Combine DLP rules with Context-Aware Access conditions

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; Enterprise Essentials Plus.  Compare your edition

Drive DLP and Chat DLP are available to Cloud Identity Premium users who also have a Google Workspace license. For Drive DLP, the license must include the Drive log events.

To have greater control over which users and devices can transfer sensitive content, you can combine Data Loss Prevention (DLP) rules with Context-Aware Access conditions, such as user location, device security status (managed, encrypted) and IP address. When you add a Context-Aware Access policy to a DLP rule, the rule is enforced only if the context conditions are met. 

For example, you can create a DLP rule that blocks downloads of sensitive content only when users are:

  • Outside the corporate network 
  • Logging in from specific risky countries
  • Using devices that aren’t Admin-approved

You can combine DLP rules with context conditions to control these operations:

Chrome—file upload (for example, attaching a file), web content upload (pasted content), download, and page print.

Drive (beta)—Copying, downloading, and printing of Drive files by users with comment or view access.

Requirements

Google Workspace add-on

(Required for Chrome DLP, not required for Drive DLP)

Chrome version

Chrome 105 or later

(Required for Chrome DLP, not required for Drive DLP)

Endpoint verification For desktop devices, endpoint verification must be turned on to apply device-based context conditions. (Not required for non-device-based attributes such as IP address and region.)
Mobile device management Mobile devices should have basic or advanced management enforced.
Admin privileges To create access levels:
Services > Data Security > Access Level Management
To use access levels in DLP rules:
Services > Data Security > Access Level Management, or
Services > Data Security > Rule Management

Set up Chrome for rules enforcement

To integrate DLP features with Chrome you need to set up Chrome Enterprise connector policies.

Creating Access levels

  • Go to Security > Access and data control > Context-Aware Access > Access levels to view your existing access levels.
  • You can create an access level before you create a DLP rule, or during rule creation. If you're creating it before the DLP rule, see create access levels for instructions. In the examples below, you create the access level during DLP rule creation.
  • You can assign a single access level to a DLP rule. To create complex conditions with multiple access levels, use Advanced mode.

DLP and Context-Aware Access rule examples

The following examples show how you can combine DLP rules with Context-Aware Access levels to make rule enforcement dependent on a user’s IP address, location, or device status.

Note that these examples include the steps needed to create access levels during DLP rule creation. If you’ve already created access levels, you can omit those steps when creating the rule.

Example 1: Block download of sensitive content on a device outside the corporate network (Chrome)
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Rulesand thenCreate ruleand thenData protection.
  3. Add a name and description for the rule.
  4. In the Scope section, choose All in <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there’s a conflict between organizational units and groups about inclusion or exclusion, the group takes precedence.
  5. Click Continue.
  6. In Apps, under Chrome, check File downloaded
  7. Click Continue.
  8. In the Conditions section, click Add condition.
  9. For Content type to scan, choose All content.
  10. For What to scan for, choose a DLP scan type and select attributes. For more information on available attributes, see Create a DLP rule.
  11. In the Context conditions section, click Select an access level to display your existing Access levels.
  12. Click Create new access level.
  13. Enter a name and description for the new access level.
  14. In Context conditions, click Add condition.
  15. Select Doesn’t meet 1 or more attributes.
  16. Click Select attributeand thenIP subnet, then enter your corporate network’s IP address. This is an IPv4 or IPv6 address or routing prefix in CIDR block notation.
    • Private IP addresses are not supported (including user's home networks).
    • Static IP addresses are supported.
    • To use a dynamic IP address, you must define a static IP subnet for the access level. If you know the range of the dynamic IP address and the defined static IP address in the access level covers that range, the context condition is met. If the dynamic IP address is not in the defined static IP subnet, the context condition isn't met.
  17. Click Create. You return to the Create Rule page. Your new access level is added to the list, and its attributes are shown at right.
  18. Click Continue.
  19. On the Actions page, for Chrome action, choose Block.

    Note: The action is only applied when both content conditions and context conditions are met.

  20. (Optional) Choose an alert severity level (Low, Medium, or High) and whether to send an alert and email alert notifications.
  21. Click Continue to review the rule details.
  22.  Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security and then Access and data control and then Data Protection and then Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  23. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more.

Example 2: Block download of sensitive content for a user logging in from specific risky countries (Chrome)
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Rulesand thenCreate ruleand thenData protection.
  3. Add a name and description for the rule.
  4. In the Scope section, choose All in <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there’s a conflict between organizational units and groups about inclusion or exclusion, the group takes precedence.
  5. Click Continue.
  6. In Apps, under Chrome, check File downloaded
  7. Click Continue.
  8. In the Conditions section, click Add condition.
  9. For Content type to scan, choose All content.
  10. For What to scan for, choose a DLP scan type and select attributes. For more information on available attributes, see Create a DLP rule.
  11. In the Context conditions section, click Select an access level to display your existing Access levels.
  12. Click Create new access level.
  13. Enter a name and description for the new access level.
  14. In Context conditions, click Add condition.
  15. Select Meets all attributes
  16. Click Select attributeand thenLocation, then select a country from the dropdown list.
  17. (Optional) To add additional countries, click Add condition, then repeat step 16.
  18. (Optional) If you’ve selected more than one country, set the Join multiple conditions with toggle (located above Conditions) to OR. This means the DLP rule will be applied if users are logging in from any of the selected countries.
  19. Click Create. You return to the Create Rule page. Your new access level is added to the list, and its attributes are shown at right.
  20. Click Continue.
  21. On the Actions page, for Chrome action, choose Block.

    Note: The action is only applied when both content conditions and context conditions are met.

  22. (Optional) Choose an alert severity level (Low, Medium, or High) and whether to send an alert and email alert notifications.
  23. Click Continue to review the rule details.
  24.  Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security and then Access and data control and then Data Protection and then Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  25. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more.

Example 3: Block download of sensitive content on a device which is not Admin approved (Drive) (beta)
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Rulesand thenCreate ruleand thenData protection.
  3. Add a name and description for the rule.
  4. In the Scope section, choose All in <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there’s a conflict between organizational units and groups about inclusion or exclusion, the group takes precedence.
  5. Click Continue.
  6. In Apps, under Google Drive, check Drive files
  7. Click Continue.
  8. In the Conditions section, click Add condition.
  9. For Content type to scan, choose All content.
  10. For What to scan for, choose a DLP scan type and select attributes. For more information on available attributes, see Create a DLP rule.
  11. In the Context conditions section, click Select an access level to display your existing Access levels.
  12. Click Create new access level.
  13. Enter a name and description for the new access level.
  14. In Context conditions, click Add condition.
  15. Select Doesn't meet 1 or more attributes.
  16. Click Select attributeand thenDevice,  then select Admin-approved from the dropdown list.
  17. Click Create. You return to the Create Rule page. Your new access level is added to the list, and its attributes are shown at right.
  18. Click Continue.
  19. On the Actions page, for Google Drive action, choose Disable download, print, and copy for commenters and viewers.

    Note: The action is only applied when both content conditions and context conditions are met.

  20. (Optional) Choose an alert severity level (Low, Medium, or High) and whether to send an alert and email alert notifications.
  21. Click Continue to review the rule details.
  22.  Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security and then Access and data control and then Data Protection and then Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  23. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more.

Example 4: Block Chrome navigations to "salesforce.com/admin" on unmanaged devices (Chrome)

In this example, the user is blocked if they try to navigate to the Salesforce admin console (salesforce.com/admin) with an unmanaged device. Users would still be able to access to other parts of the Salesforce application.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Go to Rulesand thenCreate ruleand thenData protection.
  3. Add a name and description for the rule.
  4. In the Scope section, choose All in <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there’s a conflict between organizational units and groups about inclusion or exclusion, the group takes precedence.
  5. Click Continue.
  6. In Apps, under Chrome, check URL visited
  7. Click Continue.
  8. In the Conditions section, click Add Condition and select the following values:
    1. Content type to scan—URL
    2. What to scan for—Contains text string
    3. Contents to match—salesforce.com/admin
  9. In the Context conditions section, click Select an access level to display your existing Access levels.
  10. Click Create new access level.
  11. Enter a name and description for the new access level.
  12. In Context conditions, click the Advanced tab.
  13. In the text box, enter the following: 
    device.chrome.management_state != ChromeManagementState.CHROME_MANAGEMENT_STATE_BROWSER_MANAGED

    Learn more about Advanced mode.

  14. Click Create. You return to the Create Rule page. Your new access level is added to the list, and its attributes are shown at right.
  15. Click Continue.
  16. On the Actions page, for Chrome action, choose Block.

    Note: The action is only applied when both content conditions and context conditions are met.

  17. (Optional) Choose an alert severity level (Low, Medium, or High) and whether to send an alert and email alert notifications.
  18. Click Continue to review the rule details.
  19.  Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security and then Access and data control and then Data Protection and then Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  20. Click Create.

Note: If a URL that you're filtering has been visited recently, it's cached for several minutes and may not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Please allow approximately 5 minutes before testing out a new or modified rule.

FAQ

How do CAA+DLP rules behave on previous chrome versions?

In previous chrome versions, context conditions are ignored. Rules behave as if only content conditions are set.

Do managed browser rules work in incognito mode?

No. Rules do not apply in incognito mode. Administrators can prevent logins to Workspace or SaaS applications from Chrome incognito mode by enforcing Context-Aware Access at login time.

Do managed browsers and managed users need to be in the same enterprise for a rule to be applied?

If the managed browser and managed profile user belong to the same enterprise, then both browser-level DLP rules and user-level DLP rules will be applied.

If the managed browser and managed profile user belong to different enterprises, then only the browser-level DLP rules will be applied. The context condition will always be considered as a match, and the strictest outcome will be enforced. There is no impact on IP-based or region-based conditions.

Do Admin console and Google Cloud Platform console support the same access levels?

CAA in the Admin console does not support all attributes supported by the GCP console. Therefore, any basic access levels created in the GCP console that include these attributes can be assigned in the Admin console, but can’t be edited there.

On the Rules page in the Admin console, you can assign GCP-created access levels, but can’t view condition details for access levels with unsupported attributes.

Why don’t I see the context conditions card when I’m creating a rule?
  • Make sure you have the Services > Data Security > Access Level Management admin privilege, which is required to view context conditions during DLP rule creation.
  • The context conditions card only displays when you select Chrome triggers during rule creation.
What if an assigned access level is deleted?

If an assigned access level is deleted, the context conditions default to true, and the rule behaves like a content-only rule. Note that the rule will then apply to more devices/use cases than you originally intended.

Should CAA be enabled for context conditions to work in rules?

No. Access level evaluation in rules is independent of CAA settings. CAA activation and assignment should not affect rules.

What if the rule condition is empty?

Empty conditions are evaluated to true by default. This means that for a CAA-only rule, the content conditions can be left empty. Note that if both content and context conditions are left empty, the rule will always get triggered.

Will a rule be triggered if only one of the conditions is met?

No. The rule is only triggered when both content and context conditions are met.

Why am I seeing log events saying that DLP was not enforced?

DLP and CAA both rely on background services which may be periodically interrupted. If a service interruption occurs during rule enforcement, then there is no enforcement. When this happens, an event is logged in both the Rules log and Chrome log.

How do context conditions work when Endpoint Verification is not installed?

For device-based attributes, the context conditions will be considered as a match, and the strictest outcome will be enforced. For non-device-based attributes (such as IP address and region) there’s no change.

Can I view access level information for triggered rules in the Security Investigation Tool?

Yes. You can view access level information by searching for either Rule log events or Chrome log events, in the Access level column of the search results.

Is End user remediation available for context conditions in rules?

No. End user remediation is not available in these flows yet.

Related topics

Use Workspace DLP to prevent data loss

About Context-Aware Access

Use Chrome Enterprise Premium to integrate DLP with Chrome

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu