Device attributes collected by Endpoint Verification

Attribute name

Description

Supported OS

Example of using the attribute in the CEL expressions

is_secured_with_screenlock

A boolean value that indicates whether the screen lock function is enabled on a device.

• macOS
• ChromeOS
• Windows
• Linux

device.is_secured_with_screenlock == true

encryption_status

The encryption status of a device. Possible values:

• ENCRYPTION_UNSPECIFIED = 0 indicates that the encryption status of the device is not specified or not known.
• ENCRYPTION_UNSUPPORTED = 1 indicates that the device does not support encryption.
• ENCRYPTION_UNENCRYPTED = 2 indicates that the device supports encryption, but is not encrypted.
• ENCRYPTED = 3 indicates that the device is encrypted.

• macOS
• ChromeOS
• Windows
• Linux

device.encryption_status == DeviceEncryptionStatus.ENCRYPTED

os_type

The operating system running on a device. Possible values:

• OS_UNSPECIFIED = 0 indicates that the operating system of the device is not specified or not known.
• DESKTOP_MAC = 1
• DESKTOP_WINDOWS = 2
• DESKTOP_LINUX = 3
• DESKTOP_CHROME_OS = 6

• macOS
• ChromeOS
• Windows
• Linux

device.os_type == OsType.DESKTOP_MAC

os_version

The version of the operating system running on a device.

• macOS
• ChromeOS
• Windows
• Linux

• device.os_version == "MacOS 13.4.0"
• device.os_version == "ChromeOs 14541.0.0"
• device.os_version == "Windows 10.0.19045"
• device.os_version == "Linux rodete"

verified_chrome_os

A boolean value that indicates whether the request comes from a device with a verified ChromeOS .

ChromeOS (only for enterprise-enrolled devices)

device.verified_chrome_os == true

model

The model of a device.

• macOS
• Windows
• Linux

device.model == "MacBookPro16,1"

is_managed_browser_profile

A boolean value that indicates whether the Chrome content area account associated with a device matches its Chrome profile account.

• macOS
• ChromeOS
• Windows
• Linux

device.is_managed_browser_profile == true

certificates

Attributes of the certificates associated with a device. For example, Enterprise certificates .

• macOS
• ChromeOS
• Windows
• Linux

device.certificates.exists(cert, cert.is_valid && cert.root_ca_fingerprint == "SOME_ROOT_CA_FINGERPRINT")

windows_domain_name

The domain name of a windows machine.

Windows

device.clients["bce"].data["windows_domain_name"] == "GOOGLE"

is_os_native_firewall_enabled

A boolean value that indicates whether the operating system's built-in firewall is enabled on a device.

• macOS
• ChromeOS
• Windows
• Linux

device.clients["bce"].data["is_os_native_firewall_enabled"] == true

is_secure_boot_enabled

A boolean value that indicates whether the secure boot option is enabled on a device.

Windows

device.clients["bce"].data["is_secure_boot_enabled"] == true

av_installed

A list of antivirus software products that are installed on a device.

Windows

device.clients["bce"].data["av_installed"].exists(x, x == "mcafee") == true

av_enabled

A list of antivirus software products that are installed and enabled on a device.

Windows

device.clients["bce"].data["av_enabled"].exists(x, x == "mcafee") == true

hotfixes

A list of hotfixes that are applied on Windows systems.

Windows

device.clients["bce"].data["hotfixes"].exists(x, x == "KB0001") == true

Attribute name

Description

Supported OS

Serial number

The serial number of the device.

• macOS
• ChromeOS (only for enterprise-enrolled devices)
• Windows
• Linux

Hostname

The hostname of the device.

• macOS
• Windows
• Linux

Device ID

The unique identification number associated with the device.

• macOS
• Windows
• Linux

Wifi MAC Address

The MAC address of the device.

• macOS
• ChromeOS
• Windows
• Linux

Attribute name

Description

Supported OS

Example of using the attribute in the CEL expressions

presence

Indicates the presence of a file, folder, or binary. Possible values:

• VALUE_UNKNOWN = 0 indicates that the presence is not known due to a failure that occurred before the assessment.
• VALUE_INACCESSIBLE = 1 indicates that the organization does not have access to the signal's resource.
• VALUE_NOT_FOUND = 2 indicates that the resource was not found.
• VALUE_FOUND = 3 indicates that the resource was found.

• macOS
• Windows
• Linux

device.clients["bce"].data["file_config"]["config_name"]["presence"] == PresenceValue.VALUE_FOUND

is_running

Indicates if a binary is running. It is always false for a file or folder.

• macOS
• Windows
• Linux

device.clients["bce"].data["file_config"]["config_name"]["is_running"] == true

sha256_hash

Provides SHA-256 hash of a file or binary. It is always an empty string for a folder.

• macOS
• Windows
• Linux

device.clients["bce"].data["file_config"]["config_name"]["sha256_hash"] == " "

public_key_sha256

Provides a list of SHA-256 hash values of the public keys that are used to sign the executable. It is always an empty string for a file or a folder.

• macOS
• Windows

device.clients["bce"].data["file_config"]["config_name"]["public_key_sha256"].exists(x, x == " ")

product_name

The product name of the executable. It is always an empty string for a file or folder.

• macOS
• Windows

device.clients["bce"].data["file_config"]["config_name"]["product_name"] == "some value"

version

The product version of the executable. It is always an empty string for a file or folder.

• macOS
• Windows

device.clients["bce"].data["file_config"]["config_name"]["version"] == "some value"

Attribute name

Description

Supported OS

Example of using the attribute in the CEL expressions

presence

Indicates the presence of a registry or plist entry. Possible values:

• VALUE_UNKNOWN = 0 indicates that the presence is not known due to a failure that occurred before the assessment.
• VALUE_INACCESSIBLE = 1 indicates that the organization does not have access to the signal's resource.
• VALUE_NOT_FOUND = 2 indicates that the resource was not found.
• VALUE_FOUND = 3 indicates that the resource was found.

• macOS
• Windows

• device.clients["bce"].data["registry_config"]["config_name"]["presence"] == PresenceValue.VALUE_FOUND
• device.clients["bce"].data["plist_config"]["config_name"]["presence"] == PresenceValue.VALUE_FOUND

value

Provides the data that is stored in the registry or plist. Possible values:

• macOS: NSString or NSNumber
• Windows: REG_SZ , REG_DWORD , or REG_QWORD

The strings are limited to 1024 bytes.

• macOS
• Windows

• device.clients["bce"].data["registry_config"]["config_name"]["value"] == <"string value"|boolean|double|int>
• device.clients["bce"].data["plist_config"]["config_name"]["value"] == <"string value"|boolean|double|int>

Attribute name

Description

Supported OS

Example of using the attribute in the CEL expressions

versionAtLeast(min_version)

The minimum version of the Chrome browser.

• macOS
• ChromeOS
• Windows
• Linux

device.chrome.versionAtLeast("88.0.4321.44")

management_state

The management state of the browser for a device. A browser is considered to be managed if it is enrolled to Chrome browser cloud management . Possible values:

• CHROME_MANAGEMENT_STATE_UNSPECIFIED = 0 indicates that the management state of the device is not specified or not known.
• CHROME_MANAGEMENT_STATE_UNMANAGED = 1 indicates that the browser or the profile is not managed by any organization.
• CHROME_MANAGEMENT_STATE_MANAGED_BY_OTHER_DOMAIN = 2 indicates that the browser is managed, but by some other organization.
• CHROME_MANAGEMENT_STATE_PROFILE_MANAGED = 3 indicates that the browser is not managed and the profile is managed by an organization.
• CHROME_MANAGEMENT_STATE_BROWSER_MANAGED = 4 indicates that the browser and profile are managed by an organization.

• macOS
• ChromeOS
• Windows
• Linux

device.chrome.management_state == ChromeManagementState.CHROME_MANAGEMENT_STATE_MANAGED_BY_OTHER_DOMAIN

is_file_upload_analysis_enabled

A boolean value that indicates whether the file upload analysis connector is enabled on a device.

• macOS
• ChromeOS
• Windows
• Linux

device.chrome.is_file_upload_analysis_enabled == true

is_file_download_analysis_enabled

A boolean value that indicates whether the file download analysis connector is enabled on a device.

• macOS
• ChromeOS
• Windows
• Linux

device.chrome.is_file_download_analysis_enabled == true

is_bulk_data_entry_analysis_enabled

A boolean value that indicates whether the bulk text (paste) analysis connector is enabled on a device.

• macOS
• ChromeOS
• Windows
• Linux

device.chrome.is_bulk_data_entry_analysis_enabled == true

is_security_event_analysis_enabled

A boolean value that indicates whether the security event reporting connector is enabled on a device.

• macOS
• ChromeOS
• Windows
• Linux

device.chrome.is_security_event_analysis_enabled == true

is_realtime_url_check_enabled

A boolean value that indicates whether the real-time URL check connector is enabled on a device.

• macOS
• ChromeOS
• Windows
• Linux

device.chrome.is_realtime_url_check_enabled == true

safe_browsing_protection_level

The browsing protection level policy of the browser. Possible values:

• SAFE_BROWSING_LEVEL_UNSPECIFIED = 0 indicates that the browser protection level policy is not set for the device.
• SAFE_BROWSING_LEVEL_DISABLED = 1 indicates that the browser protection level policy is disabled for the device, and the device is not protected against dangerous websites, downloads, and extensions.
• SAFE_BROWSING_LEVEL_STANDARD = 2 indicates that the device is protected against websites, downloads, and extensions that are known to be dangerous.
• SAFE_BROWSING_LEVEL_ENHANCED = 3
indicates that the device has proactive protection against dangerous websites, downloads, and extensions.

• Mac
• ChromeOS
• Windows
• Linux

device.chrome.safe_browsing_protection_level == SafeBrowsingLevel.SAFE_BROWSING_LEVEL_STANDARD

is_site_isolation_enabled

A boolean value that indicates whether the site isolation is enabled for every site.

• macOS
• ChromeOS
• Windows
• Linux

device.chrome.is_site_isolation_enabled == true

is_built_in_dns_client_enabled

A boolean value that indicates whether Chrome's built-in DNS client communicates with the DNS server.

• macOS
• ChromeOS
• Windows
• Linux

device.chrome.is_built_in_dns_client_enabled == true

password_protection_warning_trigger

The password protect warning trigger policy of the browser. Possible values:

• PASSWORD_PROTECTION_TRIGGER_UNSPECIFIED = 0 indicates that the password protect warning trigger policy is not set.
• PASSWORD_PROTECTION_TRIGGER_PROTECTION_OFF = 1 indicates that the password reuse is never detected.
• PASSWORD_PROTECTION_TRIGGER_PASSWORD_REUSE = 2 indicates that a warning is displayed when the end user reuses their protected password on a site that is not allowed.
• PASSWORD_PROTECTION_TRIGGER_PHISHING_REUSE = 3 indicates that a warning is displayed when the end user reuses their protected password on a phishing site.

• macOS
• ChromeOS
• Windows
• Linux

device.chrome.password_protection_warning_trigger == PasswordProtectionTrigger.PASSWORD_PROTECTION_TRIGGER_PASSWORD_REUSE

is_chrome_remote_desktop_app_blocked

A boolean value that indicates whether the Chrome remote desktop remote application is blocked.

• macOS
• ChromeOS
• Windows
• Linux

device.chrome.is_chrome_remote_desktop_app_blocked == true

is_chrome_cleanup_enabled

A boolean value that indicates whether the Chrome Cleanup tool is enabled.

Windows

device.chrome.is_chrome_cleanup_enabled == true

is_third_party_blocking_enabled

A boolean value that indicates whether the third party software injection blocking is enabled.

Windows

device.chrome.is_third_party_blocking_enabled == true