Set Chrome policies for users or browsers

For administrators who manage Chrome policies from the Google Admin console.

You can enforce Chrome policies from your Admin console that apply to:

  • User accounts to sync policies and preferences across a user's devices. Settings apply whenever the user signs in to Chrome Browser with their managed account on any device.  
  • Enrolled browsers to enforce policies when users open Chrome Browser on managed Microsoft® Windows®, Apple® Mac®, or Linux computers. Signing in is not required.

Step 1: Understand when settings apply

Exactly when your Chrome policies are enforced depends on whether you set them for user accounts or enrolled browsers. 

Policies set for users

Available with G Suite, Chrome Browser Enterprise Support, Chrome Enterprise Upgrade, Chromebook Enterprise devices, and Cloud Identity.

Apply when users sign in with a managed Google Account on any device:

Don't apply when users:

  • Sign in to a Google Account outside of your organization, such as a personal Gmail account.
  • Sign in to a Chromebook as a guest.

Best for work settings and preferences that should sync across devices (work apps, home tabs, themes, and so on.)

Policies set for enrolled browsers

  • Apply when users open Chrome Browser on a computer where the browser is enrolled (Windows, Mac, or Linux).
  • Signing in is not required.
  • Best for policies that you want to enforce at the device level (security settings, blocked apps, and so on.).

Get started: Set up Chrome Browser Cloud Management

Step 2: Configure settings in your Admin console

Before you begin: To configure settings for a specific group of user accounts or enrolled Chrome Browsers, put the users or browsers in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devicesand thenChrome management.
  3. On the left, click Chrome browser management.
  4. Click User & browser settings
  5. To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. Configure the settings you want. Learn about each setting.

    Tip: Quickly find a setting by entering text in Search settings at the top.

    You see Inherited if a setting is inherited from a parent. Or, you see Locally applied if the setting is overridden for the child.

  7. Click Save.

    Settings typically take effect in minutes, but can take up to 24 hours to apply for everyone.

Learn about each setting

Many settings allow you to enforce a policy that users cannot change or set a default that users can change. For example, you can specify a homepage that everyone must use or let people set their own homepage.

Tip: Many admins leave the default settings and only configure settings, such as startup pages, new tab pages, apps and extensions, and themes.
 

General

Maximum user session length

Controls how long user sessions last. The remaining session time is shown on a countdown timer in the user's system tray. After the specified time, users are automatically signed out and the session ends. Enter a value between 1 minute and 1440 minutes (24 hours). For unlimited sessions, do not enter a value.

Custom avatar
Replaces the default avatar with a custom avatar. You can upload images in JPG format (.jpg or .jpeg files) that are no larger than 512 KB. Other file types are not supported.
Custom wallpaper

Replaces the default wallpaper with your own custom wallpaper. You can upload images in JPG format (.jpg or .jpeg files) up to a size of 16 MB. Other file types are not supported.

Smart Lock for Chrome

Available with Android 5.0 Lollipop and later devices and Chrome devices with Chrome version 40 and later.

Allows your users to unlock their Chrome device without a password using an Android phone. If the user and the devices are nearby, the user no longer needs to enter a password to unlock their Chrome device.

Sign-in settings


Specifies whether users can sign in to Chrome Browser and sync browser information to their Google Account.

Choose one of these options:

  • Disable browser sign-in—Users can’t sign in to Chrome Browser or sync browser information to their Google Account.
  • Enable browser sign-in—Users can sign in to Chrome Browser and sync browser information to their Google Account. Chrome Browser automatically signs in users when they sign in to a Google service, such as Gmail.
  • Force users to sign-in to use the browser—Forces users to sign in to Chrome Browser before they can use it. Chrome Browser does not let secondary users sign in. Sync is turned on by default and users can’t change it.


Allows you to specify a regular expression that determines which Google accounts can be set as browser primary accounts in Chrome Browser. For example, the value .*@example.com restricts sign in to accounts in the example.com domain.

If a user tries to set a browser primary account with a username that does not match your specified pattern, an error is displayed.

If this setting is not set or blank, the user can set any Google account as a browser primary account in Chrome Browser.

Mobile

Chrome Mobile (BETA)

Warning: An experimental feature—Inform your users before changing this setting. To provide feedback or report issues, fill out this form.

This setting allows you to select if supported policies should apply to Chrome Browser on mobile devices. Chrome Browser management needs to be turned on before enabling this setting. Once Chrome Browser management and this setting are enabled, users who are signed in to Chrome Browser on Android with your organization's account will begin receiving the settings you set. When a user signs out of a managed account, the policy stops applying and the local profile on the device is deleted.

Enrollment Controls

Open all  |  Close all

Microsoft® Active Directory®

You must be signed in as a super administrator for this task.

Enable Active Directory Management

Selecting Enable Active Directory Management lets you manage Chrome devices using Microsoft® Active Directory® or your Admin console. Use the Device management mode setting, described below, to specify whether devices that are enrolled by users in the selected organizational unit are integrated to Active Directory. You can see devices in your Google Admin console and domain controllers. For details, see Set up devices for Active Directory.

Identity Provider Metadata

Only available if you manage Chrome devices with Active Directory

To let Active Directory users access the Google Play Store, you need to upload the Active Directory Federation Services (AD FS) file. Then, apps that you approve for the domain will automatically show up for users when they open the managed Google Play store. For details, see Configure your domain to access the managed Google Play Store.

Domain Join Configuration

Only available if you manage Chrome devices with Active Directory

Upload a configuration template to minimize the amount of information that users need to enter when they’re joining their devices to the Active Directory domain. Users are prompted to only enter the Chromebook machine name and choose their configuration, such as sales or engineering.

Device management mode

Specifies whether Chrome devices are managed using Microsoft® Active Directory® or your Admin console. If you select Active Directory, devices that are enrolled by users in the selected organizational unit are integrated to Active Directory. You apply policies to them using Group Policy.

Device enrollment

Only takes effect if the device is being enrolled into the domain for the first time or if the device was previously deprovisioned

Selecting Keep Chrome device in current location means that when you enroll the Chrome device, it stays in the top-level organizational unit for your domain and pulls device settings from there.

Selecting Place Chrome device in user organization means that when you enroll the Chrome device, the device is placed in the organizational unit that the enrolling user is in. The settings you've applied for that user's organizational unit are applied to the device.

Place Chrome device in user organization is a useful setting if you need to manually enroll many devices. The device settings unique to the user's organizational unit are automatically added to the device, instead of requiring an additional step of manually moving each device into a specific organizational unit after enrollment.

Asset identifier during enrollment

The Asset identifier during enrollment setting controls whether users can add an asset ID and location for a device when they enroll it:

  • If you select Do not allow for users in this organization, users don't have the option to enter the asset ID and location.
  • If you select Users in this organization can provide asset ID and location during enrollment, users can enter the asset ID and location of the device.

If you choose to allow users to enter the asset ID and location, the Device information page is shown with pre-existing data for the fields or blank if no data exists. The user can edit or enter the device details before they complete enrollment to populate the asset ID and location fields in the Admin console and at chrome://policy.

Enrollment permissions

By default, users in this organizational unit are allowed to enroll a new or re-enroll a deprovisioned device. Enrolling a new device or re-enrolling a deprovisioned device consumes an upgrade. Users can also re-enroll a device that was wiped or factory reset. Re-enrolling a device that was wiped or factory reset doesn't consume a new upgrade because the device is still managed.

Selecting Only allow users in this organization to re-enroll existing devices (cannot enroll new or deprovisioned devices) allows users to only re-enroll devices that were wiped or factory reset, but not deprovisioned. They can’t enroll new or re-enroll deprovisioned devices (anytime an upgrade would be consumed).

Selecting Do not allow users in this organization to enroll new or re-enroll existing devices prevents users from enrolling or re-enrolling any device, which includes re-enrolling through forced re-enrollment.

Apps & extensions

The new apps and extensions page centralizes all app and extension provisioning:

  • Allow and block apps
  • Force-install apps
  • Pin apps to the taskbar

The application settings page includes additional app and extension settings:
  • Install sources
  • Allowed app types
  • Block extensions by permission
  • Chrome Web Store homepage and permissions
Task manager

This setting allows you to block users from ending processes with the Chrome task manager. By default, users can end processes using the task manager.

Select Allow users to end processes with the Chrome task manager to allow users to end processes using the task manager.

If you select Block users from ending processes with the Chrome task manager, it means users can't end processes using the task manager. If you choose this setting, users can still open the task manager, but can’t use it to end a process because the End process button is disabled.

Site isolation

Site isolation

Turns on site isolation for managed Chrome Browser users on Chrome devices. Isolate websites and origins that you specify.

  • Turn on site isolation for all websites—Every site runs in a dedicated rendering process. All sites are isolated from each other. (Default setting if you don't specify anything)
  • Turn off site isolation for all websites, except those set below—Only the sites you specify run in a separate process. Each entry runs in a dedicated rendering process. 

You can also enter a list of origins, separated by commas, to isolate them from their respective websites. For example, you could enter https://login.example.com to isolate it from the rest of the https://example.com website.

For details, see Protect your data with site isolation.

Site isolation (Chrome on Android)

Turn on site isolation for managed Chrome Browser users on Android devices. Isolate websites and origins that you specify.

Note: Enabling site isolation on Android devices can reduce Chrome Browser performance, so it's disabled by default on Android.

  • Allow user to choose to enable site isolation—User can choose whether to turn on site isolation.
  • Turn on site isolation for all websites—Every site runs in a dedicated rendering process. All sites are isolated from each other. 
  • Turn off site isolation for all websites, except those set below—Only the sites you specify run in a separate process. Each entry runs in a dedicated rendering process.

You can also enter a list of origins, separated by commas, to isolate them from their respective websites. For example, you could enter https://login.example.com to isolate it from the rest of the https://example.com website.

Security

Open all  |  Close all

Password manager

When you choose Always allow use of password manager, users can have Chrome Browser remember passwords and provide them automatically the next time they sign in to a site. If you choose Never allow use of password manager, users cannot save new passwords but they can still use passwords that were previously saved. You can allow the user to configure password manager, or you can specify that it's always allowed or disallowed.

Lock screen

Turns on or off the lock screen on a user’s device. If you disable the lock screen (Do not allow locking screen), the system signs out the user in cases where the lock screen would normally have activated. Idle settings that lead to the lock screen (for example, Lock screen on sleep) will also sign the user out.

Quick unlock

Specifies whether users can use quick unlock modes, including PIN and fingerprint, to unlock the lock screen on their device.

Idle settings

Idle time in minutes

To specify the amount of idle time before a user’s device goes to sleep or signs them out, enter a value in minutes. To use the system default, which varies by device, leave the box empty.

Action on idle

Select what you want the device to do after the idle time expires:

  • Sleep—If you want the device to go into Sleep mode
  • Logout—If you want to sign out the current user
  • Lock Screen—If you want to lock the screen on the user's device without signing them out

Action on lid close

Select if you want a user's device to go to sleep or sign them out when they close the device lid.

Lock screen on sleep

Select to lock a user’s screen when the device goes to sleep or let the user decide. If you select Allow user to configure, users configure the option in their device settings.

Incognito mode

Specifies whether users can browse in Incognito mode.

Choose Disallow incognito mode to prevent users from opening new Incognito windows. However, it does not close Incognito windows that are already open or prevent users from opening new tabs in those windows.

Browser history

Controls whether the browser saves the user's browsing history.

Clear browser history

Specifies whether users can clear browser data, including their browsing and download history.

Note: Preventing users from clearing browser data doesn't guarantee that browser and download history is kept. For example, if a user deletes their profile, their browsing history is cleared.

Force ephemeral mode

Specifies whether users browse in Ephemeral mode or not.

Ephemeral mode lets your employees to work from their personal laptop or a shared device that they trust, while reducing the chances of any browsing information being left behind on their device.

Note: If you use this setting, we recommend that you do not disable Chrome sync in the Admin console.

Online revocation checks

If you select Perform online OCSP/CRL checks, Chrome devices will perform online revocation checks of HTTPS certificates.

Geolocation

Sets whether websites are allowed to track the user's physical location.

In the case of Chrome Browser, this policy corresponds to the user options in their Chrome settings. Tracking the physical location can be allowed by default, denied by default, or the user can be asked each time a website requests the physical location.

In the case of Android apps running on Chrome, if this policy is set to denied by default, Android apps cannot access location information. If you set this policy to any other value or leave it unset, the user is asked to consent when an Android app wants to access location information.

Single sign-on online login frequency

Sets the frequency of forced online sign-in flows for SAML-based single sign-on accounts. 

When you set this policy, each time users sign out after the set frequency period, they must go through the online sign-in flow for SAML-based single sign-on accounts.

Sign-on frequency options:

  • Every day
  • Every 3 days
  • Every week
  • Every 2 weeks
  • Every 3 weeks
  • Every 4 weeks
  • Never

Important: Before using this policy, review the requirements in Configure SAML single sign-on for Chrome devices.

Single sign-on

Allows you to enable or disable SAML-based single sign-on for Chrome devices.

Important: Before using this policy, review the requirements in Configure SAML single sign-on for Chrome devices.

RC4 cipher suite in TLS

Allows you to temporarily enable or disable Rivest Cipher 4 (RC4) cipher suite in TLS if certain legacy servers need it.

Note: RC4 is not secure. We recommend that you reconfigure servers to support AES encryption.

Local trust anchor certificates

Local anchors common name fallback

Controls whether to allow or block certificates issued by local trust anchors that are missing the subjectAlternativeName extension. When this setting is enabled, Chrome Browser will use the commonName of a server certificate to match a host name if the certificate is missing a subjectAlternativeName extension, as long as it successfully validates and chains to a locally-installed CA certificate.

Note: Enabling is not recommended—It might allow bypassing the nameConstraints extension that restricts the host names for a given authorized certificate.

Symantec Corporation's legacy PKI infrastructure

Allows certificates issued by Symantec Corporation's Legacy PKI operations to be trusted if they otherwise successfully validate and chain to a recognized CA certificate. For non-Chrome OS systems, this policy depends on the operating system still recognizing certificates from Symantec's legacy infrastructure. If an OS update changes the OS handling of certificates, this policy no longer has an effect. This policy is intended as a temporary workaround to give enterprises more time to transition away from legacy Symantec certificates.

Certificate transparency URL whitelist

Specifies URLs where certificate-transparency requirements are not enforced on certificates. In turn, Chrome Browser can use certificates that were issued by the Certificate Authority (CA) and not publicly disclosed. If the CA issues illegitimate certificates for a specified URL, they might not be detected.

Only the host name portion of the URL is matched. Wildcard host names are not supported. For URL syntax, see Allow or deny websites—URL filter format.

Certificate transparency CA whitelist

If a certificate chain contains certificates with a specified subjectPublicKeyInfo hash, certificate transparency requirements are not enforced on certificates. Therefore, Chrome Browser can use certificates that were issued by the Certificate Authority (CA) to an organization but were not publicly disclosed.

For details on specifying a subjectPublicKeyInfo hash, see the CertificateTransparencyEnforcementDisabledForCas policy.

Certificate transparency legacy CA whitelist

If a certificate chain contains certificates issued by a legacy Certificate Authority (CA) with a specified subjectPublicKeyInfo hash, certificate transparency requirements are not enforced on certificates. Legacy CAs are trusted by some operating systems that run Chrome Browser, but not Chrome OS or Android. Chrome Browser can use certificates that were issued to an organization but were not publicly disclosed.

For details on specifying subjectPublicKeyInfo hashes, see the CertificateTransparencyEnforcementDisabledForLegacyCas policy.

CPU task scheduler

Specifies whether Intel® Hyper-Threading Technology® is optimized for stability or performance. Hyper-Threading Technology uses processor resources more efficiently and increases processor throughput.

Enable renderer code integrity

When on, prevents unknown and potentially hostile code from loading inside Chrome Browser renderer processes. By default, Enable renderer code integrity is turned on.

Unless you have compatibility issues with third-party software that must run inside Chrome Browser renderer processes, we do not recommend turning off this setting. If you turn off Enable renderer code integrity, it can impact Chrome Browser security and stability.

Enable leak detection for entered credentials

For Chrome Browser and devices running Chrome OS version 79 and later, controls whether Chrome checks for leaked usernames and passwords. 

This setting has no effect if Safe Browsing is not turned on. To make sure that Safe Browsing is turned on and users can’t change it, set the Safe Browsing setting to Always enable Safe Browsing. For details, see Safe Browsing.

Remote access

Remote access clients

Configures the required domain name for remote access clients and prevents users from changing the setting. Only clients from the specified domain can connect to the host device. If this setting is disabled or not set, the host allows connections from authorized users from any domain.

Curtaining of remote access hosts

Enables curtaining of a user's activity when remotely connected. If this setting is enabled, it prevents someone physically present at a host machine from seeing what a remotely-connected user is doing.

Elevated UI access for remote support

Allows your users in remote assistance sessions to execute commands with administrative privileges. If this setting is enabled, they can interact with elevated windows on the local user's desktop.

Session settings

Show logout button in tray

Select to show the sign out button explicitly in the shelf. This setting can be useful for users when they need to quickly sign out from a Chrome device.

Network

Open all  |  Close all

Proxy mode

Specifies how Chrome OS connects to the internet.

If you leave the setting at its default Allow user to configure, the user can change the proxy configuration in their Chrome settings. If you choose any of the other Proxy mode options, the user can't change the configuration.

  • Never use a proxy—Means that the Chrome device always establishes a direct connection to the internet without passing through a proxy server. A direct connection is also the default configuration for Chrome devices, if you do not set a policy and the user doesn't change the configuration.
  • Always auto detect the proxy—Instructs the Chrome device to determine which proxy server to connect to using the Web Proxy Autodiscovery Protocol (WPAD).
  • Always use the proxy specified below—Sets a specific proxy server for handling requests from this user. If you select this option, you need to enter the URL of the proxy server in the Proxy Server URL text box below. Format the Proxy Server URL as 'IP address:port', such as '192.168.1.1:3128'. Leave it empty for any other Proxy mode setting.
  • If there are any URLs that should bypass the proxy server that handles other user requests, enter them in the Proxy Bypass List text box. If you include multiple URLs, separate them by putting one URL per line.
  • Always use the proxy auto-config specified below—Inserts the URL of the .pac file that should be used for network connections for the Proxy Server Auto Configuration File URL.

How Chrome OS handles bad proxies

PROXY (foo) is how one names a proxy server in Proxy autoconfiguration scripts. If your first proxy doesn’t work, Chrome will try the second, marking the first as a bad proxy.

Currently, when applying a proxy list resolved through PAC, Chrome can rearrange the proxy choices based on the past availability of the proxy. For instance, when applying "PROXY foo1; PROXY foo2;" Chrome might start by trying foo2 if foo1 timed out the last time it was tried (within the past 5 minutes).

If foo2 succeeds, then Chrome will mark foo1 as a bad proxy and redo the priority of the proxy list by putting foo2 first for every other subsequent request.

For Chrome OS devices, the management URLs require a direct path to the internet. Filtering through proxy can cause unexpected functionality.

Android apps running on Chrome OS

If you have enabled Android Apps on supported Chrome devices, a subset of proxy settings is made available to Android apps, which they might voluntarily choose to honor. Typically, apps using Android System WebView or the in-built network stack will do so). If you choose:

  • Never use a proxy server—Android apps are informed that no proxy is configured.
  • Use system proxy settings or fixed server proxy—Android apps are provided with the http proxy server address and port.
  • Auto detect proxy server—The script URL "http://wpad/wpad.dat" is provided to Android apps. No other part of the proxy autodetection protocol is used.
  • .pac proxy script—The script URL is provided to Android apps.
Ignore proxy on captive portals

Specifies whether Chrome OS can bypass a configured proxy server for captive portal authentication. For example, captive portal pages such as landing or sign-in pages where users are prompted to accept terms or sign in before Chrome detects a successful internet connection.

A configured proxy server can be set:

  • In the Admin console using the Proxy mode setting
  • By users on their Chrome device in chrome://settings
  • By apps or extensions that are allowed to set or modify a proxy

When you set this policy to Ignore policies for captive portal pages, Chrome opens captive portal pages in a new window and ignores all settings and restrictions that are configured for the current user. When you set it to Keep policies for captive portal pages, Chrome opens captive portal pages in a new browser tab and applies the current user’s policies and restrictions.

Supported authentication schemes

Specifies which HTTP authentication schemes are supported. When a server or proxy accepts multiple authentication schemes, the supported authentication scheme with the highest security is selected. You can override the default behavior by disabling specific authentication schemes.

  • Basic—Most insecure method with authentication handled without any encryption.
  • Digest—A challenge-response scheme that is more secure than basic authentication.
  • NTLM—(NT LAN Manager) A more advanced challenge-response scheme that is more secure than digest.
  • Negotiate—The most secure option. We recommend this option if available. Otherwise, we recommend NTLM.
SSL record splitting

Only supported on Chrome devices

Enabling this setting will allow SSL record splitting in Chrome. Record splitting is a workaround for a weakness in SSL 3.0 and TLS 1.0 but can cause compatibility issues with some HTTPS servers and proxies.

Data compression proxy

Reduces cellular data usage and speeds up mobile web browsing by using proxy servers hosted at Google to optimize website content.

You can choose to Always enable data compression proxy or Always disable data compression proxy. The default setting is Allow the user to decide.

WebRTC UDP Ports

Allows you to specify a UDP port range to use for WebRTC connections from the user. The port range is 1024–65535 and the maximum should be greater than or equal to the minimum.

QUIC protocol

Allows the Quick UDP Internet Connections (QUIC) protocol to be used in Chrome. QUIC is a transport protocol that reduces latency compared to Transmission Control Protocol (TCP). For details, see Chromium.

DNS-over-HTTPS

Controls the default mode of the remote Domain Name System (DNS) resolution via the HTTPS protocol for each query. DNS-over-HTTPS (DoH) helps to improve safety and privacy while users are browsing the web. For example, attackers are prevented from observing what sites you visit or sending you to phishing websites.

Choose an option:

  • Disable DNS-over-HTTPS—Chrome never sends DoH queries to DNS servers. 
  • Enable DNS-over-HTTPS with insecure fallback—If a DNS server that supports DoH is available, Chrome first sends a DNS-over-HTTPS query. If an error is received or a server that supports DoH isn’t available, Chrome just sends a DNS query to the server instead.
  • Enable DNS-over-HTTPS without insecure fallback—Chrome sends DoH queries only to DNS servers.

If you enable DoH, you can add a list of the URI templates of DoH resolvers that you want to make available to your users. 

The default setting is Enable DNS-over-HTTPS with insecure fallback. However, sometimes it reverts to Disable DNS-over-HTTPS and users can’t change it. This happens if Chrome detects parental controls or enterprise policies. Chrome detects enterprise policies if:

  • You manage Chrome Browser on domain-joined computers.
  • You have set at least one active policy for Chrome Browser.
CORS legacy mode

Cross-Origin Resource Sharing (CORS) lets users access other domains’ resources while protecting your organization from unexpected cross-origin network access.

For Chrome Browser and devices running Chrome OS version 79 and later, the new CORS implementation, Out-Of-Renderer CORS, carries out CORS inspections on network requests, including Chrome extensions. Out-Of-Renderer CORS is more strict and secure than previous CORS implementations. For example, modified request HTTP headers that were previously ignored by the CORS protocol are inspected by the Out-Of-Renderer CORS protocol.

Specifies whether Chrome Browser can use the legacy CORS protocol, which is less secure and strict than Out-Of-Renderer CORS.

CORS mitigations

Cross-Origin Resource Sharing (CORS) lets users access other domains’ resources while protecting your organization from unexpected cross-origin network access.

For Chrome Browser and devices running Chrome OS version 79 and later, the new CORS implementation, Out-Of-Renderer CORS, carries out CORS inspections on network requests, including Chrome extensions. Out-Of-Renderer CORS is more strict and secure than previous CORS implementations. For example, modified request HTTP headers that were previously ignored by the CORS protocol are inspected by the Out-Of-Renderer CORS protocol.

To make Chrome extensions and specific HTTP headers exempt from CORS inspection, select Enable mitigations.

Android applications

Open all  |  Close all

Control Android backup and restore service

Allows users to back up content, data, and settings from Android apps to their Google Account. When users sign in to another Chrome device, they can restore their Android app data.

Google location services

Sets whether Android apps are allowed to track the user's physical location.

You can set to:

  • Disable location services for Android apps in Chrome OS—Android apps cannot access location information. 
  • Allow the user to decide whether an Android app in Chrome OS can use location services—User is asked to consent when an Android app wants to access location information.
Account Management

Chrome version 75 and earlier

By default, users can add a secondary account (for example, their personal Gmail account) to get access to more Android apps than just the ones you explicitly approved for managed Google Play. To stop users from adding a second Google Account, check the Google account box.

Certificate Synchronization

By default, Chrome OS Certificate Authority (CA) certificates are not synchronized to Android apps. To make them available to Android apps, select Enable usage of Chrome OS CA certificates in Android apps.

Startup

Home button

Specifies whether the Home button appears on the toolbar. For Chrome, this policy corresponds to the user setting Show Home button in their Chrome Settings. 

Homepage

Controls what users see when they click the Home button on the toolbar. You can select Allow user to configure (default), Homepage is always the new tab page, or Homepage is always the URL set below.

To set a URL, you enter the URL in the box.

Pages to load on startup

Allows you to specify additional page URLs that should load when users start their Chrome devices. The pages you list here appear on additional tabs.

Content

Open all  |  Close all

Safe Search and Restricted Mode

Google SafeSearch

Allows you to turn on or off SafeSearch, which filters offensive content in user search results. You can select:

  • Do not enforce Safe Search for Google Web Search queries (default).
  • Always use Safe Search for Google Web Search queries—Users must use SafeSearch.

YouTube Restricted mode

Before you set restrictions on YouTube, we recommend updating to the latest stable version of Chrome.

  • Do not enforce Restricted Mode on YouTube (default).
  • Enforce at least Moderate Restricted Mode on YouTube—Forces users to use Restricted mode. The mode algorithmically limits which videos are viewable based on their content.

  • Enforce Strict Restricted Mode for YouTube—Forces users to use Strict Restricted mode to further limit available videos.

For details on restriction levels, see Manage your organization's YouTube settings.

Screenshot

Controls whether users in your organization can take screenshots on Chrome devices. The policy applies to screenshots taken by any means, including the keyboard shortcut and apps and extensions that use the Chrome API to capture screenshots.

If you enable Android apps on supported Chrome devices in your organization, screenshot policies also apply to those devices.

Client certificates

Allows you to specify a list of URL patterns (as a JSON string) for which sites Chrome automatically selects for client certificates. If set, Chrome skips the client certificate selection prompt for matching sites if a valid client certificate is installed. If this policy is not set, auto-selection won’t be done for websites that request certificates.

The ISSUER/CN parameter specifies the common name of the certification authority that client certificates must have as their issuer to be autoselected.

How to format the JSON string:

{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}

Example JSON string:

{"pattern": "https://[*.]ext.example.com", "filter": {}},
{"pattern": "https://[*.]corp.example.com", "filter": {}},
{"pattern": "https://[*.]intranet.usercontent.com", "filter": {}}

Security key attestation

Specifies URLs and domains for which no prompt is shown when the device requests attestation certificates from security keys.

3D content

Controls whether the browser allows webpages to use the Web-based Graphics Library (WebGL) API and plugins. WebGL is a software library that enables JavaScript to allow it to generate interactive 3D graphics.

Cookies

Default cookie setting

Sets whether websites are allowed to store browsing information, such as your site preferences or profile information.

This setting corresponds to a user’s cookie options in Chrome Settings. You can allow the user to configure the option. Or, you can specify that cookies are always allowed, never allowed, or kept only for the duration of a user's session.

Allow cookies for URL patterns

Allows you to specify a list of URL patterns of sites that are allowed to set cookies. For example, you can put URLs in the following formats on separate lines:

  • "http://www.example.com"
  • "[*.]example.edu" 

If this policy is not set, what you specify under Default cookie setting is the global default or a user can set their own configuration.

Block cookies for URL patterns

Allows you to specify a list of URL patterns of sites that are not allowed to set cookies. For example, you can put URLs in the following formats on separate lines:

  • "http://www.example.com"
  • "[*.]example.edu"

If this policy is not set, what you specify under Default cookie setting is the global default or a user can set their own configuration.

Allow session-only Cookies for URL patterns

Allows you to specify a list of URL patterns of sites that are allowed to set session-only cookies. You can put URLs in the following formats on separate lines:

  • "http://www.example.com"
  •  "[*.]example.edu"

The cookies after these sessions are deleted. If this policy is not set, what you specify under Default cookie setting is the global default, or a user can set their own configuration.

Third-party cookie blocking

You can select:

  • Allow the user to decide (default)
  • Allow third-party cookies—To allow third-party cookies

If you disable this setting, third-party cookies are blocked.

Default legacy SameSite cookie behavior

Developers use the SameSite setting to prevent browsers from sending cookies with cross-site requests.

For Chrome Browser version 80 and later, the SameSite setting is more strict than previous implementations. Cookies are protected from external access unless developers use the SameSite=None; Secure setting to allow cross-site access over HTTPS connections only.

You can temporarily revert Chrome Browser to the legacy behavior, which is less secure. That way, users can continue to use services that developers have not yet updated, such as single sign-on and internal applications.

Choose an option:

  • Revert to legacy SameSite behavior for cookies on all sites—Cookies with the setting configured as SameSite=None do not require the Secure attribute. Cookies that don't specify a SameSite attribute are treated as if they are set to SameSite=None. So, third-party cookies can continue to track users across sites. 
  • Use SameSite-by-default behavior for cookies on all sites—For cookies that don't specify a SameSite attribute, how Chrome Browser treats cookies depends on the default behavior specified in Chrome Browser.

To see how Chrome Browser treats cookies that don't specify a SameSite attribute:

  1. On a managed computer, open Chrome Browser. 
  2. In the address bar at the top, type chrome://flags.
  3. Press Enter.
  4. For #same-site-by-default-cookies, read the description and check to see if the flag is turned on or off.
Per-site legacy SameSite cookie behavior

Developers use the SameSite setting to prevent browsers from sending cookies with cross-site requests.

For Chrome Browser version 80 and later, the SameSite setting is more strict than previous implementations. Cookies are protected from external access unless developers use the SameSite=None; Secure setting to allow cross-site access over HTTPS connections only.

You can specify the domains that you want Chrome Browser to temporarily revert to the legacy behavior, which is less secure. Don’t specify schemes or ports. Cookies with the setting configured as SameSite=None no longer require the Secure attribute. Cookies that don't specify a SameSite attribute are treated as if they are set to SameSite=None. As a result, third-party cookies can continue to track users across specific sites. 

If no domains are listed, the Default legacy SameSite cookie behavior setting specifies how cookies are treated. Otherwise, how Chrome Browser treats cookies might vary, depending on the default behavior specified in Chrome Browser.

Images

Sets whether websites are allowed to display images. For Show images on these sites and Block images on these sites, put one URL pattern on each line.

JavaScript

Sets whether websites are allowed to run JavaScript. If you disable JavaScript, some sites might not work properly.

Notifications

Sets whether websites are allowed to display desktop notifications.

You can allow or deny notifications or ask the user each time a website wants to show desktop notifications.

Note: With Chrome version 64 and later, JavaScript alerts are no longer allowed to interrupt users. Apps that previously used alerts, such as Google Calendar, can send notifications instead. To allow this, in the Allow these sites to show notifications box, add calendar.google.com.

Flash Player

Sets whether websites are allowed to run plugins such as Adobe® Flash® Player®. Plugins are used by websites to enable certain types of web content that Chrome Browser can't process.

Flash Player will be deprecated in December 2020. In Chrome version 76 and later, Flash Player is turned off by default. For information, see Manage Flash in your users' Chrome Browsers

Enabled and disabled plugins

This setting is ignored if you Block all plugins in the Plugins setting.

Allows you to specify a list of plugins that are always enabled in Chrome, such as Java, and prevents users from changing the setting. Names of plugins are case-sensitive, and you enter one plugin per line.

The names can include wildcards. The * symbol matches an arbitrary number of characters. And, ? specifies an optional single character. The escape character is \. To match actual *, ?, or \ characters, put a \ in front of them.

For example, to enable the Chrome PDF Viewer plugin and anything with Gears in its name, you enter Chrome PDF Viewer *Gears* on separate lines. Disabled plugins specifies a list of plugins to block from running.

Exceptions to disabled plugins specifies a list of plugins that users can enable or disable in Chrome, even if they also match one or more entries in the Disabled plugins list.

Plugin finder

Allows Chrome to automatically search and install missing plugins on your users’ Chrome devices.

Plugin authorization

The default setting is that users are asked for permission to run plugins that could compromise security. If you change it to Always run plugins that require authorization, plugins that are not outdated or disabled can run in Chrome without first asking the user for permission.

Outdated Plugins

Ask user for permission to run outdated plugins is the default setting. Selecting Disallow outdated plugins will block them from running in Chrome. Allow outdated plugins to be used as normal plugins means that the outdated plugins are allowed to run as normal plugins.

Pop-ups

Sets whether websites are allowed to show pop-ups. If the browser blocks pop-ups for a site, users see and can click Blocked blocked pop-up alert on the address bar to see the pop-ups that have been blocked.

URL blocking

URL blacklist

Prevents Chrome Browser users from accessing specific URLs.

To configure this setting, enter up to 1,000 URLs on separate lines.

URL blacklist exceptions

Specifies exceptions to the URL blacklist.

To configure the setting, enter up to 1,000 URLs on separate lines.

URL syntax

Each URL must have a valid hostname (such as google.com), an IP address, or an asterisk (*) in place of the host. The asterisk functions like a wildcard, representing all hostnames and IP addresses.

URLs can also include:

  • The URL scheme, which is http, https, or ftp, followed by ://
  • A valid port value from 1 to 65,535
  • The path to the resource
  • Query parameters

Notes:

  • To disable subdomain matching, put an extra period before the host.
  • You cannot use user:pass fields, such as http://user:pass@ftp.example.com/pub/bigfile.iso. Instead, enter http://ftp.example.com/pub/bigfile.iso.
  • When both URL blacklist and URL blacklist exception filters apply (with the same path length), the exception filter takes precedence.
  • If an extra period precedes the host, the policy filters exact host matches only.
  • You can use a wildcard at the end of a URL, such as https://www.google.com/* and https://google.com/*.
  • The policy searches wildcards (*) last.
  • The optional query is a set of key-value and key-only tokens delimited by '&'.
  • The key-value tokens are separated by '='.
  • A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching.

Examples

URL blacklist entry Result
example.com Blocks all requests to example.com, www.example.com, and sub.www.example.com
http://example.com Blocks all HTTP requests to example.com and any of its subdomains, but allows HTTPS and FTP requests
https://* Blocks all HTTPS requests to any domain
mail.example.com Blocks requests to mail.example.com but not to www.example.com or example.com
.example.com Blocks example.com but not its subdomains, like example.com/docs
.www.example.com Blocks www.example.com but not its subdomains
* Blocks all requests except for those to blacklist exception URLs. This includes any URL scheme, such as http://google.com, https://gmail.com, and chrome://policy
*:8080 Blocks all requests to port 8080
*/html/crosh.html Blocks Chrome Secure Shell (Also known as Crosh Shell)

chrome://settings

chrome://os-settings

Blocks all requests to chrome://os-settings

example.com/stuff Blocks all requests to example.com/stuff and its subdomains
192.168.1.2 Blocks requests to 192.168.1.2
youtube.com/watch?v=V1 Blocks youtube video with id V1

Using blacklists with Android apps

If you enable Android apps on supported Chrome devices in your organization, the URL blacklist and URL blacklist exception are not honored by apps that use Android System WebView. To enforce a blacklist on these apps, define the blacklisted URLs in a text file (see below). Then, apply the blacklist to the Android apps. For details, see Apply managed configurations to an Android app.

The following example shows how to define a blacklisted URL:

{ "com.android.browser:URLBlacklist": "[\"www.solamora.com\"]" }

For apps that don’t use Android System WebView, consult the app documentation for information on how to restrict access in a similar way.

Google Drive syncing

Lets you configure whether users can sync with Google Drive on their Chrome device. You can enable or disable Drive syncing or let users choose.

This setting has no effect on the Google Drive Android app on Chrome OS. To completely disable any syncing to Google Drive, configure this policy and do not allow the Google Drive Android app to be installed on supported Chrome devices. For details, see Use Android apps on Chrome devices.

Google Drive syncing over cellular

Lets you configure whether or not users can sync with Google Drive over a cellular connection on their Chrome device. This policy has no effect on the Google Drive Android app on Chrome OS.

Cast

Allow users to cast from Chrome

Decide if users can use a Chromecast device to cast from a Chrome tab.

Show Cast icon in the toolbar

Specify whether Cast  appears on the browser toolbar in Chrome. If you select Always show the Cast icon in the toolbar, it always appears on the toolbar or overflow menu and users can't remove it.

If you don't let users cast, you can't configure this policy. The Cast icon doesn't appear on the toolbar.

Strict treatment for mixed content

Supported on Chrome version 80 to 83 inclusive

Specifies how Chrome Browser and devices running Chrome OS treat insecure HTTP audio, video, and image mixed content.

By default, Chrome uses strict treatment for mixed content. On HTTPS sites:

  • Audio and video are automatically upgraded from HTTP to HTTPS.
  • There is no fallback if audio or video is not available over HTTPS.
  • Chrome shows a warning in the URL bar for pages that contain images.

Select Do not use strict treatment for mixed content to prevent Chrome from automatically upgrading audio and video to HTTPS and show no warning for images.

Control use of insecure content exceptions

For Chrome Browser and devices running Chrome OS, Google has started to automatically block mixed content. So, in future https:// pages will only load secure https:// resources, not http:// resources. For details about the roll-out plan, see this Chromium blog.

Selecting Allow users to add exceptions to allow blockable mixed content lets users specify certain pages that can run active mixed content. Otherwise, users can’t load active mixed content, such as scripts and iframes. Chrome does not automatically upgrade optionally-blockable mixed content from HTTP to HTTPS on sites users add as exceptions.

To run pages with active mixed content, tell users to:

  1. On your computer, open Chrome.
  2. At the top right, click More "" Settings.
  3. Under Privacy and security, click Site settings.
  4. Scroll to Insecure content.
  5. For Allow, click Add.
  6. Add URLs of the pages that you want to allow.

Note: URLs that you specify in the Allow insecure content on these sites and Block insecure content on these sites settings take precedence over this setting.

Allow insecure content on these sites

Specifies a list of pages that can display active mixed content, such as scripts and iframes. Also, Chrome does not automatically upgrade optionally-blockable, or passive, mixed content from HTTP to HTTPS. Passive mixed content includes images, audio, and video.

For information on valid URL patterns, see Enterprise policy URL pattern format.

Block insecure content on these sites

Specifies a list of pages that cannot display active mixed content, such as scripts and iframes. Also, Chrome automatically upgrades optionally-blockable, or passive, mixed content from HTTP to HTTPS. Chrome does not load passive mixed content that fails to load over https://. Passive mixed content includes images, audio, and video

For information on valid URL patterns, see Enterprise policy URL pattern format.

Re-enable Web Components v0 API until Chrome 84

This policy will be removed after Chrome 84.

Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were deprecated in 2018. They are disabled by default in Chrome version 80 and later. For Chrome Browser and devices running Chrome OS version 80 to 84 inclusive, select Re-enable Web Components v0 API  to temporarily re-enable the APIs for all sites.

Synchronous XHR requests during page dismissal

This policy will be removed in Chrome 88.

For Chrome Browser and devices running Chrome OS version 78 to 88 inclusive. Allows you to specify whether pages can send synchronous XMLHttpRequest (XHR) requests during page dismissal. For example, when users close tabs, quit the browser, type a new entry in the address bar, and so on.

Native window occlusion

Chrome Browser detects native window occlusion when a browser window is covered by another window. If that happens, Chrome Browser does not paint pixels on the covered page. Showing blank white pages helps to reduce CPU and power consumption.

Select Disable detection of window occlusion to prevent Chrome Browser on Microsoft® Windows® devices from showing blank pages when they’re covered.

Use legacy form controls

This policy will be removed after Chrome 84

Starting in Chrome version 83, we are refreshing standard form control elements, such as <select>, <button>, and <input type=date>. This will help to improve accessibility and platform uniformity.

For Chrome Browser and devices running Chrome OS version 83 and 84, select Use legacy (pre-M81) form control element for all sites to temporarily revert to legacy form control elements. Otherwise, updated form control elements are used as they are launched in Chrome versions 83 and 84.

Enable URL-keyed anonymized data collection
For Chrome Browser and devices running Chrome OS, URL-keyed anonymized data collection sends Google the URL of each site the user visits to make searching and browsing better. If this policy is not set it will be active by default, but the user will be able to change it.

Printing

Open all  |  Close all

Printing

You can enable or disable printing. When printing is disabled, a user won’t be able to print from the Chrome menu, extensions, JavaScript applications, and so on. 

This policy has no effect on Android apps running on Chrome OS.

Print preview

Selecting Allow using print preview lets your users see a print preview with Google Cloud Print. Selecting Always use the system print dialog instead of print preview will use the computer’s print dialog window and not Cloud Print when printing.

Google Cloud Print submission

Allows or blocks users from signing in to Cloud Print service to print. On Windows, Mac and Linux, turning this setting off, users can still print using their system print dialog box. If this setting is disabled, users won’t be able to print from Chrome OS.

Google Cloud Print proxy

Enabling this setting lets your user’s Chrome Browser on their Windows, Mac, or Linux computer to act as a proxy between Google Cloud Print and the printers connected to their device. Your users can set up Google Cloud Print by going to https://www.google.com/cloudprint and signing in with their Google Account.

Selecting disallow will block Chrome Browser from sharing your device’s printers with Google Cloud Print.

Print preview default

Settings also available for managed guest session devices.

Default printer selection

To use the default system printer as the default printer for Chrome, select Use default print behavior.

To define a default printer for users, select Define the default printer. When a user prints, the Chrome device tries to find a printer that matches the printer type and ID or name you specify. It then selects it as the default printer.

This policy has no effect on Android apps running on Chrome OS.

Printer Types

Select the type of printer to search for and use as the default printer. To search for all types, select Cloud & Local.

Printer Matching

Select if you want to search for printers by name or ID.

Default Printer

Specify a regular expression that matches the name or ID of the printer that you want to use as the default printer. The expression is case-sensitive. Printing defaults to the first printer that matches the name. For example:

  • To match a printer named Solarmora Lobby, enter Solarmora Lobby.
  • To match a printer in solarmora-lobby-1 or solarmora-lobby-2, enter solarmora-lobby-.$.
  • To match a printer in solarmora-lobby-guest or solarmora-partner-guest, enter solarmora-.*-guest.

This policy has no effect on Android apps running on Chrome OS.

Native printers management

For Chrome devices running Chrome OS version 67 and later

Lets you allow or block your users from adding native printers to their Chrome devices.

The default is to Allow users to add new printers. To block your users from adding printers, select Do not allow users to add new printers.

For information about setting up native printing, see Manage local and network printers.

Default color printing mode

Specifies whether to print in color or black and white by default. Users can choose whether to print in color or black and white on individual print jobs.

Restrict color printing mode

Forces users to print in in color or black and white. To let users choose whether to print in color or black and white, select Do not restrict color printing mode.

Default page sides

Specifies whether users can print on both sides of paper. If you choose choose two-sided printing, select whether to bind pages along their long or short edge. Users can only print double-sided on printers with built-in duplex capability. Users can choose whether to print on one or both sides on individual print jobs.

Restrict page sides

Forces users to print in simplex or duplex mode on printers with built-in duplex capability. To let users choose whether to print on one or both sides on individual print jobs, select Do not restrict duplex printing mode.

Background graphics printing default

Specifies whether to print background graphics by default. Users can choose whether to print background graphics on individual print jobs.

Background graphics printing restriction

Lets you force or prevent users from printing background graphics. To let users choose whether to print background graphics on individual print jobs, select Allow the user to decide.

Native print job information

Select Include user account and filename in print job to include the user account and file name in the header of print jobs that are sent using a secure IPP over HTTPS (IPPS) connection to printers compatible with the Internet Printing Protocol (IPP). Third-party printing features, such as secure printing and usage tracking, can then be enabled, if supported.

Note: Selecting Include user account and filename in print job blocks users from printing to printers that do not support IPPS, even if the printers have already been added.

Print job history retention period

Specifies how long the metadata for completed print jobs is stored on Chrome devices. Enter a value in days.

  • To use the system default, which is 90 days, leave the field unset.
  • To store print job metadata indefinitely, enter -1.
  • To prevent print job metadata from being stored, enter 0.
Restrict PIN printing mode

For printers with built-in PIN-printing capability

Forces users to print with or without a PIN. To let users choose whether to print using a PIN, select Do not restrict PIN printing mode.

Default PIN printing mode

For printers with built-in PIN-printing capability

Specifies whether users can print using a PIN. If you choose With PIN, users can enter a code when they’re sending print jobs. Then, they need to enter the same code on the printer keypad to release the print job.

User Experience

Open all  |  Close all

Managed bookmarks

Lets you push a list of bookmarks for the convenience of users on Chrome on all platforms, including mobile devices. On Chrome devices and Chrome on desktop, the bookmarks appear in a folder on the bookmark bar. The user cannot modify the contents of this folder but can choose to hide it from the bookmark bar.

Bookmark bar

Determines whether users see a bookmark bar. Allow the user to decide is the default setting.

Shelf position

Specifies the position of the row of apps, also called the shelf, on users’ Chrome devices.

Bookmark editing

Allows users to add, edit, or remove items from their Chrome bookmarks bar.

Download location

Sets the default download location on Chrome devices and specifies whether a user is allowed to modify that location. The download location choices are:

  • Set local Downloads folder as default, but allow user to change
  • Set Google Drive as default, but allow user to change
  • Force Google Drive

If the user has already explicitly chosen a download location before you select Set Google Drive as default, but allow user to change or Set local Downloads folder as default, but allow user to change, the user's original choice is respected. If the user has not already chosen a download location before you select one of these two policies, the default is set but the user can change it later.

If you select Force Google Drive (regardless of prior user choice), Google Drive is forced to be the download folder and a user is not allowed to change it. However, the user can still move files between local folders and Google Drive using the Files app.

This setting has no effect on Android apps running on Chrome OS. Android apps usually download to a download folder mapped to the Chrome OS downloads folder, however they may download to other locations as well.

Spell check service

Lets you configure whether or not spell checking is enabled on Chrome or let users decide.

Google Translate

Lets you configure whether Chrome uses Google Translate, which offers content translation for web pages in languages not specified on a user's Chrome device. You can allow Chrome to always offer translation, never offer translation, or let users choose.

Alternate error pages

Controls whether Chrome Browser shows suggestions for a page when it is unable to connect to a web address. The user sees suggestions to navigate to other parts of the website or to search for the page.

Corresponds to the user option Use a web service to help resolve navigation errors in their Chrome settings. You can allow the user to configure the option, or you can specify that it is always on or always off.

Developer tools

Controls whether the Developer tools option appears on the Tools menu. Developer tools allow web developers and programmers access into the internals of the browser and their web applications. For more information about the tools, see the Developer Tools Overview.

The default for G Suite Enterprise customers is to Allow use of built-in developer tools except for force-installed extensions. This setting means all keyboard shortcuts, menu entries, and context menu entries that open the Developer tools or JavaScript console are enabled in general, but are disabled within extensions that are force-installed using enterprise policy.

The default for unmanaged users is Always allow use of built-in developer tools. To disable developer tools in all contexts, select Never allow use of built-in developer tools.

If you have enabled Android apps on supported Chrome devices in your organization, this setting will also control access to Android Developer Options. If set to Never allow use of built-in developer tools, users can’t access Developer Options. If set to any other value or unset, users can access Developer Options by tapping 7 times on the build number in the Android settings app.

Form Auto-fill

Specifies whether the user can use the autofill feature to simplify the completion of online forms. The first time a user fills out a form, Chrome automatically saves the entered information, such as name, address, phone number, or email address.

You can allow the user to configure the option, or you can specify that it is always enabled or disabled.

DNS pre-fetching

When DNS prefetching is enabled, Chrome looks up the IP addresses of all links on a displayed webpage so that links the user clicks load faster.

You can allow the user to configure the option, or you can specify that it is always enabled or disabled.

Network prediction

Allows you to decide whether Chrome predicts network actions. You might want Chrome to use a prediction service so it loads pages faster or helps complete searches and URLs that users enter in the address bar.

As an administrator, you can disable or require network prediction. Or, if you select Allow the user to decide, the setting is on for Chrome. Users can then change their own prediction service settings.

Multiple sign-in access

Before using this setting, review Let multiple users sign in at the same time.

In the case of Android apps running on Chrome, even if you choose Unrestricted user access (allow any user to be added to any other user's session), only the primary user can use Android apps. If you choose Managed user must be the primary user (secondary users are allowed), Android apps can be used in the primary user as long as the device supports Android apps and you have enabled them in your organization.

Sign-in to secondary accounts

After signing in to their device, allows users to switch between accounts in their browser window and Google Play.

  1. Choose an option:
    • To allow users to sign in to any Google Account within the browser, select Allow users to sign-in to any secondary Google Accounts. For details, see Types of Google Accounts.
    • To block users from signing in or out of Google Accounts within the browser, select Block users from signing in to or out of secondary Google Accounts.
    • To allow users to access Google services using an account only from a list of specified G Suite domains, select Allow users to sign-in only to the G Suite domains set below.
  2. If you allow users to sign in only to specific G Suite domains:
    1. Make sure you list all of your organization’s domains. If you don’t, your users might not have access to Google services. To see a list of your domains, click organization’s domains under the domain list.
    2. To include consumer Google Accounts, such as @gmail.com and @googlemail.com, enter consumer_accounts in the list. You can also allow access to certain accounts and block access to others. For details, see Blocking access to consumer accounts.
  3. If you allow users to sign in only to specific G Suite domains or block users from signing in or out in the browser, you should also:
    1. Set a sign-in restriction so that only users in your organization can sign in to devices running Chrome OS. For details, see Sign-in Restriction.
    2. Turn off guest browsing on devices. For details, see Guest mode.
    3. Prevent users from browsing in Incognito mode. See Incognito Mode.
Unified Desktop (BETA)

Setting also available for managed guest sessions and kiosk apps

To let users span a window across multiple monitors or TVs, you can select Make Unified Desktop mode available to user. By default, this feature is turned off. Users can disable unified desktop and still use 2 external displays, but individual windows are in one display or the other, even if the desktop is extended across both.​

  • Up to 2 external displays are supported.
  • Unified desktop is intended to work across monitors of the same resolution.
  • When enabled, unified desktop is the default mode when a user connects a monitor to their device.
WebRTC Event Log

To allow web applications to generate and collect WebRTC event logs for your users, select Allow WebRTC Event Log Collection. The logs can help Google identify and resolve issues with audio and video meetings. They contain diagnostic information, such as the time and size of sent and received RTP packets, feedback about congestion on the network, and metadata about time and quality of audio and video frames. The logs have no video or audio content from the meetings.

To collect logs for Hangouts Meet customers, you must enable both this setting and the Client logs upload policy in the Google Admin console.

Dinosaur game

Controls whether users can play the dinosaur game on Chrome Browser or devices running Chrome OS when devices are offline. Choose one of the options:

  • Allow users to play the dinosaur game when the device is offline on Chrome Browser, but not on enrolled Chrome devices—When devices are offline, users can’t play the dinosaur game on enrolled Chrome devices, but they can play it on Chrome Browser.
  • Allow users to play the dinosaur game when the device is offline—Users can play the dinosaur game when devices are offline.
  • Do not allow users to play the dinosaur game when the device is offline—Users can’t play the dinosaur game when devices are offline.
Previously installed app recommendations

When the search box is empty, controls whether the launcher on Chrome devices recommends apps that were previously installed on other devices. Choose one of the options:

  • Show app recommendations in the Chrome OS launcher
  • Do not show app recommendations in the Chrome OS launcher

Omnibox search provider

Search suggest

Allows you to enable or disable a prediction service for users to help complete the web addresses or search terms. You can specify that it’s always enabled or disabled or you can let the user configure it in their Chrome settings.

Omnibox search provider

Specifies the name of the default search provider. If you select Lock the Omnibox Search Provider settings to the values below, you can customize the following options:

Omnibox search provider name

Enter a name to use for the address bar. If you don't provide one, Chrome uses the host name from the Omnibox search provider search URL.

Omnibox search provider keyword

Specifies the keyword used as the shortcut to trigger the search.

Omnibox search provider search URL

Specifies the URL of the search engine.

The URL must contain the string '{searchTerms}', which is replaced at query time by the terms the user is searching for, for example, "http://search.my.company/search?q={searchTerms}".

To use Google as your search engine, enter:

{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}

Omnibox search provider suggest URL

Specifies the URL of the search engine used to provide search suggestions.

The URL should contain the string '{searchTerms}', which is replaced at query time by the text the user has entered so far.

To use Google as the search engine that provides search suggestions, enter:

{google:baseURL}complete/search?output=chrome&q={searchTerms}

Omnibox search provider instant URL

Specifies the URL of the search engine used to provide instant results.

The URL should contain the string '{searchTerms}', which is replaced at query time by the text the user has entered so far.

Omnibox search provider icon URL

Specifies the icon URL of the search provider. You need to access your search provider site at least once so that the icon file is retrieved and cached before you enable Lock the Omnibox Search Provider settings to the values below.

Omnibox search provider encodings

Specifies the character encodings supported by the search provider.

Encodings are code page names like UTF-8, GB2312, and ISO-8859-1. They are tried in the order provided. The default is UTF-8.

Hardware

Open all  |  Close all

External storage devices

Controls whether users in your organization can use Chrome devices to mount external drives, including USB flash drives, external hard drives, optical storage, Secure Digital (SD) cards, and other memory cards. If you disallow external storage and a user attempts to mount an external drive, Chrome notifies the user that the policy is in effect.

If you choose to Allow external storage devices (read-only), users can read files from external devices but cannot write to them. Formatting of devices is also disallowed.

This policy does not affect Google Drive or internal storage, such as files saved in the Download folder.

Audio input

Controls whether users in your organization can let websites access audio input from the built-in microphone on a Chrome device.

When a user connects an external audio input device, the audio on the Chrome device unmutes immediately.

If you have enabled Android apps on supported Chrome devices in your organization and have this setting disabled, the microphone input is disabled for all Android apps without exceptions.

Audio input allowed URLs

Allows URLs to be granted access to audio capture devices without prompt.

Patterns in this list will be matched against the security origin of the requesting URL. If a match is found, access to audio capture devices will be granted without prompting the user for confirmation.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format

Audio output

Controls whether users in your organization can play sound on their Chrome devices. The policy applies to all audio outputs on Chrome devices, including built-in speakers, headphone jacks, and external devices attached to HDMI and USB ports.

If you disable audio, the Chrome device still shows its audio controls but users can't change them. Also, a mute icon appears.

This setting has no effect on the Google Drive Android app on Chrome OS.

Video input

Specifies whether websites can access the built-in Chrome device webcam.

Disabling video input does not disable the webcam for Google voice and video chat. To disable the webcam for Google voice and video chat, use the Allowed Apps and Extensions setting in User & browser settings to block the following hfhhnacclhffhdffklopdkcgdhifgngh extension.

If you enabled Android apps on supported Chrome devices in your organization, this setting affects the built-in camera and can be disabled so that no Android app can access the built-in camera.

Video input allowed URLs

Allows URLs to be granted access to video capture devices without prompt.

Patterns in this list will be matched against the security origin of the requesting URL. If a match is found, access to video capture devices will be granted without prompting the user for confirmation.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format

Keyboard

Determines the behavior of the top row of keys on the keyboard. If this setting is unset or set to media keys, the keyboard's top row of keys will act as media keys. If the policy is set for function keys, then the keys will act as function keys (such as F1, F2). In both scenarios, users can change the behavior. Also, users can turn a media key to a function key (and vice versa) by holding down the search key.

User verification

Verified Mode

You can select:

  • Require verified mode boot for Verified Access–User sessions on the devices in Dev mode will always fail the Verified Access check.
  • Skip boot mode check for Verified Access–Allows user sessions on the devices in Dev mode to work.
  • Service accounts which are allowed to receive user data–List email addresses of the service accounts that gain full access to the Google Verified Access API. These are the service accounts created in the Google API Console.
  • Service accounts which can verify users but do not receive user data–List email addresses of the service accounts that gain limited access to the Google Verified Access API. These are the service accounts created in the Google API Console.

For instructions on using these settings with Verified Access, admins should see Enable Verified Access with Chrome devices. Developers should see the Google Verified Access API Developer Guide.

Chrome management—partner access

Allow EMM partners access to device management

Not currently available for G Suite for Education domains

Gives EMM partners programmatic access to manage user policies for Chrome and Chrome devices. Partners can use this access feature to integrate Google Admin console functionality into their EMM console.

When partner access is turned on, your EMM partner can manage individual user policies that determine your users' experience on Chrome and Chrome devices. Therefore EMM partners no longer have to manage user policies by Admin console organizational unit structure. Instead, they can use the structure configured in their EMM console. You can’t simultaneously set the same policy for the same user using partner access and the Admin console. User-level policies configured using partner access controls take precedence over organizational unit policies set in the Admin console. To enforce policies on users by organizational unit, you must select Disable Chrome management—partner access.

You can also use your EMM console to set device policies. If you subscribe only to the Chrome Kiosk service, you can only set device policies.

Managed browsers

Cloud reporting

Controls Chrome Browser cloud reporting, which is available to admins using Chrome Browser Cloud Management. For more information, see Set up Chrome Browser Cloud Management.

Once this setting is enabled, admins using Chrome Browser Cloud Management can get a detailed view in the Admin console of Chrome Browsers and extensions used in their organization.

Chrome Safe Browsing

Open all  |  Close all

Safe Browsing

Specifies whether Google Safe Browsing is turned on for users.

Safe Browsing in Chrome helps protect users from websites that may contain malware or phishing content. The default setting is Allow user to decide. Alternatively, you can choose to Always enable Safe Browsing or Always disable Safe Browsing.

Help improve Safe Browsing

Specifies whether extended reporting is turned on and sends some system information and page content to Google to help detect dangerous apps and sites.

Safe Browsing whitelisted domains

Specifies URLs that Safe Browsing should trust. Safe Browsing will not check for phishing, malware, unwanted software, or password reuse for listed URLs. Safe Browsing's download protection service does not check downloads hosted on these domains.

Download restrictions

Prevents users from downloading dangerous files, such as malware or infected files. You can prevent users from downloading all files or those that Google Safe Browsing identifies as dangerous. If users try downloading dangerous files, Safe Browsing shows them a security warning.

Choose an option:

  • No special restrictions—All downloads are allowed. Users still receive warnings about sites identified as dangerous by Safe Browsing. But, they can bypass the warning and download the file.
  • Block dangerous downloads—All downloads are allowed, except those marked with Safe Browsing warnings of dangerous downloads.
  • Block potentially dangerous downloads—All downloads are allowed, except those marked with Safe Browsing warnings of potentially dangerous downloads. Users cannot bypass the warnings and download the file.
  • Block all downloads—No downloads are allowed.
Disable bypassing Safe Browsing warnings

Specifies whether users can bypass Safe Browsing warnings and access deceptive or dangerous sites or download potentially harmful files.

Password alert

Specifies whether you can prevent users from reusing their password on dangerous websites or on websites that aren’t whitelisted by your organization. Preventing password reuse across multiple websites can protect your organization from compromised accounts.

Specify the domains that are exceptions to the URLs that appear on the Safe Browsing list. Whitelisted domains are not checked for:

  • Password reuse
  • Phishing and deceptive social engineering sites
  • Sites that host malware or unwanted software
  • Harmful downloads

Specify the URLs of webpages where users usually enter their password to sign in to their account. If a sign-in process is split across 2 pages, add the URL of the webpage where users enter their password. When users enter their password, a non-reversible hash is stored locally and used to detect password reuse. Make sure that the change password URL that you specify follows these guidelines.

Chrome updates

Open all  |  Close all

Component updates

Specifies whether Chrome Browser components, such as Adobe® Flash® and Widevine DRM (for encrypted media), automatically update.

This policy does not apply to all components. For a full list of exempted components, see ComponentUpdatesEnabled.

Relaunch notification

Chrome version 83 and later

Controls how users are notified to relaunch Chrome Browser or restart their device running Chrome OS to get the latest update. Choose one of the options:

  • No relaunch notification—Chrome indicates to users that a relaunch is needed via subtle changes to its menu. No notification is shown.
  • Show notification recommending relaunch—Users see a recurring message that they should relaunch Chrome Browser or restart their Chrome device. Users can dismiss the notification and keep using the old version of Chrome until they choose to relaunch Chrome Browser or restart their Chrome device.
  • Force relaunch after a period—Users see a recurring message that Chrome Browser will automatically relaunch or their Chrome device will restart after a certain time. Users can dismiss the notification and continue to use Chrome until the end of the relaunch period, at which point it will automatically restart.

If you show notifications to users, you can set the time period, between 1and 168 hours, over which users are repeatedly notified to relaunch Chrome Browser or restart their Chrome device. To use the system default, which is 168 hours (7 days), leave the field unset. For Chrome devices, Chrome only shows notifications for the last 3 days of the time period that you specify, not the entire duration.

For Chrome devices, setting the Auto reboot after updates device setting to Allow auto-reboots automatically restarts devices when updates are applied. This minimizes the amount of notifications that users see. For details about configuring automatic updates on Chrome devices, read Auto-update settings.

Suppress auto-update check

Specifies a daily time period when automatic checks for Chrome Browser updates do not occur. Enter:

  • Start time—Time of day, in 24-hour format (hh:mm), that you want to begin suppressing checks for browser updates each day. 
  • Duration (minutes)— Length of time, in minutes, that you want to suppress browser update checks for.
Auto-update check period

Specifies the number of hours between automatic checks for Chrome Browser updates. Enter 0 to disable all auto-update checks (not recommended).

Download URL class override

Select Attempt to provide cache-friendly download URLs to get the Google Update server to attempt to provide cache-friendly URLs for update payloads in its responses. This helps to reduce bandwidth and improve response times.

Chrome browser updates

Specifies whether devices automatically update to new versions of Chrome Browser as they are released.

To make sure that users are protected by the latest security updates, we strongly recommend that you select Always allow updates. By running earlier versions of Chrome Browser, you will expose your users to known security issues. Specify the Target version prefix override and select Rollback to target version to temporarily roll back to the 3 latest major versions of Chrome Browser.

For details about how to manage Chrome Browser updates, see Manage Chrome updates (Admin console).

Legacy Browser Support

Open all  |  Close all

Legacy Browser Support

Specifies whether users can open some URLs in an alternative browser, such as Microsoft® Internet Explorer®.

Delay before launching alternative browser

Specifies the length of time, in seconds, that it takes to open the alternative browser. During this time, users see an interstitial page that lets them know they're switching to another browser. By default, URLs immediately open in the alternative browser, without showing the interstitial page.

Use Internet Explorer site list

Allows you to use your Internet Explorer site list to control whether URLs open in Chrome Browser or Internet Explorer.

Legacy Browser Support site list

Specifies the URL of the XML file that contains the list of website URLs that open in an alternative browser. You can review this sample XML file.

URL to list of websites to open in either browser

Specifies the URL of the XML file that contains the list of website URLs that do not trigger a browser switch.

Websites to open in alternative browser

Specifies a list of website URLs that open in an alternative browser.

Websites to open in either browser

Specifies a list of website URLs that do not trigger a browser switch.

Alternative browser parameters

By default, only the URL is passed as a parameter to the alternative browser. You can specify parameters to be passed to the alternative browser’s executable. Parameters that you specify are used when the alternative browser is invoked. You can use the special placeholder ${url} to specify where the URL should appear in the command line.

You don't have to specify the placeholder if it's the only argument or if it should be appended to the end of the command line.

Alternative browser path

Lets you specify the program that's used as an alternative browser. For example, for Windows computers, the default alternative browser is Internet Explorer.

You can specify a file location or use one of these variables:

  • ${chrome}—Chrome Browser
  • ${firefox}— Mozilla® Firefox®
  • ${ie}—Internet Explorer
  • ${opera}—Opera®
  • ${safari}—Apple® Safari®
Chrome parameters

Windows only

Specifies the parameters to be passed to Chrome Browser's executable when returning from the alternative browser. By default, only the URL is passed as a parameter to Chrome Browser. Parameters that you specify are used when Chrome Browser is invoked. You can use the special placeholder ${url} to specify where the URL should appear in the command line.

You don't have to specify the placeholder if it's the only argument or if it should be appended to the end of the command line.

Chrome path

Windows only

Specifies the executable of Chrome Browser to be launched when returning from the alternative browser.

You can specify a file location or use the variable ${chrome}, which is the default installation location for Chrome Browser.

Keep last Chrome tab

Specifies whether to close Chrome Browser after the last tab in the window switches to the alternative browser.

Chrome Browser tabs automatically close after switching to the alternative browser. If you specify Close Chrome completely and the last tab is open in the window before switching, Chrome Browser closes completely.

Accessibility

Note: By default, the accessibility settings are turned off until the user turns them on in the Chromebook accessibility settings or by using keyboard shortcuts. We strongly advise using caution before disabling any of the accessibility features, as this can cause problems for users with disabilities or particular needs. If a policy is left unset, users can access the feature anytime. However, if you set a policy, users can’t change or override it.

Open all  |  Close all

Accessibility shortcuts

Lets you configure whether or not accessibility keyboard shortcuts are disabled. If this policy is left unset, keyboard shortcuts will be available for your users, however you can set the policy to Disable accessibility shortcuts.

For more information, see Turn on Chromebook accessibility features.

ChromeVox spoken feedback

The ChromeVox screen reader helps users with visual impairments. When turned on, their Chromebook will read aloud text that is on the screen. For users who are hearing impaired, this feature will allow the text to be shown on a connected braille display.

For details, see Use the built-in screen readerand Use a braille device with your Chromebook.

Select-to-speak

Users can hear specific text on a page read aloud, including specific words, selections of text, or sections of the screen. View word-by-word highlighting as words are read aloud for a better audio and visual experience.

For details, see Hear text read aloud.

High contrast

High contrast mode changes the font and background color scheme to make pages easier to read. This setting can be turned on through the accessibility settings or by pressing Ctrl + Search + h.

Screen magnifier

Lets the user zoom in their screen up to 20x the default size. You can disable the screen magnifier or determine the type of screen magnifier that is enabled for your users.

For details, see Zoom in or magnify your Chromebook screen.

Sticky keys

Turns on the ability for shortcut key combinations to be typed in sequence without needing to press several keys at once. For example, instead of pressing the Ctrl and V keys at the same time, sticky keys lets the user activate this command by first pressing Ctrl and then pressing V after. This feature can be especially helpful for users who have physical disabilities.

For details, see Use keyboard shortcuts one key at a time

Virtual keyboard

This on-screen keyboard feature allows the input of characters without the need for physical keys. An on-screen keyboard is typically used on devices with a touchscreen interface, but it’s also accessible using a touchpad, mouse, or connected joystick.

For details, see Use the on-screen keyboard.

Dictation

Users can type long documents, emails and school essays using their voice instead of a keyboard.

For details, see Type text with your voice

Keyboard focus highlighting

This feature highlights objects on the screen as users navigate through them using the keyboard. It helps your users identify where they are on a page while filling in forms or selecting an option.

Caret highlight

While editing text, this feature highlights the area that surrounds the caret, also known as the cursor.

Auto-click

The mouse cursor will automatically click or scroll where it hovers. This can be helpful for users who find clicking the mouse or touchpad difficult.

For details, see Automatically click objects on your Chromebook.

Large cursor

Increases the size of the mouse cursor so that it's more visible on the screen.

Cursor highlight

Creates a colored focus ring around the mouse cursor for better visibility on the screen.

Primary mouse button

Changes the order of the primary mouse button and touchpad from left to right. If this policy is not set, the left mouse button will be primary, but it can be changed anytime.

Mono audio

Changes the audio outputs on Chrome devices so that the same volume plays through the left and right built-in speakers and headphones. This setting can be useful for users who have better hearing in one ear than the other.

Other settings

Chrome management for signed-in users

Specifies whether user-level Chrome policies that you set in your Admin console are enforced when users sign in to Chrome with their Google Account on any device. The default for this setting is Apply all user policies when users sign into Chrome, and provide a managed Chrome experience.

For backward compatibility, you can let users sign into Chrome as unmanaged users. Select Do not apply any policies when users sign into Chrome. Allow users to access Chrome as an unmanaged user. Then, when users sign in to Chrome, they no longer receive user-level policies that you set in the Admin console, including apps and extensions.

Turning Chrome management off and on again might cause some users to experience changes to their account. Before you turn it on again, inform your users. While Chrome management was turned off,  users might have signed in as unmanaged users. When the setting is turned back on again, Android apps might be removed or users might no longer be able to sign in multiple people at the same time on Chrome devices.

You don't need to turn on Chrome management to apply policies if you manage Chrome devices using your Admin console. User-level policies apply to those Chrome devices, even if you turn off this setting.

For information about how to set up Chrome Browser user-level management, see Manage user profiles on Chrome Browser.

Chrome browser memory limit

Allows you to set a limit on how much memory a single Chrome browser session can use before browser tabs start closing automatically to save memory. If the policy is set, the browser will start to close tabs in order to save memory once the limitation is exceeded. However, if the policy is not set, the browser will only attempt to save memory once it has detected that the amount of physical memory on its machine is low. 

Related topics

Was this helpful?
How can we improve it?