Block Google Drive Sharing Files

This article is written for Google Workspace for Education Administrators.

Many schools want to stop students from sharing Google Drive files with each other. It causes numerous classroom management issues and information security issues.

Although Google added features to restrict drive sharing with outside school domains (see Set Drive users' sharing permissions), it doesn't prevent students from sharing files inside the domain.

This article explains how Safe Doc chrome extension limits students' activities of sharing Google Drive files inside your organization. If you have yet to install Safe Doc, please apply for a 30 days trial.

Overview of 3 approaches

Ideally, schools expect to disallow students sharing files with other students and only allow sharing with teachers. Unfortunately, it's technically impossible.

Safe Doc solves the Drive sharing problem in 3 alternatives.

1. Remove the Share feature. This approach removes all the Share buttons and menu items in anywhere in Drive, Docs, Sheets, Slides etc. Students cannot share any Drive files with other students, including the teacher.
   
2. Block shared Drive file links. Even students receive shared file links from other students, Safe Doc will scrutinize the files and block them as per your configuration. For instance, Student B, C and D shares Google Docs with Student A, when A clicks those Doc links, Safe Doc block them. If the Teacher shares a Google Doc with Student A, Safe Doc won't block it and Student A can open the Doc link.
   
3. Revoke the file sharing permissions. Unauthorized sharing to other students will be revoked, while sharing to teachers is unrestricted. For example, Student A shares a Google Doc with Student B, C, D and the Teacher, Safe Doc revokes the sharing permissions with Student B, C and D while keeps the sharing with the Teacher.
   

Approach 1 is more aggressive and easier to configure than Approach 2 and Approach 3. You may take any approach or combine them for tighter grip on information spread.

Approach 1. Remove the Drive Share feature

The approach aggressively removes the Share feature in Google Drive and Docs editors.

What's changing?

Safe Doc removes all menus and buttons that trigger the Share feature in Drive. They present in various ways.

In Google Drive, when students right click any file, the context menu has 2 menus, Share and Get shareable link. The two menus bring up the Share permission edit dialog. So do the 2 buttons in the toolbar.

In Docs / Sheets / Slides / Drawings / Jamboard / Sites, there is a striking Share button on the top right corner. It also exists in menu File > Share. In Forms, the Sharing is called Add collaborators.

When a file is selected in Google Drive, a "Manage access" shareable link appears in sidebar that allows you to share that file with your contacts. Safe Doc removes that Manage Access option.

How to configure it?

Assume you have deployed Safe Doc and understand Safe Doc configuration by policies.

Set the policy BlockDriveShare to true. Add the policy if you don't have it.

"BlockDriveShare": {
  "Value": true
}

Approach 2. Block Drive shared file links

From the perspective of a student receiving a shared file, Safe Doc decides if the link shall be blocked when they opened the file. The benefits of this approach are

• More precise control on the content your students can view.
• It does not block essential file sharing from students to teachers.

If you have deployed Safe Doc, the BlockDriveSharedLinks policy is the focus of this approach. By configuring the policy, you will be able to block all files or folders from specific organizational units (OU)

The BlockDriveSharedLinks policy is an Object including 5 subsidiary properties.

• Blacklist. This is the blacklist of drive files sources. If the file owner's email address or OU is in this list, then the shared link is blocked.
• BlacklistExceptions. If the file owner's email address or OU is also in this list, then the shared link is permitted.
• DelegateAdminEmail. This admin email is used by the case of blocking by OUs.
• ServiceAccountEmail. The service account used by Safe Doc, explained in Appendix I.
• ServiceAccountPrivateKey. The service account used by Safe Doc, explained in Appendix I.

Block specific drive file or folder

This is useful when you don't want students to see a document or file public shared in your school domain.

For example, you have a staff related notice Google Doc shared within your school domain, but you want students to be excluded from the viewer list.

If the document shareable link is https://docs.google.com/document/d/1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A/edit?usp=sharing

put the file id, 1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A, to the Blacklist, like

"BlockDriveSharedLinks": {
  "Value": {
    "Blacklist": [
      "1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A"
    ]
  }
}

When students click the shared link to the document, s/he is given a warning page instead of the real document.

Google drive files or folders all have similar identifier as above, 1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A. It's easy to spot the file id in a shareable link. You can add as many file IDs as you need in the Blacklist array.

Block all files from specific senders

You will be able to configure Safe Doc to block documents owned and shared by someone or some domain. When students click the shareable links from the blacklisted senders, s/he is redirect to the warning page like above.

To use this feature, you need to set up

1. Appendix I: Set up a service account
2. Appendix II: Domain wide Authority Delegation (Part 1)
3. Appendix III: Enable Drive SDK
4. Appendix IV: Encrypt and protect your service account information

Then configure the BlockDriveSharedLinks policy in following format.

1. List potential banned file owner email addresses in the Blacklist
2. List trusted email addresses in the BlacklistExceptions
3. Copy and paste the encrypted service account information as the ServiceAccountEmail and ServiceAccountPrivateKey from the Appendix IV: Encrypt and protect your service account information

An * wildcard here means all non-@ characters. To block all senders, use *@*. For more examples, see the BlockDriveSharedLinks policy.

"BlockDriveSharedLinks": {
  "Value": {
    "Blacklist": [
      "*@gmail.com",
      "*@spam.company.com"
    ],
    "BlacklistExceptions": [
      "[email protected]"
    ],
    "ServiceAccountEmail": "7a04e3d4373e5759f78e493ab296fb26ee93b...(truncated for demo purpose)",
    "ServiceAccountPrivateKey": "3251af946a10775edbb8080790b3c849d3b7...(truncated for demo purpose)"
  }
}

Blocked files (docs, sheets, slides etc) are redirected to the blocked page shown above.

Block all files from owners in specific OUs

To use this feature, you need to set up

1. Appendix I: Set up a service account
2. Appendix II: Domain wide Authority Delegation (Part 1 and Part 2)
3. Appendix III: Enable Drive SDK
4. Appendix IV: Encrypt and protect your service account information

The BlockDriveSharedLinks policy needs slightly more work here.

1. List the OUs you want to block in the Blacklist
2. Take out few OUs as exceptions in the BlacklistExceptions
3. Specify an admin account email in the DelegateAdminEmail field. It can be your own admin email or a separate admin account (preferred) from Appendix II: Domain wide Authority Delegation (Part 2)
4. Copy and paste the encrypted service account information as the ServiceAccountEmail and ServiceAccountPrivateKey from the Appendix IV: Encrypt and protect your service account information

An * wildcard here means all non-forward slash characters. Note the values of OU are organizational unit paths. A organizational unit path is a forward-slash representation of organizational unit, for example. /Level 1 OU/Level 2 OU/Level 3 OU is equivalent to Root domain name > Level 1 OU > Level 2 OU > Level 3 OU. The beginning / is equivalent to your Root domain name.

The policy example below blocks files owned by and shared from Grade 4 and Grade 5 students. It blocks non-teachers shared drive links. For more examples, see the BlockDriveSharedLinks policy.

"BlockDriveSharedLinks": {
  "Value": {
    "Blacklist": [
      "/Students/Elementary School/Grade 4",
      "/Students/Elementary School/Grade 5",
      "/Staff/*"
    ],
    "BlacklistExceptions": [
      "/Staff/Teachers"
    ],
    "DelegateAdminEmail": "[email protected]",
    "ServiceAccountEmail": "7a04e3d4373e5759f78e493ab296fb26ee93b...(truncated for demo purpose)",
    "ServiceAccountPrivateKey": "3251af946a10775edbb8080790b3c849d3b7...(truncated for demo purpose)"
  }
}

Blocked files (docs, sheets, slides etc) are redirected to the blocked page shown above.

Examples

Example 1: Suppose Safe Doc is installed for Grade 3 OU students, set the policy to stop Grade 3 OU students from seeing files from Grade 4 OU and Grade 5 OU.

"BlockDriveSharedLinks": {
  "Value": {
    "Blacklist": [
      "/Students/Elementary School/Grade 4",
      "/Students/Elementary School/Grade 5"
    ],
    "DelegateAdminEmail": "[email protected]",
    "ServiceAccountEmail": "7a04e3d4373e5759f78e493ab296fb26ee93b...(truncated for demo purpose)",
    "ServiceAccountPrivateKey": "3251af946a10775edbb8080790b3c849d3b7...(truncated for demo purpose)"
  }
}

Example 2: To stop public shared pirated movies, set a policy as shown below. It blocks external sources while keeps open for resources from your own school and trusted school allies.

"BlockDriveSharedLinks": {
  "Value": {
    "Blacklist": [
      "*@*"
    ],
    "BlacklistExceptions": [
      "*@your.school.domain.edu",
      "*@trusted.school.domain.edu"
    ],
    "ServiceAccountEmail": "7a04e3d4373e5759f78e493ab296fb26ee93b...(truncated for demo purpose)",
    "ServiceAccountPrivateKey": "3251af946a10775edbb8080790b3c849d3b7...(truncated for demo purpose)"
  }
}

Important notes

• Make sure the Safe Doc chrome extension URL chrome-extension://mmhppocgfdombmapajfeafhecobfcjpk is not blocked in the URL blocking policy setting. Otherwise all drive file links will be blocked.
• Make sure your firewall and/or proxy does not block these domains.
  • https://oauth2.googleapis.com
  • https://www.googleapis.com
• The OU values in the Blacklist and BlacklistExceptions include all nested OUs. For example, a "Blacklist": ["/Students"] means blocking all students under the /Students OU and sub OUs /Students/Grade 1, /Students/Grade 2, /Students/Grade 3/Exams etc.
• For security purposes, you should apply the following settings in the Devices > Chrome > Settings of Admin Console.
  • block the URL chrome://policy and
  • disable developer tools

Approach 3. Revoke Drive shared permissions

This approach watches for events of students sharing their files, inspects and revokes unauthorized students' file sharing.

If you have deployed Safe Doc, the AutoRevokeDriveSharing policy is the focus of this approach.

The AutoRevokeDriveSharing policy is an Object including 5 subsidiary properties, similar to Approach 2.

• Blacklist. This is the blacklist of collaborators for whom the shared permissions will be revoked.
• BlacklistExceptions. As the name implies, the collaborator who matches this list is taken out from the black list.
• DelegateAdminEmail. This admin email is used for inspecting the OU where the collaborator is located.
• ServiceAccountEmail. The service account used by Safe Doc, explained in Appendix I.
• ServiceAccountPrivateKey. The service account used by Safe Doc, explained in Appendix I.

To use this feature, you need to set up

1. Appendix I: Set up a service account.
2. Appendix II: Domain wide Authority Delegation (Part 1 and Part 2)
3. Appendix III: Enable Drive SDK.
4. Appendix IV: Encrypt and protect your service account information

Example: Revoke shared permissions to students not teachers

The follow policy configuration example is to revoke shared permissions to any other students under the OUs /Students except OUs /Students/Grade 10, /Students/Grade 11 and /Students/Grade 12. Safe Doc does not revoke students sharing with other people in the domain, e.g. the teachers, or the IT technicians and other staff.

"AutoRevokeDriveSharing": {
  "Value": {
    "Blacklist": [
      "/Students",
    ],
    "BlacklistExceptions": [
      "/Students/Grade 10",
      "/Students/Grade 11",
      "/Students/Grade 12",
    ],
    "DelegateAdminEmail": "[email protected]",
    "ServiceAccountEmail": "7a04e3d4373e5759f78e493ab296fb26ee93b...(truncated for demo purpose)",
    "ServiceAccountPrivateKey": "3251af946a10775edbb8080790b3c849d3b7...(truncated for demo purpose)"
  }
}

The following is a demonstration. Student A shares a Google Doc with 4 collaborators, 3 students B, C, D and 1 teacher E. Safe Doc detects that B, C, D are students in the Blacklist OUs. The Editor permissions shared to them are revoked.

Notes of Approach 3

• The revoking operation is not instant. There is an up to 15 min delay.
• This approach does not revoke permissions shared before the policy is effective.
• If you have set up Approach 2, the same policy configuration can be applied to the policy in Approach 3. The only additional step is to authorize these scopes https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/drive.metadata.readonly,https://www.googleapis.com/auth/drive to your existing service account in the Appendix II: Domain wide Authority Delegation (Part 1). No new service accounts are required.
• Make sure your firewall and/or proxy does not block these domains.
  • https://oauth2.googleapis.com
  • https://www.googleapis.com
• For security purposes, you should apply the following settings in the Devices > Chrome > Settings of Google Admin Console.
  • Block the URL chrome://policy
  • Disable developer tools

Appendix I: Set up a service account

What's a service account?

A Google service account is a robotic account that is used by applications to access Google APIs. It's not a Google Workspace domain user account. But it can impersonate users in a Google Workspace domain and access user's data when a super administrator allows so. To learn more, please visit Google's official service account documentation.

Why need a service account?

Safe Doc chrome extension runs on students' devices. As an enterprise applications, Safe Doc needs to call the Google Drive/Admin API to know the ownership of a Drive shared file without the manual authorization on the students' part.

To do so, Google provides a mechanism called Google Workspace domain-wide delegation of authority to a service account. As a domain super administrator, you will create a service account for your own domain, authorize the service account to call Google APIs on behalf of users without users' consent.

How to set up a service account?

It's recommended to read Google's documentation of Perform Google Workspace Domain-Wide Delegation of Authority to understand how it works. Also, please create a new service account for Safe Doc. Do not reuse your existing service accounts, for security purposes.

Video tutorial

The video tutorial can help you quickly walkthrough the service account setup. It demonstrates 5 major tasks, creating a new Google Cloud Project, creating a service account and private key, set up the OAuth consent screen, enable domain-wide delegation on the service account, and enable Google APIs for the service account.

Step-by-step breakdown

Create a service account

1. Go to Google Cloud Platform > IAM & Admin > Service Accounts page.
2. Click Create Project.
   
3. Click the + Create service account button
   
4. Under Service account details, type the Service account name, Service account ID and description, and click Create.
   
5. The Grant this service account to project (optional) section that follows is not required. Click Continue.
6. Click Done.
7. At the newly created service account, make a note of the OAuth 2 Client ID. Then in the Actions column, click and click Manage keys.
   
8. In the Keys page, click Add Key > Create new key.
   
9. In the popped dialog, select JSON and click Create. The private key is now downloaded to your computer. It serves as the only copy of this key, so keep it securely.
   
10. Click Close on the Private key saved to your computer dialog and return to the table of your service accounts.

Set up OAuth consent screen

1. Go to Google Cloud Platform > APIs & Services > OAuth consent screen.
2. In the User Type, Choose Internal and click Create.
   
3. In the App information, input the App name (e.g. Safe Doc), User support email (e.g. your email), and Email addresses under Developer contact information (e.g. your email). Other fields are optional. Click Save and Continue.
   
4. In the Scopes screen, click Save and Continue.

Enable Google APIs for the service account

1. Go to Google Cloud Platform > APIs & Services > Library page.
2. Search for Google Drive API.
3. In the Google Drive API page, click Enable.
   
4. Search for Admin SDK API.
   

Appendix II: Domain wide Authority Delegation

Why setting up Domain Wide Authority Delegation?

You authorize the service account you created in Appendix I: Set up a service account the permissions to know the ownership of shared files and optionally the permission to know the OU of the owner or collaborator.

Steps to enable domain wide authority delegation

Part 1. Delegate the domain-wide authority to the service account. You must be signed in as a super administrator for this task.

1. Log into your admin console (admin.google.com)
2. Go to Security > API Permissions > Domain wide delegation
3. Click Add new.
4. In the Client ID field, enter the client ID you obtained from the service account OAuth Client ID column, e.g. 11472844441827617231.
5. In the OAuth scopes (comma-delimited) field, depending on the feature you wanted, enter either
   1. If you use approach 2 and block shared drive files in OU level, specify
      https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/drive.metadata.readonly
   2. If you use approach 2 and only block shared drive files by owner emails, specify https://www.googleapis.com/auth/drive.metadata.readonly
   3. If you also use approach 3, specify
      https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/drive.metadata.readonly,https://www.googleapis.com/auth/drive
6. Click the Authorize button.

Part 2 (Optional). Set up a limited-privilege admin account.

This is for the service account to impersonate as an admin to read the file owner's organization unit information. You must be signed in as a super administrator for this task.

If you don't follow the steps, see Google's official guide Create, edit, and delete custom admin roles.

1. Log into your admin console (admin.google.com)
2. Go to Admin roles.
3. Click Create new role.
4. Enter a name (e.g. Delegate Admin) and a description (e.g. Delegate Admin for Safe Doc) for the role, then click Continue.
5. In the Select Privileges step, check Users > Read privilege. The dependent Organizational Units > Read privilege checkbox would also be automatically selected. So are the counterparts in Admin API privileges.
6. click Continue.
7. In the Review Privileges step, click Create Role.
8. Now in the newly created Admin Role, click Assign role to make a user as an admin.
9. Click Assign Role.

Appendix III: Enable Drive SDK

Why to enable Drive SDK?

Even though you have granted Safe Doc the Google Drive API scope to detect the ownership of shared Drive files, that's not enough. Google provides admins an extra barrier to stop API access to Google Drive, regardless of the legitimacy of the source.

Steps to enable Drive SDK

Following Google's help document Allow third-party apps for Drive files, enable Drive SDK for your students' OUs for which this Safe Doc Drive file blocking feature is used.

1. Sign in to Admin Console.
2. Go to Apps > Google Workspace > Drive and Docs > Features and Applications.
3. Select your students' OU.
4. In the Drive SDK, check Allow users to access Google Drive with the Drive SDK API.
5. Click Save.

Appendix IV: Encrypt and protect your service account information

Because the service account is a powerful tool provided by Google, use it carefully. It's your responsibility to protect your own service account credentials.

Safe Doc requires 2 service account related properties under the BlockDriveSharedLinks policy, ServiceAccountEmail and ServiceAccountPrivateKey.

It's strongly recommended to encrypt your service account email and private key using the following Service Account Encryption Tool for Safe Doc mini tool (embedded in the page, not a downloaded tool).

1. Make sure you have downloaded the service account private key JSON file
2. In the Your Service Account Private Key JSON File field, select the downloaded JSON file
3. Click Encrypt.
4. The Encrypted Service Account Values will display the encrypted service account properties ready for policy configuration.
5. Click the button to copy the values.

Final thoughts

Since sharing is a core concept of Google Drive, it's nearly impossible to completely stop students from getting a copy of the shared file. To some extent, Safe Doc makes the process harder for students and slows the spread of inappropriate content.

If you find glitches or have ideas, please email support@xfanatical.com.

You may also like

• Prevent Students from Publishing Google Docs to Web
• Block Email as Attachment in Google Docs