This article is written for G Suite for Education (GSFE) administrators. Note that this is an experimental feature of Safe Doc, available only for schools.

Sharing is a key component of Google Drive. It lets teachers and students exchange material without physically handing anything over. So why write a post about blocking this great feature?

Consider these scenarios.

  1. Grade 4 students share past quizzes, tests and cheat sheets with Grade 3 students as Google Docs, Sheets or Forms. Teachers don't have time to rewrite tests and quizzes every year.
  2. Students in the same grade, usually in the same Organizational Unit (OU), constantly share time-wasting Google Docs with each other all day long, which disrupts classroom discipline.
  3. Students can find and access publicly shared resources (inside or outside the domain) without restriction. For example, it's easy to find pirated movies in publicly shared Google Drive folders by googling movies site:drive.google.com.

Although Google added a setting to restrict Drive sharing with addresses outside the school domain (see Set Drive users' sharing permissions), it doesn't prevent students from sharing files with each other inside the domain.

This article explains how the Safe Doc Chrome extension blocks students from opening shared Google Drive links. If you don't know Safe Doc, check out Safe Doc 101.

Features

First of all, the Safe Doc Chrome extension does not take the sharing capability away from the file owner. Instead, Safe Doc restricts which shared documents the recipients can open.

If you have deployed Safe Doc, the BlockDriveSharedLinks policy is the focus of this article. By configuring the policy, you will be able to

  • block a specific Drive file or folder
  • block all files owned by specific email addresses or domains
  • block all files owned by users in specific OUs

The BlockDriveSharedLinks policy is an object with three sub-settings.

  • Blacklist. The list of blocked sources. Each entry is a file ID, an owner email pattern or an owner OU path; a file whose ID, owner or owner's OU matches an entry is blocked.
  • BlacklistExceptions. Owners (email patterns or OU paths) matching this list are exempted from the Blacklist even if they also match a Blacklist entry.
  • DelegateAdminEmail. The admin account Safe Doc impersonates to look up an owner's OU. It is only needed when blocking by OU.

Block specific drive file or folder

This is useful when you don't want students to see a document or file that is publicly shared within your school domain.

For example, you have a staff-related notice in a Google Doc shared within your school domain, but you want students excluded from the viewer list.

If the document shareable link is https://docs.google.com/document/d/1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A/edit?usp=sharing

put the file ID, 1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A, in the Blacklist, like this:

{
  "BlockDriveSharedLinks": {
    "Value": {
      "Blacklist": [
        "1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A"
      ]
    }
  }
}

When a student clicks the shared link to the document, they are shown a warning page instead of the real document.

Shared Google Drive File Blocked by Safe Doc

Google Drive files and folders all have an identifier of this form, and it's easy to spot in a shareable link (the segment after /d/ or /folders/). You can add as many file IDs as you need to the Blacklist array. Note that a copy of a blocked document gets a new ID, so blocking by file ID only covers that exact file.

Block all files from specific owners

You can configure Safe Doc to block documents owned and shared by particular people or by a whole domain. When students click a shareable link from a blacklisted owner, they are redirected to the warning page shown above.

To use this feature, you need to set up Service Account Authority Delegation (Part 1).

Then configure the BlockDriveSharedLinks policy in the following format. First list the email addresses or patterns of file owners to block in the Blacklist, then list the addresses that should be trusted anyway in the BlacklistExceptions.

A * wildcard here matches any run of non-@ characters, so *@gmail.com matches every gmail.com address. To block all owners, use *@*. For more examples, go to the Safe Doc Policy Configuration page.

{
  "BlockDriveSharedLinks": {
    "Value": {
      "Blacklist": [
        "*@gmail.com",
        "*@spam.company.com"
      ],
      "BlacklistExceptions": [
        "the.good.science.guy@gmail.com"
      ]
    }
  }
}

Blocked files (Docs, Sheets, Slides etc.) are redirected to the blocked page shown above.

Block all files from owners in specific OUs

To use this feature, you need to set up Service Account Authority Delegation (Part 1 & 2).

The BlockDriveSharedLinks policy needs slightly more work here. First list the OU paths you want to block in the Blacklist, then list any OUs to exempt in the BlacklistExceptions. Most importantly, put the delegate admin email created in the service account authority delegation step in the DelegateAdminEmail field.

A * wildcard here matches any run of non-forward-slash characters, i.e. one level of the OU tree. OU values are organizational unit paths: a forward-slash representation of the OU hierarchy. For example, /Level 1 OU/Level 2 OU/Level 3 OU is equivalent to Domain name > Level 1 OU > Level 2 OU > Level 3 OU, and / alone is the top-level (domain) OU.

The policy example below blocks files owned and shared by Grade 4 and Grade 5 students, and by all staff except teachers. For more examples, go to the Safe Doc Policy Configuration page.

{
  "BlockDriveSharedLinks": {
    "Value": {
      "Blacklist": [
        "/Students/Element School/Grade 4",
        "/Students/Element School/Grade 5",
        "/Staff/*"
      ],
      "BlacklistExceptions": [
        "/Staff/Teachers"
      ],
      "DelegateAdminEmail": "delegate.admin@your.school.domain.edu"
    }
  }
}

As before, blocked files (Docs, Sheets, Slides etc.) are redirected to the blocked page shown above.
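To make the three blocking modes above concrete, here is an added example (not Safe Doc's own code, whose internals are not published on this page) that evaluates a BlockDriveSharedLinks policy the way the text describes it: extract the file ID from a shareable link, match owner emails with * standing for non-@ characters, match OU paths with * standing for non-slash characters, and let BlacklistExceptions override Blacklist hits. The owner email and OU path are passed in as plain inputs; in a real deployment they would come from the Drive API (files.get, owners field) and the Admin SDK Directory API (users.get, orgUnitPath) using the delegated service account from the appendix. The rule that classifies an entry (leading / is an OU path, containing @ is an email pattern, anything else is a file ID), case-insensitive matching, and the policy sanity checks are assumptions of this example. The example policy is constructed from the article's snippets.

```python
import re
from typing import List, Optional

# Drive file and folder IDs are URL-safe strings of letters, digits, '-' and '_' (assumed charset).
_ID = r"([A-Za-z0-9_-]+)"
_LINK_PATTERNS = [
    re.compile(r"/(?:d|folders)/" + _ID),  # .../document/d/<id>/edit, .../drive/folders/<id>
    re.compile(r"[?&]id=" + _ID),          # drive.google.com/open?id=<id>
]


def file_id_from_link(url: str) -> Optional[str]:
    """Return the file or folder ID embedded in a shareable link, or None if there is none."""
    for pat in _LINK_PATTERNS:
        m = pat.search(url)
        if m:
            return m.group(1)
    return None


def _glob_to_regex(pattern: str, stop: str) -> re.Pattern:
    """Compile a Safe Doc style pattern: '*' matches any run of characters except `stop`
    ('@' for email patterns, '/' for OU paths); everything else is literal."""
    body = ("[^" + re.escape(stop) + "]*").join(re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)  # case-insensitive matching is an assumption


def _entry_kind(entry: str) -> str:
    """Classify a Blacklist/BlacklistExceptions entry (this classification rule is assumed)."""
    if entry.startswith("/"):
        return "ou"
    if "@" in entry:
        return "email"
    return "file"


def _matches(entry: str, file_id: Optional[str], owner_email: Optional[str], owner_ou: Optional[str]) -> bool:
    kind = _entry_kind(entry)
    if kind == "file":
        return file_id is not None and entry == file_id
    if kind == "email":
        return owner_email is not None and _glob_to_regex(entry, "@").match(owner_email) is not None
    return owner_ou is not None and _glob_to_regex(entry, "/").match(owner_ou) is not None


def is_blocked(policy: dict, link: str, owner_email: Optional[str] = None, owner_ou: Optional[str] = None) -> bool:
    """A link is blocked when any Blacklist entry matches and no BlacklistExceptions entry does."""
    value = policy["BlockDriveSharedLinks"]["Value"]
    file_id = file_id_from_link(link)
    if not any(_matches(e, file_id, owner_email, owner_ou) for e in value.get("Blacklist", [])):
        return False
    return not any(_matches(e, file_id, owner_email, owner_ou) for e in value.get("BlacklistExceptions", []))


def validate_policy(policy: dict) -> List[str]:
    """Sanity checks worth running before pushing the policy (checks are this example's, not Safe Doc's)."""
    value = policy["BlockDriveSharedLinks"]["Value"]
    blacklist = list(value.get("Blacklist", []))
    exceptions = list(value.get("BlacklistExceptions", []))
    problems = []
    if any(_entry_kind(e) == "ou" for e in blacklist + exceptions) and not value.get("DelegateAdminEmail"):
        problems.append("OU entries need DelegateAdminEmail (see Part 2 of the appendix)")
    for e in exceptions:
        if _entry_kind(e) == "file":
            problems.append(f"exception {e!r} is a file ID; exceptions are matched against owners, not files")
    for e in blacklist + exceptions:
        if _entry_kind(e) == "file" and not re.fullmatch(r"[A-Za-z0-9_-]+", e):
            problems.append(f"{e!r} is neither a file ID, an email pattern nor an OU path")
    return problems


# Constructed policy combining the article's three blocking modes (not a real deployment).
EXAMPLE_POLICY = {
    "BlockDriveSharedLinks": {
        "Value": {
            "Blacklist": [
                "1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A",
                "*@gmail.com",
                "/Students/Element School/Grade 4",
                "/Staff/*",
            ],
            "BlacklistExceptions": ["the.good.science.guy@gmail.com", "/Staff/Teachers"],
            "DelegateAdminEmail": "delegate.admin@your.school.domain.edu",
        }
    }
}

if __name__ == "__main__":
    link = "https://docs.google.com/document/d/1OjTLadGH3uxz-s1ODLZbFWi9HwKS3u9ycUJOzC3EI5A/edit?usp=sharing"
    print(validate_policy(EXAMPLE_POLICY))  # []
    print(is_blocked(EXAMPLE_POLICY, link, "principal@your.school.domain.edu", "/Staff/Admin"))  # True
    print(is_blocked(EXAMPLE_POLICY, "https://drive.google.com/file/d/OTHER/view",
                     "teacher@your.school.domain.edu", "/Staff/Teachers"))  # False
```

Note what the one-level wildcard implies: /Staff/* matches /Staff/Teachers but not /Staff/Teachers/Substitutes, so a deeper OU tree needs one entry per level you want covered. The validator also catches the most common misconfiguration, OU entries without a DelegateAdminEmail, which would leave Safe Doc unable to look up any owner's OU.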

Extra: Block File > Publish to the Web

Docs, Sheets, Slides and Drawings all have a File > Publish to the web menu item that makes a file accessible, and searchable, to anyone within the domain or on the open web. Although Drive sharing is not involved in a published document, it defeats our goal of stopping the spread of unwanted documents.

Publish to the web feature in docs, sheets, slides and drawings

Safe Doc can remove this capability by setting the following policy.

{
  "BlockWebPublish": {
    "Value": true
  }
}

Use Cases

Back to the scenarios at the beginning of the article. Let's see how to configure Safe Doc to address them.

  • Suppose Safe Doc is installed for students in the Grade 3 OU. Set the following policy to stop them from seeing files from the Grade 4 and Grade 5 OUs.
{
  "BlockDriveSharedLinks": {
    "Value": {
      "Blacklist": [
        "/Students/Element School/Grade 4",
        "/Students/Element School/Grade 5"
      ],
      "DelegateAdminEmail": "delegate.admin@your.school.domain.edu"
    }
  }
}
  • To stop sharing between students in the same OU (Grade 3), set the following policy
{
  "BlockDriveSharedLinks": {
    "Value": {
      "Blacklist": [
        "/Students/Element School/Grade 3"
      ],
      "DelegateAdminEmail": "delegate.admin@your.school.domain.edu"
    }
  }
}
  • To stop publicly shared pirated movies, set a policy as shown below. It blocks files from all external owners while keeping resources from your own school and trusted partner schools open.
{
  "BlockDriveSharedLinks": {
    "Value": {
      "Blacklist": [
        "*@*"
      ],
      "BlacklistExceptions": [
        "*@your.school.domain.edu",
        "*@trusted.school.domain.edu"
      ]
    }
  }
}

Appendix: Service Account Authority Delegation

Why set up Service Account Authority Delegation?

In order for Safe Doc to know who owns a shared file and which OU the owner belongs to, it needs OAuth2 permission to call the Google Drive API and the Admin SDK Directory API. To avoid any manual authorization on students' Chromebooks, Safe Doc uses a service account with domain-wide delegation to impersonate users in your school domain. This Google article gives the big picture: Perform G Suite Domain-Wide Delegation of Authority.

Steps to enable service account authority delegation

Part 1. Grant API access to Safe Doc

  1. Log into your admin console (admin.google.com)
  2. Go to Security > Advanced settings > Authentication > Management API client access
  3. In the Client Name field, enter 101884342214916550934
  4. In the One or More API Scopes field, enter the scopes for the feature you want:
    1. To block shared Drive files at the OU level, specify
      https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/drive.metadata.readonly
    2. To block shared Drive files by owner email only, specify https://www.googleapis.com/auth/drive.metadata.readonly
  5. Click the Authorize button. Both scopes are read-only: they let Safe Doc read file metadata and user directory entries, not modify files or users.

Part 2. Set up a limited-privilege admin account. Safe Doc impersonates this account to read the file owner's organizational unit. You must be signed in as a super administrator for this task.

  1. Log into your admin console (admin.google.com)
  2. Go to Admin roles.
  3. Click Create a new role.
  4. Enter a name (e.g. Delegate Admin) and a description (e.g. Delegate Admin for Safe Doc) for the role, then click Create.
  5. On the Privileges tab, check Users > Read. The dependent Organizational Units > Read privilege is selected automatically.
  6. Click Save.
  7. On the Admins tab, click Assign Admins.
  8. Type the email of the user to assign the role to. For security, use a new dedicated account with no other admin roles; this is the address that goes in DelegateAdminEmail.
  9. Click Confirm Assignment.

Final thoughts

Since sharing is a core concept of Google Drive, it's nearly impossible to completely stop students from getting a copy of a shared file. What Safe Doc does is make it considerably harder for students to reach distracting content. If you find glitches or have ideas, please leave a comment below or email support@xfanatical.com.