Use Chrome Enterprise Premium to integrate DLP with Chrome

You must have the Chrome Enterprise Premium add-on for this feature.

You can use Chrome Enterprise Premium with data protection rules to monitor user actions on Chrome browser and on Windows, Mac, Linux, and ChromeOS devices. Using data loss prevention (DLP) with Chrome, you can scan up to 10 MB of text content in a file to automatically detect data that's opened, uploaded, downloaded, pasted, or transferred. Use data protection rules with Chrome Enterprise Premium for control over sensitive information, such as Social Security or credit card numbers.

Before you begin

Understand triggers

Before defining what content your rule should look for, you specify the trigger that initiates the scanning process. The trigger you select determines the Content type to scan options that are available for your rule.

You can select one of the following triggers:

  • File uploaded—A user uploads a file from their device in Chrome browser.
  • File downloaded—A user downloads a file to their device.
  • Content pasted—A user pastes content into a webpage.
  • Content printed—A user prints the content of a webpage.
  • URL visited—A user navigates to a URL.

Understand DLP actions

When sensitive content is found, your rule can enforce the actions listed in the following table.
Actions (for Chrome browser & ChromeOS):

Action: Block
  Description: Stops the user from completing the action, such as uploading a file. The user gets an error or custom message.
  Optional settings:
    • Customize Message: Show a custom message (up to 300 characters, supports hyperlinks) to the user explaining why the action was blocked.

Action: Allow with warning
  Description: Lets the user proceed after a warning message. The user's choice to proceed is recorded in the log events.
  Optional settings:
    • Customize Message: Display a custom warning message.
    • Add watermark over page content: For URL-visited actions, overlays translucent watermark and Confidential text or a custom message on the webpage.
    • Restrict screenshot and screen-share content: For URL-visited actions on Mac and Windows, blocks screenshots and screen sharing on the associated pages. Content is blacked out in screenshots (Windows) or disappears (Mac).

Action: Audit only
  Description: Allows the user to proceed without interruption and logs the event for review.
  Optional settings:
    • Add watermark over page content: For URL-visited actions, overlays translucent watermark and Confidential text or a custom message on the webpage.
    • Restrict screenshot and screen-share content: For URL-visited actions on Mac and Windows, blocks screenshots and screen sharing on the associated pages. Content is blacked out in screenshots (Windows) or disappears (Mac).

Important: For the File uploaded and Content pasted triggers, the blocking behavior depends on your Chrome Enterprise connector policies' Delay file upload and Delay text entry settings. For details, go to Upload content analysis and Bulk text content analysis.

Understand DLP conditions

When you create a data protection rule, you can specify conditions that define what content or activity to scan for. You can use predefined data types. Or, create your own custom content detectors. You can also combine multiple conditions using AND, OR, or NOT operators.

For details, go to How to use predefined content detectors, Create a custom detector, and Examples of rules with nested condition operators.

The Content type to scan options available change based on which trigger is selected to initiate the scan, such as File uploaded, File downloaded, Content pasted, Content printed, URL visited, and so on.

Content type to scan: All content
  What to scan for:
    • Matches predefined data type
    • Contains text string
    • Contains word
    • Matches regular expression
    • Matches words from word list
  Details & use: Scans all content for sensitive information that matches one of the following:
    • A predefined data type, such as Global - Email Address or United States - Social Security Number
    • A specified text string
    • A specified word
    • Patterns defined by a regular expression
    • Words from a custom list

Content type to scan: Body
  What to scan for:
    • Matches predefined data type
    • Contains text string
    • Contains word
    • Matches regular expression
    • Matches words from word list
  Details & use: Scans the main text content (body) of a webpage or file.

Content type to scan: File size
  What to scan for:
    • Equals
    • Is greater than
    • Is less than
  Details & use: Sets a file size threshold (in bytes) to trigger the rule based on your comparison.

Content type to scan: File type
  What to scan for:
    • Matches common MIME type
    • Matches custom MIME type
    • Matches system file category
  Details & use: Filters what to scan by predefined file categories, such as Image or Executable, or by a specific MIME type. Learn more about MIME types by file category.

Content type to scan: Source Chrome context
  What to scan for:
    • Specific attributes related to Chrome browser
  Details & use: Scans for internal Chrome attributes to define the browser's environment or state. The rule applies if the context is one of the following values: Incognito, Clipboard, or Other Profile.

Content type to scan: Source URL
  What to scan for:
    • Contains text string
    • Matches words from word list
    • Matches regular expression
  Details & use: Scans the URL where the content originated for specific text, words from a custom list, or patterns.

Content type to scan: Source URL category
  What to scan for:
    • Select category
  Details & use: Works with triggers, such as Content pasted, to check if a source URL belongs to a predefined category, such as Social Networks or News.

Content type to scan: Title
  What to scan for:
    • Matches predefined data type
    • Contains text string
    • Contains word
    • Ends with
    • Matches regular expression
    • Matches words from word list
    • Starts with
  Details & use: Scans the title of the webpage or document involved in the action.

Content type to scan: URL
  What to scan for:
    • Contains text string
    • Ends with
    • Matches URL from URL list
    • Matches regular expression
    • Matches words from word list
    • Starts with
  Details & use: Scans the URL involved in the action. This scan includes the URLs of content loaded inside any embedded iframes.

Content type to scan: URL category
  What to scan for:
    • Select category
  Details & use: Checks if the URL involved in the action belongs to a predefined category, such as Social Networks, Games, or Gambling. This scan includes the URLs of content loaded inside any embedded iframes.

Content type to scan: Web app signed-in account
  What to scan for:
    • Matches domain name
    • Matches email address
    • Matches email address regex
  Details & use: Scans the user account actively signed in to the Google web app, such as Gmail or Drive, at the time of the trigger. This condition applies to rules triggered by Paste, URL visited, File Download, File Upload, and Print events. Currently supported only for personal and managed Google Accounts.

Content type to scan: Source web app signed-in account
  What to scan for:
    • Matches domain name
    • Matches email address
    • Matches email address regex
  Details & use: Scans the user account signed in to the Google web app that contains the source of the content (the app where the user copied the content). This condition only applies to rules triggered by the Content pasted event. Currently supported only for personal and managed Google Accounts.

Note: The URL visited trigger doesn't scan URLs or their corresponding categories within embedded iframes.

Choose a region for your data

You can store your DLP and malware scans in a specific region, for example, the United States or Europe. You can choose a region to achieve data residency, which is a requirement for many compliance agreements. For details, go to Choose a geographic region for your data.

Create a rule

After you determine what you want your rule to do, you create the rule. For details, go to Create data protection rules.

Common use cases

The following table provides examples of how to combine a trigger (what the user does), conditions (what is checked), and a specific action (the enforcement) to define your DLP policy. To use this table, you must:

  1. Select a trigger.
  2. Map condition values to the corresponding options.
  3. Select an action.

Changes can take up to 24 hours but typically happen more quickly. Learn more

Use case: Block files from being downloaded from Google Drive
  User event: File downloaded
  Conditions:
    • Content type: URL*
    • Match: Contains text string
    • Value: drive.google.com
  Action: Block

Use case: Warn the user if a downloaded file contains more than 30 email addresses
  User event: File downloaded
  Conditions:
    • Content type: All content
    • Match: Matches predefined data type
    • Settings: Data Type: Global - Email Address, Medium likelihood, Minimum unique matches 30
  Action: Allow with warning

Use case: Block file uploads to social media sites
  User event: File upload
  Conditions:
    • Content type: URL category
    • Match: Select category
    • Value: Social Networks
  Action: Block

Use case: Block the download of image files larger than 10 kilobytes
  User event: File downloaded
  Conditions:
    Condition 1: File size
      • Match: Is greater than
      • Value: 10,000 bytes
    AND
    Condition 2: File type
      • Match: Matches system file category
      • Value: Image
  Action: Block

Use case: Log instances where U.S. Social Security numbers are transferred in files in ChromeOS
  User event: File transfer
  Conditions:
    • Content type: All content
    • Match: Matches predefined data type
    • Settings: Data Type: United States - Social Security Number, Likelihood Medium, Minimum unique matches 1, Minimum match count 1
  Action: Audit only

Use case: Block users from pasting content copied from Gmail (mail.google.com)
  User event: Content pasted
  Conditions:
    • Content type: Source URL*
    • Match: Contains text string
    • Value: mail.google.com
  Action: Block

Use case: Apply a watermark or restrict screenshots when users visit designated sensitive websites
  User event: URL visited
  Conditions:
    • Content type: URL* or URL category
    • Match: Select appropriate match
    • Value: The specific sensitive URL or category
  Action: Allow with warning / Audit only (with Add watermark and/or Restrict screenshot selected)

Use case: Block file uploads to a personal Google Drive account
  User event: File uploaded
  Conditions:
    Condition 1:
      • Content type: URL
      • Match: Contains text string
      • Value: drive.google.com
    AND
    Condition 2:
      • Content type: Web app signed-in account
      • Match: Does not match domain name
      • Value: your-organization-domain-name.com
  Action: Block

*If a URL you're filtering was recently visited, it's cached for several minutes and might not be successfully filtered by a new (or modified) rule until the cache is cleared. Wait approximately 5 minutes before testing a new or modified rule.
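
To check how nested conditions combine before building a rule, the following added example (not Google's code and not an Admin console API) models two of the use cases above as predicates and evaluates them against constructed events. The Event and Rule shapes, all function names, the simplified email pattern, and the inclusive reading of "Minimum unique matches" are assumptions of this sketch.

```python
import re
from dataclasses import dataclass

# Hypothetical event shape for this sketch; not a Chrome or Admin console schema.
@dataclass
class Event:
    trigger: str        # e.g. "File uploaded"
    url: str = ""       # URL involved in the action
    account: str = ""   # web app signed-in account (email address)
    content: str = ""   # text content handed to the scanner

# Condition builders: each returns a predicate over an Event.
def url_contains(text):
    return lambda e: text in e.url

def account_domain_is(domain):
    return lambda e: e.account.lower().rpartition("@")[2] == domain.lower()

# Simplified stand-in for the "Global - Email Address" detector (assumption).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def min_unique_emails(n):
    # Assumption: the minimum is inclusive, so n distinct addresses match.
    return lambda e: len({m.lower() for m in EMAIL_RE.findall(e.content)}) >= n

def AND(*conds): return lambda e: all(c(e) for c in conds)
def OR(*conds): return lambda e: any(c(e) for c in conds)
def NOT(cond): return lambda e: not cond(e)

@dataclass
class Rule:
    name: str
    trigger: str
    condition: object   # predicate built from the helpers above
    action: str         # "Block", "Allow with warning" or "Audit only"

def evaluate(rules, event):
    """Return (rule name, action) for each rule whose trigger and condition match."""
    return [(r.name, r.action) for r in rules
            if r.trigger == event.trigger and r.condition(event)]

RULES = [
    Rule("personal-drive-upload", "File uploaded",
         AND(url_contains("drive.google.com"),
             NOT(account_domain_is("your-organization-domain-name.com"))),
         "Block"),
    Rule("bulk-email-download", "File downloaded",
         min_unique_emails(30), "Allow with warning"),
]
```

Running evaluate(RULES, event) with a managed-account upload and then a personal-account upload to the same Drive URL shows that only the second condition separates the two cases.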

Review, monitor & investigate alerts

After you create data protection rules, you can review user actions, such as uploading and downloading or copying and pasting data in Chrome browser. You can then:

  • View reports in the security dashboard. Reports related to Chrome Enterprise Premium include:
    • Chrome threat protection summary report
    • Chrome data protection summary report
    • Chrome high risk users report
    • Chrome high risk domains report
    • For details, go to Use the security dashboard.
  • Investigate alerts of data-sharing incidents using the security investigation tool. For details, go to About the security investigation tool.
  • View details of incidents in Rule log events.
  • Investigate rule violations to determine if they're real incidents or false positives. For details, go to View content that triggers DLP rules.