Google Workspace Updates: January 2025

Prevent the downloading, printing, or copying of files by all users with Enhanced IRM for Google Drive Data-Loss Prevention

Thursday, January 9, 2025

Historically, this feature has only been applicable to users with either the “viewer” or “commenter” role, which has left administrators unable to apply the setting to users with either “owner” or “editor” roles. To address this, we’re expanding IRM to be applicable to all users, including file editors and owners, when it is applied by a Data Loss Prevention (DLP) rule.

The new Enhanced IRM action, as seen in the DLP Rule creation flow.

Additional details

When an editor or owner is affected by IRM, they will retain the ability to copy and paste document content, but they may only do so within that document. Attempting to paste content outside of the document will not succeed. For more information, please refer to the help center content.

Getting started

Admins: DLP rules and CAA levels are applied per-file based on how these rules are configured.
End users: Only administrators can set IRM for all user roles on a file. File owners may still only set IRM for viewers and commenters. If a file has both an administrator-applied IRM setting and a file owner setting on it, the administrator setting takes priority. Once this feature is enabled, all entry points for downloading, printing, and copying will be removed from Google Drive, Docs, Sheets, and Slides on all platforms. Visit the Help Center to learn more about stopping, limiting, or changing how your files are shared.

A view of the file owner’s IRM setting when an overriding administrator setting is present.

Rollout pace

Rapid and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on January 9, 2025

Availability

IRM controls are available for all Google Workspace customers
Data Loss Prevention Rules and Context-Aware Access conditions are available for Google Workspace:

Enterprise Standard and Plus
Education Fundamentals, Standard, Plus, and the Teaching and Learning add-on
Frontline Standard
Enterprise Essentials and Enterprise Essentials Plus

Resources

What’s changing Google Drive’s Information Rights Management (IRM) capability protects documents from data exfiltration actions, specifically downloading, printing, and copying. This is useful for making sure that sensitive content is protected from data leakage.

Historically, this feature has only been applicable to users with either the “viewer” or “commenter” role, which has left administrators unable to apply the setting to users with either “owner” or “editor” roles. To address this, we’re expanding IRM to be applicable to all users, including file editors and owners, when it is applied by a Data Loss Prevention (DLP) rule.

The new Enhanced IRM action, as seen in the DLP Rule creation flow.

Additional details

Getting started

Admins: DLP rules and CAA levels are applied per-file based on how these rules are configured.
End users: Only administrators can set IRM for all user roles on a file. File owners may still only set IRM for viewers and commenters. If a file has both an administrator-applied IRM setting and a file owner setting on it, the administrator setting takes priority. Once this feature is enabled, all entry points for downloading, printing, and copying will be removed from Google Drive, Docs, Sheets, and Slides on all platforms. Visit the Help Center to learn more about stopping, limiting, or changing how your files are shared.

A view of the file owner’s IRM setting when an overriding administrator setting is present.

Rollout pace

Rapid and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on January 9, 2025

Availability

IRM controls are available for all Google Workspace customers
Data Loss Prevention Rules and Context-Aware Access conditions are available for Google Workspace:

Enterprise Standard and Plus
Education Fundamentals, Standard, Plus, and the Teaching and Learning add-on
Frontline Standard
Enterprise Essentials and Enterprise Essentials Plus

Resources

Google Meet provides additional privacy for livestreaming with new eCDN On-Premises API

Thursday, January 9, 2025

Earlier this year, we introduced Enterprise Content Delivery Network (eCDN) to enhance livestreaming in Google Meet. When configured by admins, eCDN has the potential to reduce bandwidth consumption to a fraction of the traffic volume through peer-assisted media delivery.

However, environments that have additional security requirements would not be able to benefit from the network traffic savings enabled by eCDN. That changes today with the introduction of the eCDN On-Premises API for Google Meet, which admins can use to configure their network for eCDN while keeping classified IP addresses and network information private. Specifically, IP addresses will be replaced with self-assigned peering group names and encrypted information for session description protocol (SDP) handshakes. This ensures that no IP information is shared with Google, so customers can take advantage of eCDN while adhering to their own security guidelines.

Admin console > Apps > Google Workspace > Google Meet > Meet video settings > eCDN

Rollout pace

Rapid Release and Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on January 9, 2025

Availability

Available for all Google Workspace customers

Resources

What’s changingEarlier this year, we introduced Enterprise Content Delivery Network (eCDN) to enhance livestreaming in Google Meet. When configured by admins, eCDN has the potential to reduce bandwidth consumption to a fraction of the traffic volume through peer-assisted media delivery.However, environments that have additional security requirements would not be able to benefit from the network traffic savings enabled by eCDN. That changes today with the introduction of the eCDN On-Premises API for Google Meet, which admins can use to configure their network for eCDN while keeping classified IP addresses and network information private. Specifically, IP addresses will be replaced with self-assigned peering group names and encrypted information for session description protocol (SDP) handshakes. This ensures that no IP information is shared with Google, so customers can take advantage of eCDN while adhering to their own security guidelines.

Admin console > Apps > Google Workspace > Google Meet > Meet video settings > eCDN

Who’s impactedAdminsWhy it’s importantThe eCDN On-Premises API can be used to deploy eCDN for Google Meet live streaming in a way that allows the eCDN tracker service to optimize peering topologies without access to internal network information such as IP addresses or subnets. A customer-supplied service uses the API to replace all IP address information with arbitrary text labels. The service also manages encryption of SDP offers/answers using encryption keys that are never made available to Google. Any decryption needed by client peers is performed completely inside the customer's own network. No network information is sent outside the organization's network, not even to Google. This ensures that bandwidth-optimized media delivery via eCDN can also be implemented in sensitive environments without compromising organizations’ internal security guidelines.Getting started

Admins: Visit the Help Center to learn more about configuring your network grouping using the API, as well as our developer documentation.

End users: There is no end user action required.

Rollout pace

Rapid Release and Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on January 9, 2025

Availability

Available for all Google Workspace customers

Resources

Google Workspace Admin Help: Host large live streams with less bandwidth using eCDN

Developer Documentation: Work with the Meet eCDN On-Premises API

Use Gemini to interact with PDFs in Google Drive’s overlay file previewer

Thursday, January 9, 2025

As a result, you can seamlessly switch between multiple files while leveraging AI capabilities using Gemini in Drive to do things like:

using Gemini to interact with PDFs in Google Drive’s overlay file previewer

Getting started

Admins: To access Gemini in the side panel of Workspace apps, users need to have smart features and personalization turned on. Admins can turn on default personalization setting for their users in the Admin console.
End users:

To access this feature, double-click on a PDF from the Google Drive file list and click on "Ask Gemini" (star button) in the top right corner.
Note: When Gemini initially launched in Workspace, PDFs viewed in Drive opened in a new browser tab to allow interaction with the Gemini side panel. With this update, the default behavior will open a file in the overlay file previewer. If you prefer for PDFs to open in a new tab by default, you can update your PDF opening default behavior in your Drive settings. If you previously set a preferred PDF opening default behavior in your Drive setting, your default open behavior will remain the same.
Visit the Help Center to learn more about using Gemini in Drive to work with PDFs.

Rollout pace

Rapid Release and Scheduled Release domains: Full rollout (1–3 days for feature visibility) starting on January 9, 2025

Availability

Available for Google Workspace customers with these add-ons:

Gemini Business
Gemini Enterprise
Gemini Education
Gemini Education Premium
Google One AI Premium

Resources

Google Help: Use Gemini in Drive to work with PDFs

What’s changingEarlier this year, we introduced the ability to use Gemini in Google Drive to interact with PDFs. To improve your viewing experience when reviewing PDFs from Drive, we’re excited to announce that Gemini in the side panel of Drive is now integrated into Drive's overlay file previewer.
As a result, you can seamlessly switch between multiple files while leveraging AI capabilities using Gemini in Drive to do things like:

Getting started

Admins: To access Gemini in the side panel of Workspace apps, users need to have smart features and personalization turned on. Admins can turn on default personalization setting for their users in the Admin console.
End users:

To access this feature, double-click on a PDF from the Google Drive file list and click on "Ask Gemini" (star button) in the top right corner.
Note: When Gemini initially launched in Workspace, PDFs viewed in Drive opened in a new browser tab to allow interaction with the Gemini side panel. With this update, the default behavior will open a file in the overlay file previewer. If you prefer for PDFs to open in a new tab by default, you can update your PDF opening default behavior in your Drive settings. If you previously set a preferred PDF opening default behavior in your Drive setting, your default open behavior will remain the same.
Visit the Help Center to learn more about using Gemini in Drive to work with PDFs.

Rollout pace

Rapid Release and Scheduled Release domains: Full rollout (1–3 days for feature visibility) starting on January 9, 2025

Availability Available for Google Workspace customers with these add-ons:

Gemini Business
Gemini Enterprise
Gemini Education
Gemini Education Premium
Google One AI Premium

Resources

Google Help: Use Gemini in Drive to work with PDFs

Granular OAuth consent in Google Apps Script IDE executions

Wednesday, January 8, 2025

This screenshot shows the current OAuth consent screen, which requires the user to authenticate all or none of the requested OAuth scopes.

This screenshot shows the old OAuth consent screen, which requires the user to authenticate all or none of the requested OAuth scopes.

Starting today, the OAuth consent screen will now let users specify which individual OAuth scopes they would like to authorize. For example, if a script requests access to a user’s Sheets and Forms files, and the users only intends to use the script with Sheets files, they can decide to only allow access to their spreadsheets and not their forms. This affords users the benefit of more granular control over what data their 3P applications are allowed to access.

This screenshot shows the new OAuth consent screen, which lets the user provide consent for a subset of the requested OAuth scopes.

Additional details

To complement the release of this new consent flow, we’re also adding methods to the ScriptApp and AuthorizationInfo classes that let Apps Script developers programmatically interact with the scopes granted for a script. Refer to the developer documentation for more information.

After a user grants permission to a script, Apps Script might request OAuth consent again in the following cases:

The user, who has granted consent to a subset of the requested OAuth scopes, tries to run a part of the script that was not previously authorized.
The script is updated in such a way that it requires permission for additional scopes.
The user revoked access to the script from their Google Account settings.

All past execution failures will be logged in the execution history. Each OAuth failure will contain a hyperlink that users can use to provide the permissions that were missing.

Getting Started

Admins: There is no admin control for this feature.
Developers and end users:

Granular OAuth consent is only available for scripts that have finished migrating to the V8 runtime. If you would like to utilize granular consent on one of the few remaining Rhino scripts, you can manually migrate to V8 by following these instructions.
This new consent screen will only be used for new OAuth scope grants. Pre-existing scope grants will not be affected, so no action is required by users on scripts they’ve already authorized.
The new consent screen will be launched first to the Apps Script IDE (i.e. executing a script directly from Apps Script). The consent screen will launch to the remaining surfaces in the future:

Google Ads Script
Macro executions
Trigger executions
Web app executions
API Executions
Chat apps
Add-ons

Rollout pace

Rapid Release and Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on January 8, 2025, with expected completion by January 24, 2025

Availability

Available to all Google Workspace customers and Workspace Individual Subscribers

Resources

What’s changingGoogle offers a wide variety of APIs that Google Apps Script developers can use to build features for Google users. The data access that these APIs can reference is governed by the OAuth scopes of each Workspace application, which users are required to authorize before a script can run. Historically, the OAuth consent screen has asked the user to authorize all of the necessary OAuth scopes to run a given script.

This screenshot shows the old OAuth consent screen, which requires the user to authenticate all or none of the requested OAuth scopes.

Starting today, the OAuth consent screen will now let users specify which individual OAuth scopes they would like to authorize. For example, if a script requests access to a user’s Sheets and Forms files, and the users only intends to use the script with Sheets files, they can decide to only allow access to their spreadsheets and not their forms. This affords users the benefit of more granular control over what data their 3P applications are allowed to access.

This screenshot shows the new OAuth consent screen, which lets the user provide consent for a subset of the requested OAuth scopes.

Additional detailsTo complement the release of this new consent flow, we’re also adding methods to the ScriptApp and AuthorizationInfo classes that let Apps Script developers programmatically interact with the scopes granted for a script. Refer to the developer documentation for more information.
After a user grants permission to a script, Apps Script might request OAuth consent again in the following cases:

The user, who has granted consent to a subset of the requested OAuth scopes, tries to run a part of the script that was not previously authorized.
The script is updated in such a way that it requires permission for additional scopes.
The user revoked access to the script from their Google Account settings.

All past execution failures will be logged in the execution history. Each OAuth failure will contain a hyperlink that users can use to provide the permissions that were missing.

Getting Started

Granular OAuth consent is only available for scripts that have finished migrating to the V8 runtime. If you would like to utilize granular consent on one of the few remaining Rhino scripts, you can manually migrate to V8 by following these instructions.
This new consent screen will only be used for new OAuth scope grants. Pre-existing scope grants will not be affected, so no action is required by users on scripts they’ve already authorized.
The new consent screen will be launched first to the Apps Script IDE (i.e. executing a script directly from Apps Script). The consent screen will launch to the remaining surfaces in the future:

Google Ads Script
Macro executions
Trigger executions
Web app executions
API Executions
Chat apps
Add-ons

Rollout pace

Rapid Release and Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on January 8, 2025, with expected completion by January 24, 2025

Availability

Available to all Google Workspace customers and Workspace Individual Subscribers

Resources

Developer Documentation: Migrating scripts to the V8 runtime

Developer Documentation: Class ScriptApp

Updates

Prevent the downloading, printing, or copying of files by all users with Enhanced IRM for Google Drive Data-Loss Prevention

Additional details

Getting started

Rollout pace

Availability

Resources

Google Meet provides additional privacy for livestreaming with new eCDN On-Premises API

Who’s impacted

Why it’s important

Getting started

Rollout pace

Availability

Resources

Use Gemini to interact with PDFs in Google Drive’s overlay file previewer

Getting started

Rollout pace

Availability

Resources

Granular OAuth consent in Google Apps Script IDE executions

Additional details

Getting Started

Rollout pace

Availability

Resources

Filter by product

Filter by date

Subscribe by feed

Subscribe by email

Localized Google Workspace Updates

Useful Links

Join the official community for Google Workspace administrators

Learn about more Google Workspace launches