Policy List

Last updated on 2019-07-24 based on Chrome 77.0.3864.

The Chrome Enterprise policy list is moving! Please update your bookmarks to https://cloud.google.com/docs/chrome-enterprise/policies/.

Both Chromium and Google Chrome support the same set of policies. Please note that this document may include unreleased policies (i.e. their 'Supported on' entry refers to a not-yet released version of Google Chrome) which are subject to change or removal without notice and for which no guarantees of any kind are provided, including no guarantees with respect to their security and privacy properties.

These policies are strictly intended to be used to configure instances of Google Chrome internal to your organization. Use of these policies outside of your organization (for example, in a publicly distributed program) is considered malware and will likely be labeled as malware by Google and anti-virus vendors.

These settings don't need to be configured manually! Easy-to-use templates for Windows, Mac and Linux are available for download from https://www.chromium.org/administrators/policy-templates.

The recommended way to configure policy on Windows is via GPO, although provisioning policy via registry is still supported for Windows instances that are joined to a Microsoft® Active Directory® domain.

Policy Name	Description
Accessibility settings
ShowAccessibilityOptionsInSystemTrayMenu	Show accessibility options in system tray menu
LargeCursorEnabled	Enable large cursor
SpokenFeedbackEnabled	Enable spoken feedback
HighContrastEnabled	Enable high contrast mode
VirtualKeyboardEnabled	Enable on-screen keyboard
StickyKeysEnabled	Enable sticky keys
KeyboardDefaultToFunctionKeys	Media keys default to function keys
ScreenMagnifierType	Set screen magnifier type
DeviceLoginScreenDefaultLargeCursorEnabled	Set default state of the large cursor on the login screen
DeviceLoginScreenDefaultSpokenFeedbackEnabled	Set the default state of spoken feedback on the login screen
DeviceLoginScreenDefaultHighContrastEnabled	Set the default state of high contrast mode on the login screen
DeviceLoginScreenDefaultVirtualKeyboardEnabled	Set default state of the on-screen keyboard on the login screen
DeviceLoginScreenDefaultScreenMagnifierType	Set the default screen magnifier type enabled on the login screen
Android settings
ArcEnabled	Enable ARC
UnaffiliatedArcAllowed	Allow unaffiliated users to use ARC
ArcPolicy	Configure ARC
ArcAppInstallEventLoggingEnabled	Log events for Android app installs
ArcBackupRestoreServiceEnabled	Control Android backup and restore service
ArcGoogleLocationServicesEnabled	Control Android Google location services
ArcCertificatesSyncMode	Set certificate availability for ARC-apps
AppRecommendationZeroStateEnabled	Enable App Recommendations in Zero State of Search Box
Content settings
DefaultCookiesSetting	Default cookies setting
DefaultImagesSetting	Default images setting
DefaultJavaScriptSetting	Default JavaScript setting
DefaultPluginsSetting	Default Flash setting
DefaultPopupsSetting	Default popups setting
DefaultNotificationsSetting	Default notification setting
DefaultGeolocationSetting	Default geolocation setting
DefaultMediaStreamSetting	Default mediastream setting
DefaultWebBluetoothGuardSetting	Control use of the Web Bluetooth API
DefaultWebUsbGuardSetting	Control use of the WebUSB API
AutoSelectCertificateForUrls	Automatically select client certificates for these sites
CookiesAllowedForUrls	Allow cookies on these sites
CookiesBlockedForUrls	Block cookies on these sites
CookiesSessionOnlyForUrls	Limit cookies from matching URLs to the current session
ImagesAllowedForUrls	Allow images on these sites
ImagesBlockedForUrls	Block images on these sites
JavaScriptAllowedForUrls	Allow JavaScript on these sites
JavaScriptBlockedForUrls	Block JavaScript on these sites
PluginsAllowedForUrls	Allow the Flash plugin on these sites
PluginsBlockedForUrls	Block the Flash plugin on these sites
PopupsAllowedForUrls	Allow popups on these sites
RegisteredProtocolHandlers	Register protocol handlers
PopupsBlockedForUrls	Block popups on these sites
NotificationsAllowedForUrls	Allow notifications on these sites
NotificationsBlockedForUrls	Block notifications on these sites
WebUsbAllowDevicesForUrls	Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.
WebUsbAskForUrls	Allow WebUSB on these sites
WebUsbBlockedForUrls	Block WebUSB on these sites
Date and time
SystemTimezone	Timezone
SystemTimezoneAutomaticDetection	Configure the automatic timezone detection method
SystemUse24HourClock	Use 24 hour clock by default
Default search provider
DefaultSearchProviderEnabled	Enable the default search provider
DefaultSearchProviderName	Default search provider name
DefaultSearchProviderKeyword	Default search provider keyword
DefaultSearchProviderSearchURL	Default search provider search URL
DefaultSearchProviderSuggestURL	Default search provider suggest URL
DefaultSearchProviderIconURL	Default search provider icon
DefaultSearchProviderEncodings	Default search provider encodings
DefaultSearchProviderAlternateURLs	List of alternate URLs for the default search provider
DefaultSearchProviderImageURL	Parameter providing search-by-image feature for the default search provider
DefaultSearchProviderNewTabURL	Default search provider new tab page URL
DefaultSearchProviderSearchURLPostParams	Parameters for search URL which uses POST
DefaultSearchProviderSuggestURLPostParams	Parameters for suggest URL which uses POST
DefaultSearchProviderImageURLPostParams	Parameters for image URL which uses POST
Device update settings
ChromeOsReleaseChannel	Release channel
ChromeOsReleaseChannelDelegated	Users may configure the Chrome OS release channel
DeviceAutoUpdateDisabled	Disable Auto Update
DeviceAutoUpdateP2PEnabled	Auto update p2p enabled
DeviceAutoUpdateTimeRestrictions	Update Time Restrictions
DeviceTargetVersionPrefix	Target Auto Update Version
DeviceUpdateStagingSchedule	The staging schedule for applying a new update
DeviceUpdateScatterFactor	Auto update scatter factor
DeviceUpdateAllowedConnectionTypes	Connection types allowed for updates
DeviceUpdateHttpDownloadsEnabled	Allow autoupdate downloads via HTTP
RebootAfterUpdate	Automatically reboot after update
MinimumRequiredChromeVersion	Configure minimum allowed Chrome version for the device.
DeviceRollbackToTargetVersion	Rollback to target version
DeviceRollbackAllowedMilestones	Number of milestones rollback is allowed
DeviceQuickFixBuildToken	Provide users with Quick Fix Build
Display
DeviceDisplayResolution	Set display resolution and scale factor
DisplayRotationDefault	Set default display rotation, reapplied on every reboot
Extensions
ExtensionInstallBlacklist	Configure extension installation blacklist
ExtensionInstallWhitelist	Configure extension installation whitelist
ExtensionInstallForcelist	Configure the list of force-installed apps and extensions
ExtensionInstallSources	Configure extension, app, and user script install sources
ExtensionAllowedTypes	Configure allowed app/extension types
ExtensionAllowInsecureUpdates	Allow insecure algorithms in integrity checks on extension updates and installs
ExtensionSettings	Extension management settings
Google Assistant
VoiceInteractionContextEnabled	"Allow Google Assistant to access screen context"
VoiceInteractionHotwordEnabled	Allow Google Assistant to listen for the voice activation phrase
Google Cast
EnableMediaRouter	Enable Google Cast
ShowCastIconInToolbar	Show the Google Cast toolbar icon
Google Drive
DriveDisabled	Disable Drive in the Google Chrome OS Files app
DriveDisabledOverCellular	Disable Google Drive over cellular connections in the Google Chrome OS Files app
HTTP authentication
AuthSchemes	Supported authentication schemes
DisableAuthNegotiateCnameLookup	Disable CNAME lookup when negotiating Kerberos authentication
EnableAuthNegotiatePort	Include non-standard port in Kerberos SPN
AuthServerWhitelist	Authentication server whitelist
AuthNegotiateDelegateWhitelist	Kerberos delegation server whitelist
AuthNegotiateDelegateByKdcPolicy	Use KDC policy to delegate credentials.
GSSAPILibraryName	GSSAPI library name
AuthAndroidNegotiateAccountType	Account type for HTTP Negotiate authentication
AllowCrossOriginAuthPrompt	Cross-origin HTTP Basic Auth prompts
NtlmV2Enabled	Enable NTLMv2 authentication.
Kiosk settings
DeviceLocalAccounts	Device-local accounts
DeviceLocalAccountAutoLoginId	Device-local account for auto-login
DeviceLocalAccountAutoLoginDelay	Device-local account auto-login timer
DeviceLocalAccountAutoLoginBailoutEnabled	Enable bailout keyboard shortcut for auto-login
DeviceLocalAccountPromptForNetworkWhenOffline	Enable network configuration prompt when offline
AllowKioskAppControlChromeVersion	Allow the auto launched with zero delay kiosk app to control Google Chrome OS version
Legacy Browser Support
AlternativeBrowserPath	Alternative browser to launch for configured websites.
AlternativeBrowserParameters	Command-line parameters for the alternative browser.
BrowserSwitcherChromePath	Path to Chrome for switching from the alternative browser.
BrowserSwitcherChromeParameters	Command-line parameters for switching from the alternative browser.
BrowserSwitcherDelay	Delay before launching alternative browser (milliseconds)
BrowserSwitcherEnabled	Enable the Legacy Browser Support feature.
BrowserSwitcherExternalSitelistUrl	URL of an XML file that contains URLs to load in an alternative browser.
BrowserSwitcherExternalGreylistUrl	URL of an XML file that contains URLs that should never trigger a browser switch.
BrowserSwitcherKeepLastChromeTab	Keep last tab open in Chrome.
BrowserSwitcherUrlList	Websites to open in alternative browser
BrowserSwitcherUrlGreylist	Websites that should never trigger a browser switch.
BrowserSwitcherUseIeSitelist	Use Internet Explorer's SiteList policy for Legacy Browser Support.
Linux container
VirtualMachinesAllowed	Allow devices to run virtual machines on Chrome OS
CrostiniAllowed	User is enabled to run Crostini
DeviceUnaffiliatedCrostiniAllowed	Allow unaffiliated users to use Crostini
CrostiniExportImportUIAllowed	User is enabled to export / import Crostini containers via the UI
Microsoft® Active Directory® management settings
DeviceMachinePasswordChangeRate	Machine password change rate
DeviceUserPolicyLoopbackProcessingMode	User policy loopback processing mode
DeviceKerberosEncryptionTypes	Allowed Kerberos encryption types
DeviceGpoCacheLifetime	GPO cache lifetime
DeviceAuthDataCacheLifetime	Authentication data cache lifetime
Native Messaging
NativeMessagingBlacklist	Configure native messaging blacklist
NativeMessagingWhitelist	Configure native messaging whitelist
NativeMessagingUserLevelHosts	Allow user-level Native Messaging hosts (installed without admin permissions)
Network File Shares settings
NetworkFileSharesAllowed	Contorls Network File Shares for ChromeOS availability
NetBiosShareDiscoveryEnabled	Controls Network File Share discovery via NetBIOS
NTLMShareAuthenticationEnabled	Controls enabling NTLM as an authentication protocol for SMB mounts
NetworkFileSharesPreconfiguredShares	List of preconfigured network file shares.
Network settings
DeviceOpenNetworkConfiguration	Device-level network configuration
DeviceDataRoamingEnabled	Enable data roaming
NetworkThrottlingEnabled	Enable throttling network bandwidth
DeviceHostnameTemplate	Device network hostname template
DeviceWiFiFastTransitionEnabled	Enable 802.11r Fast Transition
DeviceWiFiAllowed	Enable WiFi
DeviceDockMacAddressSource	Device MAC address source when docked
Other
UsbDetachableWhitelist	Whitelist of USB detachable devices
DeviceAllowBluetooth	Allow bluetooth on device
TPMFirmwareUpdateSettings	Configure TPM firmware update behavior
DevicePolicyRefreshRate	Refresh rate for Device Policy
DeviceBlockDevmode	Block developer mode
DeviceAllowRedeemChromeOsRegistrationOffers	Allow users to redeem offers through Chrome OS Registration
DeviceQuirksDownloadEnabled	Enable queries to Quirks Server for hardware profiles
ExtensionCacheSize	Set Apps and Extensions cache size (in bytes)
DeviceOffHours	Off hours intervals when the specified device policies are released
Password manager
PasswordManagerEnabled	Enable saving passwords to the password manager
PluginVm
PluginVmAllowed	Allow devices to use a PluginVm on Google Chrome OS
PluginVmLicenseKey	PluginVm license key
PluginVmImage	PluginVm image
Power and shutdown
DeviceLoginScreenPowerManagement	Power management on the login screen
UptimeLimit	Limit device uptime by automatically rebooting
DeviceRebootOnShutdown	Automatic reboot on device shutdown
Power management
ScreenDimDelayAC	Screen dim delay when running on AC power
ScreenOffDelayAC	Screen off delay when running on AC power
ScreenLockDelayAC	Screen lock delay when running on AC power
IdleWarningDelayAC	Idle warning delay when running on AC power
IdleDelayAC	Idle delay when running on AC power
ScreenDimDelayBattery	Screen dim delay when running on battery power
ScreenOffDelayBattery	Screen off delay when running on battery power
ScreenLockDelayBattery	Screen lock delay when running on battery power
IdleWarningDelayBattery	Idle warning delay when running on battery power
IdleDelayBattery	Idle delay when running on battery power
IdleAction	Action to take when the idle delay is reached
IdleActionAC	Action to take when the idle delay is reached while running on AC power
IdleActionBattery	Action to take when the idle delay is reached while running on battery power
LidCloseAction	Action to take when the user closes the lid
PowerManagementUsesAudioActivity	Specify whether audio activity affects power management
PowerManagementUsesVideoActivity	Specify whether video activity affects power management
PresentationScreenDimDelayScale	Percentage by which to scale the screen dim delay in presentation mode
AllowWakeLocks	Allow wake locks
AllowScreenWakeLocks	Allow screen wake locks
UserActivityScreenDimDelayScale	Percentage by which to scale the screen dim delay if the user becomes active after dimming
WaitForInitialUserActivity	Wait for initial user activity
PowerManagementIdleSettings	Power management settings when the user becomes idle
ScreenLockDelays	Screen lock delays
PowerSmartDimEnabled	Enable smart dim model to extend the time until the screen is dimmed
ScreenBrightnessPercent	Screen brightness percent
DevicePowerPeakShiftBatteryThreshold	Set power peak shift battery threshold in percent
DevicePowerPeakShiftDayConfig	Set power peak shift day config
DevicePowerPeakShiftEnabled	Enable power peak shift
DeviceBootOnAcEnabled	Enable boot on AC (alternating current)
DeviceAdvancedBatteryChargeModeEnabled	Enable advanced battery charge mode
DeviceAdvancedBatteryChargeModeDayConfig	Set advanced battery charge mode day config
DeviceBatteryChargeMode	Battery charge mode
DeviceBatteryChargeCustomStartCharging	Set battery charge custom start charging in percent
DeviceBatteryChargeCustomStopCharging	Set battery charge custom stop charging in percent
DeviceUsbPowerShareEnabled	Enable USB power share
Printing
PrintingEnabled	Enable printing
CloudPrintProxyEnabled	Enable Google Cloud Print proxy
PrintingAllowedColorModes	Restrict printing color mode
PrintingAllowedDuplexModes	Restrict printing duplex mode
PrintingColorDefault	Default printing color mode
PrintingDuplexDefault	Default printing duplex mode
CloudPrintSubmitEnabled	Enable submission of documents to Google Cloud Print
DisablePrintPreview	Disable Print Preview
PrintHeaderFooter	Print Headers and Footers
DefaultPrinterSelection	Default printer selection rules
NativePrinters	Native Printing
NativePrintersBulkConfiguration	Enterprise printer configuration file
NativePrintersBulkAccessMode	Printer configuration access policy.
NativePrintersBulkBlacklist	Disabled enterprise printers
NativePrintersBulkWhitelist	Enabled enterprise printers
DeviceNativePrinters	Enterprise printer configuration file for devices
DeviceNativePrintersAccessMode	Device printers configuration access policy.
DeviceNativePrintersBlacklist	Disabled enterprise device printers
DeviceNativePrintersWhitelist	Enabled enterprise device printers
PrintPreviewUseSystemDefaultPrinter	Use System Default Printer as Default
Proxy server
ProxyMode	Choose how to specify proxy server settings
ProxyServerMode	Choose how to specify proxy server settings
ProxyServer	Address or URL of proxy server
ProxyPacUrl	URL to a proxy .pac file
ProxyBypassList	Proxy bypass rules
Quick unlock
QuickUnlockModeWhitelist	Configure allowed quick unlock modes
QuickUnlockTimeout	Set how often user has to enter password to use quick unlock
PinUnlockMinimumLength	Set the minimum length of the lock screen PIN
PinUnlockMaximumLength	Set the maximum length of the lock screen PIN
PinUnlockWeakPinsAllowed	Enable users to set weak PINs for the lock screen PIN
Remote access
RemoteAccessHostClientDomain	Configure the required domain name for remote access clients
RemoteAccessHostClientDomainList	Configure the required domain names for remote access clients
RemoteAccessHostFirewallTraversal	Enable firewall traversal from remote access host
RemoteAccessHostDomain	Configure the required domain name for remote access hosts
RemoteAccessHostDomainList	Configure the required domain names for remote access hosts
RemoteAccessHostTalkGadgetPrefix	Configure the TalkGadget prefix for remote access hosts
RemoteAccessHostRequireCurtain	Enable curtaining of remote access hosts
RemoteAccessHostAllowClientPairing	Enable or disable PIN-less authentication for remote access hosts
RemoteAccessHostAllowGnubbyAuth	Allow gnubby authentication for remote access hosts
RemoteAccessHostAllowRelayedConnection	Enable the use of relay servers by the remote access host
RemoteAccessHostUdpPortRange	Restrict the UDP port range used by the remote access host
RemoteAccessHostMatchUsername	Require that the name of the local user and the remote access host owner match
RemoteAccessHostTokenUrl	URL where remote access clients should obtain their authentication token
RemoteAccessHostTokenValidationUrl	URL for validating remote access client authentication token
RemoteAccessHostTokenValidationCertificateIssuer	Client certificate for connecting to RemoteAccessHostTokenValidationUrl
RemoteAccessHostAllowUiAccessForRemoteAssistance	Allow remote users to interact with elevated windows in remote assistance sessions
RemoteAccessHostAllowFileTransfer	Allow remote access users to transfer files to/from the host
Remote attestation
AttestationEnabledForDevice	Enable remote attestation for the device
AttestationEnabledForUser	Enable remote attestation for the user
AttestationExtensionWhitelist	Extensions allowed to to use the remote attestation API
AttestationForContentProtectionEnabled	Enable the use of remote attestation for content protection for the device
Safe Browsing settings
SafeBrowsingEnabled	Enable Safe Browsing
SafeBrowsingExtendedReportingEnabled	Enable Safe Browsing Extended Reporting
SafeBrowsingExtendedReportingOptInAllowed	Allow users to opt in to Safe Browsing extended reporting
SafeBrowsingWhitelistDomains	Configure the list of domains on which Safe Browsing will not trigger warnings.
PasswordProtectionWarningTrigger	Password protection warning trigger
PasswordProtectionLoginURLs	Configure the list of enterprise login URLs where password protection service should capture fingerprint of password.
PasswordProtectionChangePasswordURL	Configure the change password URL.
Sign-in settings
DeviceGuestModeEnabled	Enable guest mode
DeviceUserWhitelist	Login user white list
DeviceAllowNewUsers	Allow creation of new user accounts
DeviceLoginScreenDomainAutoComplete	Enable domain name autocomplete during user sign in
DeviceShowUserNamesOnSignin	Show usernames on login screen
DeviceWallpaperImage	Device wallpaper image
DeviceEphemeralUsersEnabled	Wipe user data on sign-out
LoginAuthenticationBehavior	Configure the login authentication behavior
DeviceTransferSAMLCookies	Transfer SAML IdP cookies during login
LoginVideoCaptureAllowedUrls	URLs that will be granted access to video capture devices on SAML login pages
DeviceLoginScreenExtensions	Configure the list of installed apps on the login screen
DeviceLoginScreenLocales	Device sign-in screen locale
DeviceLoginScreenInputMethods	Device sign-in screen keyboard layouts
DeviceSecondFactorAuthentication	Integrated second factor authentication mode
DeviceLoginScreenIsolateOrigins	Enable Site Isolation for specified origins
DeviceLoginScreenAutoSelectCertificateForUrls	Automatically select client certificates for these sites on the sign-in screen
Startup, Home page and New Tab page
ShowHomeButton	Show Home button on toolbar
HomepageLocation	Configure the home page URL
HomepageIsNewTabPage	Use New Tab Page as homepage
NewTabPageLocation	Configure the New Tab page URL
RestoreOnStartup	Action on startup
RestoreOnStartupURLs	URLs to open on startup
User and device reporting
ReportDeviceVersionInfo	Report OS and firmware version
ReportDeviceBootMode	Report device boot mode
ReportDeviceUsers	Report device users
ReportDeviceActivityTimes	Report device activity times
ReportDeviceNetworkInterfaces	Report device network interfaces
ReportDeviceHardwareStatus	Report hardware status
ReportDeviceSessionStatus	Report information about active kiosk sessions
ReportDeviceBoardStatus	Report board status
ReportDevicePowerStatus	Report power status
ReportDeviceStorageStatus	Report storage status
ReportUploadFrequency	Frequency of device status report uploads
ReportArcStatusEnabled	Report information about status of Android
HeartbeatEnabled	Send network packets to the management server to monitor online status
HeartbeatFrequency	Frequency of monitoring network packets
LogUploadEnabled	Send system logs to the management server
DeviceMetricsReportingEnabled	Enable metrics reporting
AbusiveExperienceInterventionEnforce	Abusive Experience Intervention Enforce
AdsSettingForIntrusiveAdsSites	Ads setting for sites with intrusive ads
AllowDeletingBrowserHistory	Enable deleting browser and download history
AllowDinosaurEasterEgg	Allow Dinosaur Easter Egg Game
AllowFileSelectionDialogs	Allow invocation of file selection dialogs
AllowOutdatedPlugins	Allow running plugins that are outdated
AllowPopupsDuringPageUnload	Allows a page to show popups during its unloading
AllowScreenLock	Permit locking the screen
AllowedDomainsForApps	Define domains allowed to access G Suite
AllowedInputMethods	Configure the allowed input methods in a user session
AllowedLanguages	Configure the allowed languages in a user session
AlternateErrorPagesEnabled	Enable alternate error pages
AlwaysOpenPdfExternally	Always Open PDF files externally
ApplicationLocaleValue	Application locale
AudioCaptureAllowed	Allow or deny audio capture
AudioCaptureAllowedUrls	URLs that will be granted access to audio capture devices without prompt
AudioOutputAllowed	Allow playing audio
AutoFillEnabled	Enable AutoFill
AutofillAddressEnabled	Enable AutoFill for addresses
AutofillCreditCardEnabled	Enable AutoFill for credit cards
AutoplayAllowed	Allow media autoplay
AutoplayWhitelist	Allow media autoplay on a whitelist of URL patterns
BackgroundModeEnabled	Continue running background apps when Google Chrome is closed
BlockThirdPartyCookies	Block third party cookies
BookmarkBarEnabled	Enable Bookmark Bar
BrowserAddPersonEnabled	Enable add person in user manager
BrowserGuestModeEnabled	Enable guest mode in browser
BrowserGuestModeEnforced	Enforce browser guest mode
BrowserNetworkTimeQueriesEnabled	Allow queries to a Google time service
BrowserSignin	Browser sign in settings
BuiltInDnsClientEnabled	Use built-in DNS client
BuiltinCertificateVerifierEnabled	Determines whether the built-in certificate verifier will be used to verify server certificates
CaptivePortalAuthenticationIgnoresProxy	Captive portal authentication ignores proxy
CertificateTransparencyEnforcementDisabledForCas	Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes
CertificateTransparencyEnforcementDisabledForLegacyCas	Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities
CertificateTransparencyEnforcementDisabledForUrls	Disable Certificate Transparency enforcement for a list of URLs
ChromeCleanupEnabled	Enable Chrome Cleanup on Windows
ChromeCleanupReportingEnabled	Control how Chrome Cleanup reports data to Google
ChromeOsLockOnIdleSuspend	Enable lock when the device become idle or suspended
ChromeOsMultiProfileUserBehavior	Control the user behavior in a multiprofile session
ClientCertificateManagementAllowed	Allow users to manage installed client certificates.
CloudManagementEnrollmentMandatory	Enable mandatory cloud management enrollment
CloudManagementEnrollmentToken	The enrollment token of cloud policy on desktop
CloudPolicyOverridesPlatformPolicy	Google Chrome cloud policy overrides Platform policy.
CommandLineFlagSecurityWarningsEnabled	Enable security warnings for command-line flags
ComponentUpdatesEnabled	Enable component updates in Google Chrome
ContextualSearchEnabled	Enable Tap to Search
DataCompressionProxyEnabled	Enable the data compression proxy feature
DefaultBrowserSettingEnabled	Set Google Chrome as Default Browser
DefaultDownloadDirectory	Set default download directory
DeveloperToolsAvailability	Control where Developer Tools can be used
DeveloperToolsDisabled	Disable Developer Tools
DeviceLocalAccountManagedSessionEnabled	Allow managed session on device
DevicePowerwashAllowed	Allow the device to request powerwash
DeviceRebootOnUserSignout	Force device reboot when user sign out
DeviceScheduledUpdateCheck	Set custom schedule to check for updates
DeviceWebUsbAllowDevicesForUrls	Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.
Disable3DAPIs	Disable support for 3D graphics APIs
DisableSafeBrowsingProceedAnyway	Disable proceeding from the Safe Browsing warning page
DisableScreenshots	Disable taking screenshots
DisabledPlugins	Specify a list of disabled plugins
DisabledPluginsExceptions	Specify a list of plugins that the user can enable or disable
DisabledSchemes	Disable URL protocol schemes
DiskCacheDir	Set disk cache directory
DiskCacheSize	Set disk cache size in bytes
DownloadDirectory	Set download directory
DownloadRestrictions	Allow download restrictions
EasyUnlockAllowed	Allow Smart Lock to be used
EcryptfsMigrationStrategy	Migration strategy for ecryptfs
EditBookmarksEnabled	Enable or disable bookmark editing
EnableDeprecatedWebPlatformFeatures	Enable deprecated web platform features for a limited time
EnableOnlineRevocationChecks	Enable online OCSP/CRL checks
EnableSyncConsent	Enable displaying Sync Consent during sign-in
EnabledPlugins	Specify a list of enabled plugins
EnterpriseHardwarePlatformAPIEnabled	Enables managed extensions to use the Enterprise Hardware Platform API
ExternalStorageDisabled	Disable mounting of external storage
ExternalStorageReadOnly	Treat external storage devices as read-only
ForceBrowserSignin	Enable force sign in for Google Chrome
ForceEphemeralProfiles	Ephemeral profile
ForceGoogleSafeSearch	Force Google SafeSearch
ForceMaximizeOnFirstRun	Maximize the first browser window on first run
ForceNetworkInProcess	Force networking code to run in the browser process
ForceSafeSearch	Force SafeSearch
ForceYouTubeRestrict	Force minimum YouTube Restricted Mode
ForceYouTubeSafetyMode	Force YouTube Safety Mode
FullscreenAllowed	Allow fullscreen mode
HardwareAccelerationModeEnabled	Use hardware acceleration when available
HideWebStoreIcon	Hide the web store from the New Tab Page and app launcher
Http09OnNonDefaultPortsEnabled	Enable HTTP/0.9 support on non-default ports
ImportAutofillFormData	Import autofill form data from default browser on first run
ImportBookmarks	Import bookmarks from default browser on first run
ImportHistory	Import browsing history from default browser on first run
ImportHomepage	Import of homepage from default browser on first run
ImportSavedPasswords	Import saved passwords from default browser on first run
ImportSearchEngine	Import search engines from default browser on first run
IncognitoEnabled	Enable Incognito mode
IncognitoModeAvailability	Incognito mode availability
InstantTetheringAllowed	Allow Instant Tethering to be used.
IsolateOrigins	Enable Site Isolation for specified origins
IsolateOriginsAndroid	Enable Site Isolation for specified origins on Android devices
JavascriptEnabled	Enable JavaScript
KeyPermissions	Key Permissions
MachineLevelUserCloudPolicyEnrollmentToken	The enrollment token of cloud policy on desktop
ManagedBookmarks	Managed Bookmarks
MaxConnectionsPerProxy	Maximal number of concurrent connections to the proxy server
MaxInvalidationFetchDelay	Maximum fetch delay after a policy invalidation
MediaRouterCastAllowAllIPs	Allow Google Cast to connect to Cast devices on all IP addresses.
MetricsReportingEnabled	Enable reporting of usage and crash-related data
NTPContentSuggestionsEnabled	Show content suggestions on the New Tab page
NetworkPredictionOptions	Enable network prediction
NoteTakingAppsLockScreenWhitelist	Whitelist note-taking apps allowed on the Google Chrome OS lock screen
OpenNetworkConfiguration	User-level network configuration
OverrideSecurityRestrictionsOnInsecureOrigin	Origins or hostname patterns for which restrictions on insecure origins should not apply
ParentAccessCodeConfig	Parent Access Code Configuration
PinnedLauncherApps	List of pinned apps to show in the launcher
PolicyDictionaryMultipleSourceMergeList	Allow merging dictionary policies from different sources
PolicyListMultipleSourceMergeList	Allow merging list policies from different sources
PolicyRefreshRate	Refresh rate for user policy
PromotionalTabsEnabled	Enable showing full-tab promotional content
PromptForDownloadLocation	Ask where to save each file before downloading
ProxySettings	Proxy settings
QuicAllowed	Allow QUIC protocol
RelaunchHeadsUpPeriod	Set the time of the first user relaunch notification
RelaunchNotification	Notify a user that a browser relaunch or device restart is recommended or required
RelaunchNotificationPeriod	Set the time period for update notifications
ReportCrostiniUsageEnabled	Report information about usage of Linux apps
RequireOnlineRevocationChecksForLocalAnchors	Require online OCSP/CRL checks for local trust anchors
RestrictAccountsToPatterns	Restrict accounts that are visible in Google Chrome
RestrictSigninToPattern	Restrict which Google accounts are allowed to be set as browser primary accounts in Google Chrome
RoamingProfileLocation	Set the roaming profile directory
RoamingProfileSupportEnabled	Enable the creation of roaming copies for Google Chrome profile data
RunAllFlashInAllowMode	Extend Flash content setting to all content
SAMLOfflineSigninTimeLimit	Limit the time for which a user authenticated via SAML can log in offline
SSLErrorOverrideAllowed	Allow proceeding from the SSL warning page
SSLVersionMin	Minimum SSL version enabled
SafeBrowsingForTrustedSourcesEnabled	Enable Safe Browsing for trusted sources
SafeSitesFilterBehavior	Control SafeSites adult content filtering.
SavingBrowserHistoryDisabled	Disable saving browser history
SchedulerConfiguration	Select task scheduler configuration
SearchSuggestEnabled	Enable search suggestions
SecondaryGoogleAccountSigninAllowed	Allow Multiple Sign-in Within the Browser
SecurityKeyPermitAttestation	URLs/domains automatically permitted direct Security Key attestation
SelectToSpeakEnabled	Enable select to speak
SessionLengthLimit	Limit the length of a user session
SessionLocales	Set the recommended locales for a managed session
ShelfAutoHideBehavior	Control shelf auto-hiding
ShowAppsShortcutInBookmarkBar	Show the apps shortcut in the bookmark bar
ShowLogoutButtonInTray	Add a logout button to the system tray
SignedHTTPExchangeEnabled	Enable Signed HTTP Exchange (SXG) support
SigninAllowed	Allow sign in to Google Chrome
SitePerProcess	Enable Site Isolation for every site
SitePerProcessAndroid	Enable Site Isolation for every site
SmartLockSigninAllowed	Allow Smart Lock Signin to be used.
SmsMessagesAllowed	Allow SMS Messages to be synced from phone to Chromebook.
SpellCheckServiceEnabled	Enable or disable spell checking web service
SpellcheckEnabled	Enable spellcheck
SpellcheckLanguage	Force enable spellcheck languages
SpellcheckLanguageBlacklist	Force disable spellcheck languages
StartupBrowserWindowLaunchSuppressed	Suppress launching of browser window
SuppressUnsupportedOSWarning	Suppress the unsupported OS warning
SyncDisabled	Disable synchronization of data with Google
TabLifecyclesEnabled	Enables or disables tab lifecycles
TaskManagerEndProcessEnabled	Enable ending processes in Task Manager
TermsOfServiceURL	Set the Terms of Service for a device-local account
ThirdPartyBlockingEnabled	Enable third party software injection blocking
TouchVirtualKeyboardEnabled	Enable virtual keyboard
TranslateEnabled	Enable Translate
URLBlacklist	Block access to a list of URLs
URLWhitelist	Allow access to a list of URLs
UnifiedDesktopEnabledByDefault	Make Unified Desktop available and turn on by default
UnsafelyTreatInsecureOriginAsSecure	Origins or hostname patterns for which restrictions on insecure origins should not apply
UrlKeyedAnonymizedDataCollectionEnabled	Enable URL-keyed anonymized data collection
UsageTimeLimit	Time Limit
UserAvatarImage	User avatar image
UserDataDir	Set user data directory
UserDisplayName	Set the display name for device-local accounts
UserFeedbackAllowed	Allow user feedback
VideoCaptureAllowed	Allow or deny video capture
VideoCaptureAllowedUrls	URLs that will be granted access to video capture devices without prompt
VpnConfigAllowed	Allow the user to manage VPN connections
WPADQuickCheckEnabled	Enable WPAD optimization
WallpaperImage	Wallpaper image
WebAppInstallForceList	Configure list of force-installed Web Apps
WebDriverOverridesIncompatiblePolicies	Allow WebDriver to Override Incompatible Policies
WebRtcEventLogCollectionAllowed	Allow collection of WebRTC event logs from Google services
WebRtcUdpPortRange	Restrict the range of local UDP ports used by WebRTC

Accessibility settings

Configure Google Chrome OS accessibility features.

ShowAccessibilityOptionsInSystemTrayMenu

Show accessibility options in system tray menu

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ShowAccessibilityOptionsInSystemTrayMenu

Supported on:

Google Chrome OS (Google Chrome OS) since version 27

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If this policy is set to true, Accessibility options always appear in system tray menu.

If this policy is set to false, Accessibility options never appear in system tray menu.

If you set this policy, users cannot change or override it.

If this policy is left unset, Accessibility options will not appear in the system tray menu, but the user can cause the Accessibility options to appear via the Settings page.

When accessiblity features are enabled by other means (e.g by a key combination), Accessibility options will always appear in system tray menu.

Example value:

0x00000001 (Windows)

LargeCursorEnabled

Enable large cursor

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\LargeCursorEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enable the large cursor accessibility feature.

If this policy is set to true, the large cursor will always be enabled.

If this policy is set to false, the large cursor will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the large cursor is disabled initially but can be enabled by the user anytime.

Example value:

0x00000001 (Windows)

SpokenFeedbackEnabled

Enable spoken feedback

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SpokenFeedbackEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enable the spoken feedback accessibility feature.

If this policy is set to true, spoken feedback will always be enabled.

If this policy is set to false, spoken feedback will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, spoken feedback is disabled initially but can be enabled by the user anytime.

Example value:

0x00000001 (Windows)

HighContrastEnabled

Enable high contrast mode

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\HighContrastEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enable the high contrast mode accessibility feature.

If this policy is set to true, high contrast mode will always be enabled.

If this policy is set to false, high contrast mode will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, high contrast mode is disabled initially but can be enabled by the user anytime.

Example value:

0x00000001 (Windows)

VirtualKeyboardEnabled

Enable on-screen keyboard

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\VirtualKeyboardEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 34

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enable the on-screen keyboard accessibility feature.

If this policy is set to true, the on-screen keyboard will always be enabled.

If this policy is set to false, the on-screen keyboard will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the on-screen keyboard is disabled initially but can be enabled by the user anytime.

Example value:

0x00000001 (Windows)

StickyKeysEnabled

Enable sticky keys

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\StickyKeysEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 76

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enable the sticky keys accessibility feature.

If this policy is set to true, the sticky keys will always be enabled.

If this policy is set to false, the sticky keys will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the sticky keys is disabled initially but can be enabled by the user anytime.

Example value:

0x00000001 (Windows)

KeyboardDefaultToFunctionKeys

Media keys default to function keys

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\KeyboardDefaultToFunctionKeys

Supported on:

Google Chrome OS (Google Chrome OS) since version 35

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Changes the default behaviour of the top row keys to function keys.

If this policy is set to true, the keyboard's top row of keys will produce function key commands per default. The search key has to be pressed to revert their behavior back to media keys.

If this policy is set to false or left unset, the keyboard will produce media key commands per default and function key commands when the search key is held.

Example value:

0x00000001 (Windows)

ScreenMagnifierType

Set screen magnifier type

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ScreenMagnifierType

Supported on:

Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If this policy is set, it controls the type of screen magnifier that is enabled. Setting the policy to "None" disables the screen magnifier.

If you set this policy, users cannot change or override it.

If this policy is left unset, the screen magnifier is disabled initially but can be enabled by the user anytime.

0 = Screen magnifier disabled
1 = Full-screen magnifier enabled
2 = Docked magnifier enabled

Example value:

0x00000001 (Windows)

DeviceLoginScreenDefaultLargeCursorEnabled

Set default state of the large cursor on the login screen

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceLoginScreenDefaultLargeCursorEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Dynamic Policy Refresh: Yes

Description:

Set the default state of the large cursor accessibility feature on the login screen.

If this policy is set to true, the large cursor will be enabled when the login screen is shown.

If this policy is set to false, the large cursor will be disabled when the login screen is shown.

If you set this policy, users can temporarily override it by enabling or disabling the large cursor. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.

If this policy is left unset, the large cursor is disabled when the login screen is first shown. Users can enable or disable the large cursor anytime and its status on the login screen is persisted between users.

Example value:

0x00000001 (Windows)

DeviceLoginScreenDefaultSpokenFeedbackEnabled

Set the default state of spoken feedback on the login screen

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceLoginScreenDefaultSpokenFeedbackEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Dynamic Policy Refresh: Yes

Description:

Set the default state of the spoken feedback accessibility feature on the login screen.

If this policy is set to true, spoken feedback will be enabled when the login screen is shown.

If this policy is set to false, spoken feedback will be disabled when the login screen is shown.

If you set this policy, users can temporarily override it by enabling or disabling spoken feedback. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.

If this policy is left unset, spoken feedback is disabled when the login screen is first shown. Users can enable or disable spoken feedback anytime and its status on the login screen is persisted between users.

Example value:

0x00000001 (Windows)

DeviceLoginScreenDefaultHighContrastEnabled

Set the default state of high contrast mode on the login screen

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceLoginScreenDefaultHighContrastEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Dynamic Policy Refresh: Yes

Description:

Set the default state of the high contrast mode accessibility feature on the login screen.

If this policy is set to true, high contrast mode will be enabled when the login screen is shown.

If this policy is set to false, high contrast mode will be disabled when the login screen is shown.

If you set this policy, users can temporarily override it by enabling or disabling high contrast mode. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.

If this policy is left unset, high contrast mode is disabled when the login screen is first shown. Users can enable or disable high contrast mode anytime and its status on the login screen is persisted between users.

Example value:

0x00000001 (Windows)

DeviceLoginScreenDefaultVirtualKeyboardEnabled

Set default state of the on-screen keyboard on the login screen

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceLoginScreenDefaultVirtualKeyboardEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 34

Supported features:

Dynamic Policy Refresh: Yes

Description:

Set the default state of the on-screen keyboard accessibility feature on the login screen.

If this policy is set to true, the on-screen keyboard will be enabled when the login screen is shown.

If this policy is set to false, the on-screen keyboard will be disabled when the login screen is shown.

If you set this policy, users can temporarily override it by enabling or disabling the on-screen keyboard. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.

If this policy is left unset, the on-screen keyboard is disabled when the login screen is first shown. Users can enable or disable the on-screen keyboard anytime and its status on the login screen is persisted between users.

Example value:

0x00000001 (Windows)

DeviceLoginScreenDefaultScreenMagnifierType

Set the default screen magnifier type enabled on the login screen

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceLoginScreenDefaultScreenMagnifierType

Supported on:

Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Dynamic Policy Refresh: Yes

Description:

Set the default type of screen magnifier that is enabled on the login screen.

If this policy is set, it controls the type of screen magnifier that is enabled when the login screen is shown. Setting the policy to "None" disables the screen magnifier.

If you set this policy, users can temporarily override it by enabling or disabling the screen magnifier. However, the user's choice is not persistent and the default is restored whenever the login screen is shown anew or the user remains idle on the login screen for a minute.

If this policy is left unset, the screen magnifier is disabled when the login screen is first shown. Users can enable or disable the screen magnifier anytime and its status on the login screen is persisted between users.

0 = Screen magnifier disabled
1 = Full-screen magnifier enabled
2 = Docked magnifier enabled

Example value:

0x00000001 (Windows)

Android settings

Controls settings for the Android container (ARC) and Android apps.

ArcEnabled

Enable ARC

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ArcEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 50

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

When this policy is set to true, ARC will be enabled for the user (subject to additional policy settings checks - ARC will still be unavailable if either ephemeral mode or multiple sign-in is enabled in the current user session).

If this setting is disabled or not configured then enterprise users are unable to use ARC.

Example value:

0x00000000 (Windows)

UnaffiliatedArcAllowed

Allow unaffiliated users to use ARC

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\UnaffiliatedArcAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 64

Supported features:

Dynamic Policy Refresh: No

Description:

If the policy is set to false, unaffiliated users will not be allowed to use ARC.

If the policy is unset or set to true, all users are allowed to use ARC (unless ARC is disabled by other means).

Changes to the policy will only be applied while ARC is not running, e.g. while Chrome OS is starting.

Example value:

0x00000000 (Windows)

ArcPolicy

Configure ARC

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ArcPolicy

Supported on:

Google Chrome OS (Google Chrome OS) since version 50

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Specifies a set of policies that will be handed over to the ARC runtime. The value must be valid JSON.

This policy can be used to configure which Android apps are automatically installed on the device.

To pin apps to the launcher, see PinnedLauncherApps.

Schema:

{ "properties": { "applications": { "items": { "properties": { "defaultPermissionPolicy": { "description": "Policy for granting permission requests to apps. PERMISSION_POLICY_UNSPECIFIED: Policy not specified. If no policy is specified for a permission at any level, then the `PROMPT` behavior is used by default. PROMPT: Prompt the user to grant a permission. GRANT: Automatically grant a permission. DENY: Automatically deny a permission.", "enum": [ "PERMISSION_POLICY_UNSPECIFIED", "PROMPT", "GRANT", "DENY" ], "type": "string" }, "installType": { "description": "Specifies how an app is installed. OPTIONAL: The app is not installed automatically, but the user can install it. This is the default if this policy is not specified. PRELOAD: The app is installed automatically, but the user can uninstall it. FORCE_INSTALLED: The app is installed automatically and the user cannot uninstall it. BLOCKED: The app is blocked and cannot be installed. If the app was installed under a previous policy it will be uninstalled.", "enum": [ "OPTIONAL", "PRELOAD", "FORCE_INSTALLED", "BLOCKED" ], "type": "string" }, "managedConfiguration": { "description": "App-specific JSON configuration object with a set of key-value pairs, e.g. '\"managedConfiguration\": { \"key1\": value1, \"key2\": value2 }'. The keys are defined in the app manifest.", "type": "object" }, "packageName": { "description": "Android app identifier, e.g. \"com.google.android.gm\" for Gmail", "type": "string" } }, "type": "object" }, "type": "array" } }, "type": "object" }

Example value:

"{"applications":[{"packageName":"com.google.android.gm","installType":"FORCE_INSTALLED","defaultPermissionPolicy":"PROMPT","managedConfiguration":{}},{"packageName":"com.google.android.apps.docs","installType":"PRELOAD","defaultPermissionPolicy":"PROMPT","managedConfiguration":{}}]}"

ArcAppInstallEventLoggingEnabled

Log events for Android app installs

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 67

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables reporting of key events during Android app installation to Google. Events are captured only for apps whose installation was triggered via policy.

If the policy is set to true, events will be logged. If the policy is set to false or unset, events will not be logged.

ArcBackupRestoreServiceEnabled

Control Android backup and restore service

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ArcBackupRestoreServiceEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 68

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

This policy controls the initial state of Android backup and restore.

When this policy is not configured or set to BackupAndRestoreDisabled, Android backup and restore is initially disabled.

When this policy is set to BackupAndRestoreEnabled, Android backup and restore is initially enabled.

When this policy is set to BackupAndRestoreUnderUserControl, the user is asked to choose whether to use Android backup and restore. If the user enables backup and restore, Android app data is uploaded to Android backup servers and restored from them upon app re-installations for compatible apps.

Note that this policy controls the state of Android backup and restore during initial setup only. The user can open Android settings afterward and turn Android backup and restore on/off.

0 = Backup and restore disabled
1 = User decides whether to enable backup and restore
2 = Backup and restore enabled

Example value:

0x00000001 (Windows)

ArcGoogleLocationServicesEnabled

Control Android Google location services

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ArcGoogleLocationServicesEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 68

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

This policy controls the initial state of Google location services.

When this policy is not configured or set to GoogleLocationServicesDisabled, Google location services are initially disabled.

When this policy is set to GoogleLocationServicesEnabled, Google location services are initially enabled.

When this policy is set to GoogleLocationServicesUnderUserControl, the user is asked to choose whether to use Google location services. This will allow Android apps to use the services to query the device location, and also will enable submitting of anonymous location data to Google.

Note that this policy controls the state of Google location services during initial setup only. The user can open Android settings afterward and turn Google location services on/off.

Note that this policy is ignored and Google location services are always disabled when the DefaultGeolocationSetting policy is set to BlockGeolocation.

0 = Google location services disabled
1 = User decides whether to enable Google location services
2 = Google location services enabled

Example value:

0x00000001 (Windows)

ArcCertificatesSyncMode

Set certificate availability for ARC-apps

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ArcCertificatesSyncMode

Supported on:

Google Chrome OS (Google Chrome OS) since version 52

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If set to SyncDisabled or not configured, Google Chrome OS certificates are not available for ARC-apps.

If set to CopyCaCerts, all ONC-installed CA certificates with Web TrustBit are available for ARC-apps.

0 = Disable usage of Google Chrome OS certificates to ARC-apps
1 = Enable Google Chrome OS CA certificates to ARC-apps

Example value:

0x00000000 (Windows)

AppRecommendationZeroStateEnabled

Enable App Recommendations in Zero State of Search Box

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AppRecommendationZeroStateEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enable App Recommendation in Zero State of search box in launcher.

If this policy is set to true, App recommendations may appear in the zero state search.

If this policy is set to false, App recommendations will not appear in the zero state search.

If you set this policy, users cannot change or override it.

If this policy is left unset, the default is False for managed devices.

Example value:

0x00000001 (Windows)

Content settings

Content settings allow you to specify how contents of a specific type (for example Cookies, Images or JavaScript) is handled.

DefaultCookiesSetting

Default cookies setting

Data type:

Integer [Android:choice, Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultCookiesSetting

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultCookiesSetting

Mac/Linux preference name:

DefaultCookiesSetting

Android restriction name:

DefaultCookiesSetting

Supported on:

Google Chrome (Linux, Mac, Windows) since version 10
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set whether websites are allowed to set local data. Setting local data can be either allowed for all websites or denied for all websites.

If this policy is set to 'Keep cookies for the duration of the session' then cookies will be cleared when the session closes. Note that if Google Chrome is running in 'background mode', the session may not close when the last window is closed. Please see the 'BackgroundModeEnabled' policy for more information about configuring this behavior.

If this policy is left not set, 'AllowCookies' will be used and the user will be able to change it.

1 = Allow all sites to set local data
2 = Do not allow any site to set local data
4 = Keep cookies for the duration of the session

Example value:

0x00000001 (Windows), 1 (Linux), 1 (Android), 1 (Mac)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : CookiesSettings

DefaultImagesSetting

Default images setting

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultImagesSetting

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultImagesSetting

Mac/Linux preference name:

DefaultImagesSetting

Supported on:

Google Chrome (Linux, Mac, Windows) since version 10
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set whether websites are allowed to display images. Displaying images can be either allowed for all websites or denied for all websites.

If this policy is left not set, 'AllowImages' will be used and the user will be able to change it.

Note that previously this policy was erroneously enabled on Android, but this functionality has never been fully supported on Android.

1 = Allow all sites to show all images
2 = Do not allow any site to show images

Example value:

0x00000001 (Windows), 1 (Linux), 1 (Mac)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : ImageSettings

DefaultJavaScriptSetting

Default JavaScript setting

Data type:

Integer [Android:choice, Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultJavaScriptSetting

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultJavaScriptSetting

Mac/Linux preference name:

DefaultJavaScriptSetting

Android restriction name:

DefaultJavaScriptSetting

Supported on:

Google Chrome (Linux, Mac, Windows) since version 10
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set whether websites are allowed to run JavaScript. Running JavaScript can be either allowed for all websites or denied for all websites.

If this policy is left not set, 'AllowJavaScript' will be used and the user will be able to change it.

1 = Allow all sites to run JavaScript
2 = Do not allow any site to run JavaScript

Example value:

0x00000001 (Windows), 1 (Linux), 1 (Android), 1 (Mac)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : JavascriptSettings

DefaultPluginsSetting

Default Flash setting

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultPluginsSetting

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultPluginsSetting

Mac/Linux preference name:

DefaultPluginsSetting

Supported on:

Google Chrome (Linux, Mac, Windows) since version 10
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set whether websites are allowed to automatically run the Flash plugin. Automatically running the Flash plugin can be either allowed for all websites or denied for all websites.

Click to play allows the Flash plugin to run but the user must click on the placeholder to start its execution.

Automatic playback is only allowed for domains explictly listed in the PluginsAllowedForUrls policy. If you want to enabled automatic playback for all sites consider adding http://* and https://* to this list.

If this policy is left not set, the user will be able to change this setting manually.

1 = Allow all sites to automatically run the Flash plugin
2 = Block the Flash plugin
3 = Click to play

Example value:

0x00000001 (Windows), 1 (Linux), 1 (Mac)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : PluginsSettings

DefaultPopupsSetting

Default popups setting

Data type:

Integer [Android:choice, Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultPopupsSetting

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultPopupsSetting

Mac/Linux preference name:

DefaultPopupsSetting

Android restriction name:

DefaultPopupsSetting

Supported on:

Google Chrome (Linux, Mac, Windows) since version 10
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 33

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set whether websites are allowed to show pop-ups. Showing popups can be either allowed for all websites or denied for all websites.

If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it.

1 = Allow all sites to show pop-ups
2 = Do not allow any site to show popups

Example value:

0x00000001 (Windows), 1 (Linux), 1 (Android), 1 (Mac)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : PopupsSettings

DefaultNotificationsSetting

Default notification setting

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultNotificationsSetting

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultNotificationsSetting

Mac/Linux preference name:

DefaultNotificationsSetting

Supported on:

Google Chrome (Linux, Mac, Windows) since version 10
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set whether websites are allowed to display desktop notifications. Displaying desktop notifications can be allowed by default, denied by default or the user can be asked every time a website wants to show desktop notifications.

If this policy is left not set, 'AskNotifications' will be used and the user will be able to change it.

1 = Allow sites to show desktop notifications
2 = Do not allow any site to show desktop notifications
3 = Ask every time a site wants to show desktop notifications

Example value:

0x00000002 (Windows), 2 (Linux), 2 (Mac)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : NotificationsSettings

DefaultGeolocationSetting

Default geolocation setting

Data type:

Integer [Android:choice, Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultGeolocationSetting

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultGeolocationSetting

Mac/Linux preference name:

DefaultGeolocationSetting

Android restriction name:

DefaultGeolocationSetting

Supported on:

Google Chrome (Linux, Mac, Windows) since version 10
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set whether websites are allowed to track the users' physical location. Tracking the users' physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location.

If this policy is left not set, 'AskGeolocation' will be used and the user will be able to change it.

1 = Allow sites to track the users' physical location
2 = Do not allow any site to track the users' physical location
3 = Ask whenever a site wants to track the users' physical location

Note for Google Chrome OS devices supporting Android apps:

If this policy is set to BlockGeolocation, Android apps cannot access location information. If you set this policy to any other value or leave it unset, the user is asked to consent when an Android app wants to access location information.

Example value:

0x00000001 (Windows), 1 (Linux), 1 (Android), 1 (Mac)

DefaultMediaStreamSetting (deprecated)

Default mediastream setting

See deprecated policy DefaultMediaStreamSetting

DefaultWebBluetoothGuardSetting

Control use of the Web Bluetooth API

Data type:

Integer [Android:choice, Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultWebBluetoothGuardSetting

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultWebBluetoothGuardSetting

Mac/Linux preference name:

DefaultWebBluetoothGuardSetting

Android restriction name:

DefaultWebBluetoothGuardSetting

Supported on:

Google Chrome OS (Google Chrome OS) since version 50
Google Chrome (Android) since version 50
Google Chrome (Linux, Mac, Windows) since version 50

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set whether websites are allowed to get access to nearby Bluetooth devices. Access can be completely blocked, or the user can be asked every time a website wants to get access to nearby Bluetooth devices.

If this policy is left not set, '3' will be used, and the user will be able to change it.

2 = Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API
3 = Allow sites to ask the user to grant access to a nearby Bluetooth device

Example value:

0x00000002 (Windows), 2 (Linux), 2 (Android), 2 (Mac)

DefaultWebUsbGuardSetting

Control use of the WebUSB API

Data type:

Integer [Android:choice, Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultWebUsbGuardSetting

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultWebUsbGuardSetting

Mac/Linux preference name:

DefaultWebUsbGuardSetting

Android restriction name:

DefaultWebUsbGuardSetting

Supported on:

Google Chrome OS (Google Chrome OS) since version 67
Google Chrome (Android) since version 67
Google Chrome (Linux, Mac, Windows) since version 67

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set whether websites are allowed to get access to connected USB devices. Access can be completely blocked, or the user can be asked every time a website wants to get access to connected USB devices.

This policy can be overridden for specific URL patterns using the 'WebUsbAskForUrls' and 'WebUsbBlockedForUrls' policies.

If this policy is left not set, '3' will be used, and the user will be able to change it.

2 = Do not allow any site to request access to USB devices via the WebUSB API
3 = Allow sites to ask the user to grant access to a connected USB device

Example value:

0x00000002 (Windows), 2 (Linux), 2 (Android), 2 (Mac)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : WebUsbSettings

AutoSelectCertificateForUrls

Automatically select client certificates for these sites

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AutoSelectCertificateForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AutoSelectCertificateForUrls

Mac/Linux preference name:

AutoSelectCertificateForUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 15
Google Chrome OS (Google Chrome OS) since version 15

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to specify a list of url patterns that specify sites for which Google Chrome should automatically select a client certificate, if the site requests a certificate.

The value must be an array of stringified JSON dictionaries. Each dictionary must have the form { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where $URL_PATTERN is a content setting pattern. $FILTER restricts from which client certificates the browser will automatically select. Independent of the filter, only certificates will be selected that match the server's certificate request. For example, if $FILTER has the form { "ISSUER": { "CN": "$ISSUER_CN" } }, additionally only client certificates are selected that are issued by a certificate with the CommonName $ISSUER_CN. If $FILTER contains an "ISSUER" and a "SUBJECT" section, a client certificate must satisfy both conditions to be selected. If $FILTER specifies an organization ("O"), a certificate must have at least one organization which matches the specified value to be selected. If $FILTER specifies an organization unit ("OU"), a certificate must have at least one organization unit which matches the specified value to be selected. If $FILTER is the empty dictionary {}, the selection of client certificates is not additionally restricted.

If this policy is left not set, no auto-selection will be done for any site.

Schema:

{ "items": { "properties": { "filter": { "properties": { "ISSUER": { "id": "CertPrincipalFields", "properties": { "CN": { "type": "string" }, "L": { "type": "string" }, "O": { "type": "string" }, "OU": { "type": "string" } }, "type": "object" }, "SUBJECT": { "$ref": "CertPrincipalFields" } }, "type": "object" }, "pattern": { "type": "string" } }, "type": "object" }, "type": "array" }

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\AutoSelectCertificateForUrls\1 = "{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\AutoSelectCertificateForUrls\1 = "{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}"
Android/Linux:: [ "{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}" ]
Mac:: <array> <string>{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name", "L": "certificate issuer location", "O": "certificate issuer org", "OU": "certificate issuer org unit"}, "SUBJECT":{"CN":"certificate subject name", "L": "certificate subject location", "O": "certificate subject org", "OU": "certificate subject org unit"}}}</string> </array>

CookiesAllowedForUrls

Allow cookies on these sites

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\CookiesAllowedForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\CookiesAllowedForUrls

Mac/Linux preference name:

CookiesAllowedForUrls

Android restriction name:

CookiesAllowedForUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 11
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set a list of url patterns that specify sites which are allowed to set cookies.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise.

See also policies 'CookiesBlockedForUrls' and 'CookiesSessionOnlyForUrls'. Note that there must be no conflicting URL patterns between these three policies - it is unspecified which policy takes precedence.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\CookiesAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\CookiesAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\CookiesAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\CookiesAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:: [ "https://www.example.com", "[*.]example.edu" ]
Mac:: <array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

CookiesBlockedForUrls

Block cookies on these sites

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\CookiesBlockedForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\CookiesBlockedForUrls

Mac/Linux preference name:

CookiesBlockedForUrls

Android restriction name:

CookiesBlockedForUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 11
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set a list of url patterns that specify sites which are not allowed to set cookies.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise.

See also policies 'CookiesAllowedForUrls' and 'CookiesSessionOnlyForUrls'. Note that there must be no conflicting URL patterns between these three policies - it is unspecified which policy takes precedence.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\CookiesBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\CookiesBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\CookiesBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\CookiesBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:: [ "https://www.example.com", "[*.]example.edu" ]
Mac:: <array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

CookiesSessionOnlyForUrls

Limit cookies from matching URLs to the current session

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\CookiesSessionOnlyForUrls

Mac/Linux preference name:

CookiesSessionOnlyForUrls

Android restriction name:

CookiesSessionOnlyForUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 11
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Cookies set by pages matching these URL patterns will be limited to the current session, i.e. they will be deleted when the browser exits.

For URLs not covered by the patterns specified here, or for all URLs if this policy is not set, the global default value will be used either from the 'DefaultCookiesSetting' policy, if it is set, or the user's personal configuration otherwise.

Note that if Google Chrome is running in 'background mode', the session may not be closed when the last browser window is closed, but will instead stay active until the browser exits. Please see the 'BackgroundModeEnabled' policy for more information about configuring this behavior.

See also policies 'CookiesAllowedForUrls' and 'CookiesBlockedForUrls'. Note that there must be no conflicting URL patterns between these three policies - it is unspecified which policy takes precedence.

If the "RestoreOnStartup" policy is set to restore URLs from previous sessions this policy will not be respected and cookies will be stored permanently for those sites.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\CookiesSessionOnlyForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\CookiesSessionOnlyForUrls\2 = "[*.]example.edu"
Android/Linux:: [ "https://www.example.com", "[*.]example.edu" ]
Mac:: <array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

ImagesAllowedForUrls

Allow images on these sites

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ImagesAllowedForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ImagesAllowedForUrls

Mac/Linux preference name:

ImagesAllowedForUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 11
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set a list of url patterns that specify sites which are allowed to display images.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultImagesSetting' policy if it is set, or the user's personal configuration otherwise.

Note that previously this policy was erroneously enabled on Android, but this functionality has never been fully supported on Android.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\ImagesAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\ImagesAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\ImagesAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\ImagesAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:: [ "https://www.example.com", "[*.]example.edu" ]
Mac:: <array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

ImagesBlockedForUrls

Block images on these sites

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ImagesBlockedForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ImagesBlockedForUrls

Mac/Linux preference name:

ImagesBlockedForUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 11
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set a list of url patterns that specify sites which are not allowed to display images.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultImagesSetting' policy if it is set, or the user's personal configuration otherwise.

Note that previously this policy was erroneously enabled on Android, but this functionality has never been fully supported on Android.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\ImagesBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\ImagesBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\ImagesBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\ImagesBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:: [ "https://www.example.com", "[*.]example.edu" ]
Mac:: <array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

JavaScriptAllowedForUrls

Allow JavaScript on these sites

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\JavaScriptAllowedForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\JavaScriptAllowedForUrls

Mac/Linux preference name:

JavaScriptAllowedForUrls

Android restriction name:

JavaScriptAllowedForUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 11
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set a list of url patterns that specify sites which are allowed to run JavaScript.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultJavaScriptSetting' policy if it is set, or the user's personal configuration otherwise.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\JavaScriptAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\JavaScriptAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\JavaScriptAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\JavaScriptAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:: [ "https://www.example.com", "[*.]example.edu" ]
Mac:: <array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

JavaScriptBlockedForUrls

Block JavaScript on these sites

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\JavaScriptBlockedForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\JavaScriptBlockedForUrls

Mac/Linux preference name:

JavaScriptBlockedForUrls

Android restriction name:

JavaScriptBlockedForUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 11
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set a list of url patterns that specify sites which are not allowed to run JavaScript.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultJavaScriptSetting' policy if it is set, or the user's personal configuration otherwise.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\JavaScriptBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\JavaScriptBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\JavaScriptBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\JavaScriptBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:: [ "https://www.example.com", "[*.]example.edu" ]
Mac:: <array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

PluginsAllowedForUrls

Allow the Flash plugin on these sites

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\PluginsAllowedForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PluginsAllowedForUrls

Mac/Linux preference name:

PluginsAllowedForUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 11
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set a list of url patterns that specify sites which are allowed to run the Flash plugin.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultPluginsSetting' policy if it is set, or the user's personal configuration otherwise.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\PluginsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\PluginsAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\PluginsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\PluginsAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:: [ "https://www.example.com", "[*.]example.edu" ]
Mac:: <array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

PluginsBlockedForUrls

Block the Flash plugin on these sites

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\PluginsBlockedForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PluginsBlockedForUrls

Mac/Linux preference name:

PluginsBlockedForUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 11
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set a list of url patterns that specify sites which are not allowed to run the Flash plugin.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultPluginsSetting' policy if it is set, or the user's personal configuration otherwise.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\PluginsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\PluginsBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\PluginsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\PluginsBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:: [ "https://www.example.com", "[*.]example.edu" ]
Mac:: <array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

PopupsAllowedForUrls

Allow popups on these sites

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\PopupsAllowedForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PopupsAllowedForUrls

Mac/Linux preference name:

PopupsAllowedForUrls

Android restriction name:

PopupsAllowedForUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 11
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 34

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set a list of url patterns that specify sites which are allowed to open popups.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultPopupsSetting' policy if it is set, or the user's personal configuration otherwise.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\PopupsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\PopupsAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\PopupsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\PopupsAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:: [ "https://www.example.com", "[*.]example.edu" ]
Mac:: <array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

RegisteredProtocolHandlers

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\Recommended\RegisteredProtocolHandlers

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\Recommended\RegisteredProtocolHandlers

Mac/Linux preference name:

RegisteredProtocolHandlers

Supported on:

Google Chrome (Linux, Mac, Windows) since version 37
Google Chrome OS (Google Chrome OS) since version 37

Supported features:

Can Be Mandatory: No, Can Be Recommended: Yes, Dynamic Policy Refresh: No, Per Profile: Yes

Description:

Allows you to register a list of protocol handlers. This can only be a recommended policy. The property |protocol| should be set to the scheme such as 'mailto' and the property |url| should be set to the URL pattern of the application that handles the scheme. The pattern can include a '%s', which if present will be replaced by the handled URL.

The protocol handlers registered by policy are merged with the ones registered by the user and both are available for use. The user can override the protocol handlers installed by policy by installing a new default handler, but cannot remove a protocol handler registered by policy.

Note for Google Chrome OS devices supporting Android apps:

The protocol handlers set via this policy are not used when handling Android intents.

Schema:

{ "items": { "properties": { "default": { "description": "A boolean flag indicating if the protocol handler should be set as the default.", "type": "boolean" }, "protocol": { "description": "The protocol for the protocol handler.", "type": "string" }, "url": { "description": "The URL of the protocol handler.", "type": "string" } }, "required": [ "protocol", "url" ], "type": "object" }, "type": "array" }

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\Recommended\RegisteredProtocolHandlers = [ { "default": true, "protocol": "mailto", "url": "https://mail.google.com/mail/?extsrc=mailto&url=%s" } ]
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\Recommended\RegisteredProtocolHandlers = [ { "default": true, "protocol": "mailto", "url": "https://mail.google.com/mail/?extsrc=mailto&url=%s" } ]
Android/Linux:: RegisteredProtocolHandlers: [ { "default": true, "protocol": "mailto", "url": "https://mail.google.com/mail/?extsrc=mailto&url=%s" } ]
Mac:: <key>RegisteredProtocolHandlers</key> <array> <dict> <key>default</key> <true/> <key>protocol</key> <string>mailto</string> <key>url</key> <string>https://mail.google.com/mail/?extsrc=mailto&url=%s</string> </dict> </array>

PopupsBlockedForUrls

Block popups on these sites

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\PopupsBlockedForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PopupsBlockedForUrls

Mac/Linux preference name:

PopupsBlockedForUrls

Android restriction name:

PopupsBlockedForUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 11
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 34

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set a list of url patterns that specify sites which are not allowed to open popups.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultPopupsSetting' policy if it is set, or the user's personal configuration otherwise.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\PopupsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\PopupsBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\PopupsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\PopupsBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:: [ "https://www.example.com", "[*.]example.edu" ]
Mac:: <array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

NotificationsAllowedForUrls

Allow notifications on these sites

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\NotificationsAllowedForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\NotificationsAllowedForUrls

Mac/Linux preference name:

NotificationsAllowedForUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 16
Google Chrome OS (Google Chrome OS) since version 16

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set a list of url patterns that specify sites which are allowed to display notifications.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultNotificationsSetting' policy if it is set, or the user's personal configuration otherwise.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\NotificationsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\NotificationsAllowedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\NotificationsAllowedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\NotificationsAllowedForUrls\2 = "[*.]example.edu"
Android/Linux:: [ "https://www.example.com", "[*.]example.edu" ]
Mac:: <array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

NotificationsBlockedForUrls

Block notifications on these sites

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\NotificationsBlockedForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\NotificationsBlockedForUrls

Mac/Linux preference name:

NotificationsBlockedForUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 16
Google Chrome OS (Google Chrome OS) since version 16

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set a list of url patterns that specify sites which are not allowed to display notifications.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultNotificationsSetting' policy if it is set, or the user's personal configuration otherwise.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\NotificationsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\NotificationsBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\NotificationsBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\NotificationsBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:: [ "https://www.example.com", "[*.]example.edu" ]
Mac:: <array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

WebUsbAllowDevicesForUrls

Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.

Data type:

Dictionary [Android:string, Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\WebUsbAllowDevicesForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\WebUsbAllowDevicesForUrls

Mac/Linux preference name:

WebUsbAllowDevicesForUrls

Android restriction name:

WebUsbAllowDevicesForUrls

Supported on:

Google Chrome (Android) since version 75
Google Chrome OS (Google Chrome OS) since version 74
Google Chrome (Linux, Mac, Windows) since version 74

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set a list of urls that specify which sites will automatically be granted permission to access a USB device with the given vendor and product IDs. Each item in the list must contain both devices and urls in order for the policy to be valid. Each item in devices can contain a vendor ID and product ID field. Any ID that is omitted is treated as a wildcard with one exception, and that exception is that a product ID cannot be specified without a vendor ID also being specified. Otherwise, the policy will not be valid and will be ignored.

The USB permission model uses the URL of the requesting site ("requesting URL") and the URL of the top-level frame site ("embedding URL") to grant permission to the requesting URL to access the USB device. The requesting URL may be different than the embedding URL when the requesting site is loaded in an iframe. Therefore, the "urls" field can contain up to two URL strings delimited by a comma to specify the requesting and embedding URL respectively. If only one URL is specified, then access to the corresponding USB devices will be granted when the requesting site's URL matches this URL regardless of embedding status. The URLs in "urls" must be valid URLs, otherwise the policy will be ignored.

If this policy is left not set, the global default value will be used for all sites either from the 'DefaultWebUsbGuardSetting' policy if it is set, or the user's personal configuration otherwise.

URL patterns in this policy should not clash with the ones configured via WebUsbBlockedForUrls. If there is a clash, this policy will take precedence over WebUsbBlockedForUrls and WebUsbAskForUrls.

Values for this policy and the DeviceWebUsbAllowDevicesForUrls policy are merged together.

Schema:

{ "items": { "properties": { "devices": { "items": { "properties": { "product_id": { "type": "integer" }, "vendor_id": { "type": "integer" } }, "type": "object" }, "type": "array" }, "urls": { "items": { "type": "string" }, "type": "array" } }, "required": [ "devices", "urls" ], "type": "object" }, "type": "array" }

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\WebUsbAllowDevicesForUrls = [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com", "https://requesting.com,https://embedded.com" ] } ]
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\WebUsbAllowDevicesForUrls = [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com", "https://requesting.com,https://embedded.com" ] } ]
Android/Linux:: WebUsbAllowDevicesForUrls: [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com", "https://requesting.com,https://embedded.com" ] } ]
Mac:: <key>WebUsbAllowDevicesForUrls</key> <array> <dict> <key>devices</key> <array> <dict> <key>product_id</key> <integer>5678</integer> <key>vendor_id</key> <integer>1234</integer> </dict> </array> <key>urls</key> <array> <string>https://google.com</string> <string>https://requesting.com,https://embedded.com</string> </array> </dict> </array>

WebUsbAskForUrls

Allow WebUSB on these sites

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\WebUsbAskForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\WebUsbAskForUrls

Mac/Linux preference name:

WebUsbAskForUrls

Android restriction name:

WebUsbAskForUrls

Supported on:

Google Chrome OS (Google Chrome OS) since version 68
Google Chrome (Android) since version 68
Google Chrome (Linux, Mac, Windows) since version 68

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set a list of url patterns that specify sites which are allowed to ask the user to grant them access to a USB device.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultWebUsbGuardSetting' policy if it is set, or the user's personal configuration otherwise.

URL patterns in this policy should not clash with ones configured via WebUsbBlockedForUrls. It is unspecified which of the two policies takes precedence if a URL matches with both.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\WebUsbAskForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\WebUsbAskForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\WebUsbAskForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\WebUsbAskForUrls\2 = "[*.]example.edu"
Android/Linux:: [ "https://www.example.com", "[*.]example.edu" ]
Mac:: <array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

WebUsbBlockedForUrls

Block WebUSB on these sites

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\WebUsbBlockedForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\WebUsbBlockedForUrls

Mac/Linux preference name:

WebUsbBlockedForUrls

Android restriction name:

WebUsbBlockedForUrls

Supported on:

Google Chrome OS (Google Chrome OS) since version 68
Google Chrome (Android) since version 68
Google Chrome (Linux, Mac, Windows) since version 68

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set a list of url patterns that specify sites which are prevented from asking the user to grant them access to a USB device.

If this policy is left not set the global default value will be used for all sites either from the 'DefaultWebUsbGuardSetting' policy if it is set, or the user's personal configuration otherwise.

URL patterns in this policy should not clash with ones configured via WebUsbAskForUrls. It is unspecified which of the two policies takes precedence if a URL matches with both.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\WebUsbBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\Chrome\WebUsbBlockedForUrls\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\WebUsbBlockedForUrls\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\WebUsbBlockedForUrls\2 = "[*.]example.edu"
Android/Linux:: [ "https://www.example.com", "[*.]example.edu" ]
Mac:: <array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

Date and time

Controls clock and time zone settings.

SystemTimezone

Timezone

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SystemTimezone

Supported on:

Google Chrome OS (Google Chrome OS) since version 22

Supported features:

Dynamic Policy Refresh: Yes

Description:

Specifies the enforced timezone to be used for the device. When this policy is set, users on the device cannot override the specified timezone. If an invalid value is provided, the policy is still activated using "GMT" instead. If an empty string is provided, the policy is ignored.

If this policy is not used, the currently active timezone will remain in use however users can change the timezone.

New devices start out with the timezone set to "US/Pacific".

The format of the value follows the names of timezones in the "IANA Time Zone Database" (see "https://en.wikipedia.org/wiki/Tz_database"). In particular, most timezones can be referred to by "continent/large_city" or "ocean/large_city".

Setting this policy completely disables automatic timezone resolve by device location. It also overrides SystemTimezoneAutomaticDetection policy.

Example value:

"America/Los_Angeles"

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : DateAndTime

SystemTimezoneAutomaticDetection

Configure the automatic timezone detection method

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SystemTimezoneAutomaticDetection

Supported on:

Google Chrome OS (Google Chrome OS) since version 53

Supported features:

Dynamic Policy Refresh: Yes

Description:

When this policy is set, automatic timezone detection flow will be in one of the following ways depending on the value of the setting:

If set to TimezoneAutomaticDetectionUsersDecide, users would be able to control automatic timezone detection using normal controls in chrome://settings.

If set to TimezoneAutomaticDetectionDisabled, automatic timezone controls in chrome://settings will be disabled. Automatic timezone detection will be always off.

If set to TimezoneAutomaticDetectionIPOnly, timezone controls in chrome://settings will be disabled. Automatic timezone detection will be always on. Timezone detection will use IP-only method to resolve location.

If set to TimezoneAutomaticDetectionSendWiFiAccessPoints, timezone controls in chrome://settings will be disabled. Automatic timezone detection will be always on. The list of visible WiFi access-points will be always sent to Geolocation API server for fine-grained timezone detection.

If set to TimezoneAutomaticDetectionSendAllLocationInfo, timezone controls in chrome://settings will be disabled. Automatic timezone detection will be always on. Location information (such as WiFi access-points, reachable Cell Towers, GPS) will be sent to a server for fine-grained timezone detection.

If this policy is not set, it will behave as if TimezoneAutomaticDetectionUsersDecide is set.

If SystemTimezone policy is set, it overrides this policy. In this case automatic timezone detection is completely disabled.

0 = Let users decide
1 = Never auto-detect timezone
2 = Always use coarse timezone detection
3 = Always send WiFi access-points to server while resolving timezone
4 = Always send any available location signals to the server while resolving timezone

Example value:

0x00000000 (Windows)

SystemUse24HourClock

Use 24 hour clock by default

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SystemUse24HourClock

Supported on:

Google Chrome OS (Google Chrome OS) since version 30

Supported features:

Dynamic Policy Refresh: Yes

Description:

Specifies the clock format be used for the device.

This policy configures the clock format to use on the login screen and as a default for user sessions. Users can still override the clock format for their account.

If the policy is set to true, the device will use a 24 hour clock format. If the policy is set to false, the device will use 12 hour clock format.

If this policy is not set, the device will default to a 24 hour clock format.

Example value:

0x00000001 (Windows)

Default search provider

Configures the default search provider. You can specify the default search provider that the user will use or choose to disable default search.

DefaultSearchProviderEnabled

Enable the default search provider

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultSearchProviderEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultSearchProviderEnabled

Mac/Linux preference name:

DefaultSearchProviderEnabled

Android restriction name:

DefaultSearchProviderEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables the use of a default search provider.

If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL.

You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider.

If you disable this setting, no search is performed when the user enters non-URL text in the omnibox.

If you enable or disable this setting, users cannot change or override this setting in Google Chrome.

If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list.

This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain. or Windows 10 Pro or Enterprise instances that enrolled for device management.

Example value:

0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : DefaultSearchProvider

DefaultSearchProviderName

Default search provider name

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultSearchProviderName

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultSearchProviderName

Mac/Linux preference name:

DefaultSearchProviderName

Android restriction name:

DefaultSearchProviderName

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies the name of the default search provider. If left empty or not set, the host name specified by the search URL will be used.

This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled.

Example value:

"My Intranet Search"

DefaultSearchProviderKeyword

Default search provider keyword

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultSearchProviderKeyword

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultSearchProviderKeyword

Mac/Linux preference name:

DefaultSearchProviderKeyword

Android restriction name:

DefaultSearchProviderKeyword

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies the keyword, which is the shortcut used in the omnibox to trigger the search for this provider.

This policy is optional. If not set, no keyword will activate the search provider.

This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled.

Example value:

"mis"

DefaultSearchProviderSearchURL

Default search provider search URL

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultSearchProviderSearchURL

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultSearchProviderSearchURL

Mac/Linux preference name:

DefaultSearchProviderSearchURL

Android restriction name:

DefaultSearchProviderSearchURL

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for.

Google's search URL can be specified as: '{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}'.

This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case.

Example value:

"https://search.my.company/search?q={searchTerms}"

DefaultSearchProviderSuggestURL

Default search provider suggest URL

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultSearchProviderSuggestURL

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultSearchProviderSuggestURL

Mac/Linux preference name:

DefaultSearchProviderSuggestURL

Android restriction name:

DefaultSearchProviderSuggestURL

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies the URL of the search engine used to provide search suggestions. The URL should contain the string '{searchTerms}', which will be replaced at query time by the text the user has entered so far.

This policy is optional. If not set, no suggest URL will be used.

Google's suggest URL can be specified as: '{google:baseURL}complete/search?output=chrome&q={searchTerms}'.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

Example value:

"https://search.my.company/suggest?q={searchTerms}"

DefaultSearchProviderIconURL

Default search provider icon

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultSearchProviderIconURL

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultSearchProviderIconURL

Mac/Linux preference name:

DefaultSearchProviderIconURL

Android restriction name:

DefaultSearchProviderIconURL

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies the favorite icon URL of the default search provider.

This policy is optional. If not set, no icon will be present for the search provider.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

Example value:

"https://search.my.company/favicon.ico"

DefaultSearchProviderEncodings

Default search provider encodings

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultSearchProviderEncodings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultSearchProviderEncodings

Mac/Linux preference name:

DefaultSearchProviderEncodings

Android restriction name:

DefaultSearchProviderEncodings

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies the character encodings supported by the search provider. Encodings are code page names like UTF-8, GB2312, and ISO-8859-1. They are tried in the order provided.

This policy is optional. If not set, the default will be used which is UTF-8.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\DefaultSearchProviderEncodings\1 = "UTF-8" Software\Policies\Google\Chrome\DefaultSearchProviderEncodings\2 = "UTF-16" Software\Policies\Google\Chrome\DefaultSearchProviderEncodings\3 = "GB2312" Software\Policies\Google\Chrome\DefaultSearchProviderEncodings\4 = "ISO-8859-1"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DefaultSearchProviderEncodings\1 = "UTF-8" Software\Policies\Google\ChromeOS\DefaultSearchProviderEncodings\2 = "UTF-16" Software\Policies\Google\ChromeOS\DefaultSearchProviderEncodings\3 = "GB2312" Software\Policies\Google\ChromeOS\DefaultSearchProviderEncodings\4 = "ISO-8859-1"
Android/Linux:: [ "UTF-8", "UTF-16", "GB2312", "ISO-8859-1" ]
Mac:: <array> <string>UTF-8</string> <string>UTF-16</string> <string>GB2312</string> <string>ISO-8859-1</string> </array>

DefaultSearchProviderAlternateURLs

List of alternate URLs for the default search provider

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultSearchProviderAlternateURLs

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultSearchProviderAlternateURLs

Mac/Linux preference name:

DefaultSearchProviderAlternateURLs

Android restriction name:

DefaultSearchProviderAlternateURLs

Supported on:

Google Chrome (Linux, Mac, Windows) since version 24
Google Chrome OS (Google Chrome OS) since version 24
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies a list of alternate URLs that can be used to extract search terms from the search engine. The URLs should contain the string '{searchTerms}', which will be used to extract the search terms.

This policy is optional. If not set, no alternate urls will be used to extract search terms.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\DefaultSearchProviderAlternateURLs\1 = "https://search.my.company/suggest#q={searchTerms}" Software\Policies\Google\Chrome\DefaultSearchProviderAlternateURLs\2 = "https://search.my.company/suggest/search#q={searchTerms}"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DefaultSearchProviderAlternateURLs\1 = "https://search.my.company/suggest#q={searchTerms}" Software\Policies\Google\ChromeOS\DefaultSearchProviderAlternateURLs\2 = "https://search.my.company/suggest/search#q={searchTerms}"
Android/Linux:: [ "https://search.my.company/suggest#q={searchTerms}", "https://search.my.company/suggest/search#q={searchTerms}" ]
Mac:: <array> <string>https://search.my.company/suggest#q={searchTerms}</string> <string>https://search.my.company/suggest/search#q={searchTerms}</string> </array>

DefaultSearchProviderImageURL

Parameter providing search-by-image feature for the default search provider

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultSearchProviderImageURL

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultSearchProviderImageURL

Mac/Linux preference name:

DefaultSearchProviderImageURL

Android restriction name:

DefaultSearchProviderImageURL

Supported on:

Google Chrome (Linux, Mac, Windows) since version 29
Google Chrome OS (Google Chrome OS) since version 29
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies the URL of the search engine used to provide image search. Search requests will be sent using the GET method. If the DefaultSearchProviderImageURLPostParams policy is set then image search requests will use the POST method instead.

This policy is optional. If not set, no image search will be used.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

Example value:

"https://search.my.company/searchbyimage/upload"

DefaultSearchProviderNewTabURL

Default search provider new tab page URL

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultSearchProviderNewTabURL

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultSearchProviderNewTabURL

Mac/Linux preference name:

DefaultSearchProviderNewTabURL

Android restriction name:

DefaultSearchProviderNewTabURL

Supported on:

Google Chrome (Linux, Mac, Windows) since version 30
Google Chrome OS (Google Chrome OS) since version 30
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies the URL that a search engine uses to provide a new tab page.

This policy is optional. If not set, no new tab page will be provided.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

Example value:

"https://search.my.company/newtab"

DefaultSearchProviderSearchURLPostParams

Parameters for search URL which uses POST

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultSearchProviderSearchURLPostParams

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultSearchProviderSearchURLPostParams

Mac/Linux preference name:

DefaultSearchProviderSearchURLPostParams

Android restriction name:

DefaultSearchProviderSearchURLPostParams

Supported on:

Google Chrome (Linux, Mac, Windows) since version 29
Google Chrome OS (Google Chrome OS) since version 29
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies the parameters used when searching a URL with POST. It consists of comma-separated name/value pairs. If a value is a template parameter, like {searchTerms} in above example, it will be replaced with real search terms data.

This policy is optional. If not set, search request will be sent using the GET method.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

Example value:

"q={searchTerms},ie=utf-8,oe=utf-8"

DefaultSearchProviderSuggestURLPostParams

Parameters for suggest URL which uses POST

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultSearchProviderSuggestURLPostParams

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultSearchProviderSuggestURLPostParams

Mac/Linux preference name:

DefaultSearchProviderSuggestURLPostParams

Android restriction name:

DefaultSearchProviderSuggestURLPostParams

Supported on:

Google Chrome (Linux, Mac, Windows) since version 29
Google Chrome OS (Google Chrome OS) since version 29
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies the parameters used when doing suggestion search with POST. It consists of comma-separated name/value pairs. If a value is a template parameter, like {searchTerms} in above example, it will be replaced with real search terms data.

This policy is optional. If not set, suggest search request will be sent using the GET method.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

Example value:

"q={searchTerms},ie=utf-8,oe=utf-8"

DefaultSearchProviderImageURLPostParams

Parameters for image URL which uses POST

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultSearchProviderImageURLPostParams

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultSearchProviderImageURLPostParams

Mac/Linux preference name:

DefaultSearchProviderImageURLPostParams

Android restriction name:

DefaultSearchProviderImageURLPostParams

Supported on:

Google Chrome (Linux, Mac, Windows) since version 29
Google Chrome OS (Google Chrome OS) since version 29
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies the parameters used when doing image search with POST. It consists of comma-separated name/value pairs. If a value is a template parameter, like {imageThumbnail} in above example, it will be replaced with real image thumbnail data.

This policy is optional. If not set, image search request will be sent using the GET method.

This policy is only respected if the 'DefaultSearchProviderEnabled' policy is enabled.

Example value:

"content={imageThumbnail},url={imageURL},sbisrc={SearchSource}"

Device update settings

Controls how and when Chrome OS updates are applied.

ChromeOsReleaseChannel

Release channel

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ChromeOsReleaseChannel

Supported on:

Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Dynamic Policy Refresh: Yes

Description:

Specifies the release channel that this device should be locked to.

"stable-channel" = Stable channel
"beta-channel" = Beta channel
"dev-channel" = Dev channel (may be unstable)

Example value:

"stable-channel"

ChromeOsReleaseChannelDelegated

Users may configure the Chrome OS release channel

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ChromeOsReleaseChannelDelegated

Supported on:

Google Chrome OS (Google Chrome OS) since version 19

Supported features:

Dynamic Policy Refresh: Yes

Description:

If this policy is set to True and the ChromeOsReleaseChannel policy is not specified then users of the enrolling domain will be allowed to change the release channel of the device. If this policy is set to false the device will be locked in whatever channel it was last set.

The user selected channel will be overridden by the ChromeOsReleaseChannel policy, but if the policy channel is more stable than the one that was installed on the device, then the channel will only switch after the version of the more stable channel reaches a higher version number than the one installed on the device.

Example value:

0x00000000 (Windows)

DeviceAutoUpdateDisabled

Disable Auto Update

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceAutoUpdateDisabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 19

Supported features:

Dynamic Policy Refresh: Yes

Description:

Disables automatic updates when set to True.

Google Chrome OS devices automatically check for updates when this setting is not configured or set to False.

Warning: It is recommended to keep auto-updates enabled so that users receive software updates and critical security fixes. Turning off auto-updates might leave users at risk.

Example value:

0x00000001 (Windows)

DeviceAutoUpdateP2PEnabled

Auto update p2p enabled

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceAutoUpdateP2PEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 31

Supported features:

Dynamic Policy Refresh: Yes

Description:

Specifies whether p2p is to be used for OS update payloads. If set to True, devices will share and attempt to consume update payloads on the LAN, potentially reducing Internet bandwidth usage and congestion. If the update payload is not available on the LAN, the device will fall back to downloading from an update server. If set to False or not configured, p2p will not be used.

Example value:

0x00000000 (Windows)

DeviceAutoUpdateTimeRestrictions

Update Time Restrictions

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceAutoUpdateTimeRestrictions

Supported on:

Google Chrome OS (Google Chrome OS) since version 69

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

This policy controls the time frames during which the Google Chrome OS device is not allowed to check for updates automatically. When this policy is set to a non-empty list of time intervals: Devices will not be able to check for updates automatically during the specified time intervals. Devices that require a rollback or are below the minimum Google Chrome OS version will not be affected by this policy due to potential security issues. Furthermore, this policy will not block update checks requested by users or administrators. When this policy is unset or contains no time intervals: No automatic update checks will be blocked by this policy, but they may be blocked by other policies. This feature is only enabled on Chrome devices configured as auto-launch kiosks. Other devices will not be restricted by this policy.

Schema:

{ "items": { "description": "Time interval that spans at most one week. If the start time is later than the end time, then the interval will wrap around.", "properties": { "end": { "$ref": "DisallowedTimeInterval", "description": "End of the interval, exclusive." }, "start": { "description": "Start time of the interval, inclusive.", "id": "DisallowedTimeInterval", "properties": { "day_of_week": { "description": "Day of the week for the interval.", "enum": [ "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday" ], "type": "string" }, "hours": { "description": "Hours elapsed since the start of the day in (24 hour format).", "maximum": 23, "minimum": 0, "type": "integer" }, "minutes": { "description": "Minutes elapsed in the current hour.", "maximum": 59, "minimum": 0, "type": "integer" } }, "required": [ "day_of_week", "minutes", "hours" ], "type": "object" } }, "required": [ "start", "end" ], "type": "object" }, "type": "array" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceAutoUpdateTimeRestrictions = [ { "end": { "day_of_week": "Thursday", "hours": 2, "minutes": 30 }, "start": { "day_of_week": "Monday", "hours": 3, "minutes": 50 } }, { "end": { "day_of_week": "Sunday", "hours": 15, "minutes": 10 }, "start": { "day_of_week": "Thursday", "hours": 3, "minutes": 30 } } ]

DeviceTargetVersionPrefix

Target Auto Update Version

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceTargetVersionPrefix

Supported on:

Google Chrome OS (Google Chrome OS) since version 19

Supported features:

Dynamic Policy Refresh: Yes

Description:

Sets a target version for Auto Updates.

Specifies the prefix of a target version Google Chrome OS should update to. If the device is running a version that's before the specified prefix, it will update to the latest version with the given prefix. If the device is already on a later version, effects depend on the value of DeviceRollbackToTargetVersion. The prefix format works component-wise as is demonstrated in the following example:

"" (or not configured): update to latest version available. "1412.": update to any minor version of 1412 (e.g. 1412.24.34 or 1412.60.2) "1412.2.": update to any minor version of 1412.2 (e.g. 1412.2.34 or 1412.2.2) "1412.24.34": update to this specific version only

Warning: It is not recommended to configure version restrictions as they may prevent users from receiving software updates and critical security fixes. Restricting updates to a specific version prefix might leave users at risk.

Example value:

"1412."

DeviceUpdateStagingSchedule

The staging schedule for applying a new update

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceUpdateStagingSchedule

Supported on:

Google Chrome OS (Google Chrome OS) since version 69

Supported features:

Dynamic Policy Refresh: Yes

Description:

This policy defines a list of percentages that will define the fraction of Google Chrome OS devices in the OU to update per day starting from the day the update is first discovered. The discovery time is later than the update published time, since it could be a while after the update publishing until the device checks for updates.

Each (day, percentage) pair contains which percentage of the fleet has to be updated by the given number of days since the update has been discovered. For example, if we have the pairs [(4, 40), (10, 70), (15, 100)], then 40% of the fleet should have been updated 4 days after seeing the update. 70% should be updated after 10 days, and so on.

If there is a value defined for this policy, updates will ignore the DeviceUpdateScatterFactor policy and follow this policy instead.

If this list is empty, there will be no staging and updates will be applied according to other device policies.

This policy does not apply for channel switches.

Schema:

{ "items": { "description": "Contains the number of days and the percentage of the fleet that should be updated after those days have passed.", "id": "DayPercentagePair", "properties": { "days": { "description": "Days from update discovery.", "maximum": 28, "minimum": 1, "type": "integer" }, "percentage": { "description": "Percentage of the fleet that should be updated after the given days.", "maximum": 100, "minimum": 0, "type": "integer" } }, "type": "object" }, "type": "array" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceUpdateStagingSchedule = [ { "days": 7, "percentage": 50 }, { "days": 10, "percentage": 100 } ]

DeviceUpdateScatterFactor

Auto update scatter factor

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceUpdateScatterFactor

Supported on:

Google Chrome OS (Google Chrome OS) since version 20

Supported features:

Dynamic Policy Refresh: Yes

Description:

Specifies the number of seconds up to which a device may randomly delay its download of an update from the time the update was first pushed out to the server. The device may wait a portion of this time in terms of wall-clock-time and the remaining portion in terms of the number of update checks. In any case, the scatter is upper bounded to a constant amount of time so that a device does not ever get stuck waiting to download an update forever.

Example value:

0x00001c20 (Windows)

DeviceUpdateAllowedConnectionTypes

Connection types allowed for updates

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceUpdateAllowedConnectionTypes

Supported on:

Google Chrome OS (Google Chrome OS) since version 21

Supported features:

Dynamic Policy Refresh: Yes

Description:

The types of connections that are allowed to use for OS updates. OS updates potentially put heavy strain on the connection due to their size and may incur additional cost. Therefore, they are by default not enabled for connection types that are considered expensive, which include WiMax, Bluetooth and Cellular at the moment.

The recognized connection type identifiers are "ethernet", "wifi", "wimax", "bluetooth" and "cellular".

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceUpdateAllowedConnectionTypes\1 = "ethernet"

DeviceUpdateHttpDownloadsEnabled

Allow autoupdate downloads via HTTP

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceUpdateHttpDownloadsEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Dynamic Policy Refresh: Yes

Description:

Auto-update payloads on Google Chrome OS can be downloaded via HTTP instead of HTTPS. This allows transparent HTTP caching of HTTP downloads.

If this policy is set to true, Google Chrome OS will attempt to download auto-update payloads via HTTP. If the policy is set to false or not set, HTTPS will be used for downloading auto-update payloads.

Example value:

0x00000001 (Windows)

RebootAfterUpdate

Automatically reboot after update

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RebootAfterUpdate

Supported on:

Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Dynamic Policy Refresh: Yes

Description:

Schedule an automatic reboot after a Google Chrome OS update has been applied.

When this policy is set to true, an automatic reboot is scheduled when a Google Chrome OS update has been applied and a reboot is required to complete the update process. The reboot is scheduled immediately but may be delayed on the device by up to 24 hours if a user is currently using the device.

When this policy is set to false, no automatic reboot is scheduled after applying a Google Chrome OS update. The update process is completed when the user next reboots the device.

If you set this policy, users cannot change or override it.

Note: Currently, automatic reboots are only enabled while the login screen is being shown or a kiosk app session is in progress. This will change in the future and the policy will always apply, regardless of whether a session of any particular type is in progress or not.

Example value:

0x00000001 (Windows)

MinimumRequiredChromeVersion

Configure minimum allowed Chrome version for the device.

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\MinimumRequiredChromeVersion

Supported on:

Google Chrome OS (Google Chrome OS) since version 64

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Configures the requirement of the minimum allowed version of Google Chrome. Versions below given are treated as obsolete and device would not allow user sign in before OS is updated. If current version becomes obsolete during user session, user will be forcefully signed out.

If this policy is not set, no restrictions are applied, and user can sign regardless of Google Chrome version.

Here "Version" can be either an exact version like '61.0.3163.120' or a version prefix, like '61.0'

Example value:

"61.0.3163.120"

DeviceRollbackToTargetVersion

Rollback to target version

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceRollbackToTargetVersion

Supported on:

Google Chrome OS (Google Chrome OS) since version 67

Supported features:

Dynamic Policy Refresh: Yes

Description:

Specifies whether the device should roll back to the version set by DeviceTargetVersionPrefix if it's already running a later version.

Default is RollbackDisabled.

1 = Do not roll back to target version if OS version is newer than target. Updates are also disabled.
2 = Roll back and stay on target version if OS version is newer than target. Do a powerwash during the process.
3 = Roll back and stay on target version if OS version is newer than target. Try to carry over device-level configuration (including network credentials) through the rollback process, if possible, but do the rollback with full powerwash even if restoring the data is not possible (because the target version doesn't support restoring data or because of a backward-incompatible change). Supported on Google Chrome OS version 75 and higher. For older clients, this value means that rollback is disabled.

Example value:

0x00000001 (Windows)

DeviceRollbackAllowedMilestones

Number of milestones rollback is allowed

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceRollbackAllowedMilestones

Supported on:

Google Chrome OS (Google Chrome OS) since version 67

Supported features:

Dynamic Policy Refresh: Yes

Description:

Specifies the minimum number of Google Chrome OS milestones rollback should be allowed starting from the stable version at any time.

Default is 0 for consumer, 4 (approx. half a year) for enterprise enrolled devices.

Setting this policy prevents rollback protection to apply for at least this number of milestones.

Setting this policy to a lower value has a permanent effect: the device MAY not be able to roll back to earlier versions even after the policy is reset to a larger value.

Actual rollback possibilities may also depend on the board and critical vulnerability patches.

Restrictions:

Minimum:0
Maximum:4

Example value:

0x00000004 (Windows)

DeviceQuickFixBuildToken

Provide users with Quick Fix Build

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceQuickFixBuildToken

Supported on:

Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

This policy controls whether or not the device should be updated to a Quick Fix Build.

If policy value is set to a token that maps to a Quick Fix Build, the device will be updated to the corresponding Quick Fix Build if the update is not blocked by another policy.

If this policy is not set, or if its value does not map to a Quick Fix Build, then the device won't be updated to a Quick Fix Build. If the device is already running a Quick Fix Build and the policy is not set anymore or its value does not map to a Quick Fix Build anymore, then the device will be updated to a regular build if the update is not blocked by another policy.

Example value:

"sometoken"

Display

Controls display settings.

DeviceDisplayResolution

Set display resolution and scale factor

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceDisplayResolution

Supported on:

Google Chrome OS (Google Chrome OS) since version 72

Supported features:

Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: No

Description:

When this policy is set, resolution and scale factor of each display are set to the specified values. External display settings are applied to all connected external displays.

Values of "external_width" and "external_height" should be specified in pixels. Values of "external_scale_percentage" and "internal_scale_percentage" should be specified in percents.

If "external_use_native" is set to true, policy will ignore values of "external_height" and "external_width" and set resolution of the external displays to their native resolution.

If "external_use_native" is false or not provided and either "external_height" or "external_width" is not provided, policy doesn't affect the external display settings. If specified resolution or scale factor is not supported by some display, policy is not applied to that display.

If "recommended" flag is set to true, users may change resolution and scale factor of any display via the settings page after logging in, but their settings will be overriden by the policy value at the next reboot. If "recommended" flag is set to false or not set, users can't change the display settings.

Schema:

{ "properties": { "external_height": { "minimum": 1, "type": "integer" }, "external_scale_percentage": { "minimum": 1, "type": "integer" }, "external_use_native": { "type": "boolean" }, "external_width": { "minimum": 1, "type": "integer" }, "internal_scale_percentage": { "minimum": 1, "type": "integer" }, "recommended": { "type": "boolean" } }, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceDisplayResolution = { "external_height": 1080, "external_scale_percentage": 100, "external_use_native": false, "external_width": 1920, "internal_scale_percentage": 150, "recommended": true }

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : Display

DisplayRotationDefault

Set default display rotation, reapplied on every reboot

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DisplayRotationDefault

Supported on:

Google Chrome OS (Google Chrome OS) since version 48

Supported features:

Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this policy is set, each display is rotated to the specified orientation on every reboot, and the first time it is connected after the policy value has changed. Users may change the display rotation via the settings page after logging in, but their setting will be overridden by the policy value at the next reboot.

This policy applies to both the primary and all secondary displays.

If the policy is not set, the default value is 0 degrees and the user is free to change it. In this case, the default value is not reapplied at restart.

0 = Rotate screen by 0 degrees
1 = Rotate screen clockwise by 90 degrees
2 = Rotate screen by 180 degrees
3 = Rotate screen clockwise by 270 degrees

Example value:

0x00000001 (Windows)

Extensions

Configures extension-related policies. The user is not allowed to install blacklisted extensions unless they are whitelisted. You can also force Google Chrome to automatically install extensions by specifying them in ExtensionInstallForcelist. Force-installed extensions are installed regardless whether they are present in the blacklist.

ExtensionInstallBlacklist

Configure extension installation blacklist

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ExtensionInstallBlacklist

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ExtensionInstallBlacklist

Mac/Linux preference name:

ExtensionInstallBlacklist

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to specify which extensions the users can NOT install. Extensions already installed will be disabled if blacklisted, without a way for the user to enable them. Once an extension disabled due to the blacklist is removed from it, it will automatically get re-enabled.

A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist.

If this policy is left not set the user can install any extension in Google Chrome.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\ExtensionInstallBlacklist\1 = "extension_id1" Software\Policies\Google\Chrome\ExtensionInstallBlacklist\2 = "extension_id2"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\ExtensionInstallBlacklist\1 = "extension_id1" Software\Policies\Google\ChromeOS\ExtensionInstallBlacklist\2 = "extension_id2"
Android/Linux:: [ "extension_id1", "extension_id2" ]
Mac:: <array> <string>extension_id1</string> <string>extension_id2</string> </array>

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : Extensions

ExtensionInstallWhitelist

Configure extension installation whitelist

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ExtensionInstallWhitelist

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ExtensionInstallWhitelist

Mac/Linux preference name:

ExtensionInstallWhitelist

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to specify which extensions are not subject to the blacklist.

A blacklist value of * means all extensions are blacklisted and users can only install extensions listed in the whitelist.

By default, all extensions are whitelisted, but if all extensions have been blacklisted by policy, the whitelist can be used to override that policy.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\ExtensionInstallWhitelist\1 = "extension_id1" Software\Policies\Google\Chrome\ExtensionInstallWhitelist\2 = "extension_id2"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\ExtensionInstallWhitelist\1 = "extension_id1" Software\Policies\Google\ChromeOS\ExtensionInstallWhitelist\2 = "extension_id2"
Android/Linux:: [ "extension_id1", "extension_id2" ]
Mac:: <array> <string>extension_id1</string> <string>extension_id2</string> </array>

ExtensionInstallForcelist

Configure the list of force-installed apps and extensions

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ExtensionInstallForcelist

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ExtensionInstallForcelist

Mac/Linux preference name:

ExtensionInstallForcelist

Supported on:

Google Chrome (Linux, Mac, Windows) since version 9
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled nor disabled by the user. All permissions requested by the apps/extensions are granted implicitly, without user interaction, including any additional permissions requested by future versions of the app/extension. Furthermore, permissions are granted for the enterprise.deviceAttributes and enterprise.platformKeys extension APIs. (These two APIs are not available to apps/extensions that are not force-installed.)

This policy takes precedence over a potentially conflicting ExtensionInstallBlacklist policy. If an app or extension that previously had been force-installed is removed from this list, it is automatically uninstalled by Google Chrome.

For Windows instances that are not joined to a Microsoft® Active Directory® domain, forced installation is limited to apps and extensions listed in the Chrome Web Store.

Note that the source code of any extension may be altered by users via Developer Tools (potentially rendering the extension dysfunctional). If this is a concern, the DeveloperToolsDisabled policy should be set.

Each list item of the policy is a string that contains an extension ID and, optionally, an "update" URL separated by a semicolon (;). The extension ID is the 32-letter string found e.g. on chrome://extensions when in developer mode. The "update" URL, if specified, should point to an Update Manifest XML document as described at https://developer.chrome.com/extensions/autoupdate. By default, the Chrome Web Store's update URL is used (which currently is "https://clients2.google.com/service/update2/crx"). Note that the "update" URL set in this policy is only used for the initial installation; subsequent updates of the extension employ the update URL indicated in the extension's manifest. Note also that specifying the "update" URL explicitly was mandatory in Google Chrome versions up to and including 67.

For example, aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx installs the extension with id aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa from the standard Chrome Web Store "update" URL. For more information about hosting extensions, see: https://developer.chrome.com/extensions/hosting.

If this policy is left not set, no apps or extensions are installed automatically and the user can uninstall any app or extension in Google Chrome.

Note that this policy doesn't apply to incognito mode.

Note for Google Chrome OS devices supporting Android apps:

Android apps can be force-installed from the Google Admin console using Google Play. They do not use this policy.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\ExtensionInstallForcelist\1 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx" Software\Policies\Google\Chrome\ExtensionInstallForcelist\2 = "abcdefghijklmnopabcdefghijklmnop"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\ExtensionInstallForcelist\1 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx" Software\Policies\Google\ChromeOS\ExtensionInstallForcelist\2 = "abcdefghijklmnopabcdefghijklmnop"
Android/Linux:: [ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx", "abcdefghijklmnopabcdefghijklmnop" ]
Mac:: <array> <string>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx</string> <string>abcdefghijklmnopabcdefghijklmnop</string> </array>

ExtensionInstallSources

Configure extension, app, and user script install sources

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ExtensionInstallSources

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ExtensionInstallSources

Mac/Linux preference name:

ExtensionInstallSources

Supported on:

Google Chrome (Linux, Mac, Windows) since version 21
Google Chrome OS (Google Chrome OS) since version 21

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to specify which URLs are allowed to install extensions, apps, and themes.

Starting in Google Chrome 21, it is more difficult to install extensions, apps, and user scripts from outside the Chrome Web Store. Previously, users could click on a link to a *.crx file, and Google Chrome would offer to install the file after a few warnings. After Google Chrome 21, such files must be downloaded and dragged onto the Google Chrome settings page. This setting allows specific URLs to have the old, easier installation flow.

Each item in this list is an extension-style match pattern (see https://developer.chrome.com/extensions/match_patterns). Users will be able to easily install items from any URL that matches an item in this list. Both the location of the *.crx file and the page where the download is started from (i.e. the referrer) must be allowed by these patterns.

ExtensionInstallBlacklist takes precedence over this policy. That is, an extension on the blacklist won't be installed, even if it happens from a site on this list.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\ExtensionInstallSources\1 = "https://corp.mycompany.com/*"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\ExtensionInstallSources\1 = "https://corp.mycompany.com/*"
Android/Linux:: [ "https://corp.mycompany.com/*" ]
Mac:: <array> <string>https://corp.mycompany.com/*</string> </array>

ExtensionAllowedTypes

Configure allowed app/extension types

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ExtensionAllowedTypes

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ExtensionAllowedTypes

Mac/Linux preference name:

ExtensionAllowedTypes

Supported on:

Google Chrome (Linux, Mac, Windows) since version 25
Google Chrome OS (Google Chrome OS) since version 25

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Controls which app/extension types are allowed to be installed and limits runtime access.

This setting white-lists the allowed types of extension/apps that can be installed in Google Chrome and which hosts they can interact with. The value is a list of strings, each of which should be one of the following: "extension", "theme", "user_script", "hosted_app", "legacy_packaged_app", "platform_app". See the Google Chrome extensions documentation for more information on these types.

Note that this policy also affects extensions and apps to be force-installed via ExtensionInstallForcelist.

If this setting is configured, extensions/apps which have a type that is not on the list will not be installed.

If this settings is left not-configured, no restrictions on the acceptable extension/app types are enforced.

Prior to version 75 using multiple comma separated extension IDs is not supported and will be skipped. The rest of the policy will continue to apply.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\ExtensionAllowedTypes\1 = "hosted_app"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\ExtensionAllowedTypes\1 = "hosted_app"
Android/Linux:: [ "hosted_app" ]
Mac:: <array> <string>hosted_app</string> </array>

ExtensionAllowInsecureUpdates

Allow insecure algorithms in integrity checks on extension updates and installs

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ExtensionAllowInsecureUpdates

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ExtensionAllowInsecureUpdates

Mac/Linux preference name:

ExtensionAllowInsecureUpdates

Supported on:

Google Chrome (Linux, Mac, Windows) since version 73
Google Chrome OS (Google Chrome OS) since version 73

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Google Chrome provides for the secure update and installation of extensions. However, the content of some extensions hosted outside of the Chrome Web Store may only be protected by insecure signing or hashing algorithms such as SHA1. When this policy is disabled, fresh installation of and updates to such extensions will not be permitted by Chrome (until the extension developers rebuild the extension with stronger algorithms). When this policy is enabled, installation and updates for such extensions will be permitted.

This will default to the enabled behavior when unset. Starting in Google Chrome 76, this will default to the disabled behavior when unset.

Starting in Google Chrome 78, this policy will be ignored and treated as disabled.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

ExtensionSettings

Extension management settings

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ExtensionSettings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ExtensionSettings

Mac/Linux preference name:

ExtensionSettings

Supported on:

Google Chrome (Linux, Mac, Windows) since version 62
Google Chrome OS (Google Chrome OS) since version 62

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Configures extension management settings for Google Chrome.

This policy controls multiple settings, including settings controlled by any existing extension-related policies. This policy will override any legacy policies if both are set.

This policy maps an extension ID or an update URL to its configuration. With an extension ID, configuration will be applied to the specified extension only. A default configuration can be set for the special ID "*", which will apply to all extensions that don't have a custom configuration set in this policy. With an update URL, configuration will be applied to all extensions with the exact update URL stated in manifest of this extension, as described at https://developer.chrome.com/extensions/autoupdate.

For Windows instances that are not joined to a Microsoft® Active Directory® domain, forced installation is limited to apps and extensions listed in the Chrome Web Store.

Schema:

{ "patternProperties": { "^[a-p]{32}(?:,[a-p]{32})*,?$": { "properties": { "allowed_permissions": { "$ref": "ListOfPermissions" }, "blocked_install_message": { "description": "text that will be displayed to the user in the chrome webstore if installation is blocked.", "type": "string" }, "blocked_permissions": { "id": "ListOfPermissions", "items": { "pattern": "^[a-z][a-zA-Z.]*$", "type": "string" }, "type": "array" }, "installation_mode": { "enum": [ "blocked", "allowed", "force_installed", "normal_installed", "removed" ], "type": "string" }, "minimum_version_required": { "pattern": "^[0-9]+([.][0-9]+)*$", "type": "string" }, "runtime_allowed_hosts": { "$ref": "ListOfUrlPatterns" }, "runtime_blocked_hosts": { "id": "ListOfUrlPatterns", "items": { "type": "string" }, "type": "array" }, "update_url": { "type": "string" } }, "type": "object" }, "^update_url:": { "properties": { "allowed_permissions": { "$ref": "ListOfPermissions" }, "blocked_permissions": { "$ref": "ListOfPermissions" }, "installation_mode": { "enum": [ "blocked", "allowed", "removed" ], "type": "string" } }, "type": "object" } }, "properties": { "*": { "properties": { "allowed_types": { "$ref": "ExtensionAllowedTypes" }, "blocked_install_message": { "type": "string" }, "blocked_permissions": { "$ref": "ListOfPermissions" }, "install_sources": { "$ref": "ExtensionInstallSources" }, "installation_mode": { "enum": [ "blocked", "allowed", "removed" ], "type": "string" }, "runtime_allowed_hosts": { "$ref": "ListOfUrlPatterns" }, "runtime_blocked_hosts": { "$ref": "ListOfUrlPatterns" } }, "type": "object" } }, "type": "object" }

Expanded schema description:

https://www.chromium.org/administrators/policy-list-3/extension-settings-full

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\ExtensionSettings = { "*": { "allowed_types": [ "hosted_app" ], "blocked_install_message": "Custom error message.", "blocked_permissions": [ "downloads", "bookmarks" ], "install_sources": [ "https://company-intranet/chromeapps" ], "installation_mode": "blocked", "runtime_allowed_hosts": [ "*://good.example.com" ], "runtime_blocked_hosts": [ "*://*.example.com" ] }, "abcdefghijklmnopabcdefghijklmnop": { "blocked_permissions": [ "history" ], "installation_mode": "allowed", "minimum_version_required": "1.0.1" }, "bcdefghijklmnopabcdefghijklmnopa": { "allowed_permissions": [ "downloads" ], "installation_mode": "force_installed", "runtime_allowed_hosts": [ "*://good.example.com" ], "runtime_blocked_hosts": [ "*://*.example.com" ], "update_url": "https://example.com/update_url" }, "cdefghijklmnopabcdefghijklmnopab": { "blocked_install_message": "Custom error message.", "installation_mode": "blocked" }, "defghijklmnopabcdefghijklmnopabc,efghijklmnopabcdefghijklmnopabcd": { "blocked_install_message": "Custom error message.", "installation_mode": "blocked" }, "fghijklmnopabcdefghijklmnopabcde": { "blocked_install_message": "Custom removal message.", "installation_mode": "removed" }, "update_url:https://www.example.com/update.xml": { "allowed_permissions": [ "downloads" ], "blocked_permissions": [ "wallpaper" ], "installation_mode": "allowed" } }
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\ExtensionSettings = { "*": { "allowed_types": [ "hosted_app" ], "blocked_install_message": "Custom error message.", "blocked_permissions": [ "downloads", "bookmarks" ], "install_sources": [ "https://company-intranet/chromeapps" ], "installation_mode": "blocked", "runtime_allowed_hosts": [ "*://good.example.com" ], "runtime_blocked_hosts": [ "*://*.example.com" ] }, "abcdefghijklmnopabcdefghijklmnop": { "blocked_permissions": [ "history" ], "installation_mode": "allowed", "minimum_version_required": "1.0.1" }, "bcdefghijklmnopabcdefghijklmnopa": { "allowed_permissions": [ "downloads" ], "installation_mode": "force_installed", "runtime_allowed_hosts": [ "*://good.example.com" ], "runtime_blocked_hosts": [ "*://*.example.com" ], "update_url": "https://example.com/update_url" }, "cdefghijklmnopabcdefghijklmnopab": { "blocked_install_message": "Custom error message.", "installation_mode": "blocked" }, "defghijklmnopabcdefghijklmnopabc,efghijklmnopabcdefghijklmnopabcd": { "blocked_install_message": "Custom error message.", "installation_mode": "blocked" }, "fghijklmnopabcdefghijklmnopabcde": { "blocked_install_message": "Custom removal message.", "installation_mode": "removed" }, "update_url:https://www.example.com/update.xml": { "allowed_permissions": [ "downloads" ], "blocked_permissions": [ "wallpaper" ], "installation_mode": "allowed" } }
Android/Linux:: ExtensionSettings: { "*": { "allowed_types": [ "hosted_app" ], "blocked_install_message": "Custom error message.", "blocked_permissions": [ "downloads", "bookmarks" ], "install_sources": [ "https://company-intranet/chromeapps" ], "installation_mode": "blocked", "runtime_allowed_hosts": [ "*://good.example.com" ], "runtime_blocked_hosts": [ "*://*.example.com" ] }, "abcdefghijklmnopabcdefghijklmnop": { "blocked_permissions": [ "history" ], "installation_mode": "allowed", "minimum_version_required": "1.0.1" }, "bcdefghijklmnopabcdefghijklmnopa": { "allowed_permissions": [ "downloads" ], "installation_mode": "force_installed", "runtime_allowed_hosts": [ "*://good.example.com" ], "runtime_blocked_hosts": [ "*://*.example.com" ], "update_url": "https://example.com/update_url" }, "cdefghijklmnopabcdefghijklmnopab": { "blocked_install_message": "Custom error message.", "installation_mode": "blocked" }, "defghijklmnopabcdefghijklmnopabc,efghijklmnopabcdefghijklmnopabcd": { "blocked_install_message": "Custom error message.", "installation_mode": "blocked" }, "fghijklmnopabcdefghijklmnopabcde": { "blocked_install_message": "Custom removal message.", "installation_mode": "removed" }, "update_url:https://www.example.com/update.xml": { "allowed_permissions": [ "downloads" ], "blocked_permissions": [ "wallpaper" ], "installation_mode": "allowed" } }
Mac:: <key>ExtensionSettings</key> <dict> <key>*</key> <dict> <key>allowed_types</key> <array> <string>hosted_app</string> </array> <key>blocked_install_message</key> <string>Custom error message.</string> <key>blocked_permissions</key> <array> <string>downloads</string> <string>bookmarks</string> </array> <key>install_sources</key> <array> <string>https://company-intranet/chromeapps</string> </array> <key>installation_mode</key> <string>blocked</string> <key>runtime_allowed_hosts</key> <array> <string>*://good.example.com</string> </array> <key>runtime_blocked_hosts</key> <array> <string>*://*.example.com</string> </array> </dict> <key>abcdefghijklmnopabcdefghijklmnop</key> <dict> <key>blocked_permissions</key> <array> <string>history</string> </array> <key>installation_mode</key> <string>allowed</string> <key>minimum_version_required</key> <string>1.0.1</string> </dict> <key>bcdefghijklmnopabcdefghijklmnopa</key> <dict> <key>allowed_permissions</key> <array> <string>downloads</string> </array> <key>installation_mode</key> <string>force_installed</string> <key>runtime_allowed_hosts</key> <array> <string>*://good.example.com</string> </array> <key>runtime_blocked_hosts</key> <array> <string>*://*.example.com</string> </array> <key>update_url</key> <string>https://example.com/update_url</string> </dict> <key>cdefghijklmnopabcdefghijklmnopab</key> <dict> <key>blocked_install_message</key> <string>Custom error message.</string> <key>installation_mode</key> <string>blocked</string> </dict> <key>defghijklmnopabcdefghijklmnopabc,efghijklmnopabcdefghijklmnopabcd</key> <dict> <key>blocked_install_message</key> <string>Custom error message.</string> <key>installation_mode</key> <string>blocked</string> </dict> <key>fghijklmnopabcdefghijklmnopabcde</key> <dict> <key>blocked_install_message</key> <string>Custom removal message.</string> <key>installation_mode</key> <string>removed</string> </dict> <key>update_url:https://www.example.com/update.xml</key> <dict> <key>allowed_permissions</key> <array> <string>downloads</string> </array> <key>blocked_permissions</key> <array> <string>wallpaper</string> </array> <key>installation_mode</key> <string>allowed</string> </dict> </dict>

Google Assistant

Controls settings for Google Assistant.

VoiceInteractionContextEnabled

"Allow Google Assistant to access screen context"

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\VoiceInteractionContextEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 74

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy gives Google Assistant permission to access screen context and send the info to server. If the policy is enabled, Google Assistant will be allowed to access screen context. If the policy is disabled, Google Assistant will not be allowed to access screen context. If not set, users can decide whether to allow Google Assistant to access screen context or not

Example value:

0x00000001 (Windows)

VoiceInteractionHotwordEnabled

Allow Google Assistant to listen for the voice activation phrase

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\VoiceInteractionHotwordEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 74

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy gives Google Assistant permission to listen for the voice activation phrase.

If the policy is enabled, Google Assistant would listen for the voice activation phrase. If the policy is disabled, Google Assistant would not listen for the voice activation phrase. If the policy is not set, users can decide whether to allow Google Assistant to listen for the voice activation phrase.

Example value:

0x00000001 (Windows)

Google Cast

Configure policies for Google Cast, a feature that allows users to send the contents of tabs, sites or the desktop from the browser to remote displays and sound systems.

EnableMediaRouter

Enable Google Cast

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\EnableMediaRouter

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\EnableMediaRouter

Mac/Linux preference name:

EnableMediaRouter

Android restriction name:

EnableMediaRouter

Supported on:

Google Chrome (Linux, Mac, Windows) since version 52
Google Chrome OS (Google Chrome OS) since version 52
Google Chrome (Android) since version 52

Supported features:

Dynamic Policy Refresh: No, Per Profile: Yes

Description:

If this policy is set to true or is not set, Google Cast will be enabled, and users will be able to launch it from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the Cast toolbar icon.

If this policy set to false, Google Cast will be disabled.

Example value:

0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)

ShowCastIconInToolbar

Show the Google Cast toolbar icon

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ShowCastIconInToolbar

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ShowCastIconInToolbar

Mac/Linux preference name:

ShowCastIconInToolbar

Supported on:

Google Chrome (Linux, Mac, Windows) since version 58
Google Chrome OS (Google Chrome OS) since version 58

Supported features:

Dynamic Policy Refresh: No, Per Profile: Yes

Description:

If this policy is set to true, the Cast toolbar icon will always be shown on the toolbar or the overflow menu, and users will not be able to remove it.

If this policy is set to false or is not set, users will be able to pin or remove the icon via its contextual menu.

If the policy "EnableMediaRouter" is set to false, then this policy's value would have no effect, and the toolbar icon would not be shown.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

Google Drive

Configure Google Drive in Google Chrome OS.

DriveDisabled

Disable Drive in the Google Chrome OS Files app

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DriveDisabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 19

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Disables Google Drive syncing in the Google Chrome OS Files app when set to True. In that case, no data is uploaded to Google Drive.

If not set or set to False, then users will be able to transfer files to Google Drive.

Note for Google Chrome OS devices supporting Android apps:

This policy does not prevent the user from using the Android Google Drive app. If you want to prevent access to Google Drive, you should disallow installation of the Android Google Drive app as well.

Example value:

0x00000001 (Windows)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : Drive

DriveDisabledOverCellular

Disable Google Drive over cellular connections in the Google Chrome OS Files app

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DriveDisabledOverCellular

Supported on:

Google Chrome OS (Google Chrome OS) since version 19

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Disables Google Drive syncing in the Google Chrome OS Files app when using a cellular connection when set to True. In that case, data is only synced to Google Drive when connected via WiFi or Ethernet.

If not set or set to False, then users will be able to transfer files to Google Drive via cellular connections.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the Android Google Drive app. If you want to prevent use of Google Drive over cellular connections, you should disallow installation of the Android Google Drive app.

Example value:

0x00000001 (Windows)

HTTP authentication

Policies related to integrated HTTP authentication.

AuthSchemes

Supported authentication schemes

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AuthSchemes

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AuthSchemes

Mac/Linux preference name:

AuthSchemes

Android restriction name:

AuthSchemes

Supported on:

Google Chrome (Linux, Mac, Windows) since version 9
Google Chrome (Android) since version 46
Google Chrome OS (Google Chrome OS) since version 62

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

Specifies which HTTP authentication schemes are supported by Google Chrome.

Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas.

If this policy is left not set, all four schemes will be used.

Example value:

"basic,digest,ntlm,negotiate"

DisableAuthNegotiateCnameLookup

Disable CNAME lookup when negotiating Kerberos authentication

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DisableAuthNegotiateCnameLookup

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DisableAuthNegotiateCnameLookup

Mac/Linux preference name:

DisableAuthNegotiateCnameLookup

Android restriction name:

DisableAuthNegotiateCnameLookup

Supported on:

Google Chrome (Linux, Mac, Windows) since version 9
Google Chrome (Android) since version 46
Google Chrome OS (Google Chrome OS) since version 62

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

Specifies whether the generated Kerberos SPN is based on the canonical DNS name or the original name entered.

If you enable this setting, CNAME lookup will be skipped and the server name will be used as entered.

If you disable this setting or leave it not set, the canonical name of the server will be determined via CNAME lookup.

Example value:

0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)

EnableAuthNegotiatePort

Include non-standard port in Kerberos SPN

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\EnableAuthNegotiatePort

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\EnableAuthNegotiatePort

Mac/Linux preference name:

EnableAuthNegotiatePort

Supported on:

Google Chrome (Linux, Mac, Windows) since version 9
Google Chrome OS (Google Chrome OS) since version 62

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

Specifies whether the generated Kerberos SPN should include a non-standard port.

If you enable this setting, and a non-standard port (i.e., a port other than 80 or 443) is entered, it will be included in the generated Kerberos SPN.

If you disable this setting or leave it not set, the generated Kerberos SPN will not include a port in any case.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

AuthServerWhitelist

Authentication server whitelist

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AuthServerWhitelist

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AuthServerWhitelist

Mac/Linux preference name:

AuthServerWhitelist

Android restriction name:

AuthServerWhitelist

Android WebView restriction name:

com.android.browser:AuthServerWhitelist

Supported on:

Google Chrome (Linux, Mac, Windows) since version 9
Google Chrome (Android) since version 46
Android System WebView (Android) since version 49
Google Chrome OS (Google Chrome OS) since version 62

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

Specifies which servers should be whitelisted for integrated authentication. Integrated authentication is only enabled when Google Chrome receives an authentication challenge from a proxy or from a server which is in this permitted list.

Separate multiple server names with commas. Wildcards (*) are allowed.

If you leave this policy not set Google Chrome will try to detect if a server is on the Intranet and only then will it respond to IWA requests. If a server is detected as Internet then IWA requests from it will be ignored by Google Chrome.

Example value:

"*example.com,foobar.com,*baz"

AuthNegotiateDelegateWhitelist

Kerberos delegation server whitelist

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AuthNegotiateDelegateWhitelist

Mac/Linux preference name:

AuthNegotiateDelegateWhitelist

Android restriction name:

AuthNegotiateDelegateWhitelist

Supported on:

Google Chrome (Linux, Mac, Windows) since version 9
Google Chrome (Android) since version 46
Google Chrome OS (Google Chrome OS) since version 62

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

Servers that Google Chrome may delegate to.

Separate multiple server names with commas. Wildcards (*) are allowed.

If you leave this policy not set Google Chrome will not delegate user credentials even if a server is detected as Intranet.

Example value:

"foobar.example.com"

AuthNegotiateDelegateByKdcPolicy

Use KDC policy to delegate credentials.

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AuthNegotiateDelegateByKdcPolicy

Mac/Linux preference name:

AuthNegotiateDelegateByKdcPolicy

Supported on:

Google Chrome (Linux) since version 74
Google Chrome (Mac) since version 74
Google Chrome OS (Google Chrome OS) since version 74

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Controls whether approval by KDC policy is respected to decide whether to delegate Kerberos tickets.

If this policy is true, HTTP authentication respects approval by KDC policy, i.e. Chrome only delegates credentials if the KDC sets OK-AS-DELEGATE on a service ticket. Please see https://tools.ietf.org/html/rfc5896.html for more information. Service should also match 'AuthNegotiateDelegateWhitelist' policy.

If this policy is not set or set to false, KDC policy is ignored on supported platforms and 'AuthNegotiateDelegateWhitelist' policy only is respected.

On Windows KDC policy is always respected.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

GSSAPILibraryName

GSSAPI library name

Data type:

String

Mac/Linux preference name:

GSSAPILibraryName

Supported on:

Google Chrome (Linux) since version 9

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

Specifies which GSSAPI library to use for HTTP authentication. You can set either just a library name, or a full path.

If no setting is provided, Google Chrome will fall back to using a default library name.

Example value:

"libgssapi_krb5.so.2"

AuthAndroidNegotiateAccountType

Account type for HTTP Negotiate authentication

Data type:

String

Android restriction name:

AuthAndroidNegotiateAccountType

Android WebView restriction name:

com.android.browser:AuthAndroidNegotiateAccountType

Supported on:

Google Chrome (Android) since version 46
Android System WebView (Android) since version 49

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

Specifies the account type of the accounts provided by the Android authentication app that supports HTTP Negotiate authentication (e.g. Kerberos authentication). This information should be available from the supplier of the authentication app. For more details see https://goo.gl/hajyfN.

If no setting is provided, HTTP Negotiate authentication is disabled on Android.

Example value:

"com.example.spnego"

AllowCrossOriginAuthPrompt

Cross-origin HTTP Basic Auth prompts

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AllowCrossOriginAuthPrompt

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AllowCrossOriginAuthPrompt

Mac/Linux preference name:

AllowCrossOriginAuthPrompt

Supported on:

Google Chrome (Linux, Mac, Windows) since version 13
Google Chrome OS (Google Chrome OS) since version 62

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Controls whether third-party sub-content on a page is allowed to pop-up an HTTP Basic Auth dialog box.

Typically this is disabled as a phishing defense. If this policy is not set, this is disabled and third-party sub-content will not be allowed to pop up a HTTP Basic Auth dialog box.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

NtlmV2Enabled

Enable NTLMv2 authentication.

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\NtlmV2Enabled

Mac/Linux preference name:

NtlmV2Enabled

Android restriction name:

NtlmV2Enabled

Android WebView restriction name:

com.android.browser:NtlmV2Enabled

Supported on:

Google Chrome (Linux) since version 63
Google Chrome (Mac) since version 63
Google Chrome OS (Google Chrome OS) since version 63
Google Chrome (Android) since version 63
Android System WebView (Android) since version 63

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Controls whether NTLMv2 is enabled.

All recent versions of Samba and Windows servers support NTLMv2. This should only be disabled for backwards compatibility and reduces the security of authentication.

If this policy is not set, the default is true and NTLMv2 is enabled.

Example value:

0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)

Kiosk settings

Controls public session and kiosk account types.

DeviceLocalAccounts

Device-local accounts

Data type:

List of strings

Supported on:

Google Chrome OS (Google Chrome OS) since version 25

Supported features:

Dynamic Policy Refresh: Yes

Description:

Specifies the list of device-local accounts to be shown on the login screen.

Every list entry specifies an identifier, which is used internally to tell the different device-local accounts apart.

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : Kiosk

DeviceLocalAccountAutoLoginId

Device-local account for auto-login

Data type:

String

Supported on:

Google Chrome OS (Google Chrome OS) since version 26

Supported features:

Dynamic Policy Refresh: Yes

Description:

A device-local account to auto-login after a delay.

If this policy is set, the specified session will be automatically logged in after a period of time has elapsed at the login screen without user interaction. The device-local account must already be configured (see |DeviceLocalAccounts|).

If this policy is unset, there will be no auto-login.

DeviceLocalAccountAutoLoginDelay

Device-local account auto-login timer

Data type:

Integer

Supported on:

Google Chrome OS (Google Chrome OS) since version 26

Supported features:

Dynamic Policy Refresh: Yes

Description:

The device-local account auto-login delay.

If the |DeviceLocalAccountAutoLoginId| policy is unset, this policy has no effect. Otherwise:

If this policy is set, it determines the amount of time without user activity that should elapse before automatically logging into the device-local account specified by the |DeviceLocalAccountAutoLoginId| policy.

If this policy is unset, 0 milliseconds will be used as the timeout.

This policy is specified in milliseconds.

DeviceLocalAccountAutoLoginBailoutEnabled

Enable bailout keyboard shortcut for auto-login

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 28

Supported features:

Dynamic Policy Refresh: Yes

Description:

Enable bailout keyboard shortcut for auto-login.

If this policy is unset or set to True and a device-local account is configured for zero-delay auto-login, Google Chrome OS will honor the keyboard shortcut Ctrl+Alt+S for bypassing auto-login and showing the login screen.

If this policy is set to False, zero-delay auto-login (if configured) cannot be bypassed.

DeviceLocalAccountPromptForNetworkWhenOffline

Enable network configuration prompt when offline

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 33

Supported features:

Dynamic Policy Refresh: Yes

Description:

Enable network configuration prompt when offline.

If this policy is unset or set to True and a device-local account is configured for zero-delay auto-login and the device does not have access to the Internet, Google Chrome OS will show a network configuration prompt.

If this policy is set to False, an error message will be displayed instead of the network configuration prompt.

AllowKioskAppControlChromeVersion

Allow the auto launched with zero delay kiosk app to control Google Chrome OS version

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 51

Supported features:

Dynamic Policy Refresh: Yes

Description:

Whether to allow the auto launched with zero delay kiosk app to control Google Chrome OS version.

This policy controls whether to allow the auto launched with zero delay kiosk app to control Google Chrome OS version by declaring a required_platform_version in its manifest and use it as the auto update target version prefix.

If the policy is set to true, the value of required_platform_version manifest key of the auto launched with zero delay kiosk app is used as auto update target version prefix.

If the policy is not configured or set to false, the required_platform_version manifest key is ignored and auto update proceeds as normal.

Warning: It is not recommended to delegate control of the Google Chrome OS version to a kiosk app as it may prevent the device from receiving software updates and critical security fixes. Delegating control of the Google Chrome OS version might leave users at risk.

Note for Google Chrome OS devices supporting Android apps:

If the kiosk app is an Android app, it will have no control over the Google Chrome OS version, even if this policy is set to True.

Legacy Browser Support

Configure policies to switch between browsers. Configured websites will automatically open in another browser than Google Chrome.

AlternativeBrowserPath

Alternative browser to launch for configured websites.

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AlternativeBrowserPath

Mac/Linux preference name:

AlternativeBrowserPath

Supported on:

Google Chrome (Linux, Mac, Windows) since version 71

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy controls which command to use to open URLs in an alternative browser.

When this policy is left unset, a platform-specific default is used: Internet Explorer for Windows, or Safari for Mac OS X. On Linux, launching an alternative browser will fail when this is unset.

When this policy is set to one of ${ie}, ${firefox}, ${safari} or ${opera}, that browser will launch if it is installed. ${ie} is only available on Windows, and ${safari} is only available on Windows and Mac OS X.

When this policy is set to a file path, that file is used as an executable file.

Example value:

"${ie}"

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : BrowserSwitcher

AlternativeBrowserParameters

Command-line parameters for the alternative browser.

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AlternativeBrowserParameters

Mac/Linux preference name:

AlternativeBrowserParameters

Supported on:

Google Chrome (Linux, Mac, Windows) since version 71

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy controls command-line parameters to launch to the alternative browser.

When this policy is left unset, only the URL is passed as a command-line parameters.

When this policy is set to a list of strings, each string is passed to the alternative browser as a separate command-line parameters. On Windows, the parameters are joined with spaces. On Mac OS X and Linux, a parameter may contain spaces, and still be treated as a single parameter.

If an element contains ${url}, it gets replaced with the URL of the page to open.

If no element contains ${url}, the URL is appended at the end of the command line.

Environment variables are expanded. On Windows, %ABC% is replaced with the value of the ABC environment variable. On Mac OS X and Linux, ${ABC} is replaced with the value of the ABC environment variable.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\AlternativeBrowserParameters\1 = "-foreground" Software\Policies\Google\Chrome\AlternativeBrowserParameters\2 = "-new-window" Software\Policies\Google\Chrome\AlternativeBrowserParameters\3 = "${url}" Software\Policies\Google\Chrome\AlternativeBrowserParameters\4 = "-profile" Software\Policies\Google\Chrome\AlternativeBrowserParameters\5 = "%HOME%\browser_profile"
Android/Linux:: [ "-foreground", "-new-window", "${url}", "-profile", "%HOME%\browser_profile" ]
Mac:: <array> <string>-foreground</string> <string>-new-window</string> <string>${url}</string> <string>-profile</string> <string>%HOME%\browser_profile</string> </array>

BrowserSwitcherChromePath

Path to Chrome for switching from the alternative browser.

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BrowserSwitcherChromePath

Supported on:

Google Chrome (Windows) since version 74

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy controls the command to use to open URLs in Google Chrome when switching from Internet Explorer.

If the 'Legacy Browser Support' add-in for Internet Explorer is not installed, this policy has no effect.

When this policy is left unset, Internet Explorer will auto-detect Google Chrome's own executable path when launching Google Chrome from Internet Explorer.

When this policy is set, it will be used to launch Google Chrome when launching Google Chrome from Internet Explorer.

This policy can be set to an executable file path, or ${chrome} to auto-detect Chrome's install location.

Example value:

"${chrome}"

BrowserSwitcherChromeParameters

Command-line parameters for switching from the alternative browser.

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BrowserSwitcherChromeParameters

Supported on:

Google Chrome (Windows) since version 74

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy controls command-line parameters for Chrome from Internet Explorer.

If the 'Legacy Browser Support' add-in for Internet Explorer is not installed, this policy has no effect.

When this policy is left unset, Internet Explorer only passes the URL to Chrome as a command-line parameter.

When this policy is set to a list of strings, the strings are joined with spaces and passed to Chrome as command-line parameters.

If an element contains ${url}, it gets replaced with the URL of the page to open.

If no element contains ${url}, the URL is appended at the end of the command line.

Environment variables are expanded. On Windows, %ABC% is replaced with the value of the ABC environment variable.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\BrowserSwitcherChromeParameters\1 = "--force-dark-mode"

BrowserSwitcherDelay

Delay before launching alternative browser (milliseconds)

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BrowserSwitcherDelay

Mac/Linux preference name:

BrowserSwitcherDelay

Supported on:

Google Chrome (Linux, Mac, Windows) since version 74

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy controls how long to wait before launching an alternative browser, in milliseconds.

When this policy is left unset, or set to 0, navigating to a designated URL immediately opens it in an alternative browser.

When this policy is set to a number, Chrome shows a message for that many milliseconds, and then opens the alternative browser.

Example value:

0x00002710 (Windows), 10000 (Linux), 10000 (Mac)

BrowserSwitcherEnabled

Enable the Legacy Browser Support feature.

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BrowserSwitcherEnabled

Mac/Linux preference name:

BrowserSwitcherEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 73

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy controls whether to enable Legacy Browser Support.

When this policy is left unset, or is set to false, Chrome will not attempt to launch designated URLs in an alternate browser.

When this policy is set to true, Chrome will attempt to launch some URLs in an alternate browser (such as Internet Explorer). This feature is configured using the policies in the Legacy Browser support group.

This feature is a replacement for the 'Legacy Browser Support' extension. Configuration from the extension will carry over to this feature, but it is strongly advised to use the Chrome policies instead. This ensures better compatibility in the future.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

BrowserSwitcherExternalSitelistUrl

URL of an XML file that contains URLs to load in an alternative browser.

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BrowserSwitcherExternalSitelistUrl

Mac/Linux preference name:

BrowserSwitcherExternalSitelistUrl

Supported on:

Google Chrome (Linux, Mac, Windows) since version 72

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy is a URL, that points to an XML file in the same format as Internet Explorer's SiteList policy. This loads rules from an XML file, without sharing those rules with Internet Explorer.

When this policy is left unset, or not set to a valid URL, Google Chrome does not use it as a source of rules for switching browsers.

When this policy is set to a valid URL, Google Chrome downloads the site list from that URL, and applies the rules as if they had been configured with the BrowserSwitcherUrlList policy.

For more information on Internet Explorer's SiteList policy: https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode

Example value:

"http://example.com/sitelist.xml"

BrowserSwitcherExternalGreylistUrl

URL of an XML file that contains URLs that should never trigger a browser switch.

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BrowserSwitcherExternalGreylistUrl

Mac/Linux preference name:

BrowserSwitcherExternalGreylistUrl

Supported on:

Google Chrome (Linux, Mac, Windows) since version 77

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy is a URL, that points to an XML file in the same format as Internet Explorer's SiteList policy. This loads rules from an XML file, without sharing those rules with Internet Explorer.

The rules in this XML file apply in the same way as BrowserSwitcherUrlGreylist. That is, these rules prevent Google Chrome from opening the alternative browser, and also prevent the alternative browser from opening Google Chrome.

When this policy is left unset, or not set to a valid URL, Google Chrome does not use it as a source of rules that don't trigger a browser switch.

When this policy is set to a valid URL, Google Chrome downloads the site list from that URL, and applies the rules as if they had been configured with the BrowserSwitcherUrlGreylist policy.

For more information on Internet Explorer's SiteList policy: https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode

Example value:

"http://example.com/greylist.xml"

BrowserSwitcherKeepLastChromeTab

Keep last tab open in Chrome.

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BrowserSwitcherKeepLastChromeTab

Mac/Linux preference name:

BrowserSwitcherKeepLastChromeTab

Supported on:

Google Chrome (Linux, Mac, Windows) since version 74

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy controls whether to close Chrome completely when the last tab would switch to another browser.

When this policy is left unset, or is set to true, Chrome will keep at least one tab open, after switching to an alternate browser.

When this policy is set to false, Chrome will close the tab after switching to an alternate browser, even if it was the last tab. This will cause Chrome to exit completely.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

BrowserSwitcherUrlList

Websites to open in alternative browser

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BrowserSwitcherUrlList

Mac/Linux preference name:

BrowserSwitcherUrlList

Supported on:

Google Chrome (Linux, Mac, Windows) since version 71

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy controls the list of websites to open in an alternative browser.

Note that elements can also be added to this list through the BrowserSwitcherUseIeSitelist and BrowserSwitcherExternalSitelistUrl policies.

When this policy is left unset, no websites are added to the list.

When this policy is set, each item is treated as a rule for something to open in an alternative browser. Google Chrome uses those rules when choosing if a URL should open in an alternative browser.

When the Internet Explorer add-in is present and enabled, Internet Explorer switches back to Google Chrome when the rules do not match.

If rules contradict eachother, Google Chrome uses the most specific rule.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\BrowserSwitcherUrlList\1 = "ie.com" Software\Policies\Google\Chrome\BrowserSwitcherUrlList\2 = "!open-in-chrome.ie.com" Software\Policies\Google\Chrome\BrowserSwitcherUrlList\3 = "foobar.com/ie-only/"
Android/Linux:: [ "ie.com", "!open-in-chrome.ie.com", "foobar.com/ie-only/" ]
Mac:: <array> <string>ie.com</string> <string>!open-in-chrome.ie.com</string> <string>foobar.com/ie-only/</string> </array>

BrowserSwitcherUrlGreylist

Websites that should never trigger a browser switch.

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BrowserSwitcherUrlGreylist

Mac/Linux preference name:

BrowserSwitcherUrlGreylist

Supported on:

Google Chrome (Linux, Mac, Windows) since version 71

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy controls the list of websites that will never cause a browser switch.

Note that elements can also be added to this list through the BrowserSwitcherExternalGreylistUrl policy.

When this policy is left unset, no websites are added to the list.

When this policy is set, each item is treated as a rule, similar to the BrowserSwitcherUrlList policy. However, the logic is reversed: rules that match will not open an alternative browser.

Unlike BrowserSwitcherUrlList, rules apply to both directions. That is, when the Internet Explorer add-in is present and enabled, it also controls whether Internet Explorer should open these URLs in Google Chrome.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\BrowserSwitcherUrlGreylist\1 = "ie.com" Software\Policies\Google\Chrome\BrowserSwitcherUrlGreylist\2 = "!open-in-chrome.ie.com" Software\Policies\Google\Chrome\BrowserSwitcherUrlGreylist\3 = "foobar.com/ie-only/"
Android/Linux:: [ "ie.com", "!open-in-chrome.ie.com", "foobar.com/ie-only/" ]
Mac:: <array> <string>ie.com</string> <string>!open-in-chrome.ie.com</string> <string>foobar.com/ie-only/</string> </array>

BrowserSwitcherUseIeSitelist

Use Internet Explorer's SiteList policy for Legacy Browser Support.

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BrowserSwitcherUseIeSitelist

Supported on:

Google Chrome (Windows) since version 71

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy controls whether to load rules from Internet Explorer's SiteList policy.

When this policy is left unset, or set to false, Google Chrome does not use Internet Explorer's SiteList policy as a source of rules for switching browsers.

When this policy is set to true, Google Chrome reads Internet Explorer's SiteList to obtain the site list's URL. Google Chrome then downloads the site list from that URL, and applies the rules as if they had been configured with the BrowserSwitcherUrlList policy.

For more information on Internet Explorer's SiteList policy: https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode

Example value:

0x00000001 (Windows)

Linux container

Controls settings for the Linux container (Crostini).

VirtualMachinesAllowed

Allow devices to run virtual machines on Chrome OS

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\VirtualMachinesAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 66

Supported features:

Dynamic Policy Refresh: Yes

Description:

Allows you to control whether virtual machines are allowed to run on Chrome OS.

If the policy is set to True, the device is allowed to run virtual machines. If the policy is set to False, the device will not be allowed to run virtual machines. All three policies, VirtualMachinesAllowed, CrostiniAllowed, and DeviceUnaffiliatedCrostiniAllowed need to be true when they apply for Crostini to be allowed to run. When this policy is changed to False, it applies to starting new virtual machines but does not shut down virtual machines which are already running. When this policy is not set on a managed device, the device is not allowed to run virtual machines. Unmanaged devices are allowed to run virtual machines.

Example value:

0x00000001 (Windows)

CrostiniAllowed

User is enabled to run Crostini

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\CrostiniAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 70

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enable this user to run Crostini.

If the policy is set to false, Crostini is not enabled for the user. If set to true or left unset, Crostini is enabled for the user as long as other settings also allow it. All three policies, VirtualMachinesAllowed, CrostiniAllowed, and DeviceUnaffiliatedCrostiniAllowed need to be true when they apply for Crostini to be allowed to run. When this policy is changed to false, it applies to starting new Crostini containers but does not shut down containers which are already running.

Example value:

0x00000000 (Windows)

DeviceUnaffiliatedCrostiniAllowed

Allow unaffiliated users to use Crostini

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceUnaffiliatedCrostiniAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 70

Supported features:

Dynamic Policy Refresh: Yes

Description:

If the policy is set to false, unaffiliated users will not be allowed to use Crostini.

If the policy is unset or set to true, all users are allowed to use Crostini as long as other settings also allow it. All three policies, VirtualMachinesAllowed, CrostiniAllowed, and DeviceUnaffiliatedCrostiniAllowed need to be true when they apply for Crostini to be allowed to run. When this policy is changed to false, it applies to starting new Crostini containers but does not shut down containers which are already running.

Example value:

0x00000000 (Windows)

CrostiniExportImportUIAllowed

User is enabled to export / import Crostini containers via the UI

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\CrostiniExportImportUIAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 74

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If the policy is set to false, the export / import UI will not be available to users, however it is still possible to use 'lxc' commands directly in the virtual machine to export and import container images.

Example value:

0x00000000 (Windows)

Microsoft® Active Directory® management settings

Controls settings specific to Microsoft® Active Directory® managed Google Chrome OS devices.

DeviceMachinePasswordChangeRate

Machine password change rate

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceMachinePasswordChangeRate

Supported on:

Google Chrome OS (Google Chrome OS) since version 66

Supported features:

Dynamic Policy Refresh: Yes

Description:

Specifies the rate (in days) at which a client changes their machine account password. The password is randomly generated by the client and not visible to the user.

Just like user passwords, machine passwords should be changed regularly. Disabling this policy or setting a high number of days can have a negative impact on security since it gives potential attackers more time to find the machine account password and use it.

If the policy is unset, the machine account password is changed every 30 days.

If the policy is set to 0, machine account password change is disabled.

Note that passwords might get older than the specified number of days if the client has been offline for a longer period of time.

Restrictions:

Minimum:0
Maximum:9999

Example value:

0x00000000 (Windows)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : ActiveDirectoryManagement

DeviceUserPolicyLoopbackProcessingMode

User policy loopback processing mode

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceUserPolicyLoopbackProcessingMode

Supported on:

Google Chrome OS (Google Chrome OS) since version 66

Supported features:

Dynamic Policy Refresh: Yes

Description:

Specifies whether and how user policy from computer GPO is processed.

If the policy is set to 'Default' or if it is unset, user policy is read only from user GPOs (computer GPOs are ignored).

If the policy is set to 'Merge', user policy in user GPOs is merged with user policy in computer GPOs (computer GPOs take preference).

If the policy is set to 'Replace', user policy in user GPOs is replaced by user policy in computer GPOs (user GPOs are ignored).

0 = Default
1 = Merge
2 = Replace

Example value:

0x00000000 (Windows)

DeviceKerberosEncryptionTypes

Allowed Kerberos encryption types

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceKerberosEncryptionTypes

Supported on:

Google Chrome OS (Google Chrome OS) since version 66

Supported features:

Dynamic Policy Refresh: Yes

Description:

Sets encryption types that are allowed when requesting Kerberos tickets from an Microsoft® Active Directory® server.

If the policy is set to 'All', both the AES encryption types 'aes256-cts-hmac-sha1-96' and 'aes128-cts-hmac-sha1-96' as well as the RC4 encryption type 'rc4-hmac' are allowed. AES encryption takes preference if the server supports both types. Note that RC4 is insecure and the server should be reconfigured if possible to support AES encryption.

If the policy is set to 'Strong' or if it is unset, only the AES encryption types are allowed.

If the policy is set to 'Legacy', only the RC4 encryption type is allowed. This option is insecure and should only be needed in very specific circumstances.

0 = All (insecure)
1 = Strong
2 = Legacy (insecure)

Example value:

0x00000001 (Windows)

DeviceGpoCacheLifetime

GPO cache lifetime

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceGpoCacheLifetime

Supported on:

Google Chrome OS (Google Chrome OS) since version 73

Supported features:

Dynamic Policy Refresh: Yes

Description:

Specifies the lifetime (in hours) of the Group Policy Object (GPO) cache. Instead of re-downloading GPOs on every policy fetch, the system may reuse cached GPOs as long as their version does not change. This policy specifies the maximum duration for which cached GPOs may be reused before they are re-downloaded. Rebooting and logging out clears the cache.

If the policy is unset, cached GPOs may be reused for up to 25 hours.

If the policy is set to 0, GPO caching is turned off. Note that this increases server load since GPOs are re-downloaded on every policy fetch, even if they did not change.

Restrictions:

Minimum:0
Maximum:9999

Example value:

0x00000000 (Windows)

DeviceAuthDataCacheLifetime

Authentication data cache lifetime

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceAuthDataCacheLifetime

Supported on:

Google Chrome OS (Google Chrome OS) since version 73

Supported features:

Dynamic Policy Refresh: Yes

Description:

Specifies the lifetime (in hours) of the authentication data cache. The cache is used to speed up sign-in. It contains general data (workgroup name etc.) about affiliated realms, i.e. realms trusted by the machine realm. No user-specific data and no data for unaffiliated realms is cached. Rebooting the device clears the cache.

If the policy is unset, cached authentication data may be reused for up to 73 hours.

If the policy is set to 0, authentication data caching is turned off. This can significantly slow down sign-in of affiliated users since realm-specific data has to be fetched on every sign-in.

Note that realm data is cached even for ephemeral users. The cache should be turned off if tracing the realm of ephemeral users should be prevented.

Restrictions:

Minimum:0
Maximum:9999

Example value:

0x00000000 (Windows)

Native Messaging

Configures policies for Native Messaging. Blacklisted native messaging hosts won't be allowed unless they are whitelisted.

NativeMessagingBlacklist

Configure native messaging blacklist

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\NativeMessagingBlacklist

Mac/Linux preference name:

NativeMessagingBlacklist

Supported on:

Google Chrome (Linux, Mac, Windows) since version 34

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to specify which native messaging hosts that should not be loaded.

A blacklist value of '*' means all native messaging hosts are blacklisted unless they are explicitly listed in the whitelist.

If this policy is left not set Google Chrome will load all installed native messaging hosts.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\NativeMessagingBlacklist\1 = "com.native.messaging.host.name1" Software\Policies\Google\Chrome\NativeMessagingBlacklist\2 = "com.native.messaging.host.name2"
Android/Linux:: [ "com.native.messaging.host.name1", "com.native.messaging.host.name2" ]
Mac:: <array> <string>com.native.messaging.host.name1</string> <string>com.native.messaging.host.name2</string> </array>

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : NativeMessaging

NativeMessagingWhitelist

Configure native messaging whitelist

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\NativeMessagingWhitelist

Mac/Linux preference name:

NativeMessagingWhitelist

Supported on:

Google Chrome (Linux, Mac, Windows) since version 34

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to specify which native messaging hosts are not subject to the blacklist.

A blacklist value of * means all native messaging hosts are blacklisted and only native messaging hosts listed in the whitelist will be loaded.

By default, all native messaging hosts are whitelisted, but if all native messaging hosts have been blacklisted by policy, the whitelist can be used to override that policy.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\NativeMessagingWhitelist\1 = "com.native.messaging.host.name1" Software\Policies\Google\Chrome\NativeMessagingWhitelist\2 = "com.native.messaging.host.name2"
Android/Linux:: [ "com.native.messaging.host.name1", "com.native.messaging.host.name2" ]
Mac:: <array> <string>com.native.messaging.host.name1</string> <string>com.native.messaging.host.name2</string> </array>

NativeMessagingUserLevelHosts

Allow user-level Native Messaging hosts (installed without admin permissions)

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\NativeMessagingUserLevelHosts

Mac/Linux preference name:

NativeMessagingUserLevelHosts

Supported on:

Google Chrome (Linux, Mac, Windows) since version 34

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables user-level installation of Native Messaging hosts.

If this setting is enabled then Google Chrome allows usage of Native Messaging hosts installed on user level.

If this setting is disabled then Google Chrome will only use Native Messaging hosts installed on system level.

If this setting is left not set Google Chrome will allow usage of user-level Native Messaging hosts.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

Network File Shares settings

Configure Network File Share related policies.

NetworkFileSharesAllowed

Contorls Network File Shares for ChromeOS availability

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\NetworkFileSharesAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 70

Supported features:

Dynamic Policy Refresh: No, Per Profile: Yes

Description:

This policy controls whether the Network File Shares feature for Google Chrome OS is allowed for a user.

When this policy is not configured or set to True, users will be able to use Network File Shares.

When this policy is set to False, users will be unable to use Network File Shares.

Example value:

0x00000001 (Windows)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : NetworkFileShares

NetBiosShareDiscoveryEnabled

Controls Network File Share discovery via NetBIOS

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\NetBiosShareDiscoveryEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 70

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy controls whether the Network File Shares feature for Google Chrome OS should use the NetBIOS Name Query Request protocol to discover shares on the network. When this policy is set to True, share discovery will use the NetBIOS Name Query Request protocol protocol to discover shares on the network. When this policy is set to False, share discovery will not use the NetBIOS Name Query Request protocol protocol to discover shares. If the policy is left not set, the default is disabled for enterprise-managed users and enabled for non-managed users.

Example value:

0x00000001 (Windows)

NTLMShareAuthenticationEnabled

Controls enabling NTLM as an authentication protocol for SMB mounts

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\NTLMShareAuthenticationEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 71

Supported features:

Dynamic Policy Refresh: No, Per Profile: Yes

Description:

This policy controls whether the Network File Shares feature for Google Chrome OS will use NTLM for authentication.

When this policy is set to True, NTLM will be used for authentication to SMB shares if necessary. When this policy is set to False, NTLM authentication to SMB shares will be disabled.

If the policy is left not set, the default is disabled for enterprise-managed users and enabled for non-managed users.

Example value:

0x00000001 (Windows)

NetworkFileSharesPreconfiguredShares

List of preconfigured network file shares.

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\NetworkFileSharesPreconfiguredShares

Supported on:

Google Chrome OS (Google Chrome OS) since version 71

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies a list of preconfigued network file shares.

Each list item of the policy is an object with two members: "share_url" and "mode". "share_url" should be the URL of the share and "mode" should be either "drop_down" or "pre_mount". "drop_down" mode indicates that "share_url" will be added to the share discovery drop down. "pre_mount" mode indicates that "share_url" will be mounted.

Schema:

{ "items": { "properties": { "mode": { "enum": [ "drop_down", "pre_mount" ], "type": "string" }, "share_url": { "type": "string" } }, "required": [ "share_url", "mode" ], "type": "object" }, "type": "array" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\NetworkFileSharesPreconfiguredShares = [ { "mode": "drop_down", "share_url": "smb://server/share" }, { "mode": "drop_down", "share_url": "\\\\server\\share" } ]

Network settings

Controls device-wide network configuration.

DeviceOpenNetworkConfiguration

Device-level network configuration

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceOpenNetworkConfiguration

Supported on:

Google Chrome OS (Google Chrome OS) since version 16

Supported features:

Dynamic Policy Refresh: Yes

Description:

Allows pushing network configuration to be applied for all users of a Google Chrome OS device. The network configuration is a JSON-formatted string as defined by the Open Network Configuration format.

Note for Google Chrome OS devices supporting Android apps:

Android apps can use the network configurations and CA certificates set via this policy, but do not have access to some configuration options.

Expanded schema description:

https://chromium.googlesource.com/chromium/src/+/master/components/onc/docs/onc_spec.md

Example value:

"{ "NetworkConfigurations": [ { "GUID": "{4b224dfd-6849-7a63-5e394343244ae9c9}", "Name": "my WiFi", "Type": "WiFi", "WiFi": { "SSID": "my WiFi", "HiddenSSID": false, "Security": "None", "AutoConnect": true } } ] }"

DeviceDataRoamingEnabled

Enable data roaming

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceDataRoamingEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 12

Supported features:

Dynamic Policy Refresh: Yes

Description:

Determines whether data roaming should be enabled for the device. If set to true, data roaming is allowed. If left unconfigured or set to false, data roaming will be not available.

Example value:

0x00000001 (Windows)

NetworkThrottlingEnabled

Enable throttling network bandwidth

Data type:

Dictionary

Supported on:

Google Chrome OS (Google Chrome OS) since version 56

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Allows enabling or disabling network throttling. This applies to all users, and to all interfaces on the device. Once set, the throttling persists until the policy is changed to disable it.

If set to false, there is no throttling. If set to true, the system is throttled to achieve the provided upload and download rates (in kbits/s).

Schema:

{ "properties": { "download_rate_kbits": { "description": "Desired download rate in kbits/s.", "type": "integer" }, "enabled": { "description": "A boolean flag indicating if throttling is enabled.", "type": "boolean" }, "upload_rate_kbits": { "description": "Desired upload rate in kbits/s.", "type": "integer" } }, "required": [ "enabled", "upload_rate_kbits", "download_rate_kbits" ], "type": "object" }

DeviceHostnameTemplate

Device network hostname template

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceHostnameTemplate

Supported on:

Google Chrome OS (Google Chrome OS) since version 65

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Determine the hostname of the device used in DHCP requests.

If this policy is set to a non empty string, that string will be used as the device hostname during DHCP request.

The string can contain variables ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, ${MACHINE_NAME} that would be replaced with values on the device before using as a hostname. Resulting substitution should be a valid hostname (per RFC 1035, section 3.1).

If this policy is not set, or the value after substitution is not a valid hostname, no hostname will be set in DHCP request.

Example value:

"chromebook-${ASSET_ID}"

DeviceWiFiFastTransitionEnabled

Enable 802.11r Fast Transition

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceWiFiFastTransitionEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 72

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Allows enabling or disabling Fast Transition. This applies to all users, and to all interfaces on the device. In order for Fast Transition to be used, both this setting and the per-network ONC property need to be enabled. Once set, Fast Transition persists until the policy is changed to disable it.

If this policy is not set or set to false, Fast Transition is not used. If set to true, Fast Transition is used when the wireless access point supports it.

Example value:

0x00000001 (Windows)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : WiFi

DeviceWiFiAllowed

Enable WiFi

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceWiFiAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If the policy is set to false, Google Chrome OS will disable WiFi and users cannot enable it back. If the policy is set to true or left unset, users will be able to enable or disable WiFi as they wish.

Example value:

0x00000001 (Windows)

DeviceDockMacAddressSource

Device MAC address source when docked

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceDockMacAddressSource

Supported on:

Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Configures which MAC (media access control) address will be used when a dock is connected to the device.

When a dock is connected to some device models, the device's designated dock MAC address is used to identify the device on Ethernet by default. This policy allows the administrator to change the source of the MAC address while docked.

If 'DeviceDockMacAddress' is selected or the policy is left unset, the device's designated dock MAC address will be used.

If 'DeviceNicMacAddress' is selected, the device's NIC (network interface controller) MAC address will be used.

If 'DockNicMacAddress' is selected, the dock's NIC MAC address will be used.

This setting can not be changed by the user.

1 = Device's designated dock MAC address
2 = Device's built-in NIC MAC address
3 = Dock's built-in NIC MAC address

Example value:

0x00000001 (Windows)

Other

Controls miscellaneous settings including USB, bluetooth, policy refresh, developer mode and others.

UsbDetachableWhitelist

Whitelist of USB detachable devices

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\UsbDetachableWhitelist

Supported on:

Google Chrome OS (Google Chrome OS) since version 51

Supported features:

Dynamic Policy Refresh: No

Description:

Defines the list of USB devices that are allowed to be detached from their kernel driver in order to be used through the chrome.usb API directly inside a web application. Entries are pairs of USB Vendor Identifier and Product Identifier to identify a specific hardware.

If this policy is not configured, the list of a detachable USB devices is empty.

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\UsbDetachableWhitelist\1 = "{'vendor_id': 1027, 'product_id': 24577}" Software\Policies\Google\ChromeOS\UsbDetachableWhitelist\2 = "{'vendor_id': 16700, 'product_id': 8453}"

DeviceAllowBluetooth

Allow bluetooth on device

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceAllowBluetooth

Supported on:

Google Chrome OS (Google Chrome OS) since version 52

Supported features:

Dynamic Policy Refresh: No

Description:

If this policy is set to false, Google Chrome OS will disable Bluetooth and the user cannot enable it back.

If this policy is set to true or left unset, the user will be able to enable or disable Bluetooth as they wish.

If this policy is set, the user cannot change or override it.

After enabling Bluetooth, the user must log out and log back in for the changes to take effect (no need for this when disabling Bluetooth).

Example value:

0x00000001 (Windows)

TPMFirmwareUpdateSettings

Configure TPM firmware update behavior

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\TPMFirmwareUpdateSettings

Supported on:

Google Chrome OS (Google Chrome OS) since version 63

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Configures availability and behavior of TPM firmware update functionality.

Individual settings can be specified in JSON properties:

allow-user-initiated-powerwash: If set to true, users will be able to trigger the powerwash flow to install a TPM firmware update.

allow-user-initiated-preserve-device-state: If set to true, users will be able to invoke the TPM firmware update flow that preserves device-wide state (including enterprise enrollment), but loses user data. This update flow is available starting from version 68.

auto-update-mode: Controls how automatic TPM firmware updates are enforced for vulnerable TPM firmware. All flows preserve local device state. If set to 1 or left not set, TPM firmware updates are not enforced. If set to 2, TPM firmware will be updated at the next reboot after user acknowledges the update. If set to 3, TPM firmware will be updated at the next reboot. If set to 4, TPM firmware will be updated after enrollment, before user sign-in. This option is available starting from version 74.

If the policy is not set, TPM firmware update functionality will not be available.

Schema:

{ "properties": { "allow-user-initiated-powerwash": { "type": "boolean" }, "allow-user-initiated-preserve-device-state": { "type": "boolean" }, "auto-update-mode": { "enum": [ 1, 2, 3, 4 ], "type": "integer" } }, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\TPMFirmwareUpdateSettings = { "allow-user-initiated-powerwash": true, "allow-user-initiated-preserve-device-state": true, "auto-update-mode": 1 }

DevicePolicyRefreshRate

Refresh rate for Device Policy

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DevicePolicyRefreshRate

Supported on:

Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Dynamic Policy Refresh: Yes

Description:

Specifies the period in milliseconds at which the device management service is queried for device policy information.

Leaving this policy not set will make Google Chrome OS use the default value of 3 hours.

Note that if the platform supports policy notifications, the refresh delay will be set to 24 hours (ignoring all defaults and the value of this policy) because it is expected that policy notifications will force a refresh automatically whenever policy changes, making more frequent refreshes unnecessary.

Example value:

0x0036ee80 (Windows)

DeviceBlockDevmode

Block developer mode

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 37

Supported features:

Dynamic Policy Refresh: Yes

Description:

Block developer mode.

If this policy is set to True, Google Chrome OS will prevent the device from booting into developer mode. The system will refuse to boot and show an error screen when the developer switch is turned on.

If this policy is unset or set to False, developer mode will remain available for the device.

Note for Google Chrome OS devices supporting Android apps:

This policy controls Google Chrome OS developer mode only. If you want to prevent access to Android Developer Options, you need to set the DeveloperToolsDisabled policy.

DeviceAllowRedeemChromeOsRegistrationOffers

Allow users to redeem offers through Chrome OS Registration

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceAllowRedeemChromeOsRegistrationOffers

Supported on:

Google Chrome OS (Google Chrome OS) since version 26

Supported features:

Dynamic Policy Refresh: Yes

Description:

IT admins for enterprise devices can use this flag to control whether to allow users to redeem offers through Chrome OS Registration.

If this policy is set to true or left not set, users will be able to redeem offers through Chrome OS Registration.

If this policy is set to false, user will not be able to redeem offers.

Example value:

0x00000001 (Windows)

DeviceQuirksDownloadEnabled

Enable queries to Quirks Server for hardware profiles

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceQuirksDownloadEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 51

Supported features:

Dynamic Policy Refresh: Yes

Description:

The Quirks Server provides hardware-specific configuration files, like ICC display profiles to adjust monitor calibration.

When this policy is set to false, the device will not attempt to contact the Quirks Server to download configuration files.

If this policy is true or not configured then Google Chrome OS will automatically contact the Quirks Server and download configuration files, if available, and store them on the device. Such files might, for example, be used to improve display quality of attached monitors.

Example value:

0x00000001 (Windows)

ExtensionCacheSize

Set Apps and Extensions cache size (in bytes)

Data type:

Integer

Supported on:

Google Chrome OS (Google Chrome OS) since version 43

Supported features:

Dynamic Policy Refresh: No

Description:

Google Chrome OS caches Apps and Extensions for installation by multiple users of a single device to avoid re-downloading them for each user. If this policy is not configured or the value is lower than 1 MB, Google Chrome OS will use the default cache size.

Note for Google Chrome OS devices supporting Android apps:

The cache is not used for Android apps. If multiple users install the same Android app, it will be downloaded anew for each user.

DeviceOffHours

Off hours intervals when the specified device policies are released

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceOffHours

Supported on:

Google Chrome OS (Google Chrome OS) since version 62

Supported features:

Dynamic Policy Refresh: Yes

Description:

If "OffHours" policy is set, then the specified device policies are ignored (use the default settings of these policies) during the defined time intervals. Device policies are re-applied by Chrome on every event when "OffHours" period starts or ends. User will be notified and forced to sign out when "OffHours" time end and device policy settings are changed (e.g. when user is logged in not with an allowed account).

Schema:

{ "properties": { "ignored_policy_proto_tags": { "items": { "type": "integer" }, "type": "array" }, "intervals": { "items": { "id": "WeeklyTimeIntervals", "properties": { "end": { "$ref": "WeeklyTime" }, "start": { "id": "WeeklyTime", "properties": { "day_of_week": { "enum": [ "MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY", "SUNDAY" ], "id": "WeekDay", "type": "string" }, "time": { "type": "integer" } }, "type": "object" } }, "type": "object" }, "type": "array" }, "timezone": { "type": "string" } }, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceOffHours = { "ignored_policy_proto_tags": [ 3, 8 ], "intervals": [ { "end": { "day_of_week": "MONDAY", "time": 21720000 }, "start": { "day_of_week": "MONDAY", "time": 12840000 } }, { "end": { "day_of_week": "FRIDAY", "time": 57600000 }, "start": { "day_of_week": "FRIDAY", "time": 38640000 } } ], "timezone": "GMT" }

Password manager

Configures the password manager.

PasswordManagerEnabled

Enable saving passwords to the password manager

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\PasswordManagerEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PasswordManagerEnabled

Mac/Linux preference name:

PasswordManagerEnabled

Android restriction name:

PasswordManagerEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If this setting is enabled, users can have Google Chrome memorize passwords and provide them automatically the next time they log in to a site.

If this settings is disabled, users cannot save new passwords but they may still use passwords that have been saved previously.

If this policy is enabled or disabled, users cannot change or override it in Google Chrome. If this policy is unset, password saving is allowed (but can be turned off by the user).

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on Android apps.

Example value:

0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : PasswordManager

PluginVm

Configure PluginVm related policies.

PluginVmAllowed

Allow devices to use a PluginVm on Google Chrome OS

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PluginVmAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 72

Supported features:

Dynamic Policy Refresh: Yes

Description:

Enable this device to run PluginVm.

If the policy is set to false or left unset, PluginVm is not enabled for the device. If set to true, PluginVm is enabled for the device as long as other settings also allow it. PluginVmAllowed needs to be true, PluginVmLicenseKey and PluginVmImage need to be set for PluginVm to be allowed to run.

Example value:

0x00000001 (Windows)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : PluginVm

PluginVmLicenseKey

PluginVm license key

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PluginVmLicenseKey

Supported on:

Google Chrome OS (Google Chrome OS) since version 73

Supported features:

Dynamic Policy Refresh: Yes

Description:

This policy specifies PluginVm license key for this device.

Example value:

"LICENSE_KEY"

PluginVmImage

PluginVm image

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PluginVmImage

Supported on:

Google Chrome OS (Google Chrome OS) since version 72

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

This policy specifies the PluginVm image for a user. The policy is set by specifying the URL from which the device can download the image and a SHA-256 hash used to verify the integrity of the download.

The policy should be specified as a string that expresses the URL and hash in the JSON format.

Schema:

{ "properties": { "hash": { "description": "The SHA-256 hash of the PluginVm image.", "type": "string" }, "url": { "description": "The URL from which the PluginVm image can be downloaded.", "type": "string" } }, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\PluginVmImage = { "hash": "842841a4c75a55ad050d686f4ea5f77e83ae059877fe9b6946aa63d3d057ed32", "url": "https://example.com/plugin_vm_image" }

Power and shutdown

Controls settings related to power management and rebooting.

DeviceLoginScreenPowerManagement

Power management on the login screen

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceLoginScreenPowerManagement

Supported on:

Google Chrome OS (Google Chrome OS) since version 30

Supported features:

Dynamic Policy Refresh: Yes

Description:

Configure power management on the login screen in Google Chrome OS.

This policy lets you configure how Google Chrome OS behaves when there is no user activity for some amount of time while the login screen is being shown. The policy controls multiple settings. For their individual semantics and value ranges, see the corresponding policies that control power management within a session. The only deviations from these policies are: * The actions to take on idle or lid close cannot be to end the session. * The default action taken on idle when running on AC power is to shut down.

If a setting is left unspecified, a default value is used.

If this policy is unset, defaults are used for all settings.

Schema:

{ "properties": { "AC": { "description": "Power management settings applicable only when running on AC power", "id": "DeviceLoginScreenPowerSettings", "properties": { "Delays": { "properties": { "Idle": { "description": "The length of time without user input after which the idle action is taken, in milliseconds", "minimum": 0, "type": "integer" }, "ScreenDim": { "description": "The length of time without user input after which the screen is dimmed, in milliseconds", "minimum": 0, "type": "integer" }, "ScreenOff": { "description": "The length of time without user input after which the screen is turned off, in milliseconds", "minimum": 0, "type": "integer" } }, "type": "object" }, "IdleAction": { "description": "Action to take when the idle delay is reached", "enum": [ "Suspend", "Shutdown", "DoNothing" ], "type": "string" } }, "type": "object" }, "Battery": { "$ref": "DeviceLoginScreenPowerSettings", "description": "Power management settings applicable only when running on battery power" }, "LidCloseAction": { "description": "Action to take when the lid is closed", "enum": [ "Suspend", "Shutdown", "DoNothing" ], "type": "string" }, "UserActivityScreenDimDelayScale": { "description": "Percentage by which the screen dim delay is scaled when user activity is observed while the screen is dimmed or soon after the screen has been turned off", "minimum": 100, "type": "integer" } }, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceLoginScreenPowerManagement = { "AC": { "IdleAction": "DoNothing" }, "Battery": { "Delays": { "Idle": 30000, "ScreenDim": 10000, "ScreenOff": 20000 }, "IdleAction": "DoNothing" }, "LidCloseAction": "Suspend", "UserActivityScreenDimDelayScale": 110 }

UptimeLimit

Limit device uptime by automatically rebooting

Data type:

Integer

Supported on:

Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Dynamic Policy Refresh: Yes

Description:

Limit the device uptime by scheduling automatic reboots.

When this policy is set, it specifies the length of device uptime after which an automatic reboot is scheduled.

When this policy is not set, the device uptime is not limited.

If you set this policy, users cannot change or override it.

An automatic reboot is scheduled at the selected time but may be delayed on the device by up to 24 hours if a user is currently using the device.

The policy value should be specified in seconds. Values are clamped to be at least 3600 (one hour).

DeviceRebootOnShutdown

Automatic reboot on device shutdown

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceRebootOnShutdown

Supported on:

Google Chrome OS (Google Chrome OS) since version 41

Supported features:

Dynamic Policy Refresh: Yes

Description:

If this policy is set to false or not configured, Google Chrome OS will allow the user to shut down the device. If this policy is set to true, Google Chrome OS will trigger a reboot when the user shuts down the device. Google Chrome OS replaces all occurrences of shutdown buttons in the UI by reboot buttons. If the user shuts down the device using the power button, it will not automatically reboot, even if the policy is enabled.

Example value:

0x00000001 (Windows)

Power management

Configure power management in Google Chrome OS. These policies let you configure how Google Chrome OS behaves when the user remains idle for some amount of time.

ScreenDimDelayAC (deprecated)

Screen dim delay when running on AC power

See deprecated policy ScreenDimDelayAC

ScreenOffDelayAC (deprecated)

Screen off delay when running on AC power

See deprecated policy ScreenOffDelayAC

ScreenLockDelayAC (deprecated)

Screen lock delay when running on AC power

See deprecated policy ScreenLockDelayAC

IdleWarningDelayAC (deprecated)

Idle warning delay when running on AC power

See deprecated policy IdleWarningDelayAC

IdleDelayAC (deprecated)

Idle delay when running on AC power

See deprecated policy IdleDelayAC

ScreenDimDelayBattery (deprecated)

Screen dim delay when running on battery power

See deprecated policy ScreenDimDelayBattery

ScreenOffDelayBattery (deprecated)

Screen off delay when running on battery power

See deprecated policy ScreenOffDelayBattery

ScreenLockDelayBattery (deprecated)

Screen lock delay when running on battery power

See deprecated policy ScreenLockDelayBattery

IdleWarningDelayBattery (deprecated)

Idle warning delay when running on battery power

See deprecated policy IdleWarningDelayBattery

IdleDelayBattery (deprecated)

Idle delay when running on battery power

See deprecated policy IdleDelayBattery

IdleAction (deprecated)

Action to take when the idle delay is reached

See deprecated policy IdleAction

IdleActionAC (deprecated)

Action to take when the idle delay is reached while running on AC power

See deprecated policy IdleActionAC

IdleActionBattery (deprecated)

Action to take when the idle delay is reached while running on battery power

See deprecated policy IdleActionBattery

LidCloseAction

Action to take when the user closes the lid

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\LidCloseAction

Supported on:

Google Chrome OS (Google Chrome OS) since version 26

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

When this policy is set, it specifies the action that Google Chrome OS takes when the user closes the device's lid.

When this policy is unset, the default action is taken, which is suspend.

If the action is suspend, Google Chrome OS can separately be configured to either lock or not lock the screen before suspending.

0 = Suspend
1 = Log the user out
2 = Shut down
3 = Do nothing

Example value:

0x00000000 (Windows)

PowerManagementUsesAudioActivity

Specify whether audio activity affects power management

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PowerManagementUsesAudioActivity

Supported on:

Google Chrome OS (Google Chrome OS) since version 26

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this policy is set to True or is unset, the user is not considered to be idle while audio is playing. This prevents the idle timeout from being reached and the idle action from being taken. However, screen dimming, screen off and screen lock will be performed after the configured timeouts, irrespective of audio activity.

If this policy is set to False, audio activity does not prevent the user from being considered idle.

Example value:

0x00000001 (Windows)

PowerManagementUsesVideoActivity

Specify whether video activity affects power management

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PowerManagementUsesVideoActivity

Supported on:

Google Chrome OS (Google Chrome OS) since version 26

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this policy is set to True or is unset, the user is not considered to be idle while video is playing. This prevents the idle delay, screen dim delay, screen off delay and screen lock delay from being reached and the corresponding actions from being taken.

If this policy is set to False, video activity does not prevent the user from being considered idle.

Note for Google Chrome OS devices supporting Android apps:

Video playing in Android apps is not taken into consideration, even if this policy is set to True.

Example value:

0x00000001 (Windows)

PresentationScreenDimDelayScale

Percentage by which to scale the screen dim delay in presentation mode

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PresentationScreenDimDelayScale

Supported on:

Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Specifies the percentage by which the screen dim delay is scaled when the device is in presentation mode.

If this policy is set, it specifies the percentage by which the screen dim delay is scaled when the device is in presentation mode. When the screen dim delay is scaled, the screen off, screen lock and idle delays get adjusted to maintain the same distances from the screen dim delay as originally configured.

If this policy is unset, a default scale factor is used.

This policy only takes effect if the PowerSmartDimEnabled is disabled. Otherwise, this policy is ignored because the screen dim delay is deteremined by a machine-learning model.

The scale factor must be 100% or more. Values that would make the screen dim delay in presentation mode shorter than the regular screen dim delay are not allowed.

Example value:

0x000000c8 (Windows)

AllowWakeLocks

Allow wake locks

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AllowWakeLocks

Supported on:

Google Chrome OS (Google Chrome OS) since version 71

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Specifies whether wake locks are allowed. Wake locks can be requested by extensions via the power management extension API and by ARC apps.

If this policy is set to true or left not set, wake locks will be honored for power management.

If this policy is set to false, wake lock requests will get ignored.

Example value:

0x00000000 (Windows)

AllowScreenWakeLocks

Allow screen wake locks

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AllowScreenWakeLocks

Supported on:

Google Chrome OS (Google Chrome OS) since version 28

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Specifies whether screen wake locks are allowed. Screen wake locks can be requested by extensions via the power management extension API and by ARC apps.

If this policy is set to true or left not set, screen wake locks will be honored for power management, unless AllowWakeLocks is set to false.

If this policy is set to false, screen wake lock requests will be demoted to system wake lock requests.

Example value:

0x00000000 (Windows)

UserActivityScreenDimDelayScale

Percentage by which to scale the screen dim delay if the user becomes active after dimming

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\UserActivityScreenDimDelayScale

Supported on:

Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Specifies the percentage by which the screen dim delay is scaled when user activity is observed while the screen is dimmed or soon after the screen has been turned off.

If this policy is set, it specifies the percentage by which the screen dim delay is scaled when user activity is observed while the screen is dimmed or soon after the screen has been turned off. When the dim delay is scaled, the screen off, screen lock and idle delays get adjusted to maintain the same distances from the screen dim delay as originally configured.

If this policy is unset, a default scale factor is used.

This policy only takes effect if the PowerSmartDimEnabled policy is disabled. Otherwise, this policy is ignored because the screen dim delay is deteremined by a machine-learning model.

The scale factor must be 100% or more.

Example value:

0x000000c8 (Windows)

WaitForInitialUserActivity

Wait for initial user activity

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\WaitForInitialUserActivity

Supported on:

Google Chrome OS (Google Chrome OS) since version 32

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Specifies whether power management delays and the session length limit should only start running after the first user activity has been observed in a session.

If this policy is set to True, power management delays and the session length limit do not start running until after the first user activity has been observed in a session.

If this policy is set to False or left unset, power management delays and the session length limit start running immediately on session start.

Example value:

0x00000001 (Windows)

PowerManagementIdleSettings

Power management settings when the user becomes idle

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PowerManagementIdleSettings

Supported on:

Google Chrome OS (Google Chrome OS) since version 35

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

This policy controls multiple settings for the power management strategy when the user becomes idle.

There are four types of action: * The screen will be dimmed if the user remains idle for the time specified by |ScreenDim|. * The screen will be turned off if the user remains idle for the time specified by |ScreenOff|. * A warning dialog will be shown if the user remains idle for the time specified by |IdleWarning|, telling the user that the idle action is about to be taken. The warning message is only shown if the idle action is to logout or shut down. * The action specified by |IdleAction| will be taken if the user remains idle for the time specified by |Idle|.

For each of above actions, the delay should be specified in milliseconds, and needs to be set to a value greater than zero to trigger the corresponding action. In case the delay is set to zero, Google Chrome OS will not take the corresponding action.

For each of the above delays, when the length of time is unset, a default value will be used.

When the |IdleAction| is unset, the default action is taken, which is suspend.

There are also separate settings for AC power and battery.

Schema:

{ "properties": { "AC": { "description": "Delays and actions to take when the device is idle and running on AC power", "id": "PowerManagementDelays", "properties": { "Delays": { "properties": { "Idle": { "description": "The length of time without user input after which the idle action is taken, in milliseconds", "minimum": 0, "type": "integer" }, "IdleWarning": { "description": "The length of time without user input after which a warning dialog is shown, in milliseconds", "minimum": 0, "type": "integer" }, "ScreenDim": { "description": "The length of time without user input after which the screen is dimmed, in milliseconds", "minimum": 0, "type": "integer" }, "ScreenOff": { "description": "The length of time without user input after which the screen is turned off, in milliseconds", "minimum": 0, "type": "integer" } }, "type": "object" }, "IdleAction": { "description": "Action to take when the idle delay is reached", "enum": [ "Suspend", "Logout", "Shutdown", "DoNothing" ], "type": "string" } }, "type": "object" }, "Battery": { "$ref": "PowerManagementDelays", "description": "Delays and actions to take when the device is idle and running on battery" } }, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\PowerManagementIdleSettings = { "AC": { "IdleAction": "DoNothing" }, "Battery": { "Delays": { "Idle": 30000, "IdleWarning": 5000, "ScreenDim": 10000, "ScreenOff": 20000 }, "IdleAction": "DoNothing" } }

ScreenLockDelays

Screen lock delays

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ScreenLockDelays

Supported on:

Google Chrome OS (Google Chrome OS) since version 35

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Specifies the length of time without user input after which the screen is locked when running on AC power or battery.

When the length of time is set to a value greater than zero, it represents the length of time that the user must remain idle before Google Chrome OS locks the screen.

When the length of time is set to zero, Google Chrome OS does not lock the screen when the user becomes idle.

When the length of time is unset, a default length of time is used.

The recommended way to lock the screen on idle is to enable screen locking on suspend and have Google Chrome OS suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.

The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.

Schema:

{ "properties": { "AC": { "description": "The length of time without user input after which the screen is locked when running on AC power, in milliseconds", "minimum": 0, "type": "integer" }, "Battery": { "description": "The length of time without user input after which the screen is locked when running on battery, in milliseconds", "minimum": 0, "type": "integer" } }, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\ScreenLockDelays = { "AC": 600000, "Battery": 300000 }

PowerSmartDimEnabled

Enable smart dim model to extend the time until the screen is dimmed

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PowerSmartDimEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 70

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Specifies whether a smart dim model is allowed to extend the time until the screen is dimmed.

When the screen is about to be dimmed, the smart dim model evaluates if dimming the screen should be deferred. If the smart dim model defers dimming the screen, it effectively extends the time until the screen is dimmed. In this case, the screen off, screen lock and idle delays get adjusted to maintain the same distances from the screen dim delay as originally configured. If this policy is set to True or left not set, the smart dim model will be enabled and allowed to extend the time until the screen is dimmed. If this policy is set to False, the smart dim model will not influence screen dimming.

Example value:

0x00000000 (Windows)

ScreenBrightnessPercent

Screen brightness percent

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ScreenBrightnessPercent

Supported on:

Google Chrome OS (Google Chrome OS) since version 72

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Specifies screen brightness percent. When this policy is set initial screen brightness is adjusted to the policy value, but the user can change it later on. Auto-brightness features are disabled. When this policy is unset user screen controls and auto-brightness features are not affected. The policy values should be specified in percents in range 0-100.

Schema:

{ "properties": { "BrightnessAC": { "description": "Screen brightness percent when running on AC power", "maximum": 100, "minimum": 0, "type": "integer" }, "BrightnessBattery": { "description": "Screen brightness percent when running on battery power", "maximum": 100, "minimum": 0, "type": "integer" } }, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\ScreenBrightnessPercent = { "BrightnessAC": 90, "BrightnessBattery": 75 }

DevicePowerPeakShiftBatteryThreshold

Set power peak shift battery threshold in percent

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DevicePowerPeakShiftBatteryThreshold

Supported on:

Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Set power peak shift battery threshold in percent.

This policy is only used if DevicePowerPeakShiftEnabled is set to true.

If this policy is not configured or left unset, power peak shift will always be disabled.

Restrictions:

Minimum:15
Maximum:100

Example value:

0x00000014 (Windows)

DevicePowerPeakShiftDayConfig

Set power peak shift day config

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DevicePowerPeakShiftDayConfig

Supported on:

Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Set power peak shift day config.

This policy is only used if DevicePowerPeakShiftEnabled is set to true.

If this policy is not configured or left unset, power peak shift will always be disabled.

Note: allowed values for minute field in start_time, end_time and charge_start_time are 0, 15, 30, 45.

Schema:

{ "properties": { "entries": { "items": { "properties": { "charge_start_time": { "$ref": "Time" }, "day": { "$ref": "WeekDay" }, "end_time": { "$ref": "Time" }, "start_time": { "$ref": "Time" } }, "type": "object" }, "type": "array" } }, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DevicePowerPeakShiftDayConfig = { "entries": [ { "charge_start_time": { "hour": 20, "minute": 45 }, "day": "MONDAY", "end_time": { "hour": 15, "minute": 15 }, "start_time": { "hour": 9, "minute": 0 } }, { "charge_start_time": { "hour": 23, "minute": 45 }, "day": "FRIDAY", "end_time": { "hour": 21, "minute": 0 }, "start_time": { "hour": 2, "minute": 30 } } ] }

DevicePowerPeakShiftEnabled

Enable power peak shift

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DevicePowerPeakShiftEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Enable the power peak shift power management policy.

Peak Shift is power saving policy that minimizes alternating current usage during the peak usage times during the day. For each weekday a start and end time to run in power Peak Shift mode can be set. During these times the system will run from the battery even if the alternating current is attached as long as the battery stays above the threshold specified. After the end time specified the system will run from alternating current if attached but will not charge the battery. The system will again function normally using alternating current and recharging the battery after the specified Charge Start time.

If this policy is set to true, and DevicePowerPeakShiftBatteryThreshold, DevicePowerPeakShiftDayConfig are set, then power peak shift will always be enabled if supported on the device.

If this policy is set to false, power peak shift will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, power peak shift is disabled initially and cannot be enabled by the user.

Example value:

0x00000000 (Windows)

DeviceBootOnAcEnabled

Enable boot on AC (alternating current)

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceBootOnAcEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Enable the boot on AC power management policy.

Boot on AC provides an opportunity for system to automatically boot up from OFF/Hibernate state when line power is inserted.

If this policy is set to true then boot on AC will always be enabled if supported on the device.

If this policy is set to false, boot on AC will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, boot on AC is disabled and cannot be enabled by the user.

Example value:

0x00000000 (Windows)

DeviceAdvancedBatteryChargeModeEnabled

Enable advanced battery charge mode

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceAdvancedBatteryChargeModeEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Enable the advanced battery charge mode power management policy.

Advanced Battery Charging Mode allows the user to maximize the battery health. In Advanced Charging Mode the system will use standard charging algorithm and other techniques during non-work hours to maximize battery health. During work hours, an express charge is used. This express charge allows the battery to be charged faster; therefore, the battery is at full charge sooner. For each day the time in which the system will be most heavily used is specified by the start time and the duration.

If this policy is set to true, and DeviceAdvancedBatteryChargeModeDayConfig is set, then advanced battery charge mode will always be enabled if supported on the device.

If this policy is set to false, advanced battery charge mode will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, advanced battery charge mode is disabled and cannot be enabled by the user.

Example value:

0x00000000 (Windows)

DeviceAdvancedBatteryChargeModeDayConfig

Set advanced battery charge mode day config

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceAdvancedBatteryChargeModeDayConfig

Supported on:

Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Set advanced battery charge mode day config.

This policy is only used if DeviceAdvancedBatteryChargeModeEnabled is set to true.

If this policy is not configured or left unset, advanced battery charge mode will always be disabled.

Note: charge_start_time must be less than charge_end_time.

Note: allowed values for minute field in charge_start_time and charge_end_time are 0, 15, 30, 45.

Schema:

{ "properties": { "entries": { "items": { "properties": { "charge_end_time": { "$ref": "Time" }, "charge_start_time": { "$ref": "Time" }, "day": { "$ref": "WeekDay" } }, "type": "object" }, "type": "array" } }, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceAdvancedBatteryChargeModeDayConfig = { "entries": [ { "charge_end_time": { "hour": 23, "minute": 0 }, "charge_start_time": { "hour": 20, "minute": 30 }, "day": "TUESDAY" }, { "charge_end_time": { "hour": 6, "minute": 45 }, "charge_start_time": { "hour": 4, "minute": 15 }, "day": "FRIDAY" } ] }

DeviceBatteryChargeMode

Battery charge mode

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceBatteryChargeMode

Supported on:

Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Specifies battery charge mode power management policy.

Dynamically control battery charging to minimize battery wear-out due to battery stress and extend battery life.

If custom battery charge mode is selected then DeviceBatteryChargeCustomStartCharging and DeviceBatteryChargeCustomStopCharging must be specified.

If this policy is set then battery charge mode will be applied if supported on the device.

If this policy is left unset and policy is supported on the device, the standard battery charge mode will be applied and cannot be changed by the user.

Note: DeviceAdvancedBatteryChargeModeEnabled overrides this policy if the former is specified.

1 = Fully charge battery at a standard rate.
2 = Charge battery using fast charging technology.
3 = Charge battery for devices that are primarily connected to an external power source.
4 = Adaptive charge battery based on battery usage pattern.
5 = Charge battery while it is within a fixed range.

Example value:

0x00000001 (Windows)

DeviceBatteryChargeCustomStartCharging

Set battery charge custom start charging in percent

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceBatteryChargeCustomStartCharging

Supported on:

Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Set battery charge custom start charging in percent.

Battery starts charging when it depletes the battery charge custom start charging value.

DeviceBatteryChargeCustomStartCharging must be less than DeviceBatteryChargeCustomStopCharging.

This policy is only used if DeviceBatteryChargeMode is set to custom.

If this policy is not configured or left unset, the standard battery charge mode will be applied.

Restrictions:

Minimum:50
Maximum:95

Example value:

0x0000003c (Windows)

DeviceBatteryChargeCustomStopCharging

Set battery charge custom stop charging in percent

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceBatteryChargeCustomStopCharging

Supported on:

Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Set battery charge custom stop charging in percent.

Battery stops charging when it reaches the battery charge custom stop charging value.

DeviceBatteryChargeCustomStartCharging must be less than DeviceBatteryChargeCustomStopCharging.

This policy is only used if DeviceBatteryChargeMode is set to custom.

If this policy is not configured or left unset, the standard battery charge mode will be applied.

Restrictions:

Minimum:55
Maximum:100

Example value:

0x0000005a (Windows)

DeviceUsbPowerShareEnabled

Enable USB power share

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceUsbPowerShareEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Enable the USB power share power management policy.

Certain devices have a specific USB port marked with a lightning bolt or battery icon that can be used to charge devices like a mobile phone using the system battery. This policy affects the charging behavior of this port while the system is in the sleep and shut down modes. This policy does not affect the other USB ports and the charging behavior while the system is awake.

When awake, the USB port will always provide power.

When sleeping, if this policy is set to true, then power will be supplied to the USB port when the device is plugged into the wall charger or if the battery level is > 50%. Otherwise no power is supplied.

When shut down, if this policy is set to true, then power will be supplied to the USB port when the device is plugged into the wall charger. Otherwise no power is supplied.

If this policy is left unset, the policy is enabled and cannot be disabled by the user.

Example value:

0x00000001 (Windows)

Printing

Controls printing settings.

PrintingEnabled

Enable printing

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\PrintingEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PrintingEnabled

Mac/Linux preference name:

PrintingEnabled

Android restriction name:

PrintingEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 39

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables printing in Google Chrome and prevents users from changing this setting.

If this setting is enabled or not configured, users can print.

If this setting is disabled, users cannot print from Google Chrome. Printing is disabled in the wrench menu, extensions, JavaScript applications, etc. It is still possible to print from plugins that bypass Google Chrome while printing. For example, certain Flash applications have the print option in their context menu, which is not covered by this policy.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on Android apps.

Example value:

0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)

CloudPrintProxyEnabled

Enable Google Cloud Print proxy

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\CloudPrintProxyEnabled

Mac/Linux preference name:

CloudPrintProxyEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 17

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine.

If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account.

If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share it's printers with Google Cloud Print.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

PrintingAllowedColorModes

Restrict printing color mode

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PrintingAllowedColorModes

Supported on:

Google Chrome OS (Google Chrome OS) since version 71

Supported features:

Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Sets printing to color only, monochrome only or no color mode restriction. Unset policy is treated as no restriction.

"any" = Allow all color modes
"color" = Color printing only
"monochrome" = Monochrome printing only

Example value:

"monochrome"

PrintingAllowedDuplexModes

Restrict printing duplex mode

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PrintingAllowedDuplexModes

Supported on:

Google Chrome OS (Google Chrome OS) since version 71

Supported features:

Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Restricts printing duplex mode. Unset policy and empty set are treated as no restriction.

"any" = Allow all duplex modes
"simplex" = Simplex printing only
"duplex" = Duplex printing only

Example value:

"duplex"

PrintingColorDefault

Default printing color mode

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PrintingColorDefault

Supported on:

Google Chrome OS (Google Chrome OS) since version 72

Supported features:

Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Overrides default printing color mode. If the mode is unavailable this policy is ignored.

"color" = Enable color printing
"monochrome" = Enable monochrome printing

Example value:

"monochrome"

PrintingDuplexDefault

Default printing duplex mode

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PrintingDuplexDefault

Supported on:

Google Chrome OS (Google Chrome OS) since version 72

Supported features:

Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Overrides default printing duplex mode. If the mode is unavailable this policy is ignored.

"simplex" = Enable simplex printing
"short-edge" = Enable short edge duplex printing
"long-edge" = Enable long edge duplex printing

Example value:

"long-edge"

CloudPrintSubmitEnabled

Enable submission of documents to Google Cloud Print

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\CloudPrintSubmitEnabled

Mac/Linux preference name:

CloudPrintSubmitEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 17

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables Google Chrome to submit documents to Google Cloud Print for printing. NOTE: This only affects Google Cloud Print support in Google Chrome. It does not prevent users from submitting print jobs on web sites.

If this setting is enabled or not configured, users can print to Google Cloud Print from the Google Chrome print dialog.

If this setting is disabled, users cannot print to Google Cloud Print from the Google Chrome print dialog

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

DisablePrintPreview

Disable Print Preview

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DisablePrintPreview

Mac/Linux preference name:

DisablePrintPreview

Supported on:

Google Chrome (Linux, Mac, Windows) since version 18

Supported features:

Dynamic Policy Refresh: No, Per Profile: Yes

Description:

Show the system print dialog instead of print preview.

When this setting is enabled, Google Chrome will open the system print dialog instead of the built-in print preview when a user requests a page to be printed.

If this policy is not set or is set to false, print commands trigger the print preview screen.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

PrintHeaderFooter

Print Headers and Footers

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\PrintHeaderFooter

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PrintHeaderFooter

Mac/Linux preference name:

PrintHeaderFooter

Supported on:

Google Chrome OS (Google Chrome OS) since version 70
Google Chrome (Linux, Mac, Windows) since version 70

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Force 'headers and footers' to be on or off in the printing dialog.

If the policy is unset, the user can decide whether to print headers and footers.

If the policy is set to false, 'Headers and footers' is not selected in the print preview dialog, and the user cannot change it.

If the policy is set to true, 'Headers and footers' is selected in the print preview dialog, and the user cannot change it.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

DefaultPrinterSelection

Default printer selection rules

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultPrinterSelection

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DefaultPrinterSelection

Mac/Linux preference name:

DefaultPrinterSelection

Supported on:

Google Chrome (Linux, Mac, Windows) since version 48
Google Chrome OS (Google Chrome OS) since version 48

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Overrides Google Chrome default printer selection rules.

This policy determines the rules for selecting the default printer in Google Chrome which happens the first time the print function is used with a profile.

When this policy is set, Google Chrome will attempt to find a printer matching all of the specified attributes, and select it as default printer. The first printer found matching the policy is selected, in case of non-unique match any matching printer can be selected, depending on the order printers are discovered.

If this policy is not set or matching printer is not found within the timeout, the printer defaults to built-in PDF printer or no printer selected, when PDF printer is not available.

Printers connected to Google Cloud Print are considered "cloud", the rest of the printers are classified as "local". Omitting a field means all values match, for example, not specifying connectivity will cause Print Preview to initiate the discovery of all kinds of printers, local and cloud. Regular expression patterns must follow the JavaScript RegExp syntax and matches are case sensistive.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on Android apps.

Schema:

{ "properties": { "idPattern": { "description": "Regular expression to match printer id.", "type": "string" }, "kind": { "description": "Whether to limit the search of the matching printer to a specific set of printers.", "enum": [ "local", "cloud" ], "type": "string" }, "namePattern": { "description": "Regular expression to match printer display name.", "type": "string" } }, "type": "object" }

Example value:

"{ "kind": "cloud", "idPattern": ".*public", "namePattern": ".*Color" }"

NativePrinters

Native Printing

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\NativePrinters

Supported on:

Google Chrome OS (Google Chrome OS) since version 57

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Configures a list of printers.

This policy allows administrators to provide printer configurations for their users.

display_name and description are free-form strings that can be customized for ease of printer selection. manufacturer and model serve to ease printer identification by end users. They represent the manufacturer and model of the printer. uri should be an address reachable from a client computer including the scheme, port, and queue. uuid is optional. If provided, it is used to help deduplicate zeroconf printers.

Either effective_model should contain the name of the printer or autoconf should be set to true. The printers with both or without any properties will be ignored.

Printer setup is completed upon the first use of a printer. PPDs are not downloaded until the printer is used. After that time, frequently used PPDs are cached.

This policy has no effect on whether users can configure printers on individual devices. It is intended to be supplementary to the configuration of printers by individual users.

For Active Directory managed devices this policy supports expansion of ${MACHINE_NAME[,pos[,count]]} to the Active Directory machine name or a substring of it. For example, if the machine name is CHROMEBOOK, then ${MACHINE_NAME,6,4} would be replaced by the 4 characters starting after the 6th position, i.e. BOOK. Note that the position is zero-based.

Schema:

{ "items": { "id": "PrinterType", "properties": { "description": { "type": "string" }, "display_name": { "type": "string" }, "manufacturer": { "type": "string" }, "model": { "type": "string" }, "ppd_resource": { "id": "PpdResource", "properties": { "autoconf": { "description": "Boolean flag indicating whether IPP Everywhere should be used to set up the printer. This flag is supported on Google Chrome OS version 76 and higher.", "type": "boolean" }, "effective_model": { "description": "This field must match one of the strings which represent a Google Chrome OS supported printer. The string will be used to identify and install the appropriate PPD for the printer. More information can be found at https://support.google.com/chrome?p=noncloudprint.", "type": "string" } }, "type": "object" }, "uri": { "type": "string" }, "uuid": { "type": "string" } }, "type": "object" }, "type": "array" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\NativePrinters\1 = "{ "display_name": "Color Laser", "description": "The printer next to the water cooler.", "manufacturer": "Printer Manufacturer", "model": "Color Laser 2004", "uri": "ipps://print-server.intranet.example.com:443/ipp/cl2k4", "uuid": "1c395fdb-5d93-4904-b246-b2c046e79d12", "ppd_resource": { "effective_model": "Printer Manufacturer ColorLaser2k4", "autoconf": false } }"

NativePrintersBulkConfiguration

Enterprise printer configuration file

Data type:

External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\NativePrintersBulkConfiguration

Supported on:

Google Chrome OS (Google Chrome OS) since version 65

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Provides configurations for enterprise printers.

This policy allows you to provide printer configurations to Google Chrome OS devices. The format is the same as the NativePrinters dictionary, with an additional required "id" or "guid" field per printer for whitelisting or blacklisting.

The size of the file must not exceed 5MB and must be encoded in JSON. It is estimated that a file containing approximately 21,000 printers will encode as a 5MB file. The cryptographic hash is used to verify the integrity of the download.

The file is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.

If this policy is set, Google Chrome OS will download the file for printer configurations and make printers available in accordance with NativePrintersBulkAccessMode, NativePrintersBulkWhitelist, and NativePrintersBulkBlacklist.

If you set this policy, users cannot change or override it.

This policy has no effect on whether users can configure printers on individual devices. It is intended to be supplementary to the configuration of printers by individual users.

Schema:

{ "properties": { "hash": { "type": "string" }, "url": { "type": "string" } }, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\NativePrintersBulkConfiguration = { "hash": "deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef", "url": "https://example.com/printerpolicy" }

NativePrintersBulkAccessMode

Printer configuration access policy.

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\NativePrintersBulkAccessMode

Supported on:

Google Chrome OS (Google Chrome OS) since version 65

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Controls which printers from the NativePrintersBulkConfiguration are available to users.

Designates which access policy is used for bulk printer configuration. If AllowAll is selected, all printers are shown. If BlacklistRestriction is selected, NativePrintersBulkBlacklist is used to restrict access to the specified printers. If WhitelistPrintersOnly is selected, NativePrintersBulkWhitelist designates only those printers which are selectable.

If this policy is not set, AllowAll is assumed.

0 = All printers are shown except those in the blacklist.
1 = Only printers in the whitelist are shown to users
2 = Allow all printers from the configuration file.

Example value:

0x00000001 (Windows)

NativePrintersBulkBlacklist

Disabled enterprise printers

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\NativePrintersBulkBlacklist

Supported on:

Google Chrome OS (Google Chrome OS) since version 65

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies the printers which a user cannot use.

This policy is only used if BlacklistRestriction is chosen for NativePrintersBulkAccessMode.

If this policy is used, all printers are provided to the user except for the ids listed in this policy. The ids must correspond to the "id" or "guid" fields in the file specified in NativePrintersBulkConfiguration.

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\NativePrintersBulkBlacklist\1 = "id1" Software\Policies\Google\ChromeOS\NativePrintersBulkBlacklist\2 = "id2" Software\Policies\Google\ChromeOS\NativePrintersBulkBlacklist\3 = "id3"

NativePrintersBulkWhitelist

Enabled enterprise printers

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\NativePrintersBulkWhitelist

Supported on:

Google Chrome OS (Google Chrome OS) since version 65

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies the printers which a user can use.

This policy is only used if WhitelistPrintersOnly is chosen for NativePrintersBulkAccessMode.

If this policy is used, only the printers with ids matching the values in this policy are available to the user. The ids must correspond to the "id" or "guid" fields in the file specified in NativePrintersBulkConfiguration.

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\NativePrintersBulkWhitelist\1 = "id1" Software\Policies\Google\ChromeOS\NativePrintersBulkWhitelist\2 = "id2" Software\Policies\Google\ChromeOS\NativePrintersBulkWhitelist\3 = "id3"

DeviceNativePrinters

Enterprise printer configuration file for devices

Data type:

External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceNativePrinters

Supported on:

Google Chrome OS (Google Chrome OS) since version 73

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Provides configurations for enterprise printers bound to devices.

The file is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.

If this policy is set, Google Chrome OS will download the file for printer configurations and make printers available in accordance with DeviceNativePrintersAccessMode, DeviceNativePrintersWhitelist, and DeviceNativePrintersBlacklist.

This policy has no effect on whether users can configure printers on individual devices. It is intended to be supplementary to the configuration of printers by individual users.

This policy is additive to the NativePrintersBulkConfiguration.

If this policy is unset, there will be no device printers and the other DeviceNativePrinter* policies will be ignored.

Schema:

{ "properties": { "hash": { "type": "string" }, "url": { "type": "string" } }, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceNativePrinters = { "hash": "deadbeefdeadbeefdeadbeefdeadbeefdeafdeadbeefdeadbeef", "url": "https://example.com/printerpolicy" }

DeviceNativePrintersAccessMode

Device printers configuration access policy.

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceNativePrintersAccessMode

Supported on:

Google Chrome OS (Google Chrome OS) since version 73

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Controls which printers from the DeviceNativePrinters are available to users.

Designates which access policy is used for bulk printer configuration. If AllowAll is selected, all printers are shown. If BlacklistRestriction is selected, DeviceNativePrintersBlacklist is used to restrict access to the specified printers. If WhitelistPrintersOnly is selected, DeviceNativePrintersWhitelist designates only those printers which are selectable.

If this policy is not set, AllowAll is assumed.

0 = All printers are shown except those in the blacklist.
1 = Only printers in the whitelist are shown to users
2 = Allow all printers from the configuration file.

Example value:

0x00000001 (Windows)

DeviceNativePrintersBlacklist

Disabled enterprise device printers

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceNativePrintersBlacklist

Supported on:

Google Chrome OS (Google Chrome OS) since version 73

Supported features:

Dynamic Policy Refresh: Yes

Description:

Specifies the printers which a user cannot use.

This policy is only used if BlacklistRestriction is chosen for DeviceNativePrintersAccessMode.

If this policy is used, all printers are provided to the user except for the ids listed in this policy. The ids must correspond to the "id" or "guid" fields in the file specified in DeviceNativePrinters.

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceNativePrintersBlacklist\1 = "id1" Software\Policies\Google\ChromeOS\DeviceNativePrintersBlacklist\2 = "id2" Software\Policies\Google\ChromeOS\DeviceNativePrintersBlacklist\3 = "id3"

DeviceNativePrintersWhitelist

Enabled enterprise device printers

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceNativePrintersWhitelist

Supported on:

Google Chrome OS (Google Chrome OS) since version 73

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Specifies the printers which a user can use.

This policy is only used if WhitelistPrintersOnly is chosen for DeviceNativePrintersAccessMode

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceNativePrintersWhitelist\1 = "id1" Software\Policies\Google\ChromeOS\DeviceNativePrintersWhitelist\2 = "id2" Software\Policies\Google\ChromeOS\DeviceNativePrintersWhitelist\3 = "id3"

PrintPreviewUseSystemDefaultPrinter

Use System Default Printer as Default

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\PrintPreviewUseSystemDefaultPrinter

Mac/Linux preference name:

PrintPreviewUseSystemDefaultPrinter

Supported on:

Google Chrome (Linux, Mac, Windows) since version 61

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Causes Google Chrome to use the system default printer as the default choice in Print Preview instead of the most recently used printer.

If you disable this setting or do not set a value, Print Preview will use the most recently used printer as the default destination choice.

If you enable this setting, Print Preview will use the OS system default printer as the default destination choice.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

Proxy server

Allows you to specify the proxy server used by Google Chrome and prevents users from changing proxy settings. If you choose to never use a proxy server and always connect directly, all other options are ignored. If you choose to auto detect the proxy server, all other options are ignored. For detailed examples, visit: https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett. If you enable this setting, Google Chrome and ARC-apps ignore all proxy-related options specified from the command line. Leaving these policies not set will allow the users to choose the proxy settings on their own.

ProxyMode

Choose how to specify proxy server settings

Data type:

String [Android:choice, Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ProxyMode

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ProxyMode

Mac/Linux preference name:

ProxyMode

Android restriction name:

ProxyMode

Supported on:

Google Chrome (Linux, Mac, Windows) since version 10
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to specify the proxy server used by Google Chrome and prevents users from changing proxy settings.

This policy only takes effect if the ProxySettings policy has not been specified.

If you choose to never use a proxy server and always connect directly, all other options are ignored.

If you choose to use system proxy settings, all other options are ignored.

If you choose to auto detect the proxy server, all other options are ignored.

If you choose fixed server proxy mode, you can specify further options in 'Address or URL of proxy server' and 'Comma-separated list of proxy bypass rules'. Only the HTTP proxy server with the highest priority is available for ARC-apps.

If you choose to use a .pac proxy script, you must specify the URL to the script in 'URL to a proxy .pac file'.

For detailed examples, visit: https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.

If you enable this setting, Google Chrome and ARC-apps ignore all proxy-related options specified from the command line.

Leaving this policy not set will allow the users to choose the proxy settings on their own.

"direct" = Never use a proxy
"auto_detect" = Auto detect proxy settings
"pac_script" = Use a .pac proxy script
"fixed_servers" = Use fixed proxy servers
"system" = Use system proxy settings

Note for Google Chrome OS devices supporting Android apps:

You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor:

If you choose to never use a proxy server, Android apps are informed that no proxy is configured.

If you choose to use system proxy settings or a fixed server proxy, Android apps are provided with the http proxy server address and port.

If you choose to auto detect the proxy server, the script URL "http://wpad/wpad.dat" is provided to Android apps. No other part of the proxy auto-detection protocol is used.

If you choose to use a .pac proxy script, the script URL is provided to Android apps.

Example value:

"direct"

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : Proxy

ProxyServerMode (deprecated)

Choose how to specify proxy server settings

See deprecated policy ProxyServerMode

ProxyServer

Address or URL of proxy server

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ProxyServer

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ProxyServer

Mac/Linux preference name:

ProxyServer

Android restriction name:

ProxyServer

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

You can specify the URL of the proxy server here.

This policy only takes effect if you have selected manual proxy settings at 'Choose how to specify proxy server settings' and if the ProxySettings policy has not been specified.

You should leave this policy not set if you have selected any other mode for setting proxy policies.

For more options and detailed examples, visit: https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.

Note for Google Chrome OS devices supporting Android apps:

You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the ProxyMode policy for more details.

Example value:

"123.123.123.123:8080"

ProxyPacUrl

URL to a proxy .pac file

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ProxyPacUrl

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ProxyPacUrl

Mac/Linux preference name:

ProxyPacUrl

Android restriction name:

ProxyPacUrl

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

You can specify a URL to a proxy .pac file here.

This policy only takes effect if you have selected manual proxy settings at 'Choose how to specify proxy server settings' and if the ProxySettings policy has not been specified.

You should leave this policy not set if you have selected any other mode for setting proxy policies.

For detailed examples, visit: https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.

Note for Google Chrome OS devices supporting Android apps:

You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the ProxyMode policy for more details.

Example value:

"https://internal.site/example.pac"

ProxyBypassList

Proxy bypass rules

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ProxyBypassList

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ProxyBypassList

Mac/Linux preference name:

ProxyBypassList

Android restriction name:

ProxyBypassList

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Google Chrome will bypass any proxy for the list of hosts given here.

This policy only takes effect if you have selected manual proxy settings at 'Choose how to specify proxy server settings' and if the ProxySettings policy has not been specified.

You should leave this policy not set if you have selected any other mode for setting proxy policies.

For more detailed examples, visit: https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.

Note for Google Chrome OS devices supporting Android apps:

You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the ProxyMode policy for more details.

Example value:

"https://www.example1.com,https://www.example2.com,https://internalsite/"

Quick unlock

Configures quick unlock related policies.

QuickUnlockModeWhitelist

Configure allowed quick unlock modes

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\QuickUnlockModeWhitelist

Supported on:

Google Chrome OS (Google Chrome OS) since version 56

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

A whitelist controlling which quick unlock modes the user can configure and use to unlock the lock screen.

This value is a list of strings; valid list entries are: "all", "PIN", "FINGERPRINT". Adding "all" to the list means that every quick unlock mode is available to the user, including ones implemented in the future. Otherwise, only the quick unlock modes present in the list will be available.

For example, to allow every quick unlock mode, use ["all"]. To allow only PIN unlock, use ["PIN"]. To allow PIN and fingerprint, use ["PIN", "FINGERPRINT"]. To disable all quick unlock modes, use [].

By default, no quick unlock modes are available for managed devices.

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\QuickUnlockModeWhitelist\1 = "PIN"

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : QuickUnlock

QuickUnlockTimeout

Set how often user has to enter password to use quick unlock

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\QuickUnlockTimeout

Supported on:

Google Chrome OS (Google Chrome OS) since version 57

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This setting controls how often the lock screen will request the password to be entered in order to continue using quick unlock. Each time the lock screen is entered, if the last password entry was more than this setting, the quick unlock will not be available on entering the lock screen. Should the user stay on the lock screen past this period of time, a password will be requested next time the user enters the wrong code, or re-enters the lock screen, whichever comes first.

If this setting is configured, users using quick unlock will be requested to enter their passwords on the lock screen depending on this setting.

If this setting is not configured, users using quick unlock will be requested to enter their password on the lock screen every day.

0 = Password entry is required every six hours
1 = Password entry is required every twelve hours
2 = Password entry is required every two days (48 hours)
3 = Password entry is required every week (168 hours)

Example value:

0x00000002 (Windows)

PinUnlockMinimumLength

Set the minimum length of the lock screen PIN

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PinUnlockMinimumLength

Supported on:

Google Chrome OS (Google Chrome OS) since version 57

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If the policy is set, the configured minimal PIN length is enforced. (The absolute minimum PIN length is 1; values less than 1 are treated as 1.)

If the policy is not set, a minimal PIN length of 6 digits is enforced. This is the recommended minimum.

Example value:

0x00000006 (Windows)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : PinUnlock

PinUnlockMaximumLength

Set the maximum length of the lock screen PIN

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PinUnlockMaximumLength

Supported on:

Google Chrome OS (Google Chrome OS) since version 57

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If the policy is set, the configured maximal PIN length is enforced. A value of 0 or less means no maximum length; in that case the user may set a PIN as long as they want. If this setting is less than PinUnlockMinimumLength but greater than 0, the maximum length is the same as the minimum length.

If the policy is not set, no maximum length is enforced.

Example value:

0x00000000 (Windows)

PinUnlockWeakPinsAllowed

Enable users to set weak PINs for the lock screen PIN

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PinUnlockWeakPinsAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 57

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If false, users will be unable to set PINs which are weak and easy to guess.

Some example weak PINs: PINs containing only one digit (1111), PINs whose digits are increasing by 1 (1234), PINs whose digits are decreasing by 1 (4321), and PINs which are commonly used.

By default, users will get a warning, not error, if the PIN is considered weak.

Example value:

0x00000000 (Windows)

Remote access

Configure remote access options in Chrome Remote Desktop host. Chrome Remote Desktop host is a native service that runs on the target machine that a user can connect to using Chrome Remote Desktop application. The native service is packaged and executed separately from the Google Chrome browser. These policies are ignored unless the Chrome Remote Desktop host is installed.

RemoteAccessHostClientDomain (deprecated)

Configure the required domain name for remote access clients

See deprecated policy RemoteAccessHostClientDomain

RemoteAccessHostClientDomainList

Configure the required domain names for remote access clients

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RemoteAccessHostClientDomainList

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RemoteAccessHostClientDomainList

Mac/Linux preference name:

RemoteAccessHostClientDomainList

Supported on:

Google Chrome (Linux, Mac, Windows) since version 60
Google Chrome OS (Google Chrome OS) since version 60

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Configures the required client domain names that will be imposed on remote access clients and prevents users from changing it.

If this setting is enabled, then only clients from one of the specified domains can connect to the host.

If this setting is disabled or not set, then the default policy for the connection type is applied. For remote assistance, this allows clients from any domain to connect to the host; for anytime remote access, only the host owner can connect.

This setting will override RemoteAccessHostClientDomain, if present.

RemoteAccessHostFirewallTraversal

Enable firewall traversal from remote access host

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RemoteAccessHostFirewallTraversal

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RemoteAccessHostFirewallTraversal

Mac/Linux preference name:

RemoteAccessHostFirewallTraversal

Supported on:

Google Chrome (Linux, Mac, Windows) since version 14
Google Chrome OS (Google Chrome OS) since version 41

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Enables usage of STUN servers when remote clients are trying to establish a connection to this machine.

If this setting is enabled, then remote clients can discover and connect to this machines even if they are separated by a firewall.

If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network.

If this policy is left not set the setting will be enabled.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

RemoteAccessHostDomain (deprecated)

Configure the required domain name for remote access hosts

See deprecated policy RemoteAccessHostDomain

RemoteAccessHostDomainList

Configure the required domain names for remote access hosts

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RemoteAccessHostDomainList

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RemoteAccessHostDomainList

Mac/Linux preference name:

RemoteAccessHostDomainList

Supported on:

Google Chrome (Linux, Mac, Windows) since version 60
Google Chrome OS (Google Chrome OS) since version 60

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Configures the required host domain names that will be imposed on remote access hosts and prevents users from changing it.

If this setting is enabled, then hosts can be shared only using accounts registered on one of the specified domain names.

If this setting is disabled or not set, then hosts can be shared using any account.

This setting will override RemoteAccessHostDomain, if present.

See also RemoteAccessHostClientDomainList.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\RemoteAccessHostDomainList\1 = "my-awesome-domain.com" Software\Policies\Google\Chrome\RemoteAccessHostDomainList\2 = "my-auxiliary-domain.com"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\RemoteAccessHostDomainList\1 = "my-awesome-domain.com" Software\Policies\Google\ChromeOS\RemoteAccessHostDomainList\2 = "my-auxiliary-domain.com"
Android/Linux:: [ "my-awesome-domain.com", "my-auxiliary-domain.com" ]
Mac:: <array> <string>my-awesome-domain.com</string> <string>my-auxiliary-domain.com</string> </array>

RemoteAccessHostTalkGadgetPrefix

Configure the TalkGadget prefix for remote access hosts

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RemoteAccessHostTalkGadgetPrefix

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RemoteAccessHostTalkGadgetPrefix

Mac/Linux preference name:

RemoteAccessHostTalkGadgetPrefix

Supported on:

Google Chrome (Linux, Mac, Windows) since version 22
Google Chrome OS (Google Chrome OS) since version 41

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Configures the TalkGadget prefix that will be used by remote access hosts and prevents users from changing it.

If specified, this prefix is prepended to the base TalkGadget name to create a full domain name for the TalkGadget. The base TalkGadget domain name is '.talkgadget.google.com'.

If this setting is enabled, then hosts will use the custom domain name when accessing the TalkGadget instead of the default domain name.

If this setting is disabled or not set, then the default TalkGadget domain name ('chromoting-host.talkgadget.google.com') will be used for all hosts.

Remote access clients are not affected by this policy setting. They will always use 'chromoting-client.talkgadget.google.com' to access the TalkGadget.

Example value:

"chromoting-host"

RemoteAccessHostRequireCurtain

Enable curtaining of remote access hosts

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RemoteAccessHostRequireCurtain

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RemoteAccessHostRequireCurtain

Mac/Linux preference name:

RemoteAccessHostRequireCurtain

Supported on:

Google Chrome (Linux, Mac, Windows) since version 23
Google Chrome OS (Google Chrome OS) since version 41

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Enables curtaining of remote access hosts while a connection is in progress.

If this setting is enabled, then hosts' physical input and output devices are disabled while a remote connection is in progress.

If this setting is disabled or not set, then both local and remote users can interact with the host when it is being shared.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

RemoteAccessHostAllowClientPairing

Enable or disable PIN-less authentication for remote access hosts

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RemoteAccessHostAllowClientPairing

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RemoteAccessHostAllowClientPairing

Mac/Linux preference name:

RemoteAccessHostAllowClientPairing

Supported on:

Google Chrome (Linux, Mac, Windows) since version 30
Google Chrome OS (Google Chrome OS) since version 41

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this setting is enabled or not configured, then users can opt to pair clients and hosts at connection time, eliminating the need to enter a PIN every time.

If this setting is disabled, then this feature will not be available.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

RemoteAccessHostAllowGnubbyAuth

Allow gnubby authentication for remote access hosts

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RemoteAccessHostAllowGnubbyAuth

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RemoteAccessHostAllowGnubbyAuth

Mac/Linux preference name:

RemoteAccessHostAllowGnubbyAuth

Supported on:

Google Chrome (Linux, Mac, Windows) since version 35
Google Chrome OS (Google Chrome OS) since version 41

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this setting is enabled, then gnubby authentication requests will be proxied across a remote host connection.

If this setting is disabled or not configured, gnubby authentication requests will not be proxied.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

RemoteAccessHostAllowRelayedConnection

Enable the use of relay servers by the remote access host

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RemoteAccessHostAllowRelayedConnection

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RemoteAccessHostAllowRelayedConnection

Mac/Linux preference name:

RemoteAccessHostAllowRelayedConnection

Supported on:

Google Chrome (Linux, Mac, Windows) since version 36
Google Chrome OS (Google Chrome OS) since version 41

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Enables usage of relay servers when remote clients are trying to establish a connection to this machine.

If this setting is enabled, then remote clients can use relay servers to connect to this machine when a direct connection is not available (e.g. due to firewall restrictions).

Note that if the policy RemoteAccessHostFirewallTraversal is disabled, this policy will be ignored.

If this policy is left not set the setting will be enabled.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

RemoteAccessHostUdpPortRange

Restrict the UDP port range used by the remote access host

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RemoteAccessHostUdpPortRange

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RemoteAccessHostUdpPortRange

Mac/Linux preference name:

RemoteAccessHostUdpPortRange

Supported on:

Google Chrome (Linux, Mac, Windows) since version 36
Google Chrome OS (Google Chrome OS) since version 41

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Restricts the UDP port range used by the remote access host in this machine.

If this policy is left not set, or if it is set to an empty string, the remote access host will be allowed to use any available port, unless the policy RemoteAccessHostFirewallTraversal is disabled, in which case the remote access host will use UDP ports in the 12400-12409 range.

Example value:

"12400-12409"

RemoteAccessHostMatchUsername

Require that the name of the local user and the remote access host owner match

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RemoteAccessHostMatchUsername

Mac/Linux preference name:

RemoteAccessHostMatchUsername

Supported on:

Google Chrome (Linux) since version 25
Google Chrome (Mac) since version 25
Google Chrome OS (Google Chrome OS) since version 42

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this setting is enabled, then the remote access host compares the name of the local user (that the host is associated with) and the name of the Google account registered as the host owner (i.e. "johndoe" if the host is owned by "johndoe@example.com" Google account). The remote access host will not start if the name of the host owner is different from the name of the local user that the host is associated with. RemoteAccessHostMatchUsername policy should be used together with RemoteAccessHostDomain to also enforce that the Google account of the host owner is associated with a specific domain (i.e. "example.com").

If this setting is disabled or not set, then the remote access host can be associated with any local user.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

RemoteAccessHostTokenUrl

URL where remote access clients should obtain their authentication token

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RemoteAccessHostTokenUrl

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RemoteAccessHostTokenUrl

Mac/Linux preference name:

RemoteAccessHostTokenUrl

Supported on:

Google Chrome (Linux, Mac, Windows) since version 28
Google Chrome OS (Google Chrome OS) since version 42

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this policy is set, the remote access host will require authenticating clients to obtain an authentication token from this URL in order to connect. Must be used in conjunction with RemoteAccessHostTokenValidationUrl.

This feature is currently disabled server-side.

Example value:

"https://example.com/issue"

RemoteAccessHostTokenValidationUrl

URL for validating remote access client authentication token

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RemoteAccessHostTokenValidationUrl

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RemoteAccessHostTokenValidationUrl

Mac/Linux preference name:

RemoteAccessHostTokenValidationUrl

Supported on:

Google Chrome (Linux, Mac, Windows) since version 28
Google Chrome OS (Google Chrome OS) since version 42

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this policy is set, the remote access host will use this URL to validate authentication tokens from remote access clients, in order to accept connections. Must be used in conjunction with RemoteAccessHostTokenUrl.

This feature is currently disabled server-side.

Example value:

"https://example.com/validate"

RemoteAccessHostTokenValidationCertificateIssuer

Client certificate for connecting to RemoteAccessHostTokenValidationUrl

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RemoteAccessHostTokenValidationCertificateIssuer

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RemoteAccessHostTokenValidationCertificateIssuer

Mac/Linux preference name:

RemoteAccessHostTokenValidationCertificateIssuer

Supported on:

Google Chrome (Linux, Mac, Windows) since version 28
Google Chrome OS (Google Chrome OS) since version 42

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this policy is set, the host will use a client certificate with the given issuer CN to authenticate to RemoteAccessHostTokenValidationUrl. Set it to "*" to use any available client certificate.

This feature is currently disabled server-side.

Example value:

"Example Certificate Authority"

RemoteAccessHostAllowUiAccessForRemoteAssistance

Allow remote users to interact with elevated windows in remote assistance sessions

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RemoteAccessHostAllowUiAccessForRemoteAssistance

Supported on:

Google Chrome (Windows) since version 55

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

If this setting is enabled, the remote assistance host will be run in a process with uiAccess permissions. This will allow remote users to interact with elevated windows on the local user's desktop.

If this setting is disabled or not configured, the remote assistance host will run in the user's context and remote users cannot interact with elevated windows on the desktop.

Example value:

0x00000001 (Windows)

RemoteAccessHostAllowFileTransfer

Allow remote access users to transfer files to/from the host

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RemoteAccessHostAllowFileTransfer

Mac/Linux preference name:

RemoteAccessHostAllowFileTransfer

Supported on:

Google Chrome (Linux, Mac, Windows) since version 74

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Controls the ability of a user connected to a remote access host to transfer files between the client and the host. This does not apply to remote assistance connections, which do not support file transfer.

If this setting is disabled, file transfer will not be allowed. If this setting is enabled or not set, file transfer will be allowed.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

Remote attestation

Configure the remote attestation with TPM mechanism.

AttestationEnabledForDevice

Enable remote attestation for the device

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 28

Supported features:

Dynamic Policy Refresh: Yes

Description:

If true, remote attestation is allowed for the device and a certificate will automatically be generated and uploaded to the Device Management Server.

If it is set to false, or if it is not set, no certificate will be generated and calls to the enterprise.platformKeys extension API will fail.

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : Attestation

AttestationEnabledForUser

Enable remote attestation for the user

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AttestationEnabledForUser

Supported on:

Google Chrome OS (Google Chrome OS) since version 28

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If true, the user can use the hardware on Chrome devices to remote attest its identity to the privacy CA via the Enterprise Platform Keys API using chrome.enterprise.platformKeys.challengeUserKey().

If it is set to false, or if it is not set, calls to the API will fail with an error code.

Example value:

0x00000001 (Windows)

AttestationExtensionWhitelist

Extensions allowed to to use the remote attestation API

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AttestationExtensionWhitelist

Supported on:

Google Chrome OS (Google Chrome OS) since version 28

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy specifies the allowed extensions to use the Enterprise Platform Keys API function chrome.enterprise.platformKeys.challengeUserKey() for remote attestation. Extensions must be added to this list to use the API.

If an extension is not in the list, or the list is not set, the call to the API will fail with an error code.

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\AttestationExtensionWhitelist\1 = "ghdilpkmfbfdnomkmaiogjhjnggaggoi"

AttestationForContentProtectionEnabled

Enable the use of remote attestation for content protection for the device

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 31

Supported features:

Dynamic Policy Refresh: Yes

Description:

Chrome OS devices can use remote attestation (Verified Access) to get a certificate issued by the Chrome OS CA that asserts the device is eligible to play protected content. This process involves sending hardware endorsement information to the Chrome OS CA which uniquely identifies the device.

If this setting is false, the device will not use remote attestation for content protection and the device may be unable to play protected content.

If this setting is true, or if it is not set, remote attestation may be used for content protection.

Safe Browsing settings

Configure Safe Browsing related policies.

SafeBrowsingEnabled

Enable Safe Browsing

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SafeBrowsingEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SafeBrowsingEnabled

Mac/Linux preference name:

SafeBrowsingEnabled

Android restriction name:

SafeBrowsingEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables Google Chrome's Safe Browsing feature and prevents users from changing this setting.

If you enable this setting, Safe Browsing is always active.

If you disable this setting, Safe Browsing is never active.

If you enable or disable this setting, users cannot change or override the "Enable phishing and malware protection" setting in Google Chrome.

If this policy is left not set, this will be enabled but the user will be able to change it.

See https://developers.google.com/safe-browsing for more info on Safe Browsing.

This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain. or Windows 10 Pro or Enterprise instances that enrolled for device management.

Example value:

0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : SafeBrowsing

SafeBrowsingExtendedReportingEnabled

Enable Safe Browsing Extended Reporting

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SafeBrowsingExtendedReportingEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SafeBrowsingExtendedReportingEnabled

Mac/Linux preference name:

SafeBrowsingExtendedReportingEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 66
Google Chrome OS (Google Chrome OS) since version 66

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables Google Chrome's Safe Browsing Extended Reporting and prevents users from changing this setting.

Extended Reporting sends some system information and page content to Google servers to help detect dangerous apps and sites.

If the setting is set to true, then reports will be created and sent whenever necessary (such as when a security interstitial is shown).

If the setting is set to false, reports will never be sent.

If this policy is set to true or false, the user will not be able to modify the setting.

If this policy is left unset, the user will be able to change the setting and decide whether to send reports or not.

See https://developers.google.com/safe-browsing for more info on Safe Browsing.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

SafeBrowsingExtendedReportingOptInAllowed (deprecated)

Allow users to opt in to Safe Browsing extended reporting

See deprecated policy SafeBrowsingExtendedReportingOptInAllowed

SafeBrowsingWhitelistDomains

Configure the list of domains on which Safe Browsing will not trigger warnings.

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SafeBrowsingWhitelistDomains

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SafeBrowsingWhitelistDomains

Mac/Linux preference name:

SafeBrowsingWhitelistDomains

Supported on:

Google Chrome (Linux, Mac, Windows) since version 68
Google Chrome OS (Google Chrome OS) since version 68

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Configure the list of domains which Safe Browsing will trust. This means: Safe Browsing will not check for dangerous resources (e.g. phishing, malware, or unwanted software) if their URLs match these domains. Safe Browsing's download protection service will not check downloads hosted on these domains. Safe Browsing's password protection service will not check for password reuse if the page URL matches these domains.

If this setting is enabled, then Safe Browsing will trust these domains. If this setting is disabled or not set, then default Safe Browsing protection is applied to all resources. This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain. or Windows 10 Pro or Enterprise instances that enrolled for device management.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\SafeBrowsingWhitelistDomains\1 = "mydomain.com" Software\Policies\Google\Chrome\SafeBrowsingWhitelistDomains\2 = "myuniversity.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\SafeBrowsingWhitelistDomains\1 = "mydomain.com" Software\Policies\Google\ChromeOS\SafeBrowsingWhitelistDomains\2 = "myuniversity.edu"
Android/Linux:: [ "mydomain.com", "myuniversity.edu" ]
Mac:: <array> <string>mydomain.com</string> <string>myuniversity.edu</string> </array>

PasswordProtectionWarningTrigger

Password protection warning trigger

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\PasswordProtectionWarningTrigger

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PasswordProtectionWarningTrigger

Mac/Linux preference name:

PasswordProtectionWarningTrigger

Supported on:

Google Chrome (Linux, Mac, Windows) since version 69
Google Chrome OS (Google Chrome OS) since version 69

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to control the triggering of password protection warning. Password protection alerts users when they reuse their protected password on potentially suspicious sites.

You can use 'PasswordProtectionLoginURLs' and 'PasswordProtectionChangePasswordURL' policies to configure which password to protect.

If this policy is set to 'PasswordProtectionWarningOff', no password protection warning will be shown. If this policy is set to 'PasswordProtectionWarningOnPasswordReuse', password protection warning will be shown when the user reuses their protected password on a non-whitelisted site. If this policy is set to 'PasswordProtectionWarningOnPhishingReuse', password protection warning will be shown when the user reuses their protected password on a phishing site. If this policy is left unset, password protection service will only protect Google passwords but the user will be able to change this setting.

0 = Password protection warning is off
1 = Password protection warning is triggered by password reuse
2 = Password protection warning is triggered by password reuse on phishing page

Example value:

0x00000001 (Windows), 1 (Linux), 1 (Mac)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : PasswordProtection

PasswordProtectionLoginURLs

Configure the list of enterprise login URLs where password protection service should capture fingerprint of password.

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\PasswordProtectionLoginURLs

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PasswordProtectionLoginURLs

Mac/Linux preference name:

PasswordProtectionLoginURLs

Supported on:

Google Chrome (Linux, Mac, Windows) since version 69
Google Chrome OS (Google Chrome OS) since version 69

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Configure the list of enterprise login URLs (HTTP and HTTPS schemes only). Fingerprint of password will be captured on these URLs and used for password reuse detection. In order for Google Chrome to correctly capture password fingerprints, please make sure your login pages follow the guidelines on https://www.chromium.org/developers/design-documents/create-amazing-password-forms.

If this setting is enabled, then password protection service will capture fingerprint of password on these URLs for password reuse detection purpose. If this setting is disabled or not set, then password protection service will only capture password fingerprint on https://accounts.google.com. This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain. or Windows 10 Pro or Enterprise instances that enrolled for device management.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\PasswordProtectionLoginURLs\1 = "https://mydomain.com/login.html" Software\Policies\Google\Chrome\PasswordProtectionLoginURLs\2 = "https://login.mydomain.com"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\PasswordProtectionLoginURLs\1 = "https://mydomain.com/login.html" Software\Policies\Google\ChromeOS\PasswordProtectionLoginURLs\2 = "https://login.mydomain.com"
Android/Linux:: [ "https://mydomain.com/login.html", "https://login.mydomain.com" ]
Mac:: <array> <string>https://mydomain.com/login.html</string> <string>https://login.mydomain.com</string> </array>

PasswordProtectionChangePasswordURL

Configure the change password URL.

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\PasswordProtectionChangePasswordURL

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PasswordProtectionChangePasswordURL

Mac/Linux preference name:

PasswordProtectionChangePasswordURL

Supported on:

Google Chrome (Linux, Mac, Windows) since version 69
Google Chrome OS (Google Chrome OS) since version 69

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Configure the change password URL (HTTP and HTTPS schemes only). Password protection service will send users to this URL to change their password after seeing a warning in the browser. In order for Google Chrome to correctly capture the new password fingerprint on this change password page, please make sure your change password page follows the guidelines on https://www.chromium.org/developers/design-documents/create-amazing-password-forms.

If this setting is enabled, then password protection service will send users to this URL to change their password after seeing a warning in the browser. If this setting is disabled or not set, then password protection service will send users to https://myaccount.google.com to change their password. This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain. or Windows 10 Pro or Enterprise instances that enrolled for device management.

Example value:

"https://mydomain.com/change_password.html"

Sign-in settings

Controls the behavior of the sign-in screen, where users log into their accounts. Settings include who can log in, what type of accounts are allowed, what authentication methods should be used, as well as general accessibility, input method and locale settings.

DeviceGuestModeEnabled

Enable guest mode

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceGuestModeEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 12

Supported features:

Dynamic Policy Refresh: Yes

Description:

If this policy is set to true or not configured, Google Chrome OS will enable guest logins. Guest logins are anonymous user sessions and do not require a password.

If this policy is set to false, Google Chrome OS will not allow guest sessions to be started.

Example value:

0x00000001 (Windows)

DeviceUserWhitelist

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceUserWhitelist

Supported on:

Google Chrome OS (Google Chrome OS) since version 12

Supported features:

Dynamic Policy Refresh: Yes

Description:

Defines the list of users that are allowed to login to the device. Entries are of the form user@domain, such as madmax@managedchrome.com. To allow arbitrary users on a domain, use entries of the form *@domain.

If this policy is not configured, there are no restrictions on which users are allowed to sign in. Note that creating new users still requires the DeviceAllowNewUsers policy to be configured appropriately.

Note for Google Chrome OS devices supporting Android apps:

This policy controls who may start a Google Chrome OS session. It does not prevent users from signing in to additional Google accounts within Android. If you want to prevent this, configure the Android-specific accountTypesWithManagementDisabled policy as part of ArcPolicy.

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceUserWhitelist\1 = "madmax@managedchrome.com"

DeviceAllowNewUsers

Allow creation of new user accounts

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceAllowNewUsers

Supported on:

Google Chrome OS (Google Chrome OS) since version 12

Supported features:

Dynamic Policy Refresh: Yes

Description:

Controls whether Google Chrome OS allows new user accounts to be created. If this policy is set to false, users that do not have an account already will not be able to login.

If this policy is set to true or not configured, new user accounts will be allowed to be created provided that DeviceUserWhitelist does not prevent the user from logging in.

Note for Google Chrome OS devices supporting Android apps:

This policy controls whether new users can be added to Google Chrome OS. It does not prevent users from signing in to additional Google accounts within Android. If you want to prevent this, configure the Android-specific accountTypesWithManagementDisabled policy as part of ArcPolicy.

Example value:

0x00000001 (Windows)

DeviceLoginScreenDomainAutoComplete

Enable domain name autocomplete during user sign in

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceLoginScreenDomainAutoComplete

Supported on:

Google Chrome OS (Google Chrome OS) since version 44

Supported features:

Dynamic Policy Refresh: Yes

Description:

If this policy is set to a blank string or not configured, Google Chrome OS will not show an autocomplete option during user sign-in flow. If this policy is set to a string representing a domain name, Google Chrome OS will show an autocomplete option during user sign-in allowing the user to type in only their user name without the domain name extension. The user will be able to overwrite this domain name extension. If the value of the policy is not a valid domain, the policy will not be applied.

Example value:

"students.school.edu"

DeviceShowUserNamesOnSignin

Show usernames on login screen

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceShowUserNamesOnSignin

Supported on:

Google Chrome OS (Google Chrome OS) since version 12

Supported features:

Dynamic Policy Refresh: Yes

Description:

If this policy is set to true or not configured, Google Chrome OS will show existing users on the login screen and allow to pick one.

If this policy is set to false, Google Chrome OS will not show existing users on the login screen. The normal sign-in screen (prompting for the user email and password or phone) or the SAML interstitial screen (if enabled via the LoginAuthenticationBehavior policy) will be shown, unless a Managed Session is configured. When a Managed Session is configured, only the Managed Session accounts will be shown, allowing to pick one of them.

Note that this policy does not affect whether the device keeps or discards the local user data.

Example value:

0x00000001 (Windows)

DeviceWallpaperImage

Device wallpaper image

Data type:

External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceWallpaperImage

Supported on:

Google Chrome OS (Google Chrome OS) since version 61

Supported features:

Dynamic Policy Refresh: Yes

Description:

Configure device-level wallpaper image that is shown on the login screen if no user has yet signed in to the device. The policy is set by specifying the URL from which the Chrome OS device can download the wallpaper image and a cryptographic hash used to verify the integrity of the download. The image must be in JPEG format, its file size must not exceed 16MB. The URL must be accessible without any authentication. The wallpaper image is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.

If the device wallpaper policy is set, the Chrome OS device will download and use the wallpaper image on the login screen if no user has yet signed in to the device. Once the user logs in, the user's wallpaper policy kicks in.

If the device wallpaper policy is left not set, it's the user's wallpaper policy to decide what to show if the user's wallpaper policy is set.

Schema:

{ "properties": { "hash": { "description": "The SHA-256 hash of the wallpaper image.", "type": "string" }, "url": { "description": "The URL from which the wallpaper image can be downloaded.", "type": "string" } }, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceWallpaperImage = { "hash": "1337c0ded00d84b1dbadf00dd15ea5eb000deaddeaddeaddeaddeaddeaddead0", "url": "https://example.com/device_wallpaper.jpg" }

DeviceEphemeralUsersEnabled

Wipe user data on sign-out

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceEphemeralUsersEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 19

Supported features:

Dynamic Policy Refresh: Yes

Description:

Determines whether Google Chrome OS keeps local account data after logout. If set to true, no persistent accounts are kept by Google Chrome OS and all data from the user session will be discarded after logout. If this policy is set to false or not configured, the device may keep (encrypted) local user data.

Example value:

0x00000001 (Windows)

LoginAuthenticationBehavior

Configure the login authentication behavior

Data type:

Integer

Supported on:

Google Chrome OS (Google Chrome OS) since version 51

Supported features:

Dynamic Policy Refresh: Yes

Description:

When this policy is set, the login authentication flow will be in one of the following ways depending on the value of the setting:

If set to GAIA, login will be done via the normal GAIA authentication flow.

If set to SAML_INTERSTITIAL, login will show an interstitial screen offering the user to go forward with authentication via the SAML IdP of the device's enrollment domain, or go back to the normal GAIA login flow.

0 = Authentication via the default GAIA flow
1 = Redirect to SAML IdP after user confirmation

DeviceTransferSAMLCookies

Transfer SAML IdP cookies during login

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 38

Supported features:

Dynamic Policy Refresh: Yes

Description:

Specifies whether authentication cookies set by a SAML IdP during login should be transferred to the user's profile.

When a user authenticates via a SAML IdP during login, cookies set by the IdP are written to a temporary profile at first. These cookies can be transferred to the user's profile to carry forward the authentication state.

When this policy is set to true, cookies set by the IdP are transferred to the user's profile every time they authenticate against the SAML IdP during login.

When this policy is set to false or unset, cookies set by the IdP are transferred to the user's profile during their first login on a device only.

This policy affects users whose domain matches the device's enrollment domain only. For all other users, cookies set by the IdP are transferred to the user's profile during their first login on the device only.

Note for Google Chrome OS devices supporting Android apps:

Cookies transferred to the user's profile are not accessible to Android apps.

LoginVideoCaptureAllowedUrls

URLs that will be granted access to video capture devices on SAML login pages

Data type:

List of strings

Supported on:

Google Chrome OS (Google Chrome OS) since version 52

Supported features:

Dynamic Policy Refresh: Yes

Description:

Patterns in this list will be matched against the security origin of the requesting URL. If a match is found, access to video capture devices will be granted on SAML login pages. If no match is found, access will be automatically denied. Wildcard patterns are not allowed.

DeviceLoginScreenExtensions

Configure the list of installed apps on the login screen

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceLoginScreenExtensions

Supported on:

Google Chrome OS (Google Chrome OS) since version 60

Supported features:

Dynamic Policy Refresh: Yes

Description:

Specifies a list of apps that are installed silently on the login screen, without user interaction, and which cannot be uninstalled. All permissions requested by the apps are granted implicitly, without user interaction, including any additional permissions requested by future versions of the app.

Note that, for security and privacy reasons, extensions are not allowed to be installed using this policy. Moreover, the devices on the Stable channel will only install the apps that belong to the whitelist bundled into Google Chrome. Any items that don't conform to these conditions will be ignored.

If an app that previously had been force-installed is removed from this list, it is automatically uninstalled by Google Chrome.

Each list item of the policy is a string that contains an extension ID and an "update" URL separated by a semicolon (;). The extension ID is the 32-letter string found e.g. on chrome://extensions when in developer mode. The "update" URL should point to an Update Manifest XML document as described at https://developer.chrome.com/extensions/autoupdate. Note that the "update" URL set in this policy is only used for the initial installation; subsequent updates of the extension employ the update URL indicated in the extension's manifest.

For example, gbchcmhmhahfdphkhkmpfmihenigjmpp;https://clients2.google.com/service/update2/crx installs the Chrome Remote Desktop app from the standard Chrome Web Store "update" URL. For more information about hosting extensions, see: https://developer.chrome.com/extensions/hosting.

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceLoginScreenExtensions\1 = "gbchcmhmhahfdphkhkmpfmihenigjmpp;https://clients2.google.com/service/update2/crx"

DeviceLoginScreenLocales

Device sign-in screen locale

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceLoginScreenLocales

Supported on:

Google Chrome OS (Google Chrome OS) since version 58

Supported features:

Dynamic Policy Refresh: No

Description:

Configures the locale which is enforced on the Google Chrome OS sign-in screen.

If this policy is set, the sign-in screen will always be displayed in the locale which is given by the first value of this policy (the policy is defined as a list for forward compatibility). If this policy is not set or is set to an empty list, the sign-in screen will be displayed in the locale of the last user session. If this policy is set to a value which is not a valid locale, the sign-in screen will be displayed in a fallback locale (currently, en-US).

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceLoginScreenLocales\1 = "en-US"

DeviceLoginScreenInputMethods

Device sign-in screen keyboard layouts

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceLoginScreenInputMethods

Supported on:

Google Chrome OS (Google Chrome OS) since version 58

Supported features:

Dynamic Policy Refresh: Yes

Description:

Configures which keyboard layouts are allowed on the Google Chrome OS sign-in screen.

If this policy is set to a list of input method identifiers, the given input methods will be available on the sign-in screen. The first given input method will be preselected. While a user pod is focused on the sign-in screen, the user's last used input method will be available in addition to the input methods given by this policy. If this policy is not set, the input methods on the sign-in screen will be derived from the locale in which the sign-in screen is displayed. Values which are not valid input method identifiers will be ignored.

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceLoginScreenInputMethods\1 = "xkb:us::en" Software\Policies\Google\ChromeOS\DeviceLoginScreenInputMethods\2 = "xkb:ch::ger"

DeviceSecondFactorAuthentication

Integrated second factor authentication mode

Data type:

Integer

Supported on:

Google Chrome OS (Google Chrome OS) since version 61

Supported features:

Dynamic Policy Refresh: No

Description:

Specifies how the on-board secure element hardware can be used to provide a second-factor authentication if it is compatible with this feature. The machine power button is used to detect the user physical presence.

If 'Disabled' is selected, no second factor is provided.

If 'U2F' is selected, the integrated second factor will behave according the FIDO U2F specification.

If 'U2F_EXTENDED' is selected, the integrated second factor will provide the U2F functions plus some extensions for individual attestation.

1 = Second factor disabled
2 = U2F (Universal Second Factor)
3 = U2F plus extensions for individual attestation

DeviceLoginScreenIsolateOrigins

Enable Site Isolation for specified origins

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceLoginScreenIsolateOrigins

Supported on:

Google Chrome OS (Google Chrome OS) since version 66

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

This policy applies to the sign-in screen. Please see also the IsolateOrigins policy which applies to the user session. If the policy is enabled, each of the named origins in a comma-separated list will run in its own process. This will also isolate origins named by subdomains; e.g. specifying https://example.com/ will also cause https://foo.example.com/ to be isolated as part of the https://example.com/ site. If the policy is not configured or disabled, the platform default site isolation settings will be used for the sign-in screen.

Example value:

"https://example.com/,https://othersite.org/"

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : LoginScreenOrigins

DeviceLoginScreenAutoSelectCertificateForUrls

Automatically select client certificates for these sites on the sign-in screen

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceLoginScreenAutoSelectCertificateForUrls

Supported on:

Google Chrome OS (Google Chrome OS) since version 65

Supported features:

Dynamic Policy Refresh: Yes

Description:

Allows you to specify a list of url patterns that specify sites for which a client certificate is automatically selected on the sign-in screen in the frame hosting the SAML flow, if the site requests a certificate. An example usage is to configure a device-wide certificate to be presented to the SAML IdP.

If this policy is left not set, no auto-selection will be done for any site.

Schema:

{ "items": { "properties": { "filter": { "properties": { "ISSUER": { "properties": { "CN": { "type": "string" } }, "type": "object" } }, "type": "object" }, "pattern": { "type": "string" } }, "type": "object" }, "type": "array" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceLoginScreenAutoSelectCertificateForUrls\1 = "{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}"

Startup, Home page and New Tab page

Configure the pages to load on startup, the default home page and the default new tab page in Google Chrome and prevents users from changing them. The user's home page settings are only completely locked down if you either select the home page to be the new tab page, or set it to be a URL and specify a home page URL. If you don't specify the home page URL, then the user is still able to set the home page to the new tab page by specifying 'chrome://newtab'. The policy 'URLs to open on startup' is ignored unless you select 'Open a list of URLs' in 'Action on startup'.

ShowHomeButton

Show Home button on toolbar

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ShowHomeButton

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ShowHomeButton

Mac/Linux preference name:

ShowHomeButton

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Shows the Home button on Google Chrome's toolbar.

If you enable this setting, the Home button is always shown.

If you disable this setting, the Home button is never shown.

If you enable or disable this setting, users cannot change or override this setting in Google Chrome.

Leaving this policy not set will allow the user to choose whether to show the home button.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

HomepageLocation

Configure the home page URL

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\HomepageLocation

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\HomepageLocation

Mac/Linux preference name:

HomepageLocation

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Configures the default home page URL in Google Chrome and prevents users from changing it.

The home page is the page opened by the Home button. The pages that open on startup are controlled by the RestoreOnStartup policies.

The home page type can either be set to a URL you specify here or set to the New Tab Page. If you select the New Tab Page, then this policy does not take effect.

If you enable this setting, users cannot change their home page URL in Google Chrome, but they can still choose the New Tab Page as their home page.

Leaving this policy not set will allow the user to choose their home page on their own if HomepageIsNewTabPage is not set too.

The URL must have a standard scheme, e.g. "http://example.com" or "https://example.com".

This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain. or Windows 10 Pro or Enterprise instances that enrolled for device management.

Example value:

"https://www.chromium.org"

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : Homepage

HomepageIsNewTabPage

Use New Tab Page as homepage

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\HomepageIsNewTabPage

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\HomepageIsNewTabPage

Mac/Linux preference name:

HomepageIsNewTabPage

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Configures the type of the default home page in Google Chrome and prevents users from changing home page preferences. The home page can either be set to a URL you specify or set to the New Tab Page.

If you enable this setting, the New Tab Page is always used for the home page, and the home page URL location is ignored.

If you disable this setting, the user's homepage will never be the New Tab Page, unless its URL is set to 'chrome://newtab'.

If you enable or disable this setting, users cannot change their homepage type in Google Chrome.

Leaving this policy not set will allow the user to choose whether the new tab page is their home page on their own.

This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain. or Windows 10 Pro or Enterprise instances that enrolled for device management.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

NewTabPageLocation

Configure the New Tab page URL

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\NewTabPageLocation

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\NewTabPageLocation

Mac/Linux preference name:

NewTabPageLocation

Supported on:

Google Chrome (Linux, Mac, Windows) since version 58
Google Chrome OS (Google Chrome OS) since version 58

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Configures the default New Tab page URL and prevents users from changing it.

The New Tab page is the page opened when new tabs are created (including the one opened in new windows).

This policy does not decide which pages are to be opened on start up. Those are controlled by the RestoreOnStartup policies. Yet this policy does affect the Home Page if that is set to open the New Tab page, as well as the startup page if that is set to open the New Tab page.

If the policy is not set or left empty the default new tab page is used.

This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain. or Windows 10 Pro or Enterprise instances that enrolled for device management.

Example value:

"https://www.chromium.org"

RestoreOnStartup

Action on startup

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RestoreOnStartup

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RestoreOnStartup

Mac/Linux preference name:

RestoreOnStartup

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to specify the behavior on startup.

If you choose 'Open New Tab Page' the New Tab Page will always be opened when you start Google Chrome.

If you choose 'Restore the last session', the URLs that were open last time Google Chrome was closed will be reopened and the browsing session will be restored as it was left. Choosing this option disables some settings that rely on sessions or that perform actions on exit (such as Clear browsing data on exit or session-only cookies).

If you choose 'Open a list of URLs', the list of 'URLs to open on startup' will be opened when a user starts Google Chrome.

If you enable this setting, users cannot change or override it in Google Chrome.

Disabling this setting is equivalent to leaving it not configured. The user will still be able to change it in Google Chrome.

This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain. or Windows 10 Pro or Enterprise instances that enrolled for device management.

5 = Open New Tab Page
1 = Restore the last session
4 = Open a list of URLs

Example value:

0x00000004 (Windows), 4 (Linux), 4 (Mac)

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : RestoreOnStartup

RestoreOnStartupURLs

URLs to open on startup

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RestoreOnStartupURLs

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RestoreOnStartupURLs

Mac/Linux preference name:

RestoreOnStartupURLs

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If 'Open a list of URLs' is selected as the startup action, this allows you to specify the list of URLs that are opened. If left not set no URL will be opened on start up.

This policy only works if the 'RestoreOnStartup' policy is set to 'RestoreOnStartupIsURLs'.

This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain. or Windows 10 Pro or Enterprise instances that enrolled for device management.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\RestoreOnStartupURLs\1 = "https://example.com" Software\Policies\Google\Chrome\RestoreOnStartupURLs\2 = "https://www.chromium.org"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\RestoreOnStartupURLs\1 = "https://example.com" Software\Policies\Google\ChromeOS\RestoreOnStartupURLs\2 = "https://www.chromium.org"
Android/Linux:: [ "https://example.com", "https://www.chromium.org" ]
Mac:: <array> <string>https://example.com</string> <string>https://www.chromium.org</string> </array>

User and device reporting

Controls what kind of user and device information is reported.

ReportDeviceVersionInfo

Report OS and firmware version

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 18

Supported features:

Dynamic Policy Refresh: Yes

Description:

Report OS and firmware version of enrolled devices.

If this setting is not set or set to True, enrolled devices will report the OS and firmware version periodically. If this setting is set to False, version info will not be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

Policy atomic group:

This policy is part of the following atomic group (only policies from the highest priority source present in the group are applied) : UserAndDeviceReporting

ReportDeviceBootMode

Report device boot mode

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 18

Supported features:

Dynamic Policy Refresh: Yes

Description:

Report the state of the device's dev switch at boot.

If the policy is set to false, the state of the dev switch will not be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

ReportDeviceUsers

Report device users

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 32

Supported features:

Dynamic Policy Refresh: Yes

Description:

Report list of device users that have recently logged in.

If the policy is set to false, the users will not be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

ReportDeviceActivityTimes

Report device activity times

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 18

Supported features:

Dynamic Policy Refresh: Yes

Description:

Report device activity times.

If this setting is not set or set to True, enrolled devices will report time periods when a user is active on the device. If this setting is set to False, device activity times will not be recorded or reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

ReportDeviceNetworkInterfaces

Report device network interfaces

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Dynamic Policy Refresh: Yes

Description:

Report list of network interfaces with their types and hardware addresses to the server.

If the policy is set to false, the interface list will not be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

ReportDeviceHardwareStatus

Report hardware status

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 42

Supported features:

Dynamic Policy Refresh: Yes

Description:

Report hardware statistics such as CPU/RAM usage.

If the policy is set to false, the statistics will not be reported. If set to true or left unset, statistics will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

ReportDeviceSessionStatus

Report information about active kiosk sessions

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 42

Supported features:

Dynamic Policy Refresh: Yes

Description:

Report information about the active kiosk session, such as application ID and version.

If the policy is set to false, the kiosk session information will not be reported. If set to true or left unset, kiosk session information will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

ReportDeviceBoardStatus

Report board status

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 73

Supported features:

Dynamic Policy Refresh: Yes

Description:

Report hardware statistics for SoC components.

If the policy is set to false, the statistics will not be reported. If set to true or left unset, statistics will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

ReportDevicePowerStatus

Report power status

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 73

Supported features:

Dynamic Policy Refresh: Yes

Description:

Report hardware statistics and identifiers related to power.

If the policy is set to false, the statistics will not be reported. If set to true or left unset, statistics will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

ReportDeviceStorageStatus

Report storage status

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 73

Supported features:

Dynamic Policy Refresh: Yes

Description:

Report hardware statistics and identifiers for storage devices.

If the policy is set to false, the statistics will not be reported. If set to true or left unset, statistics will be reported.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

ReportUploadFrequency

Frequency of device status report uploads

Data type:

Integer

Supported on:

Google Chrome OS (Google Chrome OS) since version 42

Supported features:

Dynamic Policy Refresh: Yes

Description:

How frequently device status uploads are sent, in milliseconds.

If this policy is unset, the default frequency is 3 hours. The minimum allowed frequency is 60 seconds.

Restrictions:

Minimum:60000

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

ReportArcStatusEnabled

Report information about status of Android

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 55

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Information about the status of Android is sent back to the server.

If the policy is set to false or left unset, no status information is reported. If set to true, status information is reported.

This policy only applies if Android apps are enabled.

HeartbeatEnabled

Send network packets to the management server to monitor online status

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 43

Supported features:

Dynamic Policy Refresh: Yes

Description:

Send network packets to the management server to monitor online status, to allow the server to detect if the device is offline.

If this policy is set to true, monitoring network packets (so-called heartbeats) will be sent. If set to false or unset, no packets will be sent.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

HeartbeatFrequency

Frequency of monitoring network packets

Data type:

Integer

Supported on:

Google Chrome OS (Google Chrome OS) since version 43

Supported features:

Dynamic Policy Refresh: Yes

Description:

How frequently monitoring network packets are sent, in milliseconds.

If this policy is unset, the default interval is 3 minutes. The minimum interval is 30 seconds and the maximum interval is 24 hours - values outside of this range will be clamped to this range.

Restrictions:

Minimum:30000

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

LogUploadEnabled

Send system logs to the management server

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 46

Supported features:

Dynamic Policy Refresh: Yes

Description:

Send system logs to the management server, to allow admins to monitor system logs.

If this policy is set to true, system logs will be sent. If set to false or unset, then no system logs will be sent.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the logging done by Android.

DeviceMetricsReportingEnabled

Enable metrics reporting

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceMetricsReportingEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 14

Supported features:

Dynamic Policy Refresh: Yes

Description:

Controls whether usage metrics and diagnostic data, including crash reports, are reported back to Google.

If set to true, Google Chrome OS will report usage metrics and diagnostic data.

If set to false, metrics and diagnostic data reporting will be disabled.

If not configured, metrics and diagnostic data reporting will be disabled on unmanaged devices and enabled on managed devices.

Note for Google Chrome OS devices supporting Android apps:

This policy also controls Android usage and diagnostic data collection.

Example value:

0x00000001 (Windows)

AbusiveExperienceInterventionEnforce

Abusive Experience Intervention Enforce

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AbusiveExperienceInterventionEnforce

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AbusiveExperienceInterventionEnforce

Mac/Linux preference name:

AbusiveExperienceInterventionEnforce

Supported on:

Google Chrome (Linux, Mac, Windows) since version 65
Google Chrome OS (Google Chrome OS) since version 65

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set whether sites with abusive experiences should be prevented from opening new windows or tabs.

If this policy is set to True, sites with abusive experiences will be prevented from opening new windows or tabs. However this behavior will not trigger if SafeBrowsingEnabled policy is set to False. If this policy is set to False, sites with abusive experiences will be allowed to open new windows or tabs. If this policy is left not set, True will be used.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

AdsSettingForIntrusiveAdsSites

Ads setting for sites with intrusive ads

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AdsSettingForIntrusiveAdsSites

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AdsSettingForIntrusiveAdsSites

Mac/Linux preference name:

AdsSettingForIntrusiveAdsSites

Supported on:

Google Chrome (Linux, Mac, Windows) since version 65
Google Chrome OS (Google Chrome OS) since version 65

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to set whether ads should be blocked on sites with intrusive ads.

If this policy is set to 2, ads will be blocked on sites with intrusive ads. However this behavior will not trigger if SafeBrowsingEnabled policy is set to False. If this policy is set to 1, ads will not be blocked on sites with intrusive ads. If this policy is left not set, 2 will be used.

1 = Allow ads on all sites
2 = Do not allow ads on sites with intrusive ads

Example value:

0x00000001 (Windows), 1 (Linux), 1 (Mac)

AllowDeletingBrowserHistory

Enable deleting browser and download history

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AllowDeletingBrowserHistory

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AllowDeletingBrowserHistory

Mac/Linux preference name:

AllowDeletingBrowserHistory

Supported on:

Google Chrome (Linux, Mac, Windows) since version 57
Google Chrome OS (Google Chrome OS) since version 57

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables deleting browser history and download history in Google Chrome and prevents users from changing this setting.

Note that even with this policy disabled, the browsing and download history are not guaranteed to be retained: users may be able to edit or delete the history database files directly, and the browser itself may expire or archive any or all history items at any time.

If this setting is enabled or not set, browsing and download history can be deleted.

If this setting is disabled, browsing and download history cannot be deleted.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

AllowDinosaurEasterEgg

Allow Dinosaur Easter Egg Game

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AllowDinosaurEasterEgg

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AllowDinosaurEasterEgg

Mac/Linux preference name:

AllowDinosaurEasterEgg

Supported on:

Google Chrome OS (Google Chrome OS) since version 48
Google Chrome (Linux, Mac, Windows) since version 48

Supported features:

Dynamic Policy Refresh: No, Per Profile: Yes

Description:

Allow users to play dinosaur easter egg game when device is offline.

If this policy is set to False, users will not be able to play the dinosaur easter egg game when device is offline. If this setting is set to True, users are allowed to play the dinosaur game. If this policy is not set, users are not allowed to play the dinosaur easter egg game on enrolled Chrome OS, but are allowed to play it under other circumstances.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

AllowFileSelectionDialogs

Allow invocation of file selection dialogs

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AllowFileSelectionDialogs

Mac/Linux preference name:

AllowFileSelectionDialogs

Supported on:

Google Chrome (Linux, Mac, Windows) since version 12

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Allows access to local files on the machine by allowing Google Chrome to display file selection dialogs.

If you enable this setting, users can open file selection dialogs as normal.

If you disable this setting, whenever the user performs an action which would provoke a file selection dialog (like importing bookmarks, uploading files, saving links, etc.) a message is displayed instead and the user is assumed to have clicked Cancel on the file selection dialog.

If this setting is not set, users can open file selection dialogs as normal.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

AllowOutdatedPlugins

Allow running plugins that are outdated

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AllowOutdatedPlugins

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AllowOutdatedPlugins

Mac/Linux preference name:

AllowOutdatedPlugins

Supported on:

Google Chrome (Linux, Mac, Windows) since version 12
Google Chrome OS (Google Chrome OS) since version 12

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If you enable this setting, outdated plugins are used as normal plugins.

If you disable this setting, outdated plugins will not be used and users will not be asked for permission to run them.

If this setting is not set, users will be asked for permission to run outdated plugins.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

AllowPopupsDuringPageUnload

Allows a page to show popups during its unloading

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AllowPopupsDuringPageUnload

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AllowPopupsDuringPageUnload

Mac/Linux preference name:

AllowPopupsDuringPageUnload

Android restriction name:

AllowPopupsDuringPageUnload

Supported on:

Google Chrome (Linux, Mac, Windows) since version 74
Google Chrome OS (Google Chrome OS) since version 74
Google Chrome (Android) since version 74

Supported features:

Dynamic Policy Refresh: No, Per Profile: Yes

Description:

This policy allows an admin to specify that a page may show popups during its unloading.

When the policy is set to enabled, pages are allowed to show popups while they are being unloaded.

When the policy is set to disabled or not set, pages are not allowed to show popups while they are being unloaded, as per the spec (https://html.spec.whatwg.org/#apis-for-creating-and-navigating-browsing-contexts-by-name).

This policy will be removed in Chrome 82.

See https://www.chromestatus.com/feature/5989473649164288 .

Example value:

0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)

AllowScreenLock

Permit locking the screen

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AllowScreenLock

Supported on:

Google Chrome OS (Google Chrome OS) since version 52

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If this policy is set to false, users will not be able to lock the screen (only signing out from the user session will be possible). If this setting is set to true or not set, users who authenticated with a password can lock the screen.

Example value:

0x00000000 (Windows)

AllowedDomainsForApps

Define domains allowed to access G Suite

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AllowedDomainsForApps

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AllowedDomainsForApps

Mac/Linux preference name:

AllowedDomainsForApps

Android restriction name:

AllowedDomainsForApps

Supported on:

Google Chrome (Linux, Mac, Windows) since version 51
Google Chrome OS (Google Chrome OS) since version 51
Google Chrome (Android) since version 51

Supported features:

Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables Google Chrome's restricted log in feature in G Suite and prevents users from changing this setting.

If you define this setting, the user will only be able to access Google Apps using accounts from the specified domains (note that to allow gmail.com/googlemail.com accounts, you should add "consumer_accounts" (without quotes) to the list of domains).

This setting will prevent the user from logging in, and adding a Secondary Account, on a managed device that requires Google authentication, if that account does not belong to the aforementioned list of allowed domains.

If you leave this setting empty/not-configured, the user will be able to access G Suite with any account.

This policy causes the X-GoogApps-Allowed-Domains header to be appended to all HTTP and HTTPS requests to all google.com domains, as described in https://support.google.com/a/answer/1668854.

Users cannot change or override this setting.

Example value:

"managedchrome.com,example.com"

AllowedInputMethods

Configure the allowed input methods in a user session

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AllowedInputMethods

Supported on:

Google Chrome OS (Google Chrome OS) since version 69

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Configures which keyboard layouts are allowed for Google Chrome OS user sessions.

If this policy is set, the user can only select one of the input methods specified by this policy. If this policy is not set or set to an empty list, the user can select all supported input methods. If the current input method is not allowed by this policy, the input method will be switched to the hardware keyboard layout (if allowed) or the first valid entry in this list. All invalid or unsupported input methods in this list will be ignored.

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\AllowedInputMethods\1 = "xkb:us::eng"

AllowedLanguages

Configure the allowed languages in a user session

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AllowedLanguages

Supported on:

Google Chrome OS (Google Chrome OS) since version 72

Supported features:

Dynamic Policy Refresh: No, Per Profile: Yes

Description:

Configures the languages that can be used as the preferred languages by Google Chrome OS.

If this policy is set, the user can only add one of the languages listed in this policy to the list of preferred languages. If this policy is not set or set to an empty list, user can specify any languages as preferred. If this policy is set to a list with invalid values, all invalid values will be ignored. If a user previously added some languages that are not allowed by this policy to the list of preferred languages they will be removed. If the user had previously configured Google Chrome OS to be displayed in one of the languages not allowed by this policy, the display language will be switched to an allowed UI language next time user signs in. Otherwise, Google Chrome OS will switch to the first valid value specified by this policy, or to a fallback locale (currently en-US), if this policy only contains invalid entries.

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\AllowedLanguages\1 = "en-US"

AlternateErrorPagesEnabled

Enable alternate error pages

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AlternateErrorPagesEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AlternateErrorPagesEnabled

Mac/Linux preference name:

AlternateErrorPagesEnabled

Android restriction name:

AlternateErrorPagesEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables the use of alternate error pages that are built into Google Chrome (such as 'page not found') and prevents users from changing this setting.

If you enable this setting, alternate error pages are used.

If you disable this setting, alternate error pages are never used.

If you enable or disable this setting, users cannot change or override this setting in Google Chrome.

If this policy is left not set, this will be enabled but the user will be able to change it.

Example value:

0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)

AlwaysOpenPdfExternally

Always Open PDF files externally

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AlwaysOpenPdfExternally

Mac/Linux preference name:

AlwaysOpenPdfExternally

Supported on:

Google Chrome (Linux, Mac, Windows) since version 55

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Disables the internal PDF viewer in Google Chrome. Instead it treats it as download and allows the user to open PDF files with the default application.

If this policy is left not set or disabled the PDF plugin will be used to open PDF files unless the user disables it.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

ApplicationLocaleValue

Application locale

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ApplicationLocaleValue

Supported on:

Google Chrome (Windows) since version 8

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: No, Per Profile: No

Description:

Configures the application locale in Google Chrome and prevents users from changing the locale.

If you enable this setting, Google Chrome uses the specified locale. If the configured locale is not supported, 'en-US' is used instead.

If this setting is disabled or not set, Google Chrome uses either the user-specified preferred locale (if configured), the system locale or the fallback locale 'en-US'.

Example value:

"en"

AudioCaptureAllowed

Allow or deny audio capture

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AudioCaptureAllowed

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AudioCaptureAllowed

Mac/Linux preference name:

AudioCaptureAllowed

Supported on:

Google Chrome (Linux, Mac, Windows) since version 25
Google Chrome OS (Google Chrome OS) since version 23

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If enabled or not configured (default), the user will be prompted for audio capture access except for URLs configured in the AudioCaptureAllowedUrls list which will be granted access without prompting.

When this policy is disabled, the user will never be prompted and audio capture only be available to URLs configured in AudioCaptureAllowedUrls.

This policy affects all types of audio inputs and not only the built-in microphone.

Note for Google Chrome OS devices supporting Android apps:

For Android apps, this policy affects the microphone only. When this policy is set to true, the microphone is muted for all Android apps, with no exceptions.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

AudioCaptureAllowedUrls

URLs that will be granted access to audio capture devices without prompt

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AudioCaptureAllowedUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AudioCaptureAllowedUrls

Mac/Linux preference name:

AudioCaptureAllowedUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 29
Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Patterns in this list will be matched against the security origin of the requesting URL. If a match is found, access to audio capture devices will be granted without prompt.

NOTE: Until version 45, this policy was only supported in Kiosk mode.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\AudioCaptureAllowedUrls\1 = "https://www.example.com/" Software\Policies\Google\Chrome\AudioCaptureAllowedUrls\2 = "https://[*.]example.edu/"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\AudioCaptureAllowedUrls\1 = "https://www.example.com/" Software\Policies\Google\ChromeOS\AudioCaptureAllowedUrls\2 = "https://[*.]example.edu/"
Android/Linux:: [ "https://www.example.com/", "https://[*.]example.edu/" ]
Mac:: <array> <string>https://www.example.com/</string> <string>https://[*.]example.edu/</string> </array>

AudioOutputAllowed

Allow playing audio

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AudioOutputAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 23

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

When this policy is set to false, audio output will not be available on the device while the user is logged in.

This policy affects all types of audio output and not only the built-in speakers. Audio accessibility features are also inhibited by this policy. Do not enable this policy if a screen reader is required for the user.

If this setting is set to true or not configured then users can use all supported audio outputs on their device.

Example value:

0x00000000 (Windows)

AutoFillEnabled (deprecated)

Enable AutoFill

See deprecated policy AutoFillEnabled

AutofillAddressEnabled

Enable AutoFill for addresses

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AutofillAddressEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AutofillAddressEnabled

Mac/Linux preference name:

AutofillAddressEnabled

Android restriction name:

AutofillAddressEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 69
Google Chrome OS (Google Chrome OS) since version 69
Google Chrome (Android) since version 69

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables Google Chrome's AutoFill feature and allows users to auto complete address information in web forms using previously stored information.

If this setting is disabled, Autofill will never suggest, or fill address information, nor will it save additional address information that the user might submit while browsing the web.

If this setting is enabled or has no value, the user will be able to control Autofill for addresses in the UI.

Example value:

0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)

AutofillCreditCardEnabled

Enable AutoFill for credit cards

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AutofillCreditCardEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AutofillCreditCardEnabled

Mac/Linux preference name:

AutofillCreditCardEnabled

Android restriction name:

AutofillCreditCardEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 63
Google Chrome OS (Google Chrome OS) since version 63
Google Chrome (Android) since version 63

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables Google Chrome's AutoFill feature and allows users to auto complete credit card information in web forms using previously stored information.

If this setting is disabled, Autofill will never suggest, or fill credit card information, nor will it save additional credit card information that the user might submit while browsing the web.

If this setting is enabled or has no value, the user will be able to control Autofill for credit cards in the UI.

Example value:

0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)

AutoplayAllowed

Allow media autoplay

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AutoplayAllowed

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AutoplayAllowed

Mac/Linux preference name:

AutoplayAllowed

Supported on:

Google Chrome (Windows) since version 66
Google Chrome (Linux) since version 66
Google Chrome (Mac) since version 66
Google Chrome OS (Google Chrome OS) since version 66

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to control if videos can play automatically (without user consent) with audio content in Google Chrome.

If the policy is set to True, Google Chrome is allowed to autoplay media. If the policy is set to False, Google Chrome is not allowed to autoplay media. The AutoplayWhitelist policy can be used to override this for certain URL patterns. By default, Google Chrome is not allowed to autoplay media. The AutoplayWhitelist policy can be used to override this for certain URL patterns.

Note that if Google Chrome is running and this policy changes, it will be applied only to new opened tabs. Therefore some tabs might still observe the previous behavior.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

AutoplayWhitelist

Allow media autoplay on a whitelist of URL patterns

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\AutoplayWhitelist

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\AutoplayWhitelist

Mac/Linux preference name:

AutoplayWhitelist

Supported on:

Google Chrome (Linux, Mac, Windows) since version 66
Google Chrome OS (Google Chrome OS) since version 66

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Controls the whitelist of URL patterns that autoplay will always be enabled on.

If autoplay is enabled then videos can play automatically (without user consent) with audio content in Google Chrome.

A valid URL patterns specifications are:

- [*.]domain.tld (matches domain.tld and all sub-domains)

- host (matches an exact hostname)

- scheme://host:port (supported schemes: http,https)

- scheme://[*.]domain.tld:port (supported schemes: http,https)

- file://path (The path has to be an absolute path and start with a '/')

- a.b.c.d (matches an exact IPv4 ip)

- [a:b:c:d:e:f:g:h] (matches an exact IPv6 ip)

If the AutoplayAllowed policy is set to True then this policy will have no effect.

If the AutoplayAllowed policy is set to False then any URL patterns set in this policy will still be allowed to play.

Note that if Google Chrome is running and this policy changes, it will be applied only to new opened tabs. Therefore some tabs might still observe the previous behavior.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\AutoplayWhitelist\1 = "https://www.example.com" Software\Policies\Google\Chrome\AutoplayWhitelist\2 = "[*.]example.edu"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\AutoplayWhitelist\1 = "https://www.example.com" Software\Policies\Google\ChromeOS\AutoplayWhitelist\2 = "[*.]example.edu"
Android/Linux:: [ "https://www.example.com", "[*.]example.edu" ]
Mac:: <array> <string>https://www.example.com</string> <string>[*.]example.edu</string> </array>

BackgroundModeEnabled

Continue running background apps when Google Chrome is closed

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BackgroundModeEnabled

Mac/Linux preference name:

BackgroundModeEnabled

Supported on:

Google Chrome (Windows) since version 19
Google Chrome (Linux) since version 19

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Determines whether a Google Chrome process is started on OS login and keeps running when the last browser window is closed, allowing background apps and the current browsing session to remain active, including any session cookies. The background process displays an icon in the system tray and can always be closed from there.

If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings.

If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings.

If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.

Example value:

0x00000001 (Windows), true (Linux)

BlockThirdPartyCookies

Block third party cookies

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BlockThirdPartyCookies

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\BlockThirdPartyCookies

Mac/Linux preference name:

BlockThirdPartyCookies

Supported on:

Google Chrome (Linux, Mac, Windows) since version 10
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enabling this setting prevents cookies from being set by web page elements that are not from the domain that is in the browser's address bar.

Disabling this setting allows cookies to be set by web page elements that are not from the domain that is in the browser's address bar and prevents users from changing this setting.

If this policy is left not set, third party cookies will be enabled but the user will be able to change that.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

BookmarkBarEnabled

Enable Bookmark Bar

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BookmarkBarEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\BookmarkBarEnabled

Mac/Linux preference name:

BookmarkBarEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 12
Google Chrome OS (Google Chrome OS) since version 12

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If you enable this setting, Google Chrome will show a bookmark bar.

If you disable this setting, users will never see the bookmark bar.

If you enable or disable this setting, users cannot change or override it in Google Chrome.

If this setting is left not set the user can decide to use this function or not.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

BrowserAddPersonEnabled

Enable add person in user manager

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BrowserAddPersonEnabled

Mac/Linux preference name:

BrowserAddPersonEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 39

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this policy is set to true or not configured, Google Chrome will allow Add Person from the user manager.

If this policy is set to false, Google Chrome will not allow creation of new profiles from the user manager.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

BrowserGuestModeEnabled

Enable guest mode in browser

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BrowserGuestModeEnabled

Mac/Linux preference name:

BrowserGuestModeEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 38

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this policy is set to true or not configured, Google Chrome will enable guest logins. Guest logins are Google Chrome profiles where all windows are in incognito mode.

If this policy is set to false, Google Chrome will not allow guest profiles to be started.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

BrowserGuestModeEnforced

Enforce browser guest mode

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BrowserGuestModeEnforced

Mac/Linux preference name:

BrowserGuestModeEnforced

Supported on:

Google Chrome (Linux, Mac, Windows) since version 77

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

If this policy is set to enabled, Google Chrome will enforce guest sessions and prevents profile logins. Guest logins are Google Chrome profiles where all windows are in incognito mode.

If this policy is set to disabled or not set or browser guest mode is disabled by BrowserGuestModeEnabled policy, Google Chrome will allow using new and existing profiles.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

BrowserNetworkTimeQueriesEnabled

Allow queries to a Google time service

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BrowserNetworkTimeQueriesEnabled

Mac/Linux preference name:

BrowserNetworkTimeQueriesEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 60

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Setting this policy to false stops Google Chrome from occasionally sending queries to a Google server to retrieve an accurate timestamp. These queries will be enabled if this policy is set to True or is not set.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

BrowserSignin

Browser sign in settings

Data type:

Integer [Android:choice, Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BrowserSignin

Mac/Linux preference name:

BrowserSignin

Android restriction name:

BrowserSignin

Supported on:

Google Chrome (Linux, Mac, Windows) since version 70
Google Chrome (Android) since version 70

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

This policy controls the sign-in behavior of the browser. It allows you to specify if the user can sign in to Google Chrome with their account and use account related services like Chrome sync.

If the policy is set to "Disable browser sign-in" then the user can not sign in to the browser and use account based services. In this case browser level features like Chrome sync can not be used and will be unavailable. If the user was signed in and the policy is set "Disabled" they will be signed out the next time they run Chrome but their local profile data like bookmarks, passwords etc. will stay preserved. The user will still be able to sign into and use Google web services like Gmail.

If the policy is set to "Enable browser sign-in," then the user is allowed to sign in to the browser and is automatically signed in to the browser when signed in to Google web services like Gmail. Being signed in to the browser means the user's account information will be kept by the browser. However, it does not mean that Chrome sync will be turned on per default; the user must separately opt-in to use this feature. Enabling this policy will prevent the user from turning off the setting that allows browser sign-in. To control the availability of Chrome sync, use the "SyncDisabled" policy.

If the policy is set to "Force browser sign-in" the user is presented with an account selection dialog and has to choose and sign in to an account to use the browser. This ensures that for managed accounts the policies associated with the account are applied and enforced. By default this turns on Chrome sync for the account, except for the case when sync was disabled by the domain admin or via the "SyncDisabled" policy. The default value of BrowserGuestModeEnabled will be set to false. Note that existing unsigned profiles will be locked and inaccessible after enabling this policy. For more information, see help center article: https://support.google.com/chrome/a/answer/7572556. This option does not support Linux and will fallback to "Enable browser sign-in" if used.

If this policy is not set then the user can decide if they want to enable the browser sign in option and use it as they see fit.

0 = Disable browser sign-in
1 = Enable browser sign-in
2 = Force users to sign-in to use the browser

Example value:

0x00000002 (Windows), 2 (Linux), 2 (Android), 2 (Mac)

BuiltInDnsClientEnabled

Use built-in DNS client

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\BuiltInDnsClientEnabled

Mac/Linux preference name:

BuiltInDnsClientEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 25

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Controls whether the built-in DNS client is used in Google Chrome.

If this policy is set to true, the built-in DNS client will be used, if available.

If this policy is set to false, the built-in DNS client will never be used.

If this policy is left not set, the built-in DNS client will be enabled by default on MacOS, Android (when neither Private DNS nor VPN are enabled) and ChromeOS, and the users will be able to change whether the built-in DNS client is used by editing chrome://flags or specifying a command-line flag.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

BuiltinCertificateVerifierEnabled

Determines whether the built-in certificate verifier will be used to verify server certificates

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\BuiltinCertificateVerifierEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 77

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

When this setting is enabled, Google Chrome OS will perform verification of server certificates using the built-in certificate verifier. When this setting is disabled, Google Chrome OS will perform verification of server certificates using the legacy certificate verifier provided by the platform. When this setting is not set, Google Chrome OS the built-in or the legacy certificate verifier may be used.

This policy is planned to be removed in Google Chrome OS version 81, when support for the legacy certificate verifier on Google Chrome OS is planned to be removed.

Example value:

0x00000000 (Windows)

CaptivePortalAuthenticationIgnoresProxy

Captive portal authentication ignores proxy

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\CaptivePortalAuthenticationIgnoresProxy

Supported on:

Google Chrome OS (Google Chrome OS) since version 41

Supported features:

Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy allows Google Chrome OS to bypass any proxy for captive portal authentication.

This policy only takes effect if a proxy is configured (for example through policy, by the user in chrome://settings, or by extensions).

If you enable this setting, any captive portal authentication pages (i.e. all web pages starting from captive portal signin page until Google Chrome detects successful internet connection) will be displayed in a separate window ignoring all policy settings and restrictions for the current user.

If you disable this setting or leave it unset, any captive portal authentication pages will be shown in a (regular) new browser tab, using the current user's proxy settings.

Example value:

0x00000001 (Windows)

CertificateTransparencyEnforcementDisabledForCas

Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForCas

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForCas

Mac/Linux preference name:

CertificateTransparencyEnforcementDisabledForCas

Android restriction name:

CertificateTransparencyEnforcementDisabledForCas

Supported on:

Google Chrome (Linux, Mac, Windows) since version 67
Google Chrome OS (Google Chrome OS) since version 67
Google Chrome (Android) since version 67

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Disables enforcing Certificate Transparency requirements for a list of subjectPublicKeyInfo hashes.

This policy allows disabling Certificate Transparency disclosure requirements for certificate chains that contain certificates with one of the specified subjectPublicKeyInfo hashes. This allows certificates that would otherwise be untrusted, because they were not properly publicly disclosed, to continue to be used for Enterprise hosts.

In order for Certificate Transparency enforcement to be disabled when this policy is set, one of the following conditions must be met: 1. The hash is of the server certificate's subjectPublicKeyInfo. 2. The hash is of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, that CA certificate is constrained via the X.509v3 nameConstraints extension, one or more directoryName nameConstraints are present in the permittedSubtrees, and the directoryName contains an organizationName attribute. 3. The hash is of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, the CA certificate has one or more organizationName attributes in the certificate Subject, and the server's certificate contains the same number of organizationName attributes, in the same order, and with byte-for-byte identical values.

A subjectPublicKeyInfo hash is specified by concatenating the hash algorithm name, the "/" character, and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. This Base64 encoding is the same format as an SPKI Fingerprint, as defined in RFC 7469, Section 2.4. Unrecognized hash algorithms are ignored. The only supported hash algorithm at this time is "sha256".

If this policy is not set, any certificate that is required to be disclosed via Certificate Transparency will be treated as untrusted if it is not disclosed according to the Certificate Transparency policy.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForCas\1 = "sha256/AAAAAAAAAAAAAAAAAAAAAA==" Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForCas\2 = "sha256//////////////////////w=="
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForCas\1 = "sha256/AAAAAAAAAAAAAAAAAAAAAA==" Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForCas\2 = "sha256//////////////////////w=="
Android/Linux:: [ "sha256/AAAAAAAAAAAAAAAAAAAAAA==", "sha256//////////////////////w==" ]
Mac:: <array> <string>sha256/AAAAAAAAAAAAAAAAAAAAAA==</string> <string>sha256//////////////////////w==</string> </array>

CertificateTransparencyEnforcementDisabledForLegacyCas

Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForLegacyCas

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForLegacyCas

Mac/Linux preference name:

CertificateTransparencyEnforcementDisabledForLegacyCas

Android restriction name:

CertificateTransparencyEnforcementDisabledForLegacyCas

Supported on:

Google Chrome (Linux, Mac, Windows) since version 67
Google Chrome OS (Google Chrome OS) since version 67
Google Chrome (Android) since version 67

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Disables enforcing Certificate Transparency requirements for a list of Legacy Certificate Authorities.

In order for Certificate Transparency enforcement to be disabled when this policy is set, the hash must be of a subjectPublicKeyInfo appearing in a CA certificate that is recognized as a Legacy Certificate Authority (CA). A Legacy CA is a CA that has been publicly trusted by default one or more operating systems supported by Google Chrome, but is not trusted by the Android Open Source Project or Google Chrome OS.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForLegacyCas\1 = "sha256/AAAAAAAAAAAAAAAAAAAAAA==" Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForLegacyCas\2 = "sha256//////////////////////w=="
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForLegacyCas\1 = "sha256/AAAAAAAAAAAAAAAAAAAAAA==" Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForLegacyCas\2 = "sha256//////////////////////w=="
Android/Linux:: [ "sha256/AAAAAAAAAAAAAAAAAAAAAA==", "sha256//////////////////////w==" ]
Mac:: <array> <string>sha256/AAAAAAAAAAAAAAAAAAAAAA==</string> <string>sha256//////////////////////w==</string> </array>

CertificateTransparencyEnforcementDisabledForUrls

Disable Certificate Transparency enforcement for a list of URLs

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForUrls

Mac/Linux preference name:

CertificateTransparencyEnforcementDisabledForUrls

Android restriction name:

CertificateTransparencyEnforcementDisabledForUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 53
Google Chrome OS (Google Chrome OS) since version 53
Google Chrome (Android) since version 53

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Disables enforcing Certificate Transparency requirements to the listed URLs.

This policy allows certificates for the hostnames in the specified URLs to not be disclosed via Certificate Transparency. This allows certificates that would otherwise be untrusted, because they were not properly publicly disclosed, to continue to be used, but makes it harder to detect misissued certificates for those hosts.

A URL pattern is formatted according to https://www.chromium.org/administrators/url-blacklist-filter-format. However, because certificates are valid for a given hostname independent of the scheme, port, or path, only the hostname portion of the URL is considered. Wildcard hosts are not supported.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls\1 = "example.com" Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls\2 = ".example.com"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForUrls\1 = "example.com" Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForUrls\2 = ".example.com"
Android/Linux:: [ "example.com", ".example.com" ]
Mac:: <array> <string>example.com</string> <string>.example.com</string> </array>

ChromeCleanupEnabled

Enable Chrome Cleanup on Windows

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ChromeCleanupEnabled

Supported on:

Google Chrome (Windows) since version 68

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

If disabled, prevents Chrome Cleanup from scanning the system for unwanted software and performing cleanups. Manually triggering Chrome Cleanup from chrome://settings/cleanup is disabled.

If enabled or unset, Chrome Cleanup periodically scans the system for unwanted software and should any be found, will ask the user if they wish to remove it. Manually triggering Chrome Cleanup from chrome://settings is enabled.

This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain. or Windows 10 Pro or Enterprise instances that enrolled for device management.

Example value:

0x00000001 (Windows)

ChromeCleanupReportingEnabled

Control how Chrome Cleanup reports data to Google

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ChromeCleanupReportingEnabled

Supported on:

Google Chrome (Windows) since version 68

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If unset, should Chrome Cleanup detect unwanted software, it may report metadata about the scan to Google in accordance with policy set by SafeBrowsingExtendedReportingEnabled. Chrome Cleanup will then ask the user if they wish to clean up the unwanted software. The user can choose to share results of the cleanup with Google to assist with future unwanted software detection. These results contain file metadata, automatically installed extensions and registry keys as described by the Chrome Privacy Whitepaper.

If disabled, should Chrome Cleanup detect unwanted software, it will not report metadata about the scan to Google, overriding any policy set by SafeBrowsingExtendedReportingEnabled. Chrome Cleanup will ask the user if they wish to clean up the unwanted software. Results of the cleanup will not be reported to Google and the user will not have the option to do so.

If enabled, should Chrome Cleanup detect unwanted software, it may report metadata about the scan to Google in accordance with policy set by SafeBrowsingExtendedReportingEnabled. Chrome Cleanup will ask the user if they wish to clean up the unwanted software. Results of the cleanup will be reported to Google and the user will not have the option to prevent it.

This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain. or Windows 10 Pro or Enterprise instances that enrolled for device management.

Example value:

0x00000001 (Windows)

ChromeOsLockOnIdleSuspend

Enable lock when the device become idle or suspended

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ChromeOsLockOnIdleSuspend

Supported on:

Google Chrome OS (Google Chrome OS) since version 9

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enable lock when Google Chrome OS devices become idle or suspended.

If you enable this setting, users will be asked for a password to unlock the device from sleep.

If you disable this setting, users will not be asked for a password to unlock the device from sleep.

If you enable or disable this setting, users cannot change or override it.

If the policy is left not set the user can choose whether they want to be asked for password to unlock the device or not.

Example value:

0x00000001 (Windows)

ChromeOsMultiProfileUserBehavior

Control the user behavior in a multiprofile session

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ChromeOsMultiProfileUserBehavior

Supported on:

Google Chrome OS (Google Chrome OS) since version 31

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Control the user behavior in a multiprofile session on Google Chrome OS devices.

If this policy is set to 'MultiProfileUserBehaviorUnrestricted', the user can be either primary or secondary user in a multiprofile session.

If this policy is set to 'MultiProfileUserBehaviorMustBePrimary', the user can only be the primary user in a multiprofile session.

If this policy is set to 'MultiProfileUserBehaviorNotAllowed', the user cannot be part of a multiprofile session.

If you set this setting, users cannot change or override it.

If the setting is changed while the user is signed into a multiprofile session, all users in the session will be checked against their corresponding settings. The session will be closed if any one of the users is no longer allowed to be in the session.

If the policy is left not set, the default value 'MultiProfileUserBehaviorMustBePrimary' applies for enterprise-managed users and 'MultiProfileUserBehaviorUnrestricted' will be used for non-managed users.

"unrestricted" = Allow enterprise user to be both primary and secondary (Default behavior for non-managed users)
"primary-only" = Allow enterprise user to be primary multiprofile user only (Default behavior for enterprise-managed users)
"not-allowed" = Do not allow enterprise user to be part of multiprofile (primary or secondary)

Note for Google Chrome OS devices supporting Android apps:

When multiple users are logged in, only the primary user can use Android apps.

Example value:

"unrestricted"

ClientCertificateManagementAllowed

Allow users to manage installed client certificates.

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ClientCertificateManagementAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 74

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy controls whether user are able to import and remove client certificates via Certificate Manager.

If this policy is set to ''Allow users to manage all certificates'' or left not set, users will be able to manage certificates.

If this policy is set to ''Allow users to manage user certificates'', users will be able to manage user certificates, but not device-wide certificates.

If this policy is set to ''Disallow users to manage certificates'', users will not be able to manage certificates, they can only view certificates.

0 = Allow users to manage all certificates
1 = Allow users to manage user certificates
2 = Disallow users from managing certificates

Example value:

0x00000001 (Windows)

CloudManagementEnrollmentMandatory

Enable mandatory cloud management enrollment

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\CloudManagementEnrollmentMandatory

Mac/Linux preference name:

CloudManagementEnrollmentMandatory

Supported on:

Google Chrome (Linux, Mac, Windows) since version 72

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

If this policy is set to True, cloud management enrollment is mandatory and blocks Chrome launch process if failed.

If this policy is left unset or set to False, cloud management enrollment is optional and does not blocks Chrome launch process if failed.

This policy is used by machine scope cloud policy enrollment on desktop and can be set by Registry or GPO on Windows, plist on Mac and JSON policy file on Linux.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

CloudManagementEnrollmentToken

The enrollment token of cloud policy on desktop

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\CloudManagementEnrollmentToken

Mac/Linux preference name:

CloudManagementEnrollmentToken

Supported on:

Google Chrome (Linux, Mac, Windows) since version 72

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

If this policy is set, Google Chrome will try to register itself and apply associated cloud policy for all profiles.

The value of this policy is an Enrollment token that can be retrieved from the Google Admin console.

Example value:

"37185d02-e055-11e7-80c1-9a214cf093ae"

CloudPolicyOverridesPlatformPolicy

Google Chrome cloud policy overrides Platform policy.

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\CloudPolicyOverridesPlatformPolicy

Mac/Linux preference name:

CloudPolicyOverridesPlatformPolicy

Supported on:

Google Chrome (Linux, Mac, Windows) since version 75

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

If the policy is set to true, cloud policy takes precedence if it conflicts with platform policy. If the policy is set to false or not configured, platform policy takes precedence if it conflicts with cloud policy.

This policy is only available as a mandatory machine platform policy and it only affects machine scope cloud policies.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

CommandLineFlagSecurityWarningsEnabled

Enable security warnings for command-line flags

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\CommandLineFlagSecurityWarningsEnabled

Mac/Linux preference name:

CommandLineFlagSecurityWarningsEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 76

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

If disabled, prevents security warnings from appearing when Chrome is launched with some potentially dangerous command-line flags.

If enabled or unset, security warnings are displayed when some command-line flags are used to launch Chrome.

On Windows, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain or Windows 10 Pro or Enterprise instances that are enrolled for device management.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

ComponentUpdatesEnabled

Enable component updates in Google Chrome

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ComponentUpdatesEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ComponentUpdatesEnabled

Mac/Linux preference name:

ComponentUpdatesEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 54
Google Chrome OS (Google Chrome OS) since version 54

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

Enables component updates for all components in Google Chrome when not set or set to True.

If set to False, updates to components are disabled. However, some components are exempt from this policy: updates to any component that does not contain executable code, or does not significantly alter the behavior of the browser, or is critical for its security will not be disabled. Examples of such components include the certificate revocation lists and Safe Browsing data. See https://developers.google.com/safe-browsing for more info on Safe Browsing.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

ContextualSearchEnabled

Enable Tap to Search

Data type:

Boolean

Android restriction name:

ContextualSearchEnabled

Supported on:

Google Chrome (Android) since version 40

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables the availability of Tap to Search in Google Chrome's content view.

If you enable this setting, Tap to Search will be available to the user and they can choose to turn the feature on or off.

If you disable this setting, Tap to Search will be disabled completely.

If this policy is left not set, it is equivalent to being enabled, see description above.

Example value:

true (Android)

DataCompressionProxyEnabled

Enable the data compression proxy feature

Data type:

Boolean

Android restriction name:

DataCompressionProxyEnabled

Supported on:

Google Chrome (Android) since version 31

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enable or disable the data compression proxy and prevents users from changing this setting.

If you enable or disable this setting, users cannot change or override this setting.

If this policy is left not set, the data compression proxy feature will be available for the user to choose whether to use it or not.

Example value:

true (Android)

DefaultBrowserSettingEnabled

Set Google Chrome as Default Browser

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DefaultBrowserSettingEnabled

Mac/Linux preference name:

DefaultBrowserSettingEnabled

Supported on:

Google Chrome (Windows 7) since version 11
Google Chrome (Mac) since version 11
Google Chrome (Linux) since version 11

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Configures the default browser checks in Google Chrome and prevents users from changing them.

If you enable this setting, Google Chrome will always check on startup whether it is the default browser and automatically register itself if possible.

If this setting is disabled, Google Chrome will never check if it is the default browser and will disable user controls for setting this option.

If this setting is not set, Google Chrome will allow the user to control whether it is the default browser and whether user notifications should be shown when it isn't.

Note for administrators of Microsoft® Windows: Enabling this setting will only work for machines running Windows 7. For versions of Windows starting with Windows 8, you must deploy a "default application associations" file that makes Google Chrome the handler for the https and http protocols (and, optionally, the ftp protocol and file formats such as .html, .htm, .pdf, .svg, .webp, etc...). See https://support.google.com/chrome?p=make_chrome_default_win for more information.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

DefaultDownloadDirectory

Set default download directory

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\Recommended\DefaultDownloadDirectory

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\Recommended\DefaultDownloadDirectory

Mac/Linux preference name:

DefaultDownloadDirectory

Supported on:

Google Chrome (Linux, Mac, Windows) since version 64
Google Chrome OS (Google Chrome OS) since version 64

Supported features:

Can Be Mandatory: No, Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Configures the default directory that Google Chrome will use for downloading files.

If you set this policy, it will change the default directory that Google Chrome downloads files to. This policy is not mandatory, so the user will be able to change the directory.

If you do not set this policy, Google Chrome will use its usual default directory (platform-specific).

See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.

Example value:

"/home/${user_name}/Downloads"

DeveloperToolsAvailability

Control where Developer Tools can be used

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DeveloperToolsAvailability

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeveloperToolsAvailability

Mac/Linux preference name:

DeveloperToolsAvailability

Supported on:

Google Chrome (Linux, Mac, Windows) since version 68
Google Chrome OS (Google Chrome OS) since version 68

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to control where Developer Tools can be used.

If this policy is set to 'DeveloperToolsDisallowedForForceInstalledExtensions' (value 0, which is the default value), the Developer Tools and the JavaScript console can be accessed in general, but they can not be accessed in the context of extensions installed by enterprise policy. If this policy is set to 'DeveloperToolsAllowed' (value 1), the Developer Tools and the JavaScript console can be accessed and used in all contexts, including the context of extensions installed by enterprise policy. If this policy is set to 'DeveloperToolsDisallowed' (value 2), the Developer Tools can not be accessed and web-site elements can not be inspected anymore. Any keyboard shortcuts and any menu or context menu entries to open the Developer Tools or the JavaScript Console will be disabled.

0 = Disallow usage of the Developer Tools on extensions installed by enterprise policy, allow usage of the Developer Tools in other contexts
1 = Allow usage of the Developer Tools
2 = Disallow usage of the Developer Tools

Note for Google Chrome OS devices supporting Android apps:

This policy also controls access to Android Developer Options. If you set this policy to 'DeveloperToolsDisallowed' (value 2), users cannot access Developer Options. If you set this policy to another value or leave it unset, users can access Developer Options by tapping seven times on the build number in the Android settings app.

Example value:

0x00000002 (Windows), 2 (Linux), 2 (Mac)

DeveloperToolsDisabled (deprecated)

Disable Developer Tools

See deprecated policy DeveloperToolsDisabled

DeviceLocalAccountManagedSessionEnabled

Allow managed session on device

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceLocalAccountManagedSessionEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 70

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this policy is set to false, managed guest session will behave as documented in https://support.google.com/chrome/a/answer/3017014 - the standard "Public Session".

If this policy is set to true or left unset, managed guest session will take on "Managed Session" behaviour which lifts many of the restrictions that are in place for regular "Public Sessions".

If this policy is set, the user cannot change or override it.

Example value:

0x00000001 (Windows)

DevicePowerwashAllowed

Allow the device to request powerwash

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DevicePowerwashAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 77

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

This policy when set to False, does not allow the device to trigger powerwash. When set to True, it allows the device to trigger powerwash. If left unset, it defaults to False, meaning it doesn't allow the device to powerwash.

Example value:

0x00000001 (Windows)

DeviceRebootOnUserSignout

Force device reboot when user sign out

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceRebootOnUserSignout

Supported on:

Google Chrome OS (Google Chrome OS) since version 76

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

This policy, when set to ArcSession, forces the device to reboot when a user sign out if Android has started. When set to Always, it forces the device to reboot on every user sign out. If left unset, it has no effect and no reboot is forced on user sign out. The same applies if set to Never. This policy has effect only for unaffiliated users.

1 = Do not reboot on user sign out.
2 = Reboot on user sign out if Android has started.
3 = Always reboot on user sign out.

Example value:

0x00000002 (Windows)

DeviceScheduledUpdateCheck

Set custom schedule to check for updates

Data type:

Dictionary

Supported on:

Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Allows setting a custom schedule to check for updates. This applies to all users, and to all interfaces on the device. Once set, the device will check for updates according to the schedule. The policy must be removed to cancel any more scheduled update checks.

Schema:

{ "properties": { "day_of_month": { "description": "Day of month [1-28] when the update check should happen, interpreted in the device's local time zone. Only used when 'frequency' is 'MONTHLY'. If this is more than the maximum number of days in a given month then the last day of the month will be chosen. Currently it is restricted to 28 to resolve month rollover ambiguities.", "maximum": 28, "minimum": 1, "type": "integer" }, "day_of_week": { "$ref": "WeekDay", "description": "Day of week when the update check should happen, interpreted in the device's local time zone. Only used when 'frequency' is 'WEEKLY'." }, "frequency": { "description": "Frequency with which the update check should recur.", "enum": [ "DAILY", "WEEKLY", "MONTHLY" ], "type": "string" }, "update_check_time": { "$ref": "Time", "description": "Time when the update check should happen, interpreted in the device's local time zone." } }, "required": [ "update_check_time", "frequency" ], "type": "object" }

DeviceWebUsbAllowDevicesForUrls

Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DeviceWebUsbAllowDevicesForUrls

Supported on:

Google Chrome OS (Google Chrome OS) since version 77

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this policy is left not set, the global default value will be used for all sites either from the 'DefaultWebUsbGuardSetting' policy if it is set, or the user's personal configuration otherwise.

URL patterns in this policy should not clash with the ones configured via WebUsbBlockedForUrls. If there is a clash, this policy will take precedence over WebUsbBlockedForUrls and WebUsbAskForUrls.

Values for this policy and the WebUsbAllowDevicesForUrls policy are merged together.

Schema:

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\DeviceWebUsbAllowDevicesForUrls = [ { "devices": [ { "product_id": 5678, "vendor_id": 1234 } ], "urls": [ "https://google.com", "https://requesting.com,https://embedded.com" ] } ]

Disable3DAPIs

Disable support for 3D graphics APIs

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\Disable3DAPIs

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\Disable3DAPIs

Mac/Linux preference name:

Disable3DAPIs

Supported on:

Google Chrome (Linux, Mac, Windows) since version 9
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enabling this setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages can not access the WebGL API and plugins can not use the Pepper 3D API.

Disabling this setting or leaving it not set potentially allows web pages to use the WebGL API and plugins to use the Pepper 3D API. The default settings of the browser may still require command line arguments to be passed in order to use these APIs.

If HardwareAccelerationModeEnabled is set to false, Disable3DAPIs is ignored and it is equivalent to Disable3DAPIs being set to true.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

DisableSafeBrowsingProceedAnyway

Disable proceeding from the Safe Browsing warning page

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DisableSafeBrowsingProceedAnyway

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DisableSafeBrowsingProceedAnyway

Mac/Linux preference name:

DisableSafeBrowsingProceedAnyway

Android restriction name:

DisableSafeBrowsingProceedAnyway

Supported on:

Google Chrome (Linux, Mac, Windows) since version 22
Google Chrome OS (Google Chrome OS) since version 22
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

The Safe Browsing service shows a warning page when users navigate to sites that are flagged as potentially malicious. Enabling this setting prevents users from proceeding anyway from the warning page to the malicious site.

This policy only prevents users from proceeding on Safe Browsing warnings (e.g. malware and phishing) not for SSL certificate related issues like invalid or expired certificates.

If this setting is disabled or not configured then users can choose to proceed to the flagged site after being shown the warning.

See https://developers.google.com/safe-browsing for more info on Safe Browsing.

Example value:

0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)

DisableScreenshots

Disable taking screenshots

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DisableScreenshots

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DisableScreenshots

Mac/Linux preference name:

DisableScreenshots

Supported on:

Google Chrome OS (Google Chrome OS) since version 22
Google Chrome (Linux, Mac, Windows) since version 22

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If enabled, screenshots cannot be taken using keyboard shortcuts or extension APIs.

If disabled or not specified, taking screenshots is allowed.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

DisabledPlugins (deprecated)

Specify a list of disabled plugins

See deprecated policy DisabledPlugins

DisabledPluginsExceptions (deprecated)

Specify a list of plugins that the user can enable or disable

See deprecated policy DisabledPluginsExceptions

DisabledSchemes (deprecated)

Disable URL protocol schemes

See deprecated policy DisabledSchemes

DiskCacheDir

Set disk cache directory

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DiskCacheDir

Mac/Linux preference name:

DiskCacheDir

Supported on:

Google Chrome (Linux, Mac, Windows) since version 13

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

Configures the directory that Google Chrome will use for storing cached files on the disk.

If you set this policy, Google Chrome will use the provided directory regardless whether the user has specified the '--disk-cache-dir' flag or not. To avoid data loss or other unexpected errors this policy should not be set to a volume's root directory or to a directory used for other purposes, because Google Chrome manages its contents.

See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.

If this policy is left not set the default cache directory will be used and the user will be able to override it with the '--disk-cache-dir' command line flag.

Example value:

"${user_home}/Chrome_cache"

DiskCacheSize

Set disk cache size in bytes

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DiskCacheSize

Mac/Linux preference name:

DiskCacheSize

Supported on:

Google Chrome (Linux, Mac, Windows) since version 17

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

Configures the cache size that Google Chrome will use for storing cached files on the disk.

If you set this policy, Google Chrome will use the provided cache size regardless whether the user has specified the '--disk-cache-size' flag or not. The value specified in this policy is not a hard boundary but rather a suggestion to the caching system, any value below a few megabytes is too small and will be rounded up to a sane minimum.

If the value of this policy is 0, the default cache size will be used but the user will not be able to change it.

If this policy is not set the default size will be used and the user will be able to override it with the --disk-cache-size flag.

Example value:

0x06400000 (Windows), 104857600 (Linux), 104857600 (Mac)

DownloadDirectory

Set download directory

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DownloadDirectory

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DownloadDirectory

Mac/Linux preference name:

DownloadDirectory

Supported on:

Google Chrome (Linux, Mac, Windows) since version 11
Google Chrome OS (Google Chrome OS) since version 35

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Configures the directory that Google Chrome will use for downloading files.

If you set this policy, Google Chrome will use the provided directory regardless whether the user has specified one or enabled the flag to be prompted for download location every time.

See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.

If this policy is left not set the default download directory will be used and the user will be able to change it.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on Android apps. Android apps always use the default downloads directory and cannot access any files downloaded by Google Chrome OS into a non-default downloads directory.

Example value:

"/home/${user_name}/Downloads"

DownloadRestrictions

Allow download restrictions

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\DownloadRestrictions

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\DownloadRestrictions

Mac/Linux preference name:

DownloadRestrictions

Supported on:

Google Chrome (Linux, Mac, Windows) since version 61
Google Chrome OS (Google Chrome OS) since version 61

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Configures the type of downloads that Google Chrome will completely block, without letting users override the security decision.

If you set this policy, Google Chrome will prevent certain types of downloads, and won't let user bypass the security warnings.

When the 'Block dangerous downloads' option is chosen, all downloads are allowed, except for those that carry Safe Browsing warnings.

When the 'Block potentially dangerous downloads' option is chosen, all downloads allowed, except for those that carry Safe Browsing warnings of potentially dangerous downloads.

When the 'Block all downloads' option is chosen, all downloads are blocked.

When this policy is not set, (or the 'No special restrictions' option is chosen), the downloads will go through the usual security restrictions based on Safe Browsing analysis results.

Note that these restrictions apply to downloads triggered from web page content, as well as the 'download link...' context menu option. These restrictions do not apply to the save / download of the currently displayed page, nor does it apply to saving as PDF from the printing options.

See https://developers.google.com/safe-browsing for more info on Safe Browsing.

0 = No special restrictions
1 = Block dangerous downloads
2 = Block potentially dangerous downloads
3 = Block all downloads

Example value:

0x00000002 (Windows), 2 (Linux), 2 (Mac)

EasyUnlockAllowed

Allow Smart Lock to be used

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\EasyUnlockAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 38

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If you enable this setting, users will be allowed to use Smart Lock if the requirements for the feature are satisfied.

If you disable this setting, users will not be allowed to use Smart Lock.

If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.

Example value:

0x00000001 (Windows)

EcryptfsMigrationStrategy

Migration strategy for ecryptfs

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\EcryptfsMigrationStrategy

Supported on:

Google Chrome OS (Google Chrome OS) since version 61

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

Specifies the action that should be taken when the user's home directory was created with ecryptfs encryption.

If you set this policy to 'DisallowArc', Android apps will be disabled for the user and no migration from ecryptfs to ext4 encryption will be performed. Android apps will not be prevented from running when the home directory is already ext4-encrypted.

If you set this policy to 'Migrate', ecryptfs-encrypted home directories will be automatically migrated to ext4 encryption on sign-in without asking for user consent.

If you set this policy to 'Wipe', ecryptfs-encrypted home directories will be deleted on sign-in and new ext4-encrypted home directories will be created instead. Warning: This removes the user's local data.

If you set this policy to 'MinimalMigrate', ecryptfs-encrypted home directories will be deleted on sign-in and new ext4-encrypted home directories will be created instead. However, it will be attempted to preserve login tokens so that the user does not have to sign in again. Warning: This removes the user's local data.

If you set this policy to an option that is no longer supported ('AskUser' or 'AskForEcryptfsArcUsers'), it will be treated as if you had selected 'Migrate' instead.

This policy does not apply to kiosk users. If this policy is left not set, the device will behave as if 'DisallowArc' was chosen.

0 = Disallow data migration and ARC.
1 = Migrate automatically, don’t ask for user consent.
2 = Wipe the user’s ecryptfs home directory and start with a fresh ext4-encrypted home directory.
4 = Similar to Wipe (value 2), but tries to preserve login tokens so the user does not have to sign in again.

Example value:

0x00000002 (Windows)

EditBookmarksEnabled

Enable or disable bookmark editing

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\EditBookmarksEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\EditBookmarksEnabled

Mac/Linux preference name:

EditBookmarksEnabled

Android restriction name:

EditBookmarksEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 12
Google Chrome OS (Google Chrome OS) since version 12
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If you enable this setting, bookmarks can be added, removed or modified. This is the default also when this policy is not set.

If you disable this setting, bookmarks can not be added, removed or modified. Existing bookmarks are still available.

Example value:

0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)

EnableDeprecatedWebPlatformFeatures

Enable deprecated web platform features for a limited time

Data type:

List of strings [Android:multi-select]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\EnableDeprecatedWebPlatformFeatures

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\EnableDeprecatedWebPlatformFeatures

Mac/Linux preference name:

EnableDeprecatedWebPlatformFeatures

Android restriction name:

EnableDeprecatedWebPlatformFeatures

Supported on:

Google Chrome (Linux, Mac, Windows) since version 37
Google Chrome OS (Google Chrome OS) since version 37
Google Chrome (Android) since version 37

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specify a list of deprecated web platform features to re-enable temporarily.

This policy gives administrators the ability to re-enable deprecated web platform features for a limited time. Features are identified by a string tag and the features corresponding to the tags included in the list specified by this policy will get re-enabled.

If this policy is left not set, or the list is empty or does not match one of the supported string tags, all deprecated web platform features will remain disabled.

While the policy itself is supported on the above platforms, the feature it is enabling may be available on fewer platforms. Not all deprecated Web Platform features can be re-enabled. Only the ones explicitly listed below can be for a limited period of time, which is different per feature. The general format of the string tag will be [DeprecatedFeatureName]_EffectiveUntil[yyyymmdd]. As reference, you can find the intent behind the Web Platform feature changes at https://bit.ly/blinkintents.

"ExampleDeprecatedFeature_EffectiveUntil20080902" = Enable ExampleDeprecatedFeature API through 2008/09/02

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\EnableDeprecatedWebPlatformFeatures\1 = "ExampleDeprecatedFeature_EffectiveUntil20080902"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\EnableDeprecatedWebPlatformFeatures\1 = "ExampleDeprecatedFeature_EffectiveUntil20080902"
Android/Linux:: [ "ExampleDeprecatedFeature_EffectiveUntil20080902" ]
Mac:: <array> <string>ExampleDeprecatedFeature_EffectiveUntil20080902</string> </array>

EnableOnlineRevocationChecks

Enable online OCSP/CRL checks

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\EnableOnlineRevocationChecks

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\EnableOnlineRevocationChecks

Mac/Linux preference name:

EnableOnlineRevocationChecks

Supported on:

Google Chrome (Linux, Mac, Windows) since version 19
Google Chrome OS (Google Chrome OS) since version 19

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

In light of the fact that soft-fail, online revocation checks provide no effective security benefit, they are disabled by default in Google Chrome version 19 and later. By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed.

If the policy is not set, or is set to false, then Google Chrome will not perform online revocation checks in Google Chrome 19 and later.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

EnableSyncConsent

Enable displaying Sync Consent during sign-in

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\EnableSyncConsent

Supported on:

Google Chrome OS (Google Chrome OS) since version 66

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy controls if Sync Consent can be shown to the user during first sign-in. It should be set to false if Sync Consent is never needed for the user. If set to false, Sync Consent will not be displayed. If set to true or unset, Sync Consent can be displayed.

Example value:

0x00000000 (Windows)

EnabledPlugins (deprecated)

Specify a list of enabled plugins

See deprecated policy EnabledPlugins

EnterpriseHardwarePlatformAPIEnabled

Enables managed extensions to use the Enterprise Hardware Platform API

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\EnterpriseHardwarePlatformAPIEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\EnterpriseHardwarePlatformAPIEnabled

Mac/Linux preference name:

EnterpriseHardwarePlatformAPIEnabled

Android restriction name:

EnterpriseHardwarePlatformAPIEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 71
Google Chrome OS (Google Chrome OS) since version 71
Google Chrome (Android) since version 71

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

When this policy is set to enabled, extensions installed by enterprise policy are allowed to use the Enterprise Hardware Platform API. When this policy is set to disabled or not set, no extensions are allowed to use the Enterprise Hardware Platform API. This policy also applies to component extensions such as the Hangout Services extension.

Example value:

0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)

ExternalStorageDisabled

Disable mounting of external storage

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ExternalStorageDisabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 22

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

When this policy is set to true, external storage will not be available in the file browser.

This policy affects all types of storage media. For example: USB flash drives, external hard drives, SD and other memory cards, optical storage etc. Internal storage is not affected, therefore files saved in the Download folder can still be accessed. Google Drive is also not affected by this policy.

If this setting is disabled or not configured then users can use all supported types of external storage on their device.

Example value:

0x00000001 (Windows)

ExternalStorageReadOnly

Treat external storage devices as read-only

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ExternalStorageReadOnly

Supported on:

Google Chrome OS (Google Chrome OS) since version 54

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

When this policy is set to true, users cannot write anything to external storage devices.

If this setting is set to false or not configured, then users can create and modify files of external storage devices which are physically writable.

The ExternalStorageDisabled policy takes precedence over this policy - if ExternalStorageDisabled is set to true, then all access to external storage is disabled and this policy is consequently ignored.

Dynamic refresh of this policy is supported in M56 and later.

Example value:

0x00000001 (Windows)

ForceBrowserSignin (deprecated)

Enable force sign in for Google Chrome

See deprecated policy ForceBrowserSignin

ForceEphemeralProfiles

Ephemeral profile

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ForceEphemeralProfiles

Mac/Linux preference name:

ForceEphemeralProfiles

Supported on:

Google Chrome (Linux, Mac, Windows) since version 32

Supported features:

Dynamic Policy Refresh: No, Per Profile: Yes

Description:

If set to enabled this policy forces the profile to be switched to ephemeral mode. If this policy is specified as an OS policy (e.g. GPO on Windows) it will apply to every profile on the system; if the policy is set as a Cloud policy it will apply only to a profile signed in with a managed account.

In this mode the profile data is persisted on disk only for the length of the user session. Features like browser history, extensions and their data, web data like cookies and web databases are not preserved after the browser is closed. However this does not prevent the user from downloading any data to disk manually, save pages or print them.

If the user has enabled sync all this data is preserved in their sync profile just like with regular profiles. Incognito mode is also available if not explicitly disabled by policy.

If the policy is set to disabled or left not set signing in leads to regular profiles.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

ForceGoogleSafeSearch

Force Google SafeSearch

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ForceGoogleSafeSearch

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ForceGoogleSafeSearch

Mac/Linux preference name:

ForceGoogleSafeSearch

Android restriction name:

ForceGoogleSafeSearch

Supported on:

Google Chrome (Linux, Mac, Windows) since version 41
Google Chrome OS (Google Chrome OS) since version 41
Google Chrome (Android) since version 41

Supported features:

Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Forces queries in Google Web Search to be done with SafeSearch set to active and prevents users from changing this setting.

If you enable this setting, SafeSearch in Google Search is always active.

If you disable this setting or do not set a value, SafeSearch in Google Search is not enforced.

Example value:

0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)

ForceMaximizeOnFirstRun

Maximize the first browser window on first run

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ForceMaximizeOnFirstRun

Supported on:

Google Chrome OS (Google Chrome OS) since version 43

Supported features:

Dynamic Policy Refresh: No, Per Profile: Yes

Description:

If this policy is set to true, Google Chrome will unconditionally maximize the first window shown on first run. If this policy is set to false or not configured, the decision whether to maximize the first window shown will be based on the screen size.

Example value:

0x00000001 (Windows)

ForceNetworkInProcess

Force networking code to run in the browser process

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ForceNetworkInProcess

Supported on:

Google Chrome (Windows) since version 72

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

This policy forces networking code to run in the browser process.

This policy is disabled by default, and if enabled, leaves users open to the security issues once the networking process is sandboxed.

This policy is intended to give enterprises a chance to migrate to 3rd party software that does not depend on hooking the networking APIs. Proxy servers are recommended over LSPs and Win32 API patching.

If this policy is not set, networking code may run out of the browser process depending on field trials of the NetworkService experiment.

Example value:

0x00000000 (Windows)

ForceSafeSearch (deprecated)

Force SafeSearch

See deprecated policy ForceSafeSearch

ForceYouTubeRestrict

Force minimum YouTube Restricted Mode

Data type:

Integer [Android:choice, Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ForceYouTubeRestrict

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ForceYouTubeRestrict

Mac/Linux preference name:

ForceYouTubeRestrict

Android restriction name:

ForceYouTubeRestrict

Supported on:

Google Chrome (Linux, Mac, Windows) since version 55
Google Chrome OS (Google Chrome OS) since version 55
Google Chrome (Android) since version 55

Supported features:

Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enforces a minimum Restricted Mode on YouTube and prevents users from picking a less restricted mode.

If this setting is set to Strict, Strict Restricted Mode on YouTube is always active.

If this setting is set to Moderate, the user may only pick Moderate Restricted Mode and Strict Restricted Mode on YouTube, but cannot disable Restricted Mode.

If this setting is set to Off or no value is set, Restricted Mode on YouTube is not enforced by Google Chrome. External policies such as YouTube policies might still enforce Restricted Mode, though.

0 = Do not enforce Restricted Mode on YouTube
1 = Enforce at least Moderate Restricted Mode on YouTube
2 = Enforce Strict Restricted Mode for YouTube

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the Android YouTube app. If Safety Mode on YouTube should be enforced, installation of the Android YouTube app should be disallowed.

Example value:

0x00000000 (Windows), 0 (Linux), 0 (Android), 0 (Mac)

ForceYouTubeSafetyMode (deprecated)

Force YouTube Safety Mode

See deprecated policy ForceYouTubeSafetyMode

FullscreenAllowed

Allow fullscreen mode

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\FullscreenAllowed

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\FullscreenAllowed

Mac/Linux preference name:

FullscreenAllowed

Supported on:

Google Chrome (Windows) since version 31
Google Chrome (Linux) since version 31
Google Chrome OS (Google Chrome OS) since version 31

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy controls the availability of fullscreen mode in which all Google Chrome UI is hidden and only web content is visible.

If this policy is set to true or not not configured, the user, apps and extensions with appropriate permissions can enter fullscreen mode.

If this policy is set to false, neither the user nor any apps or extensions can enter fullscreen mode.

On all platforms except Google Chrome OS, kiosk mode is unavailable when fullscreen mode is disabled.

Note for Google Chrome OS devices supporting Android apps:

This policy has no effect on the Android apps. They will be able to enter fullscreen mode even if this policy is set to False.

Example value:

0x00000001 (Windows), true (Linux)

HardwareAccelerationModeEnabled

Use hardware acceleration when available

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\HardwareAccelerationModeEnabled

Mac/Linux preference name:

HardwareAccelerationModeEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 46

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

If this policy is set to true or left unset, hardware acceleration will be enabled unless a certain GPU feature is blacklisted.

If this policy is set to false, hardware acceleration will be disabled.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

HideWebStoreIcon

Hide the web store from the New Tab Page and app launcher

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\HideWebStoreIcon

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\HideWebStoreIcon

Mac/Linux preference name:

HideWebStoreIcon

Supported on:

Google Chrome (Linux, Mac, Windows) since version 26
Google Chrome OS (Google Chrome OS) since version 68

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Hide the Chrome Web Store app and footer link from the New Tab Page and Google Chrome OS app launcher.

When this policy is set to true, the icons are hidden.

When this policy is set to false or is not configured, the icons are visible.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

Http09OnNonDefaultPortsEnabled (deprecated)

Enable HTTP/0.9 support on non-default ports

See deprecated policy Http09OnNonDefaultPortsEnabled

ImportAutofillFormData

Import autofill form data from default browser on first run

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ImportAutofillFormData

Mac/Linux preference name:

ImportAutofillFormData

Supported on:

Google Chrome (Linux, Mac, Windows) since version 39

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy forces the autofill form data to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog.

If disabled, the autofill form data is not imported.

If it is not set, the user may be asked whether to import, or importing may happen automatically.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

ImportBookmarks

Import bookmarks from default browser on first run

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ImportBookmarks

Mac/Linux preference name:

ImportBookmarks

Supported on:

Google Chrome (Linux, Mac, Windows) since version 15

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy forces bookmarks to be imported from the current default browser if enabled. If enabled, this policy also affects the import dialog.

If disabled, no bookmarks are imported.

If it is not set, the user may be asked whether to import, or importing may happen automatically.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

ImportHistory

Import browsing history from default browser on first run

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ImportHistory

Mac/Linux preference name:

ImportHistory

Supported on:

Google Chrome (Linux, Mac, Windows) since version 15

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy forces the browsing history to be imported from the current default browser if enabled. If enabled, this policy also affects the import dialog.

If disabled, no browsing history is imported.

If it is not set, the user may be asked whether to import, or importing may happen automatically.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

ImportHomepage

Import of homepage from default browser on first run

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ImportHomepage

Mac/Linux preference name:

ImportHomepage

Supported on:

Google Chrome (Linux, Mac, Windows) since version 15

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy forces the home page to be imported from the current default browser if enabled.

If disabled, the home page is not imported.

If it is not set, the user may be asked whether to import, or importing may happen automatically.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

ImportSavedPasswords

Import saved passwords from default browser on first run

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ImportSavedPasswords

Mac/Linux preference name:

ImportSavedPasswords

Supported on:

Google Chrome (Linux, Mac, Windows) since version 15

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog.

If disabled, the saved passwords are not imported.

If it is not set, the user may be asked whether to import, or importing may happen automatically.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

ImportSearchEngine

Import search engines from default browser on first run

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ImportSearchEngine

Mac/Linux preference name:

ImportSearchEngine

Supported on:

Google Chrome (Linux, Mac, Windows) since version 15

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy forces search engines to be imported from the current default browser if enabled. If enabled, this policy also affects the import dialog.

If disabled, the default search engine is not imported.

If it is not set, the user may be asked whether to import, or importing may happen automatically.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

IncognitoEnabled (deprecated)

Enable Incognito mode

See deprecated policy IncognitoEnabled

IncognitoModeAvailability

Incognito mode availability

Data type:

Integer [Android:choice, Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\IncognitoModeAvailability

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\IncognitoModeAvailability

Mac/Linux preference name:

IncognitoModeAvailability

Android restriction name:

IncognitoModeAvailability

Supported on:

Google Chrome (Linux, Mac, Windows) since version 14
Google Chrome OS (Google Chrome OS) since version 14
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies whether the user may open pages in Incognito mode in Google Chrome.

If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode.

If 'Disabled' is selected, pages may not be opened in Incognito mode.

If 'Forced' is selected, pages may be opened ONLY in Incognito mode.

0 = Incognito mode available
1 = Incognito mode disabled
2 = Incognito mode forced

Example value:

0x00000001 (Windows), 1 (Linux), 1 (Android), 1 (Mac)

InstantTetheringAllowed

Allow Instant Tethering to be used.

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\InstantTetheringAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 60

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If this setting is enabled, users will be allowed to use Instant Tethering, which allows their Google phone to share its mobile data with their device.

If this setting is disabled, users will not be allowed to use Instant Tethering.

If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.

Example value:

0x00000001 (Windows)

IsolateOrigins

Enable Site Isolation for specified origins

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\IsolateOrigins

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\IsolateOrigins

Mac/Linux preference name:

IsolateOrigins

Supported on:

Google Chrome (Linux, Mac, Windows) since version 63
Google Chrome OS (Google Chrome OS) since version 63

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

NOTE: This policy does not apply on Android. To enable IsolateOrigins on Android, use the IsolateOriginsAndroid policy setting.

Example value:

"https://example.com/,https://othersite.org/"

IsolateOriginsAndroid

Enable Site Isolation for specified origins on Android devices

Data type:

String

Android restriction name:

IsolateOriginsAndroid

Supported on:

Google Chrome (Android) since version 68

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

If the policy is enabled, each of the named origins in a comma-separated list will run in its own process. This will also isolate origins named by subdomains; e.g. specifying https://example.com/ will also cause https://foo.example.com/ to be isolated as part of the https://example.com/ site. If the policy is disabled, no explicit Site Isolation will happen and field trials of IsolateOriginsAndroid and SitePerProcessAndroid will be disabled. Users will still be able to enable IsolateOrigins manually, via command line flag. If the policy is not configured, the user will be able to change this setting.

NOTE: On Android, Site Isolation is experimental. Support will improve over time, but currently it may cause performance problems.

NOTE: This policy applies only to Chrome on Android running on devices with strictly more than 1GB of RAM. To apply the policy on non-Android platforms, use IsolateOrigins.

Example value:

"https://example.com/,https://othersite.org/"

JavascriptEnabled (deprecated)

Enable JavaScript

See deprecated policy JavascriptEnabled

KeyPermissions

Key Permissions

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\KeyPermissions

Supported on:

Google Chrome OS (Google Chrome OS) since version 45

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Grants access to corporate keys to extensions.

Keys are designated for corporate usage if they're generated using the chrome.enterprise.platformKeys API on a managed account. Keys imported or generated in another way are not designated for corporate usage.

Access to keys designated for corporate usage is solely controlled by this policy. The user can neither grant nor withdraw access to corporate keys to or from extensions.

By default an extension cannot use a key designated for corporate usage, which is equivalent to setting allowCorporateKeyUsage to false for that extension.

Only if allowCorporateKeyUsage is set to true for an extension, it can use any platform key marked for corporate usage to sign arbitrary data. This permission should only be granted if the extension is trusted to secure access to the key against attackers.

Note for Google Chrome OS devices supporting Android apps:

Android apps cannot get access to corporate keys. This policy has no effect on them.

Schema:

{ "additionalProperties": { "properties": { "allowCorporateKeyUsage": { "description": "If set to true, this extension can use all keys that are designated for corporate usage to sign arbitrary data. If set to false, it cannot access any such keys and the user cannot grant such permission either.", "type": "boolean" } }, "type": "object" }, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\KeyPermissions = { "extension1": { "allowCorporateKeyUsage": true }, "extension2": { "allowCorporateKeyUsage": false } }

MachineLevelUserCloudPolicyEnrollmentToken (deprecated)

The enrollment token of cloud policy on desktop

See deprecated policy MachineLevelUserCloudPolicyEnrollmentToken

ManagedBookmarks

Managed Bookmarks

Data type:

Dictionary [Android:string, Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ManagedBookmarks

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ManagedBookmarks

Mac/Linux preference name:

ManagedBookmarks

Android restriction name:

ManagedBookmarks

Supported on:

Google Chrome (Android) since version 30
Google Chrome (Linux, Mac, Windows) since version 37
Google Chrome OS (Google Chrome OS) since version 37

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Configures a list of managed bookmarks.

The policy consists of a list of bookmarks whereas each bookmark is a dictionary containing the keys "name" and "url" which hold the bookmark's name and its target. A subfolder may be configured by defining a bookmark without an "url" key but with an additional "children" key which itself contains a list of bookmarks as defined above (some of which may be folders again). Google Chrome amends incomplete URLs as if they were submitted via the Omnibox, for example "google.com" becomes "https://google.com/".

These bookmarks are placed in a folder that can't be modified by the user (but the user can choose to hide it from the bookmark bar). By default the folder name is "Managed bookmarks" but it can be customized by adding to the list of bookmarks a dictionary containing the key "toplevel_name" with the desired folder name as the value.

Managed bookmarks are not synced to the user account and can't be modified by extensions.

Schema:

{ "items": { "id": "BookmarkType", "properties": { "children": { "items": { "$ref": "BookmarkType" }, "type": "array" }, "name": { "type": "string" }, "toplevel_name": { "type": "string" }, "url": { "type": "string" } }, "type": "object" }, "type": "array" }

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\ManagedBookmarks = [ { "toplevel_name": "My managed bookmarks folder" }, { "name": "Google", "url": "google.com" }, { "name": "Youtube", "url": "youtube.com" }, { "children": [ { "name": "Chromium", "url": "chromium.org" }, { "name": "Chromium Developers", "url": "dev.chromium.org" } ], "name": "Chrome links" } ]
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\ManagedBookmarks = [ { "toplevel_name": "My managed bookmarks folder" }, { "name": "Google", "url": "google.com" }, { "name": "Youtube", "url": "youtube.com" }, { "children": [ { "name": "Chromium", "url": "chromium.org" }, { "name": "Chromium Developers", "url": "dev.chromium.org" } ], "name": "Chrome links" } ]
Android/Linux:: ManagedBookmarks: [ { "toplevel_name": "My managed bookmarks folder" }, { "name": "Google", "url": "google.com" }, { "name": "Youtube", "url": "youtube.com" }, { "children": [ { "name": "Chromium", "url": "chromium.org" }, { "name": "Chromium Developers", "url": "dev.chromium.org" } ], "name": "Chrome links" } ]
Mac:: <key>ManagedBookmarks</key> <array> <dict> <key>toplevel_name</key> <string>My managed bookmarks folder</string> </dict> <dict> <key>name</key> <string>Google</string> <key>url</key> <string>google.com</string> </dict> <dict> <key>name</key> <string>Youtube</string> <key>url</key> <string>youtube.com</string> </dict> <dict> <key>children</key> <array> <dict> <key>name</key> <string>Chromium</string> <key>url</key> <string>chromium.org</string> </dict> <dict> <key>name</key> <string>Chromium Developers</string> <key>url</key> <string>dev.chromium.org</string> </dict> </array> <key>name</key> <string>Chrome links</string> </dict> </array>

MaxConnectionsPerProxy

Maximal number of concurrent connections to the proxy server

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\MaxConnectionsPerProxy

Mac/Linux preference name:

MaxConnectionsPerProxy

Supported on:

Google Chrome (Linux, Mac, Windows) since version 14

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

Specifies the maximal number of simultaneous connections to the proxy server.

Some proxy servers can not handle high number of concurrent connections per client and this can be solved by setting this policy to a lower value.

The value of this policy should be lower than 100 and higher than 6 and the default value is 32.

Some web apps are known to consume many connections with hanging GETs, so lowering below 32 may lead to browser networking hangs if too many such web apps are open. Lower below the default at your own risk.

If this policy is left not set the default value will be used which is 32.

Example value:

0x00000020 (Windows), 32 (Linux), 32 (Mac)

MaxInvalidationFetchDelay

Maximum fetch delay after a policy invalidation

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\MaxInvalidationFetchDelay

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\MaxInvalidationFetchDelay

Mac/Linux preference name:

MaxInvalidationFetchDelay

Supported on:

Google Chrome (Linux, Mac, Windows) since version 30
Google Chrome OS (Google Chrome OS) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies the maximum delay in milliseconds between receiving a policy invalidation and fetching the new policy from the device management service.

Setting this policy overrides the default value of 5000 milliseconds. Valid values for this policy are in the range from 1000 (1 second) to 300000 (5 minutes). Any values not in this range will be clamped to the respective boundary.

Leaving this policy not set will make Google Chrome use the default value of 5000 milliseconds.

Example value:

0x00002710 (Windows), 10000 (Linux), 10000 (Mac)

MediaRouterCastAllowAllIPs

Allow Google Cast to connect to Cast devices on all IP addresses.

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\MediaRouterCastAllowAllIPs

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\MediaRouterCastAllowAllIPs

Mac/Linux preference name:

MediaRouterCastAllowAllIPs

Supported on:

Google Chrome (Linux, Mac, Windows) since version 67
Google Chrome OS (Google Chrome OS) since version 67

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this policy is set to true, Google Cast will connect to Cast devices on all IP addresses, not just RFC1918/RFC4193 private addresses.

If this policy is set to false, Google Cast will connect to Cast devices on RFC1918/RFC4193 private addresses only.

If this policy is not set, Google Cast will connect to Cast devices on RFC1918/RFC4193 private addresses only, unless the CastAllowAllIPs feature is enabled.

If the policy "EnableMediaRouter" is set to false, then this policy's value would have no effect.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

MetricsReportingEnabled

Enable reporting of usage and crash-related data

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\MetricsReportingEnabled

Mac/Linux preference name:

MetricsReportingEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: No, Per Profile: No

Description:

Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting.

If this setting is enabled, anonymous reporting of usage and crash-related data is sent to Google. If it is disabled, this information is not sent to Google. In both cases, users cannot change or override the setting. If this policy is left not set, the setting will be what the user chose upon installation / first run.

This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain. or Windows 10 Pro or Enterprise instances that enrolled for device management. (For Chrome OS, see DeviceMetricsReportingEnabled.)

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

NTPContentSuggestionsEnabled

Show content suggestions on the New Tab page

Data type:

Boolean

Android restriction name:

NTPContentSuggestionsEnabled

Supported on:

Google Chrome (Android) since version 54

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If this is set to true or not set, the New Tab page may show content suggestions based on the user's browsing history, interests, or location.

If this is set to false, automatically-generated content suggestions are not shown on the New Tab page.

Example value:

true (Android)

NetworkPredictionOptions

Enable network prediction

Data type:

Integer [Android:choice, Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\NetworkPredictionOptions

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\NetworkPredictionOptions

Mac/Linux preference name:

NetworkPredictionOptions

Android restriction name:

NetworkPredictionOptions

Supported on:

Google Chrome (Linux, Mac, Windows) since version 38
Google Chrome OS (Google Chrome OS) since version 38
Google Chrome (Android) since version 38

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables network prediction in Google Chrome and prevents users from changing this setting.

This controls DNS prefetching, TCP and SSL preconnection and prerendering of web pages.

If you set this policy, users cannot change or override this setting in Google Chrome.

If this policy is left not set, network prediction will be enabled but the user will be able to change it.

0 = Predict network actions on any network connection
1 = Predict network actions on any network that is not cellular. (Deprecated in 50, removed in 52. After 52, if value 1 is set, it will be treated as 0 - predict network actions on any network connection.)
2 = Do not predict network actions on any network connection

Example value:

0x00000001 (Windows), 1 (Linux), 1 (Android), 1 (Mac)

NoteTakingAppsLockScreenWhitelist

Whitelist note-taking apps allowed on the Google Chrome OS lock screen

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\NoteTakingAppsLockScreenWhitelist

Supported on:

Google Chrome OS (Google Chrome OS) since version 61

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies list of apps that can be enabled as a note-taking app on the Google Chrome OS lock screen.

If the preferred note-taking app is enabled on the lock screen, the lock screen will contain UI element for launching the preferred note taking app. When launched, the app will be able to create an app window on top of the lock screen, and create data items (notes) in the lock screen context. The app will be able to import created notes to the primary user session, when the session is unlocked. Currently, only Chrome note-taking apps are supported on the lock screen.

If the policy is set, the user will be allowed to enable an app on the lock screen only if the app's extension ID is contained in the policy list value. As a consequence, setting this policy to an empty list will disable note-taking on the lock screen entirely. Note that the policy containing an app ID does not necessarily mean that the user will be able to enable the app as a note-taking app on the lock screen - for example, on Chrome 61, the set of available apps is additionally restricted by the platform.

If the policy is left unset, there will be no restrictions on the set of apps the user can enable on the lock screen imposed by the policy.

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\NoteTakingAppsLockScreenWhitelist\1 = "abcdefghabcdefghabcdefghabcdefgh"

OpenNetworkConfiguration

User-level network configuration

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\OpenNetworkConfiguration

Supported on:

Google Chrome OS (Google Chrome OS) since version 16

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows pushing network configuration to be applied per-user to a Google Chrome OS device. The network configuration is a JSON-formatted string as defined by the Open Network Configuration format.

Note for Google Chrome OS devices supporting Android apps:

Android apps can use the network configurations and CA certificates set via this policy, but do not have access to some configuration options.

Expanded schema description:

https://chromium.googlesource.com/chromium/src/+/master/components/onc/docs/onc_spec.md

Example value:

OverrideSecurityRestrictionsOnInsecureOrigin

Origins or hostname patterns for which restrictions on insecure origins should not apply

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\OverrideSecurityRestrictionsOnInsecureOrigin

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\OverrideSecurityRestrictionsOnInsecureOrigin

Mac/Linux preference name:

OverrideSecurityRestrictionsOnInsecureOrigin

Android restriction name:

OverrideSecurityRestrictionsOnInsecureOrigin

Supported on:

Google Chrome (Linux, Mac, Windows) since version 69
Google Chrome OS (Google Chrome OS) since version 69
Google Chrome (Android) since version 69

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

The policy specifies a list of origins (URLs) or hostname patterns (such as "*.example.com") for which security restrictions on insecure origins will not apply.

The intent is to allow organizations to set whitelist origins for legacy applications that cannot deploy TLS, or to set up a staging server for internal web development so that their developers can test out features requiring secure contexts without having to deploy TLS on the staging server. This policy will also prevent the origin from being labeled "Not Secure" in the omnibox.

Setting a list of URLs in this policy has the same effect as setting the command-line flag '--unsafely-treat-insecure-origin-as-secure' to a comma-separated list of the same URLs. If the policy is set, it will override the command-line flag.

This policy will override UnsafelyTreatInsecureOriginAsSecure, if present.

For more information on secure contexts, see https://www.w3.org/TR/secure-contexts/.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\OverrideSecurityRestrictionsOnInsecureOrigin\1 = "http://testserver.example.com/" Software\Policies\Google\Chrome\OverrideSecurityRestrictionsOnInsecureOrigin\2 = "*.example.org"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\OverrideSecurityRestrictionsOnInsecureOrigin\1 = "http://testserver.example.com/" Software\Policies\Google\ChromeOS\OverrideSecurityRestrictionsOnInsecureOrigin\2 = "*.example.org"
Android/Linux:: [ "http://testserver.example.com/", "*.example.org" ]
Mac:: <array> <string>http://testserver.example.com/</string> <string>*.example.org</string> </array>

ParentAccessCodeConfig

Parent Access Code Configuration

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ParentAccessCodeConfig

Supported on:

Google Chrome OS (Google Chrome OS) since version 73

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy specifies configuration that is used to generate and verify Parent Access Code.

This policy applies only to child user. When this policy is set Parent Access Code can be verified on child user's device. When this policy is unset it is not possible to verify Parent Access Code on child user's device.

Schema:

{ "properties": { "current_config": { "description": "Configuration used to generate and verify Parent Access Code.", "id": "Config", "properties": { "access_code_ttl": { "description": "Time that access code is valid for (in seconds).", "maximum": 3600, "minimum": 60, "type": "integer" }, "clock_drift_tolerance": { "description": "The allowed difference between the clock on child and parent devices (in seconds).", "maximum": 1800, "minimum": 0, "type": "integer" }, "shared_secret": { "description": "Secret shared between child and parent devices.", "type": "string" } }, "type": "object" }, "future_config": { "$ref": "Config" }, "old_configs": { "items": { "$ref": "Config" }, "type": "array" } }, "sensitiveValue": true, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\ParentAccessCodeConfig = { "current_config": { "access_code_ttl": 600, "clock_drift_tolerance": 300, "shared_secret": "oOA9nX02LdhYdOzwMsGof+QA3wUKP4YMNlk9S/W3o+w=" }, "future_config": { "access_code_ttl": 600, "clock_drift_tolerance": 300, "shared_secret": "KMsoIjnpvcWmiU1GHchp2blR96mNyJwS" }, "old_configs": [ { "access_code_ttl": 600, "clock_drift_tolerance": 300, "shared_secret": "sTr6jqMTJGCbLhWI5plFTQb/VsqxwX2Q" } ] }

PinnedLauncherApps

List of pinned apps to show in the launcher

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PinnedLauncherApps

Supported on:

Google Chrome OS (Google Chrome OS) since version 20

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Lists the application identifiers Google Chrome OS shows as pinned apps in the launcher bar.

Chrome Apps are specified by their Id, e.g. "pjkljhegncpnkpknbcohdijeoejaedia", Android Apps by their package name, e.g. "com.google.android.gm", and Web Apps are specified by the URL used in WebAppInstallForceList e.g. "https://google.com/maps".

If this policy is configured, the set of applications is fixed and can't be changed by the user.

If this policy is left unset, the user may change the list of pinned apps in the launcher.

Note for Google Chrome OS devices supporting Android apps:

This policy can also be used to pin Android apps.

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\PinnedLauncherApps\1 = "pjkljhegncpnkpknbcohdijeoejaedia" Software\Policies\Google\ChromeOS\PinnedLauncherApps\2 = "com.google.android.gm" Software\Policies\Google\ChromeOS\PinnedLauncherApps\3 = "https://google.com/maps"

PolicyDictionaryMultipleSourceMergeList

Allow merging dictionary policies from different sources

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\PolicyDictionaryMultipleSourceMergeList

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PolicyDictionaryMultipleSourceMergeList

Mac/Linux preference name:

PolicyDictionaryMultipleSourceMergeList

Supported on:

Google Chrome (Linux, Mac, Windows) since version 76
Google Chrome OS (Google Chrome OS) since version 76

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows the selected policies to be merged when they come from different sources, with the same scopes and level.

The merging consists in merging the first level keys of the dictionary from each source. In case of conflict between keys, the key coming from the highest priority source will be applied.

If a policy is in the list, in case there is conflict between two sources, given that they have the same scopes and level, the values will be merged into a new policy dictionary.

If a policy is in the list, in case there is conflict between two sources but also between different scopes and/or level, the policy with the highest priority will be applied.

If a policy is not in the list, in case there is any conflict between sources, scopes and/or level, the policy with the highest priority will be applied.

"ContentPackManualBehaviorURLs" = Managed user manual exception URLs
"DeviceLoginScreenPowerManagement" = Power management on the login screen
"ExtensionSettings" = Extension management settings
"KeyPermissions" = Key Permissions
"PowerManagementIdleSettings" = Power management settings when the user becomes idle
"ScreenBrightnessPercent" = Screen brightness percent
"ScreenLockDelays" = Screen lock delays

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\PolicyDictionaryMultipleSourceMergeList\1 = "ExtensionSettings"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\PolicyDictionaryMultipleSourceMergeList\1 = "ExtensionSettings"
Android/Linux:: [ "ExtensionSettings" ]
Mac:: <array> <string>ExtensionSettings</string> </array>

PolicyListMultipleSourceMergeList

Allow merging list policies from different sources

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\PolicyListMultipleSourceMergeList

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PolicyListMultipleSourceMergeList

Mac/Linux preference name:

PolicyListMultipleSourceMergeList

Supported on:

Google Chrome (Linux, Mac, Windows) since version 75
Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows the selected policies to be merged when they come from different sources, with the same scopes and level.

If a policy is in the list, in case there is conflict between two sources, given that they have the same scopes and level, the values will be merged into a new policy list.

If a policy is in the list, in case there is conflict between two sources but also between different scopes and/or level, the policy with the highest priority will be applied.

If a policy is not in the list, in case there is any conflict between sources, scopes and/or level, the policy with the highest priority will be applied.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\PolicyListMultipleSourceMergeList\1 = "ExtensionInstallWhitelist" Software\Policies\Google\Chrome\PolicyListMultipleSourceMergeList\2 = "ExtensionInstallBlacklist"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\PolicyListMultipleSourceMergeList\1 = "ExtensionInstallWhitelist" Software\Policies\Google\ChromeOS\PolicyListMultipleSourceMergeList\2 = "ExtensionInstallBlacklist"
Android/Linux:: [ "ExtensionInstallWhitelist", "ExtensionInstallBlacklist" ]
Mac:: <array> <string>ExtensionInstallWhitelist</string> <string>ExtensionInstallBlacklist</string> </array>

PolicyRefreshRate

Refresh rate for user policy

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PolicyRefreshRate

Supported on:

Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies the period in milliseconds at which the device management service is queried for user policy information.

Setting this policy overrides the default value of 3 hours. Valid values for this policy are in the range from 1800000 (30 minutes) to 86400000 (1 day). Any values not in this range will be clamped to the respective boundary. If the platform supports policy notifications, the refresh delay will be set to 24 hours because it is expected that policy notifications will force a refresh automatically whenever policy changes.

Leaving this policy not set will make Google Chrome use the default value of 3 hours.

Example value:

0x0036ee80 (Windows)

PromotionalTabsEnabled

Enable showing full-tab promotional content

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\PromotionalTabsEnabled

Mac/Linux preference name:

PromotionalTabsEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 69

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Allows you to control the presentation of full-tab promotional and/or educational content in Google Chrome.

If not configured or enabled (set to true), Google Chrome may show full-tab content to users to provide product information.

If disabled (set to false), Google Chrome will not show full-tab content to users to provide product information.

This setting controls the presentation of the welcome pages that help users sign into Google Chrome, choose it as their default browser, or otherwise inform them of product features.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

PromptForDownloadLocation

Ask where to save each file before downloading

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\PromptForDownloadLocation

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\PromptForDownloadLocation

Mac/Linux preference name:

PromptForDownloadLocation

Supported on:

Google Chrome (Linux, Mac, Windows) since version 64
Google Chrome OS (Google Chrome OS) since version 64

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If the policy is enabled, the user will be asked where to save each file before downloading. If the policy is disabled, downloads will start immediately, and the user will not be asked where to save the file. If the policy is not configured, the user will be able to change this setting.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

ProxySettings

Proxy settings

Data type:

Dictionary [Android:string, Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ProxySettings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ProxySettings

Mac/Linux preference name:

ProxySettings

Android restriction name:

ProxySettings

Supported on:

Google Chrome (Linux, Mac, Windows) since version 18
Google Chrome OS (Google Chrome OS) since version 18
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Configures the proxy settings for Google Chrome. These proxy settings will be available for ARC-apps too.

If you enable this setting, Google Chrome and ARC-apps ignore all proxy-related options specified from the command line.

Leaving this policy not set will allow the users to choose the proxy settings on their own.

If the ProxySettings policy is set, it will override any of the individual policies ProxyMode, ProxyPacUrl, ProxyServer, ProxyBypassList and ProxyServerMode.

The ProxyMode field allows you to specify the proxy server used by Google Chrome and prevents users from changing proxy settings.

The ProxyPacUrl field is a URL to a proxy .pac file.

The ProxyServer field is a URL of the proxy server.

The ProxyBypassList field is a list of proxy hosts that Google Chrome will bypass.

The ProxyServerMode field is deprecated in favor of the field 'ProxyMode'. It allows you to specify the proxy server used by Google Chrome and prevents users from changing proxy settings.

If you choose the value 'direct' as 'ProxyMode', a proxy will never be used and all other fields will be ignored.

If you choose the value 'system' as 'ProxyMode', the systems's proxy will be used and all other fields will be ignored.

If you choose the value 'auto_detect' as 'ProxyMode', all other fields will be ignored.

If you choose the value 'fixed_server' as 'ProxyMode', the 'ProxyServer' and 'ProxyBypassList' fields will be used.

If you choose the value 'pac_script' as 'ProxyMode', the 'ProxyPacUrl' and 'ProxyBypassList' fields will be used.

Note for Google Chrome OS devices supporting Android apps:

Only a subset of proxy configuration options are made available to Android apps. Android apps may voluntarily choose to use the proxy. You cannot force them to use a proxy.

Schema:

{ "properties": { "ProxyBypassList": { "type": "string" }, "ProxyMode": { "enum": [ "direct", "auto_detect", "pac_script", "fixed_servers", "system" ], "type": "string" }, "ProxyPacUrl": { "type": "string" }, "ProxyServer": { "type": "string" }, "ProxyServerMode": { "$ref": "ProxyServerMode" } }, "type": "object" }

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\ProxySettings = { "ProxyBypassList": "https://www.example1.com,https://www.example2.com,https://internalsite/", "ProxyMode": "direct", "ProxyPacUrl": "https://internal.site/example.pac", "ProxyServer": "123.123.123.123:8080", "ProxyServerMode": 2 }
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\ProxySettings = { "ProxyBypassList": "https://www.example1.com,https://www.example2.com,https://internalsite/", "ProxyMode": "direct", "ProxyPacUrl": "https://internal.site/example.pac", "ProxyServer": "123.123.123.123:8080", "ProxyServerMode": 2 }
Android/Linux:: ProxySettings: { "ProxyBypassList": "https://www.example1.com,https://www.example2.com,https://internalsite/", "ProxyMode": "direct", "ProxyPacUrl": "https://internal.site/example.pac", "ProxyServer": "123.123.123.123:8080", "ProxyServerMode": 2 }
Mac:: <key>ProxySettings</key> <dict> <key>ProxyBypassList</key> <string>https://www.example1.com,https://www.example2.com,https://internalsite/</string> <key>ProxyMode</key> <string>direct</string> <key>ProxyPacUrl</key> <string>https://internal.site/example.pac</string> <key>ProxyServer</key> <string>123.123.123.123:8080</string> <key>ProxyServerMode</key> <integer>2</integer> </dict>

QuicAllowed

Allow QUIC protocol

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\QuicAllowed

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\QuicAllowed

Mac/Linux preference name:

QuicAllowed

Supported on:

Google Chrome (Linux, Mac, Windows) since version 43
Google Chrome OS (Google Chrome OS) since version 43

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

If this policy is set to true or not set usage of QUIC protocol in Google Chrome is allowed. If this policy is set to false usage of QUIC protocol is disallowed.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

RelaunchHeadsUpPeriod

Set the time of the first user relaunch notification

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RelaunchHeadsUpPeriod

Supported on:

Google Chrome OS (Google Chrome OS) since version 76

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Allows you to set the time period, in milliseconds, between the first notification that a Google Chrome OS device must be restarted to apply a pending update and the end of the time period specified by the RelaunchNotificationPeriod policy.

If not set, the default period of 86400000 milliseconds (one day) is used for Google Chrome OS devices.

Restrictions:

Minimum:3600000

Example value:

0x05265c00 (Windows)

RelaunchNotification

Notify a user that a browser relaunch or device restart is recommended or required

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RelaunchNotification

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RelaunchNotification

Mac/Linux preference name:

RelaunchNotification

Supported on:

Google Chrome (Linux, Mac, Windows) since version 66
Google Chrome OS (Google Chrome OS) since version 70

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Notify users that Google Chrome must be relaunched or Google Chrome OS must be restarted to apply a pending update.

This policy setting enables notifications to inform the user that a browser relaunch or device restart is recommended or required. If not set, Google Chrome indicates to the user that a relaunch is needed via subtle changes to its menu, while Google Chrome OS indicates such via a notification in the system tray. If set to 'Recommended', a recurring warning will be shown to the user that a relaunch is recommended. The user can dismiss this warning to defer the relaunch. If set to 'Required', a recurring warning will be shown to the user indicating that a browser relaunch will be forced once the notification period passes. The default period is seven days for Google Chrome and four days for Google Chrome OS, and may be configured via the RelaunchNotificationPeriod policy setting.

The user's session is restored following the relaunch/restart.

1 = Show a recurring prompt to the user indicating that a relaunch is recommended
2 = Show a recurring prompt to the user indicating that a relaunch is required

Example value:

0x00000001 (Windows), 1 (Linux), 1 (Mac)

RelaunchNotificationPeriod

Set the time period for update notifications

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RelaunchNotificationPeriod

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RelaunchNotificationPeriod

Mac/Linux preference name:

RelaunchNotificationPeriod

Supported on:

Google Chrome (Linux, Mac, Windows) since version 67
Google Chrome OS (Google Chrome OS) since version 67

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Allows you to set the time period, in milliseconds, over which users are notified that Google Chrome must be relaunched or that a Google Chrome OS device must be restarted to apply a pending update.

Over this time period, the user will be repeatedly informed of the need for an update. For Google Chrome OS devices, a restart notification appears in the system tray according to the RelaunchHeadsUpPeriod policy. For Google Chrome browsers, the app menu changes to indicate that a relaunch is needed once one third of the notification period passes. This notification changes color once two thirds of the notification period passes, and again once the full notification period has passed. The additional notifications enabled by the RelaunchNotification policy follow this same schedule.

If not set, the default period of 345600000 milliseconds (four days) is used for Google Chrome OS devices and 604800000 milliseconds (one week) for Google Chrome.

Restrictions:

Minimum:3600000

Example value:

0x240c8400 (Windows), 604800000 (Linux), 604800000 (Mac)

ReportCrostiniUsageEnabled

Report information about usage of Linux apps

Data type:

Boolean

Supported on:

Google Chrome OS (Google Chrome OS) since version 70

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Information about the usage of Linux apps is sent back to the server.

If the policy is set to false or left unset, no usage information is reported. If set to true, usage information is reported.

This policy only applies if Linux app support is enabled.

RequireOnlineRevocationChecksForLocalAnchors

Require online OCSP/CRL checks for local trust anchors

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RequireOnlineRevocationChecksForLocalAnchors

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RequireOnlineRevocationChecksForLocalAnchors

Mac/Linux preference name:

RequireOnlineRevocationChecksForLocalAnchors

Supported on:

Google Chrome OS (Google Chrome OS) since version 30
Google Chrome (Linux) since version 30
Google Chrome (Windows) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

When this setting is enabled, Google Chrome will always perform revocation checking for server certificates that successfully validate and are signed by locally-installed CA certificates.

If Google Chrome is unable to obtain revocation status information, such certificates will be treated as revoked ('hard-fail').

If this policy is not set, or it is set to false, then Google Chrome will use the existing online revocation checking settings.

Example value:

0x00000000 (Windows), false (Linux)

RestrictAccountsToPatterns

Restrict accounts that are visible in Google Chrome

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Android restriction name:

RestrictAccountsToPatterns

Supported on:

Google Chrome (Android) since version 65

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Contains a list of patterns which are used to control the visiblity of accounts in Google Chrome.

Each Google account on the device will be compared to patterns stored in this policy to determine the account visibility in Google Chrome. The account will be visible if its name matches any pattern on the list. Otherwise, the account will be hidden.

Use the wildcard character '*' to match zero or more arbitrary characters. The escape character is '\', so to match actual '*' or '\' characters, put a '\' in front of them.

If this policy is not set, all Google accounts on the device will be visible in Google Chrome.

Example value:

Android/Linux:: [ "*@example.com", "user@managedchrome.com" ]

RestrictSigninToPattern

Restrict which Google accounts are allowed to be set as browser primary accounts in Google Chrome

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RestrictSigninToPattern

Mac/Linux preference name:

RestrictSigninToPattern

Supported on:

Google Chrome (Linux, Mac, Windows) since version 21

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Contains a regular expression which is used to determine which Google accounts can be set as browser primary accounts in Google Chrome (i.e. the account that is chosen during the Sync opt-in flow).

An appropriate error is displayed if a user tries to set a browser primary account with a username that does not match this pattern.

If this policy is left not set or blank, then the user can set any Google account as a browser primary account in Google Chrome.

Example value:

".*@example.com"

RoamingProfileLocation

Set the roaming profile directory

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RoamingProfileLocation

Supported on:

Google Chrome (Windows) since version 57

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

Configures the directory that Google Chrome will use for storing the roaming copy of the profiles.

If you set this policy, Google Chrome will use the provided directory to store the roaming copy of the profiles if the RoamingProfileSupportEnabled policy has been enabled. If the RoamingProfileSupportEnabled policy is disabled or left unset the value stored in this policy is not used.

See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.

If this policy is left not set the default roaming profile path will be used.

Example value:

"${roaming_app_data}\chrome-profile"

RoamingProfileSupportEnabled

Enable the creation of roaming copies for Google Chrome profile data

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RoamingProfileSupportEnabled

Supported on:

Google Chrome (Windows) since version 57

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

If you enable this setting, the settings stored in Google Chrome profiles like bookmarks, autofill data, passwords, etc. will also be written to a file stored in the Roaming user profile folder or a location specified by the Administrator through the RoamingProfileLocation policy. Enabling this policy disables cloud sync.

If this policy is disabled or left not set only the regular local profiles will be used.

The SyncDisabled policy disables all data synchronization, overriding RoamingProfileSupportEnabled.

Example value:

0x00000001 (Windows)

RunAllFlashInAllowMode

Extend Flash content setting to all content

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\RunAllFlashInAllowMode

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\RunAllFlashInAllowMode

Mac/Linux preference name:

RunAllFlashInAllowMode

Supported on:

Google Chrome (Linux, Mac, Windows) since version 63
Google Chrome OS (Google Chrome OS) since version 63

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If you enable this setting, all Flash content embedded on websites that have been set to allow Flash in content settings -- either by the user or by enterprise policy -- will be run, including content from other origins or small content.

To control which websites are allowed to run Flash, see the "DefaultPluginsSetting", "PluginsAllowedForUrls", and "PluginsBlockedForUrls" policies.

If this setting is disabled or not set, Flash content from other origins or small content might be blocked.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

SAMLOfflineSigninTimeLimit

Limit the time for which a user authenticated via SAML can log in offline

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SAMLOfflineSigninTimeLimit

Supported on:

Google Chrome OS (Google Chrome OS) since version 34

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

During login, Google Chrome OS can authenticate against a server (online) or using a cached password (offline).

When this policy is set to a value of -1, the user can authenticate offline indefinitely. When this policy is set to any other value, it specifies the length of time since the last online authentication after which the user must use online authentication again.

Leaving this policy not set will make Google Chrome OS use a default time limit of 14 days after which the user must use online authentication again.

This policy affects only users who authenticated using SAML.

The policy value should be specified in seconds.

Restrictions:

Minimum:-1

Example value:

0x00000020 (Windows)

SSLErrorOverrideAllowed

Allow proceeding from the SSL warning page

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SSLErrorOverrideAllowed

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SSLErrorOverrideAllowed

Mac/Linux preference name:

SSLErrorOverrideAllowed

Android restriction name:

SSLErrorOverrideAllowed

Supported on:

Google Chrome (Linux, Mac, Windows) since version 44
Google Chrome OS (Google Chrome OS) since version 44
Google Chrome (Android) since version 44

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Chrome shows a warning page when users navigate to sites that have SSL errors. By default or when this policy is set to true, users are allowed to click through these warning pages. Setting this policy to false disallows users to click through any warning page.

Example value:

0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)

SSLVersionMin

Minimum SSL version enabled

Data type:

String [Android:choice, Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SSLVersionMin

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SSLVersionMin

Mac/Linux preference name:

SSLVersionMin

Android restriction name:

SSLVersionMin

Supported on:

Google Chrome (Linux, Mac, Windows) since version 66
Google Chrome OS (Google Chrome OS) since version 66
Google Chrome (Android) since version 66

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this policy is not configured then Google Chrome uses a default minimum version which is TLS 1.0.

Otherwise it may be set to one of the following values: "tls1", "tls1.1" or "tls1.2". When set, Google Chrome will not use SSL/TLS versions less than the specified version. An unrecognized value will be ignored.

"tls1" = TLS 1.0
"tls1.1" = TLS 1.1
"tls1.2" = TLS 1.2

Example value:

"tls1"

SafeBrowsingForTrustedSourcesEnabled

Enable Safe Browsing for trusted sources

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SafeBrowsingForTrustedSourcesEnabled

Supported on:

Google Chrome (Windows) since version 61

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Identify if Google Chrome can allow download without Safe Browsing checks when it's from a trusted source.

When False, downloaded files will not be sent to be analyzed by Safe Browsing when it's from a trusted source.

When not set (or set to True), downloaded files are sent to be analyzed by Safe Browsing, even when it's from a trusted source.

This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain. or Windows 10 Pro or Enterprise instances that enrolled for device management.

Example value:

0x00000000 (Windows)

SafeSitesFilterBehavior

Control SafeSites adult content filtering.

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SafeSitesFilterBehavior

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SafeSitesFilterBehavior

Mac/Linux preference name:

SafeSitesFilterBehavior

Supported on:

Google Chrome (Linux, Mac, Windows) since version 69
Google Chrome OS (Google Chrome OS) since version 69

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy controls the application of the SafeSites URL filter. This filter uses the Google Safe Search API to classify URLs as pornographic or not.

When this policy is not configured or set to "Do not filter sites for adult content", sites will not be filtered.

When this policy is set to "Filter top level sites for adult content", sites classified as pornographic will be filtered.

0 = Do not filter sites for adult content
1 = Filter top level sites (but not embedded iframes) for adult content

Example value:

0x00000000 (Windows), 0 (Linux), 0 (Mac)

SavingBrowserHistoryDisabled

Disable saving browser history

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SavingBrowserHistoryDisabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SavingBrowserHistoryDisabled

Mac/Linux preference name:

SavingBrowserHistoryDisabled

Android restriction name:

SavingBrowserHistoryDisabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Disables saving browser history in Google Chrome and prevents users from changing this setting.

If this setting is enabled, browsing history is not saved. This setting also disables tab syncing.

If this setting is disabled or not set, browsing history is saved.

Example value:

0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)

SchedulerConfiguration

Select task scheduler configuration

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SchedulerConfiguration

Supported on:

Google Chrome OS (Google Chrome OS) since version 74

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Instructs Google Chrome OS to use the task scheduler configuration identified by the specified name.

This policy can be set to "conservative" and "performance", which select task scheduler configurations that are tuned for stability vs. maximum performance, respectively.

If the policy is left unset, the user can make their own choice.

"conservative" = Optimize for stability.
"performance" = Optimize for performance.

Example value:

"performance"

SearchSuggestEnabled

Enable search suggestions

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SearchSuggestEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SearchSuggestEnabled

Mac/Linux preference name:

SearchSuggestEnabled

Android restriction name:

SearchSuggestEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11
Google Chrome (Android) since version 30

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables search suggestions in Google Chrome's omnibox and prevents users from changing this setting.

If you enable this setting, search suggestions are used.

If you disable this setting, search suggestions are never used.

If you enable or disable this setting, users cannot change or override this setting in Google Chrome.

If this policy is left not set, this will be enabled but the user will be able to change it.

Example value:

0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)

SecondaryGoogleAccountSigninAllowed

Allow Multiple Sign-in Within the Browser

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SecondaryGoogleAccountSigninAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 65

Supported features:

Dynamic Policy Refresh: No, Per Profile: Yes

Description:

This setting allows users to switch between Google accounts within the content area of their browser window after they sign into their Google Chrome OS device.

If this policy is set to false, signing in to a different account from non-Incognito browser content area will not be allowed.

If this policy is unset or set to true, the default behavior will be used: signing in to a different account from the browser content area will be allowed, except for child accounts where it will be blocked for non-Incognito content area.

In case signing in to a different account shouldn't be allowed via the Incognito mode, consider blocking that mode using the IncognitoModeAvailability policy.

Note that users will be able to access Google services in an unauthenticated state by blocking their cookies.

Example value:

0x00000000 (Windows)

SecurityKeyPermitAttestation

URLs/domains automatically permitted direct Security Key attestation

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SecurityKeyPermitAttestation

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SecurityKeyPermitAttestation

Mac/Linux preference name:

SecurityKeyPermitAttestation

Supported on:

Google Chrome (Linux, Mac, Windows) since version 65
Google Chrome OS (Google Chrome OS) since version 65

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies URLs and domains for which no prompt will be shown when attestation certificates from Security Keys are requested. Additionally, a signal will be sent to the Security Key indicating that individual attestation may be used. Without this, users will be prompted in Chrome 65+ when sites request attestation of Security Keys.

URLs (like https://example.com/some/path) will only match as U2F appIDs. Domains (like example.com) only match as webauthn RP IDs. Thus, to cover both U2F and webauthn APIs for a given site, both the appID URL and domain would need to be listed.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\SecurityKeyPermitAttestation\1 = "https://example.com"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\SecurityKeyPermitAttestation\1 = "https://example.com"
Android/Linux:: [ "https://example.com" ]
Mac:: <array> <string>https://example.com</string> </array>

SelectToSpeakEnabled

Enable select to speak

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SelectToSpeakEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 77

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enable the select to speak accessibility feature.

If this policy is set to true, the select to speak will always be enabled.

If this policy is set to false, the select to speak will always be disabled.

If you set this policy, users cannot change or override it.

If this policy is left unset, the select to speak is disabled initially but can be enabled by the user anytime.

Example value:

0x00000001 (Windows)

SessionLengthLimit

Limit the length of a user session

Data type:

Integer [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SessionLengthLimit

Supported on:

Google Chrome OS (Google Chrome OS) since version 25

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

When this policy is set, it specifies the length of time after which a user is automatically logged out, terminating the session. The user is informed about the remaining time by a countdown timer shown in the system tray.

When this policy is not set, the session length is not limited.

If you set this policy, users cannot change or override it.

The policy value should be specified in milliseconds. Values are clamped to a range of 30 seconds to 24 hours.

Example value:

0x0036ee80 (Windows)

SessionLocales

Set the recommended locales for a managed session

Data type:

List of strings

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SessionLocales

Supported on:

Google Chrome OS (Google Chrome OS) since version 38

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Sets one or more recommended locales for a managed session, allowing users to easily choose one of these locales.

The user can choose a locale and a keyboard layout before starting a managed session. By default, all locales supported by Google Chrome OS are listed in alphabetic order. You can use this policy to move a set of recommended locales to the top of the list.

If this policy is not set, the current UI locale will be pre-selected.

If this policy is set, the recommended locales will be moved to the top of the list and will be visually separated from all other locales. The recommended locales will be listed in the order in which they appear in the policy. The first recommended locale will be pre-selected.

If there is more than one recommended locale, it is assumed that users will want to select among these locales. Locale and keyboard layout selection will be prominently offered when starting a managed session. Otherwise, it is assumed that most users will want to use the pre-selected locale. Locale and keyboard layout selection will be less prominently offered when starting a managed session.

When this policy is set and automatic login is enabled (see the |DeviceLocalAccountAutoLoginId| and |DeviceLocalAccountAutoLoginDelay| policies), the automatically started managed session will use the first recommended locale and the most popular keyboard layout matching this locale.

The pre-selected keyboard layout will always be the most popular layout matching the pre-selected locale.

This policy can only be set as recommended. You can use this policy to move a set of recommended locales to the top but users are always allowed to choose any locale supported by Google Chrome OS for their session.

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\SessionLocales\1 = "de" Software\Policies\Google\ChromeOS\SessionLocales\2 = "fr"

ShelfAutoHideBehavior

Control shelf auto-hiding

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ShelfAutoHideBehavior

Supported on:

Google Chrome OS (Google Chrome OS) since version 25

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Control auto-hiding of the Google Chrome OS shelf.

If this policy is set to 'AlwaysAutoHideShelf', the shelf will always auto-hide.

If this policy is set to 'NeverAutoHideShelf', the shelf never auto-hide.

If you set this policy, users cannot change or override it.

If the policy is left not set, users can choose whether the shelf should auto-hide.

"Always" = Always auto-hide the shelf
"Never" = Never auto-hide the shelf

Example value:

"Always"

ShowAppsShortcutInBookmarkBar

Show the apps shortcut in the bookmark bar

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ShowAppsShortcutInBookmarkBar

Mac/Linux preference name:

ShowAppsShortcutInBookmarkBar

Supported on:

Google Chrome (Linux, Mac, Windows) since version 37

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables or disables the apps shortcut in the bookmark bar.

If this policy is not set then the user can choose to show or hide the apps shortcut from the bookmark bar context menu.

If this policy is configured then the user can't change it, and the apps shortcut is always shown or never shown.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

ShowLogoutButtonInTray

Add a logout button to the system tray

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\ShowLogoutButtonInTray

Supported on:

Google Chrome OS (Google Chrome OS) since version 25

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If enabled, a big, red logout button is shown in the system tray while a session is active and the screen is not locked.

If disabled or not specified, no big, red logout button is shown in the system tray.

Example value:

0x00000001 (Windows)

SignedHTTPExchangeEnabled

Enable Signed HTTP Exchange (SXG) support

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SignedHTTPExchangeEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SignedHTTPExchangeEnabled

Mac/Linux preference name:

SignedHTTPExchangeEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 75
Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enable support for Signed HTTP Exchange (SXG).

If this policy is unset or set to Enabled, Google Chrome will accept web contents served as Signed HTTP Exchanges.

If this policy is set to Disabled, Signed HTTP Exchanges cannot be loaded.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

SigninAllowed (deprecated)

Allow sign in to Google Chrome

See deprecated policy SigninAllowed

SitePerProcess

Enable Site Isolation for every site

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SitePerProcess

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SitePerProcess

Mac/Linux preference name:

SitePerProcess

Supported on:

Google Chrome (Linux, Mac, Windows) since version 63
Google Chrome OS (Google Chrome OS) since version 63

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

This setting, SitePerProcess, may be used to disallow users from opting out of the default behavior of isolating all sites. Note that the IsolateOrigins policy may also be useful for isolating additional, finer-grained origins. If the policy is enabled, users will be unable to opt out of the default behavior where each site runs in its own process. If the policy is not configured or disabled, the user will be able to opt out of site isolation (e.g. using "Disable site isolation" entry in chrome://flags). Setting the policy to disabled and/or not configuring the policy does not turn off Site Isolation. On Google Chrome OS version 76 and earlier, it is recommended to also set the DeviceLoginScreenSitePerProcess device policy to the same value. If the values specified by the two policies don't match, a delay may be incurred when entering a user session while the value specified by user policy is being applied.

NOTE: This policy does not apply on Android. To enable SitePerProcess on Android, use the SitePerProcessAndroid policy setting.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

SitePerProcessAndroid

Enable Site Isolation for every site

Data type:

Boolean

Android restriction name:

SitePerProcessAndroid

Supported on:

Google Chrome (Android) since version 68

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

You might want to look at the IsolateOriginsAndroid policy setting to get the best of both worlds, isolation and limited impact for users, by using IsolateOriginsAndroid with a list of the sites you want to isolate. This setting, SitePerProcessAndroid, isolates all sites. If the policy is enabled, each site will run in its own process. If the policy is disabled, no explicit Site Isolation will happen and field trials of IsolateOriginsAndroid and SitePerProcessAndroid will be disabled. Users will still be able to enable SitePerProcess manually. If the policy is not configured, the user will be able to change this setting.

NOTE: On Android, Site Isolation is experimental. Support will improve over time, but currently it may cause performance problems.

NOTE: This policy applies only to Chrome on Android running on devices with strictly more than 1GB of RAM. To apply the policy on non-Android platforms, use SitePerProcess.

Example value:

true (Android)

SmartLockSigninAllowed

Allow Smart Lock Signin to be used.

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SmartLockSigninAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 71

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If this setting is enabled, users will be allowed to sign into their account with Smart Lock. This is more permissive than usual Smart Lock behavior which only allows users to unlock their screen.

If this setting is disabled, users will not be allowed to use Smart Lock Signin.

If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.

Example value:

0x00000001 (Windows)

SmsMessagesAllowed

Allow SMS Messages to be synced from phone to Chromebook.

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SmsMessagesAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 70

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If this setting is enabled, users will be allowed to set up their devices to sync SMS messages between their phones and Chromebooks. Note that if this policy is allowed, users must explicitly opt into this feature by completing a setup flow. Once the setup flow is complete, users will be able to send and receive SMS messages on their Chromebooks.

If this setting is disabled, users will not be allowed to set up SMS syncing.

If this policy is left not set, the default is not allowed for managed users and allowed for non-managed users.

Example value:

0x00000001 (Windows)

SpellCheckServiceEnabled

Enable or disable spell checking web service

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SpellCheckServiceEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SpellCheckServiceEnabled

Mac/Linux preference name:

SpellCheckServiceEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 22
Google Chrome OS (Google Chrome OS) since version 22

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Google Chrome can use a Google web service to help resolve spelling errors. If this setting is enabled, then this service is always used. If this setting is disabled, then this service is never used.

Spell checking can still be performed using a downloaded dictionary; this policy only controls the usage of the online service.

If this setting is not configured then users can choose whether the spell checking service should be used or not.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

SpellcheckEnabled

Enable spellcheck

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SpellcheckEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SpellcheckEnabled

Mac/Linux preference name:

SpellcheckEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 65
Google Chrome OS (Google Chrome OS) since version 65

Supported features:

Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If this policy is not set, the user can enable or disable spellcheck in the language settings.

If this policy is set to true, spellcheck is enabled and the user cannot disable it. On Microsoft® Windows, Google Chrome OS and Linux, spellcheck languages can be individually toggled on or off, so the user can still effectively disable spellcheck by toggling off every spellcheck language. To avoid that, the SpellcheckLanguage policy can be used to force specific spellcheck languages to be enabled.

If this policy is set to false, spellcheck is disabled and the user cannot enable it. The SpellcheckLanguage and SpellcheckLanguageBlacklist policies have no effect when this policy is set to false.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

SpellcheckLanguage

Force enable spellcheck languages

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SpellcheckLanguage

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SpellcheckLanguage

Mac/Linux preference name:

SpellcheckLanguage

Supported on:

Google Chrome (Windows) since version 65
Google Chrome (Linux) since version 65
Google Chrome OS (Google Chrome OS) since version 65

Supported features:

Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Force-enables spellcheck languages. Unrecognized languages in the list will be ignored.

If you enable this policy, spellcheck will be enabled for the languages specified, in addition to the languages for which the user has enabled spellcheck.

If you do not set this policy, or disable it, there will be no change to the user's spellcheck preferences.

If the SpellcheckEnabled policy is set to false, this policy will have no effect.

If a language is included in both this policy and the SpellcheckLanguageBlacklist policy, this policy is prioritized and the spellcheck language is enabled.

The currently supported languages are: af, bg, ca, cs, da, de, el, en-AU, en-CA, en-GB, en-US, es, es-419, es-AR, es-ES, es-MX, es-US, et, fa, fo, fr, he, hi, hr, hu, id, it, ko, lt, lv, nb, nl, pl, pt-BR, pt-PT, ro, ru, sh, sk, sl, sq, sr, sv, ta, tg, tr, uk, vi.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\SpellcheckLanguage\1 = "fr" Software\Policies\Google\Chrome\SpellcheckLanguage\2 = "es"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\SpellcheckLanguage\1 = "fr" Software\Policies\Google\ChromeOS\SpellcheckLanguage\2 = "es"
Android/Linux:: [ "fr", "es" ]

SpellcheckLanguageBlacklist

Force disable spellcheck languages

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SpellcheckLanguageBlacklist

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SpellcheckLanguageBlacklist

Mac/Linux preference name:

SpellcheckLanguageBlacklist

Supported on:

Google Chrome (Windows) since version 75
Google Chrome (Linux) since version 75
Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Force-disables spellcheck languages. Unrecognized languages in that list will be ignored.

If you enable this policy, spellcheck will be disabled for the languages specified. The user can still enable or disable spellcheck for languages not in the list.

If you do not set this policy, or disable it, there will be no change to the user's spellcheck preferences.

If the SpellcheckEnabled policy is set to false, this policy will have no effect.

If a language is included in both this policy and the SpellcheckLanguage policy, the latter is prioritized and the spellcheck language will be enabled.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\SpellcheckLanguageBlacklist\1 = "fr" Software\Policies\Google\Chrome\SpellcheckLanguageBlacklist\2 = "es"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\SpellcheckLanguageBlacklist\1 = "fr" Software\Policies\Google\ChromeOS\SpellcheckLanguageBlacklist\2 = "es"
Android/Linux:: [ "fr", "es" ]

StartupBrowserWindowLaunchSuppressed

Suppress launching of browser window

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\StartupBrowserWindowLaunchSuppressed

Supported on:

Google Chrome OS (Google Chrome OS) since version 76

Supported features:

Dynamic Policy Refresh: No, Per Profile: Yes

Description:

This policy controls whether the browser window should be launched at the start of the session.

If this policy is enabled, the browser window will not be launched.

If this policy is disabled or not set, the browser window is allowed to launch. Note that the browser window might not launch due to other policies or command-line flags.

Example value:

0x00000001 (Windows)

SuppressUnsupportedOSWarning

Suppress the unsupported OS warning

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SuppressUnsupportedOSWarning

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SuppressUnsupportedOSWarning

Mac/Linux preference name:

SuppressUnsupportedOSWarning

Supported on:

Google Chrome (Linux, Mac, Windows) since version 49
Google Chrome OS (Google Chrome OS) since version 49

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

Suppresses the warning that appears when Google Chrome is running on a computer or operating system that is no longer supported.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

SyncDisabled

Disable synchronization of data with Google

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\SyncDisabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\SyncDisabled

Mac/Linux preference name:

SyncDisabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 8
Google Chrome OS (Google Chrome OS) since version 11

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting.

If you enable this setting, users cannot change or override this setting in Google Chrome.

If this policy is left not set Google Sync will be available for the user to choose whether to use it or not.

To fully disable Google Sync, it is recommended that you disable the Google Sync service in the Google Admin console.

This policy should not be enabled when RoamingProfileSupportEnabled policy is set to enabled as that feature shares the same client side functionality. The Google-hosted synchronization is disabled in this case completely.

Note for Google Chrome OS devices supporting Android apps:

Disabling Google Sync will cause Android Backup and Restore to not function properly.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

TabLifecyclesEnabled

Enables or disables tab lifecycles

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\TabLifecyclesEnabled

Supported on:

Google Chrome (Windows) since version 69

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

The tab lifecyles feature reclaims CPU and eventually memory associated with running tabs that have not been used in a long period of time, by first throttling them, then freezing them and finally discarding them.

If the policy is set to false then tab lifecycles are disabled, and all tabs will be left running normally.

If the policy is set to true or left unspecified then tab lifecycles are enabled.

Example value:

0x00000000 (Windows)

TaskManagerEndProcessEnabled

Enable ending processes in Task Manager

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\TaskManagerEndProcessEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\TaskManagerEndProcessEnabled

Mac/Linux preference name:

TaskManagerEndProcessEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 52
Google Chrome OS (Google Chrome OS) since version 52

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If set to false, the 'End process' button is disabled in the Task Manager.

If set to true or not configured, the user can end processes in the Task Manager.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

TermsOfServiceURL

Set the Terms of Service for a device-local account

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\TermsOfServiceURL

Supported on:

Google Chrome OS (Google Chrome OS) since version 26

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Sets the Terms of Service that the user must accept before starting a device-local account session.

If this policy is set, Google Chrome OS will download the Terms of Service and present them to the user whenever a device-local account session is starting. The user will only be allowed into the session after accepting the Terms of Service.

If this policy is not set, no Terms of Service are shown.

The policy should be set to a URL from which Google Chrome OS can download the Terms of Service. The Terms of Service must be plain text, served as MIME type text/plain. No markup is allowed.

Example value:

"https://www.example.com/terms_of_service.txt"

ThirdPartyBlockingEnabled

Enable third party software injection blocking

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\ThirdPartyBlockingEnabled

Supported on:

Google Chrome (Windows) since version 65

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

If the policy is set to false then third party software will be allowed to inject executable code into Chrome's processes. If the policy is unset or set to true then third party software will be prevented from injecting executable code into Chrome's processes.

Regardless of the value of this policy, the browser will not currently block third party software from injecting executable code into its processes on a machine that is joined to a Microsoft® Active Directory® domain.

Example value:

0x00000000 (Windows)

TouchVirtualKeyboardEnabled

Enable virtual keyboard

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\TouchVirtualKeyboardEnabled

Supported on:

Google Chrome OS (Google Chrome OS) since version 37

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy configures enabling the virtual keyboard as an input device on ChromeOS. Users cannot override this policy.

If the policy is set to true, the on-screen virtual keyboard will always be enabled.

If set to false, the on-screen virtual keyboard will always be disabled.

If you set this policy, users cannot change or override it. However, users will still be able to enable/disable an accessibility on-screen keyboard which takes precedence over the virtual keyboard controlled by this policy. See the |VirtualKeyboardEnabled| policy for controlling the accessibility on-screen keyboard.

If this policy is left unset, the on-screen keyboard is disabled initially but can be enabled by the user anytime. Heuristic rules may also be used to decide when to display the keyboard.

Example value:

0x00000000 (Windows)

TranslateEnabled

Enable Translate

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\TranslateEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\TranslateEnabled

Mac/Linux preference name:

TranslateEnabled

Android restriction name:

TranslateEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 12
Google Chrome OS (Google Chrome OS) since version 12
Google Chrome (Android) since version 30

Supported features:

Can Be Recommended: Yes, Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enables the integrated Google Translate service on Google Chrome.

If you enable this setting, Google Chrome will offer translation functionality to the user by showing an integrated translate toolbar (when appropriate) and a translate option on the right-click context menu.

If you disable this setting, all built-in translate features will be disabled.

If you enable or disable this setting, users cannot change or override this setting in Google Chrome.

If this setting is left not set the user can decide to use this function or not.

Example value:

0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)

URLBlacklist

Block access to a list of URLs

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\URLBlacklist

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\URLBlacklist

Mac/Linux preference name:

URLBlacklist

Android restriction name:

URLBlacklist

Android WebView restriction name:

com.android.browser:URLBlacklist

Supported on:

Google Chrome (Linux, Mac, Windows) since version 15
Google Chrome OS (Google Chrome OS) since version 15
Google Chrome (Android) since version 30
Android System WebView (Android) since version 47

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy prevents the user from loading web pages from blacklisted URLs. The blacklist provides a list of URL patterns that specify which URLs will be blacklisted.

A URL pattern has to be formatted according to https://www.chromium.org/administrators/url-blacklist-filter-format.

Exceptions can be defined in the URL whitelist policy. These policies are limited to 1000 entries; subsequent entries will be ignored.

Note that it is not recommended to block internal 'chrome://*' URLs since this may lead to unexpected errors.

From M73 you can block 'javascript://*' URLs. However, it affects only JavaScript typed in address bar (or, for example, bookmarklets). Note that in-page JavaScript URLs, as long as dynamically loaded data, are not subject to this policy. For example, if you block 'example.com/abc', page 'example.com' will still be able to load 'example.com/abc' via XMLHTTPRequest.

If this policy is not set no URL will be blacklisted in the browser.

Note for Google Chrome OS devices supporting Android apps:

Android apps may voluntarily choose to honor this list. You cannot force them to honor it.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\URLBlacklist\1 = "example.com" Software\Policies\Google\Chrome\URLBlacklist\2 = "https://ssl.server.com" Software\Policies\Google\Chrome\URLBlacklist\3 = "hosting.com/bad_path" Software\Policies\Google\Chrome\URLBlacklist\4 = "https://server:8080/path" Software\Policies\Google\Chrome\URLBlacklist\5 = ".exact.hostname.com" Software\Policies\Google\Chrome\URLBlacklist\6 = "file://*" Software\Policies\Google\Chrome\URLBlacklist\7 = "custom_scheme:*" Software\Policies\Google\Chrome\URLBlacklist\8 = "*"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\URLBlacklist\1 = "example.com" Software\Policies\Google\ChromeOS\URLBlacklist\2 = "https://ssl.server.com" Software\Policies\Google\ChromeOS\URLBlacklist\3 = "hosting.com/bad_path" Software\Policies\Google\ChromeOS\URLBlacklist\4 = "https://server:8080/path" Software\Policies\Google\ChromeOS\URLBlacklist\5 = ".exact.hostname.com" Software\Policies\Google\ChromeOS\URLBlacklist\6 = "file://*" Software\Policies\Google\ChromeOS\URLBlacklist\7 = "custom_scheme:*" Software\Policies\Google\ChromeOS\URLBlacklist\8 = "*"
Android/Linux:: [ "example.com", "https://ssl.server.com", "hosting.com/bad_path", "https://server:8080/path", ".exact.hostname.com", "file://*", "custom_scheme:*", "*" ]
Mac:: <array> <string>example.com</string> <string>https://ssl.server.com</string> <string>hosting.com/bad_path</string> <string>https://server:8080/path</string> <string>.exact.hostname.com</string> <string>file://*</string> <string>custom_scheme:*</string> <string>*</string> </array>

URLWhitelist

Allow access to a list of URLs

Data type:

List of strings [Android:string] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\URLWhitelist

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\URLWhitelist

Mac/Linux preference name:

URLWhitelist

Android restriction name:

URLWhitelist

Android WebView restriction name:

com.android.browser:URLWhitelist

Supported on:

Google Chrome (Linux, Mac, Windows) since version 15
Google Chrome OS (Google Chrome OS) since version 15
Google Chrome (Android) since version 30
Android System WebView (Android) since version 47

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows access to the listed URLs, as exceptions to the URL blacklist.

See the description of the URL blacklist policy for the format of entries of this list.

This policy can be used to open exceptions to restrictive blacklists. For example, '*' can be blacklisted to block all requests, and this policy can be used to allow access to a limited list of URLs. It can be used to open exceptions to certain schemes, subdomains of other domains, ports, or specific paths.

The most specific filter will determine if a URL is blocked or allowed. The whitelist takes precedence over the blacklist.

This policy is limited to 1000 entries; subsequent entries will be ignored.

If this policy is not set there will be no exceptions to the blacklist from the 'URLBlacklist' policy.

Note for Google Chrome OS devices supporting Android apps:

Android apps may voluntarily choose to honor this list. You cannot force them to honor it.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\URLWhitelist\1 = "example.com" Software\Policies\Google\Chrome\URLWhitelist\2 = "https://ssl.server.com" Software\Policies\Google\Chrome\URLWhitelist\3 = "hosting.com/good_path" Software\Policies\Google\Chrome\URLWhitelist\4 = "https://server:8080/path" Software\Policies\Google\Chrome\URLWhitelist\5 = ".exact.hostname.com"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\URLWhitelist\1 = "example.com" Software\Policies\Google\ChromeOS\URLWhitelist\2 = "https://ssl.server.com" Software\Policies\Google\ChromeOS\URLWhitelist\3 = "hosting.com/good_path" Software\Policies\Google\ChromeOS\URLWhitelist\4 = "https://server:8080/path" Software\Policies\Google\ChromeOS\URLWhitelist\5 = ".exact.hostname.com"
Android/Linux:: [ "example.com", "https://ssl.server.com", "hosting.com/good_path", "https://server:8080/path", ".exact.hostname.com" ]
Mac:: <array> <string>example.com</string> <string>https://ssl.server.com</string> <string>hosting.com/good_path</string> <string>https://server:8080/path</string> <string>.exact.hostname.com</string> </array>

UnifiedDesktopEnabledByDefault

Make Unified Desktop available and turn on by default

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\UnifiedDesktopEnabledByDefault

Supported on:

Google Chrome OS (Google Chrome OS) since version 47

Supported features:

Can Be Recommended: No, Dynamic Policy Refresh: Yes, Per Profile: No

Description:

If this policy is set to true, Unified Desktop is allowed and enabled by default, which allows applications to span multiple displays. The user may disable Unified Desktop for individual displays by unchecking it in the display settings.

If this policy is set to false or unset, Unified Desktop will be disabled. In this case, the user cannot enable the feature.

Example value:

0x00000001 (Windows)

UnsafelyTreatInsecureOriginAsSecure (deprecated)

Origins or hostname patterns for which restrictions on insecure origins should not apply

See deprecated policy UnsafelyTreatInsecureOriginAsSecure

UrlKeyedAnonymizedDataCollectionEnabled

Enable URL-keyed anonymized data collection

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\UrlKeyedAnonymizedDataCollectionEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\UrlKeyedAnonymizedDataCollectionEnabled

Mac/Linux preference name:

UrlKeyedAnonymizedDataCollectionEnabled

Android restriction name:

UrlKeyedAnonymizedDataCollectionEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 69
Google Chrome OS (Google Chrome OS) since version 69
Google Chrome (Android) since version 70

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Enable URL-keyed anonymized data collection in Google Chrome and prevents users from changing this setting.

URL-keyed anonymized data collection sends URLs of pages the user visits to Google to make searches and browsing better.

If you enable this policy, URL-keyed anonymized data collection is always active.

If you disable this policy, URL-keyed anonymized data collection is never active.

If this policy is left not set, URL-keyed anonymized data collection will be enabled but the user will be able to change it.

Example value:

0x00000001 (Windows), true (Linux), true (Android), <true /> (Mac)

UsageTimeLimit

Time Limit

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\UsageTimeLimit

Supported on:

Google Chrome OS (Google Chrome OS) since version 69

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allows you to lock the user's session based on the client time or the usage quota of the day.

The |time_usage_limit| specifies a daily screen quota, so when the user reaches it, the user's session is locked. There is a property for each day of the week, and it should be set only if there is an active quota for that day. |usage_quota_mins| is the amount of time that the managed device can be use in a day and |reset_at| is the time when the usage quota is renewed. The default value for |reset_at| is midnight ({'hour': 0, 'minute': 0}). |last_updated_millis| is the UTC timestamp for the last time this entry was updated, it is sent as a string because the timestamp wouldn't fit in an integer.

|overrides| is provided to invalidate temporarily one or more of the previous rules. * If neither time_window_limit nor time_usage_limit is active |LOCK| can be used to lock the device. * |LOCK| temporarily locks a user session until the next time_window_limit or time_usage_limit starts. * |UNLOCK| unlocks a user's session locked by time_window_limit or time_usage_limit. |created_time_millis| is the UTC timestamp for the override creation, it is sent as a String because the timestamp wouldn't fit in an integer It is used to determine whether this override should still be applied. If the current active time limit feature (time usage limit or time window limit) started after the override was created, it should not take action. Also if the override was created before the last change of the active time_window_limit or time_usage_window it should not be applied.

Multiple overrides may be sent, the newest valid entry is the one that is going to be applied.

Schema:

{ "properties": { "overrides": { "items": { "properties": { "action": { "enum": [ "LOCK", "UNLOCK" ], "type": "string" }, "action_specific_data": { "properties": { "duration_mins": { "minimum": 0, "type": "integer" } }, "type": "object" }, "created_at_millis": { "type": "string" } }, "type": "object" }, "type": "array" }, "time_usage_limit": { "properties": { "friday": { "$ref": "TimeUsageLimitEntry" }, "monday": { "id": "TimeUsageLimitEntry", "properties": { "last_updated_millis": { "type": "string" }, "usage_quota_mins": { "minimum": 0, "type": "integer" } }, "type": "object" }, "reset_at": { "$ref": "Time" }, "saturday": { "$ref": "TimeUsageLimitEntry" }, "sunday": { "$ref": "TimeUsageLimitEntry" }, "thursday": { "$ref": "TimeUsageLimitEntry" }, "tuesday": { "$ref": "TimeUsageLimitEntry" }, "wednesday": { "$ref": "TimeUsageLimitEntry" } }, "type": "object" }, "time_window_limit": { "properties": { "entries": { "items": { "properties": { "effective_day": { "$ref": "WeekDay" }, "ends_at": { "$ref": "Time" }, "last_updated_millis": { "type": "string" }, "starts_at": { "id": "Time", "properties": { "hour": { "maximum": 23, "minimum": 0, "type": "integer" }, "minute": { "maximum": 59, "minimum": 0, "type": "integer" } }, "type": "object" } }, "type": "object" }, "type": "array" } }, "type": "object" } }, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\UsageTimeLimit = { "overrides": [ { "action": "UNLOCK", "action_specific_data": { "duration_mins": 30 }, "created_at_millis": "1250000" } ], "time_usage_limit": { "friday": { "last_updated_millis": "1200000", "usage_quota_mins": 120 }, "monday": { "last_updated_millis": "1200000", "usage_quota_mins": 120 }, "reset_at": { "hour": 6, "minute": 0 }, "saturday": { "last_updated_millis": "1200000", "usage_quota_mins": 120 }, "sunday": { "last_updated_millis": "1200000", "usage_quota_mins": 120 }, "thursday": { "last_updated_millis": "1200000", "usage_quota_mins": 120 }, "tuesday": { "last_updated_millis": "1200000", "usage_quota_mins": 120 }, "wednesday": { "last_updated_millis": "1200000", "usage_quota_mins": 120 } }, "time_window_limit": { "entries": [ { "effective_day": "WEDNESDAY", "ends_at": { "hour": 7, "minute": 30 }, "last_updated_millis": "1000000", "starts_at": { "hour": 21, "minute": 0 } } ] } }

UserAvatarImage

User avatar image

Data type:

External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\UserAvatarImage

Supported on:

Google Chrome OS (Google Chrome OS) since version 34

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy allows you to configure the avatar image representing the user on the login screen. The policy is set by specifying the URL from which Google Chrome OS can download the avatar image and a cryptographic hash used to verify the integrity of the download. The image must be in JPEG format, its size must not exceed 512kB. The URL must be accessible without any authentication.

The avatar image is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.

If this policy is set, Google Chrome OS will download and use the avatar image.

If you set this policy, users cannot change or override it.

If the policy is left not set, the user can choose the avatar image representing them on the login screen.

Schema:

{ "properties": { "hash": { "description": "The SHA-256 hash of the avatar image.", "type": "string" }, "url": { "description": "The URL from which the avatar image can be downloaded.", "type": "string" } }, "type": "object" }

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\UserAvatarImage = { "hash": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", "url": "https://example.com/avatar.jpg" }

UserDataDir

Set user data directory

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\UserDataDir

Mac/Linux preference name:

UserDataDir

Supported on:

Google Chrome (Windows) since version 11
Google Chrome (Mac) since version 11

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

Configures the directory that Google Chrome will use for storing user data.

If you set this policy, Google Chrome will use the provided directory regardless whether the user has specified the '--user-data-dir' flag or not. To avoid data loss or other unexpected errors this policy should not be set to a volume's root directory or to a directory used for other purposes, because Google Chrome manages its contents.

See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.

If this policy is left not set the default profile path will be used and the user will be able to override it with the '--user-data-dir' command line flag.

Example value:

"${users}/${user_name}/Chrome"

UserDisplayName

Set the display name for device-local accounts

Data type:

String [Windows:REG_SZ]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\UserDisplayName

Supported on:

Google Chrome OS (Google Chrome OS) since version 25

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Controls the account name Google Chrome OS shows on the login screen for the corresponding device-local account.

If this policy is set, the login screen will use the specified string in the picture-based login chooser for the corresponding device-local account.

If the policy is left not set, Google Chrome OS will use the device-local account's email account ID as the display name on the login screen.

This policy is ignored for regular user accounts.

Example value:

"Policy User"

UserFeedbackAllowed

Allow user feedback

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\UserFeedbackAllowed

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\UserFeedbackAllowed

Mac/Linux preference name:

UserFeedbackAllowed

Supported on:

Google Chrome (Linux, Mac, Windows) since version 77
Google Chrome OS (Google Chrome OS) since version 77

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Allow user feedback. If the policy is set to false, users can not send feedback to Google.

If the policy is unset or set to true, users can send feedback to Google via Menu->Help->Report an Issue or key combination.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

VideoCaptureAllowed

Allow or deny video capture

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\VideoCaptureAllowed

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\VideoCaptureAllowed

Mac/Linux preference name:

VideoCaptureAllowed

Supported on:

Google Chrome (Linux, Mac, Windows) since version 25
Google Chrome OS (Google Chrome OS) since version 25

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If enabled or not configured (default), the user will be prompted for video capture access except for URLs configured in the VideoCaptureAllowedUrls list which will be granted access without prompting.

When this policy is disabled, the user will never be prompted and video capture only be available to URLs configured in VideoCaptureAllowedUrls.

This policy affects all types of video inputs and not only the built-in camera.

Example value:

0x00000000 (Windows), false (Linux), <false /> (Mac)

VideoCaptureAllowedUrls

URLs that will be granted access to video capture devices without prompt

Data type:

List of strings

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\VideoCaptureAllowedUrls

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\VideoCaptureAllowedUrls

Mac/Linux preference name:

VideoCaptureAllowedUrls

Supported on:

Google Chrome (Linux, Mac, Windows) since version 29
Google Chrome OS (Google Chrome OS) since version 29

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Patterns in this list will be matched against the security origin of the requesting URL. If a match is found, access to video capture devices will be granted without prompt.

NOTE: Until version 45, this policy was only supported in Kiosk mode.

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\VideoCaptureAllowedUrls\1 = "https://www.example.com/" Software\Policies\Google\Chrome\VideoCaptureAllowedUrls\2 = "https://[*.]example.edu/"
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\VideoCaptureAllowedUrls\1 = "https://www.example.com/" Software\Policies\Google\ChromeOS\VideoCaptureAllowedUrls\2 = "https://[*.]example.edu/"
Android/Linux:: [ "https://www.example.com/", "https://[*.]example.edu/" ]
Mac:: <array> <string>https://www.example.com/</string> <string>https://[*.]example.edu/</string> </array>

VpnConfigAllowed

Allow the user to manage VPN connections

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\VpnConfigAllowed

Supported on:

Google Chrome OS (Google Chrome OS) since version 71

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: No

Description:

Allow the user to manage VPN connections.

If this policy is set to false, all Google Chrome OS user interfaces that would allow the user to disconnect or modify VPN connections are disabled.

If this policy is unset or set to true, users can disconnect or modify VPN connections as usual.

If the VPN connection is created via a VPN app, the UI inside the app remains unaffected by this policy. Therefore, the user might still be able to use the app to modify the VPN connection.

This policy is meant to be used together with the "Always on VPN" feature, that lets the admin decide to establish a VPN connection on boot.

Example value:

0x00000000 (Windows)

WPADQuickCheckEnabled

Enable WPAD optimization

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\WPADQuickCheckEnabled

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\WPADQuickCheckEnabled

Mac/Linux preference name:

WPADQuickCheckEnabled

Supported on:

Google Chrome (Linux, Mac, Windows) since version 35
Google Chrome OS (Google Chrome OS) since version 35

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

Allows to turn off WPAD (Web Proxy Auto-Discovery) optimization in Google Chrome.

If this policy is set to false, WPAD optimization is disabled causing Google Chrome to wait longer for DNS-based WPAD servers. If the policy is not set or is enabled, WPAD optimization is enabled.

Independent of whether or how this policy is set, the WPAD optimization setting cannot be changed by users.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

WallpaperImage

Wallpaper image

Data type:

External data reference [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\WallpaperImage

Supported on:

Google Chrome OS (Google Chrome OS) since version 35

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

This policy allows you to configure the wallpaper image that is shown on the desktop and on the login screen background for the user. The policy is set by specifying the URL from which Google Chrome OS can download the wallpaper image and a cryptographic hash used to verify the integrity of the download. The image must be in JPEG format, its file size must not exceed 16MB. The URL must be accessible without any authentication.

The wallpaper image is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.

If this policy is set, Google Chrome OS will download and use the wallpaper image.

If you set this policy, users cannot change or override it.

If the policy is left not set, the user can choose an image to be shown on the desktop and on the login screen background.

Schema:

Example value:

Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\WallpaperImage = { "hash": "baddecafbaddecafbaddecafbaddecafbaddecafbaddecafbaddecafbaddecaf", "url": "https://example.com/wallpaper.jpg" }

WebAppInstallForceList

Configure list of force-installed Web Apps

Data type:

Dictionary [Windows:REG_SZ] (encoded as a JSON string, for details see https://www.chromium.org/administrators/complex-policies-on-windows)

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\WebAppInstallForceList

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\WebAppInstallForceList

Mac/Linux preference name:

WebAppInstallForceList

Supported on:

Google Chrome (Linux, Mac, Windows) since version 75
Google Chrome OS (Google Chrome OS) since version 75

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

Specifies a list of websites that are installed silently, without user interaction, and which cannot be uninstalled nor disabled by the user.

Each list item of the policy is an object with a mandatory member: "url" and two optional members: "default_launch_container" and "create_desktop_shortcut". "url" should be the URL of the web app to install, "launch_container" should be either "window" or "tab" to indicate how the Web App will be opened once installed, and "create_desktop_shortcut" should be true if a desktop shortcut should be created on Linux and Windows. If "default_launch_container" is omitted, the app will open in a tab by default. Regardless of the value of "default_launch_container", users are able to change which container the app will open in. If "create_desktop_shortcuts" is omitted, no desktop shortcuts will be created. See PinnedLauncherApps policy for pinning apps to the ChromeOS shelf.

Schema:

{ "items": { "properties": { "create_desktop_shortcut": { "type": "boolean" }, "default_launch_container": { "enum": [ "tab", "window" ], "type": "string" }, "url": { "type": "string" } }, "required": [ "url" ], "type": "object" }, "type": "array" }

Example value:

Windows (Windows clients):: Software\Policies\Google\Chrome\WebAppInstallForceList = [ { "create_desktop_shortcut": true, "default_launch_container": "window", "url": "https://www.google.com/maps" }, { "default_launch_container": "tab", "url": "https://docs.google.com" } ]
Windows (Google Chrome OS clients):: Software\Policies\Google\ChromeOS\WebAppInstallForceList = [ { "create_desktop_shortcut": true, "default_launch_container": "window", "url": "https://www.google.com/maps" }, { "default_launch_container": "tab", "url": "https://docs.google.com" } ]
Android/Linux:: WebAppInstallForceList: [ { "create_desktop_shortcut": true, "default_launch_container": "window", "url": "https://www.google.com/maps" }, { "default_launch_container": "tab", "url": "https://docs.google.com" } ]
Mac:: <key>WebAppInstallForceList</key> <array> <dict> <key>create_desktop_shortcut</key> <true/> <key>default_launch_container</key> <string>window</string> <key>url</key> <string>https://www.google.com/maps</string> </dict> <dict> <key>default_launch_container</key> <string>tab</string> <key>url</key> <string>https://docs.google.com</string> </dict> </array>

WebDriverOverridesIncompatiblePolicies

Allow WebDriver to Override Incompatible Policies

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\WebDriverOverridesIncompatiblePolicies

Mac/Linux preference name:

WebDriverOverridesIncompatiblePolicies

Supported on:

Google Chrome (Linux, Mac, Windows) since version 65

Supported features:

Dynamic Policy Refresh: No, Per Profile: No

Description:

This policy allows users of the WebDriver feature to override policies which can interfere with its operation.

Currently this policy disables SitePerProcess and IsolateOrigins policies.

If the policy is enabled, WebDriver will be able to override incomaptible policies. If the policy is disabled or not configured, WebDriver will not be allowed to override incompatible policies.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

WebRtcEventLogCollectionAllowed

Allow collection of WebRTC event logs from Google services

Data type:

Boolean [Windows:REG_DWORD]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\WebRtcEventLogCollectionAllowed

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\WebRtcEventLogCollectionAllowed

Mac/Linux preference name:

WebRtcEventLogCollectionAllowed

Supported on:

Google Chrome (Linux, Mac, Windows) since version 70
Google Chrome OS (Google Chrome OS) since version 70

Supported features:

Dynamic Policy Refresh: Yes, Per Profile: Yes

Description:

If the policy is set to true, Google Chrome is allowed to collect WebRTC event logs from Google services (e.g. Google Meet), and upload those logs to Google.

If the policy is set to false, or is unset, Google Chrome may not collect nor upload such logs.

These logs contain diagnostic information helpful when debugging issues with audio or video calls in Chrome, such as the time and size of sent and received RTP packets, feedback about congestion on the network, and metadata about time and quality of audio and video frames. These logs do not contain audio or video contents from the call.

This data collection by Chrome can only be triggered by Google's web services, such as Google Hangouts or Google Meet.

Google may associate these logs, by means of a session ID, with other logs collected by the Google service itself; this is intended to make debugging easier.

Example value:

0x00000001 (Windows), true (Linux), <true /> (Mac)

WebRtcUdpPortRange

Restrict the range of local UDP ports used by WebRTC

Data type:

String [Windows:REG_SZ]

Windows registry location for Windows clients:

Software\Policies\Google\Chrome\WebRtcUdpPortRange

Windows registry location for Google Chrome OS clients:

Software\Policies\Google\ChromeOS\WebRtcUdpPortRange

Mac/Linux preference name:

WebRtcUdpPortRange

Android restriction name:

WebRtcUdpPortRange

Supported on:

Google Chrome (Linux, Mac, Windows) since version 54
Google Chrome OS (Google Chrome OS) since version 54
Google Chrome (Android) since version 54

Supported features:

Dynamic Policy Refresh: No, Per Profile: Yes

Description:

If the policy is set, the UDP port range used by WebRTC is restricted to the specified port interval (endpoints included).

If the policy is not set, or if it is set to the empty string or an invalid port range, WebRTC is allowed to use any available local UDP port.

Example value:

"10000-11999"

Subpages (5): Atomic Policy Groups Cookie Legacy SameSite Policies Deprecated Policies Extension Settings Full Description Supported Directory Variables

Comments