Using premium or enterprise versions of Google Workspace for Business? Then you probably already know that Google Vault and Endpoint are included in your subscription, and that their job is to enhance data security from the inside out.

But as a Google administrator, you should know how Google Vault and Google Endpoint will factor into your work and impact other administrators at your organization.

To begin, let’s explore the role of endpoint management in your admin duties.


What is Google Endpoint?

Graphic showing a circle of icons that represent Google admin endpoint tasks, such as finding a device, configuring email, pushing server certificates, and more. BrainStorm, Inc (9/15/2021)

Most Google Workspace for Business plans include Google Endpoint, which means you can enroll and configure employee devices more seamlessly than you might otherwise.

If you’re an IT manager, you already have plenty of experience with endpoint security—most likely as a part of prior Microsoft 365 administration efforts.

Google Endpoint operates in a similar way, pushing email configurations and server certificates to users’ devices, enforcing passcodes, locating lost devices, and so forth. But reviewers tend to rate Google Endpoint higher than Microsoft Endpoint in terms of ease of integration, service, support, evaluation, and contracting.

Because of its simple approach, Google Endpoint offers a good reinforcement to your BYOD policy, which is important as hybrid work models become more popular.

Google’s version can also wipe accounts without installing any software on users’ Android or iOS devices. The software also offers endpoint management for Windows, Chrome OS, macOS, and Linux.

According to a Gartner review, Context-Aware Access is an especially attractive feature of Google Endpoint, since managers can more easily gain control and restrict access until users meet certain criteria.

In terms of other favorite features, the ability to disable IMAP/POP is a close second.

Admin tip:

Check out this overview to start managing your org’s devices with Google Endpoint.


What is Google Vault, and why is it important?

Icons illustrating the tasks a Google admin can perform in Google Vault, such as archiving files and data, creating legal holds, exporting and auditing reports, and so forth. Green, purple, red, yellow, and blue icons on a beige background. BrainStorm Inc. (9-15-2021)

As mentioned earlier, Google Vault is available in premium and enterprise versions of Google Workspace. 

During legal disputes or investigations, organizations may need to locate electronic versions of documents and data to make their case. Google Vault is designed to help organizations perform that eDiscovery and determine their data retention policies.

Essentially, Google Vault can help you retain and export your org’s data, from messages in Google Chat or Gmail to files in Google Drive, calls, text messages, and more.


First things first: Start with compliance and eDiscovery

If you haven’t performed eDiscovery before, you may feel intimidated by all the moving parts. Take a breath; you won’t be creating a data retention policy on your own.

To begin, follow these best practices to help educate yourself and other company stakeholders.

  • Get the right people in the room. From the get-go, involve policy makers and implementors from other departments, such as Legal, IT, Compliance, and Security. Keep the conversation going so everyone knows what your policies involve.
  • Explore Google Vault together. Do policy makers and admins understand the eDiscovery process in Google? Strategize how to protect and manage your sensitive, business-critical data. Choose your policies and governance details around Google Workspace tools. Most importantly, train other admins or colleagues who will collect and produce the data you need to retain.
  • Empower your end users. You can assume most users know what they’re doing (after all, Google Workspace is intuitive—right?) but if users aren’t up to speed, your data retention efforts can fall apart. Educate users at scale so they know how to leverage their Google applications, labels, and governance that are critical to their workflow.
  • Assess the results. Are end users following your compliance policies? To find out, set up annual assessments that show which users are identifying and implementing your best practices. If users miss the mark, provide additional training (BrainStorm makes this easy) and reassess to show success.
  • Save documentation. In case of an eventual audit, agency reporting, and/or litigation, preserve documentation of your training assessments alongside whatever other data you retain in Google Vault.

Admin tip:

Still clear as mud? Let BrainStorm’s change and adoption experts help get the ball rolling.

The basics: what to do in Google Vault

Once you and other stakeholders have created a solid data retention policy, you’ll use Google Vault to:

  • Archive files and data
  • Create legal holds
  • Search by user, file name/type, content, etc.
  • Export and audit reports
  • Suspend user accounts instead of deleting them (recommended)

Among other actions, in Vault you can set data retention rules, hold onto data from a specific unit or entire domain, and prevent data loss when employees move on from your organization.

Vault also makes it easy to track user activity and export information for further review. File types include Chrome, PST, MBox, CSV, XML, or PDF (for printouts and redactions).

Admin tip:

Google Vault is NOT a data backup tool. Instead, use it to determine which data you want to retain and for how long. You'll be notified automatically when it's time to expunge certain data.

If in doubt, always involve Legal and other key stakeholders in the finer points of your data retention policy.

How to sign into Google Vault and assign users

As with all things Google, the administrative end of Vault is fairly straightforward. To sign in, just navigate to and enter your employee credentials.

As an admin for Google Workspace, you can also turn Vault on or off for others in your organization.

  1. Place intended users and devices in the ‘top-level’ organizational unit within Vault.
  2. If you want to give access to different departments (Legal, HR, Finance, etc.), enter them as a child organizational unit below the top-level unit.
  3. Likewise, these child accounts may need separate organizational units for the apps they will access data for (Gmail, Google Drive, etc.).
  4. While not recommended, you can also give Vault access to everyone in your organization. If so, they will see the Vault icon in their list of Google Workspace apps.

Admin tip:

Learn more about assigning and controlling Vault privileges at Google support.

Leveraging the Google Vault API

With the Google Vault API, you can easily manage tasks in Vault, create/edit any saved queries, place or remove holds, start/download exports, and more.

Admin tip:

Use this API reference documentation page to learn more about the Vault API’s methods and resources.
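
As an added example (not BrainStorm's or Google's code), here is one way hold data from the Vault API can feed an audit: it checks that every custodian on a legal-hold roster is covered by an account-level hold in each required service. The roster, the `REQUIRED_CORPORA` policy and the sample holds are constructed assumptions; `fetch_holds` expects a `google-api-python-client` service object for the Vault API v1 and is not called on the sample data.

```python
# Added example: audit legal-hold coverage using Vault API v1 hold data.
REQUIRED_CORPORA = {"MAIL", "DRIVE"}  # assumption: policy requires both

SAMPLE_HOLDS = [  # constructed data, shaped like the Vault API Hold resource
    {"name": "case-mail", "corpus": "MAIL",
     "accounts": [{"email": "alice@example.com"}, {"email": "bob@example.com"}]},
    {"name": "case-drive", "corpus": "DRIVE",
     "accounts": [{"email": "alice@example.com"}]},
    {"name": "finance-ou", "corpus": "DRIVE",
     "orgUnit": {"orgUnitId": "PLACEHOLDER_ORG_UNIT_ID"}},
]

def fetch_holds(service, matter_id):
    """Page through matters.holds.list for one matter.

    `service` is a google-api-python-client object, e.g.
    googleapiclient.discovery.build("vault", "v1", credentials=creds).
    """
    holds, token = [], None
    while True:
        resp = service.matters().holds().list(
            matterId=matter_id, pageToken=token, view="FULL_HOLD").execute()
        holds.extend(resp.get("holds", []))
        token = resp.get("nextPageToken")
        if not token:
            return holds

def coverage_gaps(holds, custodians, required=REQUIRED_CORPORA):
    """Map each custodian to the required corpora with no account-level hold."""
    covered = {}
    for hold in holds:
        for acct in hold.get("accounts", []):
            email = acct.get("email", "").lower()
            if email:
                covered.setdefault(email, set()).add(hold.get("corpus"))
    gaps = {}
    for email in custodians:
        missing = set(required) - covered.get(email.lower(), set())
        if missing:
            gaps[email.lower()] = sorted(missing)
    return gaps

def org_unit_holds(holds):
    """Holds scoped to an org unit; membership must be resolved separately."""
    return [h["name"] for h in holds if "orgUnit" in h]

if __name__ == "__main__":
    roster = ["Alice@example.com", "bob@example.com", "carol@example.com"]
    print(coverage_gaps(SAMPLE_HOLDS, roster))
    print(org_unit_holds(SAMPLE_HOLDS))
```

Holds placed on an organizational unit are listed separately because the hold record alone does not say which users belong to that unit.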


What is the Google admin console?

Screenshot of the Google admin console, showing the various applications and tasks that can be performed. BrainStorm, Inc (9-15-2021)

As a Google Workspace admin, you’re probably already familiar with the admin console, which lets you control your organization’s profile, domains, support, migration, devices, users, and so on.

Go to to access the dashboard. To personalize your controls, click on “more controls” to add controls you use most (or hide ones that you don’t).

Common Google admin tasks include:

  • Adding or removing users and managing organizational hierarchies
  • Adding or removing groups, editing membership, roles, and permissions
  • Adding or assigning admin roles to others across the organization
  • Configuring settings for your domain’s Google Workspace apps
  • Tracking usage, security, and other activity within the reports section

A word about admin training

Earlier, we referenced the need to train end users on their Google Workspace apps, not just to boost overall adoption and see an ROI for your technology, but because the more savvy users are about their software, the more secure your organization will be.

On a practical level, you also need to ensure all potential admins are well versed in the Google Workspace admin tools mentioned above. How can you scale that learning?

BrainStorm has you covered. Let our change experts help you envision, plan, and scale your efforts across the IT team, legal/compliance teams, HR, L&D, and any other relevant departments that will have access to Google Workspace admin tools (and Vault, in particular).

To learn how to scale your training efforts, visit our Google Workspace solutions page.