What you control
Control the verified user, workspace policy, work domains, domain/category rules, allowed egress region, active sessions, and admin revoke.
Contractors
Controlled browser access for contractors
A contractor needs web access for a project, but a device VPN, imaged laptop, or broad network path is too much for a short engagement.
What stays outside
The contractor's personal apps, files, calls, banking, local tools, and non-browser traffic stay outside the proxy path. On unmanaged devices, other browsers or unmanaged Chrome profiles are outside the product boundary.
Proof points
Backed by implementation
- Onboard external users without issuing a device VPN.
- Proxy credentials expire in minutes and can be revoked by an admin.
- Sessions are tied to a verified user and registered device key.
- Browser-path filtering uses domains/categories without HTTPS content inspection.
- Private/internal network ranges are blocked on the browser-proxy path.
FAQ
Does the contractor need a VPN?
No. The contractor uses the managed browser extension. Current beta users use Chrome/Chromium with the BusinessProxy extension. BusinessProxy does not install an OS-level agent or route the whole device.
What happens when the project ends?
Admins can revoke active sessions and remove future access from the account. Session credentials are short-lived, so existing proxy credentials expire if they are not refreshed.
Can the contractor reach internal networks?
This Layer-1 contractor use case is for managed public web access through the browser extension. Current beta users access it through Chrome/Chromium. Private/internal ranges are blocked on the browser-proxy path. Private App Access is a separate beta path and is presented only when its feature gate is on.
Related use cases