This article is written for Google Workspace for Education administrators.

Many schools want to stop students from sharing Google Drive files with each other, because such sharing causes numerous classroom management and information security issues.

Although Google has added features to restrict Drive sharing with domains outside the school (see Set Drive users' sharing permissions), they do not prevent students from sharing files inside the domain.

This article explains how the Safe Doc Chrome extension limits students' sharing of Google Drive files inside your organization. If you have yet to install Safe Doc, please apply for a 30-day trial.

Overview of 3 approaches

Safe Doc solves the Drive sharing problem in 3 ways.

  1. Remove the Share feature. Students are prohibited from sharing any files with others, because they cannot find the Share feature anywhere in Drive, Docs, Sheets, Slides, etc.
    Remove the Share feature in Drive
  2. Block shared Drive file links. Even if students receive shared file links from other students, Safe Doc scrutinizes the files and blocks them according to your configuration.
    Block viewing shared file links
  3. Revoke file sharing permissions. Unauthorized sharing with other students is revoked, while sharing with teachers is unrestricted.
    Revoke Google Drive Sharing Illustration

Approach 1 is more aggressive and easier to configure than Approaches 2 and 3. You may take any one approach or combine them for a tighter grip on the spread of information.

The 3 approaches are managed by 3 separate, standalone policies.

Approach 1. Remove the Drive Share feature

This approach aggressively removes the Share feature in Google Drive and the Docs editors.

What's changing?

Safe Doc removes all menus and buttons that trigger the Share feature in Drive. They appear in various places.

In Google Drive, when students right-click any file, the context menu has two items, Share and Get shareable link. Both bring up the Share permission dialog, as do the two corresponding buttons in the toolbar.

In Docs / Sheets / Slides / Drawings / Jamboard / Sites, there is a prominent Share button in the top right corner; the same action is also available under File > Share. In Forms, sharing is called Add collaborators.

Remove share menus and buttons in Google Drive
Remove Share menus and buttons in Google Docs
Remove the Share buttons and menus in Google Slides
Remove "add collaborators" (sharing feature) in Google Forms
Safe Doc removes the Share button in Jamboard app
Safe Doc removes the Share button in the Sites app

How to configure it?

This assumes you have deployed Safe Doc and understand how Safe Doc is configured by policies.

Set the policy BlockDriveShare to true. Add the policy if you don't have it.

"BlockDriveShare": {
  "Value": true
}

Approach 2. Block Drive shared file links

Setting up this approach is much more challenging and it’s easy to make errors. Improper setup can have a severe impact on the security of your domain.

From the perspective of a student receiving a shared file, Safe Doc decides whether the link shall be blocked when the student opens the file. The benefits of this approach are

  • More precise control over the content your students can view.
  • It does not block essential file sharing from students to teachers.

If you have deployed Safe Doc, the BlockDriveSharedLinks policy is the focus of this approach. By configuring the policy, you will be able to

  • block specific Drive files or folders by their IDs
  • block all files or folders from specific email addresses
  • block all files or folders from specific organizational units (OUs)

The BlockDriveSharedLinks policy is an Object with 5 subsidiary properties.

  • Blacklist. The blacklist of Drive file sources. The file/folder IDs or owners in this list are blocked.
  • BlacklistExceptions. As the name implies, an owner who matches this list is taken out of the blacklist.
  • DelegateAdminEmail. The admin email used when blocking by OUs.
  • ServiceAccountEmail. The email of the service account used by Safe Doc, explained in Appendix I.
  • ServiceAccountPrivateKey. The private key of the service account used by Safe Doc, explained in Appendix I.

Block specific drive file or folder

This is useful when you don't want students to see a document or file that is publicly shared within your school domain.

For example, you have a staff-related notice in a Google Doc shared within your school domain, but you want students to be excluded from the viewer list.

If the document's shareable link is https://docs.google.com/document/d/1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A/edit?usp=sharing

put the file ID, 1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A, in the Blacklist, like

"BlockDriveSharedLinks": {
  "Value": {
    "Blacklist": [
      "1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A"
    ]
  }
}

When a student clicks the shared link to the document, they are shown a warning page instead of the real document.

Shared Google Drive File Blocked by Safe Doc

Google Drive files and folders all have identifiers like the one above, 1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A. It's easy to spot the file ID in a shareable link. You can add as many file IDs as you need to the Blacklist array.
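Picking file IDs out of links by hand is error-prone when the blacklist grows, so here is a small helper that does it. This is an added example for this article, not Safe Doc's or Google's code: it recognises the common Drive/Docs link shapes (.../d/<id>/..., .../folders/<id>, ...open?id=<id>), refuses anything that is not a Drive link, and emits the BlockDriveSharedLinks policy in the shape shown above. Apart from the article's own document link, the sample links and IDs are constructed placeholders.

```python
"""Pull Google Drive file/folder IDs out of shareable links.

Added example for this article; it is not part of Safe Doc or of Google's
code. It recognises the common Drive/Docs link shapes (.../d/<id>/...,
.../folders/<id>, ...open?id=<id>). All sample links below other than the
article's own document link are constructed for the demonstration.
"""
import json
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Drive IDs are opaque tokens made of letters, digits, '-' and '_'.
_ID_CHARS = r"[A-Za-z0-9_-]+"

# Path forms: /document/d/<id>/edit, /spreadsheets/d/<id>/edit,
# /file/d/<id>/view, /drive/folders/<id>, /drive/u/0/folders/<id>
_PATH_ID = re.compile(r"/(?:d|folders)/(" + _ID_CHARS + r")(?:/|$)")

_DRIVE_HOSTS = {"docs.google.com", "drive.google.com"}


def extract_drive_id(link: str) -> Optional[str]:
    """Return the file or folder ID in a Drive/Docs link, or None if the
    link is not a recognisable Google Drive link."""
    url = urlparse(link.strip())
    if url.scheme not in ("http", "https") or url.hostname not in _DRIVE_HOSTS:
        return None
    match = _PATH_ID.search(url.path)
    if match:
        return match.group(1)
    # Query form used by older links: https://drive.google.com/open?id=<id>
    ids = parse_qs(url.query).get("id", [])
    if ids and re.fullmatch(_ID_CHARS, ids[0]):
        return ids[0]
    return None


def build_blacklist(links: List[str]) -> List[str]:
    """Turn shareable links into the de-duplicated Blacklist array.
    A link that carries no recognisable ID raises, so a typo does not
    silently shrink the blacklist."""
    ids: List[str] = []
    for link in links:
        file_id = extract_drive_id(link)
        if file_id is None:
            raise ValueError(f"not a recognisable Drive link: {link!r}")
        if file_id not in ids:
            ids.append(file_id)
    return ids


def block_drive_shared_links_policy(links: List[str]) -> dict:
    """Wrap the IDs in the BlockDriveSharedLinks policy shape used above."""
    return {"BlockDriveSharedLinks": {"Value": {"Blacklist": build_blacklist(links)}}}


if __name__ == "__main__":
    sample_links = [
        # The article's own example document link.
        "https://docs.google.com/document/d/1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A/edit?usp=sharing",
        # Constructed links; the IDs are placeholders, not real files.
        "https://drive.google.com/drive/folders/FOLDER_ID_PLACEHOLDER_0001?usp=sharing",
        "https://drive.google.com/open?id=FOLDER_ID_PLACEHOLDER_0001",  # same folder, older link form
        "https://drive.google.com/file/d/FILE_ID_PLACEHOLDER_0002/view",
    ]
    print(json.dumps(block_drive_shared_links_policy(sample_links), indent=2))
```

Running the script prints a policy with three IDs: the two forms of the folder link collapse into one entry, and a link on a non-Google host raises instead of producing an empty or wrong entry.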

Block all files from specific senders

You can configure Safe Doc to block documents owned and shared by a particular person or domain. When a student clicks a shareable link from a blacklisted sender, they are redirected to the warning page shown above.

To use this feature, you need to set up

  1. Appendix I: Set up a service account
  2. Appendix II: Domain wide Authority Delegation (Part 1)
  3. Appendix III: Enable Drive SDK
  4. Appendix IV: Encrypt and protect your service account information

Then configure the BlockDriveSharedLinks policy in the following format.

  1. List potential bad file owner emails in the Blacklist
  2. List a few emails that shall be trusted in the BlacklistExceptions
  3. Copy and paste the encrypted service account information into ServiceAccountEmail and ServiceAccountPrivateKey from Appendix IV: Encrypt and protect your service account information

An asterisk (*) wildcard here matches any characters other than @. To block all senders, use *@*. For more examples, see the BlockDriveSharedLinks policy.

"BlockDriveSharedLinks": {
  "Value": {
    "Blacklist": [
      "*@gmail.com",
      "*@spam.company.com"
    ],
    "BlacklistExceptions": [
      "[email protected]"
    ],
    "ServiceAccountEmail": "7a04e3d4373e5759f78e493ab296fb26ee93b...(truncated for demo purpose)",
    "ServiceAccountPrivateKey": "3251af946a10775edbb8080790b3c849d3b7...(truncated for demo purpose)"
  }
}

Blocked files (docs, sheets, slides etc) are redirected to the blocked page shown above.

Block all files from owners in specific OUs

To use this feature, you need to set up

  1. Appendix I: Set up a service account
  2. Appendix II: Domain wide Authority Delegation (Part 1 and Part 2)
  3. Appendix III: Enable Drive SDK
  4. Appendix IV: Encrypt and protect your service account information

The BlockDriveSharedLinks policy needs slightly more work here.

  1. List the OUs you want to block in the Blacklist
  2. Take a few OUs out as exceptions in the BlacklistExceptions
  3. Specify an admin account email in the DelegateAdminEmail field. It can be your own admin email or (preferred) a separate admin account from Appendix II: Domain wide Authority Delegation (Part 2)
  4. Copy and paste the encrypted service account information into ServiceAccountEmail and ServiceAccountPrivateKey from Appendix IV: Encrypt and protect your service account information

An asterisk (*) wildcard here matches any characters other than a forward slash. Note that the values for OUs are organizational unit paths. An organizational unit path is a forward-slash representation of an organizational unit; for example, /Level 1 OU/Level 2 OU/Level 3 OU is equivalent to Root domain name > Level 1 OU > Level 2 OU > Level 3 OU. The leading / corresponds to your root domain name.

The policy example below blocks files owned by and shared from Grade 4 and Grade 5 students, as well as links shared by staff who are not teachers (/Staff/* is blacklisted, with /Staff/Teachers excepted). For more examples, see the BlockDriveSharedLinks policy.

"BlockDriveSharedLinks": {
  "Value": {
    "Blacklist": [
      "/Students/Elementary School/Grade 4",
      "/Students/Elementary School/Grade 5",
      "/Staff/*"
    ],
    "BlacklistExceptions": [
      "/Staff/Teachers"
    ],
    "DelegateAdminEmail": "[email protected]",
    "ServiceAccountEmail": "7a04e3d4373e5759f78e493ab296fb26ee93b...(truncated for demo purpose)",
    "ServiceAccountPrivateKey": "3251af946a10775edbb8080790b3c849d3b7...(truncated for demo purpose)"
  }
}

Blocked files (docs, sheets, slides etc) are redirected to the blocked page shown above.

Examples

Example 1: Suppose Safe Doc is installed for students in the Grade 3 OU. Set the policy as follows to stop Grade 3 students from seeing files from the Grade 4 and Grade 5 OUs.

"BlockDriveSharedLinks": {
  "Value": {
    "Blacklist": [
      "/Students/Elementary School/Grade 4",
      "/Students/Elementary School/Grade 5"
    ],
    "DelegateAdminEmail": "[email protected]",
    "ServiceAccountEmail": "7a04e3d4373e5759f78e493ab296fb26ee93b...(truncated for demo purpose)",
    "ServiceAccountPrivateKey": "3251af946a10775edbb8080790b3c849d3b7...(truncated for demo purpose)"
  }
}

Example 2: To stop publicly shared pirated movies, set the policy as shown below. It blocks external sources while keeping resources from your own school and trusted partner schools open.

"BlockDriveSharedLinks": {
  "Value": {
    "Blacklist": [
      "*@*"
    ],
    "BlacklistExceptions": [
      "*@your.school.domain.edu",
      "*@trusted.school.domain.edu"
    ],
    "ServiceAccountEmail": "7a04e3d4373e5759f78e493ab296fb26ee93b...(truncated for demo purpose)",
    "ServiceAccountPrivateKey": "3251af946a10775edbb8080790b3c849d3b7...(truncated for demo purpose)"
  }
}

Important notes

  • Make sure the Safe Doc Chrome extension URL chrome-extension://mmhppocgfdombmapajfeafhecobfcjpk is not blocked by the URL blocking policy setting. Otherwise all Drive file links will be blocked.
  • Make sure your firewall and/or proxy does not block these domains.
    • https://oauth2.googleapis.com
    • https://www.googleapis.com
  • The values in Blacklist, BlacklistExceptions and DelegateAdminEmail are all case-sensitive. In other words, blocking may fail if you blacklist /students where the correct value is /Students.
  • Blacklisting organizational units must be explicit. If you use only the email pattern "*@*" to blacklist OUs, it won't work. Instead, specify the OU path patterns "/*", "/*/*" and "/*/*/*" explicitly to block them.
  • If you mix email conditions and OU conditions, the email conditions take precedence over the OU conditions. Blacklisting is determined in the following order.
    1. Evaluate email conditions in Blacklist
    2. Evaluate email conditions in BlacklistExceptions
    3. Evaluate OU conditions in Blacklist
    4. Evaluate OU conditions in BlacklistExceptions
  • For security purposes, you should apply the following settings under Devices > Chrome > Settings in the Admin Console.
    • block the URL chrome://policy and
    • disable developer tools

Approach 3. Revoke Drive shared permissions

Setting up this approach is much more challenging and it’s easy to make errors. Improper setup can have a severe impact on the security of your domain.

This approach watches for events of students sharing their files, inspects them, and revokes unauthorized sharing.

If you have deployed Safe Doc, the AutoRevokeDriveSharing policy is the focus of this approach.

The AutoRevokeDriveSharing policy is an Object with 5 subsidiary properties, similar to Approach 2.

  • Blacklist. The blacklist of collaborators whose shared permissions will be revoked.
  • BlacklistExceptions. As the name implies, a collaborator who matches this list is taken out of the blacklist.
  • DelegateAdminEmail. The admin email used to look up the OU in which the collaborator is located.
  • ServiceAccountEmail. The email of the service account used by Safe Doc, explained in Appendix I.
  • ServiceAccountPrivateKey. The private key of the service account used by Safe Doc, explained in Appendix I.

To use this feature, you need to set up

  1. Appendix I: Set up a service account
  2. Appendix II: Domain wide Authority Delegation (Part 1 and Part 2)
  3. Appendix III: Enable Drive SDK
  4. Appendix IV: Encrypt and protect your service account information

Example: Revoke shared permissions to students not teachers

The following policy configuration example revokes permissions shared with any other students under the OUs /Students/* and /Students/*/*. Sharing with other people in the domain, e.g. teachers, IT technicians and other staff, is unrestricted.

"AutoRevokeDriveSharing": {
  "Value": {
    "Blacklist": [
      "/Students/*",
      "/Students/*/*"
    ],
    "BlacklistExceptions": [],
    "DelegateAdminEmail": "[email protected]",
    "ServiceAccountEmail": "7a04e3d4373e5759f78e493ab296fb26ee93b...(truncated for demo purpose)",
    "ServiceAccountPrivateKey": "3251af946a10775edbb8080790b3c849d3b7...(truncated for demo purpose)"
  }
}

The following is a demonstration. Student A shares a Google Doc with 4 collaborators: 3 students, B, C and D, and 1 teacher, E. Safe Doc detects that B, C and D are students in the blacklisted OUs, and the Editor permissions granted to them are revoked.

Notes of Approach 3

  • The revoking operation is not instant; there is a delay of up to 15 minutes.
  • This approach does not revoke permissions shared before the policy took effect.
  • If you have already set up Approach 2, the only additional step is to authorize the scopes https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/drive.metadata.readonly,https://www.googleapis.com/auth/drive for your existing service account in Appendix II: Domain wide Authority Delegation (Part 1). No new service accounts are required.
  • Make sure your firewall and/or proxy does not block these domains.
    • https://oauth2.googleapis.com
    • https://www.googleapis.com
  • The values in Blacklist, BlacklistExceptions and DelegateAdminEmail are all case-sensitive. In other words, permission revoking may fail if you blacklist /students where the correct value is /Students.
  • If you mix email conditions and OU conditions in Blacklist and BlacklistExceptions, note that they are applied differently from BlockDriveSharedLinks. Blacklisting is determined in the following order.
    1. Evaluate email conditions in Blacklist
    2. Evaluate OU conditions in Blacklist
    3. Evaluate email conditions in BlacklistExceptions
    4. Evaluate OU conditions in BlacklistExceptions
  • For security purposes, you should apply the following settings
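The wildcard rules (an asterisk matches anything except @ in an email pattern and anything except / in an OU path pattern), the case-sensitivity warning, and the two different evaluation orders given for BlockDriveSharedLinks and AutoRevokeDriveSharing are easy to get wrong when writing a policy. The model below is an added example for this article, not Safe Doc's code: it encodes only what the notes above state and lets you try a candidate Blacklist/BlacklistExceptions pair against a user's email and OU path before deploying it. How the four stages combine is an assumption made here (the latest matching stage decides: a Blacklist hit blocks, a BlacklistExceptions hit un-blocks); the STAFF_EXCEPT_TEACHERS policy is the article's own Approach 2 OU example without its credential fields, and the MIXED policy and the sample users are constructed.

```python
"""Model of the Blacklist / BlacklistExceptions matching this article describes.

Added example; this is not Safe Doc's code. It encodes only what the article
states: in an email pattern '*' matches any characters except '@'; in an OU
path pattern '*' matches any characters except '/'; values are
case-sensitive; and the four evaluation stages run in the order given for
BlockDriveSharedLinks and for AutoRevokeDriveSharing. How the stages combine
is an ASSUMPTION made here: a later matching stage overrides an earlier one
(a Blacklist hit blocks, a BlacklistExceptions hit un-blocks).
"""
import re
from typing import Dict, Iterable, List, Tuple


def _glob(pattern: str, excluded: str) -> "re.Pattern[str]":
    """Compile a pattern where '*' means 'any run of characters except
    `excluded`'; everything else is literal and case-sensitive."""
    wildcard = "[^" + re.escape(excluded) + "]*"
    return re.compile("^" + wildcard.join(re.escape(p) for p in pattern.split("*")) + "$")


def is_email_pattern(pattern: str) -> bool:
    return "@" in pattern


def is_ou_pattern(pattern: str) -> bool:
    return pattern.startswith("/")


def match_email(pattern: str, email: str) -> bool:
    return is_email_pattern(pattern) and bool(_glob(pattern, "@").match(email))


def match_ou(pattern: str, ou_path: str) -> bool:
    return is_ou_pattern(pattern) and bool(_glob(pattern, "/").match(ou_path))


# (list name, condition kind) in the order the article gives for each policy.
BLOCK_DRIVE_SHARED_LINKS_ORDER: List[Tuple[str, str]] = [
    ("Blacklist", "email"), ("BlacklistExceptions", "email"),
    ("Blacklist", "ou"), ("BlacklistExceptions", "ou"),
]
AUTO_REVOKE_DRIVE_SHARING_ORDER: List[Tuple[str, str]] = [
    ("Blacklist", "email"), ("Blacklist", "ou"),
    ("BlacklistExceptions", "email"), ("BlacklistExceptions", "ou"),
]


def is_blocked(value: Dict[str, List[str]], email: str, ou_path: str,
               order: Iterable[Tuple[str, str]]) -> bool:
    """Decide whether an owner/collaborator with this email and OU path is
    blacklisted under the given policy Value and stage order."""
    blocked = False
    for list_name, kind in order:
        patterns = value.get(list_name, [])
        if kind == "email":
            hit = any(match_email(p, email) for p in patterns)
        else:
            hit = any(match_ou(p, ou_path) for p in patterns)
        if hit:  # ASSUMPTION: the latest matching stage decides
            blocked = (list_name == "Blacklist")
    return blocked


# The article's Approach 2 OU example (credential fields omitted).
STAFF_EXCEPT_TEACHERS = {
    "Blacklist": ["/Students/Elementary School/Grade 4",
                  "/Students/Elementary School/Grade 5", "/Staff/*"],
    "BlacklistExceptions": ["/Staff/Teachers"],
}

# Constructed policy mixing email and OU conditions, to show why the two
# stage orders can disagree.
MIXED = {
    "Blacklist": ["*@*", "/Students/*"],
    "BlacklistExceptions": ["*@your.school.domain.edu"],
}


if __name__ == "__main__":
    # '/*' covers one OU level only, which is why the article lists
    # "/*", "/*/*" and "/*/*/*" separately; "*@*" never matches an OU path.
    print(match_ou("/*", "/Students"), match_ou("/*", "/Students/Grade 4"),
          match_ou("*@*", "/Students"))
    # Case-sensitive, as the notes warn.
    print(match_ou("/students", "/Students"))
    # Same mixed policy, same constructed student, different stage order.
    student = ("kid@your.school.domain.edu", "/Students/Grade 4")
    print(is_blocked(MIXED, *student, BLOCK_DRIVE_SHARED_LINKS_ORDER),
          is_blocked(MIXED, *student, AUTO_REVOKE_DRIVE_SHARING_ORDER))
```

Under this model a domain student in /Students/Grade 4 is blocked by the MIXED policy under the BlockDriveSharedLinks order (the OU Blacklist stage runs after the email exception) but not under the AutoRevokeDriveSharing order (both exception stages run last), which is the practical consequence of the note that the two policies evaluate differently. Keep email and OU conditions in separate policies unless you have tested the combination you intend.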

Appendix I: Set up a service account

What's a service account?

A Google service account is a robotic account used by applications to access Google APIs. It is not a Google Workspace domain user account, but it can impersonate users in a Google Workspace domain and access their data when a super administrator allows it. To learn more, please visit Google's official service account documentation.

Why is a service account needed?

The Safe Doc Chrome extension runs on students' devices. As an enterprise application, Safe Doc needs to call the Google Drive/Admin APIs to learn the ownership of a shared Drive file without manual authorization on the students' part.

To do so, Google provides a mechanism called Google Workspace domain-wide delegation of authority to a service account. As a domain super administrator, you create a service account for your own domain and authorize it to call Google APIs on behalf of users without the users' consent.

How to set up a service account?

It's recommended to read Google's documentation, Perform Google Workspace Domain-Wide Delegation of Authority, to understand how it works. Also, please create a new service account for Safe Doc; for security purposes, do not reuse your existing service accounts.

Video tutorial

The video tutorial helps you walk through the service account setup quickly. It demonstrates 5 major tasks: creating a new Google Cloud project, creating a service account and private key, setting up the OAuth consent screen, enabling domain-wide delegation on the service account, and enabling Google APIs for the service account.

Step-by-step breakdown

Create a service account

  1. Go to Google Cloud Platform > IAM & Admin > Service Accounts page.
  2. Click Create Project.
    Google Cloud Platform Service Account Page
  3. Click the + Create service account button
    Create Service Account button
  4. Under Service account details, type the Service account name, Service account ID and description, and click Create.
    Create service account details
  5. The Grant this service account access to project (optional) section that follows is not required. Click Continue.
  6. Click Done.
  7. In the Actions column of the created service account, click the three dots and click Create key.
    Create key for service account
  8. In the dialog that pops up, select JSON and click Create. The private key is downloaded to your computer. This is the only copy of the key, so keep it secure.
    Create Private key for service account in JSON
  9. Click Close on the Private key saved to your computer dialog and return to the table of your service accounts.

Set up OAuth consent screen

  1. Go to Google Cloud Platform > APIs & Services > OAuth consent screen.
  2. Under User Type, choose Internal and click Create.
    Internal User Type on OAuth consent screen
  3. Under App information, enter the App name (e.g. Safe Doc), User support email (e.g. your email), and Email addresses under Developer contact information (e.g. your email). Other fields are optional. Click Save and Continue.
    Edit OAuth consent screen
  4. In the Scopes screen, click Save and Continue.

Enable Google Workspace domain-wide delegation on the service account

  1. Go back to the Google Cloud Platform > IAM & Admin > Service Accounts page. Select the project you created if it asks you to select a recent project.
  2. In the Actions column of the created service account, click the three dots and click Edit.
    Edit service account
  3. In the service account details, click Show domain-wide delegation and check Enable Google Workspace Domain-wide Delegation. Make a note of the Unique ID (Client ID), and click Save.
    Enable Domain-wide delegation for Google Service account

Enable Google APIs for the service account

  1. Go to Google Cloud Platform > APIs & Services > Library page.
  2. Search for Google Drive API.
  3. In the Google Drive API page, click Enable.
    Enable Google Drive API in GCP
  4. Search for Admin SDK API and enable it in the same way.
    Enable Admin SDK API in GCP

Appendix II: Domain wide Authority Delegation

Why set up Domain Wide Authority Delegation?

You grant the service account you created in Appendix I: Set up a service account permission to learn the ownership of shared files and, optionally, permission to learn the OU of the owner or collaborator.

Steps to enable domain wide authority delegation

Part 1. Delegate the domain-wide authority to the service account. You must be signed in as a super administrator for this task.

  1. Log into your admin console (admin.google.com)
  2. Go to Security > API Permissions > Domain wide delegation
  3. Click Add new.
  4. In the Client ID field, enter the client ID you obtained from the service account, e.g. 11472844441827617231.
  5. In the OAuth scopes (comma-delimited) field, depending on the feature you want, enter one of the following:
    1. If you use Approach 2 and block shared Drive files at the OU level, specify
      https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/drive.metadata.readonly
    2. If you use Approach 2 and only block shared Drive files by owner emails, specify https://www.googleapis.com/auth/drive.metadata.readonly
    3. If you also use Approach 3, specify
      https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/drive.metadata.readonly,https://www.googleapis.com/auth/drive
  6. Click the Authorize button.

Part 2 (Optional). Set up a limited-privilege admin account.

This lets the service account impersonate an admin to read the file owner's organizational unit information. You must be signed in as a super administrator for this task.

If you have difficulty following these steps, see Google's official guide Create, edit, and delete custom admin roles.

  1. Log into your admin console (admin.google.com)
  2. Go to Admin roles.
  3. Click Create new role.
  4. Enter a name (e.g. Delegate Admin) and a description (e.g. Delegate Admin for Safe Doc) for the role, then click Continue.
  5. In the Select Privileges step, check Users > Read privilege. The dependent Organizational Units > Read privilege checkbox is selected automatically, as are the counterparts under Admin API privileges.
  6. Click Continue.
  7. In the Review Privileges step, click Create Role.
  8. Now, in the newly created Admin Role, click Assign role to make a user an admin.
  9. Click Assign Role.

Appendix III: Enable Drive SDK

Why enable the Drive SDK?

Even though you have granted Safe Doc the Google Drive API scope to detect the ownership of shared Drive files, that's not enough. Google gives admins an extra barrier that stops API access to Google Drive regardless of the legitimacy of the source.

Steps to enable Drive SDK

Following Google's help document Allow third-party apps for Drive files, enable the Drive SDK for the students' OUs in which this Safe Doc Drive file blocking feature is used.

  1. Sign in to Admin Console.
  2. Go to Apps > Google Workspace > Drive and Docs > Features and Applications.
  3. Select your students' OU.
  4. Under Drive SDK, check Allow users to access Google Drive with the Drive SDK API.
  5. Click Save.

Appendix IV: Encrypt and protect your service account information

Because the service account is a powerful tool provided by Google, use it carefully. It is your responsibility to protect your own service account credentials.

Safe Doc requires 2 service-account-related properties under the BlockDriveSharedLinks policy, ServiceAccountEmail and ServiceAccountPrivateKey.

It's strongly recommended to encrypt your service account email and private key using the Service Account Encryption Tool for Safe Doc (a mini tool embedded in the page, not a download).

  1. Make sure you have downloaded the service account private key JSON file.
  2. In the Your Service Account Private Key JSON File field, select the downloaded JSON file.
  3. Click Encrypt.
  4. The Encrypted Service Account Values will display the encrypted service account properties ready for policy configuration.
  5. Click the Content copy icon button to copy the values.

Final thoughts

Since sharing is a core concept of Google Drive, it is nearly impossible to completely stop students from getting a copy of a shared file. To some extent, Safe Doc makes the process harder for students and slows the spread of inappropriate content.

If you find glitches or have ideas, please email support@xfanatical.com.
