Use Chrome Enterprise Premium to integrate DLP with Chrome

This example shows how to use rule settings to block file downloads. In this example, the download is blocked if it occurs from drive.google.com.

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

• Organizational unit administrator privileges.
• Groups administrator privileges.
• View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges.
• View Metadata and Attributes privileges (required for the use of the investigation tool only): Security CenterInvestigation ToolRuleView Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. In the Admin console, go to Menu  SecurityAccess and data controlData protection.
3. Click Manage Rules. Then click Add ruleNew rule. 
4. Add the name and description for the rule.
5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.

   Note that organizational units can contain devices, users or a combination of devices and users. This is important to know, because rules apply only to users for Chrome browsers and only to devices for Chrome OS. Keep this in mind as you create your DLP rules for Chrome Enterprise Premium.

6. Click Continue.
7. In Apps, for Chrome, select File downloaded.
8. Click Continue.
9. In the Conditions section, click Add Condition and select the following values:
   1. Content type to scan—URL
   2. What to scan for—Contains text string
   3. Contents to match—googleusercontent.com
   Important: Third-party cookies are necessary for Google Drive downloads to increase browser security and to make sure that only you can download your data. Google Drive uses googleusercontent.com, a Google domain, but one that is regarded as a third party by Drive, to deliver your files and further increase security.
    
10. Click Continue. In the Actions section, under Chrome, select Block.
11. (Optional) In the Alerting section:
    • Choose a severity level (Low, Medium, or High) for how an event triggered by this rule is reported in the security dashboard. 
    • Choose whether an event triggered by this rule should also send an alert to the alert center. Also choose whether to email alert notifications to all super administrators or to other recipients.
12. Click Continue to review the rule details.
13. Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData protectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
14. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more

This example shows how to use rule settings to trigger a user warning under certain conditions.  In this example, the user is warned if they try to download more than 30 email addresses at once.

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

• Organizational unit administrator privileges.
• Groups administrator privileges.
• View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges. 
• View Metadata and Attributes privileges (required for the use of the investigation tool only): Security CenterInvestigation ToolRuleView Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. In the Admin console, go to Menu  SecurityAccess and data controlData protection.
3. Click Manage Rules. Then click Add ruleNew rule. 
4. Add the name and description for the rule.
5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.

   Note that organizational units can contain devices, users or a combination of devices and users. This is important to know, because rules apply only to devices for Chrome browsers and only to users for Chrome OS. Keep this in mind as you create your DLP rules for Chrome Enterprise Premium.

6. Click Continue.
7. In Apps, for Chrome, select File downloaded.
8. Click Continue.
9. In the Conditions section, click Add Condition and select the following values:
   1. Content type to scan—All content
   2. What to scan for—Matches predefined data type
   3. Data type—Global - Email Address
   4. Likelihood threshold—Medium
   5. Minimum unique matches—30
   6. Minimum match counts—30
10. Click Continue. In the Actions section, under Chrome, select Allow with warning. The user is warned, but can proceed with the action if the rule is violated. If the user chooses to proceed after being warned, this action is recorded in the Rules audit log.
11. (Optional) In the Alerting section:
    • Choose a severity level (Low, Medium, or High) for how an event triggered by this rule is reported in the security dashboard. 
    • Choose whether an event triggered by this rule should also send an alert to the alert center. Also choose whether to email alert notifications to all super administrators or to other recipients.
12. Click Continue to review the rule details.
13. Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData protectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
14. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more

This example shows how to use rule settings to block file uploads to certain types of websites. In this example, the upload is blocked if the user tries to upload files to social media sites, such as Facebook.

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

• Organizational unit administrator privileges.
• Groups administrator privileges.
• View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges. 
• View Metadata and Attributes privileges (required for the use of the investigation tool only): Security CenterInvestigation ToolRuleView Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. In the Admin console, go to Menu  SecurityAccess and data controlData protection.
3. Click Manage Rules. Then click Add ruleNew rule. 
4. Add the name and description for the rule.
5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.

   Note that organizational units can contain devices, users or a combination of devices and users. This is important to know, because rules apply only to devices for Chrome browsers and only to users for the Chrome operating system. Keep this in mind as you create your DLP rules for Chrome Enterprise Premium.

6. Click Continue.
7. In Apps, for Chrome, select File uploaded.

   Note: For the File uploaded and Content pasted triggers, the blocking behavior depends on the Delay file upload setting specified in Set Chrome Enterprise connector policies for Chrome Enterprise Premium. If the Delay file upload setting is set to Allow immediate upload the file will upload during the scan. To prevent users from uploading files or content during a scan, the Delay file upload setting should be set to Delay upload until analysis is complete.

8. Click Continue.
9. In the Conditions section, click Add Condition and select the following values:
   1. Content type to scan—URL category
   2. Select category—Online CommunitiesSocial Networks
10. Click Continue. In the Actions section, under Chrome, select Block.
11. (Optional) In the Alerting section:
    • Choose a severity level (Low, Medium, or High) for how an event triggered by this rule is reported in the security dashboard. 
    • Choose whether an event triggered by this rule should also send an alert to the alert center. Also choose whether to email alert notifications to all super administrators or to other recipients.
12. Click Continue to review the rule details.
13. Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData protectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
14. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more

This example shows how to use rule settings to block file downloads based on file type and size. In this example, the download is blocked if the user tries to download image files larger than 10 kB.

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

• Organizational unit administrator privileges.
• Groups administrator privileges.
• View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges. 
• View Metadata and Attributes privileges (required for the use of the investigation tool only): Security CenterInvestigation ToolRuleView Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. In the Admin console, go to Menu  SecurityAccess and data controlData protection.
3. Click Manage Rules. Then click Add ruleNew rule. 
4. Add the name and description for the rule.
5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.

   Note that organizational units can contain devices, users or a combination of devices and users. This is important to know, because rules apply only to devices for Chrome browsers and only to users for the Chrome operating system. Keep this in mind as you create your DLP rules for Chrome Enterprise Premium.

6. Click Continue.
7. In Apps, for Chrome, select File downloaded.
8. Click Continue.
9. In the Conditions section, click Add Condition and select the following values:
   1. Content type to scan—File size.
   2. What to scan for—Is greater than
   3. Enter file size (in bytes)—10000
10. Click Add condition and select the following values:
    1. Content type to scan—File type.
    2. What to scan for—Matches system file category
    3. System file category—Image

    For information on the MIME types included in each system file category, click here.

11. Click Continue. In the Actions section, under Chrome, select Block.
12. (Optional) In the Alerting section:
    • Choose a severity level (Low, Medium, or High) for how an event triggered by this rule is reported in the security dashboard. 
    • Choose whether an event triggered by this rule should also send an alert to the alert center. Also choose whether to email alert notifications to all super administrators or to other recipients.
13. Click Continue to review the rule details.
14. Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData protectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
15. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more

This example shows how to use rule settings to trigger a user warning when a user tries to navigate to a website with gambling content.

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

• Organizational unit administrator privileges.
• Groups administrator privileges.
• View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges.
• View Metadata and Attributes privileges (required for the use of the investigation tool only): Security CenterInvestigation ToolRuleView Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. In the Admin console, go to Menu  SecurityAccess and data controlData protection.
3. Click Manage Rules. Then click Add ruleNew rule. 
4. Add the name and description for the rule.
5. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.

   Note that organizational units can contain devices, users or a combination of devices and users. This is important to know, because rules apply only to users for Chrome browsers and only to devices for Chrome OS. Keep this in mind as you create your DLP rules for Chrome Enterprise Premium.

6. Click Continue.
7. In Apps, for Chrome, select URL visited.
8. Click Continue.
9. In the Conditions section, click Add Condition and select the following values:
   1. Content type to scan—URL category
   2. Select category—Games/Gambling
10. Click Continue. In the Actions section, under Chrome, select Allow with warning. The user is warned, but can choose to proceed with the action that triggers the rule. If the user chooses to proceed, the action is recorded in the Chrome log.
11. (Optional) In the Alerting section:
    • Choose a severity level (Low, Medium, or High) for how an event triggered by this rule is reported in the security dashboard. 
    • Choose whether an event triggered by this rule should also send an alert to the alert center. Also choose whether to email alert notifications to all super administrators or to other recipients.
12. Click Continue to review the rule details.
13. Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData protectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
14. Click Create.

Note: If a URL that you're filtering has been visited recently, it's cached for several minutes and may not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Please allow approximately 5 minutes before testing out a new or modified rule.

This example shows how to use rule settings to block a user if they try to navigate to an URL that's part of a custom list.

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

• Organizational unit administrator privileges.
• Groups administrator privileges.
• View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges.
• View Metadata and Attributes privileges (required for the use of the investigation tool only): Security CenterInvestigation ToolRuleView Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. In the Admin console, go to Menu  SecurityAccess and data controlData protection.
3. Create a word list custom detector containing a comma-separated list of the URLs you want to block. For example: “example.com,example2.com”. For specific instructions see Create a custom detector.
4. Click Manage Rules. Then click Add ruleNew rule. 
5. Add the name and description for the rule.
6. In the Scope section, choose Apply to all <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there is a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.

   Note that organizational units can contain devices, users or a combination of devices and users. This is important to know, because rules apply only to users for Chrome browsers and only to devices for Chrome OS. Keep this in mind as you create your DLP rules for Chrome Enterprise Premium.

7. Click Continue.
8. In Apps, for Chrome, select URL visited.
9. Click Continue.
10. In the Conditions section, click Add Condition and select the following values:
    1. Content type to scan—URL
    2. What to scan for—Matches words from word list
    3. Word list name—The name of the word list you created in Step 3.
    4. Match mode—Match any word
    5. Minimum total times any word detected—1
11. Click Continue. In the Actions section, under Chrome, select Block.
12. (Optional) In the Alerting section:
    • Choose a severity level (Low, Medium, or High) for how an event triggered by this rule is reported in the security dashboard. 
    • Choose whether an event triggered by this rule should also send an alert to the alert center. Also choose whether to email alert notifications to all super administrators or to other recipients.
13. Click Continue to review the rule details.
14. Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but does not run immediately. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to SecurityAccess and data controlData protectionManage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
15. Click Create.

Note: If a URL that you're filtering has been visited recently, it's cached for several minutes and may not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Please allow approximately 5 minutes before testing out a new or modified rule.