Device attributes collected by Endpoint Verification

This document describes the details of device attributes that are collected byEndpoint Verification from the devices accessing your organization's resources.Endpoint Verification collectsdevice attributes,device identity attributes,configurable device attributes andChrome browser attributes.

Note: You can also useChrome Enterprise Premium and third-party client integrationsto collect device attributes from third-party clients, such as Tanium,CrowdStrike, and Microsoft Intune.

Device attributes

The following table describes the attributes that are collected byEndpoint Verification that you can use to create access levels.

Note: The valuebce indevice.clients[] represents Chrome Enterprise Premium (formerly BeyondCorp Enterprise).
Attribute nameDescriptionSupported OSExample of using the attribute in theCEL expressions
is_secured_with_screenlockA boolean value that indicates whether the screen lock function is enabled on a device.
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.is_secured_with_screenlock == true
encryption_status

The encryption status of a device. Possible values:

  • ENCRYPTION_UNSPECIFIED = 0 indicates that the encryption status of the device is not specified or not known.
  • ENCRYPTION_UNSUPPORTED = 1 indicates that the device does not support encryption.
  • ENCRYPTION_UNENCRYPTED = 2 indicates that the device supports encryption, but is not encrypted.
  • ENCRYPTED = 3 indicates that the device is encrypted.
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.encryption_status == DeviceEncryptionStatus.ENCRYPTED
os_type

The operating system running on a device. Possible values:

  • OS_UNSPECIFIED = 0 indicates that the operating system of the device is not specified or not known.
  • DESKTOP_MAC = 1
  • DESKTOP_WINDOWS = 2
  • DESKTOP_LINUX = 3
  • DESKTOP_CHROME_OS = 6
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.os_type == OsType.DESKTOP_MAC
os_versionThe version of the operating system running on a device.
  • macOS
  • ChromeOS
  • Windows
  • Linux
  • device.os_version == "MacOS 13.4.0"
  • device.os_version == "ChromeOs 14541.0.0"
  • device.os_version == "Windows 10.0.19045"
  • device.os_version == "Linux rodete"
Note: Operating system names are case-sensitive.
verified_chrome_osA boolean value that indicates whether the request comes from a device with averified ChromeOS. ChromeOS (only for enterprise-enrolled devices)device.verified_chrome_os == true
modelThe model of a device.
  • macOS
  • Windows
  • Linux
device.model == "MacBookPro16,1"
is_managed_browser_profileA boolean value that indicates whether the Chrome content area account associated with a device matches its Chrome profile account.
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.is_managed_browser_profile == true
certificatesAttributes of the certificates associated with a device. For example,Enterprise certificates.
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.certificates.exists(cert, cert.is_valid && cert.root_ca_fingerprint == "SOME_ROOT_CA_FINGERPRINT")
windows_domain_nameThe domain name of a Windows machine.Windowsdevice.clients["bce"].data["windows_domain_name"] == "GOOGLE"
is_os_native_firewall_enabled

A boolean value that indicates whether the operating system's built-in firewall is enabled on a device.

Note: Requires theEndpoint Verification native helper.
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.clients["bce"].data["is_os_native_firewall_enabled"] == true
is_secure_boot_enabledA boolean value that indicates whether the secure boot option is enabled on a device.Windowsdevice.clients["bce"].data["is_secure_boot_enabled"] == true
av_installed

A list of antivirus software products that are installed on a device.

Note: Requires theEndpoint Verification native helper.		Windowsdevice.clients["bce"].data["av_installed"].exists(x, x == "mcafee") == true
av_enabled

A list of antivirus software products that are installed and enabled on a device.

Note: Requires theEndpoint Verification native helper.		Windowsdevice.clients["bce"].data["av_enabled"].exists(x, x == "mcafee") == true
hotfixes

A list of hotfixes that are applied on Windows systems.

Note: Requires theEndpoint Verification native helper.		Windowsdevice.clients["bce"].data["hotfixes"].exists(x, x == "KB0001") == true

Device identity attributes

The following table describes the attributes that are collected byEndpoint Verification that you can use to identify devices. These attributes cannotbe used for creating access levels.

Attribute nameDescriptionSupported OS
Serial numberThe serial number of the device.
  • macOS
  • ChromeOS (only for enterprise-enrolled devices)
  • Windows
  • Linux
HostnameThe hostname of the device.
  • macOS
  • Windows
  • Linux
Device IDThe unique identification number associated with the device.
  • macOS
  • Windows
  • Linux
Wifi MAC AddressThe MAC address of the device.
  • macOS
  • ChromeOS
  • Windows
  • Linux

Configurable device attributes

Endpoint Verification provides an option to collect granular device attributes calledconfigurable device attributes, such as metadata attributes of files, folders,and binaries; registry entries; and properties in a plist.You can use these device configuration attributes to create access levels.

This option is not enabled by default. To collect these granular configurabledevice attributes,configure Endpoint Verification settings.

Note: TheEndpoint Verification native helper runs in the user space, as the signed-in user. It can only detect files, folders, and processes that are visible and accessible to the current user.

The following table describes the file, folder, and binary attributes.

Note:config_name is the name of the configuration that you specified whenconfiguring the Endpoint Verification settings.
Attribute nameDescriptionSupported OSExample of using the attribute in theCEL expressions
presence

Indicates the presence of a file, folder, or binary. Possible values:

  • VALUE_UNKNOWN = 0 indicates that the presence is not known due to a failure that occurred before the assessment.
  • VALUE_INACCESSIBLE = 1 indicates that the organization does not have access to the signal's resource.
  • VALUE_NOT_FOUND = 2 indicates that the resource was not found.
  • VALUE_FOUND = 3 indicates that the resource was found.
  • macOS
  • Windows
  • Linux
device.clients["bce"].data["file_config"]["config_name"]["presence"] == PresenceValue.VALUE_FOUND
is_runningIndicates if a binary is running. It is always false for a file or folder.
  • macOS
  • Windows
  • Linux
device.clients["bce"].data["file_config"]["config_name"]["is_running"] == true
sha256_hash

Provides SHA-256 hash of a file or binary. It is always an empty string for a folder.

Note: String comparisons are case-sensitive.
  • macOS
  • Windows
  • Linux
device.clients["bce"].data["file_config"]["config_name"]["sha256_hash"] == ""
public_key_sha256

Provides a list of SHA-256 hash values of the public keys that are used to sign the executable. It is always an empty string for a file or a folder.

Note: String comparisons are case-sensitive.
  • macOS
  • Windows
device.clients["bce"].data["file_config"]["config_name"]["public_key_sha256"].exists(x, x == "")
product_name

The product name of the executable. It is always an empty string for a file or folder.

Note: String comparisons are case-sensitive.
  • macOS
  • Windows
device.clients["bce"].data["file_config"]["config_name"]["product_name"] == "some value"
version

The product version of the executable. It is always an empty string for a file or folder.

Note: String comparisons are case-sensitive.
  • macOS
  • Windows
device.clients["bce"].data["file_config"]["config_name"]["version"] == "some value"

The following table describes the attributes based on the registry entries and properties of a plist.

Note:config_name is the name of the configuration that you specified whenconfiguring the Endpoint Verification settings.
Attribute nameDescriptionSupported OSExample of using the attribute in theCEL expressions
presence

Indicates the presence of a registry or plist entry. Possible values:

  • VALUE_UNKNOWN = 0 indicates that the presence is not known due to a failure that occurred before the assessment.
  • VALUE_INACCESSIBLE = 1 indicates that the organization does not have access to the signal's resource.
  • VALUE_NOT_FOUND = 2 indicates that the resource was not found.
  • VALUE_FOUND = 3 indicates that the resource was found.
  • macOS
  • Windows
  • device.clients["bce"].data["registry_config"]["config_name"]["presence"] == PresenceValue.VALUE_FOUND
  • device.clients["bce"].data["plist_config"]["config_name"]["presence"] == PresenceValue.VALUE_FOUND
value

Provides the data that is stored in the registry or plist. Possible values:

  • macOS:NSString orNSNumber
  • Windows:REG_SZ,REG_DWORD, orREG_QWORD

The strings are limited to 1024 bytes.

Note: String comparisons are case-sensitive.
  • macOS
  • Windows
  • device.clients["bce"].data["registry_config"]["config_name"]["value"] ==<"string value"|boolean|double|int>
  • device.clients["bce"].data["plist_config"]["config_name"]["value"] ==<"string value"|boolean|double|int>

Chrome browser attributes

The following table describes the Google Chrome browser attributes that are collected byEndpoint Verification that you can use to create access levels:

Attribute nameDescriptionSupported OSExample of using the attribute in theCEL expressions
versionAtLeast(min_version)The minimum version of the Chrome browser.
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.chrome.versionAtLeast("88.0.4321.44")
management_state

The management state of the browser for a device. A browser is considered to be managed if it is enrolled toChrome browser cloud management. Possible values:

  • CHROME_MANAGEMENT_STATE_UNSPECIFIED = 0 indicates that the management state of the device is not specified or not known.
  • CHROME_MANAGEMENT_STATE_UNMANAGED = 1 indicates that the browser or the profile is not managed by any organization.
  • CHROME_MANAGEMENT_STATE_MANAGED_BY_OTHER_DOMAIN = 2 indicates that the browser is managed, but by some other organization.
  • CHROME_MANAGEMENT_STATE_PROFILE_MANAGED = 3 indicates that the browser is not managed and the profile is managed by an organization.
  • CHROME_MANAGEMENT_STATE_BROWSER_MANAGED = 4 indicates that the browser and profile are managed by an organization.
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.chrome.management_state == ChromeManagementState.CHROME_MANAGEMENT_STATE_MANAGED_BY_OTHER_DOMAIN
is_file_upload_analysis_enabledA boolean value that indicates whether thefile upload analysis connector is enabled on a device.
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.chrome.is_file_upload_analysis_enabled == true
is_file_download_analysis_enabledA boolean value that indicates whether thefile download analysis connector is enabled on a device.
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.chrome.is_file_download_analysis_enabled == true
is_bulk_data_entry_analysis_enabledA boolean value that indicates whether thebulk text (paste) analysis connector is enabled on a device.
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.chrome.is_bulk_data_entry_analysis_enabled == true
is_security_event_analysis_enabledA boolean value that indicates whether thesecurity event reporting connector is enabled on a device.
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.chrome.is_security_event_analysis_enabled == true
is_realtime_url_check_enabledA boolean value that indicates whether thereal-time URL check connector is enabled on a device.
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.chrome.is_realtime_url_check_enabled == true
safe_browsing_protection_level

Thebrowsing protection level policy of the browser. Possible values:

  • SAFE_BROWSING_LEVEL_UNSPECIFIED = 0 indicates that the browser protection level policy is not set for the device.
  • SAFE_BROWSING_LEVEL_DISABLED = 1 indicates that the browser protection level policy is disabled for the device, and the device is not protected against dangerous websites, downloads, and extensions.
  • SAFE_BROWSING_LEVEL_STANDARD = 2 indicates that the device is protected against websites, downloads, and extensions that are known to be dangerous.
  • SAFE_BROWSING_LEVEL_ENHANCED = 3
    • indicates that the device has proactive protection against dangerous websites, downloads, and extensions.
  • Mac
  • ChromeOS
  • Windows
  • Linux
device.chrome.safe_browsing_protection_level == SafeBrowsingLevel.SAFE_BROWSING_LEVEL_STANDARD
is_site_isolation_enabledA boolean value that indicates whether thesite isolation is enabled for every site.
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.chrome.is_site_isolation_enabled == true
is_built_in_dns_client_enabledA boolean value that indicates whetherChrome's built-in DNS client communicates with the DNS server.
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.chrome.is_built_in_dns_client_enabled == true
password_protection_warning_trigger

Thepassword protect warning trigger policy of the browser. Possible values:

  • PASSWORD_PROTECTION_TRIGGER_UNSPECIFIED = 0 indicates that the password protect warning trigger policy is not set.
  • PASSWORD_PROTECTION_TRIGGER_PROTECTION_OFF = 1 indicates that the password reuse is never detected.
  • PASSWORD_PROTECTION_TRIGGER_PASSWORD_REUSE = 2 indicates that a warning is displayed when the end user reuses their protected password on a site that is not allowed.
  • PASSWORD_PROTECTION_TRIGGER_PHISHING_REUSE = 3 indicates that a warning is displayed when the end user reuses their protected password on a phishing site.
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.chrome.password_protection_warning_trigger == PasswordProtectionTrigger.PASSWORD_PROTECTION_TRIGGER_PASSWORD_REUSE
is_chrome_remote_desktop_app_blockedA boolean value that indicates whether theChrome remote desktop remote application is blocked.
  • macOS
  • ChromeOS
  • Windows
  • Linux
device.chrome.is_chrome_remote_desktop_app_blocked == true
is_chrome_cleanup_enabledA boolean value that indicates whether theChrome Cleanup tool is enabled.Windowsdevice.chrome.is_chrome_cleanup_enabled == true
is_third_party_blocking_enabledNote: This attribute is supported only on Chrome from version 65 to version 135. This attribute is deprecated for Chrome version later than version 135.A boolean value that indicates whether thethird party software injection blocking is enabled.Windowsdevice.chrome.is_third_party_blocking_enabled == true

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.