Chrome Enterprise Premium MCP Server

A Model Context Protocol (MCP) server for Chrome Enterprise Premium (CEP). CEP extends Chrome's built-in security with Data Loss Prevention (DLP), real-time threat protection (phishing and malware scanning), and Context-Aware Access controls. This server exposes CEP's DLP rules, content detectors, connector policies, browser telemetry, and license management as MCP tools — letting any MCP-compatible AI agent inspect and configure a Chrome Enterprise environment.

Important security consideration: Indirect Prompt Injection Risk

When exposing any language model to untrusted data, there's a risk of an indirect prompt injection attack. Agentic tools like Gemini CLI, connected to MCP servers, have access to a wide array of tools and APIs.

This MCP server grants the agent the ability to read, modify, and delete your Google Account data, as well as other data shared with you.

• Never connect this server to untrusted tools.
• Never feed untrusted content into the model context, including mail, documents, or other resources from unverified sources.
• Attackers can hide instructions inside untrusted content and use a hijacked CLI session to modify, steal, or destroy your data.
• Always review the actions Gemini CLI takes on your behalf and confirm they match what you asked for.

Quick start

git clone https://github.com/google/chrome-enterprise-premium-mcp.git
cd chrome-enterprise-premium-mcp
npm install

1. Authenticate with Google Cloud

Install the Google Cloud CLI if you don't have it, then create Application Default Credentials (ADC) with the scopes needed by each API:

gcloud auth application-default login \
--scopes=openid,\
https://www.googleapis.com/auth/userinfo.email,\
https://www.googleapis.com/auth/chrome.management.policy,\
https://www.googleapis.com/auth/chrome.management.reports.readonly,\
https://www.googleapis.com/auth/chrome.management.profiles.readonly,\
https://www.googleapis.com/auth/admin.reports.audit.readonly,\
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,\
https://www.googleapis.com/auth/admin.directory.customer.readonly,\
https://www.googleapis.com/auth/apps.licensing,\
https://www.googleapis.com/auth/cloud-identity.policies,\
https://www.googleapis.com/auth/service.management,\
https://www.googleapis.com/auth/service.management.readonly,\
https://www.googleapis.com/auth/cloud-platform

These scopes map to the underlying APIs:

Then set a quota project (identifies which GCP project's API enablement and quotas to use):

gcloud auth application-default set-quota-project YOUR_PROJECT_ID

Scopes must be provided at login time. You cannot add scopes to existing ADC credentials. If you get "insufficient scopes" errors, delete ~/.config/gcloud/application_default_credentials.json and re-run the gcloud auth application-default login command from the previous step.

The quota project is required. Without it you'll see a "quota project not set" error on the first API call.

Restricted Workspace environments: If your organization restricts third-party app access, an admin must trust the gcloud OAuth app before you can authenticate with sensitive Workspace scopes. Alternative to ADC: run mcp auth login for an OAuth-flow setup. Setup walkthrough at docs/auth-bring-your-own-oauth-client.md. Auth-method matrix at docs/configuration.md#authenticating-to-google-apis.

2. Enable Required APIs

These APIs must be enabled on your GCP project:

gcloud services enable \
  admin.googleapis.com \
  chromemanagement.googleapis.com \
  chromepolicy.googleapis.com \
  cloudidentity.googleapis.com \
  licensing.googleapis.com \
  serviceusage.googleapis.com

Or enable them from the API Library in Cloud Console.

Propagation delay: Newly enabled APIs can take 1–5 minutes to become available. The server handles this automatically by retrying PERMISSION_DENIED errors with exponential backoff. If you see retry messages on first run, wait; don't restart.

3. Connect Your MCP Client

The server uses stdio transport; your MCP client launches it as a child process. Add the config snippet for your client:

{
  "mcpServers": {
    "cep": {
      "command": "npx",
      "args": ["-y", "@google/chrome-enterprise-premium-mcp@latest"],
      "env": { "GCP_STDIO": "true" }
    }
  }
}

{
  "mcpServers": {
    "cep": {
      "command": "npx",
      "args": ["-y", "@google/chrome-enterprise-premium-mcp@latest"],
      "env": { "GCP_STDIO": "true" }
    }
  }
}

{
  "servers": {
    "cep": {
      "command": "npx",
      "args": ["-y", "@google/chrome-enterprise-premium-mcp@latest"],
      "env": { "GCP_STDIO": "true" }
    }
  }
}

{
  "mcpServers": {
    "cep": {
      "command": "npx",
      "args": ["-y", "@google/chrome-enterprise-premium-mcp@latest"],
      "env": { "GCP_STDIO": "true" }
    }
  }
}

Optional: If you are running from a local checkout instead of npx, replace the command with node and args with the absolute path to mcp-server.js. Relative paths might not resolve correctly depending on the client.

4. Verify

Restart your MCP client, then ask:

"What Chrome Enterprise Premium tools do you have access to?"

The agent discovers and lists the available tools. If tools don't appear, see Troubleshooting.

Configuration

For environment variables and stdio vs. HTTP transport, see docs/configuration.md.

Prerequisites

GCP IAM is not enough. Chrome Management and Admin SDK APIs require a Google Workspace admin role in addition to GCP IAM roles. The user must hold an admin role in the Admin Console (Super Admin or delegated with Chrome Management permissions). Having only GCP IAM permissions produces 403 Permission Denied with no indication that a Workspace role is missing.

Available tools and prompts

Prompts

Tools

The server exposes tools for reading and managing Chrome Enterprise resources:

• Discovery: get customer ID, list org units, count browser versions, list customer profiles
• Licensing: check CEP subscription status, check per-user license assignment
• DLP: list/create/delete DLP rules, list/create/delete detectors (regex, word list, URL list), create default rule sets
• Connectors: get connector policy status, enable Chrome Enterprise connectors
• Extensions: check SEB extension status, install SEB extension
• Security: get Chrome activity logs, check and enable required APIs
• Knowledge: search the built-in Chrome Enterprise Premium knowledge base

Architecture

The codebase has three layers: API clients in lib/api/ (one interface + real implementation per Google API), MCP tools and prompts in tools/ and prompts/, and the server entry point in mcp-server.js. Integration tests redirect the real API clients at an in-process Express fake under test/helpers/. For the directory layout, design patterns, and how the test backends are wired, see docs/architecture.md.

Development

Run npm run presubmit before every PR. It runs unit tests, fake-backend integration tests, and a smoke test against the in-process fake API server; no credentials needed. After merge, npm run postsubmit re-runs the full presubmit suite plus a real-API integration pass.

Presubmit is read-only. If formatting or lint fails, run npm run format and npm run lint:fix to fix, then re-run. The husky pre-commit hook auto-fixes staged files through lint-staged, so commits from a clean working tree usually pass without manual fixup.

GitHub Actions runs the same checks on every pull request as four parallel jobs (lint, test-unit, test-integration-fake, test-smoke); each failure shows up as a separate PR check. The workflow is at .github/workflows/node.js.yml.

npm run presubmit               # Required before every PR
npm run postsubmit              # After merge (real API credentials)
npm run test:unit               # Unit tests only
npm run test:integration:fake   # Integration tests against the fake
npm run test:smoke              # Server starts and responds
npm run mcp-inspector           # Browser UI for invoking tools and prompts
npm run lint                    # Check formatting and lint
npm run lint -- --fix           # Auto-fix
npm run format                  # Prettier on everything

For evaluations (Gemini agent against fake backend, graded by deterministic checks and an LLM judge), see test/evals/README.md. For the test runner layout and how to add a test, see test/README.md. For contributing, see CONTRIBUTING.md.

Troubleshooting

For known issues with auth, permissions, Node.js setup, and MCP client integration (including the /mcp reload tip when CEP tools do not show up right after restart), see docs/troubleshooting.md.

FAQ

For license requirements, Workspace edition, service-account auth, experimental features, and other recurring questions, see docs/faq.md.

Reporting bugs

If something isn't working:

1. In Gemini CLI, run /bug to capture session diagnostics. Attach the generated file to your issue.
2. Run npm run presubmit and paste the output; this lets maintainers tell environmental problems from real code bugs.
3. Describe what you expected vs. what actually happened, including the exact error message.

Contributing

Contributions are welcome. For details on how to contribute, see CONTRIBUTING.md.

Legal

This repository is provided as a reference implementation that customers can explore and adapt under the Apache 2.0 license. It is not an officially supported Google product.

• License: Apache License 2.0
• Terms of Service: Terms of Service
• Privacy Policy: Privacy Policy
• Security: Security Policy