You must have the Chrome Enterprise Premium add-on for this feature.
You can use Chrome Enterprise Premium with Data Loss Prevention (DLP) rules to monitor user actions on Chrome browser and on Windows, Mac, Linux, and ChromeOS devices. You can scan up to 10 MB of text content in a file to automatically detect data that’s opened, uploaded, downloaded, pasted, or transferred. Use DLP rules with Chrome Enterprise Premium for control over sensitive information, such as Social Security or credit card numbers.
- Before you begin
- Understand user events (triggers)
- Understand DLP conditions
- Understand DLP actions
- Choose a region for your data
- Turn on OCR
- Create a DLP rule
- Common use cases
- Review, monitor & investigate alerts
Before you begin
Set up your Chrome Enterprise connector policies. For the steps, go to Set Chrome Enterprise connector policies for Chrome Enterprise Premium.
Understand user events (triggers)
Before defining what content or context your rule should look for, you must specify the user event that initiates the scanning process. This event is the trigger for the entire rule. The event you select determines the Content type to scan options that are available for your rule.
You can select one of the following user events:
- File uploaded—A user uploads a file from their device in Chrome browser.
- File downloaded—A user downloads a file to their device.
- Content pasted—A user pastes content into a webpage.
- Content printed—A user prints the content of a webpage.
- URL visited—A user navigates to a URL.
Understand DLP conditions
When you create a DLP rule, you specify conditions that define what content or activity to scan for. You can combine multiple conditions to create specific rules.
The Content type to scan options available change based on which user event is selected to initiate the scan, such as File uploaded, File downloaded, Content pasted, Content printed, URL visited, and so on.
| Content type to scan | What to scan for | Details & use |
|---|---|---|
| All content | Matches predefined data type | Scans all content for sensitive information that matches a predefined data type, such as Global - Email Address or United States - Social Security Number. You can set a likelihood threshold and a minimum for unique or total matches. |
| Body | Contains text string; Matches words from word list; Matches regular expression | Scans the main text content (body) of a webpage or file for specific text, words from a custom list, or patterns defined by a regular expression. |
| File size | Is greater than; Is less than; Is equal to | Sets a file size threshold (in bytes) to trigger the rule based on your comparison. |
| File type | Matches system file category; Matches specific MIME type | Filters what to scan by predefined file categories, such as Image or Executable, or by a specific MIME type. Learn more about MIME types by file category. |
| Source Chrome context | Specific attributes related to Chrome browser | Scans for internal Chrome attributes to define the browser's environment or state. The rule applies if the context is one of the following values: Incognito, Clipboard, or Other Profile. |
| Source URL | Contains text string; Matches words from word list; Matches regular expression | Scans the URL where the content originated for specific text, words from a custom list, or patterns. |
| Source URL category | Select category | Works with the user event, such as Content pasted, to check if a source URL belongs to a predefined category, such as Social Networks or News. |
| Title | Contains text string; Matches words from word list; Matches regular expression | Scans the title of the webpage or document involved in the action for specific text, words from a custom list, or patterns. |
| URL | Contains text string; Matches words from word list; Matches regular expression | Scans the URL involved in the action for specific text, words from a custom list, or patterns. |
| URL category | Select category | Checks if the URL involved in the action belongs to a predefined category, such as Social Networks, Games, or Gambling. |
Understand DLP actions
When a condition is met, your rule can enforce one of these actions:
| Action (for Chrome browser & ChromeOS) | Description | Optional settings |
|---|---|---|
| Block | Stops the user from completing the action, such as uploading a file. The user gets an error or custom message. | Customize Message: Show a custom message (up to 300 characters, supports hyperlinks) to the user explaining why the action was blocked. |
| Allow with warning | Lets the user proceed after a warning message. The user's choice to proceed is recorded in the log events. | Customize Message: Display a custom warning message. Add watermark over page content: For URL-visited actions, overlays a translucent watermark and Confidential text or a custom message on the webpage. Restrict screenshot and screen-share content: For URL-visited actions on Mac and Windows, blocks screenshots and screen sharing on the associated pages. Content is blacked out in screenshots (Windows) or disappears (Mac). |
| Audit only | Allows the user to proceed without interruption and logs the event for review. | Add watermark over page content: For URL-visited actions, overlays a translucent watermark and Confidential text or a custom message on the webpage. Restrict screenshot and screen-share content: For URL-visited actions on Mac and Windows, blocks screenshots and screen sharing on the associated pages. Content is blacked out in screenshots (Windows) or disappears (Mac). |
Important: For the File uploaded and Content pasted user events, the blocking behavior depends on your Chrome Enterprise connector policies' Delay file upload and Delay text entry settings. For details, go to Upload content analysis and Bulk text content analysis.
Choose a region for your data
You can store your DLP and malware scans in a specific region, for example, the United States or Europe. You can choose a region to achieve data residency, which is a requirement for many compliance agreements. For details, go to Choose a geographic region for your data.
Turn on OCR
You need to turn on optical character recognition (OCR) to allow Chrome to scan for sensitive content in images in files and PDFs. OCR scans BMP, GIF, JPEG, PNG, and TIF files uploaded, downloaded, and printed. Turning on OCR applies to all DLP rules. You can’t apply OCR selectively to specific rules.
To turn on OCR:
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Security > Access and data control > Data protection. Requires having the View DLP rule and Manage DLP rule administrator privileges.
- Go to Data protection settings and click Optical character recognition (OCR).
- Turn on For Google Chrome.
- Click Save.
Create a DLP rule
After you turn on OCR and determine the conditions and actions for your rule, you create the DLP rule. For details, go to Create a DLP rule.
Common use cases
The following table provides examples of how to combine a user event (the trigger), conditions (what is checked), and an action (the enforcement) to define your DLP policy. To use this table, you must:
- Select a user event.
- Map condition values to the corresponding options.
- Select an action.
| Use case | User event | Conditions | Action |
|---|---|---|---|
| Block files from being downloaded from Google Drive | File downloaded | Content type: URL*; Match: Contains text string; Value: drive.google.com | Block |
| Warn the user if a downloaded file contains more than 30 email addresses | File downloaded | Content type: All content; Match: Matches predefined data type; Settings: Data Type: Global - Email Address, Medium likelihood, Minimum unique matches 30 | Allow with warning |
| Block file uploads to social media sites | File uploaded | Content type: URL category; Match: Select category; Value: Social Networks | Block |
| Block the download of image files larger than 10 kilobytes | File downloaded | Condition 1: File size; Match: Is greater than; Value: 10,000 bytes. AND Condition 2: File type; Match: Matches system file category; Value: Image | Block |
| Log instances where U.S. Social Security numbers are transferred in files in ChromeOS | File transfer | Content type: All content; Match: Matches predefined data type; Settings: Data Type: United States - Social Security Number, Likelihood Medium, Minimum unique matches 1, Minimum match count 1 | Audit only |
| Block users from pasting content copied from Gmail (mail.google.com) | Content pasted | Content type: Source URL*; Match: Contains text string; Value: mail.google.com | Block |
| Apply a watermark or restrict screenshots when users visit designated sensitive websites | URL visited | Content type: URL* or URL category; Match: Select appropriate match; Value: The specific sensitive URL or category | Allow with warning / Audit only (with Add watermark and/or Restrict screenshot selected) |
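To make the trigger-gates-rule and AND-of-conditions behaviour concrete, here is an added Python simulation of the rule model and several rows of the use-case table above; it is not Google's or Chrome's scanning code. It assumes first-matching-rule-wins evaluation, uses a simple regex in place of the predefined Global - Email Address detector, and does not model likelihood thresholds.

```python
import re
from dataclasses import dataclass

# Added simulation of the page's trigger -> conditions -> action model (not Chrome's code).
# Assumption: a simple regex stands in for the "Global - Email Address" predefined data type.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

@dataclass
class Event:
    trigger: str          # user event, e.g. "File downloaded" or "Content pasted"
    url: str = ""         # URL involved in the action
    source_url: str = ""  # URL the content originated from (Content pasted)
    body: str = ""        # text content of the file or page
    size: int = 0         # file size in bytes
    category: str = ""    # system file category, e.g. "Image"

# Condition builders mirroring the "Content type to scan" options in the table above.
def url_contains(text):
    return lambda e: text in e.url
def source_url_contains(text):
    return lambda e: text in e.source_url
def size_greater_than(limit_bytes):
    return lambda e: e.size > limit_bytes
def file_category_is(cat):
    return lambda e: e.category == cat
def min_unique_emails(n):
    # "Minimum unique matches": distinct addresses count, repeats of one address do not
    return lambda e: len(set(EMAIL_RE.findall(e.body))) >= n

@dataclass
class Rule:
    name: str
    trigger: str      # the rule is only evaluated for events with this trigger
    conditions: list  # all conditions must hold (AND), as in the image-size use case
    action: str

def evaluate(rules, event):
    """Return the action of the first matching rule, or 'Allow' if none match (assumed policy)."""
    for r in rules:
        if r.trigger == event.trigger and all(c(event) for c in r.conditions):
            return r.action
    return "Allow"

# Rules taken from the use-case table above.
RULES = [
    Rule("Block Drive downloads", "File downloaded", [url_contains("drive.google.com")], "Block"),
    Rule("Warn on 30+ email addresses", "File downloaded", [min_unique_emails(30)], "Allow with warning"),
    Rule("Block large images", "File downloaded",
         [size_greater_than(10_000), file_category_is("Image")], "Block"),
    Rule("Block pasting from Gmail", "Content pasted", [source_url_contains("mail.google.com")], "Block"),
]
```

Note that a file repeating one address 40 times does not reach "Minimum unique matches 30", and a 20 KB image triggers only on File downloaded, not File uploaded, because the trigger gates the rule.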
Review, monitor & investigate alerts
After you create DLP rules, you can review user actions, such as uploading and downloading or copying and pasting data in Chrome browser. You can then:
- View reports in the security dashboard. Reports related to Chrome Enterprise Premium include the Chrome threat protection summary report, the Chrome data protection summary report, the Chrome high risk users report, and the Chrome high risk domains report. For details, go to Use the security dashboard.
- Investigate alerts of data-sharing incidents using the security investigation tool. For details, go to About the security investigation tool.
- View details of incidents in Rule log events.
- Investigate DLP rule violations to determine if they're real incidents or false positives. For details, go to View content that triggers DLP rules.