ChromeOS data controls are a set of controls, applied by the admin, that protect users from data leakage on endpoints using a Data Loss Prevention (DLP) layer in ChromeOS. Admins can create and manage rules that restrict users from defined Chrome actions.
Users
If your admin has turned on data controls, they can see the actions you perform and metadata on confidential information.
How data controls works
Data controls, integrated at the OS level, restricts users from defined Chrome actions. The admin defines rules in the Google Admin console to trigger data controls based on the content source, and the destination for clipboard and file transfers. Sources and destinations include URLs, Chrome apps, Progressive Web Apps (PWAs), and removable storage like USB sticks.
Examples of the data controls the admin can apply include, blocking the user from pasting any data from Google Workspace to non-work sites or blocking screen sharing when using Google Meet.
Actions that the admin can restrict include:
- Copy and paste
- Printing
- Screen capture: screenshots and video capture
- Screen sharing
- Opening, uploading, or transferring files
- Automatically turning on the electronic privacy screen on a compatible device when viewing content
- File interactions like open, save, or transfer files
The admin can apply the following restriction levels to the actions:
- Allow—Users are explicitly allowed to perform the action. That action is not reported.
Note: This rule, when set, overrides all other rules. You can use the Block and Allow rules together, for example you can block all actions but allow one. - Report—Users are not blocked from performing the action. That action is reported.
- Warn—Users receive a warning but can choose to to carry out the action. That action is reported.
- Block—Users cannot perform the action. That action is reported.
- No policy set—Users can proceed as if no data control is in place. That action is not reported.
The admin can see reports on when data controls are triggered. This includes:
- Action taken and rule triggered, including source and destination
- Timestamp
- Metadata for content
- Filename or webpage title but not the actual content itself
Admins
When you implement data controls you can have the confidence to let well-intentioned employees safely work with the data they need from anywhere, on any network.
Before you begin
To apply data controls, you must have the delegated admin role for Manage User Settings. For details, see Delegate administrator roles in Chrome.
System requirements
- ChromeOS devices must be on OS version 103 or later.
- Opening, uploading, or transferring files is supported only on OS version 120 or later.
- ChromeOS devices must be in user or managed guest session mode.
- Rules for an electronic privacy screen require a compatible device. For example, HP devices equipped with Sure View.
Considerations
- Only the URL patterns included in the URL filter format are supported.
- A rule that is applied to a top-level domain applies to its subdomain. For example, a rule restriction that is applied to google.com applies to mail.google.com unless the subdomain is explicitly allowed.
- A rule that is applied to a domain name without specifying either http or https, applies to both http and https.
- Destinations for Play apps and Files, Linux, Parallels, and OneDrive are broad-based restrictions and cannot target specific applications. See the following examples:
- You can restrict pasting from a web app to all Android apps but not to any individual or subset of Android apps.
- You can block files from being copied to external storage based on the source they are transferred from but not specific storage devices.
Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.