Issue with google drive application

  • 20 November 2023
  • 4 replies

Hi People,


We have created a instance awareness policy to restrict user to block upload on personal google drive instances which is working fine on the browser but can't even hit the policy with google drive desktop application via file explorer's auto-sync.


Below is the policy details:


Please let me know what else is needed to be added here!!



4 replies

Userlevel 4
Badge +12

The Google Drive sync application uses a pinned certificate. Your tenant likely has a default exemption via CPA for Google Drive Sync application. Without it, this application won’t work. You could configure the CPA exemption to block rather than bypass but instance awareness doesn’t apply. 

Userlevel 6
Badge +16

As @nduda mentioned, Google Drive's desktop client performs certificate pinning in its default configuration.  Google does support importing additional certificates for trust which can then allow decryption.   It's been some time since I tested this and I'm not sure if it's been validated to work with instance detection, activity controls, etc.  For more info see the documentation here in the TrustedRootCertsFile section. 

I followed the link that you mentioned and created an entry inside registry as well as added netskope CA Certificates in the google drive's certificate config. But it looks like it still doesn't work so can anyone please help me with steps on how to achieve the same.





Userlevel 6
Badge +16

Hello @Paradox07,


Apologies for the delayed response.   Did you test with the steering exception removed?  Additionally, I can't see the full file you posted but does it also include the original certificates AND the Netskope certificates?  Or just the Netskope one.