Planning your return to office strategy? See how Chrome OS can help.

Set ChromeOS data controls

What are ChromeOS data controls?

ChromeOS data controls are a set of controls, applied by the admin, that protect users from data leakage on endpoints using a Data Loss Prevention (DLP) layer in ChromeOS. 


If your admin has turned on data controls, they can see the actions you perform and metadata on confidential information. This is defined by rules set by your admin and is based on the source of content and, in some cases, destination for pasting. Reported actions include the use of the clipboard, screen capture, screen sharing, and printing.

How data controls works

Data controls, integrated at the OS level, restricts users from defined actions. The admin defines rules in the Google Admin console to trigger data controls based on the content source, and the destination for clipboard. Sources and destinations include URLs, Chrome apps, and Progressive Web Apps (PWAs). 

Examples of the data controls the admin can apply include, blocking the user from pasting any data from Google Workspace to non-work sites or blocking screen sharing when using Google Meet.

Actions that the admin can restrict include:

  • Copy and paste
  • Screen capture: screenshots and video capture
  • Screen sharing
  • Printing
  • Automatically turning on the electronic privacy screen on a compatible device when viewing content

The admin can apply the following restriction levels to the actions:

  • Allow—Users are explicitly allowed to perform the action. That action is not reported. 
    Note: This rule, when set, overrides all other rules.
  • Report—Users are not blocked from performing the action. That action is reported.
  • Warn—Users receive a warning but can choose to to carry out the action. That action is reported.
  • Block—Users cannot perform the action. That action is reported.
  • No policy set—Users can proceed as if no data control is in place. That action is not reported.

The admin can see reports on when data controls are triggered. This includes:

  • Action taken and rule triggered, including source and destination
  • Timestamp
  • Metadata for content
    • Filename or webpage title but not the actual content itself


When you implement data controls you can have the confidence to let well-intentioned employees safely work with the data they need from anywhere, on any network.

Before you begin

To apply data controls, you must have the delegated admin role for Manage User Settings. For details, see Delegate administrator roles in Chrome.

System requirements

  • ChromeOS devices must be on OS version 103 or later.
  • ChromeOS devices must be in user or managed guest session mode.
  • Rules for an electronic privacy screen require a compatible device. For example, HP devices equipped with Sure View.


  • Only the URL patterns included in the URL filter format are supported. 
  • A rule that is applied to a top-level domain applies to its subdomain. For example, a rule restriction that is applied to applies to unless the subdomain is explicitly allowed.
  • A rule that is applied to a domain name without specifying either http or https, applies to both http and https.
  • Destinations for Play apps and Files, Linux, and Parallels are broad-based restrictions and cannot target specific applications. For example, you can restrict pasting from a web app to all Android apps but not to any individual or subset of Android apps.

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?
Clear search
Close search
Google apps
Main menu
Search Help Center