Google-Workspace-Administrator Exam Dumps - Google Workspace Administrator Questions and Answers

To securely share data using Google Vault for an investigation:

Suspend the user's account to prevent further changes to their data.

Use Google Vault to search for all associated user data relevant to the investigation.

Export the data securely from Google Vault. These steps ensure that the data remains intact and secure throughout the investigation process.

References:

Google Workspace Admin Help - Export data from Google Vault

Google Workspace Admin Help - Manage user accounts

Organizational Units (OUs):

Create separate OUs for each company under the root OU.

This allows for customized settings and policies per company.

Visibility Settings:

Customize the directory visibility settings to ensure each company's users are only visible within their own directory.

Navigate to Directory Settings in the Admin console.

Set up visibility rules to apply to the specific OUs:

Go to Directory > Directory settings.

Click Visibility settings.

Select the OU for each company and customize the visibility settings accordingly.

References

Google Workspace Admin Help: Manage Directory Visibility

Google Workspace Admin Help: Set Up an Organizational Unit

Enable Context-Aware Access:

In the Google Admin console, go to Security > Context-Aware Access.

Enable the context-aware access feature.

Create Access Levels:

Define access levels based on geographic locations (Canada, Italy, and the United States).

Use IP address ranges or other location indicators to specify these regions.

Assign Access Levels:

Assign the created access levels to the Google Workspace services, specifically corporate Gmail and Drive.

Ensure that only users accessing from the specified regions can access these services.

Apply and Monitor:

Save and apply the settings.

Monitor access logs to ensure compliance and security.

References:

Google Workspace Admin Help: Set up context-aware access

Google Workspace Admin Help: Manage context-aware access levels

Change Enrollment Controls to Place Chrome device in user organization:

To ensure that newly enrolled Chrome devices are placed in the organizational unit (OU) of the device administrator rather than the top-level OU, you need to change the enrollment settings in Google Workspace.

In the Admin console, navigate to Devices > Chrome > Settings > Enrollment controls. Set the option to place Chrome devices in the user’s organization during enrollment. This aligns the devices with the correct OU based on the enrolling user's OU.

References:

Google Workspace Admin Help: Manage Chrome device enrollment

Google Workspace Admin Help: Enrollment settings

To prevent external, inbound messages from known senders from being incorrectly classified as spam, add the sender's domain to an allowlist in the Admin console.

Access Gmail Settings in Admin Console:

Go to the Google Admin console.

Navigate to Apps > Google Workspace > Gmail > Spam, Phishing, and Malware.

Add Approved Senders:

In the Spam settings, find the section for “Email whitelist” or “Approved senders”.

Click on “Configure” to add a new entry.

Specify the Sender’s Domain:

Enter the domain of the external sender that needs to be allowed.

Save the changes to update the whitelist.

Verify and Monitor:

Ensure that the settings are applied and monitor the spam filter to confirm that the known sender’s emails are no longer being flagged as spam.

By adding the sender’s domain to an allowlist, you instruct the spam filter to accept emails from this domain, reducing false positives.

References:

Prevent mail from being marked as spam

Approved sender list in Gmail

Access the Admin Console:

Log in to the Google Workspace Admin console at https://admin.google.com/ .

Configure Email Routing:

Navigate to "Apps" > "Google Workspace" > "Gmail" > "Default routing".

Set Up Split Delivery:

Create a new default routing rule.

Under "Add setting," click on "Routing."

In the "Add setting" box, under "Inbound," select "Configure" next to "Routing."

Under "Add setting," name your routing policy.

In the "Email messages to affect" section, specify the conditions for the rule (e.g., recipients in the new-company.com domain).

Route to On-Premises Server:

In the "Route" section, select "Modify message" > "Add more recipients."

Enter the on-premises email server information (e.g., SMTP relay server) to forward emails to the on-premises server.

Save the rule and ensure it is active.

Test the Configuration:

Send test emails to ensure that emails are correctly routed to the on-premises server as per the split delivery setup.

Monitor the email flow and make adjustments if necessary to ensure smooth operation during the peak season.

References

Google Workspace Admin Help: Set up routing for your domain or organization

Google Workspace Admin Help: Configure routing for mail in Google Workspace

To ensure that inbound messages from the third-party filtering product are not seen as a spam attack, you should list the IP addresses of the product as an Inbound Gateway. This configuration tells Gmail that the emails coming from these IP addresses are trusted and should not be flagged as spam due to the volume of mail being received.

References:

Google Workspace Admin Help - Configure an inbound mail gateway

Google Workspace Admin Help - Prevent email spoofing and spam using the Inbound Gateway setting

Access Admin Console: Log into your Google Workspace Admin Console.

Navigate to Reports: Go to the Reports section in the Admin Console.

Token Audit Log: Within the Reports, access the "Token Audit" log. This log provides details on OAuth tokens issued to applications by your users.

Review Applications: Review the list of applications that have been granted access to your Google Workspace data. This will include information about the scopes (types of data) that each application can access.

Compile List: Compile a list of all the applications from the token audit log. Include details about the data they have access to and the number of users using each application.

Export Data: You can export this data to a spreadsheet for further analysis and reporting to your chief compliance officer.

References

Google Support: Token audit log

Create Secondary Calendar: As the team manager, create a new calendar under your Google account specifically for tracking team vacations.

Access Settings: Go to the calendar settings and navigate to "Share with specific people".

Grant Access: Add your team members and give them "Make changes to events" access, allowing them to add their vacation times directly to the calendar.

Educate Team: Inform team members on how to use this calendar to add their vacation times and check others' schedules.

Monitor Usage: Regularly review the calendar to ensure it is being used correctly and effectively by all team members.

References:

Google Workspace Admin Help - Share a Calendar

Google Workspace Admin Help - Create a Team Calendar

2-Step Verification (2SV):

2-Step Verification adds an extra layer of security by requiring users to verify their identity using a second factor in addition to their password. This helps protect against unauthorized access, even if the password is compromised.

Google Authenticator:

Google Authenticator is a mobile app that generates time-based one-time passcodes (TOTP) for 2SV. It works even when the device is offline, providing a secure and reliable second factor for authentication.

Implementation Steps:

Enable 2-Step Verification:

Go to the Google Admin console (admin.google.com).

Navigate to Security > Authentication > 2-Step Verification.

Turn on 2-Step Verification for the organization.

Deploy Google Authenticator:

Instruct users to download the Google Authenticator app from their respective app stores (iOS or Android).

Provide guidance on setting up Google Authenticator with their Google Workspace accounts.

Users will scan a QR code provided during the setup process to link their account with the Authenticator app.

Advantages of Google Authenticator:

Security: It provides a highly secure method of 2-step verification as the codes are generated on the user's device and change every 30 seconds.

Ease of Use: It's easy to set up and use, with a straightforward user interface.

Offline Functionality: Codes can be generated even without internet access, ensuring consistent access to 2SV codes.

Why Other Options Are Less Suitable:

A. Enable additional security verification via email:

Email-based verification is less secure than app-based 2SV because email accounts can be more easily compromised.

C. Deploy browser or device certificates via Google Workspace:

While device certificates add security, they are typically used for device management and access control rather than for 2-step verification purposes.

D. Configure USB Yubikeys for all users:

USB Yubikeys are highly secure and suitable for 2SV, but they require physical distribution and management of hardware tokens, which can be logistically complex and costly. Given the context of disabled peripheral access, this option might contradict the policy of the Chief Information Security Officer.

References:

Google Workspace Admin Help: Set up 2-Step Verification

Google Workspace Security: 2-Step Verification