Combine DLP rules with Context-Aware Access conditions

Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus.

Drive DLP and Chat DLP are available to Cloud Identity Premium users who also have a Google Workspace license. For Drive DLP, the license must include the Drive log events.

To have greater control over which users and devices can transfer sensitive content, you can combine data loss prevention (DLP) rules with Context-Aware Access conditions, such as user location, device security status (managed, encrypted), and IP address. When you add a Context-Aware Access condition to a DLP rule, the rule is enforced only if the context conditions are met.

Use cases

Combining DLP rules and Context-Aware Access conditions can help you control:

  • Chrome browser—For example, uploading and attaching files, uploading and pasting web content, downloading, and printing.
  • Google Drive—For example, copying, downloading, and printing Drive files by users with comment or view access.

To review detailed examples, go to DLP & Context-Aware Access rule examples on this page.

Before you begin

Before combining DLP rules with Context-Aware Access conditions, you must meet the following requirements.

  • Google Workspace add-on: Required for Chrome DLP, not required for Drive DLP.
  • Chrome browser version: Version 105 or later. Required for Chrome DLP, not required for Drive DLP. For details, go to FAQ.
  • Endpoint verification: For desktop devices, you must turn on endpoint verification to apply device or device OS-based context conditions. Not required for non-device-based attributes, such as IP address, region, and browser management state.
  • Mobile management: Mobile devices should have basic or advanced management enforced. Not required for non-device-based attributes, such as IP address, region, and browser management state.
  • Admin privileges for access levels: To create access levels, you must have the Access level management privilege. To use access levels in DLP rules, you must have the Access level management or Rule management privilege. For details, go to Data Security.

Step 1: Set up Chrome browser for rules enforcement

To integrate DLP features with Chrome browser, you need to set up Chrome Enterprise connector policies.

Step 2: Create a DLP rule with Context-Aware Access conditions

Before you begin: These are generic instructions to illustrate creating a DLP rule with Context-Aware Access conditions. For more specific examples, go to DLP & Context-Aware Access rule examples on this page.

You can create an access level before you create a DLP rule or during rule creation. These steps create the access level first, before the rest of the steps.

  1. Create a new access level with appropriate conditions. For the steps, go to Create an access level. You can assign a single access level to a DLP rule.
  2. Create a new DLP rule from scratch or using a predefined template. For the steps, go to Create data protection rules.

Changes can take up to 24 hours but typically happen more quickly.

DLP & Context-Aware Access rule examples

The following examples show how you can combine DLP rules with Context-Aware Access levels to make rule enforcement dependent on a user's IP address, location, or device status.

Example 1: Block downloads on devices outside the corporate network (Chrome browser)

To create rules for Chrome browser, you need Chrome Enterprise Premium.

  1. In the Google Admin console, go to Menu and then Rules and then Create rule and then Data protection.

    Requires having the View and Manage DLP rule privileges.

  2. Enter the name and (optionally) a description for the rule.
  3. In the Apps section, for Chrome, click the File downloaded box.
  4. Click Continue.
  5. In the Actions section, for Chrome, select Block.
  6. (Optional) To specify how incidents are plotted in the DLP Incident dashboard, in the Alerting section, choose a severity level (Low, Medium, High).
  7. (Optional) To trigger notifications in the Alert center, check the Alert center box. To send a notification to administrators, check the All super admins box or add the email addresses of recipients.
  8. Click Continue.
  9. For Scope, choose an option:
    • To apply the rule to your whole organization, select All in domain.name.
    • To apply the rule to specific organizational units or groups, select Organizational units and/or groups and include or exclude organizational units and groups.

    If there's a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.

  10. In the Content conditions section, click Add condition and then configure the condition as follows:
  11. For Context conditions, click Select an access level.
    If you already created an appropriate access level, in the Context conditions section, select your access level and go to step 19.
  12. Click Create new access level.
  13. Enter a name (for example, Outside corporate network) and, optionally, a description.
  14. In the Context conditions section, click Add condition.
  15. Select Doesn't meet 1 or more attributes (OR).
  16. Click Select attribute and then IP subnet (Public) and enter your corporate network's IP address. The address should be an IPv4 or IPv6 address or routing prefix in CIDR block notation.
    • Private IP addresses aren't supported (including users' home networks).
    • Static IP addresses are supported.
    • To use a dynamic IP address, you must define a static IP subnet for the access level. If you know the range of the dynamic IP address, and the defined static IP address in the access level covers that range, the context condition is met. If the dynamic IP address isn't in the defined static IP subnet, the context condition isn't met.
  17. Click Create. You return to the Create Rule page. Your new access level and its attributes are added to the list.
  18. Click Continue to review the rule details.
  19. For Rule status, choose an option:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security and then Access and data control and then Data Protection and then Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  20. Click Create.

Changes can take up to 24 hours but typically happen more quickly.
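The following Python block is an added example, not Google's code and not something the Admin console runs: it models the "Outside corporate network" access level from Example 1 as a local check on a client's public IP and shows the resulting Block decision. The corporate prefixes are constructed sample values from the RFC 5737 and RFC 3849 documentation ranges, and the function names are assumptions for illustration. It also applies the page's note that private addresses (home networks) can never satisfy the IP subnet attribute, and the FAQ's rule that an empty content condition evaluates to true.

```python
# Added example, not Google's code: models the "Outside corporate network"
# access level from Example 1 as a local check on a client's public IP, and
# the Block decision that results. Corporate prefixes are constructed sample
# values taken from the RFC 5737 / RFC 3849 documentation ranges.
import ipaddress
from typing import Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Values as you would enter them for the "IP subnet (Public)" attribute:
# a single IPv4/IPv6 address or a routing prefix in CIDR notation.
CORPORATE_SUBNETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.42"),       # one static address (/32)
    ipaddress.ip_network("2001:db8:cafe::/48"),
]

# Address space the attribute cannot match: RFC 1918, loopback, link-local and
# IPv6 unique-local ranges. Home networks fall in here, which is why the page
# says private addresses are not supported.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def meets_ip_subnet(client_ip: str, subnets: Iterable[Network] = CORPORATE_SUBNETS) -> bool:
    """True when the client's public IP lies inside one of the subnets."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparseable source address cannot satisfy the attribute
    if any(addr in net for net in NON_PUBLIC):
        return False  # private address: attribute not met
    # Membership across IP versions is simply False, so a mixed list is fine.
    return any(addr in net for net in subnets)


def outside_corporate_network(client_ip: str) -> bool:
    """Access level "Outside corporate network": 'Doesn't meet 1 or more
    attributes (OR)' with a single IP-subnet attribute, so it applies exactly
    when the subnet attribute is NOT met."""
    return not meets_ip_subnet(client_ip)


def download_blocked(client_ip: str, content_matched: bool = True) -> bool:
    """Block decision for the rule. Example 1 configures no content condition;
    per the FAQ an empty condition evaluates to true, and a rule triggers only
    when both the content and the context conditions are met."""
    return content_matched and outside_corporate_network(client_ip)


if __name__ == "__main__":
    for ip in ("203.0.113.77", "198.51.100.42", "198.51.100.43",
               "192.168.1.20", "2001:db8:cafe::1"):
        print(f"{ip:>20}  download blocked: {download_blocked(ip)}")
```

Running the block prints one line per constructed address: the two corporate addresses are not blocked, the neighbouring public address and the RFC 1918 home address are. The private-range list is written out explicitly rather than taken from `ipaddress.is_private`, because Python classifies the documentation prefixes used as sample corporate ranges as private too.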

Example 2: Block downloads for users signing in from specific countries (Chrome browser)

To create rules for Chrome browser, you need Chrome Enterprise Premium.

  1. In the Google Admin console, go to Menu and then Rules and then Create rule and then Data protection.

    Requires having the View and Manage DLP rule privileges.

  2. Enter the name and (optionally) a description for the rule.
  3. In the Apps section, for Chrome, click the File downloaded box.
  4. Click Continue.
  5. In the Actions section, for Chrome, select Block.
  6. (Optional) To specify how incidents are plotted in the DLP Incident dashboard, in the Alerting section, choose a severity level (Low, Medium, High).
  7. (Optional) To trigger notifications in the Alert center, check the Alert center box. To send a notification to administrators, check the All super admins box or add the email addresses of recipients.
  8. Click Continue.
  9. For Scope, choose an option:
    • To apply the rule to your whole organization, select All in domain.name.
    • To apply the rule to specific organizational units or groups, select Organizational units and/or groups and include or exclude organizational units and groups.

    If there's a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.

  10. In the Content conditions section, click Add condition and then configure the condition as follows:
  11. In the Context conditions section, click Select an access level.

    If you already created an appropriate access level, in the Context conditions section, select your access level and go to step 20.

  12. Click Create new access level.
  13. Enter a name (for example, In China) and, optionally, a description.
  14. In the Context conditions section, click Add condition.
  15. Select Meets all attributes (AND).
  16. Click Select attribute and then Location and then select a country from the list.
  17. (Optional) To add additional countries and apply the rule to users signing in from them:
    1. Click Add condition and select Meets all attributes (AND).
    2. At the top of Conditions, set Join multiple conditions with to OR.
  18. Click Create. You return to the Create Rule page. Your new access level and its attributes are added to the list.
  19. Click Continue to review the rule details.
  20. For Rule status, choose an option:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security and then Access and data control and then Data Protection and then Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  21. Click Create.

Changes can take up to 24 hours but typically happen more quickly.

Example 3: Block downloads on devices that aren't admin-approved (Drive)

  1. In the Google Admin console, go to Menu and then Rules and then Create rule and then Data protection.

    Requires having the View and Manage DLP rule privileges.

  2. Enter the name and (optionally) a description for the rule.
  3. In the Apps section, for Google Drive, click the Drive files box.
  4. Click Continue.
  5. In the Actions section, for Google Drive, select Disable download, print, and copy and then For commenters and viewers only.
  6. (Optional) To specify how incidents are plotted in the DLP Incident dashboard, in the Alerting section, choose a severity level (Low, Medium, High).
  7. (Optional) To trigger notifications in the Alert center, check the Alert center box. To send a notification to administrators, check the All super admins box or add the email addresses of recipients.
  8. Click Continue.
  9. For Scope, choose an option:
    • To apply the rule to your whole organization, select All in domain.name.
    • To apply the rule to specific organizational units or groups, select Organizational units and/or groups and include or exclude organizational units and groups.

    If there's a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.

  10. In the Content conditions section, click Add condition and then configure the condition as follows:
    • For Content type to scan, select All content.
    • For What to scan for, choose a DLP scan type and select attributes. For more information on available attributes, go to Create a DLP rule.
  11. In the Context conditions section, click Select an access level.
  12. If you already created an appropriate access level, in the Context conditions section, select your access level and go to step 18.
  13. Click Create new access level.
  14. Enter a name (for example, Unapproved device) and, optionally, a description.
  15. In the Context conditions section, click Add condition and configure the condition as follows:
    • Select Doesn't meet 1 or more attributes (OR).
    • Click Select attribute and then Device and then Admin-approved.
  16. Click Create. You return to the Create Rule page. Your new access level and its attributes are added to the list.
  17. Click Continue to review the rule details.
  18. For Rule status, choose an option:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security and then Access and data control and then Data Protection and then Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  19. Click Create.

Changes can take up to 24 hours but typically happen more quickly.

Example 4: Block navigations to "salesforce.com/admin" on unmanaged devices (Chrome browser)

In this example, the user is blocked if they try to navigate to the Salesforce admin console (salesforce.com/admin) with an unmanaged device. Users would still be able to access other parts of the Salesforce application.

To create rules for Chrome browser, you need Chrome Enterprise Premium.

  1. In the Google Admin console, go to Menu and then Rules and then Create rule and then Data protection.

    Requires having the View and Manage DLP rule privileges.

  2. Enter the name and (optionally) a description for the rule.
  3. In the Apps section, for Chrome, click the URL visited box.
  4. (Optional) To specify how incidents are plotted in the DLP Incident dashboard, in the Alerting section, choose a severity level (Low, Medium, High).
  5. (Optional) To trigger notifications in the Alert center, check the Alert center box. To send a notification to administrators, check the All super admins box or add the email addresses of recipients.
  6. Click Continue.
  7. In the Actions section, for Chrome, select Block.
  8. Click Continue.
  9. For Scope, choose an option:
    • To apply the rule to your whole organization, select All in domain.name.
    • To apply the rule to specific organizational units or groups, select Organizational units and/or groups and include or exclude organizational units and groups.

    If there's a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.

  10. In the Content conditions section, click Add Condition and configure the condition as follows:
    • For Content type to scan, select URL.
    • For What to scan for, select Contains text string.
    • For Contents to match, enter salesforce.com/admin.
  11. In the Context conditions section, click Select an access level.
    If you already created an appropriate access level, in the Context conditions section, select your access level and go to step 18.
  12. Click Create new access level.
  13. Enter a name (for example, Salesforce Admin) and, optionally, a description.
  14. In the Context conditions section, click the Advanced tab.
  15. In the text box, enter:
    device.chrome.management_state != ChromeManagementState.CHROME_MANAGEMENT_STATE_BROWSER_MANAGED
  16. Click Create. You return to the Create Rule page. Your new access level and its attributes are added to the list.
  17. Click Continue to review the rule details.
  18. For Rule status, choose an option:
    • Active—Your rule runs immediately.
    • Inactive—Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security and then Access and data control and then Data Protection and then Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
  19. Click Create.

Changes can take up to 24 hours but typically happen more quickly.

Note: If a URL that you're filtering has been visited recently, it's cached for several minutes and might not be successfully filtered by a new (or modified) rule until the cache is cleared of that URL. Allow approximately 5 minutes before testing a new or modified rule.

FAQ

How do DLP rules with Context-Aware Access conditions behave on previous Chrome versions?

In previous Chrome versions, context conditions are ignored. Rules behave as if only content conditions are set.

Do managed browser rules work in Incognito mode?

No. Rules do not apply in Incognito mode. Administrators can prevent sign-ins to Workspace or SaaS applications from Chrome Incognito mode by enforcing Context-Aware Access at sign-in time.

Do managed browsers and managed users need to be in the same enterprise for a rule to be applied?

If the managed browser and managed profile user belong to the same enterprise, then both browser-level DLP rules and user-level DLP rules will be applied.

If the managed browser and managed profile user belong to different enterprises, then only the browser-level DLP rules will be applied. The context condition will always be considered as a match, and the strictest outcome will be enforced. There is no impact on IP-based or region-based conditions.

Do the Admin console and Google Cloud console support the same access levels?

Context-Aware Access in the Admin console does not support all of the attributes that the Google Cloud console supports. Basic access levels created in the Google Cloud console that include unsupported attributes can still be assigned in the Admin console, but can't be edited there.

On the Rules page in the Admin console, you can assign Google Cloud console-created access levels, but can't view condition details for access levels with unsupported attributes.

Why don't I see the context conditions card when I'm creating a rule?

  • Make sure you have the Services > Data Security > Access level management admin privilege, which is required to view context conditions during DLP rule creation.
  • The context conditions card only displays when you select Chrome triggers during rule creation.

What if an assigned access level is deleted?

If an assigned access level is deleted, the context conditions default to true and the rule behaves like a content-only rule. Note that the rule will then apply to more devices and use cases than you originally intended.

Should Context-Aware Access be enabled for context conditions to work in rules?

No. Access level evaluation in rules is independent of Context-Aware Access settings. Context-Aware Access activation and assignment should not affect rules.

What if the rule condition is empty?

Empty conditions are evaluated to true by default. This means that for a Context-Aware Access-only rule, the content conditions can be left empty. Note that if both content and context conditions are left empty, the rule will always get triggered.

Will a rule be triggered if only one of the conditions is met?

No. The rule is only triggered when both content and context conditions are met.

Why am I seeing log events saying that DLP was not enforced?

DLP and Context-Aware Access both rely on background services which may be periodically interrupted. If a service interruption occurs during rule enforcement, then there is no enforcement. When this happens, an event is logged in both the Rules log events and Chrome log events.

How do context conditions work when endpoint verification is not installed?

For device-based attributes, the context conditions will be considered as a match and the strictest outcome will be enforced. For non-device-based attributes (such as IP address and region) there's no change.
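The FAQ answers above define how a rule is evaluated: an empty condition is true, a deleted access level makes the context condition true, a rule fires only when both content and context conditions hold, and device-based attributes count as a match when endpoint verification is missing so that the strictest outcome is enforced. The Python block below is an added example, not Google's code, that models those rules locally so they can be reasoned about before a rule is activated. The class and field names are assumptions made for illustration, not Admin console identifiers, and the reading that a level containing any device-based attribute counts as a match without endpoint verification is an interpretation of the FAQ text.

```python
# Added example, not Google's code: a local model of the evaluation rules the
# FAQ describes (empty condition -> true, deleted access level -> context true,
# rule fires only when content AND context are met, device attributes count as
# a match when endpoint verification is missing). The class and field names
# are assumptions for illustration, not Admin console identifiers.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ContextAttribute:
    name: str
    device_based: bool  # Device / device OS attributes need endpoint verification
    met: bool           # what evaluating the attribute on this request returned


@dataclass
class AccessLevel:
    name: str
    attributes: List[ContextAttribute] = field(default_factory=list)
    # False: "Meets all attributes (AND)"; True: "Doesn't meet 1 or more attributes (OR)"
    negated: bool = False


@dataclass
class Rule:
    name: str
    content_matched: Optional[bool] = None      # None: no content condition configured
    access_level: Optional[AccessLevel] = None  # None: none assigned, or it was deleted


def evaluate_access_level(level: AccessLevel, endpoint_verification: bool) -> bool:
    """Return whether the context condition is a match for this request."""
    if not level.attributes:
        return True  # an empty condition evaluates to true
    if not endpoint_verification and any(a.device_based for a in level.attributes):
        # Without endpoint verification, device-based attributes cannot be
        # checked; the FAQ says the context condition is then considered a
        # match so that the strictest outcome (the rule's action) is enforced.
        # (Interpretation: one device-based attribute is enough for this.)
        return True
    all_met = all(a.met for a in level.attributes)
    return (not all_met) if level.negated else all_met


def rule_triggers(rule: Rule, endpoint_verification: bool = True) -> bool:
    """A rule triggers only when BOTH its content and context conditions hold.
    A missing (or deleted) access level leaves the context condition true, so
    the rule degrades to a content-only rule, as the FAQ warns."""
    content = True if rule.content_matched is None else rule.content_matched
    context = True if rule.access_level is None else evaluate_access_level(
        rule.access_level, endpoint_verification)
    return content and context


if __name__ == "__main__":
    # Example 3's level: "Unapproved device" = doesn't meet Device > Admin-approved.
    approved = AccessLevel("Unapproved device",
                           [ContextAttribute("Admin-approved", True, met=True)], negated=True)
    unapproved = AccessLevel("Unapproved device",
                             [ContextAttribute("Admin-approved", True, met=False)], negated=True)
    drive_rule = Rule("Drive download block", content_matched=True, access_level=approved)
    print("approved device, EV installed   :", rule_triggers(drive_rule))
    print("approved device, no EV          :", rule_triggers(drive_rule, endpoint_verification=False))
    print("unapproved device, EV installed :",
          rule_triggers(Rule("Drive download block", True, unapproved)))
    print("both conditions empty           :", rule_triggers(Rule("empty rule")))
```

The last line of the demo shows the FAQ's warning in practice: a rule with neither content nor context conditions always triggers, and a rule whose access level was deleted behaves the same way as one that never had one.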

Can I view access level information for triggered rules in the security investigation tool?

Yes. Search for either Rule log events or Chrome log events; the Access level column of the search results shows the access level information for each triggered rule.

Is user remediation available for context conditions in rules?

No. User remediation is not available in these flows yet.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.