Prevent accidental data leaks on iOS devices

As an administrator, you can use data sharing settings to prevent users from potentially sharing Google Workspace data from their iOS device with people outside of your organization. These settings make it more difficult for users to move work data between corporate and personal accounts on the same iOS device. For example, you can prevent iOS users from copying text from a work email into a personal account and using an iOS share sheet (also known as an activity view), send work data to personal apps. 

Before you begin

  • You can prevent data sharing only from Google apps that support data protection. These apps are Gmail, Google Drive, Google Docs, Sheets, and Slides, Google Chat, and Google Meet. 
  • Some files might open in a non-Google Workspace app and not be covered by data protection.
  • The settings can’t stop all possible data leaks, such as copying from Apple Visual Look Up, taking screenshots, or using translation extensions. 

What are the settings?

You can turn on or off the following data sharing options: 

Allow copying and pasting of work data to personal accounts and apps

Allows users in their work accounts to copy content from a Google app that supports data protection to a Google app in their personal account or to a third-party app. Also allows users in any account to drag content between Google apps and to use the All inboxes feature (which combines messages from multiple Gmail accounts into one inbox).

Allow sending of work data to personal apps, including all non-Google Workspace apps on the iOS share sheet

Important: This setting does not apply to all documents and apps. For example, when you select this setting, it does not prevent users from sharing a .doc or .docx document to the Microsoft Word app, or a .xls or .xlsx document to the Microsoft Excel app.

Allows users in their work accounts to copy content from a Google app that supports data protection to some non-Google Workspace apps. To prevent users from using a share sheet to share files and data from their work account to non-Google Workspace apps, turn off this setting. 

If you turn this setting off and want to allow a specific non-Google Workspace app to receive work files and data, go to the app’s settings and select Allow this app to receive work data from the iOS share sheet. For details, go to Edit app settings.

Allow sharing of work data to personal accounts or to iOS Mail on the iOS share sheet

Allows users in their work accounts to share content in a Google app that supports data protection to a Google app in their personal account or to Apple Mail. To prevent users from using a share sheet to share files and data from their work account to a personal account or to Apple Mail, turn off this setting.

This setting applies only to data shared from Google Workspace apps. To prevent sharing with third-party apps:

  • Add work apps to your app list and make them managed. For details, go to Add a third-party app.
  • Require that work files, attachments, and links open only in managed apps with managed accounts. For details, go to Open docs in unmanaged apps.

Allow sharing of work data with AirDrop on the iOS share sheet

Allows users in their work accounts to share content from a Google app that supports data protection to Apple AirDrop using a share sheet. To prevent users from sharing Google Workspace items to AirDrop with a share sheet, turn off this setting.

Allow printing of work files

Allows users in their work accounts to print content in a Google app that supports data protection. To prevent users from printing Google Workspace files, turn off this setting.

Allow saving of work data to Files with iOS share sheet

Allows users in their work accounts to save content from a Google app that supports data protection to their device’s Files folder using a share sheet. To prevent users from saving content from their work account with the Save to Files option in a share sheet, turn off this setting.

Allow saving of work images and videos to iOS photos

Allows users in their work accounts to save Google Workspace images and videos to iOS photos. To prevent users from saving images or videos from their work account in Google apps, turn off this setting.

Allow assigning items to Contacts with iOS share sheet

Allows users in their work accounts to assign items from a Google app that supports data protection to Contacts using a share sheet. To prevent users from using the Assign to Contacts option in a share sheet from their work account, turn off this setting.

Turn settings on or off

Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenMobile & endpointsand thenSettingsand theniOS.
  3. Click Data sharingand thenData actions.
  4. (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
  5. Choose an option: 
    • To prevent users from potentially sharing Google Workspace data externally, select Don't allow users to take actions that could share Google Workspace data externally.
    • To allow users to take some data sharing actions, select Allow users to take selected actions on iOS devices and choose your settings.
  6. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit

Changes can take up to 24 hours but typically happen more quickly. Learn more

Protect data with a managed configuration

When advanced mobile management for iOS devices is on, you can further protect your organization’s data by using a managed configuration. The following managed configuration prevents data sharing from unknown sources (typically non-Google Workspace apps) to users in a personal account or a corporate account with a different customer ID in a Google app (such as Gmail, Drive, Docs, Sheets, Slides, Chat, and Meet). To learn how to set up the managed configuration, go to Set up iOS apps with managed configurations.

<dict>
  <key>GoogleWorkspaceDataSharingActions</key>
  <dict>
        <key>RestrictSharingFromUnknownSourceOnlyToCustomer</key>
    <string>{customer_id}</string>
  </dict>
</dict>

Notes:

  • You can use this managed configuration with any mobile management provider that supports Managed App Configuration (AppConfig). Follow the mobile management provider's instructions to apply the managed configuration for Google Workspace apps using your Google Workspace customer ID.
  • The customer_id is a unique customer ID that’s assigned to your account. You can find it in your Google Admin console at Accountand thenAccount settingsand thenProfile.
  • To ensure that data sharing restrictions are enforced consistently, apply the managed configuration to all Google apps used by your organization.
  • For the managed configuration to work, the app must be a managed app and users must install it from the Google Device Policy app. For details, go to Edit app settings.
  • To prevent users from opening work files and links in unmanaged apps, go to Open docs in unmanaged apps.
  • If you want to allow data sharing from unknown sources only for some users, uncheck the Allow sending of work data to personal apps, including all non-Google Workspace apps on the iOS share sheet box or select Don't allow users to take actions that could share Google Workspace data externally on iOS devices for those users.

Related topics

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
2627803424937103909
true
Search Help Center
true
true
true
true
true
73010
false
false