Chromebook-Specific Web Policy

Add a Chromebook-specific rule set to the web policy and protect all the Chromebook devices connected to your network. After you add a Chromebook-specific rule set, place the rule set at the top of your rule set list so that it is evaluated first. This ensures that this Chromebook-specific rule set is applied to your Chromebooks before any other rule set is evaluated. For more information about web policy, see Manage the Web Policy.

Note: To maintain end-user privacy when Chromebooks are connected at remote locations, you can also disable content logging and include only security-related events in your reporting.


  • Cisco Security for Chromebook client must be deployed. For more information, see Deploy the Chromebook Client.
  • To avoid certificate errors when accessing an Umbrella block page, install the Cisco Umbrella root certificate or a certificate signed by your CA on your Chromebooks. See Manage Certificates.
  • Full-admin access to the Umbrella dashboard. See Manage User Roles.


  1. Navigate to Policies > Management > Web Policy and click Add.
  1. Under Ruleset Settings, configure the settings, as needed.

a. Click Edit adjacent to Ruleset Identities.
Note: You must add identities to a rule set to enable that rule set.
b. Choose one of these options, as required, and click Save. (Each Chromebook is identified and listed by the email used to log in to that Chromebook.)

  • G Suite OUs — To apply a web rule set to one or more G Suite organizational units.
  • G Suite Users — To apply a web rule set to one or more Chromebook users.
  • Chromebooks — To apply a web rule set to one or more Chromebook devices.
  1. Continue editing the Ruleset Settings, as needed, and then click Save. For more information about adding a rule set to a web policy, see Add a Ruleset to the Web Policy.
  2. Add rules to your rule set. For more information about adding rules to a rule set, see Add Rules to a Ruleset.
    Rules allow you to fine-tune your rule set, setting the action—allow, warn, block, or isolate—that takes place when an identity attempts to access a destination.
    a. For Identities, click Add Identity, select the G Suite OUs, G Suite Users, and Chromebooks identities that will use this rule, and then click Apply.
    You must select a minimum of one identity.
  1. Continue through the rule and then save it.
    The new rule is saved to the rule set to which it has been added. However, by default, rules are disabled and must be enabled to come into effect. Until then, a new rule is ignored when Umbrella evaluates the web policy against requests.
  2. Enable the rule:
    a. From the Action menu, click Enable Rule.
    Tip: Before enabling rules, prioritize them. When a rule set has multiple enabled rules, they are evaluated in a top-down order, that is, the rule that is at the top of the list is evaluated first, and then the next, and so on until a match is made. Dag and drop your rules such that rules are evaluated in the order in which you require them to be evaluated.


b. Click UPDATE and then confirm the change.
The rule is enabled.


Chromebook-specific DNS Policy > Chromebook-specific Web Policy > Chromebook Client - FAQs