party SaaS tools as new applications are integrated into their ecosystem.

This global control significantly reduces the administrative burden of managing security for applications at scale. Instead of manually configuring rules for every individual SAML app, administrators can set a single policy to cover their entire environment. Specific application-level policies will still take precedence, allowing for granular control where needed while the global policy acts as a reliable safety net.

These default policies support both Monitor and Active modes, providing flexibility in how security requirements are phased in. Detailed audit logs will capture these enforcement events, and remediation messages help end users understand how to resolve access issues independently.

Admins can configure CAA policies for all SAML apps in the Admin console under Security > Context-aware Access > General settings

Admins can configure CAA policies for all SAML apps in the Admin console under Security > Context-aware Access > General settings.

Getting started

Rollout pace

Availability

  • Enterprise: Enterprise Standard and Plus
  • Education: Education Standard and Plus
  • Other Editions: Frontline Standard and Plus; Enterprise Essentials Plus; Cloud Identity Premium

Resources

Read More

What’s changing

We are updating the schema and event modeling for several Admin audit log events, specifically some of the events related to account security, Gmail, and Drive settings, along with other admin-defined setting audit logs. These improvements aim to make the logs more understandable, detailed, and precise.  A complete list of the updates can be found in the Help Center

The updates involve changes to event names, event types, and the volume of these affected log events. Some legacy events may be redundant as a part of this change. If you're using any legacy events, some of the updates might require changes to your existing queries, alerts, and reports to get the full benefit of the changes. Both the new and old events will continue to be available for you to make the necessary changes.

Who’s impacted

Admins 

Why it matters

Granular audit logs are critical to helping organizations investigate cybersecurity incidents and understand their data usage. The changes announced today expand the depth of analysis that can be performed.  

Rollout pace

Getting started

  • Admins:  As the changes become available, you can get started with your analysis in either the Audit and Investigation tool
  • End users: There is no end user setting for this feature.

Availability

  • Available for Google Workspace with Audit Log eligible licenses.  To learn more about the Audit Log availability for your license types, please review this article

Read More

What’s happening

Gmail is enhancing user security by enabling the Cross-Origin Opener Policy (COOP). As a result, developers of websites and browser extensions opening or manipulating the Gmail page may have to update their code to ensure continued functionality when enforcement begins on January 20, 2026. There is no action needed from Workspace admins or end users.

COOP background

Cross-Site Search (XS-Search) is a type of Cross-Site Leaks (XS-Leaks) attack that targets query-based search systems, like Gmail. Attackers exploit this vulnerability by gaining control of a Gmail window, either by opening a new popup or accessing an existing one via its window handle. Once they have this access, they can gather information via a side channel to determine if specific search results exist by repeatedly loading different search terms, thereby leaking sensitive user data.

COOP is a web security feature designed to isolate the web applications from untrusted origins. This measure will prevent attackers from accessing Gmail's window handle, thereby protecting users from various Cross-Site Search (XS-Search) attacks that rely on window handles for collecting side-channel information, such as frame counting. This also significantly hinders attacks like cache probing, which rely on timing and other observations for resources that Gmail loads for search results. While these attacks don't directly collect side-channel information through the window handles themselves, COOP prevents repeated searches and thereby increases difficulty and reduces effectiveness, making them far less of a threat.

Who’s impacted

Websites or browser extensions that open Gmail in a pop-up window and interact with that window by accessing its properties (closed, location, length, focus) or invoking its functions (close, postMessage). Also, browser extensions that are injected into Gmail page and access the opener handle which is a reference to the window that opened the current Gmail page.

Additional details

To enforce COOP, the Cross-Origin-Opener-Policy header will be present in the response:

Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gmail-web-coop-coep"
Report-To:{"group":"gmail-web-coop-coep","endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gmail-web"}]}

Getting started

  • Developers:
    • For websites and browser extensions opening Gmail, refactor the offending code to avoid accessing the window properties or functions through the window handle and instead, utilize alternative APIs to achieve the desired functionality (e.g., chrome.tabs, Messaging).
    • For browser extensions injected into the Gmail page, instead of trying to communicate with or access the opener, the browser extension should be updated so it doesn't need to interact with it at all and the extension's logic should be revised to work independently. If that is not possible, browser extensions can use existing APIs (e.g., chrome.tabs) to implement their logic.
  • Admins: There is no admin control for this feature.
  • End users: There is no end user setting for this feature. 

Rollout pace

  • Enforcement will begin on January 20, 2026. Rollout will be extended (potentially longer than 15 days for feature visibility).

Resources


Read More

What’s changing 

When your primary systems are compromised, you need a dependable partner to keep your organization operational. Our new Business Continuity editions are designed to serve as a robust backup solution that works in tandem with your primary, non-Google Workspace collaboration platform, providing a secure and familiar environment that can be activated when you need it most. 

We are introducing two distinct offerings to meet your specific needs: 

1. Business Continuity 
This edition is a true disaster recovery solution designed for a "cold" standby scenario. It provides a secure, isolated environment to ensure your leadership and critical teams can communicate and collaborate during a crisis. 

  • Core Functionality: Allows for syncing your active directory, ensuring your user directory is available when needed. 
  • Usage: Intended for limited use, with access to Google Workspace and generative AI tools like Gemini and NotebookLM for up to 21 days per year. 

2. Business Continuity Plus 
This is our full-featured solution for organizations that require a "hot" standby environment with more data readily available to drive immediate adoption and productivity. It is designed to keep your core functions operating with minimal disruption. 

  • Core Functionality: In addition to allowing for syncing directory, this edition allows for data syncing across any product, including but not limited to email, calendar, drive, chat and more. We recommend using a partner-based solution for implementation. 
  • Usage: Provides extended access to Google Workspace and generative AI tools for up to 60 days per year. 

Learn more about these new offerings in our main blog post: Break free from Microsoft 365’s lock-in, vulnerabilities, and outages with Google Workspace and partners

Getting started 

  • Admins: These solutions are intended for organizations who do not use Google Workspace for their primary collaboration platform. Contact your Google rep or partner to discuss suitability and purchase options. 
  • End users: No end user impact. 

Availability 

  • Available everywhere Google Workspace is sold. These solutions are intended for organizations who do not use Google Workspace for their primary collaboration platform. 

Resources 

Read More

What’s changing

Generally available today, Gmail client-side encryption (CSE) users can send end-to-end encrypted (E2EE) emails to anyone, even if the recipient uses a different email provider. Recipients will receive a notification and can easily access the encrypted message via a guest account, ensuring secure communication without the hassle of exchanging keys or using custom software. 

This capability, requiring minimal efforts for both IT teams and end users, abstracts away the traditional IT complexity and substandard user experiences of existing solutions, while preserving enhanced data sovereignty, privacy, and security controls. 


Securely viewing an E2EE email in a restricted version of Gmail 


Users sending an email will see a notification when composing their message 

Getting started 

  • Admins: This feature will be OFF by default and can be enabled at the OU and Group level. Visit the Help Center to learn more about turning Gmail E2EE on or off for your organization. Visit the Help Center for a Client-side encryption setup overview
  • End users: This feature will be on by default for users that have access to Gmail Client-side encryption. Visit the Help Center to learn more about Gmail Client-side encryption

Rollout pace


Availability 

Available for Google Workspace: 

  • Enterprise Plus with the Assured Controls add-on. 

Resources 



Read More

What’s changing 

Access Transparency, Access Management, and Access Approvals now cover Gemini App data. These features provide admins full transparency into when Gemini App data is viewed for support purposes, control over which Google support staff can view this data, and control over when this data can be viewed by Google for support purposes. 

The addition of Gemini App data to Access Transparency, Access Management, and Access Approvals expands on Google’s data commitments on customer data ownership, security, and privacy. 

  • Access Transparency provides real time logs whenever customer data is accessed by Google staff. 
  • Access Management allows admins to limit which Google staff can access their data such as US or EU Google staff. 
  • Access Approvals allow admins to require Google to request for explicit approval prior to accessing their data related to a support action. 

These controls have been extended to cover Gemini App data in addition to Gmail, Calendar, Drive, Docs, Sheets, Slides, Drawings, Sites, Chat, meet, and Gemini in Workspace data. 



Getting started 


Rollout pace 

  • This feature is available now. 

Availability 

  • Access Transparency is available for users with Enterprise Plus licenses 
  • Access Approvals is available for users with Assured Controls or Assured Controls Plus licenses 
  • Access Management is available for users with Assured Controls Plus licenses 

Resources 



Read More

What’s changing 

To support more granular incident investigations and to expand access to this critical security data, we’ve made a few changes to the Gmail Audit Logs. 

1. Addition of the Gmail log events to the audit and investigation tool 
Gmail log events, previously only available to customers with access to the Security investigation tool (Security > Security center > Investigation tool), will now also be available to customers with access to the audit and investigation tool (Reporting > Audit and investigation) when Gmail is enabled as an application. This is change is now available. 

2. Addition of the Gmail log events to the AdminSDK Reports API 
Gmail log events are now available in the Google Workspace Admin SDK Reports API, providing programmatic access to this data. 

3. Gemini Data Access Logging for Gmail log events 
Addressing customer feedback for more granularity in reporting on how Gemini accesses data, a “message content accessed” log event will now be triggered when the Gemini app or Gemini for Workspace apps access Gmail messages on behalf of a user. Those events will have a client type of “API” and an actor application name of “Gemini or Gemini for Workspace”. These events will become available to customers gradually over the next few weeks. 

Who’s impacted 

Admins 

Why it matters 

Granular audit logs are critical to helping organizations investigate cybersecurity incidents and understand their data usage. The changes announced today expand access to this critical data and expand the depth of analysis that can be performed. 

Rollout pace 

  • Gradual rollout - please see launch timing notes for each change listed above. 

Getting started 


Availability 

  • Available for Google Workspace with audit log eligible licenses. To learn more about the audit log availability for your license types, please review this Help Center article.




Read More

What’s changing 

To simplify the admin experience for creating rules and monitoring alerts, we are combining reporting rules with activity rules: 

Google Workspace Enterprise Plus, Enterprise Essentials Plus, Education Plus, Cloud Identity Premium, Chrome Enterprise Premium and Enterprise Standard customers will retain all the functionality of the activity rules experience and can now also create rules without thresholds. Thresholds are applied cumulatively across user actions, not on a per-activity basis. 


New threshold mode, which triggers rule every time the event occurs 

For Google Workspace Business Starter, Business Standard, Business Plus, Education Fundamentals, Education Standard, and Enterprise Essentials customers, all existing reporting rules will automatically be converted to activity rules. Admins gain the ability to configure notification frequencies and access more descriptive alerts. However, applying thresholds and actions to rules are not available for these Workspace editions. 


Admins will now be able to set notification frequency to limit the number of alerts or emails they receive 

Who’s impacted 

Admins 

Why it matters 

Reporting rules inform admins what happened, while activity rules help admins control what happens. By combining reporting rules with activity rules, admins receive the benefits of a more streamlined workflow with additional ways to work with rules and gain insights from more detailed reporting. 

Additional details 

Additionally, “Reporting rules” will be shown as “Activity rules” in various locations within the Admin console, including the “Add rules” user interface at Security > Investigation tool > Create activity rule

Getting started 

Admins: 
  • Visit the Help Center to learn more about creating and managing activity rules
  • With this change, admins with the “Reports” privilege have automatically been assigned the “Activity Rules View” and “Activity Rules Manage privileges”. Super admins have these privileges assigned by default. These privileges can also be assigned to a custom admin role. 
End users: 
  • There is no end user action required. 

Rollout pace 


Availability 

Available for Google Workspace: 

  • Business Starter, Standard and Plus 
  • Enterprise Standard and Plus 
  • Enterprise Essentials, Enterprise Essentials Plus 
  • Education Fundamentals, Standard and Plus 
  • Cloud Identity Premium 

Resources 



Read More

What’s changing 

Client-side encryption supports ediscovery and data portability for our customers. After an export using Vault or the data export tool (takeout), admins can decrypt the previously client-side encrypted content. This launch now adds full support with a conversion tool so that admins can convert decrypted Google Sheets into a Microsoft Excel file.

The conversion tool allows customers of client-side encryption to maintain ownership over, access to, and perform analysis of sensitive data.

Getting started 



The converter tool, which enables conversions of exported Google Sheets files into Microsoft Office format. 

Rollout pace 


Availability 

Available for Google Workspace customers with 

  • Enterprise Plus 
  • Education Standard and Plus 
  • Frontline Plus 

Resources 



Read More

What’s changing 

The Shared Signals Framework (SSF) is a community supported initiative of the OpenID Foundation, focused on developing and maintaining a standardized protocol for cross-system communication between security platforms to share security insights and events. To support the SSF initiative, Google Workspace is implementing a SSF Receiver to ingest Continuous Access Evaluation Profile (CAEP) signals. This feature is available in closed beta for Google Workspace customers and interested partners. Eligible customers and security platform providers can use this form to express interest in the closed beta

Who’s impacted 

Admins 

Why it matters 

Our closed beta of the Shared Signals Framework (SSF) offers an example use case: session revocation. When Google Workspace gets a signal to revoke a session, the user's session is automatically invalidated, which cuts down the time a potentially compromised user has system access. This highlights SSF's strength: enhancing security by improving cross-system communication and speeding up responses to security events. 

Getting started 

  • Admins: If you are a security platform interested in transmitting CAEP signals to Google Workspace, or a Google Workspace customer interested in testing the Shared Signals integration in your domain, please express your interest by filling out this form
    • Please note: While we are in a Closed Beta development phase, we intend to gradually onboard both security platforms and customers. Submission of the form does not guarantee acceptance to the Closed Beta. We will reach out to those who’ve submitted the form if there is availability. 
  • End users: There is no end user setting for this feature. 

Availability 

Available for Google Workspace: 
  • Enterprise Plus



Read More

What’s changing 

Admins can now apply Context-Aware Access (CAA) policies to apps which use OpenID Connect (OIDC), which are a subset of OAuth apps that are authenticated using Google sign-in. Admins can use a single setting to apply CAA policies to all OIDC apps by default. We are not providing per app access control for individual apps at this moment. The new OIDC setting can also be applied in monitor mode for admins to gauge potential end user impact before applying in active mode. 

CAA creates granular access control security policies for apps based on attributes, such as user identity, location, device security status, and IP address, and they can be applied to users on personal and managed devices. Expanding CAA to encompass OIDC apps means admins can ensure their users are able to access or are blocked from accessing these apps according to the broader security parameters of their organizations. 

Admins can configure CAA policies for OIDC apps in the Admin console under Security > Context-Aware Access > General settings 

Getting started 

  • Admins: CAA for OIDC apps can be configured at the OU level. Visit the Help Center to learn more about context-aware access, creating context-aware access levels, and assigning access levels to third-party apps
  • End users: If enabled by your admin, you can access certain apps when authenticating using your Google sign-in. Or you may see a message letting you know that you cannot use Google sign-in to authenticate with certain apps or you may see remediation messages which will provide some options on how to unblock apps. 

Rollout pace 


Availability 

Available for Google Workspace: 
  • Frontline Standard and Plus 
  • Enterprise Standard and Plus 
  • Education Standard and Plus 
  • Enterprise Essentials Plus 
  • Also available for Cloud Identity Premium 

Resources 

Read More

What’s changing 

We’re introducing a new approval workflow option for enterprise users to request access to third-party apps that have not been explicitly configured via App Access Control (AAC) by an admin. This only applies to apps which have not been configured. If a user is able to access an app today based on the policies configured by their admin, then there will be no change and they will continue to be able to access the app. 

When end users attempt to access unconfigured third-party apps and get blocked, they will see an error screen with an option to raise a review request to admins. After the user submits a request, admins will be able to review the end user requests in app access control and make a decision. 

This feature gives enterprise users a clear process for requesting access to apps they need, reducing the likelihood of them being completely blocked and improving their productivity. For admins, it provides a centralized and efficient way to manage and configure access for new applications within their organization, while maintaining control over data security. 

An example of the dialog that the end user will see when access is blocked, with an opportunity to request access 


The dialog an end user will see if they choose to request access 


The interface in the Admin console where admins can see and process access requests from users 


The interface admins can use to configure access by OU 


Who’s impacted 

Admins and end users 

Getting started 

  • Admins: 
    • This feature will be ON by default and can be enabled at the organizational unit (OU) level. You can enable the setting for users to request access to unconfigured apps in the Admin console under API Controls Settings. Visit the Help Center to learn more about user requests for unconfigured apps
  • End users: 
    • There is no end user setting for this feature. When the approval workflow is enforced, users will see a new screen that allows them to request access to the app from their admin. 

Rollout pace 


Availability

  • Available to all Google Workspace customers 

Resources 


Read More

What’s changing 

Admins can now select “Warn” as an action when deploying context-aware access (CAA) levels. When applied, end users will see a warning message if they do not meet their admin defined conditions for accessing Google Workspace applications. They can click “See details” to see more information about why they received the warning – for example, they may be notified that their operating system is outdated and requires an update. The warning provides a useful reminder for the user to take action otherwise access could be blocked in the future. 

It’s important to note that “Warn” mode will not block users from accessing a particular app or service and they will have the option to proceed despite the warning. “Warn” mode helps educate users if they’re trying to access apps in a less secure situation and how to remediate this risk, while reducing the workload required by admins to socialize best practices. 
Example of a warning notification 


Example of what a user might see when they click “See details” 

Additional details 

  • Warning messages will be shown to users once every 48 hours if their device and session continues to not meet access levels to ensure minimizing end user friction. 
  • "Access Warning Sent” and “Access Warning Viewed by User” events can be reviewed in the CAA audit logs and in the security investigation tool for select Google Workspace customers. 

Getting started 


Admin app access level assignment flow

Rollout pace 


Availability 

Available for Google Workspace: 
  • Frontline Standard and Frontline Plus 
  • Enterprise Standard and Enterprise Plus 
  • Education Standard and Education Plus 
  • Enterprise Essentials Plus 
  • Cloud Identity Premium 

Resources 

Read More

Update 2 (September 3, 2025): We updated this post to indicate that the rollout will start the second week of December 2025. Previously, the rollout was planned to start on August 26. 

Update (August 15, 2025): We updated this post to indicate that the rollout will start on August 26. Previously, the rollout was planned to start on August 19. 

What’s changing 

Earlier this year, we launched an improved version of the OAuth consent screen to the Apps Script IDE and unpublished Editor Add-ons that allows users to specify which individual scopes they would like to authorize for that script. For example, if a script requests access to a user’s Sheets and Forms files, and the users only intends to use the script with Sheets files, they can decide to only allow access to their spreadsheets and not their forms. 


This screenshot shows the new OAuth consent screen, which lets the user provide consent for a subset of the requested OAuth scopes. 

We’re excited to announce that this more granular OAuth consent screen will be expanding to an additional Apps Script execution type. Soon, published Editor add-ons powered by Apps Script will also present users with this more granular consent screen when requesting an OAuth grant. This will allow users of these add-on types to provide partial OAuth consent when authorizing new add-ons. A reminder that this also includes reconsenting to add-ons when OAuth grants expire.

Additional details 

To prepare for the release of this new consent flow, we suggest that Editor add-on developers refer to the ScriptApp and AuthorizationInfo classes. These allow Apps Script developers to programmatically interact with the scopes granted for a script. This allows developers to put in such safeguards as short-circuiting a script execution if not all scopes are granted. For more information, refer to the developer documentation. To test these changes, please see the documentation on Testing Editor Addons

Getting Started 

  • Admins: There is no admin control for this feature.
  • Developers and end users: This new consent screen will only be used for new OAuth scope grants. Pre-existing scope grants will not be affected, so no action is required by users on scripts they’ve already authorized. 

Rollout pace 


Availability 

  • Available to all Google Workspace customers and Workspace Individual Subscribers
Read More

What's Changing

We’re adding an additional data field for Google Meet log events: encryption_type, which will indicate whether standard cloud encryption or client-side encryption was used for a call endpoint. This information can also be called using the Admin Reports SDK API under the values: cloud_encryption and cse_encryption.


Example of a meeting without client-side encryption and a meeting with standard encryption. The encryption type will be captured in Meet log events going forward.

Rollout Pace:


Availability:

Available in the audit and investigation tool for all Google Workspace customers and for select Google Workspace customers in the Security Investigation tool, as well as the Admin Reports SDK API.
Read More

Useful Links

Join the official community for Google Workspace administrators

In the Google Cloud Community, discuss the latest features with Googlers and other Google Workspace admins like you. Learn tips and tricks that will make your work and life easier. Be the first to know what's happening with Google Workspace.

Learn about more Google Workspace launches

On the “What’s new in Google Workspace?” Help Center page, learn about new products and features launching in Google Workspace, including smaller changes that haven’t been announced on the Google Workspace Updates blog.

Learn about our customers

Discover how a diverse range of organizations, from small businesses and nimble startups to globally recognized Fortune 500 corporations, leverage the collaborative power of Google Workspace. Explore examples of how teams of are streamlining workflows and driving productivity by utilizing Google-Workspace.