
What is GAT Shield?

GAT Shield is one of GAT Labs’ family of tools. It’s an audit, reporting and security Chrome Extension for your Google Workspace environment.

GAT Shield helps admins protect their Google Workspace users by monitoring all activity and providing real-time DLP on ALL sites.

GAT Shield consists of two parts: the Shield Reporter Web Application and the Shield Chrome Extension (clients).

Once installed, the extension monitors activity in real time, receives instructions from the Reporter, and sends data and alerts back to the Reporter in milliseconds.

**Availability:** GAT Shield can be enabled for trial. It’s part of the Vigilant plan for Education, and the Secure plan for Enterprise.

**Prerequisite:** GAT Shield requires GAT+ to be installed on the domain. Once the trial is enabled, you’ll need to configure the product.

(See our resource ‘How to deploy and configure GAT Shield on Your Domain’ for more information)


Non-Google Admin User

GAT Shield can be delegated to non-admin users, allowing them to run audits, analyses or reports for any given scope such as user, group or Organization Unit (OU).

(See our resource ‘GAT Shield: Delegated Auditors Functionality’ for more information)


How does GAT Shield work?

User interfaces

GAT works by pushing either an open or closed UI extension to the domain’s Chrome browsers.

The open user interface extension allows the Chrome user to see their own activity information while using the Chrome browser.

The closed user interface will display a grey GAT Shield icon that the end-user can’t access.

 

GAT Shield Dashboard Overview

Once launched, the tool will display a dashboard with a section for navigation on the left side panel.

*Note: Filters are a powerful feature developed throughout the dashboard to help users find the right data for every use case faster.

The Shield panel presents:

Name of User

Name of User > Name of the user logged into GAT Shield.

 

Audit Dashboard

A view summarising Shield activity for users and alerts:

1. Browsing

a. Data explorer > A charted view of User activity denoting: Site name, Site URL, Time on site, Started, Finished, Tags, User.

Clicking on the eye icon next to each row will present more info: User Org. unit, Device Browser, Device OS, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Device location, Device est. uptime, Shield UUID, Shield CRX ver, edition, last sync, Quick help.

Browsing Filters: Users can define a filter to find what they need for the task at hand. This will then display the filtered search in the Data Explorer.

Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.

Filter sets can be imported & exported. Filter results can also be exported.

b. User/Chrome device Activity > Overall browsing activity charted and selectable by Date & Scope, denoting: time spent on each corresponding site. Charts can be grouped by Site or Tags.

c. User Summary > Charted view selectable by Time Range, Scope, denoting: Total User Time On Sites, Total User Site Views, Top Users, Top Sites Browsed By Users, and Top Tags Browsed By Users.

A PDF report can be generated and scheduled to automatically update the recipient with the above data.

d. Chrome Device Summary > Charted view for Chrome devices selectable by Time Range, Scope, denoting: Total Devices Time Spent on Site, Top Devices, Top Users on Devices, Top Sites Browsed on Devices, and Top Tags Browsed on Devices.

A PDF report can be generated and scheduled to automatically update the recipient with the above data.

e. Behaviour Flow > The Behaviour Flow shows how users move through the selected site. This allows admins to view the users’ Browsing behaviour through a specific website.

This flow should be read from left to right: The leftmost node of the flow network shows sites where users start their interaction with the site.

The path through links shows the user’s site browsing activity until they decided to move to another website.

f. Cookies > Cookies analysis denoted by: Domain, Count, Names, User.

Clicking on the eye icon next to each row will present more info: Path, Host-Only, Secure, HTTP only, session, Expiring.

Browsing Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Cookies analysis.

Using this filter users can define for their search: Cookie name, Cookie domain, Domain, User.

Filter sets can be imported & exported. Filter results can also be exported.

 

2. Downloads

Downloads explorer > Analysis of all the ‘download activity’ happening on the domain, denoted by: URL, MIME, Local File, Local Path, Size, Started, Finished, User.

Clicking on the eye icon next to each row will present more info: User Org. unit, Device Browser, Device OS, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Device location, Device est. uptime, Shield UUID, Shield CRX ver, edition, last sync, Quick help.

Downloads Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Downloads explorer.

Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.

Filter sets can be imported & exported. Filter results can also be exported.

 

3. Extensions

Extensions Explorer > An Audit of Chrome extensions, denoted by: Name, Version, Permissions, Permissions Score, Enabled, Installed, Removed, User.

Clicking on the eye icon next to each row will present more info: ID, User can disable, Type, Install type, Origin, User Org. unit, Device Browser, Device OS, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Device location, Device est. uptime, Shield UUID, Shield CRX ver, edition, last sync, Quick help.

Extensions Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Extensions explorer.

Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.

Filter sets can be imported & exported. Filter results can also be exported.

 

4. Searches

Searches Explorer > An Audit of user searches, denoting: Query, Engine, Date, User.

Clicking on the eye icon next to each row will present more info: User Org. unit, Device Browser, Device OS, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Device location, Device est. uptime, Shield UUID, Shield CRX ver, edition, last sync, Quick help.

Searches Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Searches explorer.

Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.

Filter sets can be imported & exported. Filter results can also be exported.

 

5. Chats

Chats Explorer > An Audit of Gmail Chat, denoting: Participants, Duration, Started, Finished, User.

Clicking on the eye icon next to each row will present more info: User Org. unit, Device Browser, Device OS, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Device location, Device est. uptime, Shield UUID, Shield CRX ver, edition, last sync, Quick help.

Chats Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Chats explorer.

Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.

Filter sets can be imported & exported. Filter results can also be exported.

 

6. User/Device Geo Reporting

a. User Device Explorer > An Audit of User devices, denoting the Geo-location of users on a real-world map.

Two views available:

I. View by UUID, denoting: Device serial no., Device Org unit, Device OS, Device Pub. IPv4, Device private IPv4, Device city, Device Country, User, Shield UUID, Shield CRX ver., Shield CRX last sync.

Clicking on the eye icon next to each row will present more info: Device Browser, Device OS, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Device location, Device coordinates, Device est. uptime, CPU Model, CPU Usage by core, Total memory, Memory usage, Shield UUID, Shield CRX ver, edition, last sync, User Org. unit, Other user accounts, Quick help.

II. View by IP, denoting: Shield UUID, Shield CRX ver., OS, Public IPv4, Private IPv4, City, Country, User, Last Sync.

 

b. User/Chrome Device History Explorer > An Audit of User Chrome devices denoting the Geolocation of users on a real-world map.

View by UUID denoting: Device serial no., Device Org unit, Device OS, Device Pub. IPv4, Device private IPv4, Device city, Device Country, User, Shield UUID, Shield CRX ver., Shield CRX last sync.

Clicking on the eye icon next to each row will present more info: Device ID, Device Browser, Device OS, Device Org.Unit, Device Serial no., Device Model, Device annotated asset ID, Device wireless MAC, Device ethernet MAC, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Device annotated location, Device location, Device coordinates, Shield UUID, Shield CRX ver, edition, last sync, User Org.unit, Other user accounts, Quick help.

Instance Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the User/Device Geo reporting.

Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.

Filter sets can be imported & exported. Filter results can also be exported.

 

7. Shield Alerts

This section of the panel presents the triggered Alerts defined by the Admin/User in the Alert Rules Configuration.

Alerts Explorer

Alerts are presented in rows, with columns showing: Rule Name, Rule Type, Page, Trigger, Sent, User, Status.

Next to each row, you’ll find three icons:

I. Eye icon: Presents more info on: Context, User Org. unit, Device Browser, Device OS, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Device location, Device est. uptime, Shield UUID, Shield CRX ver, edition, last sync, Quick help.

II. Acknowledge icon: Mark Alert as acknowledged.

III. Show/Edit Rule icon: Quick edit triggered rule specifications and actions.

Alerts Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Alerts Explorer.

Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.

Filter sets can be imported & exported. Filter results can also be exported.

 

8. Site Access Events

This section of the panel presents the triggered ‘Site Access Events’ defined in the ‘Site Access Control Configuration’.

Site Access Events Explorer > Events are presented in rows, with columns showing: Site URL, Site Access Category, Site Access Action, Date, User.

Clicking on the eye icon next to each row will present more info: User Org. unit, Device Browser, Device OS, Device public IPv4, Device private IPv4, Device public IPv6, Device private IPv6, Device public IPv4 mapping, Device private IPv4 mapping, Device location, Device est. uptime, Shield UUID, Shield CRX ver, edition, last sync, Quick help.

Site Access Events Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Site Access Events Explorer.

Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.

Filter sets can be imported & exported. Filter results can also be exported.

 

9. User Activity

Redirects to the User/Chrome Device Activity tab.

 

10. YouTube

This section of the panel denotes the Audit of user YouTube activity.

YouTube Explorer > The user’s YouTube activity denoting: Thumbnail, Title, User, URL, Time on Site, Started, Finished.

Clicking on the eye icon next to each row will stream the video.

YouTube Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the YouTube Explorer.

Using this filter users can define scheduled reports and automatically export them to specific users and folder locations.

Filter sets can be imported & exported. Filter results can also be exported.

 

Configuration Dashboard

A view where an Admin/User can set up and specify GAT Shield behaviour, customizing policies to their unique use case.

1. General and CIPA

a. General > An Admin/User is able to configure: Default domain, User-agent, User-agent overwrite, Date format, Records per table page, Time zone, Import export date format.

b. CIPA Compliance > Configure Children’s Internet Protection Act (CIPA) settings, denoted by: Enable CIPA compliant features, Scope.

(Learn more about becoming CIPA compliant in Google Workspace for Education with GAT Shield here)

2. Modules

Modules > An Admin/User can enable or disable the following audit areas: Browsing, Chats, Cookies, Downloads, Extensions, Searches, Scope.

3. Alert rules

An Admin/User can configure many types of alert rules:

Alert Rules > Alerts can be configured from scratch or by selecting templates.

Types of Alerts: File download, Page content inspection, Google docs inspection, Visit, Search, Device Usage, Location, IP Address, Active ID.

Configured Alerts will appear in the view denoting: Name, Type, Active, Created, Created By, Modified, Modified by. 

Next to each row you’ll find three icons:

I. Edit > Quick edit rule specifications.

II. Export > Export rule specifications.

III. Delete > Delete rule.

Alert rule Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in Alert rules.

Filter sets can be imported & exported. Filter results can also be exported.

4. Browsing Tags

Browsing Tags > An Admin/User can create and define browsing tags that can be used throughout Shield for reporting. Tag templates are available.

Configured Tags will appear in the view denoted by: Site Url, Tags, Active, Created, Created by, Modified, Modified by.

Next to each row, there are three icons:

I. Edit > Quick edit tags specifications.

II. Export > Export tags specifications.

III. Delete > Delete tag.

Browsing Tags Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in Browsing Tags.

Filter sets can be imported & exported. Filter results can also be exported and imported.

5. Browsing Cookies

a. Browsing Cookies > An Admin/User can create cookies here. Created cookies are denoted in the view by: Name, Value, URL, Created, Created By, Modified, Modified by.

b. Cookies Audit Log > A log of Cookies activity details.

Browsing Cookies Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in Browsing Cookies.

Filter sets can be imported & exported. Filter results can be exported and imported. 

6. Site Access Control

a. Site Access Control > Presented in two sections: User/System Defined Site Access Categories and Active Site Access Rules.

An Admin/User can define site access policies. Selecting ‘Add a site Access Category’ will launch a pop-up to define: Site Category, Type, Description, Site List.

Custom categories can also be uploaded using spreadsheets.

On the left-hand side, the defined category is displayed. Selecting the Arrow icon beside the row will launch a pop-up window to specify and then activate the Site Access rule once it’s saved.

On the right-hand side, the active Site Access Rules are displayed. Rules can be quickly edited or deleted using the icons next to each row.

On the bottom left-hand side, the System defined categories can be enabled and customized.

Site Access Control Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Site Access Control.

Filter sets can be imported & exported.

b. Config > An Admin/User can configure: Block Page, IP Blocking, Global Allow List.

7. Search Access

Search Access > Options to enable: Safe Search, Image Safe Search, Scope.

8. YouTube Access

YouTube Access > An Admin/User can toggle ‘Strict Restricted YouTube access’ or ‘Moderate Restricted YouTube access’ and apply the scope for User, User org.unit, User Group.

9. Gmail Access

Gmail Access > An Admin/User can enforce a Gmail restriction. 

Denoted by: Allow any Gmail accounts, Allow domain Gmail accounts, Block personal Gmail accounts.

The Scope can be selected for certain users.

10. Chat Hangouts Access

Chats/Hangouts Access > An Admin/User can manage Chats/hangouts. 

Denoted by: Disable Chat/Hangouts, customizable Time restriction, Scope of users.

11. Zoom Access

a. Zoom Access > An Admin/User can manage Zoom accessibility.

Denoted by: Disable Zoom, Block Zoom Chat, customizable Time restriction, Scope of users.

12. Active ID

Active ID uses machine learning algorithms to constantly confirm that the user logged in is in fact the one using the device at hand.

An Admin/User can configure Active ID behaviour.

a. Active ID > This tab presents three Status sections:

(Users covered, Users known to model)

I. On the top left-hand side, the ‘Status’ section denotes: Active ID/Enabled, Current mode, Scope, Active ID alert rules, HealthCheck, Patterns in total, New Patterns in last 24hrs, patterns per user (avg), Classifications started, No. of users eligible for the model, No. of users to be processed, No. of users with too few patterns.

II. On the middle left-hand side, the ‘Users Covered’ section denotes: User, No. of patterns gathered, a model built, Status.

Clicking on the eye icon next to each row will present more info: Number of patterns collected, Patterns used for building the model, Model created, Total number of patterns verified, Positive predictions, Negative predictions.

Clicking on the wrench icon will prompt the option to rebuild the model for the user.

III. On the middle right-hand side, the ‘Users unknown to the model’ section denotes: User, No. patterns gathered.

b. Face Verification > Presents the user’s status, showing whether a photo of the user has been uploaded to Shield CRX for Active ID face verification.

Denoted by: User, Photo Status, Action.

Photo vector representations can be deleted by selecting the action icon.

c. Logs > Trigger logs can be identified here, denoted by: Created, Model, Outcome, Predicted Class, Real Class.

Active ID Logs Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in Logs.

Filter sets can be imported & exported. 

Learn more about ActiveID here

13. Porn Blocking

Porn Blocking > An Admin/User can toggle ‘Blocking enabled’ and adjust the level of ‘Filter Strictness’ and ‘Scope’ for applying the porn blocking browsing feature.

14. Monitoring Ranges

Monitoring Ranges > An Admin/User can configure the scope for where Shield is active.

A descending view denoted by: Network Monitored List, Network Not Monitored List, Users Monitored List, Users Not Monitored List, Devices Monitored List, Devices not monitored List, Enrolled Devices only. 

At the bottom of the view, IP Mapping can be set and/or imported/exported.

15. Login Control

Login Control > An Admin/User can control who logs into the domain from Shield-protected devices.

The view is denoted by: Login Time Window (from), Login Time Window (To), Login Area, idle timeout (s), Hard logout, Login allow list, Login allow list exclusions.

16. Scheduled reports

Reports > This section keeps track of all scheduled reports configured throughout the Shield tool’s sections.

The reports are presented in rows, with columns showing: Name, Type, Enabled, Cron, Created, Created By, Modified, Modified by, Action.

The Action column allows you to edit reports or delete them.

Report Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in Reports.

Filter sets can be imported & exported.

17. Delegated Auditors

Auditors > An Admin can set up delegated auditors to have access to the designated areas of the tool.

Auditors can be set up using the ‘Add an Auditor’ button.

All auditors are displayed in the view in rows, with columns showing: Auditor, Scope, Valid until, Active, Created, Created By, Modified, Modified by, Action.

Auditor permissions can be edited or deleted in the Action column.

Delegated auditor Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in Auditors.

Filter sets can be imported & exported. 

Check out our ‘How to’ link: GAT Shield: Delegated Auditors Functionality.

18. Admin Log 

Redirects to GAT+ for a log of every action taken.

Actions are presented in rows, with columns showing: Date, User, Action, Additional information, Duration, product, version.

Admin logs Filters: Users can define a filter to fetch what they need for the task at hand. This will then display the filtered search in the Admin log. 

Using this filter, users can define scheduled reports and automatically export them to specific users and folder locations.

Filter sets can be imported & exported. Filter results can also be exported.

 

Help Dashboard

  1. User Manual > Redirect to User Manual URL.
  2. Extensions Deployment > Choose whether to deploy open or closed UI extension.
  3. Resources > Redirect to resources URL.
  4. License > License details.
  5. About > About GAT Shield tool.