We are updating the administrative privileges setting for Windows device management to give administrators more control over how local administrative access is handled on Windows 10 and Windows 11 devices, managed by Google Endpoint Management.

This update simplifies settings and provides greater flexibility for organizations that need to preserve local admin access while managing specific users via Google Workspace. Previously, managing local administrative access used a "Replace" behavior, which removed any existing members from the local administrators group before adding the newly requested ones.

Getting started

Rollout pace

Availability

Resources

Today, we’re releasing new adoption and usage metrics to our Gemini reports in the Admin console. These new reports offer administrators comprehensive visibility into AI feature usage and thresholds to help them better manage their Workspace subscription and Gemini adoption. This includes usage data by features, apps, and active users.

With these new metrics, administrators can better understand how users are engaging with Gemini features across Workspace apps. Admins can use this information to make decisions on AI enablement, adoption, and productivity for their organizations. This data also offers insight into when they may need to adjust their Workspace subscriptions and plan for potential upgrades when users have reached their maximum AI usage thresholds.

Gemini usage report in the Admin console that shows per-feature data on active users and users at the limit

User-level Gemini usage report in the Admin console that shows data across apps and overall activity

Getting started

Rollout pace

Availability

Resources

Google Meet Speech Translation allows translation in near-real time, bridging language barriers across users and organizations. The feature is currently available in alpha but will launch to general availability on January 27, 2026.

Starting today, admins will see a setting to control this feature in the Admin console under Meet service settings > Gemini settings. It will be ON by default and can be disabled at the OU level.

A few important things to note:

Speech translation admin setting

Note that these admin settings do not affect users participating in the current alpha program.

Rollout pace

Admin setting

End user feature

Availability

Resources

To support more granular incident investigations, we’re expanding the Workspace audit logging datasets available on the Admin SDK (Reports API) to include these additional datasets:

 What’s changing

Single-sign on with custom OpenID Connect profiles is now generally available. With this capability, admins have the option to set up a custom OpenID Connect (OIDC) profile for single sign-on (SSO) with Google as their service provider. 

OIDC is a modern authentication layer built on top of the OAuth 2.0 protocol and verifies a user's identity without exposing their password to the applications they are accessing. OIDC enables secure, seamless authentication across various platforms, including web, mobile, and cloud environments. With this update, admins have more secure options to configure SSO for their organizations. Previously, only OIDC with pre-configured Microsoft Entra ID profile was supported in addition to SAML.

What’s changing 

Access Transparency, Access Management, and Access Approvals now cover Gemini App data. These features provide admins full transparency into when Gemini App data is viewed for support purposes, control over which Google support staff can view this data, and control over when this data can be viewed by Google for support purposes. 

The addition of Gemini App data to Access Transparency, Access Management, and Access Approvals expands on Google’s data commitments on customer data ownership, security, and privacy. 

These controls have been extended to cover Gemini App data in addition to Gmail, Calendar, Drive, Docs, Sheets, Slides, Drawings, Sites, Chat, meet, and Gemini in Workspace data. 

Getting started 

Rollout pace 

Availability 

Resources 

What's changing 

In order to improve the experience of admins managing Google Meet’s Enterprise Content Delivery Network (Meet eCDN) rules, we’re updating how the “Custom Rules” peering policy works in some cases, and how assigned networks are surfaced in the MQT eCDN network table. Understanding these changes will allow customers to make full use of those improvements. 

Overlapping IP ranges 

Please note you will only see this change if you have defined overlapping IP ranges. For example, if you have defined a large range that’s allowed but including some smaller ranges that should be blocked within it. If you have non-overlapping ranges only, you won’t be affected by this change. 

Viewers with the “custom rules” peering policy will be matched against a list of IP ranges and their respective peering configuration (allowed or blocked). This is done by checking all listed ranges in order from top to bottom. Previously, any blocking match would supersede an allowing match, even if the allowing match came first. We’re removing the priority for blocking changes to simplify how matches are determined. 

Example for a viewer with private IP address 10.0.0.30: 

Scenario 1:

Before:

After:

Multiple private IP addresses are now supported 

Please note that the following change will only materialize if your viewers’ devices have multiple private IP addresses configured on their network interfaces (typically one IPv4 and one IPv6 address). 

Previously, eCDN clients would detect their private IP address and always prioritize IPv4 over IPv6. Also, only a single IP address could be detected and sent for matching against custom rules. We’re changing this so that all private IPs configured on the device’s interfaces will be used for matching. To ensure top-to-bottom evaluation, the first rule matching any detected private IP addresses will be used. 

Renaming Random peering policy 

The policy previously called Random peering policy is now called Testing peering policy. This policy is primarily intended for test purposes and is not designed to provide full performance in production. 

Meet Quality Tool improvements 

Viewers with the Testing peering policy will now be represented in the Meet Quality Tool eCDN table. Previously this table would only show viewers per configured network if the Custom Rules peering policy was used. 

Rollout pace: 

Resources: 

What’s changing 

To support more granular incident investigations and to expand access to this critical security data, we’ve made a few changes to the Gmail Audit Logs. 

1. Addition of the Gmail log events to the audit and investigation tool 

Gmail log events, previously only available to customers with access to the Security investigation tool (Security > Security center > Investigation tool), will now also be available to customers with access to the audit and investigation tool (Reporting > Audit and investigation) when Gmail is enabled as an application. This is change is now available. 

2. Addition of the Gmail log events to the AdminSDK Reports API 

3. Gemini Data Access Logging for Gmail log events 

Addressing customer feedback for more granularity in reporting on how Gemini accesses data, a “message content accessed” log event will now be triggered when the Gemini app or Gemini for Workspace apps access Gmail messages on behalf of a user. Those events will have a client type of “API” and an actor application name of “Gemini or Gemini for Workspace”. These events will become available to customers gradually over the next few weeks. 

Who’s impacted 

Admins 

Why it matters 

Granular audit logs are critical to helping organizations investigate cybersecurity incidents and understand their data usage. The changes announced today expand access to this critical data and expand the depth of analysis that can be performed. 

Rollout pace 

Getting started 

Availability 

What’s changing 

To simplify the admin experience for creating rules and monitoring alerts, we are combining reporting rules with activity rules: 

Google Workspace Enterprise Plus, Enterprise Essentials Plus, Education Plus, Cloud Identity Premium, Chrome Enterprise Premium and Enterprise Standard customers will retain all the functionality of the activity rules experience and can now also create rules without thresholds. Thresholds are applied cumulatively across user actions, not on a per-activity basis. 

New threshold mode, which triggers rule every time the event occurs 

For Google Workspace Business Starter, Business Standard, Business Plus, Education Fundamentals, Education Standard, and Enterprise Essentials customers, all existing reporting rules will automatically be converted to activity rules. Admins gain the ability to configure notification frequencies and access more descriptive alerts. However, applying thresholds and actions to rules are not available for these Workspace editions. 

Admins will now be able to set notification frequency to limit the number of alerts or emails they receive 

Who’s impacted 

Admins 

Why it matters 

Reporting rules inform admins what happened, while activity rules help admins control what happens. By combining reporting rules with activity rules, admins receive the benefits of a more streamlined workflow with additional ways to work with rules and gain insights from more detailed reporting. 

Additional details 

Additionally, “Reporting rules” will be shown as “Activity rules” in various locations within the Admin console, including the “Add rules” user interface at Security > Investigation tool > Create activity rule. 

Getting started 

Admins: 

End users: 

Rollout pace 

Availability 

Available for Google Workspace: 

Resources 

What’s changing 

Admins with an AppSheet Enterprise Plus can now ask Gemini to generate a summary of an app owned by their organization. The will enable admins to more quickly understand the purpose and capabilities of any AppSheet app. 

Many AppSheet customers have hundreds if not thousands of apps. This makes it difficult for admins to understand the utility or purpose of those apps. With this launch, admins can quickly grasp what each app does without manual investigation, saving valuable time and improving governance oversight. 

Getting started 

Rollout pace 

Availability 

Resources 

What’s changing 

To improve security and clarity, the Manage Google Meet hardware and calendars privilege will no longer grant broad access to all calendars in your organization. 

Who’s impacted 

Why it’s important 

This update lets you grant calendar access independently of Google Meet hardware privileges. It ensures that administrators who only manage Meet hardware can no longer access sensitive calendar data across the organization, minimizing security risks. 

Getting started 

Rollout pace 

Availability 

Resources 

What’s changing 

Google Drive Inventory reporting now supports scheduling a daily export of your Drive data assets to BigQuery, in addition to the existing weekly cadence. Compared to APIs, exporting inventory reports to BigQuery empowers administrators to understand their data more deeply, providing insights into how their data is classified, accessed, and used. Understanding these metrics can help admins to identify security risks, ensure compliance with regulatory requirements, and more. 

Getting started 

Rollout pace 

Availability 

Resources 

What’s changing 

Admins can now apply Context-Aware Access (CAA) policies to apps which use OpenID Connect (OIDC), which are a subset of OAuth apps that are authenticated using Google sign-in. Admins can use a single setting to apply CAA policies to all OIDC apps by default. We are not providing per app access control for individual apps at this moment. The new OIDC setting can also be applied in monitor mode for admins to gauge potential end user impact before applying in active mode. 

CAA creates granular access control security policies for apps based on attributes, such as user identity, location, device security status, and IP address, and they can be applied to users on personal and managed devices. Expanding CAA to encompass OIDC apps means admins can ensure their users are able to access or are blocked from accessing these apps according to the broader security parameters of their organizations. 

Admins can configure CAA policies for OIDC apps in the Admin console under Security > Context-Aware Access > General settings 

Getting started 

Rollout pace 

Availability 

Available for Google Workspace: 

Resources 

What’s changing 

We’re introducing a new approval workflow option for enterprise users to request access to third-party apps that have not been explicitly configured via App Access Control (AAC) by an admin. This only applies to apps which have not been configured. If a user is able to access an app today based on the policies configured by their admin, then there will be no change and they will continue to be able to access the app. 

When end users attempt to access unconfigured third-party apps and get blocked, they will see an error screen with an option to raise a review request to admins. After the user submits a request, admins will be able to review the end user requests in app access control and make a decision. 

This feature gives enterprise users a clear process for requesting access to apps they need, reducing the likelihood of them being completely blocked and improving their productivity. For admins, it provides a centralized and efficient way to manage and configure access for new applications within their organization, while maintaining control over data security. 

An example of the dialog that the end user will see when access is blocked, with an opportunity to request access 

The dialog an end user will see if they choose to request access 

The interface in the Admin console where admins can see and process access requests from users 

The interface admins can use to configure access by OU 

Who’s impacted 

Admins and end users 

Getting started 

Rollout pace 

Resources 

What's Changing

We’re adding an additional data field for Google Meet log events: encryption_type, which will indicate whether standard cloud encryption or client-side encryption was used for a call endpoint. This information can also be called using the Admin Reports SDK API under the values: cloud_encryption and cse_encryption.

Example of a meeting without client-side encryption and a meeting with standard encryption. The encryption type will be captured in Meet log events going forward.

Rollout Pace:

Availability:

What’s changing 

We’re introducing several changes to make the act of training custom AI models for data classification in Google Drive more efficient:

• Refreshed UI: We’ve redesigned the AI classification experience from the ground up with a new onboarding flow and model details page.  With the redesigned UI, Workspace Administrators will now see richer insights into the status of model training, metrics on their training data, model recall scores, and a history of their model versions. 

Who’s impacted 

• Admins

Why it matters 

• Powered by privacy-preserving AI models that can be uniquely trained on specific customer needs, AI classification automatically identifies, classifies, and labels files in Google Drive. This helps organizations standardize data classification and achieve labeling consistency at scale. Labels can then be used to trigger rules on files that can and cannot be shared through data loss prevention (DLP) controls, lifecycle management policies, as well as audit and reporting use cases. These latest enhancements give admins the flexibility to train models when they need to and for the specific and dynamic needs of their organization.

Getting started 

Rollout pace 

Availability 

Resources 

What’s changing

Earlier this year, we announced an open beta for migrating files from Microsoft SharePoint Online to Google Drive in the New Data Migration service. Beginning today, this functionality is now generally available.

Admins can use the New Data Migration service to migrate data from SharePoint Online sites, including document libraries, folders, files and associated permissions, helping organizations transition to Google Workspace quickly and easily.

Additionally, you’ll notice a new, streamlined  interface designed to simplify your migration experience.

Example of a running Microsoft SharePoint Online migration

What’s changing

Gemini Audit logs are now accessible through the Reporting API (Admin SDK). This allows admins to track user activity and interactions with Gemini in the Gemini app and Workspace apps, including: 

Who’s impacted 

Admins 

Why you’d use it

Admins can use the Reports API to analyze how their users are engaging with Gemini at scale. These valuable insights can help organizations get the most out of Gemini. Specifically: 

Getting started 

Rollout pace 

Availability 

Resources 

What’s changing 

First, the “HANGOUTS DEVICE SETTING” event category is going away and will be replaced with a new event type: “GOOGLE MEET HARDWARE”. This does not apply for “Chromebox for meetings Device Setting Change”, which will move to “APPLICATION SETTING” in a follow-up launch. 

You can also view additional fields related to these new events, including:

Note that some fields are not visible in the log viewer by default; you can add additional fields using the “Manage columns” button.

In the coming weeks, you will be able to create, change, and delete application settings under “Application Settings”. All changes to settings found in the Admin console under Devices > Google Meet hardware > Settings will be audited here. We will share more details in the coming weeks.

Additional details 

In the coming months, we are removing all events under the “HANGOUTS DEVICE SETTINGS” event type since the product name is obsolete, and the new events will include this information and even more data. Prior to their removal, you’ll still be able to filter for these events, however new activity will be only captured under the new “GOOGLE MEET HARDWARE” events.

This table has more details:

 Getting started 

Rollout pace 

Important note: The new log events will be available in the user interface via the Event filter drop-down under “Google Meet Hardware” beginning July 7, 2025, however data will remain under the old log events (“Hangouts Device Settings”).Data will become available under the new log events starting July 21, 2025. You can use the time in between to update any scripts or rules to align with the new log events. 

Availability 

Resources