Configuring Chrome browser attributes

The Chrome browser is BeyondCorp Enterprise's zero trust endpoint platform, empowering and protecting work-from-anywhere enterprises. Integrated natively with the Chrome browser, BeyondCorp Enterprise offers centralized security policy management, agentless endpoint protection, and integrated zero trust access.

The BeyondCorp Enterprise endpoint protection includes the following threat and data protection capabilities:

  • Data protection - Prevent leaking of sensitive data (for example, personally-identifiable information) in files transferred and in content uploaded by the browser.
  • Threat protection - Protect against malware transfers using reputation, signatures, and cloud sandboxing.
  • Enterprise analytics - Provide analysis and investigation for security events such as malware transfers, phishing site visits, credential theft, or sensitive data transfers.

To ensure that users are accessing resources from secure environments, you can set zero trust policies that require the user's browser environment to have these threat and data protection capabilities turned on. The following are new access conditions that you can use in Access Context Manager's custom access levels.

Attribute/Function - Definition

  • management_state - Is the browser managed, at the browser level or at the profile level, and by the enterprise under the correct domain.

    A browser is considered to be managed if the policies are centrally managed and pushed, and the domain of the managed browser or profile matches the expected domain on the server side.

    device.chrome.management_state == ChromeManagementState.CHROME_MANAGEMENT_STATE_MANAGED_BY_OTHER_DOMAIN | ChromeManagementState.CHROME_MANAGEMENT_STATE_BROWSER_MANAGED | ChromeManagementState.CHROME_MANAGEMENT_STATE_PROFILE_MANAGED | ChromeManagementState.CHROME_MANAGEMENT_STATE_UNMANAGED

  • versionAtLeast(min_version) - Is the browser above a certain minimum version.

    device.chrome.versionAtLeast("88.0.4321.44")

  • is_realtime_url_check_enabled - Is the real-time URL check connector enabled.

    device.chrome.is_realtime_url_check_enabled == true | false

  • is_file_upload_analysis_enabled - Is the file upload analysis connector enabled.

    device.chrome.is_file_upload_analysis_enabled == true | false

  • is_file_download_analysis_enabled - Is the file download analysis connector enabled.

    device.chrome.is_file_download_analysis_enabled == true | false

  • is_bulk_data_entry_analysis_enabled - Is the bulk text (paste) analysis connector enabled.

    device.chrome.is_bulk_data_entry_analysis_enabled == true | false

  • is_security_event_analysis_enabled - Is the security event reporting connector enabled.

    device.chrome.is_security_event_analysis_enabled == true | false

The following table contains examples of policies that you can set:

Example Policy - Expression

  • Only allow access to resources when the user is coming from a fully managed Chrome browser, and not just a managed Chrome profile.

    device.chrome.management_state == ChromeManagementState.CHROME_MANAGEMENT_STATE_BROWSER_MANAGED

  • Only allow access to resources if download content analysis is enabled so administrators can ensure that sensitive content download can be detected.

    device.chrome.is_file_download_analysis_enabled == true

  • Only allow access to content if the browser has threat and data protection capabilities enabled.

    device.chrome.is_file_download_analysis_enabled == true && device.chrome.is_file_upload_analysis_enabled == true && device.chrome.is_realtime_url_check_enabled == true

  • Only allow access to content if security event reporting is enabled.

    device.chrome.is_security_event_analysis_enabled == true
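
The following Python script is an added example, not part of the original page or of Google's tooling. It audits a custom access level expression for the Chrome attributes listed above and reports which connector checks are missing, whether the management state is checked, and whether a minimum version is set. The function name audit, the warning strings, and the choice of browser-level management as the strict baseline are assumptions of this example; only flat chains of && terms are interpreted.

```python
import re

# Boolean connector attributes documented on this page.
CONNECTORS = (
    "is_realtime_url_check_enabled",
    "is_file_upload_analysis_enabled",
    "is_file_download_analysis_enabled",
    "is_bulk_data_entry_analysis_enabled",
    "is_security_event_analysis_enabled",
)
BOOL_RE = re.compile(r"device\.chrome\.(is_\w+_enabled)\s*==\s*(true|false)")
STATE_RE = re.compile(r"device\.chrome\.management_state\s*==\s*ChromeManagementState\.(\w+)")
VERSION_RE = re.compile(r'device\.chrome\.versionAtLeast\(\s*"([0-9.]+)"\s*\)')
# Baseline chosen for this example (an assumption): browser-level management only.
STRICT_STATE = "CHROME_MANAGEMENT_STATE_BROWSER_MANAGED"

def audit(expression):
    """Report which Chrome posture checks an access level expression enforces.
    Assumes a flat chain of && terms; || or ! is flagged, not interpreted.
    """
    warnings = []
    if "||" in expression or "!" in expression:
        warnings.append("uses || or !; review by hand")
    checks = BOOL_RE.findall(expression)
    required = {name for name, value in checks if value == "true"}
    warnings += [f"{n} is required to be off" for n, v in checks if v == "false"]
    state = STATE_RE.search(expression)
    version = VERSION_RE.search(expression)
    if state is None:
        warnings.append("management_state is not checked")
    elif state.group(1) != STRICT_STATE:
        warnings.append(f"accepts {state.group(1)}")
    if version is None:
        warnings.append("no minimum browser version")
    return {"missing_connectors": [c for c in CONNECTORS if c not in required],
            "management_state": state.group(1) if state else None,
            "min_version": version.group(1) if version else None,
            "warnings": warnings}

# Constructed inputs: the page's three-connector policy and a stricter one.
PAGE_EXAMPLE = " && ".join(f"device.chrome.{c} == true" for c in CONNECTORS[:3])
STRICT = " && ".join([
    f"device.chrome.management_state == ChromeManagementState.{STRICT_STATE}",
    'device.chrome.versionAtLeast("88.0.4321.44")',
    *(f"device.chrome.{c} == true" for c in CONNECTORS)])

if __name__ == "__main__":
    print(audit(PAGE_EXAMPLE), audit(STRICT), sep="\n")
```

Run against the page's three-connector policy, the audit shows that paste analysis and security event reporting are not required and that neither management state nor browser version is constrained.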