Device attributes collected by Endpoint Verification

This document describes the details of device attributes that are collected by Endpoint Verification from the devices accessing your organization's resources. Endpoint Verification collects device attributes, device identity attributes, configurable device attributes and Chrome browser attributes.

Device attributes

The following table describes the attributes that are collected by Endpoint Verification that you can use to create access levels:

Attribute name Description Supported OS Example of using the attribute in the CEL expressions
is_secured_with_screenlock A boolean value that indicates whether the screen lock function is enabled on a device.
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.is_secured_with_screenlock == true
encryption_status

The encryption status of a device. Possible values:

  • ENCRYPTION_UNSPECIFIED = 0 indicates that the encryption status of the device is not specified or not known.
  • ENCRYPTION_UNSUPPORTED = 1 indicates that the device does not support encryption.
  • ENCRYPTION_UNENCRYPTED = 2 indicates that the device supports encryption, but is not encrypted.
  • ENCRYPTED = 3 indicates that the device is encrypted.
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.encryption_status == DeviceEncryptionStatus.ENCRYPTED
os_type

The operating system running on a device. Possible values:

  • OS_UNSPECIFIED = 0 indicates that the operating system of the device is not specified or not known.
  • DESKTOP_MAC = 1
  • DESKTOP_WINDOWS = 2
  • DESKTOP_LINUX = 3
  • DESKTOP_CHROME_OS = 6
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.os_type == OsType.DESKTOP_MAC
os_version The version of the operating system running on a device.
  • macOS
  • ChromeOS
  • Windows
  • Linux
  • device.os_version == "MacOS 13.4.0"
  • device.os_version == "ChromeOs 14541.0.0"
  • device.os_version == "Windows 10.0.19045"
  • device.os_version == "Linux rodete"
verified_chrome_os A boolean value that indicates whether the request comes from a device with a verified ChromeOS. ChromeOS (only for enterprise-enrolled devices) device.verified_chrome_os == true
model The model of a device.
  • macOS
  • Windows
  • Linux
 device.model == "MacBookPro16,1"
is_managed_browser_profile A boolean value that indicates whether the Chrome content area account associated with a device matches its Chrome profile account.
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.is_managed_browser_profile == true
certificates Attributes of the certificates associated with a device. For example, Enterprise certificates.
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.certificates.exists(cert, cert.is_valid && cert.root_ca_fingerprint == "SOME_ROOT_CA_FINGERPRINT")
windows_domain_name The domain name of a windows machine. Windows device.clients["bce"].data["windows_domain_name"] == "GOOGLE"
is_os_native_firewall_enabled A boolean value that indicates whether the operating system's built-in firewall is enabled on a device.
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.clients["bce"].data["is_os_native_firewall_enabled"] == true
is_secure_boot_enabled A boolean value that indicates whether the secure boot option is enabled on a device. Windows device.clients["bce"].data["is_secure_boot_enabled"] == true
av_installed A list of antivirus software products that are installed on a device. Windows device.clients["bce"].data["av_installed"].exists(x, x == "mcafee") == true
av_enabled A list of antivirus software products that are installed and enabled on a device. Windows device.clients["bce"].data["av_enabled"].exists(x, x == "mcafee") == true
hotfixes A list of hotfixes that are applied on Windows systems. Windows device.clients["bce"].data["hotfixes"].exists(x, x == "KB0001") == true

Device identity attributes

The following table describes the attributes that are collected by Endpoint Verification that you can use to identify devices. These attributes cannot be used for creating access levels.

Attribute name Description Supported OS
Serial number The serial number of the device.
  • macOS
  • ChromeOS (only for enterprise-enrolled devices)
  • Windows
  • Linux
Hostname The hostname of the device.
  • macOS
  • Windows
  • Linux
Device ID The unique identification number associated with the device.
  • macOS
  • Windows
  • Linux
Wifi MAC Address The MAC address of the device.
  • macOS
  • ChromeOS
  • Windows
  • Linux

Configurable device attributes

Endpoint Verification provides an option to collect granular device attributes called configurable device attributes, such as metadata attributes of files, folders, and binaries; registry entries; and properties in a plist. You can use these device configuration attributes to create access levels.

This option is not enabled by default. To collect these granular configurable device attributes, configure Endpoint Verification settings.

The following table describes the file, folder, and binary attributes.

Attribute name Description Supported OS Example of using the attribute in the CEL expressions
presence

Indicates the presence of a file, folder, or binary. Possible values:

  • VALUE_UNKNOWN = 0 indicates that the presence is not known due to a failure that occurred before the assessment.
  • VALUE_INACCESSIBLE = 1 indicates that the organization does not have access to the signal's resource.
  • VALUE_NOT_FOUND = 2 indicates that the resource was not found.
  • VALUE_FOUND = 3 indicates that the resource was found.
  • macOS
  • Windows
  • Linux
 device.clients["bce"].data["file_config"]["config_name"]["presence"] == PresenceValue.VALUE_FOUND
is_running Indicates if a binary is running. It is always false for a file or folder.
  • macOS
  • Windows
  • Linux
 device.clients["bce"].data["file_config"]["config_name"]["is_running"] == true
sha256_hash

Provides SHA-256 hash of a file or binary. It is always an empty string for a folder.
  • macOS
  • Windows
  • Linux
 device.clients["bce"].data["file_config"]["config_name"]["sha256_hash"] == ""
public_key_sha256

Provides a list of SHA-256 hash values of the public keys that are used to sign the executable. It is always an empty string for a file or a folder.
  • macOS
  • Windows
 device.clients["bce"].data["file_config"]["config_name"]["public_key_sha256"].exists(x, x == "")
product_name

The product name of the executable. It is always an empty string for a file or folder.
  • macOS
  • Windows
 device.clients["bce"].data["file_config"]["config_name"]["product_name"] == "some value"
version

The product version of the executable. It is always an empty string for a file or folder.

  • macOS
  • Windows
 device.clients["bce"].data["file_config"]["config_name"]["version"] == "some value"

The following table describes the attributes based on the registry entries and properties of a plist.

Attribute name Description Supported OS Example of using the attribute in the CEL expressions
presence

Indicates the presence of a registry or plist entry. Possible values:

  • VALUE_UNKNOWN = 0 indicates that the presence is not known due to a failure that occurred before the assessment.
  • VALUE_INACCESSIBLE = 1 indicates that the organization does not have access to the signal's resource.
  • VALUE_NOT_FOUND = 2 indicates that the resource was not found.
  • VALUE_FOUND = 3 indicates that the resource was found.
  • macOS
  • Windows
  • device.clients["bce"].data["registry_config"]["config_name"]["presence"] == PresenceValue.VALUE_FOUND
  • device.clients["bce"].data["plist_config"]["config_name"]["presence"] == PresenceValue.VALUE_FOUND
value

Provides the data that is stored in the registry or plist. Possible values:

  • macOS: NSString or NSNumber
  • Windows: REG_SZ, REG_DWORD, or REG_QWORD

The strings are limited to 1024 bytes.
  • macOS
  • Windows
  • device.clients["bce"].data["registry_config"]["config_name"]["value"] == <"string value"|boolean|double|int>
  • device.clients["bce"].data["plist_config"]["config_name"]["value"] == <"string value"|boolean|double|int>

Chrome browser attributes

The following table describes the Google Chrome browser attributes that are collected by Endpoint Verification that you can use to create access levels:

Attribute name Description Supported OS Example of using the attribute in the CEL expressions
versionAtLeast(min_version) The minimum version of the Chrome browser.
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.chrome.versionAtLeast("88.0.4321.44")
management_state

The management state of the browser for a device. A browser is considered to be managed if it is enrolled to Chrome browser cloud management. Possible values:

  • CHROME_MANAGEMENT_STATE_UNSPECIFIED = 0 indicates that the management state of the device is not specified or not known.
  • CHROME_MANAGEMENT_STATE_UNMANAGED = 1 indicates that the browser or the profile is not managed by any organization.
  • CHROME_MANAGEMENT_STATE_MANAGED_BY_OTHER_DOMAIN = 2 indicates that the browser is managed, but by some other organization.
  • CHROME_MANAGEMENT_STATE_PROFILE_MANAGED = 3 indicates that the browser is not managed and the profile is managed by an organization.
  • CHROME_MANAGEMENT_STATE_BROWSER_MANAGED = 4 indicates that the browser and profile are managed by an organization.
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.chrome.management_state == ChromeManagementState.CHROME_MANAGEMENT_STATE_MANAGED_BY_OTHER_DOMAIN
is_file_upload_analysis_enabled A boolean value that indicates whether the file upload analysis connector is enabled on a device.
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.chrome.is_file_upload_analysis_enabled == true
is_file_download_analysis_enabled A boolean value that indicates whether the file download analysis connector is enabled on a device.
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.chrome.is_file_download_analysis_enabled == true
is_bulk_data_entry_analysis_enabled A boolean value that indicates whether the bulk text (paste) analysis connector is enabled on a device.
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.chrome.is_bulk_data_entry_analysis_enabled == true
is_security_event_analysis_enabled A boolean value that indicates whether the security event reporting connector is enabled on a device.
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.chrome.is_security_event_analysis_enabled == true
is_realtime_url_check_enabled A boolean value that indicates whether the real-time URL check connector is enabled on a device.
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.chrome.is_realtime_url_check_enabled == true
safe_browsing_protection_level

The browsing protection level policy of the browser. Possible values:

  • SAFE_BROWSING_LEVEL_UNSPECIFIED = 0 indicates that the browser protection level policy is not set for the device.
  • SAFE_BROWSING_LEVEL_DISABLED = 1 indicates that the browser protection level policy is disabled for the device, and the device is not protected against dangerous websites, downloads, and extensions.
  • SAFE_BROWSING_LEVEL_STANDARD = 2 indicates that the device is protected against websites, downloads, and extensions that are known to be dangerous.
  • SAFE_BROWSING_LEVEL_ENHANCED = 3
    • indicates that the device has proactive protection against dangerous websites, downloads, and extensions.
  • Mac
  • ChromeOS
  • Windows
  • Linux
 device.chrome.safe_browsing_protection_level == SafeBrowsingLevel.SAFE_BROWSING_LEVEL_STANDARD
is_site_isolation_enabled A boolean value that indicates whether the site isolation is enabled for every site.
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.chrome.is_site_isolation_enabled == true
is_built_in_dns_client_enabled A boolean value that indicates whether Chrome's built-in DNS client communicates with the DNS server.
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.chrome.is_built_in_dns_client_enabled == true
password_protection_warning_trigger

The password protect warning trigger policy of the browser. Possible values:

  • PASSWORD_PROTECTION_TRIGGER_UNSPECIFIED = 0 indicates that the password protect warning trigger policy is not set.
  • PASSWORD_PROTECTION_TRIGGER_PROTECTION_OFF = 1 indicates that the password reuse is never detected.
  • PASSWORD_PROTECTION_TRIGGER_PASSWORD_REUSE = 2 indicates that a warning is displayed when the end user reuses their protected password on a site that is not allowed.
  • PASSWORD_PROTECTION_TRIGGER_PHISHING_REUSE = 3 indicates that a warning is displayed when the end user reuses their protected password on a phishing site.
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.chrome.password_protection_warning_trigger == PasswordProtectionTrigger.PASSWORD_PROTECTION_TRIGGER_PASSWORD_REUSE
is_chrome_remote_desktop_app_blocked A boolean value that indicates whether the Chrome remote desktop remote application is blocked.
  • macOS
  • ChromeOS
  • Windows
  • Linux
 device.chrome.is_chrome_remote_desktop_app_blocked == true
is_chrome_cleanup_enabled A boolean value that indicates whether the Chrome Cleanup tool is enabled. Windows device.chrome.is_chrome_cleanup_enabled == true
is_third_party_blocking_enabled A boolean value that indicates whether the third party software injection blocking is enabled. Windows device.chrome.is_third_party_blocking_enabled == true

What's next