Issue with Google Drive application


Hi People,


We have created an instance awareness policy to restrict users by blocking uploads to personal Google Drive instances. It is working fine in the browser, but we can't even hit the policy with the Google Drive desktop application via File Explorer's auto-sync.


Below are the policy details:



Please let me know what else needs to be added here!



The Google Drive sync application uses a pinned certificate. Your tenant likely has a default exemption via CPA for the Google Drive Sync application. Without it, this application won't work. You could configure the CPA exemption to block rather than bypass, but instance awareness doesn't apply.

As @nduda mentioned, Google Drive's desktop client performs certificate pinning in its default configuration. Google does support importing additional certificates for trust, which can then allow decryption. It's been some time since I tested this and I'm not sure if it's been validated to work with instance detection, activity controls, etc. For more info, see the documentation here in the TrustedRootCertsFile section.
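
As an added illustration (editor's example, not code from any poster in this thread, nor from Google or Netskope), here is a PowerShell script for the Windows side of what the reply above describes: it exports the Netskope CA certificates already in the machine store to a PEM bundle, points Drive for desktop at that bundle via the TrustedRootCertsFile setting, and then probes which certificate issuer Google's endpoints actually present from this machine. The registry key and value name are written as the editor recalls them from Google's Drive for desktop settings documentation, so verify them against the TrustedRootCertsFile section linked above. The PEM path, the "Netskope" subject filter and the probed hostnames are assumptions to adjust for your environment.

```powershell
# Added example, not from the thread. Run as Administrator on the endpoint running Drive for desktop.
# Assumptions (verify against the TrustedRootCertsFile documentation):
#   - Drive for desktop reads HKLM:\SOFTWARE\Google\DriveFS, value TrustedRootCertsFile (REG_SZ),
#     the path of a PEM file holding additional trusted CA certificates.
#   - The Netskope CA certificates are already installed in the machine's Root / CA stores and
#     their Subject contains "Netskope" (assumed filter; adjust to your CA names).
#Requires -RunAsAdministrator

$PemPath   = 'C:\ProgramData\Google\DriveFS\netskope-ca.pem'   # assumed location
$DriveKey  = 'HKLM:\SOFTWARE\Google\DriveFS'
$ValueName = 'TrustedRootCertsFile'

function Export-CaBundle {
    param([string]$Path, [string]$SubjectFilter = 'Netskope')
    # Collect root AND intermediate CAs: the client must be able to build the full chain
    # the inspecting proxy presents, not only the leaf's immediate issuer.
    $cas = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
             Where-Object { $_.Subject -like "*$SubjectFilter*" })
    if ($cas.Count -eq 0) { throw "No CA certificates matching '$SubjectFilter' in LocalMachine stores" }
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    $pem = foreach ($c in $cas) {
        $b64 = [Convert]::ToBase64String($c.RawData, [Base64FormattingOptions]::InsertLineBreaks)
        "-----BEGIN CERTIFICATE-----`n$($b64 -replace "`r`n", "`n")`n-----END CERTIFICATE-----"
    }
    # Plain PEM: ASCII, LF line endings, no BOM.
    [IO.File]::WriteAllText($Path, (($pem -join "`n") + "`n"), [Text.Encoding]::ASCII)
    return $cas.Count
}

function Set-DriveTrustedRoots {
    param([string]$Path)
    if (-not (Test-Path $DriveKey)) { New-Item -Path $DriveKey -Force | Out-Null }
    New-ItemProperty -Path $DriveKey -Name $ValueName -Value $Path -PropertyType String -Force | Out-Null
    # The setting is read at startup: stop the client so the next launch picks it up.
    Get-Process -Name GoogleDriveFS -ErrorAction SilentlyContinue | Stop-Process -Force
}

function Get-TlsIssuer {
    # Open a TLS session to the host from this machine and return the subject and issuer of
    # the leaf certificate presented. Through an inspecting proxy the issuer is the proxy CA;
    # on a bypassed path it is Google's own CA.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain: we only want to see it, not validate it.
        $cb  = { $true } -as [Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        return [PSCustomObject]@{
            Host    = $HostName
            Subject = $ssl.RemoteCertificate.Subject
            Issuer  = $ssl.RemoteCertificate.Issuer
        }
    } finally { $tcp.Close() }
}

$count = Export-CaBundle -Path $PemPath
Set-DriveTrustedRoots -Path $PemPath
"Wrote $count CA certificate(s) to $PemPath and set $DriveKey\$ValueName"

# Hostnames are assumptions; take the real ones from the Drive client's connections
# (firewall or proxy logs) so you probe what the sync client talks to.
'drive.google.com', 'www.googleapis.com' |
    ForEach-Object { Get-TlsIssuer -HostName $_ } | Format-Table -AutoSize
```

Two things the probe does and does not tell you. If `Get-TlsIssuer` shows Google's issuer rather than the Netskope CA, the host is not being inspected from this machine at all, and no trust file will make the Drive policy fire. If it does show the Netskope CA, the path is in scope for inspection, but the probe runs from powershell.exe, not from the Drive process; as the earlier reply notes, a CPA exemption that bypasses the Google Drive Sync application keeps that process's traffic out of inspection regardless of this file, so check that setting in the tenant as well. After the relaunch, confirm the client still syncs; if it fails with a certificate error, the bundle is missing part of the chain or the path in the registry is wrong.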

I followed the link that you mentioned and created an entry in the registry, and also added the Netskope CA certificates in Google Drive's certificate config. But it looks like it still doesn't work, so can anyone please help me with steps on how to achieve the same?


Screenshot 2023-11-21 120355.png


Screenshot 2023-11-21 120418.png



