Combine DLP rules with Context-Aware Access conditions

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. Go to RulesCreate ruleData protection.
3. Add a name and description for the rule.
4. In the Scope section, choose All in <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there’s a conflict between organizational units and groups about inclusion or exclusion, the group takes precedence.
5. Click Continue.
6. In Apps, under Chrome, check File downloaded. 
7. Click Continue.
8. In the Conditions section, click Add condition.
9. For Content type to scan, choose All content.
10. For What to scan for, choose a DLP scan type and select attributes. For more information on available attributes, see Create a DLP rule.
11. In the Context conditions section, click Select an access level to display your existing Access levels.
12. Click Create new access level.
13. Enter a name and description for the new access level.
14. In Context conditions, click Add condition.
15. Select Doesn’t meet 1 or more attributes.
16. Click Select attributeIP subnet, then enter your corporate network’s IP address. This is an IPv4 or IPv6 address or routing prefix in CIDR block notation.
    • Private IP addresses are not supported (including user's home networks).
    • Static IP addresses are supported.
    • To use a dynamic IP address, you must define a static IP subnet for the access level. If you know the range of the dynamic IP address and the defined static IP address in the access level covers that range, the context condition is met. If the dynamic IP address is not in the defined static IP subnet, the context condition isn't met.
17. Click Create. You return to the Create Rule page. Your new access level is added to the list, and its attributes are shown at right.
18. Click Continue.
19. On the Actions page, for Chrome action, choose Block.

    Note: The action is only applied when both content conditions and context conditions are met.

20. (Optional) Choose an alert severity level (Low, Medium, or High) and whether to send an alert and email alert notifications.
21. Click Continue to review the rule details.
22.  Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security and then Access and data control and then Data Protection and then Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
23. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more.

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. Go to RulesCreate ruleData protection.
3. Add a name and description for the rule.
4. In the Scope section, choose All in <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there’s a conflict between organizational units and groups about inclusion or exclusion, the group takes precedence.
5. Click Continue.
6. In Apps, under Chrome, check File downloaded. 
7. Click Continue.
8. In the Conditions section, click Add condition.
9. For Content type to scan, choose All content.
10. For What to scan for, choose a DLP scan type and select attributes. For more information on available attributes, see Create a DLP rule.
11. In the Context conditions section, click Select an access level to display your existing Access levels.
12. Click Create new access level.
13. Enter a name and description for the new access level.
14. In Context conditions, click Add condition.
15. Select Meets all attributes. 
16. Click Select attributeLocation, then select a country from the dropdown list.
17. (Optional) To add additional countries, click Add condition, then repeat step 16.
18. (Optional) If you’ve selected more than one country, set the Join multiple conditions with toggle (located above Conditions) to OR. This means the DLP rule will be applied if users are logging in from any of the selected countries.
19. Click Create. You return to the Create Rule page. Your new access level is added to the list, and its attributes are shown at right.
20. Click Continue.
21. On the Actions page, for Chrome action, choose Block.

    Note: The action is only applied when both content conditions and context conditions are met.

22. (Optional) Choose an alert severity level (Low, Medium, or High) and whether to send an alert and email alert notifications.
23. Click Continue to review the rule details.
24.  Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security and then Access and data control and then Data Protection and then Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
25. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more.

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. Go to RulesCreate ruleData protection.
3. Add a name and description for the rule.
4. In the Scope section, choose All in <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there’s a conflict between organizational units and groups about inclusion or exclusion, the group takes precedence.
5. Click Continue.
6. In Apps, under Google Drive, check Drive files. 
7. Click Continue.
8. In the Conditions section, click Add condition.
9. For Content type to scan, choose All content.
10. For What to scan for, choose a DLP scan type and select attributes. For more information on available attributes, see Create a DLP rule.
11. In the Context conditions section, click Select an access level to display your existing Access levels.
12. Click Create new access level.
13. Enter a name and description for the new access level.
14. In Context conditions, click Add condition.
15. Select Doesn't meet 1 or more attributes.
16. Click Select attributeDevice,  then select Admin-approved from the dropdown list.
17. Click Create. You return to the Create Rule page. Your new access level is added to the list, and its attributes are shown at right.
18. Click Continue.
19. On the Actions page, for Google Drive action, choose Disable download, print, and copy for commenters and viewers.

    Note: The action is only applied when both content conditions and context conditions are met.

20. (Optional) Choose an alert severity level (Low, Medium, or High) and whether to send an alert and email alert notifications.
21. Click Continue to review the rule details.
22.  Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security and then Access and data control and then Data Protection and then Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
23. Click Create.

Changes can take up to 24 hours but typically happen more quickly. Learn more.

In this example, the user is blocked if they try to navigate to the Salesforce admin console (salesforce.com/admin) with an unmanaged device. Users would still be able to access to other parts of the Salesforce application.

1. Sign in to your Google Admin console.

   Sign in using your administrator account (does not end in @gmail.com).

2. Go to RulesCreate ruleData protection.
3. Add a name and description for the rule.
4. In the Scope section, choose All in <domain.name> or choose to search for and include or exclude organizational units or groups the rule applies to. If there’s a conflict between organizational units and groups about inclusion or exclusion, the group takes precedence.
5. Click Continue.
6. In Apps, under Chrome, check URL visited. 
7. Click Continue.
8. In the Conditions section, click Add Condition and select the following values:
   1. Content type to scan—URL
   2. What to scan for—Contains text string
   3. Contents to match—salesforce.com/admin
9. In the Context conditions section, click Select an access level to display your existing Access levels.
10. Click Create new access level.
11. Enter a name and description for the new access level.
12. In Context conditions, click the Advanced tab.
13. In the text box, enter the following: 
    device.chrome.management_state != ChromeManagementState.CHROME_MANAGEMENT_STATE_BROWSER_MANAGED

    Learn more about Advanced mode.

14. Click Create. You return to the Create Rule page. Your new access level is added to the list, and its attributes are shown at right.
15. Click Continue.
16. On the Actions page, for Chrome action, choose Block.

    Note: The action is only applied when both content conditions and context conditions are met.

17. (Optional) Choose an alert severity level (Low, Medium, or High) and whether to send an alert and email alert notifications.
18. Click Continue to review the rule details.
19.  Choose a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security and then Access and data control and then Data Protection and then Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
20. Click Create.

Note: If a URL that you're filtering has been visited recently, it's cached for several minutes and may not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Please allow approximately 5 minutes before testing out a new or modified rule.

In previous chrome versions, context conditions are ignored. Rules behave as if only content conditions are set.

No. Rules do not apply in incognito mode. Administrators can prevent logins to Workspace or SaaS applications from Chrome incognito mode by enforcing Context-Aware Access at login time.

If the managed browser and managed profile user belong to the same enterprise, then both browser-level DLP rules and user-level DLP rules will be applied.

If the managed browser and managed profile user belong to different enterprises, then only the browser-level DLP rules will be applied. The context condition will always be considered as a match, and the strictest outcome will be enforced. There is no impact on IP-based or region-based conditions.

CAA in the Admin console does not support all attributes supported by the GCP console. Therefore, any basic access levels created in the GCP console that include these attributes can be assigned in the Admin console, but can’t be edited there.

On the Rules page in the Admin console, you can assign GCP-created access levels, but can’t view condition details for access levels with unsupported attributes.

• Make sure you have the Services > Data Security > Access Level Management admin privilege, which is required to view context conditions during DLP rule creation.
• The context conditions card only displays when you select Chrome triggers during rule creation.

If an assigned access level is deleted, the context conditions default to true, and the rule behaves like a content-only rule. Note that the rule will then apply to more devices/use cases than you originally intended.

No. Access level evaluation in rules is independent of CAA settings. CAA activation and assignment should not affect rules.

Empty conditions are evaluated to true by default. This means that for a CAA-only rule, the content conditions can be left empty. Note that if both content and context conditions are left empty, the rule will always get triggered.

No. The rule is only triggered when both content and context conditions are met.

DLP and CAA both rely on background services which may be periodically interrupted. If a service interruption occurs during rule enforcement, then there is no enforcement. When this happens, an event is logged in both the Rules log and Chrome log.

For device-based attributes, the context conditions will be considered as a match, and the strictest outcome will be enforced. For non-device-based attributes (such as IP address and region) there’s no change.

Yes. You can view access level information by searching for either Rule log events or Chrome log events, in the Access level column of the search results.

No. End user remediation is not available in these flows yet.