This article is written for G Suite for Education (GSFE) administrators.

Many schools want to stop students from sharing Google Drive files with each other, because it causes numerous classroom management and information security issues.

Although Google has added features to restrict Drive sharing outside the school domain (see Set Drive users' sharing permissions), they don't prevent students from sharing files inside the domain.

This article explains how the Safe Doc Chrome extension limits students' ability to share Google Drive files inside your organization. If you have yet to install Safe Doc, apply for a 30-day trial.

Overview of 2 approaches

Safe Doc solves the Drive sharing problem in 2 ways.

  1. Remove the Share feature. Students are prohibited from sharing any files with others.
    Remove the Share feature in Drive
  2. Block shared Drive file links. Even if students receive shared file links from other students, Safe Doc will scrutinize the files and block them as per your configuration.
    Block viewing shared file links

Approach 1 is more aggressive and easier to configure than Approach 2. You may take either approach, or combine the two for a tighter grip on information spread.

Approach 1. Remove the Drive Share feature

This approach aggressively removes the Share feature from Google Drive and the Docs editors.

What's changing?

Safe Doc removes all menus and buttons that trigger the Share feature in Drive. They appear in several places.

In Google Drive, when students right-click any file, the context menu has 2 menu items, Share and Get shareable link. Both bring up the Share permission edit dialog. So do the 2 buttons in the toolbar.

In Docs / Sheets / Slides / Drawings, there is a prominent Share button in the top right corner. It also exists in the menu File > Share. In Forms, sharing is called Add collaborators.

Remove share menus and buttons in Google Drive
Remove Share menus and buttons in Google Docs
Remove the Share buttons and menus in Google Slides
Remove "add collaborators" (sharing feature) in Google Forms

How to configure it?

This assumes you have deployed Safe Doc and understand how Safe Doc is configured through policies.

Set the policy BlockDriveShare to true. Add the policy if you don't have it.

"BlockDriveShare": {
  "Value": true
}

Approach 2. Block Drive shared file links

This approach works from the perspective of the student receiving a shared file: Safe Doc decides whether the link should be blocked when the student opens the file. The benefits of this approach are

  • More precise control on the content your students can view.
  • It does not block essential file sharing from students to teachers.

If you have deployed Safe Doc, the BlockDriveSharedLinks policy is the focus of this approach. By configuring the policy, you will be able to

  • block a specific Drive file or folder
  • block all files from specific emails
  • block all files from specific organizational units (OUs)

The BlockDriveSharedLinks policy is an Object including 3 subsidiary settings.

  • Blacklist. This is the blacklist of Drive file sources. A file or owner that matches this list is blocked.
  • BlacklistExceptions. As the name implies, an owner who matches this list is taken out of the blacklist.
  • DelegateAdminEmail. This admin email is used when blocking by OU.

Block specific drive file or folder

This is useful when you don't want students to see a document or file that is publicly shared in your school domain.

For example, you have a staff-related notice in a Google Doc shared within your school domain, but you want students to be excluded from the viewer list.

If the document shareable link is https://docs.google.com/document/d/1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A/edit?usp=sharing

put the file ID, 1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A, in the Blacklist, like this:

{
  "BlockDriveSharedLinks": {
    "Value": {
      "Blacklist": [
        "1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A"
      ]
    }
  }
}

When a student clicks the shared link to the document, they are given a warning page instead of the real document.

Shared Google Drive File Blocked by Safe Doc

All Google Drive files and folders have an identifier similar to the one above, 1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A. It's easy to spot the file ID in a shareable link. You can add as many file IDs as you need to the Blacklist array.
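The following added example (not part of Safe Doc or the original article) pulls the ID out of several common Drive link shapes and builds the Blacklist policy from it. The function names and the minimum ID length of 10 characters are assumptions made for this sketch; it goes beyond the single link form shown above by also handling folder and open?id= links.

```javascript
// Added illustration, not Safe Doc's code. Pulls the Drive file or folder ID
// out of common share-link shapes so it can be pasted into the Blacklist.
const DRIVE_HOSTS = new Set(["docs.google.com", "drive.google.com"]);

function extractDriveId(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return null; // not a URL at all
  }
  // Exact host match: look-alike hosts such as docs.google.com.example.test
  // must not be treated as Drive links.
  if (url.protocol !== "https:" || !DRIVE_HOSTS.has(url.hostname)) return null;
  // Shapes: .../d/<id>/... (files) and .../folders/<id> (folders)
  const m = url.pathname.match(/\/(?:d|folders)\/([A-Za-z0-9_-]{10,})(?:\/|$)/);
  if (m) return m[1];
  // Shape: .../open?id=<id>
  const id = url.searchParams.get("id");
  return id && /^[A-Za-z0-9_-]{10,}$/.test(id) ? id : null;
}

// Builds a BlockDriveSharedLinks policy from a list of links, dropping
// duplicates and anything that is not a recognizable Drive link.
function buildBlacklistPolicy(links) {
  const ids = [...new Set(links.map(extractDriveId).filter(Boolean))];
  return { BlockDriveSharedLinks: { Value: { Blacklist: ids } } };
}

// The shareable link from the article, used as sample input.
const articleLink =
  "https://docs.google.com/document/d/1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A/edit?usp=sharing";
console.log(JSON.stringify(buildBlacklistPolicy([articleLink]), null, 2));
```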

Block all files from specific senders

You can configure Safe Doc to block documents owned and shared by a specific person or domain. When a student clicks a shareable link from a blacklisted sender, they are redirected to the warning page shown above.

To use this feature, you need to set up Domain Wide Authority Delegation (Part 1) and Enable Drive SDK.

Then configure the BlockDriveSharedLinks policy in the following format. First list potentially bad file owner emails in the Blacklist, and then list the emails that should be trusted in the BlacklistExceptions.

The * wildcard here matches any sequence of characters other than @. To block all senders, use *@*. For more examples, go to the Safe Doc Policy Configuration page.

{
  "BlockDriveSharedLinks": {
    "Value": {
      "Blacklist": [
        "*@gmail.com",
        "*@spam.company.com"
      ],
      "BlacklistExceptions": [
        "the.good.science.guy@gmail.com"
      ]
    }
  }
}

Blocked files (docs, sheets, slides etc) are redirected to the blocked page shown above.

Block all files from owners in specific OUs

To use this feature, you need to set up Domain Wide Authority Delegation (Part 1 and/or Part 2) and Enable Drive SDK.

The BlockDriveSharedLinks policy needs slightly more work here. First list the OUs you want to block in the Blacklist, and then take out a few OUs as exceptions in the BlacklistExceptions. Most importantly, specify an admin account email in the DelegateAdminEmail field. It can be your own admin email or a separate admin account from Part 2 of Domain Wide Authority Delegation.

The * wildcard here matches any sequence of characters other than a forward slash. Note that the OU values are organizational unit paths. An organizational unit path is a forward-slash representation of an organizational unit; for example, /Level 1 OU/Level 2 OU/Level 3 OU is equivalent to Root domain name > Level 1 OU > Level 2 OU > Level 3 OU. The leading / is equivalent to your Root domain name.

The policy example below blocks files owned by and shared from Grade 4 and Grade 5 students. It also blocks Drive links shared by non-teachers. For more examples, go to the Safe Doc Policy Configuration page.

{
  "BlockDriveSharedLinks": {
    "Value": {
      "Blacklist": [
        "/Students/Element School/Grade 4",
        "/Students/Element School/Grade 5",
        "/Staff/*"
      ],
      "BlacklistExceptions": [
        "/Staff/Teachers"
      ],
      "DelegateAdminEmail": "safedoc@your.school.domain.edu"
    }
  }
}

Blocked files (docs, sheets, slides etc) are redirected to the blocked page shown above.
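To show how the Blacklist, BlacklistExceptions and the two wildcard rules described above combine, here is an added example that is not Safe Doc's own code. It assumes that a pattern must match the whole email or OU path, that an exception match always overrides a Blacklist match, and a hypothetical file shape of { id, ownerEmail, ownerOu }.

```javascript
// Added illustration, not Safe Doc's source. Assumed rules: "*" never crosses
// "@" in an email or "/" in an OU path, a pattern must match the whole value,
// and an exception match always wins over a Blacklist match.
function globToRegExp(pattern, separator) {
  const body = pattern
    .split("*")
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join(`[^${separator}]*`);
  return new RegExp(`^${body}$`);
}

// file = { id, ownerEmail, ownerOu }: a hypothetical shape for this example.
function entryMatches(entry, file) {
  if (entry.startsWith("/")) {
    return globToRegExp(entry, "/").test(file.ownerOu || "");
  }
  if (entry.includes("@")) {
    const email = (file.ownerEmail || "").toLowerCase();
    return globToRegExp(entry.toLowerCase(), "@").test(email);
  }
  return entry === file.id; // anything else is treated as a Drive file ID
}

function isBlocked(policy, file) {
  const { Blacklist = [], BlacklistExceptions = [], DelegateAdminEmail } =
    policy.BlockDriveSharedLinks.Value;
  const usesOu = [...Blacklist, ...BlacklistExceptions].some((e) => e.startsWith("/"));
  if (usesOu && !DelegateAdminEmail) {
    throw new Error("OU entries require DelegateAdminEmail");
  }
  return (
    Blacklist.some((e) => entryMatches(e, file)) &&
    !BlacklistExceptions.some((e) => entryMatches(e, file))
  );
}

// The article's OU policy, used here as sample input.
const ouPolicy = { BlockDriveSharedLinks: { Value: {
  Blacklist: ["/Students/Element School/Grade 4", "/Students/Element School/Grade 5", "/Staff/*"],
  BlacklistExceptions: ["/Staff/Teachers"],
  DelegateAdminEmail: "safedoc@your.school.domain.edu",
} } };

// Constructed owners: a teacher passes, other staff and Grade 4 are blocked.
for (const ownerOu of ["/Staff/Teachers", "/Staff/Office", "/Students/Element School/Grade 4"]) {
  console.log(ownerOu, isBlocked(ouPolicy, { ownerOu }));
}
```

Under these assumed rules, /Staff/* does not reach a nested OU such as /Staff/Office/IT, so check how your deployment treats nested OUs before relying on a single wildcard entry.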

Examples

Example 1: Suppose Safe Doc is installed for Grade 3 OU students. Set the policy below to stop Grade 3 OU students from seeing files from the Grade 4 OU and Grade 5 OU.

{
  "BlockDriveSharedLinks": {
    "Value": {
      "Blacklist": [
        "/Students/Element School/Grade 4",
        "/Students/Element School/Grade 5"
      ],
      "DelegateAdminEmail": "safedoc@your.school.domain.edu"
    }
  }
}

Example 2: To stop publicly shared pirated movies, set a policy as shown below. It blocks external sources while staying open to resources from your own school and trusted school allies.

{
  "BlockDriveSharedLinks": {
    "Value": {
      "Blacklist": [
        "*@*"
      ],
      "BlacklistExceptions": [
        "*@your.school.domain.edu",
        "*@trusted.school.domain.edu"
      ]
    }
  }
}

Appendix I: Domain wide Authority Delegation

Why set up Domain Wide Authority Delegation?

In order for Safe Doc to know who owns a shared file and which OU the owner belongs to, Safe Doc needs OAuth2 permissions to access the Google Drive API and the Admin SDK API. You grant Safe Doc these permissions so it can look up the ownership of shared files behind the scenes.

Steps to enable domain wide authority delegation

Part 1. Grant API access to Safe Doc

  1. Log into your admin console (admin.google.com)
  2. Go to Security > API Permissions > Domain wide delegation
  3. Click Add new.
  4. In the Client ID field, enter 101884342214916550934
  5. In the OAuth scopes (comma-delimited) field, enter one of the following, depending on the feature you want:
    1. If you want to block shared Drive files at the OU level, specify
      https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/drive.metadata.readonly
    2. If you only block shared Drive files by owner emails, specify
      https://www.googleapis.com/auth/drive.metadata.readonly
  6. Click the Authorize button.

Part 2 (Optional). Set up a limited-privilege admin account. This lets Safe Doc impersonate an admin to read the file owner's organizational unit information. You must be signed in as a super administrator for this task.

If you have trouble following the steps, see Google's official guide Create, edit, and delete custom admin roles.

  1. Log into your admin console (admin.google.com)
  2. Go to Admin roles.
  3. Click Create new role.
  4. Enter a name (e.g. Delegate Admin) and a description (e.g. Delegate Admin for Safe Doc) for the role, then click Continue.
  5. In the Select Privileges step, check the Users > Read privilege. The dependent Organizational Units > Read privilege checkbox is also selected automatically, as are the counterparts in Admin API privileges.
  6. Click Continue.
  7. In the Review Privileges step, click Create Role.
  8. Now in the newly created Admin Role, click Assign role to make a user an admin.
  9. Click Assign Role.

Appendix II: Enable Drive SDK

Why enable Drive SDK?

Even though you have granted Safe Doc the Google Drive API scope to detect the ownership of shared Drive files, that's not enough. Google provides admins an extra barrier to stop API access to Google Drive, regardless of the legitimacy of the source.

Steps to enable Drive SDK

Following Google's help document Allow third-party apps for Drive files, enable Drive SDK for the student OUs where this Safe Doc Drive file blocking feature is used.

  1. Sign in to Admin Console.
  2. Go to Apps > G Suite > Drive and Docs > Features and Applications.
  3. Select your students' OU.
  4. In the Drive SDK, check Allow users to access Google Drive with the Drive SDK API.
  5. Click Save.

Final thoughts

Since sharing is a core concept of Google Drive, it's nearly impossible to completely stop students from getting a copy of a shared file. To some extent, though, Safe Doc makes it harder for students to reach their distracting goal.

If you find glitches or have ideas, please leave a comment below or email support@xfanatical.com.

You may also need to Prevent Students from Publishing Google Docs to Web or Block Email as Attachment in Google Docs to limit information spread.
