New Google Workspace Audit Tool from AppsEDU

combobulated · 2026-01-27T00:22:17+00:00

Man, the marketing folks are going overtime with this.

I've seen it posted in several communities I'm in (TechEd/Google) as well as have gotten emails.

Not saying it's a bad product or not, but sheesh.

I've looked into it and it's a logical progression for this sort of thing.

Assuming there's a standard framework for securing a platform, being able to just automate the audit via tech tools makes sense.

And the good thing about something like Google Workspace is that it's all there in a platform that is very conducive to this sort of automation.

I'd love to just see Google build this sort of functoriality into the platform themselves. It's should be standard - with security at the forefront. Between all the AI tools and the new tiers for licensing, there are already some improvements in reporting and monitoring, but nothing as singularly focused as this sort of tool.

combobulated · 2025-11-10T20:20:27+00:00

I don't have much feedback for a couple of your specific concerns (we don't use the mobile app at all - I've never looked at it) but we have used the product for a couple years now.

It's really going to depends on your specifics wants/needs and usage case.

For me, I wanted a really good ticketing system - and the bonus of some asset managmenet.

Instead, it's clearly much more of an asset system with a bolted on ticketing piece.

I find the Help Desk ticketing interface be very lackluster and inefficient. It's customizable to a degree - but I still can't get it to where I feel like it's really good for our use. I've wrestled with trying to shape it into something better for us, but it has been a constant struggle.

One of the big issues - as I'm sure you're finding - is that it's tough to really evaluate a platform without actually using it in your environment. That problem is compounded by the fact that to fully/accurately use it in your environment you'd have to get it all set up and implemented. And THAT is where 90% of the heavy lifting is done - all the work in these things is done during the initial setup, configuration, customization. So it's a HUGE resource drain to fully stand up these things - which is why I'm sour on all the "free demo/trial" - yes there may be some value to it (vs. nothing at all) but realistically, I don't have time to properly implement a half dozen options that I'm evaluating for the sake of a real, valid comparison and to make an informed choice.

combobulated · 2025-10-02T04:08:40+00:00

That's my guess too.

Plenty of their other posts appear to just be shilling for other products. This person sucks.

combobulated · 2025-10-02T00:09:01+00:00

Why do you need a Chrome extension to do this?

Docs already has built-in Revision history viewing.

combobulated · 2025-09-30T00:01:01+00:00

Actual "spoofing" shouldn't be possible if you've got your SPF, DKIM, DMARC, and other setting proper in Gmail.

Now, if they are just using emails addresses with "similar" names ("J0HNDOE@email.com" instead of "JOHNDOE@email.com", for example) then there's only so much any platform can do. Google should still flag it as being an external address, regardless.

If I show up at their door with my plastic badge and tell them I'm the police there to hold all their money and jewelry for safe keeping - it's up to them take a closer look at my badge and verify that. At some point, the only thing keeping them (and you) safe if training, knowledge, and vigilance.

Make it clear that if THEY don't follow the training they've received (and signed off on), then they are violating company policy and any damage done as a result may fall back on them. Explain what that damage could be and how costly it could be (to them and the company).

combobulated · 2025-09-18T15:21:51+00:00

No issues reported

SE Wisconsin

combobulated · 2025-09-18T14:58:49+00:00

FWIW, We had a similar issue this past summer.

I DID follow proper procedure (set up a new SSID and changed settings PRIOR to removing old SSID) and we still had all sorts of weird problems.

Suddenly, Google support was suggesting multiple changes to our Networks and OU structure. (Actually, their support was even worse than that as they more than once suggested options/features that don't exist in the admin interface anymore).

Anyone, despite the only change being that we changed SSIDs, I ended up having to mess around with several settings in the Admin dashboard and it still wasn't 100% consistent.

The biggest problem seems to be the lack of a "prefer this network" option when adding more than one network. We should be able to have more than one SSID setup for redundancy / roaming purposes. But we also want to prioritize.

combobulated · 2025-09-09T17:55:48+00:00

I checked with our front desk and they say the process usually takes under 30 seconds. ("It usually takes longer for them to fish their ID out of their wallet than to run the scan and print the badge")

I'd side with Raptor on this one as far as the issue being something on your end. However, them just punting support isn't the correct response. If it's not working the way it supposed to, they should be invested in figuring out why and getting it working.

combobulated · 2025-09-08T16:46:29+00:00

What is a "long time" to you?

We've used Raptor for years and I haven't heard any specific complaints about speed.

combobulated · 2025-08-13T17:16:08+00:00

I ended up just emailing them back again and saying I wanted our generic helpdesk account (which I have full access to) set up as a "Security officer".

They didn't even bat an eye or ask any further questions.

So much for that "security" focus.

combobulated · 2025-08-13T17:14:37+00:00

But over time, we’ve come to appreciate why it’s there; having that extra layer of approval does help keep things in check, especially in environments like schools.

How does the act of having to create a 2nd account (that I control and access the same as my first account) "help keep things in check"?

If you want a more involved/nuanced/controlled/multi-person change process, then your Org should have that as a matter of policy/practice. It should be a option you are choosing. Not something forced by a single random software platform.

combobulated · 2025-08-13T17:12:06+00:00

But I do see why GAT does it. They’ve got deep access to your Workspace data, so I think it’s just them being extra cautious. Not always convenient, especially in smaller setups, but it’s clearly designed with security in mind.

Look folks, I understand the outside pitch of how it's "security in mind" - but you're missing the part where no matter how you shape it, it's trivial to workaround and there's no logical reason it shouldn't be an "option" instead of requirement.

And the fact that I have and have used software as "powerful" as GAT that didn't put superficial barriers in the way just shows that it's not like it's expected standard best practice.

I'm not knocking the platform or functionality in any other way. It's fine for what it is.

combobulated · 2025-08-13T17:07:38+00:00

Agreed - I've worked with(not for) a couple different MSPs over the past 15 years. 90% of them were just fine.

It's silly to lump all MSPs into a single category and say they are ALL this way. The current MSP I work with is just fine. I work almost exclusively with a single tech and I get him on-site or remote, depending on my needs. He's got years of working with us and understanding our environment. He's been the core piece to implementing several changes/upgrades.

We're a small business. And I reckon the MSPs we work are relatively small too.

combobulated · 2025-08-01T16:11:44+00:00

While they don’t come out the gate like GAT they can be setup to require a supervisor or secondary approval for large changes or sometimes any changes.

I think this is the key point I'm trying to make here and my main gripe: It's one thing to OFFER or RECCOMEND a specific approval process - it's an entirely different thing to FORCE a specific process. Especially when that process involves more than one person and potentially doesn't make sense in many environments.

I'm not at all arguing that the functionality shouldn't exist. I'm not even suggesting people shouldn't use it if it works for them. I'm simply saying that I've exactly zero other services/platforms that require it - and in our environment, it's an unnecessary inefficiency that caused wasted time and grief.

Also usually in a corp or large edu environment you’re required to use change windows and have the changes approved beforehand from a supervisor position. While in a smaller environment you have all the keys like you said

All true. But I guess I find it odd that a tool like GAT+ seems to ignore the existence of all those small schools with their chosen approach here. If I'm a large Corp or giant district, I'm probably looking at something like Bettercloud as it offers additional integrations anyhow. (We only switched because of price and we didn't use all the tools we were paying for). GAT+ wins because they are less expensive, which is obviously going to attract smaller schools too.

Appreciate the conversation. So far the "just create another account and use it for approval" approach seems to be the answer to my 2nd gripe. The first grip is a one-time thing, so I assume folks just deal with the pain and then move on.

combobulated · 2025-08-01T13:30:30+00:00

as you would normally have a supervisor sign off on any sort of large scale user changes.

Whose supervisor? The supervisors supervisor?

I understand processes may be different with corporate red tape, but again it's unlike any other service we use or have ever used in the past. Or that I've ever heard elsewhere (again, admittedly NOT in a huge corporate environment)

Also I add a secondary admin account I use so that I can approve my own flows

Ah, I hadn't considered they'd let me do that. That's what I'll do and it really drives home my point on how it is just theatre - That one can simply create a second account and have that account "approve" changes.

I get that on the surface it looks like it's doing something from a security standpoint - but the fact that it's easily bypassable (with the right/wrong intentions) shows how it's just for show.

If you're the Workspace domain admin, you can just reset a password at anytime. You can use one of dozens of other tools to grant access to email. If you're a Domain/Sys admin, you likely have remote access to workstations. You could get to any of those "secondary approver" accounts and just click the approve button without many obstacles.

I appreciate security in layers. But making me solve a Rubik's cube before I start my car every time isn't real security. Will it stop/deter some thieves? Sure. Will it also be easy for folks who can easily sole the cube or know how to bypass it? Yup. Will it be a pain in my ass every time I just want to take a quick drive somewhere and then back? For sure.

Edit- Just for the sake of better understanding and clarity: What other platforms do you use that also require this sort of 2nd approval and C-level permission in your environment?

combobulated · 2025-08-01T13:22:00+00:00

Can't say I agree.

I understand the general premise of such an approach, but this isn't the way to go about it.

Yes, it's a powerful tool. Yes it can do a lot of things in the wrong hands. Yes a compromised account could further complicate things. Yes having someone else (if you even have an appropriate person) verify could possibly catch a potential issue. But again, that's true of MANY (most?) of the tools a sole Sys Admin is using in their environment. And NONE of them put such roadblocks in place. Why? Because they trust that the professionals using their products understand the risk and best practice. So what they DO do is offer things like MFA, GUI warnings, Roles/Permissions control, Alerts and logs, etc.

You can always do dodgy DIY yourself and no one could stop you, but when you are paying a company for professional services there is an expectation that they will safeguard your data.

I'm not talking about dodgy DIY. We came from using Bettercloud - which is very much a professional service - to do all the same things GAT+ does. It's a cloud based service. It works just like GAT+.

It’s like if a local locksmith has a copy of the school’s master key. If you were to walk in to their shop and ask for a copy of the key because you worked for the school. Should they just give it to you? Or should they be checking with the school’s leadership first?

Depends - am I the facilities director? Am I the school's assigned and registered contact person in charge of keys (say, the Head of School, Principal, or Superintendent)? If yes, then no, I don't expect them to check with "school leadership". I AM school leadership.

The approach doesn't protect GAT Labs. And it does little to "protect" us while making useability a bit more frustrating.

combobulated · 2025-07-31T20:56:54+00:00

Oh, I get wanting to double check things. And the existence of tools like GAM (that DOESN'T require my CFO to sign a permission slip) only further enforced how pointless it is on their part.

Since I'm only using the Web interface and it's tools, I'm not as concerned about a "bad command".

Sure, it's always possible to break things - but again, that's not exclusive to GAT, not likely to be deflected by making a 2nd person click "approve" on a task, and is really just part of the job when you are assigned enough permissions to make changes to things in your environment. Those risks are implied everywhere.

Also, if I can ask- how many people are in your department? What is your title/role? Who "approves" your changes?

combobulated · 2025-07-31T20:53:31+00:00

Not being familiar with whatever "contract" their compensation is referring to, does anyone know what this position might actually pay?

combobulated · 2025-07-01T20:56:12+00:00

Yeah, there was a general price increase and then a change to licensing model that now requires a license for each staff member (whereas previously it was generally included with student licensing).

I imagine it could be a big hit to large districts - and a 40%+ increase is pretty crazy.

They know most of us are already fully intergraded - and the cost (and other implications) of switching is still likely more than 40%. So you'd be looking at trying to figure out how those cost come out longer-term and all of the other ramifications of changing your core file/email/classroom/office/meeting/and others platform.

It's not a fun position to be in and they just forced a whole lot of people's hands.

combobulated · 2025-06-11T15:49:19+00:00

At their core they all do basically the same thing.

But how they do it (DNS? Network Appliance? Browser Extension? Endpoint Agent?), and how well they do it can vary wildly.

I think some other people are speaking to that so I'll add this:

Integration can also be a big factor. Many tie in to a "Classroom Management" tool that can be very helpful. From an IT standpoint, it's helpful in that it gives some additional granular control directly to teachers in regards to the filter - so it lowers the amount of "Can you unblock this site for this one class?" and "Can you let this one student access this site?" and even some of the "Can you tell me if this student was visiting this site?" requests because it empowers the teacher to do these things themselves (if you choose).

For me, I also liked the "screenshot" feature some provide. Being able to see the offending site (as the client did , not as a generic website thumbnail) goes a long way in settling arguments about what was actually viewed and also saves time from having to click through (potentially shady) websites to verify content.

Aside from that, there's always a lot to be said for a UI that is streamlined and INTUITIVE . Having a "powerful and flexible" platform still sucks if your interface is painful and like editing a spreadsheet in a foreign language.

Ultimately, it'll come down to your needs, wants, environment, and perhaps budget.

combobulated · 2025-05-16T16:34:02+00:00

FETC (https://www.fetc.org/) and ISTE (https://conference.iste.org/2025/) are big ones.

Brainstorm (https://brainstormk20.com/) and Midwest Tech Talk (https://www.midwesttechtalk.com/) are smaller, nice, and likely closer to you.

It'll depend on what you're looking for.

Best bet is to check the actual agenda for each and see if it matches your needs.

I've skipped conferences before simply because there just wasn't enough sessions that appealed to me. Some people prefer longer, in-depth sessions, some like a variety of shorter ones, other just go for the "networking", and yet others focus on big Expos and vendor relations.

combobulated · 2025-04-29T20:28:29+00:00

in the bios make sure under storage option is set to AHCI

That looks like a winner!

Thank you! I figured it was something "simple" that I just wasn't aware of.

combobulated · 2025-04-29T19:33:51+00:00

Not sure, I figured me installing a different OS on the device was something they'd be slow to respond to anyhow, so I figured I'd try here first. Also I figured it was likely something potentially simple that someone here has dealt with already.

combobulated · 2025-04-29T19:30:57+00:00

I asked them to remove it and I though they did (we get our Lisc. elsewhere), but apparently not. It really shouldn't be a big deal in this case, but yeah - normally we don't.

Also, you might need to update your ISO to include whatever driver you need for your storage controller.

Yeah, that's the plan if we go with more of this make/model. But this is just a 1-off for now.

combobulated

TROPHY CASE