Combine DLP rules with Context-Aware Access conditions

Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus.

Drive DLP and Chat DLP are available to Cloud Identity Premium users who also have a Google Workspace license. For Drive DLP, the license must include Drive log events.

To have greater control over which users and devices can transfer sensitive content, you can combine data loss prevention (DLP) rules with Context-Aware Access conditions, such as user location, device security status (managed, encrypted), and IP address. When you add a Context-Aware Access condition to a DLP rule, the rule is enforced only if the context conditions are met.

Use cases

Combining DLP rules and Context-Aware Access conditions can help you control:

  • Chrome browser—For example, uploading and attaching files, uploading and pasting web content, downloading, and printing.
  • Google Drive—For example, copying, downloading, and printing Drive files by users with comment or view access.

To review detailed examples, go to DLP & Context-Aware Access rule examples on this page.

Before you begin

Before combining DLP rules with Context-Aware Access conditions, you must meet the requirements described in the following table.

  • Google Workspace add-on: Required for Chrome DLP; not required for Drive DLP.
  • Chrome browser version: Version 105 or later (required for Chrome DLP; not required for Drive DLP). For how rules behave on older versions, go to the FAQ on this page.
  • Endpoint verification: For desktop devices, turn on endpoint verification to apply device-based or device OS-based context conditions. Not required for non-device-based attributes, such as IP address, region, and browser management state.
  • Mobile management: Mobile devices must have basic or advanced management enforced. Not required for non-device-based attributes, such as IP address, region, and browser management state.
  • Admin privileges for access levels: To create access levels, you must have the Access level management privilege. To use access levels in DLP rules, you must have the Access level management or Rule management privilege. For details, go to Data Security.

Step 1: Set up Chrome browser for rules enforcement

To integrate DLP features with Chrome browser, you need to set up Chrome Enterprise connector policies.

Step 2: Create a DLP rule with Context-Aware Access conditions

Before you begin: These are generic instructions that illustrate how to create a DLP rule with Context-Aware Access conditions. For specific examples, go to DLP & Context-Aware Access rule examples on this page.

You can create an access level before you create a DLP rule or during rule creation. The following steps create the access level first.

  1. Create a new access level with the appropriate conditions. For the steps, go to Create an access level.
    You can assign only one access level to a DLP rule.
  2. Create a new DLP rule from scratch or from a predefined template, and assign the access level in the rule's Context conditions section. For the steps, go to Create data protection rules.

Changes can take up to 24 hours but typically happen more quickly.

DLP & Context-Aware Access rule examples

The following examples show how you can combine DLP rules with Context-Aware Access levels to make rule enforcement dependent on a user’s IP address, location, or device status.


Example 1: Block downloads on devices outside the corporate network (Chrome browser)

To create rules for Chrome browser, you need Chrome Enterprise Premium.

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Add a name and, optionally, a description for the rule.
  3. In the Scope section, select All in your-organization, or search for and include or exclude the organizational units or groups the rule applies to. If an organizational unit and a group conflict about inclusion or exclusion, the group takes precedence.
  4. Click Continue.
  5. In the Apps section, for Chrome, check the File downloaded box and click Continue.
  6. In the Conditions section, click Add condition and configure the condition as follows:
    • For Content type to scan, select All content.
    • For What to scan for, choose a DLP scan type and select attributes.
      For more information on available attributes, go to Create a DLP rule.
  7. For Context conditions, click Select an access level.
    If you already created an appropriate access level, select it in the Context conditions section and go to step 15.
  8. Click Create new access level.
  9. Enter a name and, optionally, a description for the new access level.
  10. In the Context conditions section, click Add condition.
  11. Select Doesn't meet 1 or more attributes (OR).
  12. Click Select attribute > IP subnet and enter your corporate network's IP address range. The value must be an IPv4 or IPv6 address or routing prefix in CIDR block notation.
    • Private IP addresses are not supported, including users' home networks.
    • Static IP addresses are supported.
    • Dynamic IP addresses can't be entered directly. Instead, define a static IP subnet in the access level that covers the range the dynamic address is assigned from. If the client's current address falls within that subnet, the context condition is met; if it falls outside the subnet, the condition isn't met.
  13. Click Create. You return to the Create Rule page, and the new access level and its attributes are added to the list.
  14. Click Continue.
  15. On the Actions page, for ChromeOS action, choose Block.
  16. (Optional) To send alert notifications when an event meets the rule's criteria, in the Alerting section, check the Alert center box.
    • (Optional) To email alert notifications to super admins, check the All super admins box.
    • (Optional) To email alert notifications to others, click Add email recipients, add one or more usernames or email addresses, and click Done.
  17. Click Continue to review the rule details.
  18. Select a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists but is not in effect. This gives you time to review the rule and share it with team members before you implement it. To activate the rule later, go to Security > Access and data control > Data protection > Manage rules, click the rule's Inactive status, and select Active. After activation, the rule runs and DLP scans for sensitive content.
  19. Click Create.

Changes can take up to 24 hours but typically happen more quickly.
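The access level in Example 1 is evaluated against the IP address Google observes for the request. The following Python, an example added to this page and not Google's own code, models that evaluation together with the constraints listed in step 12 (CIDR notation, no private ranges, dynamic addresses covered only by a static subnet you define) so you can sanity-check subnets before entering them in the console. The private-range list and the strict CIDR check are assumptions about how the console validates input; the subnets and client addresses are constructed sample data taken from the IETF documentation ranges.

```python
"""Model of the Example 1 access level ("Doesn't meet 1 or more attributes (OR)"
with a single IP subnet attribute) combined with a DLP content condition.

Added illustration, not Google code: the real decision is made by Google's
backend from the client IP it observes. These functions only reproduce the
evaluation logic this page describes so the edge cases can be checked offline.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumption: "private IP addresses are not supported" is read as RFC 1918,
# IPv6 ULA, loopback and link-local. Deliberately NOT ipaddress's is_private,
# which also flags the documentation ranges (203.0.113.0/24, 2001:db8::/32)
# used as constructed sample data below.
_PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10",
)]


def validate_corporate_subnets(cidrs: Iterable[str]) -> List[Network]:
    """Parse the values you would enter as IP subnet attributes.

    Rejects anything that is not a bare address or a CIDR routing prefix
    (strict=True: host bits must be zero, an assumption about the console's
    validation) and anything overlapping a private range.
    """
    subnets: List[Network] = []
    for text in cidrs:
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            raise ValueError(f"{text!r}: not an address or CIDR prefix ({exc})") from exc
        if any(net.version == p.version and net.overlaps(p) for p in _PRIVATE_RANGES):
            raise ValueError(f"{text!r}: private ranges are not supported")
        subnets.append(net)
    return subnets


def is_valid_corporate_subnet(text: str) -> bool:
    """Convenience wrapper: True if the console would accept this value (per the model)."""
    try:
        validate_corporate_subnets([text])
    except ValueError:
        return False
    return True


def outside_corporate_network(client_ip: str, subnets: List[Network]) -> bool:
    """Evaluate the access level: True when the request's IP is in none of the
    corporate subnets, i.e. it "doesn't meet" the IP subnet attribute.

    A dynamic address counts as inside only if the static subnet you defined
    contains it, which is the behaviour step 12 describes.
    """
    addr = ipaddress.ip_address(client_ip)
    return not any(addr.version == net.version and addr in net for net in subnets)


def rule_blocks_download(content_matched: bool, client_ip: str, subnets: List[Network]) -> bool:
    """A DLP rule with a context condition fires only when BOTH the content
    condition and the access level are met (see the FAQ on this page)."""
    return content_matched and outside_corporate_network(client_ip, subnets)


# Constructed sample data: documentation ranges standing in for corporate egress.
CORPORATE_SUBNETS = validate_corporate_subnets(["203.0.113.0/24", "2001:db8:abcd::/48"])

if __name__ == "__main__":
    for ip in ("203.0.113.42", "198.51.100.7", "2001:db8:abcd::1"):
        verdict = "blocked" if rule_blocks_download(True, ip, CORPORATE_SUBNETS) else "allowed"
        print(f"sensitive download from {ip}: {verdict}")
```

Run it as a script to see one verdict per sample address; a download from inside a listed subnet is allowed even when the content matches, because the access level (and therefore the rule) is not met.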

Example 2: Block downloads for users signing in from specific countries (Chrome browser)

To create rules for Chrome browser, you need Chrome Enterprise Premium.

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Add a name and, optionally, a description for the rule.
  3. In the Scope section, select All in your-organization, or search for and include or exclude the organizational units or groups the rule applies to. If an organizational unit and a group conflict about inclusion or exclusion, the group takes precedence.
  4. Click Continue.
  5. In the Apps section, for Chrome, check the File downloaded box and click Continue.
  6. In the Conditions section, click Add condition.
  7. For Content type to scan, select All content.
  8. For What to scan for, choose a DLP scan type and select attributes.
    For more information on available attributes, go to Create a DLP rule.
  9. In the Context conditions section, click Select an access level.
    If you already created an appropriate access level, select it in the Context conditions section and go to step 18.
  10. Click Create new access level.
  11. Enter a name and, optionally, a description for the new access level.
  12. In the Context conditions section, click Add condition.
  13. Select Meets all attributes (AND).
  14. Click Select attribute > Location and select a country from the list.
  15. (Optional) To add more countries so that the rule applies to users signing in from any of them:
    1. Click Add condition and select Meets all attributes.
    2. At the top of Conditions, set Join multiple conditions with to OR.
  16. Click Create. You return to the Create Rule page, and the new access level and its attributes are added to the list.
  17. Click Continue.
  18. On the Actions page, for ChromeOS action, select Block.
    The action is applied only when both the content and the context conditions are met.
  19. (Optional) To send alert notifications when an event meets the rule's criteria, in the Alerting section, check the Alert center box.
    • (Optional) To email alert notifications to super admins, check the All super admins box.
    • (Optional) To email alert notifications to others, click Add email recipients, add one or more usernames or email addresses, and click Done.
  20. Click Continue to review the rule details.
  21. Select a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists but is not in effect. This gives you time to review the rule and share it with team members before you implement it. To activate the rule later, go to Security > Access and data control > Data protection > Manage rules, click the rule's Inactive status, and select Active. After activation, the rule runs and DLP scans for sensitive content.
  22. Click Create.

Changes can take up to 24 hours but typically happen more quickly.

Example 3: Block downloads on devices that aren't admin-approved (Drive)
  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Add a name and, optionally, a description for the rule.
  3. In the Scope section, select All in your-organization, or search for and include or exclude the organizational units or groups the rule applies to. If an organizational unit and a group conflict about inclusion or exclusion, the group takes precedence.
  4. Click Continue.
  5. In the Apps section, for Google Drive, check the Drive files box and click Continue.
  6. In the Conditions section, click Add condition.
  7. For Content type to scan, select All content.
  8. For What to scan for, choose a DLP scan type and select attributes.
    For more information on available attributes, go to Create a DLP rule.
  9. In the Context conditions section, click Select an access level.
    If you already created an appropriate access level, select it in the Context conditions section and go to step 17.
  10. Click Create new access level.
  11. Enter a name and, optionally, a description for the new access level.
  12. In the Context conditions section, click Add condition.
  13. Select Doesn't meet 1 or more attributes (OR).
  14. Click Select attribute > Device and select Admin-approved.
  15. Click Create. You return to the Create Rule page, and the new access level and its attributes are added to the list.
  16. Click Continue.
  17. In the Actions section, for Google Drive, click Action and select Disable download, print, and copy for commenters and viewers only.
    The action is applied only when both the content and the context conditions are met.
  18. (Optional) To send alert notifications when an event meets the rule's criteria, in the Alerting section, check the Alert center box.
    • (Optional) To email alert notifications to super admins, check the All super admins box.
    • (Optional) To email alert notifications to others, click Add email recipients, add one or more usernames or email addresses, and click Done.
  19. Click Continue to review the rule details.
  20. Select a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists but is not in effect. This gives you time to review the rule and share it with team members before you implement it. To activate the rule later, go to Security > Access and data control > Data protection > Manage rules, click the rule's Inactive status, and select Active. After activation, the rule runs and DLP scans for sensitive content.
  21. Click Create.

Changes can take up to 24 hours but typically happen more quickly.

Example 4: Block navigations to "salesforce.com/admin" on unmanaged devices (Chrome browser)

In this example, the user is blocked if they try to navigate to the Salesforce admin console (salesforce.com/admin) with an unmanaged device. Users would still be able to access other parts of the Salesforce application.

To create rules for Chrome browser, you need Chrome Enterprise Premium.

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Add a name and, optionally, a description for the rule.
  3. In the Scope section, select All in your-organization, or search for and include or exclude the organizational units or groups the rule applies to. If an organizational unit and a group conflict about inclusion or exclusion, the group takes precedence.
  4. Click Continue.
  5. In the Apps section, for Chrome, check the URL visited box.
  6. Click Continue.
  7. In the Conditions section, click Add condition.
  8. For Content type to scan, select URL.
  9. For What to scan for, select Contains text string.
  10. For Contents to match, enter salesforce.com/admin.
  11. In the Context conditions section, click Select an access level.
    If you already created an appropriate access level, select it in the Context conditions section and go to step 18.
  12. Click Create new access level.
  13. Enter a name and, optionally, a description for the new access level.
  14. In Context conditions, click the Advanced tab.
  15. In the text box, enter the following expression, which is met only when the browser is not managed by your organization:
    device.chrome.management_state != ChromeManagementState.CHROME_MANAGEMENT_STATE_BROWSER_MANAGED
  16. Click Create. You return to the Create Rule page, and the new access level and its attributes are added to the list.
  17. Click Continue.
  18. On the Actions page, for ChromeOS action, select Block.
    The action is applied only when both the content and the context conditions are met.
  19. In the Alerting section, click Low and select an alert severity level (Low, Medium, or High).
  20. (Optional) To send alert notifications when an event meets the rule's criteria, in the Alerting section, check the Alert center box.
    • (Optional) To email alert notifications to super admins, check the All super admins box.
    • (Optional) To email alert notifications to others, click Add email recipients, add one or more usernames or email addresses, and click Done.
  21. Click Continue to review the rule details.
  22. Select a status for the rule:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists but is not in effect. This gives you time to review the rule and share it with team members before you implement it. To activate the rule later, go to Security > Access and data control > Data protection > Manage rules, click the rule's Inactive status, and select Active. After activation, the rule runs and DLP scans for sensitive content.
  23. Click Create.

Note:If a URL that you're filtering has been visited recently, it's cached for several minutes and might not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Allow approximately 5 minutes before testing out a new or modified rule.

FAQ


How do DLP rules with Context-Aware Access conditions behave on previous Chrome versions?

In previous Chrome versions, context conditions are ignored. Rules behave as if only content conditions are set.

Do managed browser rules work in Incognito mode?

No. Rules do not apply in Incognito mode. Administrators can prevent sign-ins to Workspace or SaaS applications from Chrome Incognito mode by enforcing Context-Aware Access at sign-in time.

Do managed browsers and managed users need to be in the same enterprise for a rule to be applied?

If the managed browser and managed profile user belong to the same enterprise, then both browser-level DLP rules and user-level DLP rules will be applied.

If the managed browser and managed profile user belong to different enterprises, then only the browser-level DLP rules will be applied. The context condition will always be considered as a match, and the strictest outcome will be enforced. There is no impact on IP-based or region-based conditions.

Do the Admin console and Google Cloud console support the same access levels?

Context-Aware Access in the Admin console does not support all attributes supported by the Google Cloud console. Therefore, any basic access levels created in the Google Cloud console that include these attributes can be assigned in the Admin console, but can’t be edited there.

On the Rules page in the Admin console, you can assign Google Cloud console-created access levels, but can’t view condition details for access levels with unsupported attributes.

Why don’t I see the context conditions card when I’m creating a rule?

  • Make sure you have the Services > Data Security > Access level management admin privilege, which is required to view context conditions during DLP rule creation.
  • The context conditions card only displays when you select Chrome triggers during rule creation.

What if an assigned access level is deleted?

If an assigned access level is deleted, the context conditions default to true and the rule behaves like a content-only rule. Note that the rule will then apply to more devices and use cases than you originally intended.

Should Context-Aware Access be enabled for context conditions to work in rules?

No. Access level evaluation in rules is independent of Context-Aware Access settings. Context-Aware Access activation and assignment should not affect rules.

What if the rule condition is empty?

Empty conditions are evaluated to true by default. This means that for a Context-Aware Access-only rule, the content conditions can be left empty. Note that if both content and context conditions are left empty, the rule will always get triggered.

Will a rule be triggered if only one of the conditions is met?

No. The rule is only triggered when both content and context conditions are met.

Why am I seeing log events saying that DLP was not enforced?

DLP and Context-Aware Access both rely on background services which may be periodically interrupted. If a service interruption occurs during rule enforcement, then there is no enforcement. When this happens, an event is logged in both the Rules log events and the Chrome log events.

How do context conditions work when endpoint verification is not installed?

For device-based attributes, the context conditions will be considered as a match and the strictest outcome will be enforced. For non-device-based attributes (such as IP address and region) there’s no change.

Can I view access level information for triggered rules in the security investigation tool?

Yes. Search Rule log events or Chrome log events in the security investigation tool; the access level that applied to each triggered rule is shown in the Access level column of the search results.

Is user remediation available for context conditions in rules?

No. User remediation is not available in these flows yet.
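Several answers above (empty conditions, deleted access levels, missing endpoint verification, cross-enterprise browsers, older Chrome, Incognito) describe fallbacks that make a rule fire more or less often than its context condition alone suggests. The following Python, an example added to this page and not Google code, encodes those documented outcomes in one evaluator so their combined effect can be checked. The Signals and AccessLevel names are hypothetical inputs, not a Google API, and the satisfied flag stands in for the result of evaluating the access level's attributes (for instance the IP subnet or Admin-approved checks in the examples above).

```python
"""Evaluation semantics of a DLP rule that carries a context condition, as
described in this page's FAQ. Added illustration, not Google code: it encodes
the documented behaviour (both conditions must hold; empty conditions are true;
deleted access levels, missing endpoint verification and cross-enterprise
browsers fall back to "match"; Chrome < 105 ignores context; Incognito is
exempt) so you can see how each fallback changes the rule's reach.
"""
from dataclasses import dataclass
from typing import Optional

MIN_CHROME_WITH_CONTEXT = 105  # "Chrome browser version" requirement above


@dataclass
class AccessLevel:
    """What the rule knows about its assigned access level (hypothetical model).

    satisfied: the outcome of evaluating its attributes when they CAN be
    evaluated (for Example 3, True when the device is not admin-approved).
    """
    exists: bool = True          # False once someone deletes the access level
    device_based: bool = False   # uses Device/OS attributes (needs endpoint verification)
    satisfied: bool = False


@dataclass
class Signals:
    """Constructed inputs for one enforcement decision (hypothetical names)."""
    content_matched: Optional[bool]  # None = the rule has no content condition
    chrome_major: int
    incognito: bool = False
    endpoint_verification: bool = True
    same_enterprise: bool = True     # managed browser and managed profile in one enterprise


def context_matches(level: Optional[AccessLevel], s: Signals) -> bool:
    """Resolve the context condition, applying the page's default-to-match rules."""
    if level is None or not level.exists:
        return True  # empty condition, or deleted access level: defaults to true
    if level.device_based and not s.endpoint_verification:
        return True  # device attributes can't be read: treated as a match (strictest outcome)
    if not s.same_enterprise:
        return True  # cross-enterprise browser/profile: context always considered a match
    return level.satisfied


def rule_triggers(level: Optional[AccessLevel], s: Signals) -> bool:
    """True when the rule's action (Block, and so on) is applied for this event."""
    if s.incognito:
        return False  # managed browser rules do not apply in Incognito mode
    content = True if s.content_matched is None else s.content_matched
    if s.chrome_major < MIN_CHROME_WITH_CONTEXT:
        return content  # older Chrome ignores context: behaves like a content-only rule
    return content and context_matches(level, s)


def scope_widened_by_fallback(level: AccessLevel, s: Signals) -> bool:
    """True when the rule fires only because of a fallback, i.e. it would NOT
    fire if the access level could be evaluated normally. Use this to spot
    rules whose reach has silently grown (e.g. after an access level was deleted)."""
    normal_signals = Signals(s.content_matched, s.chrome_major, s.incognito, True, True)
    normal_level = AccessLevel(True, level.device_based, level.satisfied)
    return rule_triggers(level, s) and not rule_triggers(normal_level, normal_signals)


if __name__ == "__main__":
    # Example 3 style level: "doesn't meet Admin-approved"; this device IS approved.
    approved_device = AccessLevel(device_based=True, satisfied=False)
    print("compliant device, sensitive file:",
          rule_triggers(approved_device, Signals(True, 120)))
    print("same device, endpoint verification missing:",
          rule_triggers(approved_device, Signals(True, 120, endpoint_verification=False)))
    print("access level deleted:",
          rule_triggers(AccessLevel(exists=False), Signals(True, 120)))
```

The two fallback cases in the script are the ones worth auditing: a device that would normally pass the context check is blocked as soon as endpoint verification is absent or the access level is deleted, so a rule intended for unmanaged devices quietly applies to managed ones too.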
