Use Chrome Enterprise Premium to integrate DLP with Chrome
Chrome Enterprise Premium threat and data protection features are available only for customers who have purchased Chrome Enterprise Premium.
Using Chrome Enterprise Premium threat and data protection, you can integrate Data Loss Prevention (DLP) features to use with Chrome browser to implement sensitive data detection for files that are uploaded and downloaded and for content that is pasted or dragged and dropped. The DLP integration with Chrome scans and reports findings from up to 10MB of the text content extracted from each file.
This integration gives you control over what data Chrome users can share, such as Social Security numbers or credit card numbers. It applies only to Chrome on Windows, Mac, Linux, and the Chrome operating system. Other platforms are not supported at this time.
Chrome Enterprise Premium and DLP
DLP integration with Chrome is included in the Chrome Enterprise Premium suite of features, which is part of Cloud Platform Security. To configure the DLP integration, you will use Google Workspace features.
Chrome Enterprise Premium includes:
- Use of Chrome management features
- Configuration of Chrome connectors
- Configuration of DLP rules in Google Workspace security (described in this article)
- Alerts and investigation of security events generated by Chrome (such as malware or sensitive data detection, phishing or social engineering, or password reuse)
For details on implementing Chrome Enterprise Premium, go to Protect Chrome users with Chrome Enterprise Premium threat and data protection.
Steps to set up DLP for Chrome Enterprise Premium
To implement and use the entire set of Chrome Enterprise Premium DLP protections, you must:
- Step 1: Set up Chrome browser Enterprise connector policies. For details, go to Set Chrome Enterprise connector policies for Chrome Enterprise Premium in Google Chrome Enterprise Help.
- Step 2: Set up data protection rules (described in this article) in Google Admin console.
- Step 3: Set up activity alerts. For descriptions of alert types, go to View alert details (also in Google Workspace Admin Help).
- Step 4 (Optional): Configure a timeout deadline for DLP and malware scanning. Learn more
After you create your DLP rules, when users upload, download, or copy and paste data into the browser, these actions can trigger events. You can:
- View reports in the security dashboard. Reports related to Chrome Enterprise Premium are:
- Investigate alerts indicating data sharing incidents using the security investigation tool. For details, go to About the security investigation tool.
- View audit log details in the Rule log events.
- Investigate whether a DLP rule violation is a real incident or a false positive. For details, go to View content that triggers DLP rules.
Choose a region for your data
You can store your DLP and malware scans in a specific region, for example, the United States or Europe. You can choose a region to achieve data residency, which is a requirement for many compliance agreements. For details, go to Choose a geographic region for your data.
Scan images for sensitive content
You must be signed in as a super administrator for this task. Using optical character recognition (OCR), DLP for Chrome scans text in image files and images in PDFs for sensitive content. This includes files uploaded and downloaded and content printed in Chrome.
Supported attachment file types
The following image file types (if OCR is turned on) are scanned: BMP, GIF, JPEG, PNG, TIFF, and images within PDF files.
- Sign in with a super administrator account to the Google Admin console. If you aren’t using a super administrator account, you can’t complete these steps.
- On the Admin console Home page, go to Security > Access and data control > Data protection.
- For Data protection settings, click Optical character recognition (OCR). The default state for Google Chrome is Off. Select Off and slide it to On.
- Click Save. This turns on OCR for data protection rules that apply to Chrome.
Note: Once turned on, the OCR setting will apply to all DLP for Chrome rules. You can't apply it selectively to specific rules.
- Sign in with a super administrator account to the Google Admin console. If you aren’t using a super administrator account, you can’t complete these steps.
- Go to Menu > Rules.
- Click Create rule > Data protection.
- Enter a name and, optionally, a description for the rule.
- In the Scope section, choose an option:
- To apply the rule to your whole organization, select All in your-organization.
- To apply the rule to specific organizational units or groups, select Organizational units and/or groups and include or exclude the organizational units and groups.
- Click Continue.
- In the Apps section, for Chrome, check the File uploaded box.
- Click Check in the banner to ensure that OCR is turned on to scan text in images and PDFs. If Chrome is not checked, check the Chrome box to turn on OCR for Chrome.
- Click Continue to finish creating the rule.
DLP rule examples that support Chrome Enterprise Premium integrations with Chrome
- Before you create DLP rules with Chrome settings, be sure you have updated Chrome Enterprise connector policies to support Chrome Enterprise Premium features and integration with DLP. For details, go to Set Chrome Enterprise connector policies for Chrome Enterprise Premium.
- For general steps on creating DLP rules, go to Create DLP for Drive rules and custom content detectors.
- If you create a DLP rule with no condition, the rule applies the specified action to every Chrome event for the chosen trigger(s), which could be events for file or content transfer or URL navigation.
DLP and Chrome Enterprise Premium integration—Data transfer rule examples
Here are some examples of blocking file downloads based on the URL, warning of downloads with multiple email addresses, blocking uploads to a URL category, and blocking downloads based on file size.
Example 1: Block file downloads from drive.google.com
This example shows how to use rule settings to block file downloads. In this example, the download is blocked if it occurs from drive.google.com.
Before you begin: Sign in to your super administrator account or an admin account with these privileges:
- Organizational Unit
- Groups
- View DLP rule
- Manage DLP rule
- View Metadata and Attributes
Learn more about administrator privileges and creating custom administrator roles.
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Security > Access and data control > Data protection. Requires having the View DLP rule and Manage DLP rule administrator privileges.
- In the Data protection rules and detectors section, click Manage Rules and then click Add rule > New rule.
- Enter a name and, optionally, a description for the rule.
- In the Scope section, select All in your-organization.
- (Optional) To include or exclude organizational units or groups the rule applies to, click the appropriate option.
Note: Organizational units can contain any combination of devices and users. If there’s a conflict between organizational units and groups, the group takes precedence.
- Click Continue.
- In the Apps section, for Chrome, check the File downloaded box.
- Click Continue.
- In the Conditions section, click Add Condition and select the following values:
- For Content type to scan, select URL.
- For What to scan for, select Contains text string.
- For the Enter contents to match field, enter drive.google.com.
Note: The Tab URL (drive.google.com) and Download URL (googleusercontent.com) can trigger the rule.
- Click Continue.
- In the Actions section, for Chrome, select Block.
- (Optional) To show end users a custom message:
- Check the Customize Message box.
- Enter a message. The message can be 300 characters or less. You can also select text and click Insert link, but any hyperlink will count toward the character limit.
- (Optional) To specify how a triggered rule event is reported in the security dashboard and, optionally, in the alert center:
- In the Alerting section, select a severity level (Low, Medium, or High) to set how an event triggered by this rule is reported in the security dashboard.
- (Optional) To send an alert to the alert center when the rule triggers an event, check the Send to alert center box. You can also choose whether to email alert notifications to all super administrators or to other recipients.
- Click Continue.
- On the Review page, select a status:
- Active—Your rule runs immediately.
- Inactive—Your rule doesn’t run immediately, giving you time to test the rule and share it with stakeholders.
If you decide to activate an inactive rule, go to Security > Access and data control > Data protection > Manage Rules, click the current Inactive status for the rule, and select Active.
- Click Create.
Changes can take up to 24 hours but typically happen more quickly. Learn more
This example shows how to use rule settings to trigger a user warning under certain conditions. In this example, the user is warned if they try to download more than 30 email addresses at once.
Before you begin: Sign in to your super administrator account or an admin account with these privileges:
- Organizational Unit
- Groups
- View DLP rule
- Manage DLP rule
- View Metadata and Attributes
Learn more about administrator privileges and creating custom administrator roles.
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Security > Access and data control > Data protection. Requires having the View DLP rule and Manage DLP rule administrator privileges.
- In the Data protection rules and detectors section, click Manage Rules and then click Add rule > New rule.
- Enter a name and, optionally, a description for the rule.
- In the Scope section, select All in your-organization.
- (Optional) To include or exclude organizational units or groups the rule applies to, click the appropriate option.
Note: Organizational units can contain any combination of devices and users. If there’s a conflict between organizational units and groups, the group takes precedence.
- Click Continue.
- In the Apps section, for Chrome, check the File downloaded box.
- Click Continue.
- In the Conditions section, click Add Condition and select the following values:
- For Content type to scan, select All content.
- For What to scan for, select Matches predefined data type.
- For Data type, select Global - Email Address.
- For Likelihood threshold, select Medium.
- For Minimum unique matches, enter 30.
- For Minimum match count, enter 30.
- Click Continue.
- In the Actions section, for Chrome, select Allow with warning. The user is warned, but can proceed with the action if the rule is violated. If the user chooses to proceed after being warned, this action is recorded in the Rule log events.
- (Optional) To show end users a custom message:
- Check the Customize Message box.
- Enter a message. The message can be 300 characters or less. You can also select text and click Insert link, but any hyperlink will count toward the character limit.
- (Optional) To specify how a triggered rule event is reported in the security dashboard and, optionally, in the alert center:
- In the Alerting section, select a severity level (Low, Medium, or High) to set how an event triggered by this rule is reported in the security dashboard.
- (Optional) To send an alert to the alert center when the rule triggers an event, check the Send to alert center box. You can also choose whether to email alert notifications to all super administrators or to other recipients.
- Click Continue.
- On the Review page, select a status:
- Active—Your rule runs immediately.
- Inactive—Your rule doesn’t run immediately, giving you time to test the rule and share it with stakeholders.
If you decide to activate an inactive rule, go to Security > Access and data control > Data protection > Manage Rules, click the current Inactive status for the rule, and select Active.
- Click Create.
Changes can take up to 24 hours but typically happen more quickly. Learn more
This example shows how to use rule settings to block file uploads to certain types of websites. In this example, the upload is blocked if the user tries to upload files to social media sites, such as Facebook.
Before you begin: Sign in to your super administrator account or an admin account with these privileges:
- Organizational Unit
- Groups
- View DLP rule
- Manage DLP rule
- View Metadata and Attributes
Learn more about administrator privileges and creating custom administrator roles.
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Security > Access and data control > Data protection. Requires having the View DLP rule and Manage DLP rule administrator privileges.
- In the Data protection rules and detectors section, click Manage Rules and then click Add rule > New rule.
- Enter a name and, optionally, a description for the rule.
- In the Scope section, select All in your-organization.
- (Optional) To include or exclude organizational units or groups the rule applies to, click the appropriate option.
Note: Organizational units can contain any combination of devices and users. If there’s a conflict between organizational units and groups, the group takes precedence.
- Click Continue.
- In the Apps section, for Chrome, check the File uploaded box.
For the File uploaded rule trigger, the blocking behavior depends on the Delay file upload setting specified in Set Chrome Enterprise connector policies for Chrome Enterprise Premium. If the Delay file upload setting is set to Allow immediate upload, the file will upload during the scan. To prevent users from uploading files or content during a scan, set the Delay file upload setting to Delay upload until analysis is complete.
- Click Continue.
- In the Conditions section, click Add Condition and select the following values:
- For Content type to scan, select URL category.
- For Select category, select Online Communities > Social Networks.
- Click Continue.
- In the Actions section, for Chrome, select Block.
- (Optional) To show end users a custom message:
- Check the Customize Message box.
- Enter a message. The message can be 300 characters or less. You can also select text and click Insert link, but any hyperlink will count toward the character limit.
- (Optional) To specify how a triggered rule event is reported in the security dashboard and, optionally, in the alert center:
- In the Alerting section, select a severity level (Low, Medium, or High) to set how an event triggered by this rule is reported in the security dashboard.
- (Optional) To send an alert to the alert center when the rule triggers an event, check the Send to alert center box. You can also choose whether to email alert notifications to all super administrators or to other recipients.
- Click Continue.
- On the Review page, select a status:
- Active—Your rule runs immediately.
- Inactive—Your rule doesn’t run immediately, giving you time to test the rule and share it with stakeholders.
If you decide to activate an inactive rule, go to Security > Access and data control > Data protection > Manage Rules, click the current Inactive status for the rule, and select Active.
- Click Create.
Changes can take up to 24 hours but typically happen more quickly. Learn more
This example shows how to use rule settings to block file downloads based on file type and size. In this example, the download is blocked if the user tries to download image files larger than 10 KB.
Before you begin: Sign in to your super administrator account or an admin account with these privileges:
- Organizational Unit
- Groups
- View DLP rule
- Manage DLP rule
- View Metadata and Attributes
Learn more about administrator privileges and creating custom administrator roles.
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Security > Access and data control > Data protection. Requires having the View DLP rule and Manage DLP rule administrator privileges.
- In the Data protection rules and detectors section, click Manage Rules and then click Add rule > New rule.
- Enter a name and, optionally, a description for the rule.
- In the Scope section, select All in your-organization.
- (Optional) To include or exclude organizational units or groups the rule applies to, click the appropriate option.
Note: Organizational units can contain any combination of devices and users. If there’s a conflict between organizational units and groups, the group takes precedence.
- Click Continue.
- In the Apps section, for Chrome, check the File downloaded box.
- Click Continue.
- In the Conditions section, click Add Condition and select the following values:
- For Content type to scan, select File size.
- For What to scan for, select is greater than.
- For Enter file size (in bytes), enter 10000.
- Click Add condition and select the following values:
- For Content type to scan, select File type.
- For What to scan for, select Matches system file category.
- For System file category, select Image.
For information about the MIME types included in each system file category, go to MIME types by file category.
- Click Continue.
- In the Actions section, for Chrome, select Block.
- (Optional) To show end users a custom message:
- Check the Customize Message box.
- Enter a message. The message can be 300 characters or less. You can also select text and click Insert link, but any hyperlink will count toward the character limit.
- (Optional) To specify how a triggered rule event is reported in the security dashboard and, optionally, in the alert center:
- In the Alerting section, select a severity level (Low, Medium, or High) to set how an event triggered by this rule is reported in the security dashboard.
- (Optional) To send an alert to the alert center when the rule triggers an event, check the Send to alert center box. You can also choose whether to email alert notifications to all super administrators or to other recipients.
- Click Continue.
- On the Review page, select a status:
- Active—Your rule runs immediately.
- Inactive—Your rule doesn’t run immediately, giving you time to test the rule and share it with stakeholders.
If you decide to activate an inactive rule, go to Security > Access and data control > Data protection > Manage Rules, click the current Inactive status for the rule, and select Active.
- Click Create.
Changes can take up to 24 hours but typically happen more quickly. Learn more
This example shows how to use rule settings to report file transfers in ChromeOS that contain U.S. Social Security numbers. The ChromeOS Files app is the only place where files are scanned, and setting up these rules requires a Chrome Enterprise Upgrade.
Before you begin: Sign in to your super administrator account or an admin account with these privileges:
- Organizational Unit
- Groups
- View DLP rule
- Manage DLP rule
- View Metadata and Attributes
Learn more about administrator privileges and creating custom administrator roles.
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Security > Access and data control > Data protection. Requires having the View DLP rule and Manage DLP rule administrator privileges.
- In the Data protection rules and detectors section, click Manage Rules and then click Add rule > New rule.
- Enter a name and, optionally, a description for the rule.
- In the Scope section, select All in your-organization.
- (Optional) To include or exclude organizational units or groups the rule applies to, click the appropriate option.
Note: Organizational units can contain any combination of devices and users. If there’s a conflict between organizational units and groups, the group takes precedence.
- Click Continue.
- In the Apps section, for ChromeOS, check the File transfer box.
- Click Continue.
- In the Conditions section, click Add Condition and select the following values:
- For Content type to scan, select All content.
- For What to scan for, select Matches predefined data type.
- For Select data type, select United States - Social Security Number.
- For Likelihood threshold, select Medium.
- For Minimum unique matches, enter 1.
- For Minimum match count, enter 1.
- Click Continue.
- In the Actions section, for ChromeOS, select Audit only.
- (Optional) To specify how a triggered rule event is reported in the security dashboard and, optionally, in the alert center:
- In the Alerting section, select a severity level (Low, Medium, or High) to set how an event triggered by this rule is reported in the security dashboard. The severity level is logged in the Rule log events and you can use it to investigate incidents.
- (Optional) To send an alert to the alert center when the rule triggers an event, check the Send to alert center box. You can also choose whether to email alert notifications to all super administrators or to other recipients.
- Click Continue.
- On the Review page, select a status:
- Active—Your rule runs immediately.
- Inactive—Your rule doesn’t run immediately, giving you time to test the rule and share it with stakeholders.
If you decide to activate an inactive rule, go to Security > Access and data control > Data protection > Manage Rules, click the current Inactive status for the rule, and select Active.
- Click Create.
Changes can take up to 24 hours but typically happen more quickly. Learn more
This example shows how to use rule settings to block text pasted from mail.google.com.
Before you begin: Sign in to your super administrator account or an admin account with these privileges:
- Organizational Unit
- Groups
- View DLP rule
- Manage DLP rule
- View Metadata and Attributes
Learn more about administrator privileges and creating custom administrator roles.
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Security > Access and data control > Data protection. Requires having the View DLP rule and Manage DLP rule administrator privileges.
- In the Data protection rules and detectors section, click Manage Rules and then click Add rule > New rule.
- Enter a name and, optionally, a description for the rule.
- In the Scope section, select All in your-organization.
- (Optional) To include or exclude organizational units or groups the rule applies to, click the appropriate option.
Note: Organizational units can contain any combination of devices and users. If there’s a conflict between organizational units and groups, the group takes precedence.
- Click Continue.
- In the Apps section, for Chrome, check the Content pasted box.
For the Content pasted rule trigger, the blocking behavior depends on the Delay text entry setting specified in Set Chrome Enterprise connector policies for Chrome Enterprise Premium. If you Allow immediate upload, the text will get pasted during the scan. To prevent users from pasting content during a scan, select Delay text entry until analysis is complete instead.
- Click Continue.
- In the Conditions section, click Add Condition and select the following values:
- For Content type to scan, select Source URL.
- For What to scan for, select Contains text string.
- For Enter contents to match, enter mail.google.com.
- Click Continue.
- In the Actions section, for Chrome, select Block.
- (Optional) To show end users a custom message:
- Check the Customize Message box.
- Enter a message. The message can be 300 characters or less. You can also select text and click Insert link, but any hyperlink will count toward the character limit.
- (Optional) To specify how a triggered rule event is reported in the security dashboard and, optionally, in the alert center:
- In the Alerting section, select a severity level (Low, Medium, or High) to set how an event triggered by this rule is reported in the security dashboard.
- (Optional) To send an alert to the alert center when the rule triggers an event, check the Send to alert center box. You can also choose whether to email alert notifications to all super administrators or to other recipients.
- Click Continue.
- On the Review page, select a status:
- Active—Your rule runs immediately.
- Inactive—Your rule doesn’t run immediately, giving you time to test the rule and share it with stakeholders.
If you decide to activate an inactive rule, go to Security > Access and data control > Data protection > Manage Rules, click the current Inactive status for the rule, and select Active.
- Click Create.
Changes can take up to 24 hours but typically happen more quickly. Learn more
DLP and Chrome Enterprise Premium integration—URL navigation rule examples
In these examples, navigation is blocked to websites in a particular URL category and to a custom list of URLs that you create.
Example 1: Warn of Chrome navigations to websites that match the "Games/Gambling" URL category
This example shows how to use rule settings to trigger a user warning when a user tries to navigate to a website with gambling content.
Before you begin: Sign in to your super administrator account or an admin account with these privileges:
- Organizational Unit
- Groups
- View DLP rule
- Manage DLP rule
- View Metadata and Attributes
Learn more about administrator privileges and creating custom administrator roles.
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Security > Access and data control > Data protection. Requires having the View DLP rule and Manage DLP rule administrator privileges.
- In the Data protection rules and detectors section, click Manage Rules and then click Add rule > New rule.
- Enter a name and, optionally, a description for the rule.
- In the Scope section, select All in your-organization.
- (Optional) To include or exclude organizational units or groups the rule applies to, click the appropriate option.
Note: Organizational units can contain any combination of devices and users. If there’s a conflict between organizational units and groups, the group takes precedence.
- Click Continue.
- In the Apps section, for Chrome, check the URL visited box.
- Click Continue.
- In the Conditions section, click Add Condition and select the following values:
- For Content type to scan, select URL category.
- For Select category, select Games/Gambling.
- Click Continue.
- In the Actions section, for Chrome, select Allow with warning. The user is warned, but can choose to proceed with the action that triggers the rule. If the user chooses to proceed, the action is recorded in the Chrome log.
- (Optional) To show end users a custom message:
- Check the Customize Message box.
- Enter a message. The message can be 300 characters or less. You can also select text and click Insert link, but any hyperlink will count toward the character limit.
- (Optional) To specify how a triggered rule event is reported in the security dashboard and, optionally, in the alert center:
- In the Alerting section, select a severity level (Low, Medium, or High) to set how an event triggered by this rule is reported in the security dashboard.
- (Optional) To send an alert to the alert center when the rule triggers an event, check the Send to alert center box. You can also choose whether to email alert notifications to all super administrators or to other recipients.
- Click Continue.
- On the Review page, select a status:
- Active—Your rule runs immediately.
- Inactive—Your rule doesn’t run immediately, giving you time to test the rule and share it with stakeholders.
If you decide to activate an inactive rule, go to Security > Access and data control > Data protection > Manage Rules, click the current Inactive status for the rule, and select Active.
- Click Create.
Note: If a URL that you're filtering has been visited recently, it's cached for several minutes and may not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Please allow approximately 5 minutes before testing out a new or modified rule.
This example shows how to use rule settings to warn a user if they try to navigate to a URL that doesn't match any entries in a URL list.
Before you begin: Sign in to your super administrator account or an admin account with these privileges:
- Organizational Unit
- Groups
- View DLP rule
- Manage DLP rule
- View Metadata and Attributes
Learn more about administrator privileges and creating custom administrator roles.
- Sign in with an administrator account to the Google Admin console. If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu > Security > Access and data control > Data protection. Requires having the View DLP rule and Manage DLP rule administrator privileges.
- Create a URL list custom detector containing a comma-separated list of the URLs you want to allow without restriction. For example: "docs.google.com,drive.google.com,mail.google.com"
For detailed instructions, go to Use custom URL lists for DLP in Chrome.
- In the Data protection rules and detectors section, click Manage Rules and then click Add rule > New rule.
- Enter a name and, optionally, a description for the rule.
- In the Scope section, select All in your-organization.
- (Optional) To include or exclude organizational units or groups the rule applies to, click the appropriate option.
Note: Organizational units can contain any combination of devices and users. If there’s a conflict between organizational units and groups, the group takes precedence.
- Click Continue.
- In the Apps section, for Chrome, check the URL visited box.
- Click Continue.
- In the Conditions section, click Add Condition and select the following values:
- For Content type to scan, select URL.
- For What to scan for, select Matches URL from URL list.
- For URL list name, select the URL list you created in step 3.
You must also click Change this to a not condition to exclude any URLs in your URL list from triggering the rule. All visited URLs that aren’t in your URL list will trigger the rule.
- Click Continue.
- In the Actions section, for Chrome, select Allow with warning. The user is warned, but can choose to proceed with the action that triggers the rule. If the user chooses to proceed, the action is recorded in the Chrome log.
- (Optional) To show end users a custom message:
- Check the Customize Message box.
- Enter a message. The message can be 300 characters or less. You can also select text and click Insert link, but any hyperlink will count toward the character limit.
- (Optional) To specify how a triggered rule event is reported in the security dashboard and, optionally, in the alert center:
- In the Alerting section, select a severity level (Low, Medium, or High) to set how an event triggered by this rule is reported in the security dashboard.
- (Optional) To send an alert to the alert center when the rule triggers an event, check the Send to alert center box. You can also choose whether to email alert notifications to all super administrators or to other recipients.
- Click Continue.
- On the Review page, select a status:
- Active—Your rule runs immediately.
- Inactive—Your rule doesn’t run immediately, giving you time to test the rule and share it with stakeholders.
If you decide to activate an inactive rule, go to Security and then Access and data control and then Data protection and then Manage Rules, click the current Inactive status for the rule, and select Active.
- Click Create.
Note: If a URL that you're filtering has been visited recently, it's cached for several minutes and may not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Please allow approximately 5 minutes before testing out a new or modified rule.
This example shows how to use rule settings to trigger a user warning or to audit user activity by overlaying a watermark when a user tries to navigate to a specific website.
Before you begin: Sign in to your super administrator account or an admin account with these privileges:
- Organizational Unit
- Groups
- View DLP rule
- Manage DLP rule
- View Metadata and Attributes
Learn more about administrator privileges and creating custom administrator roles.
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu and then Security > Access and data control > Data protection.
Requires having the View DLP rule and Manage DLP rule administrator privileges.
- In the Data protection rules and detectors section, click Manage Rules and then click Add rule and then New rule.
- Enter a name and, optionally, a description for the rule.
- In the Scope section, select All in your-organization.
- (Optional) To include or exclude organizational units or groups the rule applies to, click the appropriate option.
Note: Organizational units can contain any combination of devices and users. If there’s a conflict between organizational units and groups, the group takes precedence.
- Click Continue.
- In the Apps section, for Chrome, check the URL visited box.
- Click Continue.
- In the Conditions section, click Add Condition and select values for the URL or URL category that you want to watermark.
- Click Continue.
- In the Actions section, for Chrome, select one of the following options:
- Allow with warning—Warns the user, but they can proceed to the website. If the user proceeds, the action is recorded in the Rule and Chrome log events. To display translucent watermark text over the page content, check the Add watermark over page content box.
- Audit only—Displays a watermark over the page content in Chrome and creates a new event in the Rule and Chrome log events.
- (Optional) To replace the default watermark message with your own custom watermark message, check the Customize watermark message box and enter a message.
- In the Alerting section, select a severity level (Low, Medium, or High) to set how an event triggered by this rule is reported in the security dashboard.
- (Optional) To send an alert to the alert center when the rule triggers an event, check the Send to alert center box. You can also choose whether to email alert notifications to all super administrators or to other recipients.
- Click Continue.
- On the Review page, select a status:
- Active—Your rule runs immediately.
- Inactive—Your rule doesn’t run immediately, giving you time to test the rule and share it with stakeholders.
If you decide to activate an inactive rule, go to Security and then Access and data control and then Data protection and then Manage Rules, click the current Inactive status for the rule, and select Active.
- Click Create.
Note: If a URL that you're filtering has been visited recently, it's cached for several minutes and may not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Please allow approximately 5 minutes before testing out a new or modified rule.
This example shows how to use rule settings to block screenshots (Mac and Windows) and screen sharing (Windows only). Content on the page is blacked out in screenshots for Windows and disappears for Mac.
Before you begin: Sign in to your super administrator account or an admin account with these privileges:
- Organizational Unit
- Groups
- View DLP rule
- Manage DLP rule
- View Metadata and Attributes
Learn more about administrator privileges and creating custom administrator roles.
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu and then Security > Access and data control > Data protection.
Requires having the View DLP rule and Manage DLP rule administrator privileges.
- In the Data protection rules and detectors section, click Manage Rules and then click Add rule and then New rule.
- Enter a name and, optionally, a description for the rule.
- In the Scope section, select All in your-organization.
- (Optional) To include or exclude organizational units or groups the rule applies to, click the appropriate option.
Note: Organizational units can contain any combination of devices and users. If there’s a conflict between organizational units and groups, the group takes precedence.
- Click Continue.
- In the Apps section, for Chrome, check the URL visited box.
- Click Continue.
- In the Conditions section, click Add Condition and select values for the URL or URL category for which you want to block screenshots and screen sharing.
- Click Continue.
- In the Actions section, for Chrome, select one of the following options:
- Allow with warning—Warns the user, but they can proceed to the website. If the user proceeds, the action is recorded in the Rule and Chrome log events. To block screenshots and screen sharing on the associated pages, check the Restrict screenshot and screen-share content box.
- Audit only—Allows users to proceed to the website in Chrome and the action is recorded in the Rule and Chrome log events. To block screenshots and screen sharing on the associated pages, check the Restrict screenshot and screen-share content box.
- In the Alerting section, select a severity level (Low, Medium, or High) to set how an event triggered by this rule is reported in the security dashboard.
- (Optional) To send an alert to the alert center when the rule triggers an event, check the Send to alert center box. You can also choose whether to email alert notifications to all super administrators or to other recipients.
- Click Continue.
- On the Review page, select a status:
- Active—Your rule runs immediately.
- Inactive—Your rule doesn’t run immediately, giving you time to test the rule and share it with stakeholders.
If you decide to activate an inactive rule, go to Security and then Access and data control and then Data protection and then Manage Rules, click the current Inactive status for the rule, and select Active.
- Click Create.
Note: If a URL that you're filtering has been visited recently, it's cached for several minutes and may not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Please allow approximately 5 minutes before testing out a new or modified rule.
This example shows how to use rule settings to audit users' URL navigations when they try to navigate to a URL that matches a regular expression.
Before you begin: Sign in to your super administrator account or an admin account with these privileges:
- Organizational Unit
- Groups
- View DLP rule
- Manage DLP rule
- View Metadata and Attributes
Learn more about administrator privileges and creating custom administrator roles.
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- Go to Menu and then Security > Access and data control > Data protection.
Requires having the View DLP rule and Manage DLP rule administrator privileges.
- In the Data protection rules and detectors section, click Manage Detectors and then click Add detector and then Regular expression.
- Enter a name and, optionally, a description for the regular expression.
- Enter a regular expression that matches a substring of URLs.
For example, the expression [?|&]page_id=123 matches any URL that has a query parameter with the name page_id and a value that starts with 123. For more information, go to Examples of regular expressions.
- (Optional) To verify the regular expression, click Test Expression. You must enter terms to test against your regular expression. For example, if you enter https://example.com/path?user=user1&page_id=1234 there will be a match with the expression [?|&]page_id=123.
- Click Create.
- In the Data protection rules and detectors section, click Manage Rules and then click Add rule and then New rule.
- Enter a name and, optionally, a description for the rule.
- In the Scope section, select All in your-organization.
- (Optional) To include or exclude organizational units or groups the rule applies to, click the appropriate option.
Note: Organizational units can contain any combination of devices and users. If there’s a conflict between organizational units and groups, the group takes precedence.
- Click Continue.
- In the Apps section, for Chrome, check the URL visited box.
- Click Continue.
- In the Conditions section, click Add Condition and select the following values:
- For Content type to scan, select URL.
- For What to scan for, select Matches regular expression.
- For Regular expression name, select the name of the regular expression that you entered in step 4.
- For Minimum times the pattern detected, enter 1.
- Click Continue.
- In the Actions section, for Chrome, select Audit.
- In the Alerting section, select a severity level (Low, Medium, or High) to set how an event triggered by this rule is reported in the security dashboard.
- (Optional) To send an alert to the alert center when the rule triggers an event, check the Send to alert center box. You can also choose whether to email alert notifications to all super administrators or to other recipients.
- Click Continue.
- On the Review page, select a status:
- Active—Your rule runs immediately.
- Inactive—Your rule doesn’t run immediately, giving you time to test the rule and share it with stakeholders.
If you decide to activate an inactive rule, go to Security and then Access and data control and then Data protection and then Manage Rules, click the current Inactive status for the rule, and select Active.
- Click Create.
Note: If a URL that you're filtering has been visited recently, it's cached for several minutes and may not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Please allow approximately 5 minutes before testing out a new or modified rule.
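As an added example (not code from this Help Center article or from Google), the following Python model shows how the two URL conditions on this page decide whether a visited URL triggers a rule: the URL list detector used as a NOT condition with the Allow with warning action (the allowlist procedure earlier on this page) and the [?|&]page_id=123 regular expression detector with the Audit action (the procedure just above). Host-equality matching for the URL list is an assumption; the console's exact URL list matching rules are not described on this page.

```python
import re
from urllib.parse import urlsplit

# Constructed URL list detector, as entered in the allowlist procedure.
ALLOWED_URL_LIST = "docs.google.com,drive.google.com,mail.google.com"

# Regular expression detector from the audit procedure; it matches a URL substring.
# Note that [?|&] is a character class, so it also matches a literal '|' before page_id.
PAGE_ID_REGEX = r"[?|&]page_id=123"


def parse_url_list(url_list: str) -> set[str]:
    """Split the comma-separated list into normalized (lowercase, trimmed) hosts."""
    return {h.strip().lower() for h in url_list.split(",") if h.strip()}


def url_in_list(url: str, hosts: set[str]) -> bool:
    """Assumed matching semantics: the visited URL's host equals a listed host."""
    host = (urlsplit(url).hostname or "").lower()
    return host in hosts


def evaluate_allowlist_rule(url: str, url_list: str = ALLOWED_URL_LIST) -> str:
    """'Matches URL from URL list' changed to a NOT condition, action Allow with warning.

    URLs in the list pass without a prompt; every other visited URL triggers
    the rule, so the user is warned and may proceed (the action is then logged).
    """
    if url_in_list(url, parse_url_list(url_list)):
        return "allow"
    return "allow_with_warning"


def evaluate_regex_rule(url: str, pattern: str = PAGE_ID_REGEX, minimum: int = 1) -> str:
    """'Matches regular expression' with Minimum times the pattern detected = 1, action Audit.

    The rule fires when the pattern is found at least `minimum` times anywhere
    in the URL string, which is what the console's Test Expression check reports.
    """
    hits = len(re.findall(pattern, url))
    return "audit" if hits >= minimum else "no_match"
```

Because "123" is only a prefix, page_id=1234 is audited while page_id=12 is not; tighten the expression (for example with a trailing (&|$)) if an exact value is intended.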