Chrome Enterprise Premium MCP Server
Official
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| GCP_STDIO | No | Set to 'true' to run the server in stdio mode. | true |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | { "listChanged": true } |
| logging | {} |
| prompts | { "listChanged": true } |
| resources | { "listChanged": true } |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| get_customer_id | Retrieves the unique Google customer ID for the authenticated account. This ID (often starting with 'C') is required as a parameter for many other Chrome management tools. |
| list_org_units | Lists the Organizational Units (OUs) for the customer. Use this tool to find the 'orgUnitId' required by most other Chrome management and policy tools. It provides the human-readable path and unique ID for each OU. |
| check_cep_subscription | Verifies the current Chrome Enterprise Premium (CEP) license assignments for an organization. This is useful for checking the actual protection state of users. |
| check_user_cep_license | Checks if a specific user has a Chrome Enterprise Premium (CEP) license assigned. Use this to verify if an individual user (by email or unique ID) is licensed for CEP features. |
| count_browser_versions | Counts Chrome browser versions reported by managed devices. Use this for auditing and reporting on the distribution of browser versions across your organization or a specific Organizational Unit. |
| list_customer_profiles | Lists Chrome browser profiles for the customer. These profiles represent managed browser instances and provide details like OS version, platform, and associated user email. |
| security_insights | Manages the enablement status of Chrome Security Insights for a customer. Use this to check, enable, or disable the security insights feature customer-wide. |
| get_connector_policy | Retrieves the current configuration for a specific Chrome Enterprise connector or all connectors. Use this to AUDIT or VERIFY settings for features like "printing sensitive data", "real-time URL checks", or "event reporting". Note: The 'enable_chrome_enterprise_connectors' tool can only ACTIVATE connectors that are currently unconfigured. There is currently no tool to MODIFY an already configured connector; these must be updated manually in the Admin Console. |
| get_chrome_activity_log | Retrieves audit logs of Chrome browser activity (e.g., login events, policy violations, extension installs). Use this for security investigations, auditing user actions, and to help tune DLP rules. |
| list_dlp_rules | Lists all Chrome DLP rules currently configured in the organization. These rules protect sensitive data by monitoring browser actions like uploads, printing, and screenshots. |
| get_dlp_rule | Retrieves details for a specific Chrome DLP rule by its resource name. The response includes a direct link to the Admin Console where you can view, edit, disable, or delete the rule. Note: The agent itself cannot modify or delete rules. |
| list_detectors | Lists all custom Chrome DLP detectors (URL lists, word lists, or regular expressions). Detectors are used within DLP rules to identify sensitive content. Use this to find the 'policyName' of a detector to include in a rule. |
| create_chrome_dlp_rule | Creates a new Chrome DLP rule for a specific Organizational Unit. Applies browser-level protection (uploads, downloads, printing). For safety reasons, this MCP tool is disabled from creating 'ACTIVE' rules with a 'BLOCK' action. You can create 'INACTIVE' 'BLOCK' rules and enable them later in the UI, or create 'ACTIVE' 'WARN' or 'AUDIT' rules. To ensure technical accuracy and verify trigger compatibility, you should retrieve the full technical reference using 'get_document' for '11-dlp-rule-reference' before using this tool. |
| create_regex_detector | Creates a new DLP regular expression detector. Detectors are building blocks for DLP rules. After creating a detector, you must reference its resource name in a 'create_chrome_dlp_rule' condition (e.g., using the 'matches_detector' function). |
| create_url_list_detector | Creates a new DLP URL list detector. Detectors are building blocks for DLP rules. After creating a detector, you must reference its resource name in a 'create_chrome_dlp_rule' condition (e.g., using the 'matches_detector' function). |
| create_word_list_detector | Creates a new DLP word list detector. Detectors are building blocks for DLP rules. After creating a detector, you must reference its resource name in a 'create_chrome_dlp_rule' condition (e.g., using the 'matches_detector' function). |
| create_default_dlp_rules | Creates a "Starter Pack" of default Chrome DLP rules for a specific Organizational Unit. Rules included: |
| check_seb_extension_status | Checks if the Secure Enterprise Browser (SEB) extension is force-installed for a given Organizational Unit. The SEB extension is REQUIRED for advanced Chrome Enterprise Premium features like data masking. If not installed, use 'install_seb_extension' to fix it. |
| install_seb_extension | Force-installs the Secure Enterprise Browser (SEB) extension for a given Organizational Unit. The SEB extension is REQUIRED for advanced Chrome Enterprise Premium features like data masking. |
| enable_chrome_enterprise_connectors | Enables and configures selected Chrome Enterprise connectors (e.g., Print, Paste, File Upload/Download). Use this tool to ACTIVATE security protections. It will ONLY apply changes to connectors that are not already configured. To check current status without modifying, use 'get_connector_policy'. |
| diagnose_environment | Runs a health check of the Chrome Enterprise Premium environment. By default returns a summary with counts and pre-computed issues — no large arrays. The agent should present these findings to the user. To drill into detail, pass a 'section' parameter: Use 'limit' and 'offset' for pagination on large datasets. |
| get_document | Retrieves the full text of one or more knowledge base documents. Pass Knowledge Index: This index is for locating relevant documentation by topic. Document summaries are not a source of truth; for authoritative technical details, exact roles, or procedures, the agent retrieves the content in real-time via 'get_document'. |
| cep_auth | Sign in to Google for the Chrome Enterprise Premium (CEP) MCP server. Before calling this tool, you MUST warn the user that this will open a browser tab or prompt them to sign in, and ask for their confirmation. Use this tool ONLY for the CEP MCP server. The Google Workspace MCP server has its own separate auth tool—do not use this one for that. Requests the CEP scope set: Admin SDK reports, Chrome browser management, Cloud Identity (DLP), Identity, Licensing, Service Usage. Call with no arguments to start the sign-in. If the response sets |
| cep_auth_status | Reports the current OAuth credential status and cached scopes for the Chrome Enterprise Premium (CEP) MCP server. Use this tool only for the CEP MCP server; the Google Workspace MCP server has its own separate status tool. |
| cep_auth_clear | Clears cached OAuth credentials for the Chrome Enterprise Premium (CEP) MCP server, forcing re-authentication on the next call. Use this tool only for the CEP MCP server; the Google Workspace MCP server has its own separate clear tool. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| cep:health | Run a health check on the user's environment. |
| cep:optimize | Review the environment's DLP rules and recommend specific tuning, enforcement, or cleanup actions. |
| cep:expert | Re-inject the Chrome Enterprise Premium expert context. |
| cep:auth | Sign in to the Chrome Enterprise Premium MCP server. |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| 01-cep-overview | Comprehensive introduction to Chrome Enterprise Premium (CEP). Helps with product evaluation and implementation. Walks through the 5-step checklist: setting up Chrome management, configuring connector policies, verifying the CEP service, setting up DLP rules, and configuring activity alerts. Covers trial terms (60 days, 5,000 users) and manual license assignment. Keywords: $6/user price, trial terms, Licensing, 5-step checklist, manual license assignment, Workspace service settings. |
| 02-chrome-deployment-guide | Comprehensive browser deployment and enrollment guide. Use this to perform large-scale MSI/PKG installation via MDM and configure cloud management. Covers how to: deploy the Chrome Enterprise bundle, apply policy templates, use Cloud management enrollment tokens, force-install Endpoint Verification, and perform the two-step unenrollment process. |
| 03-ev-troubleshooting | Endpoint Verification (EV) troubleshooting and privacy guide. Helps resolve device posture sync errors and access denial issues. Covers how to: fix OS-level sync failures by investigating Native Helper status, EDR/Antivirus blocks, and firewalls; resolve OS update delays via manual "Sync Now"; and understand privacy boundaries (no browsing history collected). Keywords: Failed to sync, Native messaging host, manual sync, privacy statement, BYOD security. |
| 04-dlp-core-features | Guide for configuring DLP triggers (Paste, Print, Upload), screen capture protection, and Enterprise Cache Encryption. Helps protect sensitive data from accidental leaks or exfiltration. Covers how to: enable screenshot blocking on sensitive URLs, manage file scan latency via DelayDeliveryUntilVerdict, and configure Optical Character Recognition (OCR) for images. Keywords: Screen capture protection, Clipboard controls (Paste), Cache encryption, OCR supported types (BMP, GIF, JPEG, PNG, TIF), scan delay. |
| 05-evidence-locker | Setup and configuration guide for the Evidence Locker (forensic file storage). Helps secure sensitive data for legal and security investigations. Covers how to: configure the GCS bucket, manage access permissions, and handle unscannable files. Note: DLP more reliably detects password protection on ZIP archives than on PDF or Office documents. Keywords: Evidence Locker, GCS bucket permissions, service account keys, DelayDeliveryUntilVerdict, password reliability (ZIP vs PDF). |
| 06-dlp-rule-troubleshooting | DLP troubleshooting and diagnostics guide. Helps resolve rule deployment issues and ensures effective protection against data leaks. Covers how to: verify rule receipt via chrome://policy, confirm CEP license assignment, refine strict rules using "Audit only" mode, investigate client-side logs at chrome://safe-browsing, and analyze server-side log events in the Admin Console. Keywords: chrome://policy, chrome://safe-browsing, audit only mode, license assignment, investigation tool. |
| 07-caa-dlp-integration | Context-Aware Access (CAA) and Security Gateway integration guide. Helps protect corporate apps by ensuring only compliant devices gain access. Covers how to: troubleshoot "401 Unauthorized" errors via IAP logs and Access Level definitions, secure native applications using Certificate-Based Access (CBA), and verify Device Trust Connector (Okta) status in chrome://connectors-internals. Keywords: 401 Unauthorized, IAP policy, Security Gateway, BeyondCorp, native app security. |
| 08-certificate-based-access | Certificate-Based Access (CBA) and Identity Provider guide. Helps enforce high-assurance access for managed and unmanaged devices. Covers how to: upload Root CA certificates to the Admin Console and configure the "AutoSelectCertificateForUrls" policy for seamless user authentication. Keywords: CBA, Root CA upload, AutoSelectCertificateForUrls, client certificates. |
| 09-chrome-log-events | Chrome Reporting Connector and SIEM integration guide. Helps search security event logs in the Admin Console and stream events to SIEMs like Splunk. Covers event descriptions for Threat and Data Protection events, and how to verify local event generation and policy receipt on client machines. Keywords: Chrome log events, Audit & investigation, Threat events, Data Protection events, chrome://policy, chrome://safe-browsing, Splunk integration. |
| 10-chrome-policy-management | Chrome policy management and URL filtering guide. Helps control web access and manage policy conflicts. Covers how to: use wildcard syntax—example.com (includes subdomains) vs .example.com (exact host only); give cloud policies precedence via "CloudPolicyOverridesPlatformPolicy"; and bypass Safe Browsing warnings for internal sites using "SafeBrowsingAllowlistDomains". |
| 12-security-posture-guide | Internal evaluation criteria the agent uses to assess a Chrome Enterprise Premium environment and recommend next steps. Walks through whether the prerequisites (licenses, connectors, SEB extension) are present, whether DLP rules exist, whether they are tuned, and whether they are enforcing. Covers the telemetry dependency (logs require active rules). For agent-internal use only — do not surface labels or framework names to users. |
| 15-rule-quality-guidelines | Internal evaluation criteria the agent uses to identify logic flaws and noise in Chrome Enterprise Premium DLP rule JSON. Covers context blindness (missing destination vectors), false negatives from broad file-type exclusions, root-OU over-scoping, low match thresholds that cause false positives, missing compound logic, mixed triggers, disproportionate actions, audit-first deployment, and orphaned rules. For agent-internal use only — do not surface heuristic names or category labels to users. |
| 16-configurable-timeouts | Guide for configuring timeout deadlines (evaluation time limit) for Data Loss Prevention (DLP) and malware scans, including the paste action. Covers UI navigation paths, Admin privileges required, and background scan behavior. Keywords: Configurable timeouts, evaluation time limit, deep scanning protection settings, Chrome Enterprise Security Services, Chrome Enterprise Premium, scan deadline, paste deadline. |
| 21-dlp-limits | DLP content and scanning limits guide. Helps explain why certain files are unscanned or blocked. Covers constraints for file size, text extraction, and spreadsheets. Keywords: 50MB file limit, 10MB text limit, 50,000 cell limit, unscannable files. |
| 22-dlp-data-masking | Helps protect sensitive UI data in the browser using data masking. Covers configuration of masking rules and requirements for the Secure Enterprise Browser (SEB) extension. Keywords: Data masking, SEB extension, PII protection, Light/Hard obfuscation. |
| 23-insider-risk-monitoring | Insider risk and data loss monitoring guide. Covers how to turn on insider risk monitoring via the 1-click "Monitor data leaks and insider risk" flow, and how to configure the "Data protection insight scanning and report" setting. Explains how this automatically configures Chrome connectors, event logging, and DLP scanning. Keywords: Insider risk, 1-click enablement, Data protection insight scanning, Chrome security event logging, turn off monitoring. |
| 24-security-reports | Overview of Chrome security reports in the Admin Console. Helps administrators monitor threat and data protection events. Covers Malware, Unsafe Sites, PII transfers, and high-volume upload/download reports. Keywords: Data protection reports, Threat protection dashboard, security telemetry. |
| 27-url-blocklist-format | Detailed technical format for URL blocklist and allowlist filters. Helps with precise web access control. Covers wildcard syntax rules: example.com (matches domain and all subdomains) vs .example.com (matches exact host only). Keywords: wildcard (*), subdomain (.), URL filter syntax, blocklist vs allowlist. |
| 28-safe-browsing-allowlists | Helps administrators exempt trusted internal sites from Safe Browsing warnings. Covers how to bypass malware, phishing, and password reuse checks. Keywords: SafeBrowsingAllowlistDomains, trusted domains, bypass warnings. |
| 29-admin-privilege-definitions | Reference for administrator privileges required to manage Google Workspace and CEP features in the Admin Console. Helps resolve "Access Denied" errors. Covers privileges for User management, Reports, Security Center, Data Loss Prevention (DLP) rule management, Chrome Management, and Data Security (Context-Aware Access). Keywords: Admin console privileges, Manage DLP rules, Security Center, Service Settings, custom roles. |
| 30-ev-device-attributes | Comprehensive list of device posture attributes collected by Endpoint Verification. Helps with creating granular Context-Aware Access (CAA) levels. Covers OS version, serial numbers, disk encryption, and screen lock status. Keywords: Device attributes, postural data, hardware identifiers, encryption status. |
| 31-security-insights-data | Guide to querying Chrome Enterprise Security Insights data. Covers methods for retrieving summaries and breakdowns of content transfers and URL visits. Helps with understanding security posture and data movement. |
| 98-agent-knowledge-addendum | Mandatory Technical "Golden Facts" and operational memory for Chrome Enterprise Premium. Covers Extension IDs for EV and SEB, Windows Certificate Store requirements for CBA, URL filtering syntax rules, and troubleshooting "Something went wrong" errors for Security Insights using specific privileges. Keywords: callobklhcbilhphinckomhgkigmfocg, ekajlcmdfcigmdbphhifahdfjbkciflj, Windows Store requirements, Security Insights Error, Chrome DLP insight setting management, SafeBrowsingAllowlistDomains. |
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/google/chrome-enterprise-premium-mcp'