Set Chrome Enterprise connector policies for Chrome Enterprise Premium

Chrome Enterprise Premium threat and data protection features are available only for customers who have purchased Chrome Enterprise Premium.

As an admin, you can use the Google Admin console to check for sensitive data or help protect your Chrome users from content that contains malware. You can also prevent certain files from being sent for analysis. You can then allow or block uploads and downloads for those unscanned files.

Where do Chrome Enterprise connector policies fit into Chrome Enterprise Premium?

To implement and use the entire set of Chrome Enterprise Premium protections, you need to:

Set up Chrome Enterprise connector policies (described below).
Set up data protection rules. For details, see Use Chrome Enterprise Premium to integrate DLP with Chrome.
Set up activity alerts. For descriptions of alert types, go to View alert details.

Before you begin

Set up Chrome Enterprise Core. For details, read Set up Chrome Enterprise Core.
Chrome Enterprise Premium threat and data protection features are not supported in Incognito windows. For information about how to prevent users from opening new Incognito windows, read about the Incognito mode setting.
(Recommended) Turn on Safe Browsing to help protect users from websites that might contain malware or phishing. Read about the Safe Browsing Protection Level setting.
Sign up for Chrome Enterprise Premium. Go to the sign-up form.

Set policies

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
In the Admin console, go to Menu DevicesChromeSettings. The User & browser settings page opens by default.
If you signed up for Chrome Enterprise Core, go to Menu Chrome browserSettings.
Select your top-level organizational unit, so that all child organizations will inherit the policy.
Scroll to Chrome Enterprise connectors.
(Optional) If you’re configuring Chrome Enterprise connectors settings for the first time, follow the prompts to turn on Chrome Enterprise Premium threat and data protection for Chrome Enterprise.
Configure Chrome Enterprise connectors settings. Click below for settings details, based on what type of content you want to send for analysis.
Click Save.

Open all | Close all

Security events reporting

Specifies the cloud service APIs that you want to use to report security events. To see these events, you need to set up Chrome security events. For information, see Manage Chrome Enterprise reporting connectors.

For details about how to view reports on the security dashboard, see:

Upload content analysis

Specify the cloud service APIs that you want to use. Select Chrome Enterprise Premium, and then configure the additional settings.

Setting	Description
Delay file upload	Choose an option: Allow immediate upload—Allow users to upload the file while the scan is taking place. Delay upload until analysis is complete—Allow users to upload the file only after the scan is completed and passed. Block file upload on failure—If selected, users cannot upload the file if the scan fails due to issues such as network errors, an unreachable server, or a request timeout.
Check for sensitive data	Scan uploads for sensitive data. For details about how to specify what you want to check for, see Use Chrome Enterprise Premium to integrate DLP with Chrome. Choose an option: On by default, except for the following URL patterns Off by default, except for the following URL patterns URL pattern Specify a list of URL patterns for which pages Chrome allows or prevents scans for sensitive data. If you include multiple URLs, separate them by putting one URL per line. For information about valid URL patterns, see URL blocklist filter format. When sensitive data is found, you can choose to display a custom warning and require the user to enter a justification for uploading the data. Custom warning text—Enter the text the user sees when uploading sensitive data. Leave this field empty to display the default warning message. If a custom message is defined directly in a rule, it takes precedence over this message. Custom warning "learn more" link—Enter the URL that you want to display when the user clicks the learn more link. If you leave this field empty, the learn more link isn't displayed. If a custom message is defined directly in a rule, the learn more link isn’t displayed, only the rule’s custom message. User justification to bypass warnings—If you select Allow, the user can add a reason why they are uploading sensitive data. You can view these reasons in the Alert center.
Check for malware	Scan uploads for malware. Choose an option: On by default, except for the following URL patterns Off by default, except for the following URL patterns URL pattern Specify a list of URL patterns for which pages Chrome allows or prevents scans for malware. If you include multiple URLs, separate them by putting one URL per line. For information about valid URL patterns, see URL blocklist filter format.
File that won’t be sent for analysis	Some file types are not checked for sensitive data or malware, including password protected files and files larger than 50 MB. Choose how you want to handle those files: Allow upload Block upload

Download content analysis

Specify the cloud service APIs that you want to use. Select Chrome Enterprise Premium, and then configure the additional settings.

Setting	Description
Delay file access	Choose an option: Allow immediate file access—Allow users to open the file while the scan is taking place. Delay file access until analysis is complete—Allow users to open the file only after the scan is completed and passed. Block file access on failure—If selected, users cannot open the file if the scan fails due to issues such as network errors, an unreachable server, or a request timeout.
Check for sensitive data	Scan downloads for sensitive data. For details about how to specify what you want to check for, see Use Chrome Enterprise Premium to integrate DLP with Chrome. Choose an option: On by default, except for the following URL patterns Off by default, except for the following URL patterns URL pattern Specify a list of URL patterns for which pages Chrome allows or prevents scans for sensitive data. If you include multiple URLs, separate them by putting one URL per line. For information about valid URL patterns, see URL blocklist filter format. When sensitive data is found, you can choose to display a custom warning and require the user to enter a justification for downloading the data. Custom warning text—Enter the text the user sees when downloading sensitive data. Leave this field empty to display the default warning message. If a custom message is defined directly in a rule, it takes precedence over this message. Custom warning "learn more" link—Enter the URL that you want to display when the user clicks the learn more link. If you leave this field empty, the learn more link isn't displayed. If a custom message is defined directly in a rule, the learn more link isn’t displayed, only the rule’s custom message. User justification to bypass warnings—If you select Allow, the user can add a reason why they are downloading sensitive data. You can view these reasons in the Alert center.
Check for malware	Scan downloads for malware. Choose an option: On by default, except for the following URL patterns Off by default, except for the following URL patterns URL pattern Specify a list of URL patterns for which pages Chrome allows or prevents scans for malware. If you include multiple URLs, separate them by putting one URL per line. For information about valid URL patterns, see URL blocklist filter format.
File that won’t be sent for analysis	Some file types are not checked for sensitive data or malware, including password protected files and files larger than 50 MB. Choose how you want to handle those files: Allow download Block download

[Optional] Apply download restrictions

You can use the DownloadRestrictions policy to prevent users from bypassing security warnings to download dangerous files. Or, prevent all downloads.

File transfer content analysis

Specify the cloud service APIs that you want to use. Select Chrome Enterprise Premium, and then configure the additional settings.

Setting	Description
Delay transfer	Choose an option: Allow immediate transfer—Allow users to transfer the file while the scan is taking place. Users will not notice any influence in their workflows, but admins receive reports of the user activity if reporting is enabled. Delay the transfer until analysis is complete—Allow users to transfer the file only after the scan is completed and passed.
Check for sensitive data	Scan transfers for sensitive data. For details about how to specify what you want to check for, see Use Chrome Enterprise Premium to integrate DLP with Chrome. Choose an option: On by default, except for the following locations Off by default, except for the following locations Locations Specify a list of file systems and whether transfers to or from those file systems should be checked. When sensitive data is found, you can choose to display a custom warning and require the user to enter a justification for transferring the data Custom warning text—Enter the text the user sees when transferring sensitive data. Leave this field empty to display the default warning message. Custom warning "learn more" link—Enter the URL that you want to display when the user clicks the learn more link. If you leave this field empty, the learn more link isn't displayed. User justification to bypass warnings—If you select Allow, the user has to add a reason why they are transferring sensitive data. You can view these reasons in the Alert center.
Check for malware	Scan transfers for malware. Choose an option: On by default, except for the following locations Off by default, except for the following locations Locations Specify a list of file systems and whether transfers to or from those file systems should be checked.
File that won't be sent for analysis	Some transferred content is not checked for sensitive data or malware, including files larger than 50 MB. Choose how you want to handle those files: Allow transfer Block transfer

Bulk text content analysis

Specify the cloud service APIs that you want to use. Select Chrome Enterprise Premium, and then configure the additional settings.

Setting	Description
Delay text entry	Choose an option: Allow immediate entry—Allow users to paste text on the page while the scan is taking place. Delay text entry until analysis is complete—Allow users to paste text on the page only after the scan is completed and passed. Block text entry on failure—If selected, users cannot paste text on the page if the scan fails due to issues such as network errors, an unreachable server, or a request timeout.
Check for sensitive data	Scan bulk text for sensitive data. For details about how to specify what you want to check for, see Use Chrome Enterprise Premium to integrate DLP with Chrome. Choose an option: On by default, except for the following URL patterns Off by default, except for the following URL patterns URL pattern Specify a list of URL patterns for which pages Chrome allows or prevents scans for sensitive data. If you include multiple URLs, separate them by putting one URL per line. For information about valid URL patterns, see URL blocklist filter format. When sensitive data is found, you can choose to display a custom warning and require the user to enter a justification for pasting the text. Custom warning text—Enter the text the user sees when pasting sensitive data. Leave this field empty to display the default warning message. If a custom message is defined directly in a rule, it takes precedence over this message. Custom warning "learn more" link—Enter the URL that you want to display when the user clicks the learn more link. If you leave this field empty, the learn more link isn't displayed. If a custom message is defined directly in a rule, the learn more link isn’t displayed, only the rule’s custom message. User justification to bypass warnings—If you select Allow, the user can add a reason why they are pasting sensitive data. You can view these reasons in the Alert center.
Minimum character count	Minimum number of characters, in bytes, required to send content for analysis. In general, one character is equal to one byte. However, there are some exceptions, such as emojis.

Setting

Description

Delay text entry

Choose an option:

Allow immediate entry—Allow users to paste text on the page while the scan is taking place.
Delay text entry until analysis is complete—Allow users to paste text on the page only after the scan is completed and passed.
- Block text entry on failure—If selected, users cannot paste text on the page if the scan fails due to issues such as network errors, an unreachable server, or a request timeout.

Check for sensitive data

Scan bulk text for sensitive data. For details about how to specify what you want to check for, see Use Chrome Enterprise Premium to integrate DLP with Chrome.

Choose an option:

On by default, except for the following URL patterns
Off by default, except for the following URL patterns

URL pattern

Specify a list of URL patterns for which pages Chrome allows or prevents scans for sensitive data. If you include multiple URLs, separate them by putting one URL per line. For information about valid URL patterns, see URL blocklist filter format.

When sensitive data is found, you can choose to display a custom warning and require the user to enter a justification for pasting the text.

Custom warning text—Enter the text the user sees when pasting sensitive data. Leave this field empty to display the default warning message. If a custom message is defined directly in a rule, it takes precedence over this message.
Custom warning "learn more" link—Enter the URL that you want to display when the user clicks the learn more link. If you leave this field empty, the learn more link isn't displayed. If a custom message is defined directly in a rule, the learn more link isn’t displayed, only the rule’s custom message.
User justification to bypass warnings—If you select Allow, the user can add a reason why they are pasting sensitive data. You can view these reasons in the Alert center.

Minimum character count

Minimum number of characters, in bytes, required to send content for analysis. In general, one character is equal to one byte. However, there are some exceptions, such as emojis.

Print content analysis

Specify the cloud service APIs that you want to use. Select Chrome Enterprise Premium, and then configure the additional settings.

Setting	Description
Delay printing	Choose an option: Allow immediate printing—Allow users to print the page while the scan is taking place. Delay printing until analysis is complete—Allow users to print the page only after the scan is completed and passed. Block printing on failure—If selected, users cannot print the page if the scan fails due to issues such as network errors, an unreachable server, or a request timeout.
Check for sensitive data	Scan printed content for sensitive data. For details about how to specify what you want to check for, see Use Chrome Enterprise Premium to integrate DLP with Chrome. Choose an option: On by default, except for the following URL patterns Off by default, except for the following URL patterns URL pattern Specify a list of URL patterns for which pages Chrome allows or prevents scans for sensitive data. If you include multiple URLs, separate them by putting one URL per line. For information about valid URL patterns, see URL blocklist filter format. When sensitive data is found, you can choose to display a custom warning and require the user to enter a justification for printing the sensitive data. Custom warning text—Enter the text the user sees when printing sensitive data. Leave this field empty to display the default warning message. If a custom message is defined directly in a rule, it takes precedence over this message. Custom warning "learn more" link—Enter the URL that you want to display when the user clicks the learn more link. If you leave this field empty, the learn more link isn't displayed. If a custom message is defined directly in a rule, the learn more link isn’t displayed, only the rule’s custom message. User justification to bypass warnings—If you select Allow, the user can add a reason why they are printing sensitive data. You can view these reasons in the Alert center.
Printed content that won't be sent for analysis	Some printed content is not checked for sensitive data or malware, including files larger than 50 MB. Choose how you want to handle those files: Allow printing Block printing

Setting

Description

Delay printing

Choose an option:

Allow immediate printing—Allow users to print the page while the scan is taking place.
Delay printing until analysis is complete—Allow users to print the page only after the scan is completed and passed.
- Block printing on failure—If selected, users cannot print the page if the scan fails due to issues such as network errors, an unreachable server, or a request timeout.

Check for sensitive data

Scan printed content for sensitive data. For details about how to specify what you want to check for, see Use Chrome Enterprise Premium to integrate DLP with Chrome.

Choose an option:

On by default, except for the following URL patterns
Off by default, except for the following URL patterns

URL pattern

When sensitive data is found, you can choose to display a custom warning and require the user to enter a justification for printing the sensitive data.

Custom warning text—Enter the text the user sees when printing sensitive data. Leave this field empty to display the default warning message. If a custom message is defined directly in a rule, it takes precedence over this message.
Custom warning "learn more" link—Enter the URL that you want to display when the user clicks the learn more link. If you leave this field empty, the learn more link isn't displayed. If a custom message is defined directly in a rule, the learn more link isn’t displayed, only the rule’s custom message.
User justification to bypass warnings—If you select Allow, the user can add a reason why they are printing sensitive data. You can view these reasons in the Alert center.

Printed content that won't be sent for analysis

Some printed content is not checked for sensitive data or malware, including files larger than 50 MB. Choose how you want to handle those files:

Allow printing
Block printing

Real time URL check

Choose the cloud service API to be used by Chrome for sending URLs to be scanned in real time to protect users against dangerous sites. We also recommend that you turn on Safe Browsing. For details about the Safe Browsing Protection Level setting, see Set Chrome policies for users or browsers.

Was this helpful?

How can we improve it?

Set Chrome Enterprise connector policies for Chrome Enterprise Premium

Where do Chrome Enterprise connector policies fit into Chrome Enterprise Premium?

Before you begin

Set policies

URL pattern

URL pattern

URL pattern

URL pattern

[Optional] Apply download restrictions

Locations

Locations

URL pattern

URL pattern

Related topics

Was this helpful?

Need more help?

Try these next steps: