What is GAT Shield? #
GAT Shield is one of GAT Labs’ family of tools — It’s an audit, reporting and security Chrome Extension for your Google Workspace environment.
GAT Shield helps admins protect their Google Workspace users by monitoring all activity and providing real-time DLP on ALL sites.
GAT Shield consists of two parts: the Shield Reporter Web Application and the Shield Chrome Extension (clients).
When the extension is installed, it watches in real-time, receives instructions from the reporter, and sends data and alerts back to the reporter in milliseconds.
**Availability: GAT Shield can be enabled for trial. It’s part of the Vigilant plan for Education, and Secure plan for Enterprise.
**Prerequisite: GAT Shield requires GAT+ to be installed on the domain. Once the trial is enabled, you’ll need to configure the product.
(See our resource How to deploy and configure GAT Shield on Your Domain for more information)
Non-Google Admin User #
GAT Shield can be delegated to non-admin users, allowing them to run audits, analyses, or reports for any given scope such as user, group, or Organization Unit (OU).
(See our resource GAT Shield: Delegated Auditors Functionality for more information)
How does GAT Shield work? #
User interfaces #
GAT works by pushing either an open or closed UI extension to the domain’s chrome browser.
The open user interface extension allows the Chrome user to see their own activity information while using the Chrome browser.
The closed user interface will display a grey GAT Shield icon that the end-user can’t access.
GAT Shield Dashboard Overview #
Once launched, the tool will display a dashboard with a section for navigation on the left side panel.
*Note: Filters are a powerful feature developed throughout the dashboard to help users find the right data for every use case faster.
The Shield panel presents:
Name of User #
Name of User > Name of the user logged into GAT Shield.
Audit Dashboard #
A view summarising shield activity for users and alerts:
1. Browsing #
a. Data explorer > A charted view of User activity denoting: Site name, Site URL, Time on site, Started, Finished, Tags, User.
Clicking on the eye icon next to each row will present more info: User, User Org. unit, Device Browser, Device OS, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Device location, Total device estimated uptime, Shield UUID, Shield CRX ver, Shield CRX edition, Shield CRX last sync., Quick help.
Browsing Filter; Users can define a filter to find what they need for the task at hand. This will then display the filtered search in the Data Explorer.
Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.
Filter sets can be imported & exported. Filter results can also be exported.
b. User/Chrome device Activity > Overall browsing activity charted and selectable by Date & Scope, denoting: time spent on each corresponding site. Charts can be grouped by Site or Tags.
c. User Summary > Charted view selectable by Time Range, Scope, denoting: Total User Time On Sites, Top Users, Top Sites Browsed By Users, and Top Tags Browsed By Users.
A PDF report can be generated and scheduled to automatically update the recipient with the above data.
d. Chrome Device Summary > Charted view for Chrome devices selectable by Time Range, Scope, denoting: Total Devices Time Spent on Site, Top Devices, Top Users on Devices, Top Sites Browsed on Devices, and Top Tags Browsed on Devices.
A PDF report can be generated and scheduled to automatically update the recipient with the above data.
e. Behaviour Flow > The Behaviour Flow shows how users move through the selected site. This allows admins to view the users’ Browsing behavior through a specific website.
This flow should be read from left to right: The leftmost node of the flow network shows sites where users start their interaction with the site.
The path through links shows the user’s site browsing activity until they decided to move to another website.
f. Cookies > Cookies analysis denoted by: Domain, Count, Names, User Clicking.
Clicking on the eye icon next to each row will present more info: Path, Host-Only, Secure, HTTP only, Session, Expiring.
Browsing Filters; Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Cookies analysis.
Using this filter users can define for their search: Cookie name, Cookie domain, Domain, User.
Filter sets can be imported & exported. Filter results can also be exported.
2. Downloads #
Downloads explorer > Analysis of all the ‘download activity happening on the domain, denoted by: URL, MIME, Local File, Local Path, Size, Started, Finished, User.
Clicking on the eye icon next to each row will present more info: User, User Org. unit, Device Browser, Device OS, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Device location, Total device estimated uptime, Shield UUID, Shield CRX ver, Shield CRX edition, Shield CRX last sync, Quick help.
Downloads Filters; Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Downloads explorer.
Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.
Filter sets can be imported & exported. Filter results can also be exported.
3. Extensions #
Extensions Explorer > An Audit of chrome extensions, denoted by: Name, Version, Permissions, Permissions Score, Enabled, Installed, Removed, User.
Clicking on the eye icon next to each row will present more info: ID, Name, Version, Enabled, User can disable, Permission score, Type, Install type, Origin, User, User Org. unit, Quick help.
Extensions Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Extensions explorer.
Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.
Filter sets can be imported & exported. Filter results can also be exported.
4. Searches #
Searches Explorer > An Audit of user searches, denoting: Query, Engine, Date, User.
Clicking on the eye icon next to each row will present more info: User, User Org. unit, Device Browser, Device OS, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Device location, Total device estimated uptime, Shield UUID, Shield CRX ver, Shield CRX edition, Shield CRX last sync, Quick help.
Searches Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Searches explorer.
Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.
Filter sets can be imported & exported. Filter results can also be exported.
5. Chats #
Chats Explorer > An Audit of Gmail Chat, denoting: Participants, Duration, Started, Finished, User.
Clicking on the eye icon next to each row will present more info: User, User Org.unit, Device Browser, Device OS, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Device location, Total device estimated uptime, Shield UUID, Shield CRX ver, Shield CRX edition, Shield CRX last sync, Quick help.
Chats Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Chats explorer.
Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.
Filter sets can be imported & exported. Filter results can also be exported.
6. User/Device Geo Reporting #
a. User/Device Explorer > An Audit of User devices, denoting the Geo-location of users on a real-world map.
I. View by UUID, denoting: Device serial no., Device Org unit, Device OS, Device Pub. IPv4, Device private IPv4, Device city, Device Country, User, Shield UUID, Shield CRX ver., Shield CRX last sync.
Clicking on the eye icon next to each row will present more info: Device Browser, Device OS, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Total device estimated uptime, Device location, Device coordinates, Device coordinates accuracy, CPU Model, CPU Usage by core, Total memory, Memory usage, User Org. unit, Other user accounts, Shield UUID, Shield CRX ver, edition, last sync, Quick help.
Instance Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the User/Device Geo reporting.
Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.
Filter sets can be imported & exported. Filter results can also be exported.
7. Shield Alerts #
This section of the panel presents the triggered Alerts defined by the Admin/User in the Alert Rules Configuration.
Alerts Explorer
Alerts are presented in rows denoting columns showing: Rule Name, Rule Type, Page, Trigger, Sent, User, Status.
Next to each row, you’ll find three icons:
I. Eye icon: Presents more info on Context, User Org. unit, Device Browser, Device OS, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Device location, Total device estimated uptime, Shield UUID, Shield CRX ver, Shield CRX edition, Shield CRX last sync, Quick help.
II. Acknowledge icon: Mark Alert as acknowledged.
III. Show/Edit Rule icon: Quick edit triggered rule specifications and actions.
Alerts Filters; Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Alerts Explorer.
Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.
Filter sets can be imported & exported. Filter results can also be exported.
8. Site Access Events #
This section of the panel presents the triggered ‘Site Access Events’ defined in the ‘Site Access Control Configuration’.
Site Access Events Explorer > Events are presented in rows denoted by columns showing: Site URL, Site Access Category, Site Access Action, Date, User.
Clicking on the eye icon next to each row will present more info: User Org. unit, Device Browser, Device OS, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Device location, Total device estimated uptime, Shield UUID, Shield CRX ver, Shield CRX edition, Shield CRX last sync, Quick help.
Site Access Events Filters; Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Site Access Events Explorer.
Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.
Filter sets can be imported & exported. Filter results can also be exported.
9. Login Control Events #
Login Control Events section presents the triggered ‘Login Control Events’ defined in the ‘Login Control’ section.
The result of all the activities of users reported via Login Control can now be seen by Admins in the Login Control Events tab.
Login Control Events Explorer > Events are presented in rows denoted by columns showing: User, Created, Reason, Logout mode, Logout Session URLs, Org. Unit, User groups.
I. Eye icon: Presents more info on: Domain, Student Courses, Agent ID, User org. unit, Device Browser, Device OS, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Device location, Total device estimated uptime, Shield UUID, Shield CRX ver, Shield CRX edition, Shield CRX last sync.
10. User Activity #
Redirects to User Chrome Device Activity tab.
11. YouTube #
This section of the panel denotes the Audit of user YouTube activity.
YouTube Explorer > The user’s YouTube activity denoting: Thumbnail, Title, User, URL, Time on Site, Started, Finished.
Clicking on the eye icon next to each row will stream the video.
YouTube Filters: Users define a filter to fetch what they need for the task at hand. This will then display the filtered search in the YouTube Explorer.
Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.
Filter sets can be imported & exported. Filter results can also be exported
Configuration Dashboard #
A view where an Admin/User can set up and specify GAT Shield behavior, customizing policies to their unique use case.
1. General and CIPA #
a. General > An Admin/User is able to configure: Default domain, User-agent, User-agent overwrite, Date format, Records per table page, Time zone, Import export date format.
b. CIPA Compliance > Configuring Children’s internet protection act. Denoted by, Enable CIPA compliant features, Scope
(Learn more about becoming CIPA compliant in Google Workspace for Education with GAT Shield here)
c. Webhooks > An Admin can set up webhook notifications for Alert rules. This means that anytime an alert rule is triggered, the alert will be sent to the webhook URL that is added in the Shield configuration. This post explains the process.
2. Modules #
Modules > An Admin/User can enable or disable the following audit areas: Browsing, Chats, Cookies, Downloads, Extensions, Searches, Scope.
3. Alert rules #
An Admin/User can configure many types of alert rules:
Alert Rules > Alerts can be configured from scratch or by selecting templates.
Types of Alerts: File download, Page content inspection, Visit, Search, Device Usage, Location, IP Address, Active ID, Denoted User/Last User Mismatch.
Configured Alerts will appear in the view denoting: Name, Type, Active, Created, Created By, Modified, Modified by.
Next to each row, you’ll find are three icons:
I. Edit > Quick edit rule specifications.
II. Export > Export rule specifications.
III. Delete > Delete rule
Alert rule Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in Alert rules.
Filter sets can be imported & exported. Filter results can also be exported.
4. Browsing Tags #
Browsing Tags > An Admin/User can create and define browsing tags that can be used throughout Shield for reporting. Tag templates are available.
Configured Tags will appear in the view denoted by Site Url, Tags, Active, Created, Created By, Modified, Modified by.
Next to each row, there are three icons;
I. Edit > Quick edit tags specifications.
II. Export > Export tags specifications.
III. Delete > Delete tag.
Browsing Tags Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in Browsing Tags.
Filter sets can be imported & exported. Filter results can also be exported and imported.
5. Browsing Cookies #
a. Browsing Cookies > An Admin/User can create cookies here, created cookies are denoted in the view by Name, Value, URL, Created, Created By, Modified, Modified by.
b. Cookies Audit Log > a log of Cookies activity details.
Browsing Cookies Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in Browsing Cookies.
Filter sets can be imported & exported. Filter results can be exported and imported.
6. Site Access Control #
a. Site Access Control > Presented in dual sections User/System Defined Site Access Categories and Active Site Access Rules.
An Admin/User can define site access policies. Selecting ‘Add a site Access Category’ will launch a pop-up to define Site Category, Type, Description, Site List.
Custom categories can also be uploaded using spreadsheets.
On the left-hand side, the defined category is displayed. Selecting the Arrow icon beside the row will launch a pop-up window to specify and then activate the Site Access rule once it’s saved.
On the right-hand side, the active Site Access Rules are displayed, rules can be quickly edited or deleted using the icons next to each row.
On the bottom left-hand side, the System defined categories can be enabled and customized.
Site Access Control Filters; Users can define a filter to fetch what they need for the task at hand. That will then display the filtered search in the Site Access Control.
Filter sets can be imported & exported.
b. Config > Admin/user can configure Block Page, IP Blocking, Global Allow List.
7. Search Access #
Search Access > Options to enable; Safe Search, Image Safe Search, Scope.
8. YouTube Access #
YouTube Access > An Admin/User can toggle ‘Strict Restricted YouTube access’ or ‘Moderate Restricted YouTube access’ and apply the scope for User, User org.unit, User Group.
Additional Blocking > An Admin/User can toggle ‘Block embedded YouTube videos on all sites‘ or ‘Block embedded YouTube videos only on these sites‘ and apply the scope for User, User org.unit, User Group.
9. Gmail Access #
Gmail Access > An Admin/User can enforce a Gmail restriction.
Denoted by: Allow any Gmail accounts, Allow domain Gmail accounts, Block personal Gmail accounts.
The Scope can be selected for certain users.
10. Chat Access #
Chats/Hangouts Access > An Admin/User can manage Chats/hangouts.
Denoted by: Disable Chat/Hangouts, customizable Time restriction, Scope of users.
11. Monitoring Ranges #
Monitoring Ranges > An Admin/User can configure the scope for where Shield is active.
A descending view denoted by: Network Monitored List, Network Not Monitored List, Users Monitored List, Users Not Monitored List, Devices Monitored List, Devices not monitored List, Enrolled ChromeOS devices only.
At the bottom view, IP Mapping can be set and or Imported/Exported.
12. Login Control #
Login Control > An Admin/User can control who logs into the domain from Shield-protected devices.
The view is denoted by: Login Time Window (from), Login Time Window (To), Login Area, idle timeout (s), Hard logout, Login allow list, Login allow list exclusions, Scope, Quick help.
13. Scheduled reports #
Reports > This section keeps tabs of all scheduled reports configured throughout the Shield tool’s sections.
The reports are presented in rows denoted by columns showing: Name, Type, Enabled, Cron, Created, Created By, Modified, Modified by, Action.
The Action column allows you to edit reports or delete them.
Report Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in Reports.
Filter sets can be imported & exported.
14. Delegated Auditors #
Auditors > An Admins can set up delegated auditors to have access to the designated areas of the tool.
Auditors can be set by launching the ‘Add an Auditor’ button.
All auditors are displayed in the view in rows denoted by columns showing: Auditor, Scope, Valid until Active, Created, Created By, Modified, Modified by, Action.
Auditor permissions can be edited in the action column or deleted.
Delegated auditor Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in Auditors.
Filter sets can be imported & exported.
Check out our ‘How to’ link GAT Shield: Delegated Auditors Functionality.
15. Admin Log #
Redirects to GAT+ for a log of every action taken.
Actions are presented in rows and denoted by columns showing: Date, User, Action, Additional information, Duration, product, version.
Admin logs Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Admin log.
Using this filter, users can define scheduled reports and automatically export them to specific users and folder locations.
Filter sets can be imported & exported. Filter results can also be exported
Help Dashboard #
- User Manual > Redirect to User Manual URL.
- Extensions Deployment > Choose whether to deploy open or closed UI extension.
- Resources > Redirect to resources URL.
- License > License details.
- About > About GAT Shield tool.
