# 50 Offline & desktop-sync data minimization

> v0.0.3 · role: Prevent · [policy: #25 · #15, #7](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Offline Docs, offline Gmail and Drive for desktop each mirror tenant data onto the local disk, where a lost, stolen or seized laptop yields it with no Workspace authentication in the way. This control turns those caches off, or restricts Drive for desktop to authorized devices — listed in the company-owned device inventory with a matching serial number — so the data stays server-side where the access controls actually are.

## Caveats

- Turning offline access off does not purge caches that already exist — local data on user machines survives the policy change, and clearing it needs an endpoint wipe or a profile reset.
- The local copy only stays gone if users cannot simply re-enable it — pair this with device-trust CAA (№27) and the Chrome managed-profile baseline (№10).
- 'Authorized devices' depends on the device being in the company-owned inventory with a matching serial number — devices missing from the inventory lock out legitimate users instead of attackers.
- Real usability cost: mobile, airport and field workflows genuinely break — scope it to the high-risk OU rather than tenant-wide unless the friction is acceptable everywhere.
- The device-policy variant is available on every edition, but requires installing the managed device policy on each computer and does not apply to ChromeOS or mobile.

## Setup steps

1. Restrict browser offline access so a stolen or unmanaged machine has no local Docs/Sheets/Slides cache to harvest. — `Apps › Google Workspace › Drive and Docs › Features and Applications`

   - **Offline access** = Use policies to control offline access from computers (not 'Allow users to turn on offline access')

   docs: [Set up offline access to Docs, Sheets & Slides](https://knowledge.workspace.google.com/admin/drive/set-up-offline-access-to-docs-sheets-and-slides)

2. Either disable Drive for desktop for the OU (organizational unit), or allow it only on authorized devices (in the company-owned device inventory with a matching serial number). — `Apps › Google Workspace › Drive and Docs › Features and Applications › Google Drive for desktop`

   Allow Google Drive for desktop in your organization = off for high-risk OU; otherwise 'Only allow Google Drive for desktop on authorized devices' = checked

   docs: [Set up Drive for desktop for your organization](https://knowledge.workspace.google.com/admin/drive/set-up-drive-for-desktop-for-your-organization) · [Use Drive for desktop with Google endpoint management](https://knowledge.workspace.google.com/admin/devices/use-drive-for-desktop-with-google-endpoint-management)

3. Turn off offline Gmail so the mailbox is not mirrored into browser local storage. — `Apps › Google Workspace › Gmail › User settings`

   Enable Gmail web offline = unchecked for the OU; optionally check 'Force deletion of offline data on log out of Google account'

   docs: [Use Gmail offline with Google Workspace](https://knowledge.workspace.google.com/admin/gmail/use-gmail-offline-with-google-workspace)

## How to verify

1. On a covered machine, confirm Drive offline availability and desktop-sync are refused for the restricted OU (the Drive settings toggle should be absent/greyed for a test user).

## Settings screens

- Apps > Google Workspace > Drive and Docs > Features and Applications
  - console: https://admin.google.com/ac/managedsettings/55656082996
  - screenshot: ../screenshots/admin.google.com/ac/managedsettings/55656082996.png
- Apps > Google Workspace > Gmail > User settings (offline Gmail)
  - console: https://admin.google.com/ac/apps/gmail/enduseraccess
  - screenshot: ../screenshots/admin.google.com/ac/apps/gmail/enduseraccess.png
