Set Chrome Enterprise connector policies for Google BeyondCorp Enterprise

As an admin, you can use the Google Admin console to check for sensitive data or help protect your Chrome users from content that contains malware. You can also prevent certain files from being sent for analysis. You can then allow or block uploads and downloads for those unscanned files.

Where do Chrome Enterprise connector policies fit into BeyondCorp ?

To implement and use the entire set of BeyondCorp protections, you need to:

  1. Set up Chrome Enterprise connector policies (described below).
  2. Set up data protection rules. For details, see Use BeyondCorp Threat and Data Protection to integrate data loss protections with Chrome.
  3. Set up activity alerts. For descriptions of alert types, go to View alert details.

Before you begin

  • Set up Chrome Browser Cloud management. For details, read Set up Chrome Browser Cloud Management.
  • BeyondCorp Threat and Data Protection features are not supported in Incognito windows. For information about how to prevent users from opening new Incognito windows, read about the Incognito mode setting.
  • (Recommended) Turn on Safe Browsing to help protect users from websites that might contain malware or phishing. Read about the Safe browsing setting.
  • Sign up for Google BeyondCorp. Go to the sign-up form.

Set policies

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devicesand thenChrome.
  3. Click Settingsand thenUsers & browsers.
  4. Select your top-level organizational unit, so that all child organizations will inherit the policy.
  5. Scroll to Chrome Enterprise connectors.
  6. (Optional) If you’re configuring Chrome Enterprise connectors settings for the first time, follow the prompts to turn on BeyondCorp threat and data protection for Chrome Enterprise.
  7. To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  8. Configure Chrome Enterprise connectors settings. Click below for settings details, based on what type of content you want to send for analysis.
  9. Click Save.

Security events reporting

Specifies the cloud service APIs that you want to use to report security events. Select Google BeyondCorp Enterprise.

For details about how to view reports on the security dashboard, see:

Upload content analysis

Specify the cloud service APIs that you want to use. Select Google BeyondCorp Enterprise, and then configure the additional settings.

Setting Description

Check for sensitive data

Scan uploads for sensitive data. For details about how to specify what you want to check for, see Use BeyondCorp Threat and Data Protection to integrate data loss protections with Chrome.

Choose an option:

  • On by default, except for the following URL patterns
  • Off by default, except for the following URL patterns

URL pattern

Specify a list of URL patterns for which pages Chrome allows or prevents scans for sensitive data. If you include multiple URLs, separate them by putting one URL per line. For information about valid URL patterns, see Enterprise policy URL pattern format.

Check for malware

Scan uploads for malware.

Choose an option:

  • On by default, except for the following URL patterns
  • Off by default, except for the following URL patterns

URL pattern

Specify a list of URL patterns for which pages Chrome allows or prevents scans for malware. If you include multiple URLs, separate them by putting one URL per line. For information about valid URL patterns, see Enterprise policy URL pattern format.

Delay file upload

 Choose an option:
  • Allow immediate upload—Allow users to upload the file while the scan is taking place.
  • Delay upload until analysis is complete—Allow users to upload the file only after the scan is completed and passed.

File that won’t be sent for analysis

Some file types are not checked for sensitive data or malware, including password protected files and files larger than 50 MB. Choose how you want to handle those files:

  • Allow upload
  • Block upload

Download content analysis

Specify the cloud service APIs that you want to use. Select Google BeyondCorp Enterprise, and then configure the additional settings.

Setting Description

Check for sensitive data

Scan downloads for sensitive data. For details about how to specify what you want to check for, see Use BeyondCorp Threat and Data Protection to integrate data loss protections with Chrome.

Choose an option:

  • On by default, except for the following URL patterns
  • Off by default, except for the following URL patterns

URL pattern

Specify a list of URL patterns for which pages Chrome allows or prevents scans for sensitive data. If you include multiple URLs, separate them by putting one URL per line. For information about valid URL patterns, see Enterprise policy URL pattern format.
Check for malware

Scan downloads for malware.

Choose an option:

  • On by default, except for the following URL patterns
  • Off by default, except for the following URL patterns

URL pattern

Specify a list of URL patterns for which pages Chrome allows or prevents scans for malware. If you include multiple URLs, separate them by putting one URL per line. For information about valid URL patterns, see Enterprise policy URL pattern format.
Delay file access Choose an option:
  • Allow immediate file access—Allow users to open the file while the scan is taking place.
  • Delay file access until analysis is complete—Allow users to open the file only after the scan is completed and passed.
File that won’t be sent for analysis

Some file types are not checked for sensitive data or malware, including password protected files and files larger than 50 MB. Choose how you want to handle those files:

  • Allow download
  • Block download

[Optional] Apply download restrictions

You can use the DownloadRestrictions policy to prevent users from bypassing security warnings to download dangerous files. Or, prevent all downloads.

Bulk text content analysis

Specify the cloud service APIs that you want to use. Select Google BeyondCorp Enterprise, and then configure the additional settings.

Setting Description

Check for sensitive data

Scan bulk text for sensitive data. For details about how to specify what you want to check for, see Use BeyondCorp Threat and Data Protection to integrate data loss protections with Chrome.

Choose an option:

  • On by default, except for the following URL patterns
  • Off by default, except for the following URL patterns

URL pattern

Specify a list of URL patterns for which pages Chrome allows or prevents scans for sensitive data. If you include multiple URLs, separate them by putting one URL per line. For information about valid URL patterns, see Enterprise policy URL pattern format.
Minimum character count

Minimum number of characters, in bytes, required to send content for analysis. In general, one character is equal to one byte. However, there are some exceptions, such as emojis.
Delay text entry Choose an option:
  • Allow immediate entry—Allow users to paste text on the page while the scan is taking place.
  • Delay text entry until analysis is complete—Allow users to paste text on the page only after the scan is completed and passed.

Real time URL check

Choose the cloud service API to be used by Chrome for sending URLs to be scanned in real time to protect users against dangerous sites. We recommend that you also set Safe Browsing to Always enable Safe Browsing. For details about the Safe Browsing setting, see Set Chrome policies for users or browsers.

Related topics

Was this helpful?
How can we improve it?