Configure the Clear managed Chrome profile browsing data feature

Early Access release. See Enable self-service features.

You can clear users' Chrome data in response to session violations or entity risk changes, or both.

This feature uses an authenticated API to clear a user's Chrome cache and cookies. Setting this up as an enforcement action is a three-step process. First, set your Google service account permissions. Then, configure the delegated workflow. And finally, add the workflow to your policies.

Before you begin

  • You must be a super admin, org admin, group admin, help desk admin, or a custom admin with the Clear users' Chrome data permission. See Admin roles for ITP.
  • Your org must use managed Chrome profiles, which are provisioned through Chrome Enterprise Core or Google Workspace. Make a note of your service account so you can assign it Google permissions. See Integrate Okta with Chrome Enterprise.
  • Your Google app integration needs the okta.users.manage OAuth 2.0 scope. See Okta API Scopes.
  • Configure a device assurance policy for Chrome browsers. See Device assurance.

Assign the Managed Browsers permission to your Google service account

  1. In the Google Admin Console, go to Account > Admin Roles.
  2. Click Create new role.
  3. Under Services > Chrome Management > Settings, select Managed Browsers.
  4. Confirm and create the role.
  5. Click Assign Admin.
  6. Click Assign service accounts, and find the service account that you configured for Chrome Device Trust. Open its Actions menu.
  7. Select Assign Admin.

Create a delegated workflow

This feature uses an authenticated API (/api/v1/users/{userId}/clear-chrome-data) that supports the POST method only and requires no request body. See Clear the managed Chrome profile browsing data.

Use this API in a delegated workflow. See Create delegated flows for policy actions.
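The delegated flow itself is built in Okta Workflows, but it is worth exercising the endpoint directly once before wiring it into a policy, because a 403 at that point tells you a prerequisite (the okta.users.manage scope or the Clear users' Chrome data admin permission) is missing rather than the flow being misconfigured. The script below is an added example, not Okta's own code or part of this page: it builds the POST with no request body, percent-encodes the user ID so it cannot alter the path, and maps the common failure statuses to the prerequisite to check. The org URL, user ID, the environment variable name and the assumption that any 2xx status means success are all constructed for the example.

```python
"""Pre-flight check for POST /api/v1/users/{userId}/clear-chrome-data.

Added example, not Okta's own code. Assumptions (not from the page):
the org URL and user ID below are placeholders, the token comes from
the OKTA_ACCESS_TOKEN environment variable, and any 2xx status counts
as success.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample values; replace with your own org and target user.
ORG_URL = "https://example.okta.com"
USER_ID = "00u1abc2def3ghi4jkl5"


def build_clear_chrome_data_request(org_url: str, user_id: str,
                                    access_token: str) -> urllib.request.Request:
    """Build the request exactly as the endpoint expects it.

    The endpoint supports POST only and takes no request body, so
    ``req.data`` stays None. The token is an OAuth 2.0 access token whose
    grant included the okta.users.manage scope.
    """
    # Percent-encode the ID (including "/") so a caller-supplied value
    # cannot steer the request to a different path.
    path = f"/api/v1/users/{urllib.parse.quote(user_id, safe='')}/clear-chrome-data"
    return urllib.request.Request(
        org_url.rstrip("/") + path,
        method="POST",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Accept": "application/json",
        },
    )


# Likely cause per status, so an admin fixes the prerequisite instead of retrying.
_REASONS = {
    401: "token rejected or expired; obtain a fresh access token",
    403: "forbidden; confirm the okta.users.manage scope and the "
         "Clear users' Chrome data admin permission",
    404: "user not found; the path takes an Okta user ID",
    405: "method not allowed; the endpoint accepts POST only",
}


def clear_chrome_data(org_url: str, user_id: str, access_token: str,
                      opener=urllib.request.urlopen) -> dict:
    """Send the request and return {ok, status, reason, detail}.

    ``opener`` is injectable so the logic can be tested offline.
    """
    req = build_clear_chrome_data_request(org_url, user_id, access_token)
    try:
        with opener(req, timeout=15) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        try:
            # Okta error responses carry a human-readable errorSummary.
            detail = json.loads(body).get("errorSummary", body)
        except ValueError:
            detail = body
        return {"ok": False, "status": err.code,
                "reason": _REASONS.get(err.code, "unexpected error"),
                "detail": detail}
    return {"ok": 200 <= status < 300, "status": status,
            "reason": None, "detail": None}


if __name__ == "__main__":
    import os
    import sys
    token = os.environ.get("OKTA_ACCESS_TOKEN")
    if not token:
        sys.exit("set OKTA_ACCESS_TOKEN to a token granted okta.users.manage")
    print(json.dumps(clear_chrome_data(ORG_URL, USER_ID, token), indent=2))
```

Run it once against a test user with a token minted for the same client the delegated flow will use; a 403 here means the scope or admin permission is missing, and fixing that before adding the flow to a policy avoids a silent no-op during a real session violation.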

Add the workflow to your policies

Session protection

If you want to clear users' Chrome data for a session violation, add this workflow to your session protection policy. In this scenario, the workflow is one of the additional enforcement actions that ITP performs after the MFA if possible and Okta logout actions, which are inherited from your global session and app sign-in policies.

  1. In the Admin Console, go to Security > Identity Threat Protection.

  2. Click the Detection and Response tab.

  3. Go to Session Protection.

  4. In the Status section, select Enforced.

  5. In the Session violation detection section, click Edit. In Edit mode you can also change the Risk level or User's new IP is fields, if you want to set different criteria for clearing managed Chrome profile data.

  6. In the Enforcement settings section, select Run an additional action, and then choose Run a workflow.

  7. Select the workflow that you configured.

  8. In the Groups impacted section, select the groups that Run a workflow applies to. Remember that users who aren't in these groups may still be affected by the MFA if possible and Okta logout actions in your global session and app sign-in policies.

Entity risk policy

If you want to clear users' Chrome data for an entity risk change, add this workflow to your entity risk policy. In this scenario, you can clear users' Chrome profile data in the event of session hijacking, brute-force attacks, and sign-in events from high-threat IP addresses. The entity risk policy can have multiple rules, so you can control which events require clearing of managed Chrome profile data.

  1. In the Admin Console, go to Security > Identity Threat Protection.
  2. In the Configure response section, click Go to entity risk policy.
  3. Click Add Rule.
  4. Enter a Rule Name.
  5. In User's group membership includes, specify the user groups to include in or exclude from the rule.
  6. In Detection, specify the activity you want Okta to detect or exclude.
  7. Select an Entity Risk Level.
  8. In the Take this action field, select Run a workflow.
  9. Click the Workflow triggered by action dropdown menu or type the name of your delegated workflow.
  10. Click Save.