As an administrator, you can use data sharing settings to prevent users from potentially sharing Google Workspace data from their iOS device with people outside of your organization. These settings make it more difficult for users to move work data between corporate and personal accounts on the same iOS device. For example, you can prevent iOS users from copying text from a work email into a personal account and using an iOS share sheet (also known as an activity view) to send work data to personal apps.
Before you begin
- You can prevent data sharing only from Google apps that support data protection. These apps are Gmail, Google Drive, Google Docs, Sheets, and Slides, Google Chat, and Google Meet.
- Some files might open in a non-Google Workspace app and not be covered by data protection.
- The settings can’t stop all possible data leaks, such as copying from Apple Visual Look Up, taking screenshots, or using translation extensions.
What are the settings?
You can turn on or off the following data sharing options:
Turn settings on or off
Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.
-
Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
-
Go to Menu
Devices > Mobile & endpoints > Settings > iOS.
Requires having the Services and devices administrator privilege.
- Click Data sharing
Data actions.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
- Choose an option:
- To prevent users from potentially sharing Google Workspace data externally, select Don't allow users to take actions that could share Google Workspace data externally.
- To allow users to take some data sharing actions, select Allow users to take selected actions on iOS devices and choose your settings.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit.
Changes can take up to 24 hours but typically happen more quickly. Learn more
Protect data with a managed configuration
When advanced mobile management for iOS devices is on, you can further protect your organization’s data by using a managed configuration. The following managed configuration prevents data sharing from unknown sources (typically non-Google Workspace apps) to users in a personal account or a corporate account with a different customer ID in a Google app (such as Gmail, Drive, Docs, Sheets, Slides, Chat, and Meet). To learn how to set up the managed configuration, go to Set up iOS apps with managed configurations.
<dict>
<key>GoogleWorkspaceDataSharingActionsRestrictSharingFromUnknownSourceOnlyToCustomer</key>
<string>${customer_id}</string>
</dict>
Notes:
- You can use this managed configuration with any mobile management provider that supports Managed App Configuration (AppConfig). Follow the mobile management provider's instructions to apply the managed configuration for Google Workspace apps using your Google Workspace customer ID.
- The
customer_idis a unique customer ID that’s assigned to your account. You can find it in your Google Admin console at Account - To ensure that data sharing restrictions are enforced consistently, apply the managed configuration to all Google apps used by your organization.
- For the managed configuration to work, the app must be a managed app and users must install it from the Google Device Policy app. For details, go to Edit app settings.
- To prevent users from opening work files and links in unmanaged apps, go to Open docs in unmanaged apps.
- If you want to allow data sharing from unknown sources only for some users, uncheck the Allow sending of work data to personal apps, including all non-Google Workspace apps on the iOS share sheet box or select Don't allow users to take actions that could share Google Workspace data externally on iOS devices for those users.
