Planning your return to office strategy? See how Chrome OS can help.

Archived release notes

Note: For information about the current Chrome versions and targeted releases, see Chrome Enterprise release notes.
 

For administrators who manage Chrome browser or Chrome OS devices for a business or school.

 

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Previous release notes

Open all   |   Close allChrome 98

Chrome browser updates

   

 

  • Use Chrome passwords in other apps on iOS   back to top

    Chrome 98 informs iOS users that they can use any passwords saved in Chrome in other apps on their device.

    The Chrome > Settings > Passwords screen shows a new option for Passwords in Other Apps, which guides users to turn on this feature in iOS autofill settings.

    You can control if users can save passwords using Chrome with the PasswordManagerEnabled policy.

   

 

  • Update GREASE brand list generation   back to top

    User-Agent Client Hints GREASE aims to prevent bad or exclusionary assumptions from being built on top of the proposed replacement for User-Agent strings. This means that users of less well-tested browsers will not be rejected for not matching the precise format of a more-well tested browsers UA string.

    This change aligns our implementation of GREASE in User-Agent Client Hints with the current spec, which includes additional GREASE characters beyond the current semicolon and space, and which recommends varying the arbitrary version. While we are rolling out this change gradually and continue to watch for negative impacts, such as WAF software flagging headers as invalid traffic, admins can opt out using the UserAgentClientHintsGREASEUpdateEnabled enterprise policy.

   

 

  • Chrome disables the U2F API by default  back to top

    The U2F API is Chrome's legacy API for interacting with USB security keys. It has been superseded by the W3C Web Authentication API (WebAuthn). Chrome 98 disables the U2F API by default. With Chrome 104, the U2F API will be removed from Chrome.

    Sites can continue to use the U2F API beyond Chrome 98 if they enroll in an Origin Trial. Using the Origin Trial also suppresses the deprecation prompt on the enrolled pages. The Origin Trial will end on July 26, 2022, shortly before the release of Chrome 104.

    Enterprises can suppress deprecation related changes, and keep the U2F enabled, by using the U2fSecurityKeyApiEnabled enterprise policy. This enterprise policy will be removed from Chrome, together with the U2F API, in Chrome 104.

    If you run a website that still uses this API, please refer to the deprecation announcement and blog post for more details.

   

 

  • Chrome no longer allows TLS 1.0 or TLS 1.1   back to top

    The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.

    In Chrome 91, we announced that the policy no longer works, but users could still bypass the interstitial. In Chrome 98, it is not possible to bypass the interstitial.

   

 

  • Private network access preflights for subresources   back to top

    Chrome sends a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new Access-Control-Request-Private-Network: true header, and the response must carry a matching Access-Control-Allow-Private-Network: true header.

    A private network request is any request from a public website to a private IP address or localhost, or from a private website, for example, an Intranet, to a localhost. Sending a preflight request mitigates the risk of cross-site request forgery attacks against private network devices such as routers, which are often not prepared to defend against this threat.

    Chrome 98 sends these preflight requests but does not yet require them to succeed. Failed preflights only display warnings in DevTools, which you can use to detect problematic fetches in your web apps.  In Chrome 101 at the earliest, failed preflights will cause the entire request to fail depending on compatibility data. See the blog post for more information.

    You can control this behavior using enterprise policies InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls.

↑ back to top  

   

 

  • Integrate Enhanced Safe Browsing preference with account settings   back to top

    Chrome now prompts users who opt in to Account Enhanced Safe Browsing to enable Enhanced Safe Browsing in Chrome. Their Safe Browsing setting is still controlled by the SafeBrowsingProtectionLevel policy.

   

 

  • TFLite model for client-side phishing detection   back to top

    Chrome uses an on-device Machine Learning (ML) model to better detect phishing attempts, and better protect users. As in earlier versions, Chrome displays a full-page interstitial warning if Chrome detects a possible phishing attempt. This was previously launched for Android in Chrome 92, and is now on desktop platforms as well.

    With this change, Chrome sends the following to the Safe Browsing service:
    • the version of the model that was executed
    • the scores the model gave for each category
    • a boolean describing whether the new model was used to generate the scores

    You can control Safe Browsing using the SafeBrowsingProtectionLevel policy. This feature applies to users with the protection level set at 1 or greater.

   

 

  • Chrome deprecates the installed_browser_version field in the Directory API   back to top

    The installedBrowserVersion property in Chromebrowser resources in Directory API: Chrome Browsers has been deprecated and replaced by the pendingBrowserVersion property. The pendingBrowserVersion represents the version of Chrome browser that is installed on browser restart.

   

 

  • New extensions must be submitted with Manifest v3   back to top

    As part of the gradual deprecation of Manifest V2, the Chrome Web Store has stopped accepting submissions of new Manifest V2 extensions as of January 17, 2022. This applies to all new extension submissions with visibility set to Public or Unlisted.

    This change does not affect updates to already published extensions. Also, it does not impact extensions with visibility set to Private. The change is not expected to affect the operation of any existing extensions already deployed in Chrome. Note that the next phase of deprecation, in June of 2022, is expected to expand this restriction to extensions with Private visibility, which may have a more significant impact on Enterprise extension workflows. For more details, refer to the Manifest V2 support timeline.

   

 

↑ back to top  

Chrome OS updates

   

 

  • Expanded keyboard shortcuts for Desks   back to top

    Chrome 98 adds a new shortcut to make it faster and easier to switch Desks. Create up to 8 desks to organize your projects and use the shortcut Shift + Search  + 1 through Shift + Search  + 8 to jump from one desk to another using only the keyboard.

   

 

  • Add Save to settings to screen capture   back to top

    Now users can save screen captures to any local or drive folder of their choice, making capturing and using content even more efficient.

   

 

  • Support for Network Based Recovery (NBR)   back to top

    In Chrome 98, some users can re-flash their devices with a fresh copy of the OS and firmware, letting them recover if the message: Chrome OS is missing or damaged appears. NBR requires a network connection. This feature will roll out to more devices in later releases.


Admin console updates

   

 

  • Search devices by version or model   back to top

    In the Chrome filters view for the devices page for ChromeOS, you can now filter and search the devices by version and by model.

   

 

↑ back to top  



Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes


   

  • Chrome Major Version number will reach 100   back to top

    Chrome will reach a 3-digit major version number in March, 2022.  When browsers went from version 9 to 10, the increase in the number of digits uncovered many issues in User-Agent string parsing libraries. In order to avoid the same issue again, developers and IT admins should test their services in advance. 

    To help, the Chrome team created the ForceMajorVersion100InUserAgent flag (chrome://flags/#force-major-version-to-100). This forces the browser to send 100 as the major version number (blog).  You should use this flag to uncover and address any issues before Chrome 100 rolls out. We encourage admins to submit any issues encountered here

   

 

  • Network Service on Windows will be sandboxed   back to top

    As early as Chrome 100, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.

   

 

  • WebHID enterprise policies   back to top

    As early as Chrome 100, Chrome will add policies to manage the WebHID API. DefaultWebHidGuardSetting configures the default API behavior for all URLs and can be configured to allow origins to Ask for new device permissions or Block all permission requests. The WebHidAskForUrls and WebHidBlockedForUrls policies override the default policy for specific URLs.

    Three new policies are added for automatically granting device permissions. URLs contained in the WebHidAllowAllDevicesForUrls policy will be automatically granted permissions for any connected device. The WebHidAllowDevicesForUrls and WebHidAllowDevicesWithHidUsagesForUrls policies can be used to grant narrower permissions by matching against vendor and product IDs or application collection usages in the HID report descriptor.

   

 

  • Default to origin-keyed agent clustering   back to top

    As early as Chrome 103, websites will be unable to set document.domain. Websites will need to use alternative approaches  such as postMessage() or Channel Messaging API  to communicate cross-origin. If a website relies on same-origin policy relaxation via document.domain to function correctly, it will need to send an Origin-Agent-Cluster: ?0 header along with all documents that require that behavior. 

    Note: document.domain has no effect if only one document sets it.

    An enterprise policy will be available when this change ships to extend the current behavior.

   

 

  • Change tab-sharing blue border behavior   back to top

    When a user chooses to share their tab from a site participating in the region capture origin trial, the blue border used to signify that a tab is being shared will no longer be shown.

↑ back to top  

Chrome 97
Chrome browser updates Security User productivity/ Apps Management
Launch Control Flow Guard for Windows    
Certificate Transparency enabled on Chrome for Android    
About this site    
Test improvements to the Manage search engines settings     
Chrome 97 removes profiles from memory when their windows are closed    
Chrome disables WebSQL in third-party contexts     
New Manifest V2 extensions not accepted after January 17, 2022  
Improved Chrome Autofill on Desktop  
Optimized user experience on iOS    
Private Network Access preflights for subresources    
New and updated policies in Chrome browser    
Chrome OS updates Security User productivity/ Apps Management
Chrome Management Telemetry API  
Revamped user and device reporting controls    
Chrome Policy API supports Device settings  
Offline grammar check    
Magnifier continuous panning    
Gallery app supports audio playing and multi window    
Admin console updates Security User productivity/ Apps Management
Browser list data downloadable in CSV format    
Read-only privilege for managed browsers    
Reports overview page    
Insights report: Devices that need attention    
New policies in the Admin console    
Upcoming Chrome browser changes Security User productivity/ Apps Management
Network Service on Windows will be sandboxed    
Use of Chrome passwords in other apps on iOS    
Update GREASE brand list generation  
Chrome will maintain its own default root store    
Chrome will disable the U2F API by default  
Chrome will no longer allow TLS 1.0 or TLS 1.1    
Chrome may leverage MiraclePtr to improve security    
Feature flag to force the Chrome Major Version number to 100  

 

DOWNLOAD Release notes (PDF)

↑ back to top

 

Chrome browser updates

   

 

  • Launch Control Flow Guard for Windows   back to top

    Chrome 97 improves security by introducing Control Flow Guard (CFG) for Windows to make memory corruption vulnerabilities more difficult to exploit. This change might cause interoperability issues with software that injects code into Chrome’s process space, such as Data Loss Prevention software. Please file a bug to let us know if you encounter issues. 

    As CFG affects how Chrome is compiled, it is not possible to control it using enterprise policies, but you can test it in the Dev and Beta channels for Chrome 97.

   

 

   

 

  • About this site   back to top

    Some users in Chrome 97 see a short description of a website in the Site information UI if the Make searches and browsing better setting is enabled. 
     
    About this site
     

   

 

  • Test improvements to the Manage search engines settings   back to top

    Site search helps users save time by searching through specific sites directly from the address bar on Chrome desktop. We are improving the Settings>Manage search engines page to help users have better control over Site search. Chrome 97 tests a number of these improvements: 
     
    • To help users better understand Site search, we renamed the page to Manage search engines and site search and added explanations to each section of the page.
    • Now, when users visit a site that is eligible to work with Site search, that is, compliant with the OpenSearch spec, it will no longer be automatically activated for Site search. To activate a site, users select Settings>Manage search engines and site search>Inactive shortcuts>Activate. To prevent user workflows from being disrupted, Site search providers that people have used before in Chrome remain activated.
    • The DefaultSearchProviderEnabled enterprise policy maintains the same behavior.  

   

 

  • Chrome 97 removes profiles from memory when their windows are closed   back to top

    Previously, when users closed Chrome windows for a profile, the profile object would stay loaded in memory. It would continue using memory and other system resources. It would also run jobs in the background like Sync and extension background scripts. The only way to unload a profile from memory was to exit Chrome entirely.

    Chrome 97 removes profiles from memory when their windows are closed. This can save lots of system resources in multi-profile scenarios. It also lets Chrome clean up ephemeral profile data from disk more efficiently, strengthening its privacy guarantees.  

↑ back to top  

   

 

  • Chrome disables WebSQL in third-party contexts   back to top

    Chrome 97 disables WebSQL in third-party contexts, such as cross-origin iframes, as a continuation to the deprecation in Chrome 94. This change does not affect WebSQL in first-party contexts, but the eventual goal is to deprecate and remove all WebSQL.

    An enterprise policy, WebSQLInThirdPartyContextEnabled, can re-enable WebSQL in third-party contexts until Chrome 101, when support for WebSQL in third-party contexts will be removed entirely.

   

 

  • New Manifest V2 extensions not accepted after January 17, 2022   back to top

    As part of the gradual deprecation of Manifest V2, the Chrome Web Store will stop accepting submissions of new Manifest V2 extensions after January 17, 2022. This applies to all new extension submissions with visibility set to Public or Unlisted.

    The change does not affect updates to already published extensions. Also, it does not impact extensions with visibility set to Private. The change is not expected to affect the operation of any existing extensions already deployed in Chrome. 

    Note that the next phase of deprecation, in June of 2022, is expected to expand this restriction to extensions with Private visibility, which may have a more significant impact on Enterprise extension workflows.

    For more details, refer to the Manifest V2 support timeline.  

   

 

  • Improved Chrome Autofill on Desktop   back to top

    A shifted Autofill position enables users to preview autofilling more clearly within form fields. The addition of visual icons is a first step to clarifying what fields are expected to be filled. For example, a profile icon means Autofill fills any form fields related to address and contact info saved in Autofill. 
    Shifted Autofill menu

   

 

  • Optimized user experience on iOS   back to top

    Chrome on iOS optimizes user experience by fetching page load metadata from a Google service, based on the pages that users navigate to. All requests to Google are anonymous, and you can control this behavior with the UrlKeyedAnonymizedDataCollectionEnabled enterprise policy. 

   

 

  • Private Network Access preflights for subresources   back to top

    Sends a CORS preflight request ahead of any private network requests for subresources, asking for explicit permission from the target server. This request carries a new `Access-Control-Request-Private-Network: true` header, and the response must carry a matching `Access-Control-Allow-Private-Network: true` header.

    A private network request is any request from a public website to a private IP address or localhost, or from a private website, for example, intranet, to localhost. Sending a preflight request mitigates the risk of cross-site request forgery attacks against private network devices such as routers, which are often not prepared to defend against this threat.

    You can control this behavior using enterprise policies InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls.  

↑ back to top  

   

 

Chrome OS updates

   

 

  • Chrome Management Telemetry API   back to top

    This is a new API that provides telemetry information from managed Chrome OS devices. The initial set of telemetry data focuses on hardware performance—CPU, memory, storage, and graphics. You can see the full documentation here.  

   

 

  • Revamped user and device reporting controls   back to top

    There are now additional controls for reporting within device settings. You can view all available data for features that require reporting, such as the device details, insight reports, or the Telemetry API. Please see the support article for additional information.  

   

 

  • Chrome Policy API supports Device settings   back to top

    The Chrome Policy API is a suite of services that allows Chrome administrators to view, manage, and get insights about the usage of Chrome OS and Chrome browsers in their organization. The API was launched in March 2021 with support for User and printer settings. Subsequently, support for Apps and Extensions settings was added. Now in Chrome 97, the API includes support for Device Settings. 

↑ back to top  

   

 

  • Offline grammar check   back to top

    Grammar check is now available on Chrome OS devices with or without the internet. It’s enabled by default, so just click on the suggested text to accept it. It works on text fields across the web so you can write notes, send calendar invites, build docs, and more. 

   

 

  • Magnifier continuous panning   back to top

    Chrome OS Magnification now allows you to choose to move the portion of the screen that is magnified continuously as you move the mouse. This is in addition to the previous existing options that allow you to move the magnified area when your mouse touches the edge of the screen or the option that keeps the mouse in the center of the screen. To access this feature, go to Chrome OS Settings > Advanced > Accessibility > Manage accessibility features > Enable fullscreen magnifier

   

 

  • Gallery app supports audio playing and multi window   back to top

    Audio playing experience on Chrome OS gets a brand new look under the Gallery app. Additionally, Gallery now supports multiple windows. This means users can view and edit multiple media files simultaneously.  

 

Admin console updates

   

 

  • Browser list data downloadable in CSV format   back to top

    Chrome introduces an optional CSV format to download the browser list data from the Admin console. 

   

 

  • Read-only privilege for managed browsers   back to top

    Chrome introduces a read-only privilege for managed browsers. Admins can easily create custom admin roles with read-only access to managed browsers in the Admin console. 

↑ back to top  

   

 

  • Reports overview page   back to top

    A new reports overview page provides a summary of all the reports available. The new page is available under the Device > Chrome > Reports menu. 

   

 

  • Insights report: Devices that need attention  back to top

    A new report highlights categories of devices that require attention. The new report is available under the Device > Chrome > Reports > Insights menu.

    The categories are:
    • Devices that have not synched policies in 28 days
    • Devices that have not seen user activity in 28 days
    • Devices that are pending OS updates
    • Devices that are not compliant with the OS version that was set by policy 
      • For example, if a device policy requires Chrome 94 running on devices, but several devices are on Chrome 90.
    • Devices that are unable to apply a policy due to an OS mismatch 
      • For example, if a set policy due to be applied has a minimum supported Chrome OS version of Chrome 96, but devices are on Chrome 90.

    Clicking on the category takes you to the device list page with filters applied according to the category. For more details, see this Help Center article.

   

 

Coming soon

 

Upcoming Chrome browser changes

   

 

  • Network Service on Windows will be sandboxed   back to top

    As early as Chrome 98, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy has been added to allow early testing of the new sandbox, and to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter. 

   

 

  • Use of Chrome passwords in other apps on iOS   back to top

    From Chrome 98, iOS users will be informed that they can use their saved passwords in other apps on their device.

    The Chrome > Settings > Passwords screen will show a new option for Passwords in Other Apps, which will guide users to turn on this feature in iOS autofill settings. 

↑ back to top

   

 

  • Update GREASE brand list generation   back to top

    User-Agent GREASE aims to prevent bad or exclusionary assumptions from being built on top of User-Agent strings. This change aligns our implementation of GREASE in User-Agent Client Hints with the current spec, which includes additional GREASE characters beyond the current semicolon and space, and which recommends varying the arbitrary version. While we will roll out this change gradually and watch for negative impacts, admins can opt out via the UserAgentClientHintsGREASEUpdateEnabled enterprise policy escape hatch (available in Chrome 98). 

   

 

  • Chrome will maintain its own default root store   back to top

    As early as Chrome 98, to improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.  

   

 

  • Chrome will disable the U2F API by default   back to top

    The U2F API is Chrome's legacy API for interacting with USB security keys. It has been superseded by the W3C Web Authentication API (WebAuthn). In Chrome 98, Chrome will disable the U2F API by default. With Chrome 104, the U2F API will be removed from Chrome.

    Sites can continue to use the U2F API beyond Chrome 98 if they enroll in an Origin Trial. Using the Origin Trial also suppresses the deprecation prompt on the enrolled pages. The Origin Trial will end on July 26, 2022, shortly before the release of Chrome 104.

    Enterprises can suppress deprecation related changes, and keep the U2F enabled, by using the U2fSecurityKeyApiEnabled enterprise policy. This enterprise policy will be removed from Chrome, together with the U2F API, in Chrome 104.

    If you run a website that still uses this API, please refer to the deprecation announcement and blog post for more details.

   

 

  • Chrome will no longer allow TLS 1.0 or TLS 1.1   back to top

    The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.

    In Chrome 91 we announced that the policy no longer works, but users could still bypass the interstitial. In Chrome 98, it will no longer be possible to bypass the interstitial.  

   

 

  • Chrome may leverage MiraclePtr to improve security   back to top

    As early as Chrome 99, Chrome will leverage MiraclePtr to reduce the risk of security vulnerabilities relating to memory safety. The Chrome team gathered data on the performance cost of MiraclePtr in Chrome 91, but domain-joined enterprises on the stable channel were excluded from MiraclePtr builds during that phase. A full release of MiraclePtr in Chrome is planned as early as Chrome 101. 

   

 

  • Feature flag to force the Chrome Major Version number to 100   back to top

    Users and site owners can experiment with the upcoming three-digit (Chrome 100) major release version number in the User-Agent string by turning on the ForceMajorVersion100InUserAgent flag. This forces the browser to send 100 as the major version number. When browsers went from version 9 to 10, the increase in the number of digits in the major version number uncovered many issues in User-Agent string parsing libraries. With this feature flag, we can uncover and address these issues before Chrome 100 rolls out. We encourage admins to submit any issues encountered here.  

↑ back to top  

Chrome 96
Chrome browser updates Security User productivity/ Apps Management
Chrome on Android no longer supports Android Lollipop    
Apps shortcut in the bookmarks bar defaults to off    
Network data moves to a new folder on Windows    
New security events for BeyondCorp Enterprise Threat and Data Protection     
Feature flag to force the Chrome Major Version number to 100    
DNS-based HTTP to HTTPS redirect     
Chrome shows Journeys in the History page    
Chrome starts deprecating the U2F security key API  
Chrome on Android shows reuse warnings for Google passwords    
Chrome sync ends support for Chrome 48 and earlier    
Google Toolbar for Internet Explorer no longer available    
Chrome installer for macOS now available as a single universal version    
New and updated policies in Chrome browser    
Chrome OS updates Security User productivity/ Apps Management
Long-term support channel    
Cloud Based Certificate Provisioning using SCEP  
SAML password change : Chrome Device Token API    
Terms of Service for managed user sessions    
Side Search on Chrome OS    
Nearby Share from ARC++ sharesheet    
Switch Access Setup Guide    
New preference setting for Link capturing    
Add clipboard suggestions to on-screen keyboard    
Chrome Wallpaper app enhancements    
Notification settings move to Chrome OS Settings    
Admin console updates Security User productivity/ Apps Management
New interface for selecting Chrome apps and extensions  
New policies in the Admin console    
Upcoming Chrome browser changes Security User productivity/ Apps Management
Launch Control Flow Guard for Windows    
Network Service on Windows will be sandboxed    
Certificate Transparency enabled on Chrome for Android    
CORS Authorization mishandling    
Chrome will maintain its own default root store    
Chrome will no longer allow TLS 1.0 or TLS 1.1    
Chrome autofill will be more predictable    
New Manifest V2 extensions not accepted after January 17, 2022  
Different-origin iframes JavaScript dialogs deprecation has been postponed indefinitely    
Upcoming Admin console changes Security User productivity/ Apps Management
Browser list data downloadable in CSV format    
Read-only privilege for managed browsers    
Reports overview page    
Insights report: Devices that need attention    

 

↑ back to top

 

Chrome browser updates

 

  • Chrome on Android no longer supports Android Lollipop   

    Chrome 96 does not support or ship to users running Android Lollipop.

    The last version of Chrome that supports Android Lollipop is Chrome 95, and it included a message to affected users informing them to upgrade their operating system. 

 

  • Apps shortcut in the bookmarks bar defaults to off   

    The Apps shortcut in the bookmarks bar now defaults to off. Chrome also updates the current state for all users who have not changed their setting to the new default (off). 

 

  • Network data moves to a new folder on Windows   

    Data that is needed by the network service, including cookies and other data files, is now stored in a subdirectory underneath the previous location called Network. This is to support the upcoming Network Sandbox (see below). This migration happens automatically and transparently. No action is required, however, you might need to update any scripts that rely on the location of these files. 

 

  • New security events for BeyondCorp Enterprise Threat and Data Protection   

    Chrome 96 adds two new security events to BeyondCorp Enterprise Threat and Data Protection: Password leak and login. This functionality allows admins to understand enterprise credential usage, to shadow IT within their organization, and to stay ahead of potential security incidents regarding passwords exposed in data breaches. 

↑ back to top
 

 

  • Feature flag to force the Chrome Major Version number to 100   

    Starting in Chrome 96, users and site owners can experiment with the upcoming three-digit (Chrome 100) major release version number in the User-Agent string by turning on the ForceMajorVersion100InUserAgent flag. This forces the browser to send 100 as the major version number.  When browsers went from version 9 to 10, the increase in the number of digits in the major version number uncovered many issues in User-Agent string parsing libraries.  With this feature flag, we can uncover and address these issues before Chrome 100 rolls out.  We encourage admins to submit any issues encountered here

 

  • DNS-based HTTP to HTTPS redirect   

    Chrome queries DNS for HTTPS records (alongside traditional A and AAAA queries). When a website has deployed an HTTPS DNS record and Chrome receives it, Chrome always connects to the website via HTTPS (Chrome Status). This was previously enabled for 50% of users on the Canary, Dev, and Beta channels. 

 

  • Chrome shows Journeys in the History page   

    For some users, Chrome 96 clusters local browsing activity on the History page into Journeys to make it easier to find prior activity and continue it with related search suggestions. For keywords typed into the Omnibox that match a cluster, an action chip displays for seamless access to the Journeys view. Users can delete clusters and disable Journeys, if desired. Additionally, admins will have the option to disable this feature using the HistoryClustersVisible policy, starting in Chrome 97. 

 

  • Chrome starts deprecating the U2F security key API   

    The U2F API is Chrome's legacy API for interacting with USB security keys. It has been superseded by the W3C Web Authentication API (WebAuthn).  Beginning with Chrome 96, when sites make U2F API requests, users might see a prompt that includes a notice about the U2F API’s deprecation. In Chrome 98, Chrome will disable the U2F API by default. With Chrome 104, the U2F API will be removed from Chrome.

    Sites can continue to use the U2F API beyond Chrome 98 if they enroll in an Origin Trial. Using the Origin Trial also suppresses the deprecation prompt on the enrolled pages. The Origin Trial will end on July 26, 2022, shortly before the release of Chrome 104.

    Enterprises can suppress deprecation related changes, and keep the U2F enabled, by using the U2fSecurityKeyApiEnabled enterprise policy. This enterprise policy will be removed from Chrome, together with the U2F API, in Chrome 104.

    If you run a website that still uses this API, please refer to the deprecation announcement and blog post for more details. 

 

  • Chrome on Android shows reuse warnings for Google passwords   

    Similar to Chrome on other platforms, Chrome on Android now shows warnings if it detects that your Google passwords were reused on a malicious website. You can control this behavior using the PasswordProtectionWarningTrigger enterprise policy. 

↑ back to top
 

 

  • Chrome sync ends support for Chrome 48 and earlier   

    As previously communicated, Chrome sync no longer supports Chrome 48 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome sync. 

 

  • Google Toolbar for Internet Explorer no longer available   

    The Google Toolbar for Internet Explorer is being phased out. As of mid-November, it will no longer be available for download. 

 

  • Chrome installer for macOS now available as a single universal version   

    The .dmg installer available to users on macOS now contains both the x86_64 and the arm64 versions of the product. When installing, users no longer have to choose the CPU architecture. With Chrome 96, existing Chrome installations will be updated to universal automatically. This may increase the size of Chrome on disk.

    Note that the enterprise-specific .pkg installer was already a universal installer. 

 

↑ back to top
 

Chrome OS updates

 

For over a decade, Chrome OS has delivered new milestone releases every six weeks, providing users and IT with a secure, speedy, and stable experience. Earlier this year, we announced that Chrome OS would switch to a 4-week stable release, starting with Chrome 96. This shift allows us to deliver features and security updates more quickly.

 

 

  • Long-term support channel   

    From Chrome 96, Chrome OS provides an option for organizations to use a new Long-term support (LTS) channel, with feature milestone updates every six months. Devices on the LTS channel will still receive frequent security updates. Admins can easily switch from LTS to other channels if desired. For more details, see this article

 

  • Cloud Based Certificate Provisioning using SCEP   

    Chrome OS provides a new way to provision and renew certificates on managed devices in Microsoft Active Directory Certificate Service (ADCS) environments using the Simple Certificate Enrollment Protocol (SCEP). The new provisioning flow, for device-based certificates, enables automated certificate deployment and renewals that occur with no end user interaction and before user sign-in. For more details, see this article

 

  • SAML password change : Chrome Device Token API   

    Chrome 96  supports password updates on Chrome OS devices after a user’s password is changed on a third-party Identity Provider (IdP). This helps to increase the convenience for the end user, and to enforce corporate policies on Chrome OS devices. Admins can use the Chrome Device Token API to allow IdPs to notify Chrome OS devices that users have changed their password. API documentation is available, and this article (step 4/5) has been updated with guidance for administrators. 

 

  • Terms of Service for managed user sessions   

    Admins can now display their Terms of Service to users at the beginning of every managed user’s session. This functionality was previously available for managed guest sessions only. 

 

  • Side Search on Chrome OS   

    To make it easier to compare search results and find what you’re looking for more quickly in Chrome browser, there’s a new side panel in Chrome OS. You can now view a page and the search results at the same time. This lets you view a page right in your main browser window without needing to navigate back and forth or losing your search results. Admins can disable this feature via the SideSearchEnabled policy. 

↑ back to top
 

 

  • Nearby Share from ARC++ sharesheet   

    This feature allows users to use Nearby Share from Android Runtime for Chrome (ARC++). Prior to this Nearby Share has been available in Files app, PWAs and other system apps. Nearby Share allows users to easily share content across devices, for example, from Chromebook to a device running Chrome browser, such as an Android phone or a Windows PC. 

 

  • Switch Access setup guide   

    Switch Access is an alternate input method that enables users to control their device with just one or more buttons. As of Chrome 96, Switch Access users will now have a setup guide which will help walk new users through the process of setting up and using their switches. 

 

  • New preference setting for link capturing   

    This adds a new preference to Apps settings that allows users to set apps as the default handler of supported links. For example, the Zoom PWA can become the default handler for zoom.us links. 

 

  • Add clipboard suggestions to on-screen keyboard   

    Chrome 96 suggests recently copied items in the on-screen keyboard or Virtual Keyboard suggestion row to simplify your paste actions. If you copy an item and open your Virtual Keyboard you should see that item as an option in the top row. Click it to paste. Previously, Chrome 94 made clipboard items accessible from the virtual keyboard. Chrome 96 adds clipboard items copied within the last two minutes to the suggestion row in the virtual keyboard for even easier access. 

 

  • Chrome Wallpaper app enhancements   

    TheChrome OS wallpaper picker now has a more visual UI that helps users to select from a variety of wallpaper collections or their own images. Users can open it from the  home screen using right-click > Set wallpaper

↑ back to top
 

 

  • Notification settings move to Chrome OS Settings   

    Chrome 96 includes a new dedicated Notifications page in Chrome OS Settings. In earlier releases, Notifications were accessed from the Quick Settings menu. 

Admin console updates

 

  • New interface for selecting Chrome apps and extensions   

    The Admin console now uses the same user interface as the Chrome Web Store for selecting new Chrome apps and extensions.

    Web store app settings

 

  • New policies in the Admin console   
     
    Policy Name Pages Supported on Category/Field

    DevicePciPeripheralDataAccessEnabled

    Device Settings

    Chrome OS

    Other settings > Data access protection for peripherals

    InsecurePrivateNetworkRequestsAllowed

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Android

    Content > Request from insecure websites to more-private network endpoints

    VirtualKeyboardFeatures

    Device Settings

    Chrome OS

    Kiosk settings > Kiosk virtual keyboard features

    AllowedInputMethods

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome OS

    User experience > Allowed input methods

    DisplayCapturePermissionsPolicyEnabled

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Security > Insecure Media Capture

    AllowedLanguages

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome OS

    User experience > Allowed chrome OS languages

    SpellcheckLanguage

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    User experience > Spell check > Enforced spellcheck languages

    SpellcheckLanguageBlocklist

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    User experience > Spell check > Disabled spellcheck languages

    CrossOriginWebAssemblyModuleSharingEnabled

    User & Browser Settings

    Chrome

    Chrome OS

    Content > Allow WebAssembly cross-origin

    LockScreenReauthenticationEnabled

    User & Browser Settings

    Chrome OS

    Security > SAML single sign-on password synchronization flows

    SamlInSessionPasswordChangeEnabled

    User & Browser Settings

    Chrome OS

    Security > SAML single sign-on password synchronization > Password synchronization between third-party SSO providers and Chrome devices

    SamlPasswordExpirationAdvanceWarningDays

    User & Browser Settings

    Chrome OS

    Security > SAML single sign-on password synchronization > How many days in advance to notify SAML users when their password is due to expire

    ManagedAccountsSigninRestriction

    User & Browser Settings

    Chrome

    Sign-in settings > Separate profile for managed Google Identity

    ArcAppToWebAppSharingEnabled

    User & Browser Settings

    Chrome OS

    Android applications > Sharing from Android apps to Web apps

     

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

 

Upcoming Chrome browser changes

 

  • Launch Control Flow Guard for Windows   

    As early as Chrome 97, Chrome will make security improvements by introducing Control Flow Guard (CFG) for Windows. This change might cause interoperability issues with software that injects code into Chrome’s process space, such as Data Loss Prevention software. Please file a bug to let us know if you encounter issues. 

    As CFG affects how Chrome is compiled, it will  not be possible to control it via enterprise policies, but you can test it in the Dev and Beta channels for Chrome 97. 

 

  • Network Service on Windows will be sandboxed   

    As early as Chrome 97, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. An enterprise policy has been added to allow early testing of the new sandbox, and to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter. 

↑ back to top
 

 

 

  • CORS Authorization mishandling   

    When scripts make a cross-origin network request via fetch() and XMLHttpRequest with an Authorization header, the header should be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response (Chrome Status). The wildcard symbol (*) in the Access-Control-Allow-Headers should not work. This has not been implemented correctly, and the wildcard symbol has taken effect. This will be fixed in Chrome 97.

    Note that Authorization headers attached by Chrome during the authentication process are out of scope for this change. 

 

  • Chrome will maintain its own default root store   

    As early as Chrome 98, to improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet. 

 

  • Chrome will no longer allow TLS 1.0 or TLS 1.1   

    The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.

    In Chrome 91 we announced that the policy no longer works, but users could still bypass the interstitial. In Chrome 98, it will no longer be possible to bypass the interstitial. 

 

  • Chrome Autofill will be more predictable   

    Chrome Autofill will be more visible with a new menu position. It will also add dynamic highlighting to show precisely what fields will be filled automatically. 

↑ back to top
 

 

  • New Manifest V2 extensions not accepted after January 17, 2022   

    As part of the gradual deprecation of Manifest V2, the Chrome Web Store will stop accepting submissions of new Manifest V2 extensions after January 17, 2022. This applies to all new extension submissions with visibility set to Public or Unlisted.

    The change will not affect updates to already published extensions. Also, it will not impact extensions with visibility set to Private. The change is not expected to affect the operation of any existing extensions already deployed in Chrome. 

    Note that the next phase of deprecation in June of 2022, is expected to expand this restriction to extensions with Private visibility, which may have a more significant impact on Enterprise extension workflows.

    For more details, refer to the Manifest V2 support timeline

 

  • Different-origin iframes JavaScript dialogs deprecation has been postponed indefinitely   

    Previously, we announced a planned change that would cause Chrome to prevent iframes from triggering prompts (window.alert, window.confirm, window.prompt), if the iframe is a different origin from the top-level page. This change was originally planned for Chrome 92, but has been postponed indefinitely due to the feedback we received on this change. We will provide advance notice in the future if we decide to re-enable this change. 

    You can test if this future change will affect applications now by setting the enable_features=SuppressDifferentOriginSubframeJSDialogs flag. 

 

Upcoming Admin console changes

 

 

  • Browser list data downloadable in CSV format   

    As early as Chrome 97, Chrome will introduce an optional CSV format to download the browser list data from the Admin console. 

 

  • Read-only privilege for managed browsers   

    As early as Chrome 97, Chrome will introduce a read-only privilege for managed browsers. Admins will be able to easily create custom admin roles with read-only access to managed browsers in the Admin console. 

 

  • Reports overview page   

    A new reports overview page will provide a summary of all the reports available. The new page will be available under the Device > Chrome > Reports menu. 

 

  • Insights report: Devices that need attention   

    A new report will highlight categories of devices that require attention. The new report will be available under the Device > Chrome > Reports > Insights menu.

    The categories are:
    • Devices that have not synched policies in 28 days
    • Devices that have not seen user activity in 28 days
    • Devices that are pending OS updates
    • Devices that are not compliant with the OS version that was set by policy
      • For example, if a device policy requires Chrome 94 running on devices, but several devices are on Chrome 90
    • Devices that are unable to apply a policy due to an OS mismatch 
      • For example, if a set policy due to be applied has a minimum supported Chrome OS version of Chrome 96, but devices are on Chrome 90

    Clicking on the category will take you to the device list page with filters applied according to the category.

    For more details, see this Help Center article

↑ back to top
 

Chrome 95

These Chrome 95 release notes contain Chrome Browser updates only. To bridge the gap between Chrome 94 and Chrome 96, Chrome OS will skip Chrome 95 and will include all relevant security fixes on the Chrome 94 milestone.

 

Chrome browser updates Security User productivity/ Apps Management
Stricter parsing rules for Legacy Browser Support    
Origin Trial for reduced User-Agent strings    
Chrome deprecates WebAssembly cross-origin module sharing    
Explicit user prompts for Autofill addresses  
New Side Panel feature    
New and updated policies in Chrome browser    
Admin console updates Security User productivity/ Apps Management
New policies in the Admin console    
Upcoming Chrome browser updates Security User productivity/ Apps Management
Chrome on Android will no longer support Android Lollipop    
Apps shortcut in the bookmarks bar will default to off    
Network data will be migrated to a new folder on Windows    
Network service on Windows will be sandboxed    
New security events for BeyondCorp Enterprise Threat and Data Protection  
NewTabPageLocation enterprise policy on Incognito    
Feature flag to force the Chrome major version number to 100    
DNS-based HTTP to HTTPS redirect    
Chrome will begin deprecating the U2F Security Key API  
CORS Authorization mishandling    
Chrome will maintain its own default root store  
Chrome will remove legacy policies with non-inclusive names    
Chrome will no longer allow TLS 1.0 or TLS 1.1  
Different-origin iframes will no longer trigger JavaScript dialogs  
Upcoming Admin console updates Security User productivity/ Apps Management
Browser list data downloadable in CSV format    

 

↑ back to top

 

Chrome browser updates

 
  • Stricter parsing rules for Legacy Browser Support   

    Organizations that rely on Legacy Browser Support (LBS) to redirect their users to Microsoft Edge or Internet Explorer can use the BrowserSwitcherParsingMode policy to choose how their site list is interpreted by Chrome. If set to IESiteListMode, Chrome interprets those rules in the same way as Edge and Internet Explorer. 
  • Origin Trial for reduced User-Agent strings

    Chrome 95 begins an Origin Trial for the fully reduced User-Agent string.  We would like sites to begin participating in the trial so we may collect feedback and allow sites to have ample time to address breakage. The reduced User-Agent string appears in both the User-Agent HTTP request header and the JavaScript APIs that access the User-Agent string (navigator.userAgent, navigator.appVersion, navigator.platform).  This Origin Trial will run over the next six releases, until the reduced User-Agent starts a phased rollout. Subsequently, for sites that may need more time for migration, a deprecation Origin Trial will be available. Enterprises can opt in to the Origin Trial here when it is available. 
  • Chrome deprecates WebAssembly cross-origin module sharing

    Chrome 95 prevents WebAssembly module sharing between cross-origin but same-site environments. This allows agent clusters to be tied to origins in the long-term. This change conforms to recent changes in the WebAssembly spec (Chrome Status).

    If your enterprise needs any additional time to adjust to this change, a temporary enterprise policy CrossOriginWebAssemblyModuleSharingEnabled is available to allow module sharing for cross-origin same-site environments. This policy will be removed in Chrome 97. 
  • Explicit user prompts for Autofill addresses

    In previous releases, when Autofill was enabled, Chrome saved detected addresses as users submitted forms. This update provides more transparency and control to the user by adding a save prompt, and giving the user the control to edit, save, update, or discard the detected address before it is stored. When the AutofillAddressEnabled policy is set to false, this feature is not enabled. 
  • New Side Panel feature

    Chrome on Windows, Mac, ChromeOS, and Linux, introduces a new side panel feature. This panel, opened by a toolbar icon, provides easier access to the Reading list and Bookmarks, in a vertical list. The side panel can be left open while the user browses. 

↑ back to top

  • New and updated policies in Chrome browser
     

    Policy

    Description

    BrowserLegacyExtensionPointsBlocked

    Setting the policy to Enabled or leaving it unset will enable ProcessExtensionPointDisablePolicy to block legacy extension points in the Browser process.

    BrowserSwitcherParsingMode

    This policy controls how Google Chrome interprets sitelist/greylist policies for the Legacy Browser Support feature. It affects the following policies: BrowserSwitcherUrlList, BrowserSwitcherUrlGreylist, BrowserSwitcherUseIeSitelist, BrowserSwitcherExternalSitelistUrl, and BrowserSwitcherExternalGreylistUrl.

    ContextAwareAccessSignalsAllowlist

    Enables Chrome Enterprise Platform Identity Connector for a list of URLs.  
    Setting this policy specifies which URLs should be allowed to be part of the attestation flow to get the set of signals from the machine.

    PrintPdfAsImageDefault

    Controls if Google Chrome makes the Print as image option default to set when printing PDFs.

    PrintPostScriptMode

    Controls how Google Chrome prints on Microsoft Windows.

 

↑ back to top

Admin console updates

  • New policies in the Admin console
     

    Policy Name

    Pages

    Supported on

    Category/Field

    SuggestLogoutAfterClosingLastWindow

    Managed Guest Session Settings

    Chrome OS

    Session settings / Display the logout confirmation dialog

    DeviceMinimumVersion

    Device Settings

    Chrome OS

    Device update settings / Auto-update settings / Enforce updates

    DeviceMinimumVersionAueMessage

    Device Settings

    Chrome OS

    Device update settings / Auto-update settings / Enforce updates Auto Update Expiration (AUE) message

    JavaScriptJitAllowedForSites

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Android

    Content / JavaScript JIT / Allow JavaScript to use JIT on these sites

    DefaultJavaScriptJitSetting

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Android

    Content / JavaScript JIT

    JavaScriptJitBlockedForSites

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Android

    Content / JavaScript JIT / Block JavaScript from using JIT on these sites

    RemoteDebuggingALlowed

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Security / Allow remote debugging

    DesktopSharingHubEnabled

    User & Browser Settings

    Chrome

    Content / Desktop sharing in the omnibox and 3-dot menu

 

↑ back to top

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

 

Upcoming Chrome browser changes

 

  • Chrome on Android will no longer support Android Lollipop

    The last version of Chrome that will support Android Lollipop will be Chrome 95, and it includes a message to affected users informing them to upgrade their operating system. Chrome 96 will not support nor ship to users running Android Lollipop. 
  • Apps shortcut in the bookmarks bar will default to off   

    As early as Chrome 96, Chrome will make the Apps shortcut in the bookmark bar default to off. Chrome will also update the current state for all users who have never changed their setting to the new default (off).
  • Network data will be migrated to a new folder on Windows   

    In Chrome 96, data that is needed by the network service, including cookies and other data files, will be migrated to a subdirectory underneath the current location called Network. This is to support the upcoming Network Sandbox (see below). This migration will happen automatically and transparently. No action is required, however, you might need to update any scripts that rely on the location of these files.
  • Network Service on Windows will be sandboxed   

    To improve the security and reliability of the service, the network service, already running in its own process, will be sandboxed on Windows to improve the security and reliability of the service (as early as Chrome 97). As part of this, third-party code that is currently able to tamper with the network service will be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. An enterprise policy has been added to allow early testing of the new sandbox, and to disable the sandbox if incompatibilities are discovered. Please consider testing the sandbox in your environment using these instructions and report any issues encountered.
  • New security events to BeyondCorp Enterprise Threat and Data Protection   

    Chrome 96 will add two new security events to BeyondCorp Enterprise Threat and Data Protection: Password leak and login. This functionality will allow admins to understand enterprise credential usage, to shadow IT within their organization, and to stay ahead of potential security incidents regarding passwords exposed in data breaches.

↑ back to top

  • NewTabPageLocation enterprise policy on Incognito 

    Chrome 96 will fix a bug that prevents users from starting new Incognito sessions when the enterprise policy NewTabPageLocation is set to a chrome://… URL. In future, this policy will be ignored in Incognito mode. Users on Incognito will see the default new tab page. There’s no change in how the policy is applied on regular mode (non-Incognito windows).
  • Feature flag to force the Chrome Major Version number to 100   

    Starting in Chrome 96, users and site owners can experiment with the upcoming three-digit (Chrome 100) major release version number in the User-Agent string by turning on the ForceMajorVersion100InUserAgent flag. This forces the browser to send 100 as the major version number.  When Chrome went from version 9 to 10, the increase in the number of digits in the major version number uncovered many issues in User-Agent string parsing libraries.  With this feature flag, we can uncover and address these issues before Chrome 100 rolls out.  We encourage admins to submit any issues encountered here.
  • DNS-based HTTP to HTTPS redirect

    As early as Chrome 96, Chrome will query DNS for HTTPS records (alongside traditional A and AAAA queries). When a website has deployed an HTTPS DNS record and Chrome receives it, Chrome will always connect to the website via HTTPS (Chrome Status). 
  • Chrome will begin deprecating the U2F security key API

    The U2F API is Chrome's legacy API for interacting with USB security keys. It has been superseded by the W3C Web Authentication API (WebAuthn).  Beginning with Chrome 96, when sites make U2F API requests, users may see a prompt that includes a notice about the U2F API’s deprecation. In Chrome 98, Chrome will disable the U2F API by default. With Chrome 104, the U2F API will be removed from Chrome.

    Sites can continue to use the U2F API beyond Chrome 98 if they enroll in an Origin Trial. Using the Origin Trial also suppresses the deprecation prompt on the enrolled pages. The Origin Trial will end on July 26, 2022, shortly before the release of Chrome 104.

    Enterprises can suppress deprecation related changes, and keep the U2F enabled, by using the U2fSecurityKeyApiEnabled enterprise policy. This enterprise policy will be removed from Chrome, together with the U2F API, in Chrome 104.

    If you run a website that still uses this API, please refer to the deprecation announcement for more details. 
  • CORS Authorization mishandling

    When scripts make a cross-origin network request via fetch() and XMLHttpRequest with an Authorization header, the header should be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response (Chrome Status). The wildcard symbol (*) in the Access-Control-Allow-Headers should not work. This has not been implemented correctly, and the wildcard symbol has taken effect. This will be fixed in Chrome 97.

    Note that Authorization headers attached by Chrome during the authentication process are out of scope for this change. 

↑ back to top

  • Chrome will maintain its own default root store

    To improve user security, and provide a consistent experience across different platforms, Chrome, as early as Chrome 97, intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
  • Chrome will remove legacy policies with non-inclusive names

    Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names. To minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome.

    Note: If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy. Deprecated policies will be available in the Deprecated policies folder and deleted policies will be in the Removed policies folder in the GPO editor.

    This transition period will end in Chrome 97, and the following policies in the left column will no longer function. This change was originally announced for Chrome 95, but has been extended to Chrome 97. Please ensure you're using the corresponding policy from the right column instead:
     

    Legacy Policy Name

    New Policy Name

    NativeMessagingBlacklist

    NativeMessagingBlocklist

    NativeMessagingWhitelist

    NativeMessagingAllowlist

    AuthNegotiateDelegateWhitelist

    AuthNegotiateDelegateAllowlist

    AuthServerWhitelist

    AuthServerAllowlist

    SpellcheckLanguageBlacklist

    SpellcheckLanguageBlocklist

    AutoplayWhitelist

    AutoplayAllowlist

    SafeBrowsingWhitelistDomains

    SafeBrowsingAllowlistDomains

    ExternalPrintServersWhitelist

    ExternalPrintServersAllowlist

    NoteTakingAppsLockScreenWhitelist

    NoteTakingAppsLockScreenAllowlist

    PerAppTimeLimitsWhitelist

    PerAppTimeLimitsAllowlist

    URLWhitelist

    URLAllowlist

    URLBlacklist

    URLBlocklist

    ExtensionInstallWhitelist

    ExtensionInstallAllowlist

    ExtensionInstallBlacklist

    ExtensionInstallBlocklist

    UserNativePrintersAllowed

    UserPrintersAllowed

    DeviceNativePrintersBlacklist

    DevicePrintersBlocklist

    DeviceNativePrintersWhitelist

    DevicePrintersAllowlist

    DeviceNativePrintersAccessMode

    DevicePrintersAccessMode

    DeviceNativePrinters

    DevicePrinters

    NativePrinters

    Printers

    NativePrintersBulkConfiguration

    PrintersBulkConfiguration

    NativePrintersBulkAccessMode

    PrintersBulkAccessMode

    NativePrintersBulkBlacklist

    PrintersBulkBlocklist

    NativePrintersBulkWhitelist

    PrintersBulkAllowlist

    UsbDetachableWhitelist

    UsbDetachableAllowlist

    QuickUnlockModeWhitelist

    QuickUnlockModeAllowlist

    AttestationExtensionWhitelist

    AttestationExtensionAllowlist

    PrintingAPIExtensionsWhitelist

    PrintingAPIExtensionsAllowlist

    AllowNativeNotifications

    AllowSystemNotifications

    DeviceUserWhitelist

    DeviceUserAllowlist

    NativeWindowOcclusionEnabled

    WindowOcclusionEnabled

     

    If you're managing Chrome via the Admin console (for example, Chrome Browser Cloud Management), no action is required; the Admin console will manage the transition automatically.

 

↑ back to top

  • Chrome will no longer allow TLS 1.0 or TLS 1.1

    The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.

    In Chrome 91 we announced that the policy no longer works, but users could still bypass the interstitial. As early as Chrome 98, it will no longer be possible to bypass the interstitial. 
  • Different-origin iframes will no longer trigger JavaScript dialogs

    Chrome will prevent iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. This change will prevent embedded content from spoofing the user into believing a message is coming from the website they're visiting, or from Chrome itself. Please note that this change was originally planned for Chrome 92, but has been postponed until at least Chrome 98 due to the feedback we received on this change. Once this deprecation launches, you can control the behavior with the enterprise policy SuppressDifferentOriginSubframeDialogs.

    You can test if this future change will affect applications now by setting the enable_features=SuppressDifferentOriginSubframeJSDialogs flag. 

Upcoming Admin console changes

 
  • Browser list data downloadable in CSV format

    As early as Chrome 97, a CSV format will be introduced as an option to download the browser list data from the Admin console. 

↑ back to top

Chrome 94 OS

Chrome OS updates

 
  • Enhanced voices in select-to-speak

    Select-to-speak supports people who have challenges reading text content due to vision impairments and conditions like dyslexia, by allowing them to select pieces of text and hear them out loud. This enhancement gives select-to-speak the ability to produce realistic, natural-sounding voices as it speaks the text content.

     
  • Include desk labels when moving tabs

    If you use desks on Chrome OS, it's now easier to organize your browser tabs. Windows in the same desk appear together when you select Move tab to another window.

     
  • Document scanning in the camera app

    The camera app now supports document scanning. With document scanning, the camera can identify, capture, and crop your documents. You can also save your documents as a PDF or image.

     

Admin console updates

 
  • Extensions version pinning

    Chrome browser and Chrome OS admins can now pin extensions (and apps) to specific versions, either by self-hosting them or from the Chrome Webstore (based on an automatic hosting in Google Cloud Storage).  Learn more

     
  • Read-only delegated admin

    A new read-only delegated admin permission allows IT admins to grant read-only access to Chrome OS device info in their Google Admin console and in the Directory API.  Read-only access is useful for help desk admins, 3P partners, for reporting tools, and more!

     
  • Search by on-device policy name

    IT admins can now search by on-device policy name to the Admin console. For example, if an admin searches for ProxyPacUrl, they’ll see the corresponding setting, Proxy mode, in the Admin console. Admins can also use new info bubbles that appear next to a setting name to see the corresponding on-device policy name.

     
  • New policies in the Admin console
     

    Policy Name

    Pages

    Supported on

    Category/Field

    SuggestLogoutAfterClosingLastWindow

    Managed Guest Session Settings

    Chrome OS

    Session settings / Display the logout confirmation dialog

    DeviceMinimumVersion

    Device Settings

    Chrome OS

    Device update settings / Auto-update settings / Enforce updates

    DeviceMinimumVersionAueMessage

    Device Settings

    Chrome OS

    Device update settings / Auto-update settings / Enforce updates Auto Update Expiration (AUE) message

    JavaScriptJitAllowedForSites

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Android

    Content / JavaScript JIT / Allow Javascript to use JIT on these sites

    DefaultJavaScriptJitSetting

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Android

    Content / JavaScript JIT

    JavaScriptJitBlockedForSites

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Android

    Content / JavaScript JIT / Block JavaScript from using JIT on these sites

    TripleDESEnabled

    User & Browser Settings

    Chrome

    Chrome OS

    Android

    Security / 3DES cipher suites in TLS

    RemoteDebuggingAllowed

    User & Browser Settings;

    Managed Guest Session Settings

    Chrome

    Chrome OS

    Security / Allow remote debugging

    DesktopSharingHubEnabled

    User & Browser Settings

    Chrome

    Content / Desktop sharing in the omnibox and 3-dot menu


     
Chrome 94

Chrome browser updates

 
  • Chrome moves to a 4-week stable channel and introduces an 8-week extended stable channel 

    Chrome on mobile, Windows, Mac, and Linux moves from its 6-week release cycle to a 4-week release cycle, allowing security features, new functionality and bug fixes to reach users more quickly. 

    No action is required for most enterprises, but if you manually update or test new releases of Chrome and prefer a slower release cadence, you can use the existing TargetChannel policy to switch Chrome on Mac and Windows to an extended stable channel, with a new major release every 8 weeks instead. You can find more details in our help center article. Note: If you decide to move to the extended stable channel, we recommend testing it out on a small set of machines or organizational units before deploying it on your entire fleet. Extended Stable is identical to Stable for the first 4 weeks of each cycle, so this sort of testing is most valuable in the last 4 weeks of the Extended Stable cycle.

    To ensure continuous improvements to the Chrome OS platform, Chrome OS will move to a 4-week stable channel starting with Chrome 96. To bridge the gap between Chrome 94 and Chrome 96, Chrome OS will skip Chrome 95 (see the updated Chrome schedule page for milestone-specific details). 

     
  • Chrome on iOS can apply .mobileconfig files

    A .mobileconfig file can be used to configure an iPhone, iPod touch, and iPad to work with certain enterprise systems. Since iOS 12.2, MOBILECONFIG files can be downloaded and installed from Safari and Mail apps. Chrome on iOS now allows users to download these files. Users then have to manually install the profile from the Settings app.
     
  • Chrome deprecates WebSQL in third-party contexts

    Chrome 94 no longer uses WebSQL in third-party contexts, such as cross-origin iframes. A console message is printed each time a WebSQL database opens in a third-party context to alert developers of the upcoming removal. This change does not affect WebSQL in first-party contexts, but the eventual goal is to deprecate and remove all WebSQL.

    WebSQL in third-party contexts will be disabled in Chrome 97, but an enterprise policy will be made available to re-enable it. As of Chrome 101, WebSQL in third-party contexts will be removed entirely.

     
  • Chrome launches HTTPS-First mode (Android and desktop)

    HTTPS-First mode attempts to upgrade all page loads to HTTPS and displays a full-page warning before loading sites that don’t support it. Users who enable this mode gain confidence that Chrome is connecting them to sites over HTTPS whenever possible. Users see a warning before connecting to sites over HTTP.

    An enterprise policy, HttpsOnlyMode, is available to control the use of this mode.

     
  • Chrome blocks the MK external protocol

    Chrome now blocks the legacy external MK protocol for use with Internet Explorer. This protocol enables legacy web apps to extract information from compressed files. This is a legacy asynchronous pluggable protocol that is disabled by default in Internet Explorer. Chrome now blocks this protocol to mitigate potential malicious use.

     
  • Chrome / Citrix Workspace (self-service plugin) stability

    Recent versions of Citrix Workspace install a DLL on Windows that can interfere with the Chrome browser process. Only Windows 10 or 11 systems with Control-flow Enforcement Technology (CET) or Hardware-enforced Stack Protection (Intel 11th Gen and AMD Zen 3 CPUs) with Citrix Workspace installed and Client Protection enabled are affected. While we are working with Citrix to resolve this, please consider using Citrix Workspace with Client Protection Disabled as a temporary workaround.

     
  • PWAs can register as (platform level) URL handlers

    Chrome 94 runs an Origin Trial to allow Progressive Web Apps (PWAs) to register as URL handlers. This means that PWAs can be launched in response to URL link activations, including activations from native apps. PWAs can register to handle any HTTPS URL, not just URLs from their own app scope. If you’re interested in learning more about PWAs as URL handlers, please refer to this article.

     
  • Chrome sync ends support for Chrome 48 and earlier

    Chrome sync no longer supports Chrome 48 and earlier. You need to upgrade to a more recent version of Chrome if you want to continue using Chrome sync.

     
  • Chrome launches a sharing hub

    In Chrome 94, users can more easily share their current page, including Send to your devices, get a QR code for the current URL, and share to third-party websites. The option to Send to your devices is only available to signed-in users. If the user is not signed in, the option does not appear. You can control this feature using an enterprise policy called DesktopSharingHubEnabled.

     
  • Admins can enforce profile separation through enterprise policy

    Chrome 94 updates the dialog when users sign into a managed profile if the ManagedAccountsSigninRestriction policy is set. The new notice clarifies that a separate profile is required by the admin, and the choices for the user are simplified. Some users see a link to open Chrome in guest mode when they sign in to a new profile that's different from the profile signed in to Chrome.

     
  • New enterprise policies for the Web Serial API

    The Web Serial API allows websites to request access to serial devices (USB, Bluetooth, etc.) through a device selection prompt. In previous Chrome versions, policies could only control how the feature was blocked. In Chrome 94, SerialAllowAllPortsForUrls and SerialAllowUsbDevicesForUrls allow admins to grant a website access to specific (or all) connected serial devices, streamlining workflows by removing the need for users to select the correct device.

     
  • Chrome settings restructure

    To aid in navigability, Chrome will replace the single long page in Chrome settings with individual sections. The updated experience is available starting with Chrome 94.

     
  • Chrome updates Certificate Transparency log list via Component Updater

    Chrome 94 uses Component Updater to dynamically update the Certificate Transparency log list, separating these updates from full browser updates. This allows out-of-date clients to keep enforcing Certificate Transparency. Note that full browser updates still contain the transparency log list.

     
  • Chrome introduces tab grid bulk actions 

    Chrome for iOS adds an edit mode to the tab grid to allow easier management of open tabs. Users can select multiple tabs and then add them to the reading list, bookmarked, shared, or closed.

     
  • New onboarding experience for Chrome on iOS 

    Chrome 94 revamps the existing onboarding screens, separating the sign-up and sync features.

     
  • Chrome removes the UserAgentClientHintsEnabled policy 

    The use of Structured Headers in the User Agent Client Hints, and in particular, the Sec-CH-UA and Sec-CH-UA-Mobile headers, caused some unintended consequences where not all servers were able to accept all characters. An enterprise policy UserAgentClientHintsEnabled was created to disable this feature. Chrome 94 removes this policy.

     
  • Chrome launches an API that allows sites to know when the user is active

    Chrome 94 launches the Idle Detection API, allowing websites to request to know if users are idle, allowing messaging apps to direct notifications to the best device. This was previously in Origin Trial and is now rolled out to Stable.

     
  • Chrome launches display-capture

    The display-capture permissions-policy allows sites to more safely embed documents in an iframe. It does so by controlling such documents’ access to screen-capture APIs. This permissions-policy’s default setting prevents screen-capture by cross-origin iframes. For websites that are non-compliant with the spec and need more time to implement the display-capture feature, an enterprise policy, named DisplayCapturePermissionsPolicyEnabled, allows selective bypassing of the display-capture permissions-policy. This enterprise policy will be removed after Chrome 100.

     
  • BeyondCorp Enterprise: custom warnings and bypass justifications

    Today BeyondCorp Enterprise shows generic, predefined warn and block messages when files are flagged due to DLP Rule violations or other Chrome Security events. Chrome 94 introduces the ability to provide more meaningful, customized warning messages to end users. Administrators can now customize these warning messages to make it meaningful, and also add a learn more link to such warnings.

     
  • Chrome launches What's New in Chrome

    What’s New in Chrome is a way for users to discover new features. Starting in Chrome 94, some users see a page that highlights a few features. What’s New in Chrome automatically displays as the focused tab. You can disable this feature by using the existing PromotionalTabsEnabled enterprise policy.

     

New and updated policies in Chrome browser

 
Policy Description

CrossOriginWebAssemblyModuleSharingEnabled

Specifies whether WebAssembly modules can be sent to another window or worker cross-origin. Cross-origin WebAssembly module sharing will be deprecated as part of the efforts to deprecate document.domain, see https://github.com/mikewest/deprecating-document-domain. This policy allows admins to re-enable cross-origin WebAssembly module sharing to offer a longer transition period in the deprecation process.

DisplayCapturePermissionsPolicyEnabled

The display-capture permissions-policy gates access to getDisplayMedia(), as per this spec: https://www.w3.org/TR/screen-capture/#feature-policy-integration. However, if this policy is Disabled, this requirement is not enforced, and getDisplayMedia() is allowed from contexts that would otherwise be forbidden. This Enterprise policy is temporary; it's intended to be removed after Google Chrome version 100. It is intended to unblock Enterprise users whose application is non-spec compliant, but needs time to be fixed.

HttpsOnlyMode

Controls whether users can enable HTTPS-Only Mode in Settings. HTTPS-Only Mode upgrades all navigations to HTTPS.

LensRegionSearchEnabled

Leaving this policy unset or setting it to Enabled allows users to view and use the Google Lens region search menu item in the context menu.

ManagedAccountsSigninRestriction

Controls whether a managed account must be a primary account.

PrintPdfAsImageAvailability

Controls how Google Chrome makes the Print as image option available on Microsoft Windows and macOS when printing PDFs.

PrintRasterizePdfDpi

Controls print image resolution when Google Chrome prints PDFs with rasterization.

SameOriginTabCaptureAllowedByOrigins

Lets you set a list of URL patterns that can capture tabs with their same Origin.

ScreenCaptureAllowedByOrigins

Lets you set a list of URL patterns that can use Desktop, Window, and Tab Capture.

SerialAllowAllPortsForUrls

Allows you to list sites which are automatically granted permission to access all available serial ports.

SerialAllowUsbDevicesForUrls

Allows you to list sites which are automatically granted permission to access USB serial devices with vendor and product IDs matching the vendor_id and product_id fields. Omitting the product_id field allows the given sites permission to access devices with a vendor ID matching the vendor_id field and any product ID.

TabCaptureAllowedByOrigins

Lets you set a list of URL patterns that can use Tab Capture.

WindowCaptureAllowedByOrigins

Lets you set a list of URL patterns that can use Window and Tab Capture.

Admin console updates

 
  • Search by on-device policy name in the Admin console

    Chrome 94 adds the ability to search by on-device policy name to the Admin console. Now when admins enter an on-device policy name, for example, ProxyPacUrl, into the search bar, they’ll see the corresponding setting, for example, Proxy mode, in the Admin console. Admins can also use new info bubbles that appear next to a setting name to see the corresponding on-device policy name.

     
On-device policy search
  • New channel option Extended Stable for Chrome Browser Cloud Management

    Chrome adds Extended Stable as a drop-down option for channel selection in the Chrome update section.

     

New policies in the Admin console

Policy Name Pages Supported on Category/Field

DesktopSharingHubEnabled

User & Browser Settings

Chrome Win/Mac/Linux

Content/Desktop sharing in the omnibox and 3-dot menu

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome browser changes

 
  • Chrome 95 will introduce stricter parsing rules for Legacy Browser Support

    Organizations that rely on Legacy Browser Support (LBS) to redirect their users to Microsoft Edge or Internet Explorer can use the BrowserSwitcherParsingMode policy to choose how their site list is interpreted by Chrome. If set to strict mode, Chrome will interpret those rules in the same way as Edge and Internet Explorer.

     
  • As early as Chrome 95, the network Service on Windows will be sandboxed

    To improve the security and reliability of the service, the network service, already running in its own process, will be sandboxed on Windows to improve the security and reliability of the service. As part of this, third-party code that is currently able to tamper with the network service will be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. You'll be able to disable the change with an enterprise policy when it becomes available.

     
  • Chrome 95 will conduct an Origin Trial for User-Agent Reduction

    Chrome 95 will be conducting an Origin Trial for the fully reduced User-Agent string.  We would like sites to begin participating in the trial so we may collect feedback and allow sites to have ample time to address breakage. The reduced User-Agent string will appear in both the User-Agent HTTP request header as well as the JavaScript APIs that access the User-Agent string (navigator.userAgent, navigator.appVersion, navigator.platform).  The Origin Trial will last six milestones until the reduced User-Agent string becomes the default in Chrome, with a deprecation Origin Trial to continue receiving the full User-Agent string for those sites that still need more time to migrate. Enterprises can opt in to the Origin Trial here when it is available.

     
  • Chrome 95 will deprecate WebAssembly cross-origin module sharing

    Chrome 95 will prevent WebAssembly module sharing between cross-origin but same-site environments. This will allow agent clusters to be tied to origins in the long-term. This change conforms to recent changes in the WebAssembly spec.

    If your enterprise needs any additional time to adjust to this change, a temporary enterprise policy will be made available to allow module sharing for cross-origin same-site environments.

     
  • As early as Chrome 95, Apps shortcut in the bookmarks bar will default to off

    Chrome will make the Apps shortcut in the bookmark bar default to off and update the current state for all users who have never changed their setting to the new default (off).

     
  • Chrome 96 will add new security events to BeyondCorp Enterprise Threat and Data Protection (Password leak and login)

    Chrome 96 will add two new security events to BeyondCorp Enterprise Threat and Data Protection: Password leak and login. This functionality will allow administrators to understand enterprise credential usage and Shadow IT within their organization, and to stay ahead of potential security incidents regarding passwords exposed in data breaches.

     
  • Migrate to Open Screen Library Cast channel

    Chrome 96 will use a new implementation, Open Screen Library, to connect to devices that support Cast like Chromecast, Nest Hub and Android TV.  Chrome users will not observe any differences in how Cast works.

     
  • NewTabPageLocation enterprise policy on Incognito

    Chrome 96 will fix a bug that prevents users from starting new Incognito sessions when the enterprise policy NewTabPageLocation is set to a chrome://… URL. In future, this policy will be ignored in Incognito mode. Users on Incognito will see the default new tab page. There’s no change in how the policy is applied on regular mode (non-Incognito windows).

     
  • As early as Chrome 97, Chrome will no longer allow TLS 1.0 or TLS 1.1

    The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.

    In Chrome 91 we announced that the policy no longer works, but users could still bypass the interstitial. As early as Chrome 97, it will no longer be possible to bypass the interstitial.

     
  • CORS Authorization mishandling

    When scripts make a cross-origin network request via fetch() and XMLHttpRequest with an Authorization header, the header should be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response. The wildcard symbol (*) in the Access-Control-Allow-Headers should not work. This has not been implemented correctly, and the wildcard symbol has taken effect. This will be fixed in Chrome 97.

    Please note that Authorization headers attached by Chrome during the authentication process are out of scope for this change.

     
  • As early as Chrome 97, Chrome will maintain its own default root store

    To improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.

     
  • Chrome 97 will remove legacy policies with non-inclusive names

    Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names. To minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome.

    Note: If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy.

    This transition period will end in Chrome 97, and the following policies in the left column will no longer function. This change was originally announced for Chrome 95, but has been extended to Chrome 97. Please ensure you're using the corresponding policy from the right column instead:
     
    Legacy Policy Name New Policy Name

    NativeMessagingBlacklist

    NativeMessagingBlocklist

    NativeMessagingWhitelist

    NativeMessagingAllowlist

    AuthNegotiateDelegateWhitelist

    AuthNegotiateDelegateAllowlist

    AuthServerWhitelist

    AuthServerAllowlist

    SpellcheckLanguageBlacklist

    SpellcheckLanguageBlocklist

    AutoplayWhitelist

    AutoplayAllowlist

    SafeBrowsingWhitelistDomains

    SafeBrowsingAllowlistDomains

    ExternalPrintServersWhitelist

    ExternalPrintServersAllowlist

    NoteTakingAppsLockScreenWhitelist

    NoteTakingAppsLockScreenAllowlist

    PerAppTimeLimitsWhitelist

    PerAppTimeLimitsAllowlist

    URLWhitelist

    URLAllowlist

    URLBlacklist

    URLBlocklist

    ExtensionInstallWhitelist

    ExtensionInstallAllowlist

    ExtensionInstallBlacklist

    ExtensionInstallBlocklist

    UserNativePrintersAllowed

    UserPrintersAllowed

    DeviceNativePrintersBlacklist

    DevicePrintersBlocklist

    DeviceNativePrintersWhitelist

    DevicePrintersAllowlist

    DeviceNativePrintersAccessMode

    DevicePrintersAccessMode

    DeviceNativePrinters

    DevicePrinters

    NativePrinters

    Printers

    NativePrintersBulkConfiguration

    PrintersBulkConfiguration

    NativePrintersBulkAccessMode

    PrintersBulkAccessMode

    NativePrintersBulkBlacklist

    PrintersBulkBlocklist

    NativePrintersBulkWhitelist

    PrintersBulkAllowlist

    UsbDetachableWhitelist

    UsbDetachableAllowlist

    QuickUnlockModeWhitelist

    QuickUnlockModeAllowlist

    AttestationExtensionWhitelist

    AttestationExtensionAllowlist

    PrintingAPIExtensionsWhitelist

    PrintingAPIExtensionsAllowlist

    AllowNativeNotifications

    AllowSystemNotifications

    DeviceUserWhitelist

    DeviceUserAllowlist

    NativeWindowOcclusionEnabled

    WindowOcclusionEnabled


     
    If you're managing Chrome via the Admin console (for example, Chrome Browser Cloud Management), no action is required; the Admin console will manage the transition automatically.

     
  • In Chrome 98, Chrome apps will be deprecated on Mac, Windows, and Linux

    As part of the previously-communicated plan to replace Chrome apps with the open web, Chrome apps will no longer function on Mac, Windows, and Linux in Chrome 98. For enterprises that need extra time to adjust to the removal of Chrome apps, a policy called ChromeAppEnabled will be available to extend support for them until June 2022.

     
  • As early as Chrome 98, different-origin iframes will no longer trigger JavaScript dialogs

    Chrome will prevent iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. This change will prevent embedded content from spoofing the user into believing a message is coming from the website they're visiting, or from Chrome itself. Please note that this change was originally planned for Chrome 92, but has been postponed until at least Chrome 98 due to the feedback we received on this change. Once this deprecation launches, you can control the behavior with the enterprise policy SuppressDifferentOriginSubframeDialogs.

    You can test if this future change will affect applications now by setting the enable_features=SuppressDifferentOriginSubframeJSDialogs flag.

     

Upcoming Admin console changes

 
  • Browser list data will be available for download in CSV format in the Admin console

    As early as Chrome 95, a CSV format will be introduced as an option to download the browser list data from the Admin console.

     
  • Chrome will delete inactive browsers from Chrome Browser Cloud Management 

    Many enterprise customers have to adhere to regulation around data retention. To aid in this effort, as early as chrome 95, we will launch a new policy that will automatically delete inactive browser information from Google servers.

    By default, browsers that do not connect to the Google servers for 365 days will be considered inactive and automatically deleted. Admins will be able to modify the default value (Allowable range: 28 - 730 days).

     
Chrome 93

Chrome browser updates

 
  • SyncXHR policy is no longer available

    Chrome 93 removes the AllowSyncXHRInPageDismissal enterprise policy. Before updating to Chrome 93, web application owners must update all apps that previously relied on legacy platform behavior. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications.

     
  • New RelaunchWindow policy

    The RelaunchWindow enterprise policy allows admins to specify a window of time when Chrome relaunches to force an update to apply. You can use this policy, in conjunction with RelaunchNotification, RelaunchNotificationPeriod, and RelaunchHeadsUpPeriod to control when Chrome relaunches to apply an update. RelaunchWindow helps you to minimize disruption and to force a relaunch outside of business hours. In Chrome 93, these policies are available in Group Policy. These policies will become available in the Admin console at a later date.

     
  • New JavaScript JIT setting policies 

    Chrome 93 introduces three new policies: 
    These policies allow Chrome's JavaScript engine to default to using the Ignition interpreter in a JIT-less mode for a set of enterprise-defined sites.

    Disabling the JavaScript JIT in this way may allow Chrome to render web content in a more secure configuration, as no executable permissions are needed for memory regions. However, disabling JIT has performance costs and currently disables some parts of JavaScript, including WebAssembly.

     
  • Full launch of Drive priority launchpad on New tab page

    To help users get work done faster, Chrome 93 shows the Drive files the user is more likely to need on the New tab page. This feature uses Drive’s existing priority API, which powers the Priority section of drive.google.com. Some users see this change in Chrome 93.

     
  • Publishing updates to extensions requires 2-Step Verification

    As part of the rollout of a set of updates and clarifications to the Chrome Web Store extension policies, the Chrome Web Store now requires 2-Step Verification on developer accounts before adding a new extension or updating an existing extension. This does not impact extensions that are self-hosted, sideloaded, or that are no longer being updated.

    Developer accounts belonging to organizations where the admin has disabled 2-Step Verification for their organization are exempt from this requirement.

     
  • Updates to the lock icon in the address bar 

    Some users might see a new icon replacing the lock in the address bar, which is shown on sites that support HTTPS. The new icon aims to improve the discoverability of the Page Info surface, which includes site-level security and privacy information and controls. A Not Secure indicator continues to appear on sites without HTTPS support. An enterprise policy, LockIconInAddressBarEnabled, is available to revert to the original lock icon. See our blog post Increasing HTTPS Adoption for more information.

     
  • New feature changes to the User-Agent Client Hints API updates

    Chrome 93 adds four feature changes to the User-Agent client hints API:
    • Adding a Sec-CH-UA-Bitness User Agent Client Hint to return the bitness of the platform, which might be useful, for example, for sending optimized binaries during a download.
    • Making Sec-CH-UA-Platform a low-entropy hint that is sent by default. Prior to this change, this hint would need to be requested.
    • Including low-entropy hints by default in UADataValues (returned by getHighEntropyValues()): if a hint moves from high to low-entropy, this prevents site compatibility issues.

    • Adding a toJSON method to NavigatorUAData. Instead of returning {}, JSON.stringify(navigator.userAgentData) is now useful.

    An enterprise policy UserAgentClientHintsEnabled is available to control this feature. This policy will be removed in Chrome 94. Developers can leave feedback at crbug.com/1241062 on any issues related to this feature.

     
  • Chrome on iOS adds a new way to sign in

    On iOS, when a user signs in to their Google Account on the web, they can sign in to Chrome with a Google Account that’s already saved on their device. This does not enable Chrome sync by default; the user can opt into that separately if they want sync enabled. You can control the behavior of sign-in on Chrome on iOS and other platforms using the BrowserSignIn policy.

     
  • Chrome performs sentiment measurement

    Chrome 93 performs sentiment measurement of users of Trusted Surface, Privacy Settings and Transactions. These surveys are delivered on the New tab page after the user has engaged with the feature. The delivery of these surveys can be disabled by disabling metrics via the MetricsReportingEnabled policy.

     
  • Chrome redesigns desktop page info surface

    Chrome 93 continues to redesign the desktop page info surface. The purpose of this redesign is to improve scalability by introducing modular subpages, toggles for permissions and restructuring the main view to surface the important information first.

     
  • Tab Groups in desktop Recently closed menu

    Chrome 93 allows users to see their tab groups in the Recently closed menu and helps alleviate worry about permanent loss of groups. This launch enables the whole group and individual tabs inside a group to restore from the Chrome desktop recently closed menu.

     
  • Save payment information to a Google Account 

    In Chrome 93, users who are signed in to their managed Google Account see an option to save their payment information to their Google Account. As an administrator, you can turn off this feature (Sync Service setting) in the Google Admin console or by using the AutofillCreditCardEnabled policy. This was previously available on Android and desktop and is now also available on iOS.

     
  • URL protocol handlers in web manifests

    Chrome 93 is running an Origin Trial for URL protocol handlers in web manifests. This Origin Trial started in Chrome 92 and will end in Chrome 94. The handlers follow the PWA's lifecycle -- they are set up on PWA install, and removed on PWA uninstall. You can find out more in this article.

    Note: The Origin Trial started in Chrome 92 but was initially not part of the Chrome 92 blog post.

     
  • New Incognito Exit Point on Clear browsing data

    Chrome 93 introduces a new Close windows confirmation dialog which is displayed when a user selects Clear browsing data from the overflow menu or Chrome Actions on Omnibox while on Incognito mode. This dialog contains text explaining that Clear browsing data ends the Incognito session, and two call-to-action buttons: Close windows and Cancel.

     
  • Pausing quantum computer resistant security 

    Some devices behaved unexpectedly when Chrome offered quantum-resistant cryptography for TLS connections. We’re working with those companies to provide fixed firmware for their devices and have temporarily disabled this technology.

    For more details, see the Chromium Open Source Project.

     
  • 3DES TLS cipher suites are no longer supported

    Chrome 93 removes support for 3DES TLS cipher suites. The TripleDESEnabled enterprise policy was made available in Chrome 92 to test this change, and will be available temporarily until Chrome 95, to give enterprises additional time to adjust.

     
  • Ubuntu 16.04 is no longer supported

    Ubuntu 16.04 is past the end of standard support, and is no longer supported. The updated system requirements for Chrome are available here.

     
  • New and updated policies in Chrome browser
     

    Policy

    Description

    DefaultJavaScriptJitSetting

    Allows you to set whether Google Chrome runs the v8 JavaScript engine with JIT (Just In Time) compiler enabled or not.

    DesktopSharingHubEnabled

    Enable the sharing icon from the omnibox and the entry from the 3-dot menu.

    JavaScriptJitAllowedForSites

    Allows you to set a list of site URL patterns that specify sites which are allowed to run JavaScript with JIT (Just In Time) compiler enabled.

    JavaScriptJitBlockedForSites

    Allows you to set a list of site URL patterns that specify sites which are not allowed to run JavaScript JIT (Just In Time) compiler enabled.

    LockIconInAddressBarEnabled

    Controls the treatment for lock icon in the omnibox. From Chrome 93, there is a new omnibox icon for secure connections. If the policy is Enabled, Chrome uses the existing lock icon for secure connections. If the policy is Disabled or not set, Chrome uses the default icon for secure connections.

    RelaunchWindow

    Specify a target time window for the end of the relaunch notification period.

    RemoteDebuggingAllowed

    Controls whether users may use remote debugging.

Chrome OS updates

 
  • Enable Android applications to access Chrome OS certificates

    Previously Android applications could only access certificates provisioned within Android, but not those in Chrome OS. Admins can now enable Android apps to access Chrome OS user and device certificates.

    For more information, see the Help Center.

     
  • Regular online re-authentication for identity providers on the login and lock screen

    Regular online authentication provides additional security for organizations that require 2FA or MFA authentication and organizations that use third-party identity providers like Okta.

    As an admin, you can require regular online re-authentication on the login screen for users of third-party identity providers.  Chrome OS 93 expands this capability to re-authenticate using the lock screen and also extends re-authentication support to users of Google identity, including those using 2FA like Yubikeys or SMS.

    There are now three new controls to help manage online re-authentication: 
     
    1. SAML single sign-on unlock frequency
    2. Google online login frequency
    3. Google online unlock frequency
     

Admin console updates

 
  • Sending Extension Requests for Chrome browser Desktop and Chrome OS

    As an admin, you can block users from installing extensions and the Chrome Web Store will now have a Request button so that you can see their requests from within the Admin console and take an action to allow or to block the extensions.  To enable the feature, please follow the steps in the Help Center.

     
  • Chrome Browser Cloud Management is available for Chrome-on-iOS

    Chrome Browser Cloud Management now supports Chrome-on-iOS.  The policies for Chrome-on-iOS can be seen at https://chromeenterprise.google/policies (then filter for iOS platform).  To get started, please visit the Help Center.

     
  • Chrome Browser Cloud Management Release Channel selector

    Admin console now has a release channel selector (Stable, Beta, Dev) for Chrome Browser Cloud Management on Windows, Mac, or Linux.  For more details, see the Help Center.

     

Coming soon

 

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

  • Chrome 94 is moving to a 4-week stable channel and introducing an 8-week extended stable channel 

    Chrome on mobile, Windows, Mac, and Linux will move from its current 6-week release cycle to a 4-week release cycle, allowing security features, new functionality and bug fixes to reach users more quickly. Note that Chrome 94’s shorter development cycle means Chrome 93 will be live in the stable channel for less time as well; specific release dates for both milestones can be found on our schedule

    No action is required for most enterprises, but if you manually update or test new releases of Chrome and prefer a slower release cadence, you'll be able to use the TargetChannel policy to switch Chrome on Mac and Windows to an extended stable channel, with a new release every 8 weeks instead. The option of Extended Stable will be added to the Target Channel Control in the Admin console in Chrome 94. You can find more details in our blog post at blog.chromium.org

    To ensure continuous improvements to the Chrome OS platform, Chrome OS will move to a 4-week stable channel starting with Chrome 96. To bridge the gap between Chrome 94 and Chrome 96, Chrome OS will skip Chrome 95 (see the updated Chrome schedule page for milestone-specific details). 

    To provide commercial users with another dependably secure stable platform, Chrome OS will also introduce a new channel with a 6-month update cadence by Chrome 96. More details to be announced soon.

     

Upcoming Chrome browser changes

 
  • As early as Chrome 94, the browser list data will be available for download in CSV format in the Admin console

    Chrome will introduce the CSV format as an option to download the browser list data from the Admin console.

     
  • Chrome 94 on iOS will be able to apply .mobileconfig files

    A .mobileconfig file can be used to configure an iPhone, iPod touch, and iPad to work with certain enterprise systems. Since iOS 12.2, mobileconfig files can be downloaded and installed from Safari and Mail apps. Chrome will be able to download these files and continue to settings so the user can apply them.

     
  • Chrome 94 will support usage of Android phones as security keys

    When Chrome on a desktop or laptop is signed into the same account as Chrome on an Android phone, that phone can be used as a security key.

    This feature requires that the desktop has a Bluetooth Low Energy (BLE) adaptor. Communication between the devices is end-to-end encrypted with keys exchanged over BLE to prove proximity with the phone.

     
  • Chrome 94 will launch What's New in Chrome

    What’s New will be an effortless way for users to discover new features. Starting in Chrome 94 some users will see a page that highlights a few features. What’s New will automatically show as the focused tab. You can disable this feature by using the existing PromotionalTabsEnabled enterprise policy.

     
  • Chrome 94 will no longer allow insecure public pages to make requests to private or local URLs

    Non-secure contexts served from public IP addresses will no longer be able to make subresource requests to IP addresses belonging to a more private address space (as defined in Private Network Access). For example, http://public.example served on IP 1.2.3.4 will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You can control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies, which became available for testing in Chrome 92.

     
  • Ability for PWAs to be registered as (platform level) URL handlers

    Chrome 94 will run an Origin Trial to allow Progressive Web Apps (PWAs) to register as URL handlers. This means that PWAs can be launched in response to URL link activations, including activations from native apps. PWAs will be allowed to register to handle any https URL, not just URLs from their own app scope. If you’re interested in learning more about PWAs as URL handlers, please refer to this article.

     
  • Launching a sharing hub

    In Chrome 94, users will be able to more easily share their current page, including the ability to send the current page to their devices, get a QR code for the current URL, and share to third-party apps. You will be able to control this feature using an enterprise policy called DesktopSharingHubEnabled.

     
  • Chrome 94 will use updated language in managed profile sign-in notice

    Chrome 94 will update the notice when users sign into a managed profile. The new notice will have language clarifying that a separate profile is required and the available buttons will be simplified. Some users will see a link to open Chrome in guest mode when they sign in to a new profile that's different from the profile signed in to Chrome.

     
  • Chrome 94 will add a new enterprise policy for the Web Serial API

    The Web Serial API allows sites to request access to serial devices (USB, Bluetooth, etc.) through a device selection prompt. In previous Chrome versions, policy controls could only control how the feature was blocked. In Chrome 94, admins will be able to grant a site access to specific (or all) connected serial devices, streamlining workflows by removing the need for users to select the correct device.

     
  • Chrome settings restructure

    To aid in navigability, Chrome will replace the single long page in Chrome settings with individual sections. The updated experience will be available starting with Chrome 94.

     
  • Chrome 94 will launch HTTPS-First mode (Android and Desktop)

    HTTPS-First mode will attempt to upgrade all page loads to HTTPS and display a full-page warning before loading sites that don’t support it. Users who enable this mode gain confidence that Chrome is connecting them to sites over HTTPS whenever possible, and that they will see a warning before connecting to sites over HTTP. An enterprise policy will exist to disable the use of this mode. 

     
  • Chrome 94 will update certificate transparency log list via component updater

    Chrome 94 will start using Component Updater to dynamically update the certificate transparency log list, separating these updates from full browser updates, and allowing out-of-date clients to keep enforcing Certificate Transparency.

     
  • Chrome 94 will introduce tab grid bulk actions 

    Chrome for iOS will add an edit mode to the tab grid to allow easier management of open tabs. Multiple tabs can be selected and then added to the reading list, bookmarked, shared, or closed.

     
  • As early as Chrome 94, Chrome will delete inactive browsers from Chrome Browser Cloud Management 

    Many enterprise customers have to adhere to regulation around data retention. To aid in this effort, we will launch a new policy that will automatically delete inactive browser information from Google servers.

    By default, browsers that do not connect to the Google servers for 365 days will be considered inactive and automatically deleted. Admins will be able to modify the default value.

     
  • Chrome 94 will test Chrome Accuracy Check

    Chrome plans to remind users to evaluate the accuracy of information. Chrome Accuracy Check will show users tips for evaluating information quality for news sites when they might be helpful.

     
  • Chrome 94 will remove UserAgentClientHintsEnabled policy 

    The use of Structured Headers in the User Agent Client Hints, and in particular, the Sec-CH-UA and Sec-CH-UA-Mobile headers, caused some unintended consequences where not all servers were able to accept all characters. An enterprise policy UserAgentClientHintsEnabled was created to disable this feature. This policy will be removed in Chrome 94.

     
  • Chrome 94 will add new Security Events to BeyondCorp Enterprise Threat and Data Protection (Password Leak and Login)

    Chrome 94 will add two new Security Events to BeyondCorp Enterprise Threat and Data Protection: Password leak and login. This functionality will allow administrators to understand enterprise credential usage and Shadow IT within their organization, and to stay ahead of potential security incidents regarding passwords exposed in data breaches.
     
  • Chrome 94 will launch an API that allows sites to know when the user is active

    Chrome 94 will launch the Idle Detection API, allowing websites to request the ability to query if users are idle, allowing messaging apps to direct notifications to the best device. This was previously in Origin Trial and is now rolled out to Stable.

     
  • Chrome 94 will launch display-capture

    The display-capture permissions-policy allows sites to more safely embed documents in an iframe. The display-capture permissions-policy can be used to remove the capability of a document in an iframe initiating a screen-capture.  An enterprise policy will be created to control this feature - DisplayCapturePermissionsPolicyEnabled. This policy will be removed in Chrome 100.

     
  • Migrate to Open Screen Library Cast channel

    Chrome 95 will use a new implementation to connect to devices that support Cast like Chromecast, Nest Hub and Android TV.  Chrome users will not observe any differences in how Cast works.

     
  • Chrome 95 will introduce stricter parsing rules for Legacy Browser Support

    Organizations that rely on Legacy Browser Support (LBS) to redirect their users to Microsoft® Edge® or Internet Explorer® can use the BrowserSwitcherParsingMode policy to choose how their site list is interpreted by Chrome. If set to strict mode, Chrome will interpret those rules in the same way as Edge® and Internet Explorer®.

     
  • In Chrome 95, Chrome apps will be deprecated on Mac, Windows, and Linux

    As part of the previously-communicated plan to replace Chrome apps with the open web, Chrome apps will no longer function on Mac, Windows, and Linux. For enterprises that need extra time to adjust to the removal of Chrome apps, a policy will be available to extend support for them until June 2022.

     
  • As early as Chrome 95, Chrome will no longer allow TLS 1.0 or TLS 1.1

    The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.

    In Chrome 91 we announced that the policy no longer works, but users could still bypass the interstitial. As early as Chrome 95, it will no longer be possible to bypass the interstitial.

     
  • As early as Chrome 95, the network Service on Windows will be sandboxed

    To improve the security and reliability of the service, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service will be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. You'll be able to disable the change with an enterprise policy when it becomes available.

     
  • Chrome 95 will conduct an Origin Trial for User-Agent Reduction

    Chrome 95 will be conducting an Origin Trial for the fully reduced User-Agent string.  We would like sites to begin participating in the trial so we may collect feedback and allow sites to have ample time to address breakage. The reduced User-Agent string will appear in both the User-Agent HTTP request header as well as the JavaScript APIs that access the User-Agent string (navigator.userAgent, navigator.appVersion, navigator.platform).  The Origin Trial will last six milestones until the reduced User-Agent string becomes the default in Chrome, with a deprecation Origin Trial to continue receiving the full User-Agent string for those sites that still need more time to migrate. Enterprises can opt in to the Origin Trial here when it is available.

     
  • Chrome 95 will deprecate WebAssembly cross-origin module sharing

    Chrome 95 will prevent WebAssembly module sharing between cross-origin but same-site environments.This will allow agent clusters to be tied to origins in the long-term. This change conforms to recent changes in the WebAssembly spec.

    If your enterprise needs any additional time to adjust to this change, a temporary enterprise policy will be made available to allow module sharing for cross-origin same-site environments.

     
  • As early as Chrome 95, Apps shortcut in the Bookmarks Bar will default to off

    Chrome will make the Apps shortcut in the bookmark bar default to off and update the current state for all users to the new default (off).

     
  • As early as Chrome 97, Chrome may leverage MiraclePtr to improve security

    Chrome will leverage MiraclePtr to reduce the risk of security vulnerabilities relating to memory safety. The Chrome team gathered data on the performance cost of MiraclePtr in Chrome 91, but domain-joined enterprises on the stable channel were excluded from MiraclePtr builds during that phase. A full release of MiraclePtr in Chrome is planned as early as Chrome 97.

     
  • As early as Chrome 97, Chrome will maintain its own default root store

    To improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.

     
  • Chrome 97 will remove legacy policies with non-inclusive names

    Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names. To minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome.

    Note: If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy.

    This transition period will end in Chrome 97, and the following policies in the left column will no longer function. This change was originally announced for Chrome 95, but has been extended to Chrome 97.  

    Please ensure you're using the corresponding policy from the right column instead:
     

    Legacy Policy Name

    New Policy Name

    NativeMessagingBlacklist

    NativeMessagingBlocklist

    NativeMessagingWhitelist

    NativeMessagingAllowlist

    AuthNegotiateDelegateWhitelist

    AuthNegotiateDelegateAllowlist

    AuthServerWhitelist

    AuthServerAllowlist

    SpellcheckLanguageBlacklist

    SpellcheckLanguageBlocklist

    AutoplayWhitelist

    AutoplayAllowlist

    SafeBrowsingWhitelistDomains

    SafeBrowsingAllowlistDomains

    ExternalPrintServersWhitelist

    ExternalPrintServersAllowlist

    NoteTakingAppsLockScreenWhitelist

    NoteTakingAppsLockScreenAllowlist

    PerAppTimeLimitsWhitelist

    PerAppTimeLimitsAllowlist

    URLWhitelist

    URLAllowlist

    URLBlacklist

    URLBlocklist

    ExtensionInstallWhitelist

    ExtensionInstallAllowlist

    ExtensionInstallBlacklist

    ExtensionInstallBlocklist

    UserNativePrintersAllowed

    UserPrintersAllowed

    DeviceNativePrintersBlacklist

    DevicePrintersBlocklist

    DeviceNativePrintersWhitelist

    DevicePrintersAllowlist

    DeviceNativePrintersAccessMode

    DevicePrintersAccessMode

    DeviceNativePrinters

    DevicePrinters

    NativePrinters

    Printers

    NativePrintersBulkConfiguration

    PrintersBulkConfiguration

    NativePrintersBulkAccessMode

    PrintersBulkAccessMode

    NativePrintersBulkBlacklist

    PrintersBulkBlocklist

    NativePrintersBulkWhitelist

    PrintersBulkAllowlist

    UsbDetachableWhitelist

    UsbDetachableAllowlist

    QuickUnlockModeWhitelist

    QuickUnlockModeAllowlist

    AttestationExtensionWhitelist

    AttestationExtensionAllowlist

    PrintingAPIExtensionsWhitelist

    PrintingAPIExtensionsAllowlist

    AllowNativeNotifications

    AllowSystemNotifications

    DeviceUserWhitelist

    DeviceUserAllowlist

    NativeWindowOcclusionEnabled

    WindowOcclusionEnabled



    If you're managing Chrome via the Admin console (for example, Chrome Browser Cloud Management), no action is required; the Admin console will manage the transition automatically.

     
  • As early as Chrome 98, different-origin iframes will no longer trigger JavaScript dialogs

    Chrome will prevent iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. This change will prevent embedded content from spoofing the user into believing a message is coming from the website they're visiting, or from Chrome itself. Please note that this change was originally planned for Chrome 92, but has been postponed until at least Chrome 98 due to the feedback we received on this change. You can test if this future change will affect applications now by setting the enable_features=SuppressDifferentOriginSubframeJSDialogs flag.

     
 
Chrome 92

Chrome browser updates

 

  • Chrome blocks ports 989 and 990

    Chrome 92 adds ports 989 (ftps-data) and 990 (ftps) to the restricted ports list and blocks traffic through them. This does not affect customers using standard ports, but custom configurations using non-standard ports may be affected.
    If you're affected by this change, you can use the ExplicitlyAllowedNetworkPorts enterprise policy to allow these specific ports in your environment. You can specifically allow ports 989 and 990 until February 2022.
     
  • Chrome adds FLoC controls to Privacy Sandbox settings 

    Last year, we announced a new initiative, known as Privacy Sandbox, to develop a set of open standards to fundamentally enhance privacy on the web. Chrome 92 adds controls to the Privacy Sandbox settings page to provide improved transparency and control for Federated Learning of Cohorts (FLoC). You can disable the complete Privacy Sandbox, including FLoC, by policy in general by blocking 3P cookies, or all cookies. Alternatively for specific sites, you can disable the sandbox by blocking cookies for a URL.
     
  • Chrome on Android includes a new on-device model for phishing detection

    Chrome on Android uses an on-device Machine Language (ML) model to better detect phishing attempts, and better protect users. As in earlier versions, Chrome displays a full-page interstitial warning if Chrome detects a possible phishing attempt.

    With this change, Chrome sends the following to the Safe Browsing service: 
    • the version of the model that was executed
    • the scores the model gave for each category
    • a boolean describing whether the new model was used to generate the scores

    You can control Safe Browsing using the SafeBrowsingProtectionLevel policy. This feature applies to users with the SafeBrowsingProtectionLevel policy set at protection level of 1 or greater.
     
  • Back/forward cache desktop full launch for all websites

    As a follow-up to a previous launch on Chrome for Android, Chrome 92 launches back/forward cache on desktop platforms. Back/forward cache is a browser optimization that enables instant back and forward navigations. You can temporarily disable this feature via the BackForwardCacheEnabled policy with Group Policy or in the Google Admin console. If you do so, please share details about the issue that led you to disable back/forward cache.
     
  • Magic Toolbar is now available on Chrome on Android 

    The Chrome toolbar on Android now includes a new customizable button that shows different shortcuts depending on what the user is most likely to need.
     
  • Publishing updates to extensions requires 2-Step Verification

    As part of the rollout of a set of updates and clarifications to the Chrome Web Store extension policies, the Chrome Web Store now requires 2-Step Verification on developer accounts prior to adding a new extension or updating an existing extension. This does not impact extensions that are self-hosted, sideloaded, or that are no longer being updated.
     
  • Chrome expands DNS HTTPS record queries for users using classic DNS 

    In previous versions, Chrome only queried and parsed DNS HTTPS records alongside the traditional A and AAAA records for users using Secure DNS. Chrome 92 expands this behavior to users using classic DNS. Chrome uses these records to improve privacy and performance of HTTPS web connections. You can temporarily disable these extra queries for users using classic DNS with the AdditionalDnsQueryTypesEnabled policy with Group Policy or in the Google Admin console. If you do so, please share details about issues that led you to use the policy as a workaround. Note that this policy has no effect for users using Secure DNS.
     
  • Different-origin iframes cannot trigger JavaScript dialogs

    Chrome 92 prevents iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. This change is intended to prevent embedded content from spoofing the user into believing a message is coming from the website they're visiting, or from Chrome itself.
    If you have any web apps affected by this change, you can use the temporary enterprise policy SuppressDifferentOriginSubframeDialogs to revert to the previous behavior. This policy will be removed in Chrome 95.
     
  • SharedArrayBuffers need Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy 

    If your organization uses apps that leverage SharedArrayBuffers, those apps need to set Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy in the HTTP header. Web apps not setting the appropriate policies can no longer access SharedArrayBuffers.
     
  • Android removes setting for “Show suggestions for similar pages”

    Chrome 92 on Android removes the end user setting for "Show suggestions for similar pages when a page can't be found" from the Sync and Google services settings. This setting was previously removed on Desktop.
    You can control the DNS probes associated with this feature with the AlternateErrorPagesEnabled enterprise policy. 
     
  • Drive priority launchpad on New Tab page

    To help users get work done faster, Chrome 92 shows the Drive docs the user is more likely to need on the New Tab page. This feature uses Drive’s existing priority API, which powers the Priority section drive.google.com. Some users see this change in Chrome 92 and a full launch is expected in Chrome 93.
     
  • Developers can change the name and icon of PWAs

    Developers can now update the name and icon for default Progressive Web Apps (PWAs) and PWAs installed using the ExtensionInstallForcelist enterprise policy.
     
  • Chrome trials the suppression of autofill suggestions

    In Chrome 92, we are conducting a short trial on a small randomly selected number of forms where the browser doesn't show autofill suggestions. The trial is limited to address and credit card forms. Passwords are not affected. You can opt out by using the ChromeVariations policy. Setting the policy to CriticalFixesOnly (value 1) allows only variations considered critical security or stability fixed to be applied to Google Chrome.
     
  • Google Lens replaces Search by Image on Chrome Desktop

    In Chrome 92, for Chrome users whose default search engine is set to Google, the Search with Google Lens context menu item replaces the Search Google for Image desktop context menu item. The new menu item sends users to a standalone Lens Web app. If desired, however, users can navigate to Google Image Search from Lens.
     
  • Chrome separates sign-in and sync on iOS 

    On iOS, Chrome 92 separates the Sync and Google services settings into two items: Sync and Google services. There is a new control in Google services, Allow Chrome sign-in, to disable Chrome sign-in (and therefore also sync).
     
  • Chrome displays a new warning text if a download might lead to account compromise 

    If a user initiates a download that Safe Browsing determined is associated with stealing cookies, some users on desktop platforms see a new warning, filename.exe could let attackers steal your personal information.
     
  • Incognito removes UI links to history

    Chrome does not save history in Incognito mode, but some platforms still show a link to history on the Incognito UI. On Android, to make it clear that Chrome is not saving history, the History menu item in Incognito windows temporarily links to an explainer page instead of linking to a user's history.
     
  • Chrome disables extensions removed from the Chrome Web Store

    Chrome disables extensions that were removed from the Chrome Web Store due to non-compliance with our Chrome Web Store policies. However, if an admin has force-installed an extension, Chrome does not disable it.
    Remember, if you need help with an extension that you manage, you can visit Chrome Web Store One Stop Support.
     

Chrome OS updates

 

  • Chrome improves Android and Linux app support for Desks
    http://crbug/1203496

    You can now assign Android and Linux apps to desks. Right-click on the app window to assign it to a specific desk or to all desks.
     
  • Chrome supports continuous dictation 
    http://crbug/1200667

    Dictation now allows you to continuously dictate your text and only times out if you stop talking.
     
  • Point Scanning for Switch Access 
    http://crbug/1167368

    Point Scanning is a new navigation mode for Switch Access. It allows users to select any spot on the screen and trigger an action. The user first presses their switch when the correct horizontal position is selected, and presses their switch again when the correct vertical position is selected.
     
  • Chrome adds further integrations to Tote
    http://crbug/1201265

    You can now quickly find downloads from your Android Apps and from your Chrome print to pdf functionality in Tote.
     
  • MultiPaste now available for Virtual Keyboard
    http://crbug/1175122

    Chrome OS makes its clipboard history, which launched in Chrome OS 89, accessible from the Virtual Keyboard in Chrome OS 91 and later.
     
  • Chrome 92 improves shortcuts for international keyboards
    http://crbug/1159454

    Chrome OS improves keyboard shortcuts for both international and US users; you can see these updates in the Shortcuts app.
     
  • Chrome OS Camera now supports PTZ Controls
    http://crbug/1186787

    You can now pan, tilt, or zoom your camera from the Chrome Camera app. This feature requires a camera with PTZ support.
     
  • Emoji picker for physical keyboards
    http://crbug/1152237

    Chrome OS includes a new emoji picker, with search functionality and multi-skintone support.
     
  • Chrome OS device help in launcher search
    http://crbug/1126816

    Quickly find help for your Chrome OS device by searching for it in launcher search.
     
  • Some protected content may no longer play on M89 and earlier
    Chrome known issues

    From August 3rd, some protected video and audio content may no longer play on M89 and earlier.
     

Admin console updates

 

  • Additional policies in the Admin console

 

Policy Name

Pages

Supported on

Category/Field

SystemFeaturesDisableMode

Managed Guest Session Settings

Chrome OS

User experience / Disabled system features visibility

SuppressDifferentOriginSubframeDialogs

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Android

Content / Cross-origin JavaScript dialogs

EnterpriseHardwarePlatformAPIEnabled

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Android

Hardware / Enterprise Hardware Platform API

LensCameraAssistedSearchEnabled

User & Browser Settings

Android

User experience / Google Lens camera assisted search

NearbyShareAllowed

User & Browser Settings

Chrome OS

Connected devices / Nearby share

SharedArrayBufferUnrestrictedAccessAllowed

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Network / SharedArrayBuffer

WebRtcIPHandling

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Network / WebRTC IP handling

FetchKeepaliveDurationSecondsOnShutdown

User & Browser Settings

Chrome

Power and shutdown / Keepalive duration / Fetch keepalive duration on Shutdown (in seconds)

CECPQ2Enabled

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Android

Network / CECPQ2 post-quantum key-agreement for TLS

AudioProcessHighPriorityEnabled

User & Browser Settings

Chrome

Hardware / Audio process priority / Adjust the priority for the Chrome audio process

ExplicitlyAllowedNetworkPorts

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Android

Network / Allowed network ports

AllowSystemNotifications

User & Browser Settings

Chrome

Security / System notifications

DefaultFileHandlingGuardSetting

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Content / File Handling API

FileHandlingBlockedForUrls

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Content / File Handling API / Block the File Handling API for these URLs

FileHandlingAllowedForUrls

User & Browser Settings; Managed Guest Session Settings

Chrome

Chrome OS

Content / File Handling API / Allow the File Handling API for these URLs

BrowserThemeColor

User & Browser Settings

Chrome

General / Custom theme color / Hex color

PdfAnnotationsEnabled

User & Browser Settings

Chrome OS

Content / PDF Annotations

DeviceSystemWideTracingEnabled

Device Settings

Chrome OS

User and device reporting / System-wide performance trace collection

GaiaOfflineSigninTimeLimitDays

User Settings

Chrome OS

Security/Google online login frequency

 

  • New and updated policies (Chrome and Chrome OS)
     

Policy

Description

InsecurePrivateNetworkRequestsAllowed

Controls whether insecure websites are allowed to make requests to any network endpoint, subject to other cross-origin checks.

CloudUserPolicyMerge

Allows policies associated with a Google Workspace account to be merged into machine-level policies.

GaiaLockScreenOfflineSigninTimeLimitDays

Limit the time for which a user authenticated via GAIA without SAML can log in offline at the lock screen.

SamlLockScreenOfflineSigninTimeLimitDays

Limit the time for which a user authenticated via SAML can log in offline at the lock screen.

AdditionalDnsQueryTypesEnabled

Allow DNS queries for additional DNS record types.

PromptForDownloadLocation

Ask where to save each file before downloading.

DataLeakPreventionReportingEnabled

Enable data leak prevention reporting.

DataLeakPreventionRulesList

Sets a list of data leak prevention rules.

DeviceDebugPacketCaptureAllowed

Allow debug network packet captures.

SuggestLogoutAfterClosingLastWindow

Display the logout confirmation dialog.

TripleDESEnabled

Enable 3DES cipher suites in TLS.

Coming soon

 

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

  • Chrome is moving to a 4-week stable channel and introducing an 8-week extended stable channel as early as Chrome 94

    Chrome on mobile, Windows, Mac, and Linux will move from its current 6-week release cycle to a 4-week release cycle, allowing security features, new functionality and bug fixes to reach users more quickly. Note that Chrome 94’s shorter development cycle means Chrome 93 will be live in the stable channel for less time as well; specific release dates for both milestones can be found on our schedule
    No action is required for most enterprises, but if you manually update or test new releases of Chrome and prefer a slower release cadence, you'll be able to use the TargetChannel policy to switch Chrome on Mac and Windows to an extended stable channel, with a new release every 8 weeks instead. You can find more details on our blog post at blog.chromium.org
    To ensure continuous improvements to the Chrome OS platform, Chrome OS will move to a 4-week stable channel starting with Chrome 96. To bridge the gap between Chrome 94 and Chrome 96, Chrome OS will skip Chrome 95 (see the updated Chrome schedule page for milestone-specific details). 
    To provide commercial users with another dependably secure stable platform, Chrome OS will also introduce a new channel with a 6-month update cadence by Chrome 96. More details to be announced soon.
     

Upcoming Chrome browser changes

 

  • Chrome 93 will no longer allow insecure public pages to make requests to private or local URLs

    Non-secure contexts served from public IP addresses will no longer be able to make subresource requests to IP addresses belonging to a more private address space (as defined in Private Network Access).
    For example, http://public.example served on IP 1.2.3.4 will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. Similarly, http://intranet.example served on IP 192.168.0.1 will not be able to make requests targeting localhost. You can control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies, which are available for testing in Chrome 92.
     
  • Chrome 93 will add a new enterprise policy for the Web Serial API

    The Web Serial API allows sites to request access to serial devices (USB, Bluetooth, etc.) through a device selection prompt. In previous Chrome versions, policy controls could only control how the feature was blocked. In Chrome 93, admins will be able to grant a site access to specific (or all) connected serial devices, streamlining workflows by removing the need for users to select the correct device.
     
  • New feature changes to the User-Agent Client Hints API updates

    Chrome 93 will add four feature changes to the User-Agent client hints API:
    • Adding a Sec-CH-UA-Bitness User Agent Client Hint to return the bitness of the platform, which might be useful, for example, for sending optimized binaries during a download.
    • Making Sec-CH-UA-Platform a low-entropy hint that is sent by default. Before this change, this hint would need to be requested.
    • Including low-entropy hints by default in UADataValues (returned by getHighEntropyValues()): if a hint moves from high to low-entropy, this prevents site compatibility issues.
    • Adding a toJSON method to NavigatorUAData. Instead of returning {}, JSON.stringify(navigator.userAgentData) will now be useful.
  • Chrome 93 will support using Android phones as security keys

    When Chrome on a desktop or laptop is signed into the same account as Chrome on an Android phone, that phone can be used as a security key.
    This feature requires that the desktop has a Bluetooth Low Energy (BLE) adaptor. Communication between the devices is end-to-end encrypted with keys exchanged over BLE to prove proximity with the phone.
     
  • Chrome 93 will use updated language in managed profile sign-in notice

    Chrome will update the notice when users sign into a managed profile. The new notice will have language clarifying that a separate profile is required and the available buttons will be simplified. Some users will see a link to open Chrome in guest mode when they sign in to a new profile that's different from the profile signed in to Chrome.
     
  • Chrome 93 will test replacing the lock icon with a new icon

    Some users will see a new icon replacing the lock in the address bar, improving the discoverability of the Page Info surface, which includes site-level security and privacy information and controls. An enterprise policy, LockIconInAddressBarEnabled, will become available to revert to the original lock icon.
     
  • Chrome 93 will launch a sharing hub

    Users will be able to more easily share their current page, including the ability to send the current page to their devices, get a QR code for the current URL, and share to third party apps. You will be able to control this feature using an enterprise policy called DesktopSharingHubEnabled.
     
  • Chrome 93 will make Chrome Browser Cloud Management available on iOS

    The Chrome Enterprise team is working to support Chrome-on-iOS for Chrome Browser Cloud Management. If you are interested in testing this functionality out earlier in Chrome 92, please sign up for our Trusted Tester program.
     
  • Chrome 93 on iOS will be able to apply .mobileconfig files

    A .mobileconfig file can be used to configure an iPhone, iPod touch, and iPad to work with certain enterprise systems. Since iOS 12.2, mobileconfig files can be downloaded and installed from Safari and Mail apps. Chrome will be able to download these files and continue to settings so the user can apply them.
     
  • As early as Chrome 94, the network service on Windows will be sandboxed

    To improve the security and reliability of the service, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third party code that is currently able to tamper with the network service will be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. You'll be able to disable the change with an enterprise policy when it becomes available.
     
  • Chrome settings restructure

    To aid in navigability, Chrome will replace the single long page in Chrome settings with individual sections. The updated experience will be available starting with Chrome 94.
     
  • Chrome 93 on iOS will prefer https to http when not specified in the address bar

    When a user types an address into the address bar without specifying the protocol, Chrome will attempt to navigate using https first, then fallback to http if https is not available. For example, if the user navigates to example.com, Chrome will first attempt to navigate to https://example.com, then fallback to http://example.com if required. For more information, see Chrome’s blog post, A safer default for navigation: HTTPS.
    Desktop and Android users already have this change, and iOS will be rolled out in Chrome 93.
     
  • Chrome 93 on iOS will add a new way to sign in

    On iOS, when a user signs in to their Google Account on the web, they can sign in to Chrome with a Google Account that’s already saved on their device. This does not enable Chrome sync by default; the user can opt into that separately if they want sync enabled.
    You can control the behavior of sign-in on Chrome on iOS and other platforms using the BrowserSignIn policy.
     
  • Chrome 93 will delete inactive browsers from Chrome Browser Cloud Management 

    Many enterprise customers have to adhere to regulation around data retention. To aid in this effort we will launch a new policy that will automatically delete inactive browser information from Google servers.
    By default, browsers that do not connect to the Google servers for 365 days will be considered inactive and automatically deleted. Admins will be able to modify the default value.
     
  • Chrome 93 will introduce JavaScript JIT setting policies 

    Chrome 93 will introduce three new policies; 
    • DefaultJavaScriptJitSetting
    • JavaScriptJitAllowedForSites
    • JavaScriptJitBlockedForSites 
    These policies will allow you to switch Chrome's JavaScript engine to use the Ignition interpreter in a JIT-less mode, by default.
    Disabling JIT in this way may allow Chrome to render web content in a more secure configuration, as no executable permissions are needed for memory regions. However, disabling JIT has performance costs and disables some parts of JavaScript, including WebAssembly.
     
  • Chrome 93 will no longer support SyncXHR policy 

    Chrome 93 will remove the AllowSyncXHRInPageDismissal enterprise policy. Admins must update any apps that rely on the legacy web platform behavior before Chrome 93. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications.
     
  • Chrome 93 will no longer support Ubuntu 16.04

    Ubuntu 16.04 is past the end of standard support, and will not be supported as of Chrome 93. The updated system requirements for Chrome are available here.
     
  • Chrome 93 will remove 3DES TLS cipher suites

    Chrome will remove support for 3DES TLS cipher suites. The TripleDESEnabled enterprise policy will be made available in Chrome 92 to test this change, and will be available temporarily until Chrome 95, to give enterprises additional time to adjust.
     
  • Chrome 94 will introduce stricter parsing rules for Legacy Browser Support

    Organizations that rely on Legacy Browser Support (LBS) to redirect their users to Microsoft® Edge® or Internet Explorer® can use the BrowserSwitcherParsingMode policy to choose how their site list is interpreted by Chrome. If set to strict mode, Chrome will interpret those rules in the same way as Edge® and Internet Explorer®.
     
  • As early as Chrome 94, Chrome may leverage MiraclePtr to improve security

    Chrome will leverage MiraclePtr to reduce the risk of security vulnerabilities relating to memory safety. The Chrome team gathered data on the performance cost of MiraclePtr in Chrome 91, but domain-joined enterprises on the stable channel were excluded from MiraclePtr builds during that phase. A full release of MiraclePtr in Chrome is planned as early as Chrome 94.
     
  • In Chrome 94, Chrome apps will be deprecated on Mac, Windows, and Linux

    As part of the previously-communicated plan to replace Chrome apps with the open web, Chrome apps will no longer function on Mac, Windows, and Linux in Chrome 94. For enterprises that need extra time to adjust to the removal of Chrome apps, a policy will be available to extend support for them until June 2022.
     
  • Chrome 94 will remove UserAgentClientHintsEnabled policy 

    The use of Structured Headers in the User Agent Client Hints, and in particular, the Sec-CH-UA and Sec-CH-UA-Mobile headers, caused some unintended consequences where not all servers were able to accept all characters. An enterprise policy UserAgentClientHintsEnabled was created to disable this feature. This policy will be removed in Chrome 94.
     
  • As early as Chrome 95, Chrome will maintain its own default root store

    To improve user security, and to provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own Certificate Authority (CA), you should not have to manage multiple root stores. We do not anticipate any changes will be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
     
  • Chrome 95 will deprecate WebAssembly cross-origin module sharing

    Chrome 95 will prevent WebAssembly module sharing between cross-origin but same-site environments. This will allow agent clusters to be tied to origins in the long-term. This change conforms to recent changes in the WebAssembly spec.
    If your enterprise needs any additional time to adjust to this change, a temporary enterprise policy will be made available to allow module sharing for cross-origin same-site environments.
     
  • Chrome 95 will remove legacy policies with non-inclusive names

    Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names (for example, whitelist blacklist). To minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome.
    Note: If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy.
    This transition period will end in Chrome 95, and the following policies in the left column will no longer function. Please ensure you're using the corresponding policy from the right column instead:
     

Legacy Policy Name

New Policy Name

NativeMessagingBlacklist

NativeMessagingBlocklist

NativeMessagingWhitelist

NativeMessagingAllowlist

AuthNegotiateDelegateWhitelist

AuthNegotiateDelegateAllowlist

AuthServerWhitelist

AuthServerAllowlist

SpellcheckLanguageBlacklist

SpellcheckLanguageBlocklist

AutoplayWhitelist

AutoplayAllowlist

SafeBrowsingWhitelistDomains

SafeBrowsingAllowlistDomains

ExternalPrintServersWhitelist

ExternalPrintServersAllowlist

NoteTakingAppsLockScreenWhitelist

NoteTakingAppsLockScreenAllowlist

PerAppTimeLimitsWhitelist

PerAppTimeLimitsAllowlist

URLWhitelist

URLAllowlist

URLBlacklist

URLBlocklist

ExtensionInstallWhitelist

ExtensionInstallAllowlist

ExtensionInstallBlacklist

ExtensionInstallBlocklist

UserNativePrintersAllowed

UserPrintersAllowed

DeviceNativePrintersBlacklist

DevicePrintersBlocklist

DeviceNativePrintersWhitelist

DevicePrintersAllowlist

DeviceNativePrintersAccessMode

DevicePrintersAccessMode

DeviceNativePrinters

DevicePrinters

NativePrinters

Printers

NativePrintersBulkConfiguration

PrintersBulkConfiguration

NativePrintersBulkAccessMode

PrintersBulkAccessMode

NativePrintersBulkBlacklist

PrintersBulkBlocklist

NativePrintersBulkWhitelist

PrintersBulkAllowlist

UsbDetachableWhitelist

UsbDetachableAllowlist

QuickUnlockModeWhitelist

QuickUnlockModeAllowlist

AttestationExtensionWhitelist

AttestationExtensionAllowlist

PrintingAPIExtensionsWhitelist

PrintingAPIExtensionsAllowlist

AllowNativeNotifications

AllowSystemNotifications

DeviceUserWhitelist

DeviceUserAllowlist

NativeWindowOcclusionEnabled

WindowOcclusionEnabled

 

If you're managing Chrome via the Google Admin console (for example, Chrome Browser Cloud Management), no action is required; the Google Admin console will manage the transition automatically.

 
Chrome 91

Chrome browser updates

 
  • Chrome pauses collapsed tab groups 

    Chrome allows users to organize tabs into collapsible groups, helping them stay productive. For some users, Chrome 91 pauses those tabs when the user collapses them, to reduce CPU and power consumption. Chrome does not pause tabs if they are playing audio, holding a web lock, holding an IndexedDB lock, connected to a USB device, capturing video or audio, being mirrored, or capturing a window or display.
     
  • Chrome blocks port 10080 and adds a policy for allowing specific ports 

    Chrome 91 adds port 10080 to the restricted ports list and blocks traffic through it. This does not affect customers using standard ports, but custom configurations using non-standard ports may be affected.
    If you're affected by this change, or if you were affected by the previous change that blocked port 554, Chrome introduces the ExplicitlyAllowedNetworkPorts enterprise policy, where you can allow these specific ports in your environment.
     
  • Chrome enables quantum computer resistant security 

    Chrome 91 supports a post-quantum key-agreement mechanism in TLS when communicating with some domains. This increases the size of TLS handshake messages which, in rare cases, may cause issues with network middleboxes that incorrectly assume that TLS messages fit in a single network frame.
    You can set the CECPQ2Enabled policy to disable this mechanism. You can also disable it by setting the ChromeVariations policy to a non-default value. For more details, see https://www.chromium.org/cecpq2.
     
  • Chrome no longer allows TLS 1.0 or TLS 1.1

    The SSLVersionMin policy no longer allows setting a minimum version of TLS 1.0 or 1.1. This means the policy can no longer be used to suppress Chrome's interstitial warnings for TLS 1.0 and 1.1. Administrators must upgrade any remaining TLS 1.0 and 1.1 servers to TLS 1.2.
    We previously communicated that this would happen as early as January 2021, but we extended the deadline until Chrome 91.
     
  • PWAs can launch when the user logs into the OS

    Users expect some apps, like chat apps, to launch as soon as they log into a Windows or Mac device. Chrome 91 allows users to set Progressive Web Apps (PWAs) to launch as soon as the user logs into the OS.
    As an admin, you can configure a PWA at install time with the option to launch automatically when a user logs in to its OS session.  
    You control this behavior using the WebAppSettings enterprise policy.
     
  • Chrome on iOS warns users if they reuse their saved passwords on known phishing sites

    To better protect users from phishing schemes, Chrome warns users if it appears that they've entered a saved password on a known phishing site. This feature is now being expanded to Chrome on iOS.  
    You control your organization's use of this feature using the PasswordManagerEnabled enterprise policy.

     
  • Chrome introduces initial_preferences

    As part of Chrome's move to using more inclusive naming, admins can control the browser's initial preferences using a file named initial_preferences. This file behaves the same way as, and will eventually replace, the master_preferences file that exists today. To minimize any disruption, Chrome continues to support the master_preferences file and more notice will be given before we remove support for master_preferences.
     
  • Chrome uses DNS-over-HTTPS on Linux
     
    DNS-over HTTPS protects user privacy by encrypting DNS queries, and was already enabled for Windows, Mac, ChromeOS, and Android in prior releases. Chrome 91 supports this feature on Linux. The DNS requests of all users will be auto-upgraded to their DNS provider’s DNS-over-HTTPS (DoH) service if available (based on a list of known DoH-capable servers).  
     
    You can disable DNS-over-HTTPS for your users with the DnsOverHttpsMode policy with Group Policy or in the Google Admin Console. Setting it to off ensures that your users are not affected by Secure DNS.
     
  • Chrome adds Referrer Chain to Client Side Detection pings
     
    To better protect users, Chrome conducts client-side checks of suspicious websites. In Chrome 91, if Enhanced Protection is enabled, the referrers of the website are also sent to Chrome.
     
    You control this behavior using the SafeBrowsingProtectionLevel enterprise policy.
     
  • Download deep scanning available for Enhanced Safe Browsing users
     
    Users who consented to Enhanced Safe Browsing can send downloads to Google for deep scanning when the existing safety checks are inconclusive.  
     
    You can disable this by controlling the user's Safe Browsing setting via the SafeBrowsingProtectionLevelpolicy. 
     
  • Chrome adds Google Account-tied tokens to Enhanced Safe Browsing pings
     
    For users who consented to Enhanced Safe Browsing, who have signed in to their Google accounts, Google Account-tied tokens are added to various phishing detection pings. This provides better protection and reduces false positives.  

    You control this feature on your environment using the SafeBrowsingProtectionLevel enterprise policy.
     
  • Chrome rollout status is available with the Chrome VersionHistory API
     
    The Chrome VersionHistory API is a web service API for retrieving information about Chrome versions and releases. It may be useful for administrators who want to see which versions of Chrome are currently rolled out, including to which fraction of users, to also see the history of Chrome rollouts.
     
    For more details, see https://developer.chrome.com/docs/versionhistory/.
     
  • Chrome can survey users about their experience managing Privacy Sandbox settings
     
    Users who visit the Privacy Sandbox settings page may be asked for their opinion about their experience. 
     
    You control if such surveys appear for your users with the MetricsReportingEnabled policy.
     
  • Chrome on Android tablets requests the desktop site
     
    Chrome 90 on Android tablets requested the desktop version of websites for some users. This is rolling out to all users in Chrome 91.
     
  • BrowserSignIn enterprise policy is available on iOS
     
    Admins can use the BrowserSignIn policy to allow, disable, or force users to sign into Chrome. Chrome 91 extends this policy to iOS. On iOS, you can use this policy to allow or disable user sign-in, but not force users to sign in.
     
  • Chrome uses updated table rendering
     
    Chrome 91 updates the way it renders tables on web pages. This change fixes known issues and brings Chrome closer to the behavior of other browsers, so we expect the impact to be minimal. However, you should test important workflows in your environment for unexpected issues. A full explainer is available here.

     
  • Chrome no longer accepts server certificates issued by the Camerfirma
     
    Websites that use server certificates issued by the Camerfirma Certification Authority are distrusted in Chrome 91. Affected sites should have already been contacted by Camerfirma and have migration plans in place. Note that this does not affect client certificates, only those used for authentication of TLS servers.
     
  • Network state partitioned in Chrome 91
     
    Today, some network objects are shared globally for performance reasons, but this makes it possible to fingerprint users and track them across sites. To protect user privacy, Chrome 91 partitions many network objects by topmost frame domain and iframe domain. A comprehensive description is available here.

    No impact is expected other than minor performance changes, but you can test the change in advance by using the command line flag: 
    --enable-features=PartitionConnectionsByNetworkIsolationKey,PartitionExpectCTStateByNetworkIsolationKey,PartitionHttpServerPropertiesByNetworkIsolationKey,PartitionNelAndReportingByNetworkIsolationKey,PartitionSSLSessionsByNetworkIsolationKey,SplitHostCacheByNetworkIsolationKey
     
  • Legacy Browser Support (LBS) parsing fix reverted in Chrome 91
     
    A fix in LBS was made in M90 that resulted in our rules parsing engine to be more strict and similar to the IE-sitelist rules parsing engine.  We have learned, however, that many customers relied on less-strict parsing behavior.  Due to the unintended impact, we are reverting the fix for Chromium bug 1176742.

    Please verify that your LBS rules work in M91 before deployment.  In a future release, we will offer a new policy to enable stricter rules parsing.
     

Chrome OS updates

 
  • Nearby Share on Chrome OS
     
    Nearby Share is a platform that provides easy, reliable, and secure file, text, and URL sharing across Chrome OS and Android devices.
     
  • VPN before login 
     
    Admins can configure built-in VPNs on Chrome OS so that users can connect to a VPN from the login screen. This allows users to authenticate securely via a VPN connection, which is especially helpful for enterprise-hosted single sign-on situations. Built-in VPN support includes L2TP/IPsec and OpenVPN.
     

Admin Console updates

 
  • Pin extensions to the browser toolbar
     
    Admins can now pin Chrome extensions to the browser toolbar from the Apps & Extension Page.  We recommend admins test out the feature on a small set of devices and browsers before deploying to their fleet. For more details, see here.
     
  • Chrome insights report: AUE Report
     
    The Auto Update Expiration (AUE) Chrome insights report allows admins to easily see how many Chrome OS devices in their fleet have reached their AUE dates or are expiring soon. Admins can navigate directly to the Device List from the report to view all devices expiring in the time frame selected. 
     
  • Sending Remote Commands for Chrome Desktop
     
    As an admin, you can use your Google Admin console to remotely send actions to managed Chrome Desktop Browsers (Win/Mac). For example, you can delete browser cache or cookies remotely.  For more details on sending commands, see here.
     
  • Additional policies in the Admin console 
     
Policy Name Pages Supported on Category/Field
KerberosRememberPasswordEnabled User & Browser Settings Chrome OS Kerberos / Remember Kerberos passwords
KerberosAddAccountsAllowed User & Browser Settings Chrome OS Kerberos / Kerberos accounts
SecurityTokenSessionBehavior User & Browser Settings; Managed Guest Session Settings Chrome OS Security / Security token removal / Action on security token removal (for example, smart card)
SecurityTokenSessionNotificationSeconds User & Browser Settings; Managed Guest Session Settings Chrome OS Security / Security token removal / Removal notification duration (seconds)
WebXRImmersiveArEnabled User & Browser Settings Android Other settings / WebXR "immersive-ar" sessions
SSLErrorOverrideAllowedForOrigins User & Browser Settings; Managed Guest Session Settings Chrome
Chrome OS
Android
Network / SSL error override allowed domains / Domains that allow clicking through SSL warnings
SystemProxySettings Device Settings Chrome OS Other settings / Authenticated Proxy Traffic
DeviceAllowMGSToStoreDisplayProperties Managed Guest Session Settings Chrome OS User experience / Persist display settings
DeviceAllowedBluetoothServices Device Settings Chrome OS Other settings / Bluetooth services allowed / Only allow connection to Bluetooth services in the list
DevicePciPeripheralDataAccessEnabled Device Settings Chrome OS Other settings / Data access protection for peripherals 

AccessibilityShortcutsEnabled

AutoclickEnabled

CaretHighlightEnabled

CursorHighlightEnabled

DictationEnabled

FloatingAccessibilityMenuEnabled

HighContrastEnabled

KeyboardFocusHighlightEnabled

LargeCursorEnabled

MonoAudioEnabled

PrimaryMouseButtonSwitch

ScreenMagnifierType

SelectToSpeakEnabled

SpokenFeedbackEnabled

StickyKeysEnabled

VirtualKeyboardEnabled

Device Settings

Chrome OS

Kiosk accessibility

  • New and updated policies (Chrome and Chrome OS)
Policy Description
BrowserThemeColor
Browser Only
Configure the color of the browser's theme
CECPQ2Enabled CECPQ2 post-quantum key-agreement enabled for TLS
DefaultFileHandlingGuardSetting Lets web apps ask for access to file types via the File Handling API.
DeviceAllowedBluetoothServices
Chrome OS Only
Only allow connection to the Bluetooth services in the list
ExplicitlyAllowedNetworkPorts Permits bypassing the list of restricted ports
FileHandlingAllowedForUrls Specifies web apps allowed to access file types via the File Handling API.
FileHandlingBlockedForUrls Specifies web apps blocked from accessing file types via the File Handling API.
ForcedLanguages
Browser Only
Configure the content and order of preferred languages
HeadlessMode Control use of the Headless Mode
SharedArrayBufferUnrestrictedAccessAllowed Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context.
SuppressDifferentOriginSubframeDialogs Specifies if JavaScript dialogs triggered from a different origin subframe will be blocked
URLBlocklist
New on iOS
Specifies disallowed URLs
URLAllowlist
New on iOS
Specificies allowed URLs
WebAppSettings
Browser only
Specifies settings for web apps installed through WebAppInstallForceList Note: This is an experimental policy that may be replaced in a future version of Chrome.
WebRtcIPHandling WebRTC will use TCP on the public-facing interface, and will only use UDP if supported by a configured proxy

Coming soon


Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
 
  • Chrome is moving to a 4-week stable channel and introducing an 8-week extended stable channel as early as Chrome 94
     
    Chrome on mobile, Windows, Mac, and Linux will move from its current 6-week release cycle to a 4-week release cycle, allowing security features, new functionality and bug fixes to reach users more quickly.
     
    No action is required for most enterprises, but if you manually update or test new releases of Chrome and prefer a slower release cadence, you'll be able to use the TargetChannel policy to switch Chrome on Mac and Windows to an extended stable channel, with a new release every 8 weeks instead. More details can be found on our blog post at blog.chromium.org
     
    Chrome OS is working on the changes to the release cadence and will send a separate announcement.  As always, Chrome OS will prioritize the latest security updates, and maintain a high quality and stable experience for users, customers, partners, and developers.
     

Upcoming Chrome browser changes

 
  • Managed profile sign-in popup will be more clear in Chrome 92
     
    Chrome will update the notice when users sign into a managed profile. The new notice will use clear language and the available actions will be simplified. Some users will see a link to open Chrome in guest mode when they sign in to a new profile that's different from the profile signed in to Chrome.  
     
  • SharedArrayBuffers will need Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy in Chrome 92
     
    If your organization uses apps that leverage SharedArrayBuffers, those apps will need to set Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy in the HTTP header. Web apps not setting the appropriate policies will no longer be able to access SharedArrayBuffers.  
    If your organization needs additional time to make the transition, the SharedArrayBufferUnrestrictedAccessAllowed policy will be available in Chrome 91. This is a temporary policy that will eventually be removed. The removal timeline will be communicated in future release notes.
     
  • Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 92
     
    Insecure pages will no longer be able to make subresource requests to IPs belonging to a more private address space (as defined in Private Network Access). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You will be able to control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
     
  • Different-origin iframes will not be able to trigger javascript dialogs in Chrome 92
     
    Chrome will prevent iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. This change is intended to prevent embedded content from spoofing the user into believing a message is coming from the website they're visiting, or from Chrome itself.
    If you have any web apps affected by this change, you'll be able to use the temporary enterprise policy SuppressDifferentOriginSubframeDialogs to revert to the previous behavior. This policy will be removed in Chrome 95.
     
  • Chrome will launch a sharing hub in Chrome 92
     
    Users will be able to more easily share their current page in Chrome 92, including the ability to send the current page to their devices, get a QR code for the current URL,  screenshot and markup the current page, and share to third party apps.
    You'll be able to control this feature using an enterprise policy.
     
  • Chrome 92 on iOS will prefer https to http when not specified in the address bar
     
    When a user types an address into the address bar without specifying the protocol, Chrome will attempt to navigate using https first, then fallback to http if https is not available. For example, if the user navigates to example.com, Chrome will first attempt to navigate to https://example.com, then fallback to http://example.com if required. For more information, see Chrome’s blog post, A safer default for navigation: HTTPS.
    Desktop and Android users already had this change, and iOS will be rolled out in Chrome 92.
     
  • Chrome 92 on Android will introduce the Magic Toolbar 

    The Chrome toolbar on Android will add a new adaptable button, which will show different shortcuts depending on what the user is most likely to need and will also be customizable. 
     
  • Chrome 92 will expand DNS HTTPS records queries for users using classic DNS 
     
    Chrome is currently querying and parsing DNS HTTPS records alongside the traditional A and AAAA records for users using Secure DNS. From Chrome 92,  we will expand this behavior to users using classic DNS. The information from these records will be used to improve privacy and performance of HTTPS web connections. You can temporarily disable these extra queries for users using classic DNS, via the AdditionalDnsQueryTypesEnabled policy with Group Policy or in the Google Admin Console. Please share details about issues that led you to use the policy as a workaround. Note that this policy has no effect for users using Secure DNS.
     
  • Lock in address bar will be replaced in Chrome 93
     
    The lock in the address bar will be replaced with a new icon. Chrome is moving to security messaging that highlights known security issues, and shows neutral messaging otherwise. Showing an icon that implies safety based solely on the connection's encryption may lead to a false sense of security.
     
  • Network Service on Windows will be sandboxed as early as Chrome 93
     
    The network service, already running in its own process, will be sandboxed on Windows to improve the security and reliability of the service. As part of this, third party code that is currently able to tamper with the Network Service will be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data loss Prevention software.You'll be able to disable the change with an enterprise policy when it becomes available.
     
  • Chrome may leverage MiraclePtr to improve security, as early as Chrome 93
     
    Chrome will leverage MiraclePtr to reduce the risk of security vulnerabilities relating to memory safety. The Chrome team is gathering data on the performance cost of MiraclePtr in Chrome 91, but domain-joined enterprises on the stable channel are excluded from MiraclePtr builds during this phase. A full release of MiraclePtr in Chrome may be as early as Chrome 93.
     
  • UserAgentClientHintsEnabled will be removed in Chrome 93
     
    When Chrome introduced User-Agent Client Hints, some servers were not able to accept all characters in the User-Agent Client Hints headers as part of the broader Structured Headers  emerging standard.
    To give enterprises extra time updating these servers, the UserAgentClientHintsEnabled policy was introduced. This transition period will end with Chrome 93, and the policy will be removed.
     
  • SyncXHR policy will no longer be supported on Chrome 93
     
    The AllowSyncXHRInPageDismissal enterprise policy will be removed in Chrome 93. For any apps that rely on the legacy web platform behavior, be sure to update them before Chrome 93. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications.
     
  • LegacySameSiteCookieBehaviorEnabled will be removed in Chrome 93
     
    When same-site cookie behavior was introduced, Chrome included policies to give admins extra time to adjust the implementation of any enterprise apps that relied on the legacy cookie behavior.
    The first phase of the transition plan will end in Chrome 93, and LegacySameSiteCookieBehaviorEnabled will no longer take effect. You will still be able to opt specific sites into the legacy cookie behavior using LegacySameSiteCookieBehaviorEnabledForDomainList until Chrome 109.
     
  • Chrome 93 will not support Ubuntu 16.04 

    Ubuntu 16.04 is past the end of standard support, and will not be supported as of Chrome 93. The updated system requirements for Chrome are available here.
     
  • Chrome 93 will remove 3DES TLS cipher suites 

    Chrome will remove support for 3DES TLS cipher suites. The TripleDESEnabled enterprise policy will be made available in Chrome 92 to test this change, and will be available temporarily until Chrome 95, to give enterprises additional time to adjust.
     
  • Chrome apps will be deprecated in Chrome 94 on Mac, Windows, and Linux 

    Chrome apps will no longer function on Mac, Windows, and Linux in Chrome 94, as part of the previously-communicated plan to replace Chrome apps with the open web. For enterprises that need extra time to adjust to the removal of Chrome apps, a policy will be available to extend support for them until June 2022.
     
  • Chrome will maintain its own default root store as early as Chrome 95 

    To improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own certificate authority, you should not have to manage multiple root stores. We do not anticipate any changes to be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
     
  • Legacy policies with non-inclusive names will be removed in Chrome 95 

    Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names (for example, whitelist blacklist). To minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome.
    Note: If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy.
    This transition period will end in Chrome 95, and the following policies in the left column will no longer function. Please ensure you're using the corresponding policy from the right column instead:

     

    Legacy Policy Name New Policy Name
    NativeMessagingBlacklist NativeMessagingBlocklist
    NativeMessagingWhitelist NativeMessagingAllowlist
    AuthNegotiateDelegateWhitelist AuthNegotiateDelegateAllowlist
    AuthServerWhitelist AuthServerAllowlist
    SpellcheckLanguageBlacklist SpellcheckLanguageBlocklist
    AutoplayWhitelist AutoplayAllowlist
    SafeBrowsingWhitelistDomains SafeBrowsingAllowlistDomains
    ExternalPrintServersWhitelist ExternalPrintServersAllowlist
    NoteTakingAppsLockScreenWhitelist NoteTakingAppsLockScreenAllowlist
    PerAppTimeLimitsWhitelist PerAppTimeLimitsAllowlist
    URLWhitelist URLAllowlist
    URLBlacklist URLBlocklist
    ExtensionInstallWhitelist ExtensionInstallAllowlist
    ExtensionInstallBlacklist ExtensionInstallBlocklist
    UserNativePrintersAllowed UserPrintersAllowed
    DeviceNativePrintersBlacklist DevicePrintersBlocklist
    DeviceNativePrintersWhitelist DevicePrintersAllowlist
    DeviceNativePrintersAccessMode DevicePrintersAccessMode
    DeviceNativePrinters DevicePrinters
    NativePrinters Printers
    NativePrintersBulkConfiguration PrintersBulkConfiguration
    NativePrintersBulkAccessMode PrintersBulkAccessMode
    NativePrintersBulkBlacklist PrintersBulkBlocklist
    NativePrintersBulkWhitelist PrintersBulkAllowlist
    UsbDetachableWhitelist UsbDetachableAllowlist
    QuickUnlockModeWhitelist QuickUnlockModeAllowlist
    AttestationExtensionWhitelist AttestationExtensionAllowlist
    PrintingAPIExtensionsWhitelist PrintingAPIExtensionsAllowlist
    AllowNativeNotifications AllowSystemNotifications
    DeviceUserWhitelist DeviceUserAllowlist
    NativeWindowOcclusionEnabled WindowOcclusionEnabled

If you're managing Chrome via the Google Admin Console (for example, Chrome Browser Cloud Management), no action is required; the Google Admin Console will manage the transition automatically.
 

Upcoming Admin Console changes

 
  • Sending Extension Requests for Chrome Browser Desktop and Chrome OS 
     
    As an admin, you can block users from installing extensions and the Chrome Web Store will now have a “Request” button so that you can see their requests from within the Admin Console and take an action to allow or to block the extensions.  You can sign up to get early access to this feature by filling out our Trusted Tester form. 

     
 
Chrome 90

Chrome Browser updates

 
  • Single words are not treated as intranet locations by default

    By default, Chrome improves user privacy and reduces load on DNS servers by avoiding DNS lookups for single keywords entered into the address bar. This change may interfere with enterprises that use single-word domains in their intranet. That is, a user typing "helpdesk" is no longer directed to "https://helpdesk/".
    You can control the behavior of Chrome using the IntranetRedirectBehavior enterprise policy, including preserving the existing behavior (value 3: Allow DNS interception checks and did-you-mean "http://intranetsite/" infobars.).
    Some users saw this change in Chrome 88 and 89; a full rollout is happening in Chrome 90.
     
  • Chrome prefers https to http when not specified in the address bar

    When a user types an address into the address bar without specifying the protocol, Chrome attempts to navigate using https first, then falls back to http if https is not available. For example, if the user navigates to example.com, Chrome first attempts to navigate to https://example.com, then falls back to http://example.com if required. See Chrome’s blog post, A safer default for navigation: HTTPS, for more information.
    Desktop and Android users see this in Chrome 90, with a release on iOS following soon after.
     
     
  • Chrome blocks port 554 in Chrome 90

    Port 554 is added to the restricted ports list,  so Chrome blocks traffic through port 554. This should have no effect on customers using standard ports, but custom configurations (for example, delivering PAC scripts) using non-standard ports may be affected. You should instead use standard ports for your use case (for example, delivering PAC scripts via HTTPS through port 443).

     
  • The TargetChannel policy allows you to set Chrome's channel

    Chrome 90 allows you to choose between stable, beta, and dev channels via the enterprise policy TargetChannel. You can read more about setting the policies for Mac and Windows.

     
  • Chrome compresses public HTTPS images

    When Chrome Lite mode is enabled, Chrome compresses public HTTPS images to reduce users’ data costs, by routing the requests through a Google service. You can control this using the DataCompressionProxyEnabled enterprise policy.

     
  • Chrome saves data with Lite videos

    To reduce the data-cost and improve the experience of videos on metered and limited data connections, Chrome on Android reduces the effective bitrate of videos for Lite mode users on cellular connection. You can control this feature using the DataCompressionProxyEnabled policy.

     
  • AllowNativeNotifications updated to AllowSystemNotifications

    As part of Chrome's move to using more inclusive policy names, AllowNativeNotifications is renamed to AllowSystemNotifications. The existing AllowNativeNotifications policy will be available until Chrome 95.

     
  • Chrome supports Intel CET

    Chrome supports Intel’s Control Flow Enforcement Technology (CET), known as Hardware-enforced Shadow Stacks on Windows. This only affects Chrome running on hardware that supports CET (Intel 11th Gen or AMD Zen 3). While no issues are expected, you can manage CET by manipulating Image File Execution Options (IFEO) through group policy.

     
  • Some permission requests are less intrusive

    Permission requests that the user is unlikely to allow are automatically blocked, when Safe Browsing is set to Enhanced. A less intrusive UI allows the user to manage permissions for each site.


    You can control this feature on your environment using the SafeBrowsingProtectionLevel enterprise policy. Set it to 1 (standard), 2 (enhanced), or leave the policy unset to enable the quieter requests. Set it to 0 (disabled) to always use the standard requests instead of the quieter requests.

    You can also explicitly allow or disable notifications for certain sites using the NotificationsAllowedForUrls and NotificationsBlockedForUrls. This may be better suited for your use case and doesn't require the user to be prompted at all.

     
  • Extension settings load from the same place for all channels on Mac

    All Chrome channels read the extension policies from the same .plist file. For example, the extension Password Alert always loads its policies from com.google.Chrome.extensions.noondiphcddnnabmjcihcjfbhfklnnep.plist instead of com.google.Chrome.canary.extensions.noondiphcddnnabmjcihcjfbhfklnnep.plist in Chrome Canary.

     
  • Security key enterprise attestation

    Chrome supports device-unique attestation of security keys without needing a policy configured. This is useful in situations where security keys are distributed by an enterprise to personnel who may use them on non-policy-managed computers. This requires specially-manufactured security keys—talk to your security key vendor if this sounds useful.

     
  • WebXR depth sensing API will be supported

    The WebXR Depth Sensing API allows Chrome to measure distance from the user’s device to real world geometry in the user’s environment. With this, Chrome will be able to power immersive experiences in WebXR-powered apps (for example, for physics, and lifelike occlusion for augmented reality).

    You will be able to control access to WebXR and other augmented reality APIs using the WebXRImmersiveArEnabled enterprise policy.

     
  • Admin controls on shutdown delay for fetch keepalive

    When Chrome is closed, any outstanding fetch keepalive requests are cancelled by default. In Chrome 90, you can use the FetchKeepaliveDurationSecondsOnShutdown enterprise policy to block browser shutdown for a specified period of time to serve any outstanding fetch keepalive requests.

    This may be suitable for enterprise web applications that require the fetch keepalive requests to signal the end of a user session.

     
  • Legacy browser support works between Chrome and Microsoft Edge

    You can configure Legacy Browser Support to automatically switch between multiple browsers, assigning certain sites to always open in Chrome, while other sites always open in another browser, for example, Internet Explorer. With Chrome 90, we now support configuring your environment to switch between Chrome and Microsoft Edge in IE mode. See this help center article for more details.

     
  • Chrome on Android tablets requests the desktop site

    Chrome 90 on Android tablets requests the desktop version of websites for some users. This is expected to be rolled out to all users in Chrome 91.

     

Chrome OS updates

 
  • Deprecation of AMR and GSM audio codecs

    AMR-NB, AMR-WB, and GSM audio codecs are deprecated as part of this release. Affected users should file bugs here and may temporarily rollback this change via the use of chrome://flags/#deprecate-low-usage-codecs. Users with long-term need for these codecs may use stand-alone applications found in the Google Play Store.

 

  • New Diagnostics app

    The new Diagnostics app helps users understand how their Chrome OS device [battery, CPU, and memory] is performing. Within the app, users can also run troubleshooting tests – results are saved in a session log file for easy sharing with customer support.

     
  • Device Dock Update

    Device updates provide users the ability to have reliable and safe peripherals, by providing an avenue to update their software if needed. In Chrome OS 90, we are releasing a path for updates to docks with minimal user experience disruption, making it simple and safe for all our users that use Works With Chromebook certified accessories.

     
  • Updated UI for recent screenshots and downloads

    Quickly access your recent screenshots and downloads. Pin your important Files to launch, copy, or drag with one click. Visit here for more information.

     
  • Better account manager and add account flow

    Chrome OS’s account manager is getting a brand new design to help users better understand the Chrome OS identity model, such as the difference between device account and secondary Google Accounts, and the implications of adding multiple Google Accounts to a user session. Instead of being nested under the "People'' section, the redesigned account manager is part of a new "Accounts" section for clarity and ease of access. Finally, the add account flow is also redesigned to help nudge users away from adding their Google Accounts to user sessions that are not their own.

     
  • Add Live captions settings to Chrome OS settings

    Chrome Live Caption now supports Chrome OS. Live Captions enables you to caption any audio or video in your browser.

     
  • YouTube and Maps open in standalone windows for new users

    New users can now experience YouTube and Maps in standalone app windows by default, rather than opening as browser tabs. Existing users can right-click on the YouTube or Maps app icon, then select Open link in new tab or Open link in new window.

     
  • Files app: Enable offline for Docs, Sheets, and Slides files on Drive

    Users now have the ability to make Google Docs, Sheets, and Slides available for offline access directly from their Drive folder in the Chrome OS file manager.

     

Admin console updates

 
  • Chrome Policy API

    The Chrome Policy API is a brand new API for configuring Admin console Chrome policies. Admins can use the API to script changes across multiple OUs, compare policies or copy policies across multiple OUs, and more. The Chrome Policy API is now available with support for user & browser settings, as well as printer settings. Future versions of the API will also support managing apps & extensions, device settings, kiosk, and managed guest session settings.

     
  • Update Controls for macOS

    Admin Console now supports configuring update controls for macOS. Please see the Help Center article on how to configure these settings.

     
  • Version History API

    The Chrome Update team released a web service API for retrieving information about Chrome versions and releases.

     
  • Additional policies in the Admin console

    Many new policies are available in the Admin console, including:
     
Policy Name Pages Supported on Category/Field
BasicAuthOverHttpEnabled User & Browser Settings Chrome OS, Windows, Mac, Linux Network / Allow Basic authentication for HTTP
BrowserLabsEnabled User & Browser Settings Windows, Mac, Linux User experience / Browser experiments icon in toolbar
DefaultSensorsSetting User & Browser Settings; Managed Guest Session Settings Chrome OS, Windows, Mac, Linux, Android Hardware / Sensors / Default access
EnableDeprecatedPrivetPrinting User & Browser Settings; Managed Guest Session Settings Chrome OS, Windows, Mac, Linux Printing / Deprecated privet printing
FullscreenAlertEnabled User & Browser Settings Chrome OS User experience / Fullscreen alert
IntegratedWebAuthenticationAllowed User & Browser Settings Chrome OS Network / Login credentials for network authentication
NTPCardsVisible User & Browser Settings Chrome OS, Windows, Mac, Linux User experience / Show cards on the New Tab Page
PhoneHubAllowed User & Browser Settings Chrome OS Connected devices / Phone Hub
PhoneHubNotificationsAllowed User & Browser Settings Chrome OS Connected devices / Phone Hub
PhoneHubTaskContinuationAllowed User & Browser Settings Chrome OS Connected devices / Phone Hub
ProfilePickerOnStartupAvailability User & Browser Settings Windows, Mac, Linux Startup / Profile picker availability on browser startup
RemoteAccessHostDomainList User & Browser Settings; Managed Guest Session Settings Chrome OS, Windows, Mac, Linux Remote access / Remote access hosts / Remote access host domain
SensorsAllowedForUrls User & Browser Settings; Managed Guest Session Settings Chrome OS, Windows, Mac, Linux, Android Hardware / Sensors / Allow access to sensors on these sites
SensorsBlockedForUrls User & Browser Settings; Managed Guest Session Settings Chrome OS, Windows, Mac, Linux, Android Hardware / Sensors / Block access to sensors on these sites
SigninInterceptionEnabled User & Browser Settings Windows, Mac, Linux Sign-in settings / Signin interception
TargetBlankImpliesNoOpener User & Browser Settings; Managed Guest Session Settings Chrome OS, Windows, Mac, Linux, Android Security / Popup interactions
WifiSyncAndroidAllowed User & Browser Settings Chrome OS Other settings / Wi-Fi network configurations sync

 

  • New and updated policies (Chrome Browser and Chrome OS)
     
Policy Description
AllowSystemNotifications
Linux Only
Allow system notifications
AudioProcessHighPriorityEnabled
Windows Only
Allow the audio process to run with priority above normal on Windows
FetchKeepaliveDurationSecondsOnShutdown Fetch keepalive duration on Shutdown
SSLErrorOverrideAllowedForOrigins Allow proceeding from the SSL warning page on specific origins
WebXRImmersiveArEnabled Allow creating WebXR's "immersive-ar" sessions
WindowOcclusionEnabled
Browser only
Enable Window Occlusion

 

Coming soon

 

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

  • Chrome is moving to a 4-week stable channel and introducing an 8-week extended stable channel as early as Chrome 94

    Chrome on mobile, Windows, Mac, and Linux will move from its current 6-week release cycle to a 4-week release cycle, allowing security features, new functionality and bug fixes to reach users more quickly.

    No action is required for most enterprises, but if you manually update or test new releases of Chrome and prefer a slower release cadence, you'll be able to switch Chrome to an extended stable channel, with a new release every 8 weeks instead. More details can be found on our blog post at blog.chromium.org.

    Chrome OS is also planning changes to the release cycle during the same release. As always, Chrome OS will prioritize the latest security updates, and maintain a high quality and stable experience for users, customers, partners, and developers.

     

Upcoming Chrome Browser changes

 
  • Chrome 91 will block port 10080 and add a policy for allowing specific ports

    Port 10080 will be added to the restricted ports list and traffic will be blocked through it. This should have no effect on customers using standard ports, but custom configurations using non-standard ports may be affected.

    If you're affected by this change, or other changes blocking ports for security reasons, Chrome will introduce an enterprise policy where you can allow specific ports in your environment.
     
  • Collapsed tab groups will be frozen in Chrome 91

    Chrome allows users to group tabs into collapsible groups, helping them stay organized and productive. In Chrome 91, those tabs will be frozen when the user collapses them, freeing up resources on the system. Chrome will not freeze tabs if they are playing audio, holding a web lock, holding an IndexedDB lock, connected to a USB device, capturing video or audio, being mirrored, or capturing a window or display.

     
  • Web apps will be able to run when the user logs into the OS in Chrome 91

    Users will be able to configure Progressive Web Apps to start automatically when they log into the OS. This allows some apps that the user expects to be always-on to behave as expected.

    You will be able to control which apps can start on OS login using the WebAppSettings enterprise policy.

     
  • Chrome will introduce initial_preferences in Chrome 91

    As part of Chrome's move to using more inclusive naming, Chrome will support an admin using a file to control the browser's initial preferences, named initial_preferences. This file behaves the same way as, and will eventually replace the master_preferences file that exists today. To minimize any disruption, master_preferences will continue to be supported in Chrome 90 and more notice will be given before support for master_preferences is removed.
     
  • Different-origin iframes will not be able to trigger javascript dialogs in Chrome 91

    Chrome will prevent iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. This change is intended to prevent embedded content from spoofing the user into believing a message is coming from the website they're visiting, or from Chrome itself.

    If you have any web apps affected by this change, you'll be able to use the temporary enterprise policy SuppressDifferentOriginSubframeDialogs to revert to the previous behavior. This policy will be removed in Chrome 94.

    You can test apps in your environment for compatibility using Chrome 91 Canary, and Chrome 91 Beta on April 22.
     
  • Network state will be partitioned in Chrome 91

    At present, some network objects are shared globally for performance reasons, but this makes it possible to fingerprint users and track them across sites. To protect user privacy, Chrome will partition many network objects by topmost frame domain and iframe domain. A comprehensive description is available here.

    No impact is expected other than minor performance changes, but you can test the change in advance by using the command line flag:

    --enable-features=PartitionConnectionsByNetworkIsolationKey,PartitionExpectCTStateByNetworkIsolationKey,PartitionHttpServerPropertiesByNetworkIsolationKey,PartitionNelAndReportingByNetworkIsolationKey,PartitionSSLSessionsByNetworkIsolationKey,SplitHostCacheByNetworkIsolationKey

     
  • The BrowserSignIn enterprise policy will be available for Chrome 91 on iOS

    The BrowserSignIn policy allows you to either disable or force users to sign into Chrome browser. The IncognitoModeAvailability policy allows you to disable Incognito mode. Both of these policies will be available for Chrome 90 on iOS.
     
  • Quantum computer resistant security will be enabled in Chrome 91

    Chrome will start supporting a post-quantum key-agreement mechanism in TLS when communicating with some domains. This increases the size of TLS handshake messages which, in rare cases, may cause issues with network middleboxes that incorrectly assume that TLS messages will fit in a single network frame.

    The CECPQ2Enabled policy can be set to disable this. It will also be disabled if the ChromeVariations policy is set to a non-default value. For more details on this rollout, see https://www.chromium.org/cecpq2

     
  • The SSLVersionMin policy will not allow TLS 1.0 or TLS 1.1 in Chrome 91

    The SSLVersionMin enterprise policy allows you to bypass Chrome's interstitial warnings for legacy versions of TLS. This will be possible until Chrome 91 (May 2021), then the policy will no longer allow TLS 1.0 or TLS 1.1 to be set as the minimum.

    We previously communicated that this would happen as early as January 2021, but the deadline has since been extended.

     
  • Server certificates issued by the Camerfirma will no longer be accepted, no later than Chrome 91

    Websites that use server certificates issued by the Camerfirma Certification Authority will be distrusted in a future release of Chrome. Affected sites should have already been contacted by Camerfirma and have migration underway. Note that this does not affect client certificates, only those used for authentication of TLS servers.

     
  • Chrome 91 on iOS will warn users if they reuse their saved passwords on known phishing sites

    To better protect users from phishing schemes, Chrome warns users if it appears that they've entered a saved password on a known phishing site. In Chrome 91, this feature will be expanded to Chrome on iOS.

    You can control your organization's use of this feature using the PasswordManagerEnabled enterprise policy.

     
  • Chrome 91 will use updated table rendering

    Chrome is updating the way it renders tables on web pages. This change fixes known issues and brings Chrome closer to the behavior of other browsers, so impact is expected to be minimal. However, you should test important workflows in your environment for unexpected issues. A full explainer is available here.

    You can enable the new rendering behavior using chrome://flags/#enable-table-ng in Chrome 90 and above. If you experience any unexpected issues when testing with the flag enabled, please file a chromium bug.

     
  • Managed profile sign-in popup will be more clear, with changes as early as Chrome 91

    Chrome will update the notice when users sign into a managed profile. The new notice has more clear language and the available actions have been simplified. Some users will see a link to open Chrome in guest mode when they sign into a new profile that's different from the profile signed into Chrome.

     
  • Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 92

    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You will be able to control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.

     
  • Lock in address bar will be replaced in Chrome 92

    The lock in the address bar will be replaced with a new icon. Chrome is moving to security messaging that highlights known security issues, and shows neutral messaging otherwise. Showing an icon that implies safety based solely on the connection's encryption may lead to a false sense of security.

     
  • The Network Service on Windows will be sandboxed as early as Chrome 92

    The network service, already running in its own process, will be sandboxed on Windows to improve the security and reliability of the service. As part of this, third party code that is currently able to tamper with the Network Service will be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data loss Prevention software.You'll be able to disable the change with an enterprise policy when it becomes available.

     
  • Chrome will leverage MiraclePtr to improve security, as early as Chrome 93

    Chrome will leverage MiraclePtr to reduce the risk of security vulnerabilities related to memory safety. The Chrome team is gathering data on the performance cost of MiraclePtr in Chrome 91, but enterprises on the stable channel are excluded from MiraclePtr builds during this phase. A full release of MiraclePtr in Chrome may be as early as Chrome 93.
     
  • Chrome will maintain its own default root store as early as Chrome 92

    In order to improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own certificate authority, you should not have to manage multiple root stores.We do not anticipate any changes to be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.  
     
  • Chrome will launch a sharing hub in Chrome 92

    Users will be able to more easily share their current page in Chrome 92, including the ability to send the current page to their devices, get a QR code for the current URL,  screenshot and markup the current page, and share to third party apps.

    You'll be able to control this feature using an enterprise policy. 
     
  • UserAgentClientHintsEnabled will be removed in Chrome 93

    When Chrome introduced User-Agent Client Hints, some servers were not able to accept all characters in the User-Agent Client Hints headers as part of the broader Structured Headers  emerging standard.

    To give enterprises extra time updating these servers, the UserAgentClientHintsEnabled policy was introduced. This transition period will be ending with Chrome 93, and the policy will be removed. 
     
  • SyncXHR policy will no longer be supported on Chrome 93

    The AllowSyncXHRInPageDismissal enterprise policy will be removed in Chrome 93. For any apps that rely on the legacy web platform behavior, be sure to update them before Chrome 93. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications. 
     
  • LegacySameSiteCookieBehaviorEnabled will be removed in Chrome 93

    When same-site cookie behavior was introduced, Chrome included policies to give admins extra time to adjust the implementation of any enterprise apps that relied on the legacy cookie behavior. The first phase of the transition plan will end in Chrome 93, and LegacySameSiteCookieBehaviorEnabled will no longer take effect. You will still be able to opt specific sites into the legacy cookie behavior using LegacySameSiteCookieBehaviorEnabledForDomainList until Chrome 97. 
     
  • Legacy policies with non-inclusive names will be removed in Chrome 95

    Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names (for example, whitelist, blacklist). In order to minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome. 

    Note: If both the legacy policy and the new policy are set for any row in the table below, the new policy will override the legacy policy. 

    This transition period will end in Chrome 95, and the following policies in the left column will no longer function. Please ensure you're using the corresponding policy from the right column instead: 
     
Legacy Policy Name New Policy Name
NativeMessagingBlacklist NativeMessagingBlocklist
NativeMessagingWhitelist NativeMessagingAllowlist
AuthNegotiateDelegateWhitelist AuthNegotiateDelegateAllowlist
AuthServerWhitelist AuthServerAllowlist
SpellcheckLanguageBlacklist SpellcheckLanguageBlocklist
AutoplayWhitelist AutoplayAllowlist
SafeBrowsingWhitelistDomains SafeBrowsingAllowlistDomains
ExternalPrintServersWhitelist ExternalPrintServersAllowlist
NoteTakingAppsLockScreenWhitelist NoteTakingAppsLockScreenAllowlist<
PerAppTimeLimitsWhitelist PerAppTimeLimitsAllowlist
URLWhitelist URLAllowlist
URLBlacklist URLBlocklist
ExtensionInstallWhitelist ExtensionInstallAllowlist
ExtensionInstallBlacklist ExtensionInstallBlocklist
UserNativePrintersAllowed UserPrintersAllowed
DeviceNativePrintersBlacklist DevicePrintersBlocklist
DeviceNativePrintersWhitelist DevicePrintersAllowlist
DeviceNativePrintersAccessMode DevicePrintersAccessMode
DeviceNativePrinters DevicePrinters
NativePrinters Printers
NativePrintersBulkConfiguration PrintersBulkConfiguration
NativePrintersBulkAccessMode PrintersBulkAccessMode
NativePrintersBulkBlacklist PrintersBulkBlocklist
NativePrintersBulkWhitelist PrintersBulkAllowlist
UsbDetachableWhitelist UsbDetachableAllowlist
QuickUnlockModeWhitelist QuickUnlockModeAllowlist
AttestationExtensionWhitelist AttestationExtensionAllowlist
PrintingAPIExtensionsWhitelist PrintingAPIExtensionsAllowlist
AllowNativeNotifications AllowSystemNotifications
DeviceUserWhitelist DeviceUserAllowlist
NativeWindowOcclusionEnabled WindowOcclusionEnabled
 

If you're managing Chrome via the Google Admin Console (for example, Chrome Browser Cloud Management), no action is required; the Google Admin Console will manage the transition automatically.
 

Upcoming Admin Console changes

 
  • Sending Extension Requests for Chrome Browser and Chrome OS

    As an admin, you can block users from installing extensions and the Chrome Web Store will now have a “Request” button so that you can see their requests from within the Admin Console and take an action to allow or to block the extensions.

     
  • Sending Remote Commands for Chrome Desktop

    As an admin, you can use your Google Admin console to remotely send actions to managed Chrome Desktop Browsers (Win/Mac/Linux). For example, you will be able to delete browser cache or cookies remotely.

     
 
Chrome 89

Chrome Browser updates

 
  • Single words will not be treated as intranet locations by default

    By default, Chrome will improve user privacy and will reduce load on DNS servers by avoiding DNS lookups for single keywords entered into the address bar. This change may interfere with enterprises that use single-word domains in their intranet. That is, a user typing helpdesk will no longer be directed to https://helpdesk/.

    You will be able to control the behavior of Chrome using the IntranetRedirectBehavior enterprise policy, including preserving the existing behavior (value 3: Allow DNS interception checks and did-you-mean http://intranetsite/ infobars.).

    Some users saw this change in Chrome 88; a full rollout is planned in Chrome 89.

  • Chrome will prefer https to http when not specified in the address bar

    When a user types an address into the address bar without specifying the protocol, Chrome will attempt to navigate using https first, then fallback to http if https is not available. For example, if the user navigates to example.com, Chrome will first attempt to navigate to https://example.com, then will fallback to http://example.com if required.

    Some users on Windows, Mac, Linux, and Android will see this change in Chrome 89, and all users should see this change in Chrome 90.

  • Users can search open tabs

    Users can search for open tabs across windows, as shown in this screenshot:

  • Enterprise realtime URL checking enabled by BeyondCorp Enterprise

    Chrome 89 will introduce new security capabilities enabled by BeyondCorp Enterprise allowing checking URLs for phishing attacks in realtime for BeyondCorp Enterprise customers.

  • Chrome profiles for separating users or accounts

    Chrome will add new features to help different users keep their browsing data like bookmarks, history, and settings separate.

    Users will be given the option to create a new Chrome profile and move their account over, when they sign in to a profile where another account is already signed in.

    If a user signs in with an account that is already signed in to another profile, they will be offered the option to switch. Users who have multiple profiles set up will see a profile picker on startup. 

    You can control whether Chrome offers to create or switch profiles with the SigninInterceptionEnabled enterprise policy and ProfilePickerOnStartupAvailability enterprise policies.
  • Certain features will be available to users who have signed in without having to enable Chrome Sync 

    Some users who have signed into Chrome may be able to access and save payment methods and passwords stored in their Google Account without Chrome Sync being enabled.

    You can control users' access to payment methods on Chrome on Android using the AutofillCreditCardEnabled enterprise policy. You can control access to passwords on Chrome on desktop by either setting the SyncDisabled enterprise policy to disabled, or by including passwords in SyncTypesListDisabled.
     
  • Chrome on Android will require the device to be certified

    Chrome on Android will only be able to run on devices that are Play Protect certified. This will affect all instances of Chrome including PWAs, but does not include WebView.

    Chrome on VMs and emulators will continue to work if an emulator is emulating an approved device or the emulator is Google-developed.

    See the Android Help Center article for details on how to verify a device’s certification status.  
     
  • Version pinning for self-hosted extensions & apps

    To increase the stability in high-reliability environments, Chrome 89 will facilitate the pinning of extensions and apps to a specific version. Administrators can self-host the extension or app of their choice, and instruct Chrome to use the update URL from the extension forcelist instead of the extension manifest. This will be via a new boolean parameter in ExtensionSettings policy. As a result, extensions & apps will not be updated via the updateURL that was originally configured in their manifest, and will stay on one specific version.  
     
  • Chrome introduces privacy-preserving APIs to replace some of the functionality of third-party cookies

    Several changes are coming in Chrome 89 to build a more private web. We originally announced these changes in the Chromium Blog.

    FLoC, an interest-based targeting API will be introduced as an origin trial. This API will allow working with cohorts—groups of users with similar interests. Users cannot be individually identified.

    An event-level conversion API will continue in the origin-trial stage for Chrome 89. This API will enable the correlation of an ad click on a website with a subsequent conversion on an advertiser site (a sale, a sign-up, etc). Users cannot be individually identified.

    Platform-provided trust tokens will be introduced to the ongoing Trust Token API Origin Trial. This experiment will be used to ascertain the value of tokens incorporating on-device state as a mechanism for anti-spam and anti-abuse systems, and to evaluate the feature’s performance relative to standard web-issued trust tokens. 

    First party sets will be introduced as an origin trial. This will allow a collection of related, commonly-owned domains to declare themselves as a first party set, so that browsers can consider this relationship when applying cross-site communication policies. 

    Schemeful Same-Site, which evolves the definition of same-site to include the URL scheme, will be fully rolled out and available to all audiences.

    User Agent Client Hints will also be fully rolled out and available to all audiences.

    See the chromium privacy sandbox page for details on these APIs and the privacy sandbox.
     
  • Chrome will require SSE3 for Chrome on x86

    Chrome 89 and above will require x86 processors with SSE3 support. This change does not impact devices with non-x86 (ARM) processors. Chrome will not install and run on x86 processors that do not support SSE3. SSE3 was introduced on Intel CPUs in 2003, and on AMD CPUs in 2005.

  • Chrome introduces BrowsingDataLifetime and ClearBrowsingDataOnExitList policies

    Chrome will give you more control over data in your environment by introducing two policies that clear browsing data after a specified amount of time, or once Chrome has been closed: BrowsingDataLifetime and ClearBrowsingDataOnExitList. These policies will be useful for customers that have strict regulatory requirements around data being stored on client devices.

  • Metrics reporting can be disabled by the user even if admin has it turned on

    To improve user privacy, end users will be able to turn off metrics reporting for themselves, even if you have set MetricsReportingEnabled to true. If you set MetricsReportingEnabled to false, users will not be able to enable metrics.

  • Chrome introduces the Serial API

    The Serial API will provide a way for websites to read and write from a serial device through script. You can read an explainer on the Serial API here.

    You will be able to control access to the Serial API using the DefaultSerialGuardSetting policy. You can also use the SerialAskForUrls and SerialBlockedForUrls policies to control serial device access on a site-by-site basis.

  • Chrome on iOS introduces biometric authentication for Incognito tabs

    Users will have a setting to enable access control for their Incognito tabs. When this setting is turned on, users will be prompted to re-authenticate themselves with biometric authentication when they return to Incognito tabs after closing Chrome on iOS.

Chrome OS updates

 
  • Extended auto-update blockout windows 

    Already as of today, the Chrome OS auto update blockout window device policy allows admins to block updates for their kiosk devices during certain business hours. This helps to save bandwidth in cases where Chromebooks are located at sites with limited network connectivity. From Chrome 89 on (official launch March 9th, 2021), the auto update blockout window policy will be extended. (1) Instead of only applying to kiosk sessions, it will also apply to user sessions & managed guest sessions (MGS). (2) Instead of only influencing the start of an update download, it will also pause previously started updates during blockout windows.

    Due to the extended impact of the auto-update blockout window policy, an adjustment of your policy settings might be required to guarantee continuous updates of your devices.

  • Scaled Print Server Support 

    Admins will be able to assign any number of IPP based print servers to be remotely configured from the admin console. Users will select a specific print server to connect to if the user has more than 16 print servers assigned. If there are less than 16 configured, Chrome OS will automatically query all assigned print servers simultaneously.

  • Scanning support

    Chrome OS will support the scanning functionality of compatible multifunction printers. Access to the Scan app on Chrome OS can be controlled by Admins.
     
  • QR code scanning support

    You can now scan QR codes with the Chrome OS Camera app. Just point your camera at a QR code and the results will automatically be scanned.

  • Switch Access settings Improvements

    Switch Access settings will allow you to use any key or external switch and will make setting up your switches easier by replacing the drop down menu with just pressing the switch you want to use. 
  • Enhanced Screen Capture

    Chrome OS screen capture just got better. Screen capture functionality is now always accessible via quick settings. A new capture mode provides users with an intuitive UI to switch between functionality. After taking a partial screenshot, you can adjust the selection to perfect your capture. New screen recording functionality lets you capture and share motion.


     
  • Desk improvements

    Improvements for frictionless smart creation and management of multiple workspaces (restore desks for browser, send to desk, and virtual desk improvements).
     
  • Wi-Fi Sync improvements

    Wi-Fi Sync is now even more powerful, with added support for Wi-Fi network sharing between Chrome OS and Android.
     
  • Clipboard: visual clipboard history

    Chrome OS introduces an extended clipboard to quickly transfer multiple pieces of content. Transfer everything you need with speed and ease.
     
  • Tote: quick access to recent and important Files

    Quickly access your recent screenshots and downloads. Pin your important Files to launch, copy, or drag with one click.
     
  • Improved Media Controls

    Brings unified media controls to quick settings. Access all your media sources in one place quickly.
     
  • App icon refresh

    The icons for the built-in apps on your Chromebook have a fresh new look, making it easier for you to distinguish between the core essential apps (for example, Canvas, Explore) that are made for Chrome OS and third-party apps that you’ve downloaded.
     
  • Enhanced Select-to-speak to better support users with Dyslexia

    Improve the Select-to-speak accessibility service with navigation controls (play/pause, navigate sentences and paragraphs, adjust speed in context).


     

Admin console updates

 
  • Apps & Extension Usage Report

    The Apps & Extension Usage Report report will allow admins to get a comprehensive view of the apps and extensions installed across their fleet of ChromeOS and Chrome Desktop devices.  Refer to the View app and extension usage details article on how to enable it. 
     
  • Reports API

    The Reports API will allow you to generate reports that give you aggregate information on your managed Chrome OS device / Chrome Browser deployment.  Please see the documentation here on how to use it. 
     
  • Additional policies in the Admin console

    Many new policies will be available in the Admin console, including:
Policy Name Pages Supported on Category/Field
NTPContentSuggestionsEnabled User & Browser Settings Android Startup / New Tab page content suggestions
RestrictAccountsToPatterns User & Browser Settings Android User experience / Visible Accounts / Restrict accounts that are visible in Chrome to those matching one of the patterns specified
MediaRecommendationsEnabled User & Browser Settings Chrome OS, Windows, Mac, Linux User experience / Media Recommendations
AllowFileSelectionDialogs User & Browser Settings Windows, Mac, Linux User experience / File selection dialogs
AllowWakeLocks User & Browser Settings; Managed Guest Session Settings Chrome OS Power and shutdown / Wake locks
IntranetRedirectBehavior User & Browser Settings; Managed Guest Session Settings Chrome OS, Windows, Mac, Linux Network / Intranet Redirection Behavior

 

  • New and updated policies (Chrome Browser and Chrome OS)

 

Policy Description

BrowsingDataLifetime

Browsing Data Lifetime Settings

ClearBrowsingDataOnExitList

Clear Browsing Data on Exit

EnableDeprecatedPrivetPrinting

Enable deprecated privet printing

ManagedConfigurationPerOrigin

Sets managed configuration values to websites to specific origins

PhoneHubTaskContinuationAllowed

Chrome OS only

Allow Phone Hub task continuation to be enabled

PhoneHubAllowed

Chrome OS only

Allow Phone Hub to be enabled

PhoneHubNotificationsAllowed

Chrome OS only

Allow Phone Hub notifications to be enabled

ProfilePickerOnStartupAvailability

Browser only

Profile picker availability on startup

RemoteAccessHostAllowRemoteAccessConnections

Browser only

Allow remote access connections to this machine

RemoteAccessHostMaximumSessionDurationMinutes

Browser only

Maximum session duration allowed for remote access connections

SigninInterceptionEnabled

Browser only

Enable signin interception

Coming soon

 

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

  • Chrome will move to a 4-week stable channel and will introduce an 8-week extended stable channel as early as Chrome 94

    Chrome on mobile, Windows, Mac, and Linux will move from its current 6-week release cycle to a 4-week release cycle, allowing security features, new functionality and bug fixes to reach users more quickly.

    No action will be required for most enterprises, but if you manually update or test new releases of Chrome and prefer a slower release cadence, you'll be able to switch Chrome to an extended stable channel, with a new release every 8 weeks instead. More details can be found on our blog post at blog.chromium.org

    Chrome OS is also planning changes to the release cycle during the same release. As always, Chrome OS will prioritize the latest security updates, and maintain a high quality and stable experience for users, customers, partners, and developers.

Upcoming Chrome Browser changes

 
  • Chrome 90 will block port 554

    Port 554 will be added to the restricted ports list and traffic through it will be blocked. This should have no effect on customers using standard ports, but custom configurations (for example, delivering PAC scripts) using non-standard ports may be affected. You should instead use standard ports for your use case (for example, delivering PAC scripts via HTTPS through port 443).
     
  • Launch of PDF XFA forms in Chrome 90

    PDF XFA forms will be partially supported in Chrome 90, expanding the range of PDF documents that can open directly in Chrome.
     
  • Managed profile sign-in popup will be more clear in Chrome 90

    Chrome 90 will update the notice when users sign into a managed profile. The new notice will have more clear language and the available actions will be simplified.
     
  • Some permission requests will be less intrusive in Chrome 90

    Permission requests that the user is unlikely to allow will be automatically blocked. A less intrusive UI will allow the user to manage permissions for each site.

     
  • Chrome 90 will support Intel CET

    Chrome 90 will support Intel’s Control Flow Enforcement Technology (CET), known as Hardware-enforced Shadow Stacks on Windows. This will only affect Chrome running on hardware that supports CET. While no issues are expected, you can manage CET by manipulating Image File Execution Options (IFEO) through group policy.
     
  • Chrome 90 will introduce initial_preferences

    As part of Chrome's move to using more inclusive naming, Chrome will support an admin using a file to control the browser's initial preferences, named initial_preferences. This file will behave the same way as, and will eventually replace the master_preferences file that exists today. To minimize any disruption, master_preferences will continue to be supported in Chrome 90 and more notice will be given before support for master_preferences is removed.
     
  • AllowNativeNotifications updated to AllowSystemNotifications in Chrome 90

    As part of Chrome's move to using more inclusive policy names, AllowNativeNotifications will be renamed to AllowSystemNotifications. The existing AllowNativeNotifications policy will be available until Chrome 95.
     
  • Extension settings will load from the same place for all channels on Mac in Chrome 90

    All Chrome channels will read the extension policies from the same .plist file. For example, the extension Password Alert will always load its policies from com.google.Chrome.extensions.noondiphcddnnabmjcihcjfbhfklnnep.plist instead of com.google.Chrome.canary.extensions.noondiphcddnnabmjcihcjfbhfklnnep.plist in Chrome Canary.
     
  • Chrome will save data with Lite videos in Chrome 90

    To reduce the data-cost and improve the experience of videos on metered and limited data connections, Chrome on Android will reduce the effective bitrate of videos for Lite mode users on cellular connection. You will be able to control this feature using the DataCompressionProxyEnabled policy.
     
  • Data Saver: Chrome will compress public HTTPS images in Chrome 90

    Public HTTPS images will be compressed when Chrome lite mode is enabled, to further provide a rich web experience to users with unreliable internet connections.
     
  • Security key enterprise attestation in Chrome 90

    Chrome will support device-unique attestation of security keys without needing policy configured. This will be useful in situations where security keys are distributed by an enterprise to personnel who may use them on non-policy-managed computers. This will require specially-manufactured security keys—talk to your security key vendor if this sounds useful.
     
  • Launch WebXR capability - Depth Sensing API in Chrome 90

    The WebXR Depth Sensing API will allow Chrome to measure distance from the user’s device to real world geometry in the user’s environment. With this, Chrome will be able to power immersive experiences in WebXR-powered apps (e.g. for physics, and lifelike occlusion for augmented reality). You will be able to control access to WebXR and other augmented reality APIs using the WebXRImmersiveArEnabled enterprise policy.
     
  • Partition Network State in Chrome 90

    Today, some network objects are shared globally for performance reasons, but this makes it possible to fingerprint users and track them across sites. To protect user privacy, Chrome will partition many network objects by topmost frame domain and iframe domain. A comprehensive description is available here.

    No impact is expected other than minor performance changes, but you can test the change in advance by using the command line flag: 
    --enable-features=PartitionConnectionsByNetworkIsolationKey,PartitionExpectCTStateByNetworkIsolationKey,PartitionHttpServerPropertiesByNetworkIsolationKey,PartitionNelAndReportingByNetworkIsolationKey,PartitionSSLSessionsByNetworkIsolationKey,SplitHostCacheByNetworkIsolationKey
     
  • Legacy Browser Support for Edge in IE Mode will be available in Chrome 90

    For organizations accessing legacy web content in Microsoft Edge's IE mode, Chrome 90 will allow admins to configure Legacy Browser Support (LBS) to switch between Microsoft Edge in IE mode and Chrome. You can already use LBS to switch directly between Microsoft Internet Explorer and Chrome.
     
  • The Network Service on Windows will be sandboxed in Chrome 91

    The network service, already running in its own process, will be sandboxed on Windows in Chrome 90 to improve the security and reliability of the service. As part of this, third party code that is currently able to tamper with the Network Service will be prevented from doing so. This may cause problems when connecting to software such as:
    • Custom Authentication Packages.
    • Custom SSO (Single Sign-on) providers.
    • Custom Winsock Namespace/transport providers.
    • Data Loss Prevention software.
    • NTLM with Windows integrated authentication.

    Enterprises are encouraged to try the sandboxed network stack on Dev and Canary channel and report any issues via crbug.com. You'll be able to disable the change with an enterprise policy when it becomes available.
     
  • Lock in address bar will be replaced in Chrome 91

    The lock in the address bar will be replaced with a new icon. Chrome is moving to security messaging that highlights known security issues, and shows neutral messaging otherwise. Showing an icon that implies safety based solely on the connection's encryption may lead to a false sense of security.
     
  • Quantum computer resistant security will be enabled in Chrome 91

    Chrome will start supporting a post-quantum key-agreement mechanism in TLS when communicating with some domains. This increases the size of TLS handshake messages which, in rare cases, may cause issues with network middleboxes that incorrectly assume that TLS messages will fit in a single network frame.
    The CECPQ2Enabled policy can be set to disable this. It will also be disabled if the ChromeVariations policy is set to a non-default value.

    For more details on this rollout, see CECPQ2
     
  • Insecure public pages will no longer be allowed to make requests to private or local URLs in Chrome 91

    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You will be able to control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
     
  • The address bar may show the domain rather than the full URL as early as Chrome 90

    To protect your users from some common phishing strategies, Chrome will test showing only the domain in the address bar for some users. This change will make it more difficult for malicious actors to trick users with misleading URLs. For example, https://example.com/secure-google-sign-in/ will appear only as example.com to the user.

    Although this change is designed to keep your users’ credentials safe, you can revert to the old behavior through the ShowFullUrlsInAddressBar policy.

    This change has been enabled for some users, with a potential full rollout in a later release.
     
  • The SSLVersionMin policy will not allow TLS 1.0 or TLS 1.1 in Chrome 91

    The SSLVersionMin enterprise policy will allow you to bypass Chrome's interstitial warnings for legacy versions of TLS. This will be possible until Chrome 91 (May 2021), then the policy will no longer allow TLS 1.0 or TLS 1.1 to be set as the minimum.

    We previously communicated that this would happen as early as January 2021, but the deadline has since been extended.
     
  • Chrome will maintain its own default root store as early as Chrome 92

    In order to improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own certificate authority, you should not have to manage multiple root stores.We do not anticipate any changes to be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
     
  • SyncXHR policy will no longer be supported on Chrome 93

    The AllowSyncXHRInPageDismissal enterprise policy will be removed in Chrome 93. For any apps that rely on the legacy web platform behavior, be sure to update them before Chrome 93. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications.
     
  • Old policies with non-inclusive names will be removed in Chrome 95

    Chrome 86 through Chrome 90 introduced new policies to replace policies with less inclusive names (e.g. whitelist, blacklist). In order to minimize disruption for existing managed users, both the old and the new policies currently work. This transition time is to ensure it's easy for you to move to and test the new policies in Chrome.

    This transition period will end in Chrome 95. A full list of the policies to be removed will be provided closer to the removal date. If you're managing Chrome via the Google Admin Console (for example, Chrome Browser Cloud Management), no action is required; the Google Admin Console will manage the transition automatically.
     

Upcoming Chrome OS changes

 
  • Deprecation of AMR and GSM audio codecs in Chrome OS 90

    AMR-NB, AMR-WB, and GSM audio codecs will be deprecated as part of this release. Affected users should file bugs here and may temporarily rollback this change via the use of chrome://flags/#deprecate-low-usage-codecs. Users with long-term need for these codecs may use stand-alone applications found in the Google Play Store.

Upcoming Admin Console changes

 
  • Sending Extension Requests for Chrome Browser and Chrome OS

    As an admin, you can block users from installing extensions and the Chrome Web Store will now have a Request button so that you can see their requests from within the Admin Console and take an action to allow or to block the extensions.
     
  • Sending Remote Commands for Chrome Desktop

    As an admin, you can use your Google Admin console to remotely send actions to managed Chrome Desktop Browsers (Win/Mac/Linux). For example, you will be able to delete browser cache or cookies remotely.
 
Chrome 88

Chrome Browser updates

  • Chrome will warn about mixed content forms
    Web forms that load using HTTPS but submit their content using HTTP (unsecured) pose potential risk to user privacy. Chrome 85 and above shows a warning on such forms, letting the user know that the form is insecure. Chrome 88 will show an interstitial warning when the form is submitted, which stops any data transmission, so the user will be able to choose whether to proceed or cancel the submission. This was previously rolled out in Chrome 87 but was rolled back due to the way it interacted with redirects. It is being rolled out again in Chrome 88, but will only show warnings for forms that either submit directly to an http:// URL, or when a redirect to an http:// happens and the form data is exposed across the redirect. For example, 307 or 308 code redirects for POST method forms.





    You will be able to control this behavior using the InsecureFormsWarningsEnabled enterprise policy. To test this behavior before the rollout, use the Mixed Forms Interstitial Chrome flag.
     
  • Improved resource consumption for background tabs
    To save on CPU load and prolong battery life, Chrome will limit the power consumption of background tabs. Specifically, Chrome will allow the timers in the background tabs to only run once per minute. Network event handlers are not affected, which allows sites like Gmail or Slack® to continue delivering timely notifications in the background. Some users saw this feature in Chrome 87. It's now available to all users in Chrome 88.

    You will be able to control this behavior using the IntensiveWakeUpThrottlingEnabled policy.
     
  • Insecure downloads are blocked from secure pages, with changes through Chrome 88
    In Chrome 88 on Windows®, Mac®, and Linux®, downloads from insecure sources will no longer be allowed when started from secure pages. This change has been rolled out gradually, with different file types affected in different releases:

     

  • Executables—Users were warned in Chrome 84, and files were blocked in Chrome 85.
  • Archives—Users were warned in the Chrome developer console in Chrome 85, and files were blocked in Chrome 86.
  • Other non-safe types, for example, PDFs—Users were warned in the Chrome developer console in Chrome 86, and files were blocked in Chrome 87.
  • Other files—Users were warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.

    Warnings on Android will lag behind desktop warnings by one release. For example, executables showed a warning starting in Chrome 85.

    The existing InsecureContentAllowedForUrls policy can be used to allow specific URLs to download insecure files. You can read more details in our blog post.
  • The new tab page allows users to complete previously started workflows
    The Chrome new tab page will show cards to help users return to searches and workflows that were already in progress, like searching for recipes or price comparisons. Users are able to control and remove these cards.

    These cards appeared for some users in Chrome 87, and are now included in Chrome 88. You can control these cards using the NTPCardsVisible policy. 
     
  • Chrome introduces profiles for separating users or accounts
    Some users will be given the option to create a new Chrome profile and move their account over when they sign in to a profile where another account is already signed in. This allows different users to keep bookmarks, history, and settings separate. If a user signs in with an account that is already signed in to another profile, they’re offered to switch. Some users who have multiple profiles set up will see a profile picker on startup.

    You can control whether Chrome offers to create or switch profiles with the SigninInterceptionEnabled enterprise policy. In Chrome 89, you'll also be able to control the startup behavior for the profile picker with the ProfilePickerOnStartupAvailability enterprise policy.


    A wider release to more users is planned for a later release

  • Certain features are available to users who have signed in without having to enable Chrome Sync 
    Some users who have signed into Chrome might be able to access and save payment methods and passwords stored in their Google Account without Chrome Sync being enabled.

    On Chrome on Android, you can control a user's access to payment methods using the AutofillCreditCardEnabled enterprise policy. You can control access to passwords on Chrome on desktop by either setting the SyncDisabled enterprise policy to disabled, or by including "passwords" in SyncTypesListDisabled.
     
  • DTLS 1.0 has been removed
    DTLS 1.0, a protocol used in WebRTC for interactive audio and video, has been removed by default. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. You can test if any of your applications will be impacted by using the following command line flag when launching Chrome:

    --force-fieldtrials=WebRTC-LegacyTlsProtocols/Disabled/ 

    If your enterprise needs additional time to adjust, the WebRtcAllowLegacyTLSProtocols enterprise policy will be made available to temporarily extend the removal.
     
  • Chrome supports manifest v3
    Chrome 88 supports extensions written in the new Manifest V3 format. Manifest V3 is a new platform that makes extensions more secure, performant, and privacy-respecting by default. There is no breaking change at this time; extensions using Manifest v2 will continue to function normally in Chrome 88.
     
  • Chrome is launching an origin trial for detecting idle state
    An early origin trial allows websites to request the ability to query if users are idle, allowing messaging apps to direct notifications to the best device.
     
  • Single words are no longer being treated as intranet locations by default

    By default, Chrome improves user privacy and reduces load on DNS servers by avoiding DNS lookups for single keywords entered into the address bar. This change may interfere with enterprises that use single-word domains in their intranet. For example, a user typing "helpdesk" will no longer be directed to "https://helpdesk/".

    You can control the behavior of Chrome using the IntranetRedirectBehavior enterprise policy, including preserving the existing behavior (value 3: Allow DNS interception checks and did-you-mean "http://intranetsite/" infobars.).
  • Chrome introduces a new permission chip UI
    Permission requests can feel disruptive and intrusive when they lack context – which often happens when prompts appear as soon as a page loads or without prior priming. This leads to a common reaction where end users dismiss the prompt in order to avoid making a decision.

    Chrome now shows a less intrusive permissions chip in the address bar. Since the prompt doesn't intrude in the content area, users who don't want to grant the permission no longer need to actively dismiss the prompt. Users who wish to grant permission can click on the chip to bring up the permission prompt.




    This change will be rolled out gradually throughout Chrome 88.
     
  • The Legacy Browser Support extension has been removed from the Chrome Web Store
    Legacy Browser Support (LBS) is built into Chrome, and the old extension is no longer needed. The Chrome team unpublished LBS from the Chrome Web Store in Chrome 85, and it is disabled in Chrome 88. Legacy Browser Support will still be supported, please migrate away from the extension and towards using Chrome's built-in policies, documented here. The old policies set through the extension will no longer function, and you won't be able to force install the extension once it's been disabled.
     
  • Factor in scheme when determining if a request is cross-site (Schemeful Same-Site)
    Chrome 88 modifies the definition of same-site for cookies such that requests on the same registrable domain but across schemes will be considered cross-site instead of same-site. For example, http://site.example and https://site.example will be considered cross-site to each other which will restrict cookies using SameSite. For additional information please see the Schemeful Same-Site explainer. We recommend testing critical sites using the testing instructions.

    You may revert to the previous, legacy behavior, by using the LegacySameSiteCookieBehaviorEnabledForDomainList and LegacySameSiteCookieBehaviorEnabled policies. These policies will be available at least until Chrome 93, with the domain list planned to be available longer. For more details, including availability, please see Cookie Legacy SameSite Policies.
     
  • Chrome 88 on Mac does not support OS X 10.10 (Yosemite)
    Chrome 88 does not support OS X 10.10 (OS X Yosemite). Chrome on Mac requires OS X 10.11 or later.
     
  • Popup on page unload policy is no longer supported on Chrome 88
    The AllowPopupsDuringPageUnload enterprise policies have been removed in Chrome 88, as previously communicated. For any apps that rely on the legacy web platform behavior, be sure to update them immediately.
     
  • Chrome treats an empty string as an unset policy on Android for some policies in Chrome 88
    To integrate better with mobile management UEMs, Chrome on Android will not set list or dictionary policies from empty strings.
     
  • The BasicAuthOverHttpEnabled policy allows you to disable authentication over HTTP
    You can set the new BasicAuthOverHttpEnabled policy to disabled to disallow non-secure HTTP requests from using the Basic authentication scheme. If you do, only secure HTTPS will be allowed.

  • The Chrome Cleanup Tool can reset Chrome shortcuts
    When users run the Chrome Cleanup Tool, it will modify command line flags within Chrome shortcuts. This helps users restore Chrome to a safe state if malware has inserted malicious command line flags into the shortcut.

    You can control the Chrome Cleanup Tool using the ChromeCleanupEnabled policy, which will prevent this behavior.
     
  • Notifications will be suspended while presenting
    While Chrome is sharing a screen, web-notifications from Chrome will not show their content by default. They will be presented to the user after the screen sharing session ends or by manually revealing them via a notification action. Note that sharing a single window or tab does not affect the delivery of notifications from Chrome.
     
  • The microphone is visible beside the address bar for some users on Android
    The microphone button is visible in the top UI bar of Chrome for some users on Android. Users can to ask the Google Assistant to read the current page, or translate it to another language.

    When users interact with the microphone button, the URL of the current page is shared with Google. You can control this feature using the AudioCaptureAllowed policy.
     
  • Cloud Print is no longer supported
    The Google Cloud Print service is no longer supported on any Operating Systems.

    Chrome OS admins can select a print solution provider or migrate to the Chrome OS local and network printer solution. Admins of Windows®, Mac®, and Linux® operating systems can use the respective OS print workflow or engage with a print solution provider. Learn more about Cloud Print migration
     
  • Save to Drive is no longer supported
    Saving to Google Drive is no longer available from the Chrome print dialog on Mac®, Windows®, Linux® devices. Users can instead install the Save to Drive Chrome extension which has been updated to include this feature or print locally to PDF then upload the file to Google Drive through drive.google.com and select New > File upload. You can also set up automatic syncing between local files and Google Drive with Backup and Sync or Drive File Stream. More details on printing from Chrome are available here
     
  • FTP support has been removed
    Chrome 88 has removed support for FTP URLs. The legacy FTP implementation in Chrome no longer supports encrypted connections (FTPS), or proxies. Usage of FTP is very low, and more capable FTP clients are available on all affected platforms.

    More information is available here.

Chrome OS updates

  • WebAuthn using Fingerprint & PIN
    Tired of typing long passwords? Chrome OS now lets you sign in to supported websites without having to type your passwords for that website, if you have set up a PIN or fingerprint on your Chromebook. This feature, called Web Authentication, makes use of established protocols to make authentication into website simpler and more secure. Your Chromebook PIN/fingerprint are never shared with the websites requesting verification from your Chromebook and you don't have to worry about malicious attackers phishing for your passwords to websites.  If your organization has U2F enabled, the Webauthn feature will not work; U2F will be supported in a future release.
     
  • Autocorrect UI improvements
    For users with autocorrect enabled, we have improved the user interface with visual indications that autocorrects have happened, as well as new ways to undo them.
     
  • Magnifier Focus Following and Keyboard Support
    Chrome OS Magnifier can now be panned using the keyboard. Use Ctrl + Alt and the arrow key to pan the viewport.



     
  • Text app Screen Reader mode
    Text app now has a screen reader mode to support Chromevox users.
     
  • Improved switching between virtual desks
    Switching between virtual desks with the keyboard and touchpad is now faster and more responsive. You can double or triple tap the <Search> + [ or <Search> + ] shortcut to move between multiple desks.
     
  • Reverse Scrolling + Touchpad gesture consistency
    Touchpad gestures are now more consistent with your preference for Reverse Scrolling.
     
  • Chrome OS Camera now saves to a new location
    Photos and videos captured with the Chrome OS Camera app will now get saved to a new Camera folder under My files. Any previously captured photos/videos will remain in your Downloads folder.

Admin console updates

  • API for remote commands
    The Admin SDK Directory API now supports issuing remote commands to devices, including wipe users, remote powerwash, remote reboot (kiosk only), screenshot (kiosk only), and set volume (kiosk only). See the developer documentation for details.
     
  • Filter Chrome devices by version
    The Chrome device list now supports filtering by Chrome version.  Now you can quickly check which devices are up to date or out of date.
     
  • Bookmark Management improvements
    Admin Console has a new and improved bookmarks manager.  Enterprise admins can more easily create, delete, and move around hundreds or even thousands of bookmarks.  Details on the feature are described in the help center article.
     
  • New summary report for Chrome versions
    Admin Console has a new version report that shows the number of managed browsers and devices on each Chrome version.  Details on the feature are described in the help center article.
     
  • Group-based policy for printer management
    Group-based management is now available for printers. From the printers page, select a group, and then configure which printers are available to users in that group.
     
  • Kerberos credential manager
    As an admin, you can now enable Kerberos tickets on Chrome devices to enable single sign-on (SSO) for internal resources that support Kerberos authentication. Internal resources might include websites, file shares, certificates, and so on. Details on the feature are described in the help center article.

Additional policies in the Admin console

Many new policies are available in the Admin console, including:

Policy name Pages Category/Field
AbusiveExperienceInterventionEnforce

User & Browser Settingsand then
Managed Guest Session Settings

Chrome Safe Browsing / Abusive Experience Intervention
AccessibilityImageLabelsEnabled User & Browser Settingsand then
Managed Guest Session Settings
Accessibility / Image descriptions
AdsSettingForIntrusiveAdsSites User & Browser Settingsand then
Managed Guest Session Settings
Chrome Safe Browsing / Sites with intrusive ads
AdvancedProtectionAllowed User & Browser Settings Security / Advanced Protection program
AuthAndroidNegotiateAccountType User & Browser Settings Network / Account type for HTTP Negotiate authentication / Account type
AutoOpenAllowedForURLs User & Browser Settingsand then
Managed Guest Session Settings
Content / Auto open downloaded files / Auto open URLs
AutoOpenFileTypes User & Browser Settingsand then
Managed Guest Session Settings
Content / Auto open downloaded files / Auto open files types
BackForwardCacheEnabled User & Browser Settings Content / Back-forward cache
BrowserNetworkTimeQueriesEnabled User & Browser Settings Other settings / Google time service
CACertificateManagementAllowed User & Browser Settings Security / User management of installed CA certificates
ClientCertificateManagementAllowed User & Browser Settings Security / User management of installed client certificates.
CommandLineFlagSecurity
WarningsEnabled
User & Browser Settings Security / Command-line flags
ContextualSearchEnabled User & Browser Settings User experience / Touch to search
DefaultFileSystemReadGuardSetting User & Browser Settingsand then
Managed Guest Session Settings
Hardware / File system read access
DefaultFileSystemWriteGuardSetting User & Browser Settingsand then
Managed Guest Session Settings
Hardware / File system write access
DefaultSerialGuardSetting User & Browser Settingsand then
Managed Guest Session Settings
Hardware / Serial Port API / Control use of the Serial Port API
DefaultWebUsbGuardSetting User & Browser Settingsand then
Managed Guest Session Settings
Hardware / WebUSB API / Can web sites ask for access to connected USB devices
DeviceAllowRedeemChromeOs
RegistrationOffers
Device Settings Other settings / Redeem offers through Chrome OS registration
DeviceQuirksDownloadEnabled Device Settings Other settings / Hardware profiles
DeviceShowLowDiskSpaceNotification Device Settings Other settings / Low disk space notification
DeviceWebBasedAttestation
AllowedUrls
Device Settings Sign-in settings / Single sign-on verified access / Allowed IdP redirect URLs
DNSInterceptionChecksEnabled User & Browser Settingsand then
Managed Guest Session Settings
Network / DNS interception checks enabled
ExtensionCacheSize Device Settings Other settings / Apps and extensions cache size / Cache size in bytes
ExternalProtocolDialogShow
AlwaysOpenCheckbox
User & Browser Settings Content / Show "Always open" checkbox in external protocol dialog
FileSystemReadAskForUrls User & Browser Settingsand then
Managed Guest Session Settings
Hardware / File system read access / Allow file system read access on these sites
FileSystemReadBlockedForUrls User & Browser Settingsand then
Managed Guest Session Settings
Hardware / File system read access / Block read access on these sites
FileSystemWriteAskForUrls User & Browser Settingsand then
Managed Guest Session Settings
Hardware / File system write access / Allow write access to files and directories on these sites
FileSystemWriteBlockedForUrls User & Browser Settingsand then
Managed Guest Session Settings
Hardware / File system write access / Block write access to files and directories on these sites
GloballyScopeHTTPAuthCacheEnabled User & Browser Settingsand then
Managed Guest Session Settings
Network / Globally scoped HTTP authentication cache
GSSAPILibraryName User & Browser Settings Network / GSSAPI library name / Library name or full path
HSTSPolicyBypassList User & Browser Settingsand then
Managed Guest Session Settings
Network / HSTS policy bypass list / List of hostnames that will bypass the HSTS policy check
InsecureFormsWarningsEnabled User & Browser Settingsand then
Managed Guest Session Settings
Content / Insecure forms
KerberosAccounts User & Browser Settings Kerberos / Kerberos tickets
KerberosEnabled User & Browser Settings Kerberos / Kerberos tickets
LookalikeWarningAllowlistDomains User & Browser Settingsand then
Managed Guest Session Settings
Chrome Safe Browsing / Suppress lookalike domain warnings on domains / Allowlisted Domains
MaxConnectionsPerProxy User & Browser Settings Network / Max connections per proxy / Maximum number of concurrent connections to the proxy server
MaxInvalidationFetchDelay User & Browser Settingsand then
Managed Guest Session Settings
Other settings / Policy fetch delay / Maximum fetch delay after a policy invalidation
NativeMessagingAllowlist User & Browser Settings User experience / Native Messaging allowed hosts / Native Messaging hosts not subject to the blocklist
NativeMessagingBlocklist User & Browser Settings User experience / Native Messaging blocked hosts / Prohibited Native Messaging hosts
NativeMessagingUserLevelHosts User & Browser Settings User experience / Native Messaging user-level hosts
NtlmV2Enabled User & Browser Settings Network / NTLMv2 authentication
OverrideSecurityRestrictions
OnInsecureOrigin
User & Browser Settingsand then
Managed Guest Session Settings
Security / Override insecure origin restrictions / Origin or hostname patterns to ignore insecure origins security restrictions
PaymentMethodQueryEnabled User & Browser Settingsand then
Managed Guest Session Settings
User experience / Payment methods
PrinterTypeDenyList User & Browser Settingsand then
Managed Guest Session Settings
Printing / Blocked printer types
PrintRasterizationMode User & Browser Settings Printing / Print rasterization mode
RequireOnlineRevocationChecks
ForLocalAnchors
User & Browser Settingsand then
Managed Guest Session Settings
Network / Require online OCSP/CRL checks for local trust anchors

SafeBrowsingForTrusted
SourcesEnabled

User & Browser Settings Chrome Safe Browsing / Safe Browsing for trusted sources
ShowAppsShortcutInBookmarkBar User & Browser Settings User experience / Apps shortcut in the bookmark bar
SignedHTTPExchangeEnabled User & Browser Settingsand then
Managed Guest Session Settings
Network / Signed HTTP Exchange (SXG) support
SpellcheckEnabled User & Browser Settingsand then
Managed Guest Session Settings
User experience / Spell check
SuppressUnsupportedOSWarning User & Browser Settingsand then
Managed Guest Session Settings
Security / Unsupported system warning
UserFeedbackAllowed User & Browser Settingsand then
Managed Guest Session Settings
User experience / Allow user feedback
WebRtcLocalIpsAllowedUrls User & Browser Settings Network / WebRTC ICE candidate URLs for local IPs / URLs for which local IPs are exposed in WebRTC ICE candidates.
WebUsbAskForUrls User & Browser Settingsand then
Managed Guest Session Settings
Hardware / WebUSB API / Allow these sites to ask for USB access
WebUsbBlockedForUrls User & Browser Settingsand then
Managed Guest Session Settings
Hardware / WebUSB API / Block these sites from asking for USB access
WPADQuickCheckEnabled User & Browser Settingsand then
Managed Guest Session Settings
Network / WPAD optimization


New and updated policies (Chrome Browser and Chrome OS)

Policy Description
BasicAuthOverHttpEnabled Non-secure HTTP connections are not permitted to use Basic authentication; HTTPS is required
NTPCardsVisible Show cards on the New Tab Page

ProfilePickerOnStartupAvailability
Browser only

Specifies whether the profile picker is enabled, disabled or forced at the browser startup

SigninInterceptionEnabled
Browser only

This settings enables or disables sign in interception
TargetBlankImpliesNoOpener Do not set window.opener for links targeting _blank


Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.


Upcoming Chrome Browser changes

  • Facilitated version pinning for self-hosted extensions & apps in Chrome 89

    To increase the stability in high-reliability environments, Chrome 89 facilitates the pinning of extensions and apps to a specific version. Administrators will be able to self-host the extension or app of their choice, and instruct Chrome to use the update URL from the extension forcelist instead of the extension manifest. This will be via a new boolean parameter in ExtensionSettings policy. As a result, extensions & apps will not be updated via the updateURL that was originally configured in their manifest, and will stay on one specific version.

  • Users will be able to search open tabs in Chrome 89
    Users will be able to search for open tabs across windows, as shown in this screenshot:

 

  • Chrome 89 will introduce privacy-preserving APIs to replace some of the functionality of third-party cookies
    An interest-based targeting API will be introduced as an origin trial. This API allows working with cohorts—groups of users with similar interests. Users cannot be individually identified.

    An event-level conversion API will continue in origin-trial stage for Chrome 89 This API enables the correlation of an ad click on a website with a subsequent conversion on an advertiser site, such as a sale, a sign-up, and so on. Users cannot be individually identified.

    See the chromium privacy sandbox page for details on these APIs and the privacy sandbox.
     
  • Some permission requests will be less intrusive in Chrome 89
    Permission requests that the user is unlikely to allow will be automatically blocked. A less intrusive UI will allow the user to manage permissions for each site.

 

  • Chrome 89 will require SSE3 for Chrome on x86
    Chrome 89 and above will require x86 processors with SSE3 support. This change does not impact devices with non-x86 (ARM) processors. Chrome will not install and run on x86 processors that do not support SSE3. SSE3 was introduced on Intel CPUs in 2003, and on AMD CPUs in 2005.
     
  • Chrome 89 will prefer https to http when not specified in the address bar
    When a user types an address into the address bar without specifying the protocol, Chrome will attempt to navigate using https first, then fallback to http if https is not available. For example, if the user navigates to google.com, Chrome will first attempt to navigate to https://google.com, then fallback to http://google.com if required.

    This change is planned for Windows, Mac, Linux, and Android in Chrome 89, and in Chrome 90 for iOS.
     
  • Chrome 89 will introduce the Serial API
    The Serial API provides a way for websites to read and write from a serial device through script. You can read an explainer on the Serial API here.

    You will be able to control access to the Serial API using the DefaultSerialGuardSetting policy. You can also use the SerialAskForUrls and SerialBlockedForUrls policies to control serial device access on a site-by-site basis.
  • Insecure public pages will no longer allowed to make requests to private or local URLs in Chrome 91
    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You will be able to control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
     
  • Chrome will maintain its own default root store as early as Chrome 92
    In order to improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own certificate authority, you should not have to manage multiple root stores. We do not anticipate any changes to be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
     
  • The address bar might show the domain rather than the full URL as early as Chrome 90
    To protect your users from some common phishing strategies, Chrome will test showing only the domain in the address bar for some users. This change makes it more difficult for malicious actors to trick users with misleading URLs. For example, https://example.com/secure-google-sign-in/ will appear only as example.com to the user.

    Although this change is designed to keep your users’ credentials safe, you can revert to the old behavior through the ShowFullUrlsInAddressBar policy.

    This change has been enabled for some users, with a potential full rollout in a later release.
     
  • The SSLVersionMin policy will not allow TLS 1.0 or TLS 1.1 in Chrome 91
    The SSLVersionMin enterprise policy allows you to bypass Chrome's interstitial warnings for legacy versions of TLS. This will be possible until Chrome 91 (May 2021), then the policy will no longer allow TLS 1.0 or TLS 1.1 to be set as the minimum.

    We previously communicated that this would happen as early as January 2021, but the deadline has since been extended.
     
  • SyncXHR policy will no longer be supported on Chrome 93
    The AllowSyncXHRInPageDismissal enterprise policy will be removed in Chrome 93. For any apps that rely on the legacy web platform behavior, be sure to update them before Chrome 93. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications.
 
Chrome 87

Important: Adobe will no longer update and distribute Flash Player after December 31, 2020. Therefore, after this date, all versions of Chrome will stop supporting Flash content. Pinning to or keeping an earlier version of Chrome through any other mechanism, will not prevent this change.

You can read more about Adobe's plans to discontinue Flash player and your options in Adobe's blog post. Adobe is working with HARMAN, their exclusive licensing/distribution partner, to provide support for Flash Player in legacy browsers.

Chrome is designed to meet the needs of Chrome Enterprise customers, including integration with legacy web content. Companies that need to use a legacy browser to run Flash content after December 31, 2020 should use a HARMAN solution with Legacy Browser Support.

With Flash removed, Chrome 88 will no longer support these policies: DefaultPluginsSetting, PluginsAllowedForUrls, PluginsBlockedForUrls, AllowOutdatedPlugins, DisabledPlugins, DisabledPluginsExceptions, EnabledPlugins.
 

Chrome Browser updates

  • Google Cloud Print will no longer be supported after December 31, 2020
    As of January 1, 2021 Google Cloud Print will no longer be supported on Chrome. You can continue to use the Windows®, Mac®, and Linux® operating system print solutions or engage with a print solution provider. Chrome OS admins can select a print solution provider or migrate to the Chrome OS local and network printer solution. Learn more about Cloud Print migration.

  • Saving to Google Drive will no longer be available from the print dialog after December 31, 2020

    Mac®, Windows®, Linux® devices and Chrome Browser will no longer be able to save directly to Google Drive from the print dialog, starting on January 1, 2021. Users can instead print locally to PDF then upload the file to Google Drive through drive.google.com and select Newand thenFile upload. You can also set up automatic syncing between local files and Google Drive with Backup and Sync or Drive File Stream. More details on printing from Chrome are available here.

    Chrome OS has a new way of saving to Google Drive. See the Chrome OS section below for more information.

  • Legacy Browser Support might be affected by IE + Edge redirection

    Starting in November, Microsoft Edge® might enable automatic redirection from Internet Explorer to Microsoft Edge® for specific URLs. If you're using Legacy Browser Support, this might interfere with your existing setup. You can disable the redirection by setting the Microsoft Edge® policy RedirectSitesFromInternetExplorerRedirectMode to 0.

  • Improved resource consumption for background tabs

    To save on CPU load and prolong battery life, Chrome limits the power consumption of background tabs. Specifically, Chrome allows the timers in the background tabs to only run once per minute. Network event handlers are not affected, which allows sites like Gmail or Slack® to continue delivering timely notifications in the background. Some users will see this feature in Chrome 87, with a wider release planned for Chrome 88.

    You will be able to control this behavior using the IntensiveWakeUpThrottlingEnabled policy.

  • Updated PDF viewer

    Chrome has updated PDF viewer to include toolbar updates, table of contents, thumbnails, two-up view, and the ability to view annotations.    

     

 

     

 

        

  • Users can sign into the browser when they sign into Google web services

    When users sign into a Google web service while using an Android device, Chrome offers for them to sign in with the Google account already signed in on the device. Signing into Chrome doesn’t turn on sync; that’s a separate, optional step.

    This simplifies Android sign-in, makes the feature more consistent with Chrome on desktop, and provides signed-in users access to features without sync enabled. For example, click-to-call.

    You can control this feature with the BrowserSignin enterprise policy.

  • Certain features are available to users who have signed in without having to enable Chrome Sync

    Users who have signed into Chrome might be able to access and save payment methods and passwords stored in their Google Account without Chrome Sync being enabled.

    You can control users' access to payment methods on Chrome on Android using the AutofillCreditCardEnabled enterprise policy. You can control access to passwords on Chrome on desktop by either setting the SyncDisabled enterprise policy to disabled, or by including "passwords" in SyncTypesListDisabled.

  • Enhanced Safe Browsing

    Users will be prompted to consider enabling Enhanced Safe Browsing in Chrome, which provides better protection against phishing attacks. These prompts will show up on security warning interstitials and the new tab page, but only if you are not setting either of the SafeBrowsingProtectionLevel or SafeBrowsingEnabled policies. If one of these policies is set, your users can't change the setting and will not see any prompts to do so.

  • The new tab page allows users to complete previously started workflows

    The Chrome new tab page will show cards to help users return to searches and workflows that were already in progress, like searching for recipes or price comparisons. Users are able to control and remove these cards.

    They appear for some users in Chrome 87, but a wider rollout, by way of policy, is planned for a later release.

  • Chrome warns about mixed content forms

    Web forms that load using HTTPS but submit their content using HTTP (unsecured) pose potential risk to user privacy. Chrome 85 shows a warning on such forms, letting the user know that the form is insecure. Chrome 87 shows an interstitial warning when the form is submitted, which stops any data transmission, so the user will be able to choose whether to proceed or cancel the submission. This was previously planned for Chrome 86 but the rollout was delayed and is now available in Chrome 87.


    You will be able to control this behavior using the InsecureFormsWarningsEnabled enterprise policy.

 

  • Insecure downloads are blocked from secure pages, with changes through Chrome 88

    By Chrome 88, downloads from insecure sources will no longer be allowed when started from secure pages. This change will be rolled out gradually, with different file types affected in different releases:

  • Executables—Users were warned in Chrome 84, and files will be blocked in Chrome 85.
  • Archives —Users will be warned in the Chrome developer console in Chrome 85, and files will be blocked in Chrome 86.
  • Other non-safe types (For example, PDFs)—Users will be warned in the Chrome developer console in Chrome 86, and files will be blocked in Chrome 87.
  • Other files—Users will be warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.

    Warnings on Android will lag behind computer warnings by one release. For example, executables showed a warning starting in Chrome 85.

    The existing InsecureContentAllowedForUrls policy can be used to allow specific URLs to download insecure files. You can read more details in our blog post.
  • Introducing more inclusive policy names

    Chrome is moving to more inclusive policy names. The terms "whitelist" and "blacklist" have been replaced with "allowlist" and "blocklist". If you're already using the existing policies, they will continue to work, though you will see warnings in chrome://policy stating that they're deprecated.

    The following policies have been deprecated, and equivalent policies are now available in Chrome 87 and 88. The deprecated policies will continue to work, and there is not yet any removal date planned. Future plans to remove the policies will be published in the enterprise release notes once confirmed.

    Deprecated Policy Name New Policy Name Version
    DeviceNativePrintersBlacklist DevicePrintersBlocklist 87
    DeviceNativePrintersWhitelist DevicePrintersAllowlist 87
    DeviceNativePrintersAccessMode DevicePrintersAccessMode 87
    DeviceNativePrinters DevicePrinters 87
    UsbDetachableWhitelist UsbDetachableAllowlist 87
    QuickUnlockModeWhitelist QuickUnlockModeAllowlist 87
    AttestationExtensionWhitelist AttestationExtensionAllowlist 87
    DeviceUserWhitelist DeviceUserAllowlist 87
    PrintingAPIExtensionsWhitelist PrintingAPIExtensionsAllowlist 87
    AllowNativeNotifications AllowSystemNotifications 88

     

  • Chrome Actions allow the user to accomplish tasks directly from the address bar

    Some Chrome users will be able take actions directly from the address bar, like clearing browsing data, using a button that appears among auto-complete suggestions. A wider rollout is planned for a later release.

  • Chrome will support remote commands from Chrome Browser Cloud Management in the future

    Admins using Chrome Browser Cloud Management will soon be able to issue remote commands to enrolled Chrome Browsers, for example remotely clearing cache and cookies. Although the functionality will come to the Admin console in the future, support for this set of features will be added in Chrome 87.

  • The CORB/CORS allowlist has been removed

    Chrome has removed the CORB/CORS allowlist in Chrome 87. Please test Chrome extensions that your business depends on to make sure they work with the new behavior.

    Please test Chrome 87.0.4266.0 or later versions of Chrome and run through critical workflows using your extension. Watch for fetches or XHRs that are initiated by content scripts and blocked by CORB or CORS. Some typical error messages are shown below:

    • Cross-Origin Read Blocking (CORB) blocked cross-origin response <URL> with MIME type <type>. See https://www.chromestatus.com/feature/5629709824032768 for more details.

    • Access to fetch at 'https://another-site.com/' from origin 'https://example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

      If the extension's content scripts create requests that don’t work when Chrome is launched with the chrome://flags listed above, then make sure you keep the extension updated so that it continues to work in Chrome 87 and above. In particular, the extensions must be updated to initiate cross-origin fetches from the extension background page (instead of from a content script).

      For more details see: https://www.chromium.org/Home/chromium-security/extension-content-script-fetches

  • The Chrome Web Store displays more privacy-focused information for extension

    The Chrome Web Store provides more information to users about how an extension uses their data, including authentication information, personally identifiable information, and user activity.

    Developers are required to provide privacy disclosures regarding their data collection and usage. This is mandatory for every update and publishing of extensions.

Chrome OS updates

  • Devices have a new way of saving to Google Drive

    The Save to Drive feature has been expanded upon, users can now rename the file or save the file to a specified Google Drive folder location.

  • Switch Access

    For users with motor impairments who are unable to use a traditional mouse or keyboard, Switch Access lets you interact with your Chrome OS Device using one or more switches. Switch Access works by scanning the items on your screen until you make a selection. Ablenet, one of the top producers of switch devices, is now in our Works with Chromebooks program, as well.

  • Tab Search

    Tab Search lets users search through their open tabs across all windows. This feature is currently available in Chrome OS 87 and will be available for Mac® and Windows® in Chrome OS 88.

  • Bluetooth battery levels

    Users can now view their connected Bluetooth peripheral battery levels in Settings and Quick Settings.
     

     

 

  • Coexistence of Multiple sign-in access and policy-provided custom trust anchors for TLS

    Starting in Chrome OS 87, the coexistence of Multiple sign-in access and policy-provided custom trust anchors for TLS is no longer blocked. If trust anchors are configured, they will be applied to the primary user account. As a result, users can switch faster between accounts in managed environments that require trust roots.

  • Language settings improvement for multilingual users

    Language settings can get extremely confusing if you are bilingual or multilingual. In Chrome OS 87, we have updated the user experience to address the needs of multilingual users.   

  • More interactive Alt+Tab

    When using Alt+Tab to switch between windows, you can now select a window with your mouse, touch screen, or stylus.

  • Renaming Virtual Desks & Launcher folders

    In Chrome OS 87, you will see visual improvements for the Virtual Desk renaming component. The visual improvements will also apply to folders in the Launcher as they use the same component.

  • Zero-touch enrollment

    Admins can configure devices to automatically enroll during the device setup process without requiring a user to invoke enterprise enrollment. More details can be found here.

Admin console updates

  • Website icons and titles now display in the Admin console and Kiosk devices

    In the Admin console, web apps that have been added under Apps & extensions now display the website's icon and title. In Kiosk devices, the website icons and titles are also displayed in the list of Kiosk web apps.

 

  • Restrict access to VPN (openVPN and L2TP)

    Admins can now add VPN to the list of Restricted Network Interfaces in the Admin console. This prevents users from connecting to OS-supported VPN options (openVPN and L2TP). Any third-party VPNs will need to be blocked through application management policies.

  • Additional policies in the Admin console

    Many new policies are available in the Admin console, including:

    Policy control Admin console location Description
    Emoji suggestions User & browser settingsand thenUser experienceand thenEmoji suggestions This policy enables Google Chrome to suggest emojis when users type text with their virtual or physical keyboards.
    URLs in the address bar User & browser settingsand thenUser experienceand thenURLs in the address bar This feature enables display of the full URL in the address bar.
    Audio sandbox User & browser settingsand thenSecurityand thenAudio sandbox This policy controls the audio process sandbox.
    Browser guest mode User & browser settingsand thenUser experienceand thenBrowser guest mode This policy controls guest logins.
    PIN auto-submit User & browser settingsand thenSecurityand thenPIN auto-submit

    The PIN auto-submit feature changes how PINs are entered in Chrome OS.

    Instead of showing the same textfield that is used for password input, this feature shows a special UI that clearly shows to the user how many digits are necessary for their PIN. As a consequence, the user's PIN length will be stored outside the user encrypted data. Only supports PINs that are between 6 and 12 digits long.

    Variations Device Settingsand thenDevice update settingsand thenVariations Configuring this policy allows to specify which variations are allowed to be applied on an enterprise-managed Google Chrome OS device.
    Single sign-on verified access Device Settingsand thenSign-in settingsand thenSingle sign-on verified access This policy configures which URLs will be granted access to use remote attestation of device identity during the SAML flow on the sign-in screen.

 

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • Single words will not be treated as intranet locations by default in Chrome 88

    By default, Chrome will improve user privacy and reduce load on DNS servers by avoiding DNS lookups for single keywords entered into the address bar. This change might interfere with enterprises that use single-word domains in their intranet. That is, a user typing "helpdesk" will no longer be directed to "https://helpdesk/".

    You will be able to control the behavior of Chrome using the IntranetRedirectBehavior enterprise policy, including preserving the existing behavior (which will perform a search immediately and then ask the user if they're trying to reach the intranet site).

  • Chrome will introduce a new permission chip UI in Chrome 88

    Permission requests can feel disruptive and intrusive when they lack context – which often happens when prompts appear as soon as a page loads or without prior priming. This leads to a common reaction where end users dismiss the prompt in order to avoid making a decision.

    Chrome will begin showing a less intrusive permissions chip in the address bar. Since the prompt doesn't intrude in the content area, users who don't want to grant the permission no longer need to actively dismiss the prompt. Users who wish to grant permission can click on the chip to bring up the permission prompt.

    This change will be rolled out gradually throughout Chrome 88.

  • Factor in scheme when determining if a request is cross-site (Schemeful Same-Site) in Chrome 88

    Chrome 88 will modify the definition of same-site for cookies such that requests on the same registrable domain but across schemes will be considered cross-site instead of same-site. For example, http://site.example and https://site.example will be considered cross-site to each other which will restrict cookies using Same-Site. For additional information please see the Schemeful Same-Site explainer. We recommend testing critical sites using the testing instructions.

    You may revert to the previous legacy behavior by using the LegacySameSiteCookieBehaviorEnabledForDomainList and LegacySameSiteCookieBehaviorEnabled policies. These policies will be available at least until Chrome 93. For more details, including availability, please see Cookie Legacy SameSite Policies.

  • Chrome 88 on Mac® will not support OS X 10.10 (Yosemite)

    Chrome 88 will not support OS X 10.10 (OS X Yosemite). Chrome on Mac® will require OS X 10.11 or later.

  • Popup on page unload policy will no longer be supported on Chrome 88

    The AllowPopupsDuringPageUnload enterprise policies will be removed in Chrome 88, as previously communicated. For any apps that rely on the legacy web platform behavior, be sure to update them before Chrome 88.

  • The Legacy Browser Support extension will be removed from the Chrome Web Store in Chrome 88

    Legacy Browser Support (LBS) is built into Chrome, and the old extension is no longer needed. The Chrome team unpublished LBS from the Chrome Web Store in Chrome 85, and it will be disabled in Chrome 88. Legacy Browser Support will still be supported, please migrate away from the extension and towards using Chrome's built-in policies, documented here.  The old policies set through the extension will no longer function, and you won't be able to force install the extension once it's been disabled.

  • Chrome will treat an empty string as an unset policy on Android for some policies in Chrome 88

    To integrate better with mobile management UEMs, Chrome on Android will not set list or dictionary policies from empty strings.

  • Users will be able to search open tabs in Chrome 88

    Users will be able to search for open tabs across windows, as shown in this screenshot:

 

  • The address bar will show the domain rather than the full URL in Chrome 88

    To protect your users from some common phishing strategies, Chrome will show only the domain in the address bar. This change makes it more difficult for malicious actors to trick users with misleading URLs. For example, https://example.com/secure-google-sign-in/ will appear only as example.com to the user.

    Although this change is designed to keep your users’ credentials safe, you can revert to the old behavior through the ShowFullUrlsInAddressBar policy.

    This change has been enabled for some users, with a full rollout planned for an upcoming release.

  • DTLS 1.0 will be removed in Chrome 88

    DTLS 1.0, a protocol used in WebRTC for interactive audio and video, will be removed by default. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. You can test if any of your applications will be impacted using the following command line flag when launching Chrome:

    --force-fieldtrials=WebRTC-LegacyTlsProtocols/Disabled/ 

    If your enterprise needs additional time to adjust, the WebRtcAllowLegacyTLSProtocols enterprise policy will be made available to temporarily extend the removal.

  • Chrome 88 will launch an origin trial for detecting idle state

    An early origin trial will allow websites to request the ability to query if users are idle, allowing messaging apps to direct notifications to the best device.

  • Chrome 89 will require SSE3 for Chrome on x86

    Chrome 89 and above will require x86 processors with SSE3 support. This change does not impact devices with non-x86 (ARM) processors. Chrome will not install and run on x86 processors that do not support SSE3. SSE3 was introduced on Intel CPUs in 2003, and on AMD CPUs in 2005.

  • Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 89

    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You will be able to control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.

  • The SSLVersionMin policy will not allow TLS 1.0 or TLS 1.1 in Chrome 91

    The SSLVersionMin enterprise policy allows you to bypass Chrome's interstitial warnings for legacy versions of TLS. This will be possible until Chrome 91 (May 2021), then the policy will no longer allow TLS 1.0 or TLS 1.1 to be set as the minimum.

    We previously communicated that this would happen as early as January 2021, but the deadline has since been extended.

  • Chrome will maintain its own default root store as early as Chrome 90

    In order to improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own certificate authority, you should not have to manage multiple root stores. We do not anticipate any changes to be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.

  • SyncXHR policy will no longer be supported on Chrome 93

    The AllowSyncXHRInPageDismissal enterprise policy will be removed in Chrome 93. For any apps that rely on the legacy web platform behavior, be sure to update them before Chrome 93. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications.

Upcoming Admin console changes

  • New Version Report and Update Controls

    There will be a new Version Report and Update Controls available in the Admin console. These features give increased visibility into the Chrome versions deployed in your enterprise and allows you to more granularly control how managed Chrome browsers update. If you would like to sign up to be a Trusted Tester for these features, enter your test domain and a contact email into this form.

 
Chrome 86

Important: Adobe will no longer update and distribute Flash Player after December 31, 2020. Therefore, after this date, all versions of Chrome will stop supporting Flash content. You can read more about Adobe's plans to discontinue Flash player and your options in Adobe's blog post. Adobe is working with HARMAN, their exclusive licensing/distribution partner, to provide support for Flash Player in legacy browsers.

Chrome is designed to meet the needs of Chrome Enterprise customers, including integration with legacy web content. Companies that need to use a legacy browser to run Flash content after December 31, 2020 should use a HARMAN solution with Legacy Browser Support.

Chrome Browser updates

  • Insecure downloads will be blocked from secure pages in Chrome 84 through Chrome 88 
    By Chrome 88, downloads from insecure sources will no longer be allowed when started from secure pages. This change will be rolled out gradually, with different file types affected in different releases:

     

  • Executables—Users were warned in Chrome 84, and files will be blocked in Chrome 85.
  • Archives —Users will be warned in the Chrome developer console in Chrome 85, and files will be blocked in Chrome 86.
  • Other non-safe types (For example, PDFs)—Users will be warned in the Chrome developer console in Chrome 86, and files will be blocked in Chrome 87.
  • Other files—Users will be warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.
  • Other files—Users will be warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.

Warnings on Android will lag behind computer warnings by one release. For example, executables will show a warning starting in Chrome 85.

The existing InsecureContentAllowedForUrls policy can be used to allow specific URLs to download insecure files. You can read more details in our blog post.

  • New lookalikes policy and request flow

    Chrome is introducing a new "safety tip" for sites with URLs that look very similar to those of other sites. This UI, as well as the existing lookalike interstitial warning, uses client-side heuristics to warn users about sites that might be spoofing other sites (For example, goog0le.com spoofing google.com):


    Chrome is adding the LookalikeWarningAllowlistDomains enterprise policy to give you control of this behavior. This policy suppresses both the full-page interstitial warning and the smaller "safety tip" in the domains indicated.

    In addition, if you think a site is triggering a warning incorrectly, you can file a request here.
  • Improved resource consumption when a window is not visible

    To save on CPU and power consumption, Chrome detects when a window is covered by another window and will suspend work painting pixels. A previous version of this feature had incompatibility issues with some virtualization software, resulting in Chrome rendering blank white pages. Known bugs have been fixed, but if you experience any issues, you will be able to disable this feature using the NativeWindowOcclusionEnabled policy.

    Some users have already seen this change since Chrome 85, however this feature is fully rolled out in Chrome 86.

  • User-Agent Client Hints is fully rolled out in Chrome 86

    As part of an ongoing effort to reduce the ability of bad actors to track users, Chrome plans to reduce the granularity of information that is part of the user agent string and expose that information through User-Agent Client Hints. In Chrome 84, we introduced User-Agent Client Hints for some users. This is an additional change only, and should not have any negative effect when interacting with any standards-compliant server.

    However, some servers may not be able to accept all characters in the User-Agent Client Hints headers as part of the broader Structured Headers  emerging standard. If the addition of this header causes problems with servers that can't be fixed quickly, you will be able to use the UserAgentClientHintsEnabled policy to disable the added headers.

    This is a temporary policy that will be removed in Chrome 88.

  • Chrome warns about mixed content forms

    Web forms that load via HTTPS but submit their content via HTTP (unsecured) pose a potential risk to users' privacy. Chrome 85 showed a warning on such forms, telling the user that the form is insecure. Chrome 86 shows an interstitial warning when the form is submitted, which stops any data transmission, and the user is able to choose whether to proceed or cancel the submission.

     

     You are able to control this behavior using the InsecureFormsWarningsEnabled enterprise policy.

  • The address bar shows the domain rather than the full URL for some users

    To protect your users from some common phishing strategies, Chrome shows only the domain in the address bar. This change makes it more difficult for malicious actors to trick users with misleading URLs. For example, https://example.com/secure-google-sign-in/ will appear only as example.com to the user.

    Although this change is designed to keep your users’ credentials safe, you are now able to revert to the old behavior through the ShowFullUrlsInAddressBar policy.

    This change is initially only rolled out to some users, however a full rollout is planned for a later release.

  • Chrome has a new way to show you it’s time to update your browser

    To make it more clear that Chrome should be restarted to apply an update, users will see a new UI, with the word "Update," replacing the colored arrow that users see today.

     

 

  • Chrome extensions are not able to inject Flash content settings

    Extensions will not be able to inject content settings for Flash. If you're using an extension to control Flash behavior in Chrome, you should instead use PluginsAllowedForUrls. Otherwise, users will see the default Flash behavior, which will require them to allow Flash to run on each site.

  • The Chrome Browser Cloud Management - Reporting Companion extension no longer functions

    The Chrome Browser Cloud Management - Reporting Companion extension ID, oempjldejiginopiohodkdoklcjklbaa is no longer necessary, as its functionality has been integrated into Chrome browser. If you are manually force-installing this extension, you can safely stop doing so. Please ensure that you've set "Enable managed browser cloud reporting" in the admin console instead.

  • The TLS13HardeningForLocalAnchorsEnabled enterprise policy no longer functions

    As documented in the policy description, support for the TLS13HardeningForLocalAnchorsEnabled enterprise policy will be removed in Chrome 86. As a result, the security feature will be enabled for all users, protecting your environment from certain TLS downgrade attacks. 

    The policy was introduced as a temporary measure to mitigate implementation flaws with some TLS-intercepting proxies. If you had previously set this policy to take advantage of the migration period, please ensure your TLS-intercepting policies are up to date and compliant. You can test Chrome by ensuring it works without this policy set.

  • More inclusive policy names are introduced

    Chrome is moving to more inclusive policy names. The terms "whitelist" and "blacklist" have been replaced with "allowlist" and "blocklist". If you're already using the existing policies, they will continue to work, though you will see warnings in chrome://policy stating that they're deprecated.

    The following policies will be deprecated (but will still work), and equivalent policies will be introduced for each:

    Deprecated Policy Name New Policy Name Version
    NativeMessagingBlacklist NativeMessagingBlocklist 86
    NativeMessagingWhitelist NativeMessagingAllowlist 86
    AuthNegotiateDelegateWhitelist AuthNegotiateDelegateAllowlist 86
    AuthServerWhitelist AuthServerAllowlist 86
    SpellcheckLanguageBlacklist SpellcheckLanguageBlocklist 86
    AutoplayWhitelist AutoplayAllowlist 86
    SafeBrowsingWhitelistDomains SafeBrowsingAllowlistDomains 86
    ExternalPrintServersWhitelist ExternalPrintServersAllowlist 86
    NoteTakingAppsLockScreenWhitelist NoteTakingAppsLockScreenAllowlist 86
    PerAppTimeLimitsWhitelist PerAppTimeLimitsAllowlist 86
    URLWhitelist URLAllowlist 86
    URLBlacklist URLBlocklist 86
    ExtensionInstallWhitelist ExtensionInstallAllowlist 86
    ExtensionInstallBlacklist ExtensionInstallBlocklist 86
    UserNativePrintersAllowed UserPrintersAllowed 86
    NativePrinters Printers 86
    NativePrintersBulkConfiguration PrintersBulkConfiguration 86
    NativePrintersBulkAccessMode PrintersBulkAccessMode 86
    NativePrintersBulkBlacklist PrintersBulkBlocklist 86
    NativePrintersBulkWhitelist PrintersBulkAllowlist 86
    DeviceNativePrintersBlacklist DevicePrintersBlocklist 87
    DeviceNativePrintersWhitelist DevicePrintersAllowlist 87
    DeviceNativePrintersAccessMode DevicePrintersAccessMode 87
    DeviceNativePrinters DevicePrinters 87
    UsbDetachableWhitelist UsbDetachableAllowlist 87
    QuickUnlockModeWhitelist QuickUnlockModeAllowlist 87
    AttestationExtensionWhitelist AttestationExtensionAllowlist 87
    DeviceUserWhitelist DeviceUserAllowlist 87

Chrome OS updates

  • Family Link and school account support for Android apps

    Enables Family Link users to sign in to Android apps like Google Classroom using a school account to do schoolwork under parent supervision.

  • Smartcard support on the login screen

    As an admin, you can enable users to sign in using smart cards on the managed Chrome devices in your organization. The solution builds upon SAML SSO identity providers (IdP) that supports smart cards. Learn more.

  • Guide Parents to Set Up Devices for Children during OOBE/Add Person flow

    Simplifies device setup for families that want to create parental controls for their kids on Chromebooks.

  • Redesigned Update Screen during OOBE

    The update page during OOBE has been redesigned to include time/battery estimates and a progress tracker so users don't have to sit in front of the computer while it updates. We have also included educational cards on the screen; users who choose to wait in front of the computer or choose to check in during the update will learn more about the unique values that Chrome OS offers.   

  • Option to view password/PIN on start screen and lock screen

    Have a long password that you often type incorrectly? Need to refer to a password manager on your phone to log into your Chromebook? This is now easier as the login screen has a new button to let you review your password/PIN. Simply click the eye-shaped icon to show password/PIN in clear text, review or compare with your password manager, and then submit. For security, we will turn the clear text into ***** after 5 seconds of inactivity and clear the entire input after 30 seconds of inactivity.

  • Display Identification on multi-monitor setups

    Managing multiple displays on Chrome OS has never been easier. We improved the ability for users to quickly identify which tab in the Display settings corresponds to a user's external display, and we've made it easier to align displays via a first-of-its-kind alignment overlay. These options are available for anyone using 2 or more displays.

  • Autocorrect UI improvements

    For users with autocorrect enabled, we have improved the user interface with visual indicators which let you know that autocorrects have happened, as well as a new visual way to undo them.

  • Linux upgrade flow to Debian 10

    If you have been using Linux (Beta) with Debian 9, you will now see an option to upgrade to Debian 10. You can start the upgrade at any time by going to Linux settings.

  • Virtual machine USB support beyond Android devices

    You can now use more types of devices with Linux (Beta), including Arduino and EdgeTPU. Attach a device to your Chromebook and share it through Linux settings.

Admin console updates

  • Website icons and names on the Apps & extensions configuration page

    Websites will now display their name and icon in addition to the URL in the Admin console.  Admins can search by either name or URL to find websites.  This change does not affect how website shortcuts display on the Chrome OS shelf.

  • Flash deprecation warnings

    Flash Player will no longer be supported after December 2020 (roadmap). The Admin console no longer allows the configuration of Flash using wildcards. There are also additional reminders about the upcoming deprecation.

  • Always-on VPN for Android

    Always-on VPN allows you to specify an Android VPN app that handles Android and Chrome OS user traffic as soon as users start their devices. For security reasons, virtual private networks (VPNs) don’t apply to system traffic such as OS and policy updates. If the VPN connection fails, all user traffic is blocked until the VPN connection is re-established.

  • Remotely factory reset a managed device

    You can now perform a full remote factory reset for managed devices, which can be useful for deprovisioning a device for RMA, clearing data on a disabled device that has been misplaced or stolen, and clearing data for troubleshooting purposes.  

    Note: After a device has been factory reset, it must go through the initial setup again.  For a lighter touch reset, you can clear a user’s profile instead.

  • Device-level system log export

    This feature extends existing kiosk functionality to any managed device, allowing you to remotely capture device-level system log files. Once the LogUploadEnabled policy is enabled, you can manually request and download logs directly from the device details page, and fetch them through the Chrome Directory API.

  • Additional policies in the Admin console

    Many new policies are available in the Admin console, including:

    Policy control Admin console location Description
    Metrics reporting User & browser settingsand thenOther settingsand thenMetrics reporting Controls anonymous reporting of usage and crash-related data about Google Chrome to Google.
    External extensions Apps & extensionsand thenAdditional application settingsand thenExternal extensions Controls installation of external extensions
    Chrome Cleanup User & browser settingsand thenSecurityand thenChrome Cleanup Controls whether Chrome Cleanup periodically scans the system for unwanted software on browsers enrolled with Chrome Browser Cloud Management on Windows.
    Disabled system features User & browser settingsand thenUser experienceand thenDisabled system features Controls whether users can access the camera, OS settings, and browser settings on Chrome OS devices
    Privacy screen on sign-in screen Device settingsand thenSign-in settingsand thenPrivacy screen on sign-in screen Controls whether the privacy screen is enabled on devices supporting an electronic privacy screen
    Disk cache size User & browser settingsand thenOther settingsand thenDisk cache size Controls the cache size used by Chrome browser
    PDF files User & browser settingsand thenContentand thenPDF files Controls whether PDF files open in Chrome or using the system default application
    Suggested content User & browser settingsand thenUser experienceand thenSuggested content Enables suggestions for new content to explore on Chrome OS. Includes apps, webpages, and more.  This policy is disabled by default for managed users
    Default browser check User & browser settingsand thenStartupand thenDefault browser check Controls whether Chrome checks if it is the default browser at startup
    Background mode User & browser settingsand thenOther settingsand thenBackground mode Controls whether Chrome keeps running when the last browser window is closed, allowing background apps to remain active
    Third party code User & browser settingsand thenSecurityand thenThird party code Controls whether third party software will be allowed to inject executable code into Chrome's processes on Windows
    Relaunch notification User & browser settingsand thenChrome updatesand thenRelaunch notification Controls the notifications shown to users reminding them to update Chrome

 

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • ITP will block third party cookies in Chrome on iOS14

    All Chrome versions on iOS14 will be subject to the new ITP (Intelligent Tracking Prevention) restriction in WebKit, which blocks third party cookies. Apple has provided more information on the changes here: 

  • Single words will not be treated as intranet locations by default in Chrome 87 

    By default, Chrome will improve user privacy by avoiding DNS lookups for single keywords entered into the address bar. This change to default behavior may interfere with enterprises that use single-word domains in their intranet. That is, a user typing "helpdesk" will no longer be directed to "https://helpdesk/".

    You will be able to control the behavior of Chrome using the IntranetRedirectBehavior enterprise policy, including preserving the existing behavior (which will perform a search immediately and then ask the user if they're trying to reach the intranet site).

  • Improved resource consumption for background tabs in Chrome 87

    To save on CPU and power consumption, Chrome will throttle the amount of CPU that background tabs can use. With this change, Chrome will only allow background tabs to wake up once per minute and to only use 1% CPU time.

    You will be able to control this behavior using the IntensiveWakeUpThrottlingEnabled policy.

  • DTLS 1.0 will be removed in Chrome 87

    DTLS 1.0, a protocol used in WebRTC for interactive audio and video, will be removed by default. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. You can test if any of your applications will be impacted using the following command line flag when launching Chrome:

    --force-fieldtrials=WebRTC-LegacyTlsProtocols/Disabled/ 

    If your enterprise needs additional time to adjust, the WebRtcAllowLegacyTLSProtocols enterprise policy will be made available to temporarily extend the removal.

  • New PDF UI in Chrome 87

    Chrome will have an updated PDF viewer, including toolbar updates, table of contents, thumbnails, two-up view, and annotations.

  • The CORB/CORS allowlist will be removed in Chrome 87

    Chrome will remove the CORB/CORS allowlist in Chrome 87. Please test Chrome extensions that your business depends on to make sure they work with the new behavior.

    Please test Chrome 87.0.4266.0 or later and run through critical workflows with your extension. Watch for fetches or XHRs that are initiated by content scripts and blocked by CORB or CORS. Typical error messages are shown below:

If the extension's content scripts create requests that don’t work when Chrome is launched with the chrome://flags listed above, then make sure you keep the extension updated so that it continues to work in Chrome 87 and above. In particular, the extensions must be updated to initiate cross-origin fetches from the extension background page (instead of from a content script).

For more details please see: https://www.chromium.org/Home/chromium-security/extension-content-script-fetches

  • Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 88

    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You will be able to control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.

  • Chrome will introduce a new permission chip UI in Chrome 88

    Permission requests can feel disruptive and intrusive when they lack context – which often happens when prompts appear as soon as a page loads or without prior priming. This leads to a common reaction where end users dismiss the prompt in order to avoid making a decision.

    Chrome is experimenting with a permissions chip in the address bar next to the lock, which is less intrusive overall. Since the prompt doesn't intrude in the content area, users who don't want to grant the permission no longer need to actively dismiss the prompt. Users who wish to grant permission can click on the chip to bring up the permission prompt.

  • Factor in scheme when determining if a request is cross-site (Schemeful Same-Site) in Chrome 88

    Chrome 88 will modify the definition of same-site for cookies such that requests on the same registrable domain but across schemes will be considered cross-site instead of same-site. For example, http://site.example and https://site.example will be considered cross-site to each other. We recommend testing critical sites using the testing instructions.

    You may revert to the previous, legacy behavior, by using the LegacySameSiteCookieBehaviorEnabledForDomainList and LegacySameSiteCookieBehaviorEnabled policies. For more detail please see Cookie Legacy SameSite Policies.

  • Chrome 88 on Mac will not support OS X 10.10 (Yosemite)

    Chrome 88 will not support OS X 10.10 (OS X Yosemite). Chrome on Mac will require OS X 10.11 or later.

  • SyncXHR and Popup on page unload policies will no longer be supported on Chrome 88

    The AllowPopupsDuringPageUnload and AllowSyncXHRInPageDismissal enterprise policies will be removed in Chrome 88, as previously communicated. For any apps that rely on the legacy web platform behavior, be sure to update them before Chrome 88.

  • The Legacy Browser Support extension will be removed from the Chrome Web Store in Chrome 88

    Legacy Browser Support (LBS) is built into Chrome, and the old extension is no longer needed. The Chrome team unpublished LBS from the Chrome Web Store in Chrome 85, and it will be disabled in Chrome 88. Legacy Browser Support will still be supported, please migrate away from the extension and towards using Chrome's built-in policies, documented here.  The old policies set through the extension will no longer function, and you won't be able to force install the extension once it's been disabled.

  • Chrome 89 will require SSE3 for Chrome on x86

    Chrome 89 and above will require x86 processors with SSE3 support. This change does not impact devices with non-x86 (ARM) processors. Chrome will not install and run on x86 processors that do not support SSE3. SSE3 was introduced on Intel CPUs in 2003, and on AMD CPUs in 2005.

  • The SSLVersionMin policy will not allow TLS 1.0 or TLS 1.1 in Chrome 91

    The SSLVersionMin enterprise policy allows you to bypass Chrome's interstitial warnings for legacy versions of TLS. This will be possible until Chrome 91 (May 2021), then the policy will no longer allow TLS 1.0 or TLS 1.1 to be set as the minimum.

    We previously communicated that this would happen as early as January 2021, but the deadline has since been extended.

Upcoming Admin console changes

  • New Version Report and Update Controls

    There will be a new Version Report and Update Controls available in the Admin console. These features give increased visibility into the Chrome versions deployed in your enterprise and allows you to more granularly control how managed Chrome browsers update. If you would like to sign up to be a Trusted Tester for these features please enter your test domain and a contact email into this form.

 
 
Chrome 85
 

Important: Adobe will no longer update and distribute Flash Player after December 31, 2020. Therefore, after this date, all versions of Chrome will stop supporting Flash content. You can read more about Adobe's plans to discontinue Flash player and your options in Adobe's blog post. Adobe is working with HARMAN, their exclusive licensing/distribution partner, to provide support for Flash Player in legacy browsers.

Chrome is designed to meet the needs of Chrome Enterprise customers, including integration with legacy web content. Companies that need to use a legacy browser to run Flash content after December 31, 2020 should use a HARMAN solution with Legacy Browser Support.

Chrome Browser updates

  • User-Agent Client Hints will be introduced in Chrome 85 
    As part of an ongoing effort to reduce bad actors’ ability to track users, Chrome plans to reduce the granularity of information that is part of the user agent string and expose that information through User-Agent Client Hints. In Chrome 84, we introduced User-Agent Client Hints for some users. This is an additive change only, and should not have any negative effect when interacting with any standards-compliant server.

    However, some servers may not be able to accept all characters in the User-Agent Client Hints headers, part of the broader Structured Headers emerging standard. If the addition of this header causes problems with servers that cannot be fixed quickly, you will be able to use the UserAgentClientHintsEnabled policy to disable the added headers. This is a temporary policy that will be removed in Chrome 88.

    A full rollout of this change is planned in Chrome 85.

  • The default referrer policy will change in Chrome 85 
    The HTTP referrer header provides the full URL of the initiating document alongside many navigation and subresource requests. In practice, it can reveal users’ browsing habits or identities. Chrome will improve user privacy and security by switching to strict-origin-when-cross-origin as the default policy, instead of no-referrer-when-downgrade. Web developers may specify a referrer policy on their documents if they need a different policy.

    The expected long-term fix is to update all web apps to preferably not depend on the full URL for the referrer, and where unavoidable, specify a referrer policy when they require something other than strict-origin-when-cross-origin. However, to help with the transition, enterprises will be able to use the ForceLegacyDefaultReferrerPolicy enterprise policy to revert to the old default behavior until Chrome 88. 

    See more info and best practices.

  • Chrome 64-bit on Windows will be installed in "Program Files" instead of "Program Files (x86)" 

    New installations of 64-bit Chrome will be installed in "%ProgramFiles%" on Windows instead of "%ProgramFiles(x86)%". Existing installations won't be impacted.

  • Improvements to user productivity in Chrome 85

    Chrome will be making several improvements to user productivity, including collapsible tab groups, tab previews, saving inputs in PDFs, and QR code sharing. You can read more about these improvements on the Keyword.

  • Compiler optimization performance improvements in Chrome 85

    Chrome will use an improved compiler optimization technique called PGO (Profile-guided optimization) on Mac and Windows. Enterprises aren't expected to notice any changes, except how software interacts with Chrome in unexpected or unsupported ways. For example, code injection may not function as expected with this version of Chrome.

  • Insecure downloads will be blocked from secure pages in Chrome 84 through Chrome 88

    By Chrome 88, downloads from insecure sources will no longer be allowed when started from secure pages. This change will be rolled out gradually, with different file types affected in different releases:

     

  • Executables—Users were warned in Chrome 84, and files will be blocked in Chrome 85.
  • Archives —Users will be warned in the Chrome developer console in Chrome 85, and files will be blocked in Chrome 86.
  • Other non-safe types (For example, PDFs)—Users will be warned in the Chrome developer console in Chrome 86, and files will be blocked in Chrome 87.
  • Other files—Users will be warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.

Warnings on Android will lag behind Desktop warnings by one release. For example, executables will show a warning starting in Chrome 85.

The existing InsecureContentAllowedForUrls policy can be used to allow specific page URLs to download insecure files. You can read more details in our blog post.

  • Wildcards are no longer supported in PluginsAllowedForUrls in Chrome 85

    In preparation for the Flash deprecation later this year, Chrome will be removing the ability for enterprises to define entries with wildcards in hostnames (For example, “https://*” or “https://[*.]mysite.foo”) for the PluginsAllowedForUrls policy. If you're using hostname wildcards, you will need to explicitly specify which hostnames still require Flash. For example, “https://[*.]mysite.foo” would need to be updated to match explicit entries like “https://flash.mysite.foo”. This change is intended to help determine which sites still require updating, with time to make an adjustment before support for Flash is removed completely in December, 2020.

  • The Legacy Browser Support extension will be removed from the Chrome Web Store in Chrome 85

    Legacy Browser Support (LBS) is now built into Chrome, and the old extension is no longer needed. The Chrome team is planning to unpublish LBS from the Chrome Web Store in Chrome 85, and it will be removed from browsers in Chrome 86. To continue using Legacy Browser Support, ensure that you're using Chrome's built-in policies, documented here.  The old policies set through the extension will no longer take effect when the extension is removed. 

    The Beta version of the extension (Extension ID ebojbgfomggiamdflnhekjfkmdbeblpb) will be removed in Chrome 85.

  • Cross-origin fetches will be disallowed from content scripts in Chrome Extensions in Chrome 85

    As part of an effort to improve Chrome Extension security, cross-origin fetches are being disallowed from content scripts in Chrome Extensions. Cross-Origin Read Blocking (CORB) has already applied to content scripts since M73. We plan to also enable CORS for content script requests starting in M85. We expect most extensions to be unaffected by the CORS change, but there is a chance that some requests initiated from content scripts may start to fail.

    Please test Chrome Extensions that your business depends on to make sure they work with the new behavior when Chrome is launched with the following cmdline flags (in 81.0.4035.0 or later):

    --enable-features=OutOfBlinkCors,CorbAllowlistAlsoAppliesToOorCors

    During the test, watch for fetches or XHRs that are initiated by content scripts and blocked by CORS. If extensions you depend on are affected, open a bug to add the affected extensions to a temporary allowlist which will exempt them from the change (the allowlist will be deprecated and removed in Chrome 87). The changes only affect fetches or XHRs for content types that are not blocked by CORB (such as images, JavaScript, and CSS) and only if the server does not approve the CORS request with an Access-Control-Allow-Origin response header.

  • Improved resource consumption when a window is not visible in Chrome 85

    To save on CPU and power consumption, Chrome will detect when a window is covered by other windows and will suspend work painting pixels. A previous version of this feature had incompatibility issues with some virtualization software. Known bugs have been fixed, but if you experience any issues, you will be able to disable this feature using the NativeWindowOcclusionEnabled policy.

    Some users will see the change in Chrome 85, with a full rollout planned for Chrome 86.

  • Introduction of AutoLaunchProtocolsFromOrigins policy in Chrome 85

    The new AutoLaunchProtocolsFromOrigins policy allows you to specify combinations of external protocols and origins that should be launched automatically, without requiring user confirmation.

  • Chrome on MacOS has additional protections for sensitive enterprise policies in Chrome 85

    Macs that are not managed by a UEM/EMM/MDM (or legacy MCX) will ignore sensitive enterprise policies that may be set by malware. This check already happens for sensitive policies on Windows, and will apply to the same set of policies on MacOS.

  • Cross-Origin Resource Setting (CORS) enterprise policies are no longer available

    The CorsMitigationList and Cors​Legacy​Mode​Enabled policies have been removed in Chrome 84, as previously communicated.

  • The ForceNetworkInProcess policy is now deprecated

    Chrome 73 introduced a change to move network activity into a separate process. We were aware of known incompatibilities with some third-party software that were injected into Chrome's process, so the ForceNetworkInProcess policy was provided as a temporary stop-gap to revert to the old behavior. The transition period for this change ended in Chrome 84, and the policy is no longer available.

  • Certificates issued on or after September 01, 2020 must have a lifetime of 398 days or less in Chrome 85

    As part of our ongoing commitment to ensuring user security, Google is reducing the maximum allowed lifetimes of TLS certificates. More details here.

  • Chrome 85 uses the Windows-native spell checker for some users

    For Windows users that have the corresponding language packs installed on their system, Chrome will use the Windows-native spell checker. Users without the corresponding language pack will default to the Chrome spell checker.

    Some users will see this change in Chrome 85, with a full rollout planned in Chrome 86.

  • The Chrome Web Store tells users if an extension has been blocked by their admin in Chrome 85

    If you block an extension by policy, the Chrome Web Store extension listing will now show “Blocked by Admin” to the user.

  • Chrome-on-iOS enterprise policies in Chrome 85

    Chrome supports a limited set of policies on iOS, configurable with unified endpoint management systems.

Chrome OS updates

  • Separating Display Resolution and Refresh Rate for external monitors

    The "Displays" page in Settings has been updated to allow independent configuration of the resolution and the refresh rate for external monitors. This setting will be split automatically and users do not need to take any action.

     

  • Sync Wi-Fi settings between devices

    To help users avoid repeatedly joining the same set of networks and typing in the same difficult-to-remember passwords on each of their Chrome OS devices, Wi-Fi Sync helps keep known networks in sync between a user's devices. This can be controlled using the SyncTypesListDisabled policy.

  • Option for improved visuals for Select to Speak

    Select to speak lets users drag a box around a given area of text to have text in that area spoken aloud. We’ve now added the option to turn on screen shading behind the selected region of the screen. This screen shading will reduce distraction and help to enhance the user's focus on the core content being spoken aloud.

  • Improved gesture support for handwriting keyboard

    When entering text using the handwriting keyboard, you can now use familiar gestures to edit your handwriting. Drawing a strikethrough will delete text, and a caret will give you space to insert text.

  • Improved Print management UI

    Users can now manage their ongoing print jobs and view what has been completed.

     

  • PIN printing for Hewlett-Packard®, Ricoh®, and Sharp® printers

    Extended PIN printing is now available for all supported Hewlett-Packard®, Ricoh®, and Sharp® printers that require a PIN to release the print job to a printer.

     

 

Admin console updates

  • Updated Admin consoleand thenDevices hub page

    The Devices hub in the Admin console is refreshed with a new look and feel, faster load times, and a brand new navigation structure on the left side of the page.

  • View apps & extensions that are configured across all organizational units

    The apps & extensions page in the Admin console now supports “Include all organizational units.” Selecting this view will display all apps configured across all modes (User & browser, Devices, and Managed guest session) and all organizational units.

  • Expanded ability to block system features

    Admins can now block system features at a granular level directly, without URL blocking. The Camera app, Chrome browser settings and Chrome OS settings are all configurable through policy.

  • Connected devices policies for Android phones + Chrome OS devices

    User settingsand thenConnected devices is a suite of features that allows Android phones and Chrome devices to work together seamlessly. Education organizations can enable Smart Lock and Click to Call. In addition, Enterprise organizations can enable Instant Tethering and Messages.

  • Multi-select devices for clearing user profiles

    From the Chromeand thenDevices list, admins can now multi-select devices to clear user profiles from all devices at the same time.

  • Additional policies now available in the Admin console

    Many additional new policies are available in the Admin console, including:

    • PrintingMaxSheetsAllowed

      User settingsand thenPrintingand thenMaximum sheets - Set a maximum number of pages for a single print job.

    • PrintingMaxSheetsAllowed and PrintingPaperSizeDefault

      User settingsand thenPrintingand thenDefault printing page size - Set a default paper page size for print jobs. 

    • AppCacheForceEnabled

      User settingsand thenContentand thenAppCache - Allow websites to use the deprecated AppCache browser feature.

    • HardwareAccelerationModeEnabled

      User settingsand thenHardwareand thenGPU - Enable or disable GPU hardware acceleration

    • ScrollToTextFragmentEnabled

      User settingsand thenContentand thenScroll to text fragment - Allow sites to scroll directly to a text fragment via URL

    • HideWebStoreIcon

      Apps & extensionsand thenAdditional settingsand thenChrome Web Store app icon - Hide the Chrome Web Store app and footer link from the New Tab Page and Google Chrome OS app launcher.

New and updated policies (Chrome Browser and Chrome OS)

Policy Description
AutoLaunchProtocolsFromOrigins Defines a list of protocols that can launch an external application from listed origins without prompting the user.
CloudExtensionRequestEnabled Enables Google Chrome extension installation requests.
DefaultSearchProviderContextMenuAccessAllowed Enables the use of a default search provider on the context menu.
EnableExperimentalPolicies Enables experimental policies.
IntensiveWakeUpThrottlingEnabled When enabled, the IntensiveWakeUpThrottling feature causes Javascript timers in the background tabs to be aggressively throttled and coalesced, running no more than once per minute after a page has been in the background for 5 minutes or more.
UserAgentClientHintsEnabled Controls the User-Agent Client Hints feature.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • ITP will block third party cookies in Chrome on iOS14

    All Chrome versions on iOS14 will be subject to the new ITP (Intelligent Tracking Prevention) restriction in WebKit, which blocks third party cookies. Apple has provided more information on the changes here: 

  • Single words will not be treated as intranet locations by default in Chrome 87 

    By default, Chrome will improve user privacy by avoiding DNS lookups for single keywords entered into the address bar. However, this change to default behavior may interfere with enterprises that use single-word domains in their intranet. That is, a user typing "helpdesk" will no longer be directed to "https://helpdesk/".

    You will be able to control the behavior of Chrome via policy, including preserving the existing behavior (which will perform a search immediately and then ask the user if they're trying to reach the intranet site).

  • Chrome will warn about mixed content forms in Chrome 86

    Web forms that load via HTTPS but submit their content via HTTP (unsecured) pose a potential risk to users' privacy. Chrome 85 showed a warning on such forms, telling the user that the form is insecure. Chrome will show an interstitial warning when the form is submitted, which will stop any data transmission, and the user will be able to choose to proceed or cancel the submission.

    You will be able to control this behavior using the InsecureFormsWarningsEnabled enterprise policy.

  • The address bar will show the domain rather than the full URL for some users in Chrome 86

    To protect your users from some common phishing strategies, Chrome will begin showing only the domain in the address bar in Chrome 86. This change makes it more difficult for malicious actors to trick users with misleading URLs. For example, https://example.com/secure-google-sign-in/ will appear only as example.com to the user.

    Although this change is designed to keep your users' credentials safe, you will be able to revert to the old behavior through the ShowFullUrls policy. This change will initially only roll out to some users, with a full rollout planned for a later release.

  • Improved resource consumption for background tabs in Chrome 86

    To save on CPU and power consumption, Chrome will throttle the amount of CPU that background tabs can use. With this change, Chrome will only allow background tabs to wake up once per minute and to only use 1% CPU time.

    You will be able to control this behavior using the IntensiveWakeUpThrottlingEnabled policy.

  • Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 86

    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. A policy will be provided to turn off this mechanism, and another one to allow specific pages to make requests to more private IP Address Spaces.

  • Chrome 86 will have a new way of indicating it should be updated

    To make it more clear that Chrome should be restarted to apply an update, users will see a new UI, with the word "Update."

      

 

  • Chrome extensions will not be able to inject Flash content settings in Chrome 86

    Extensions will not be able to inject content settings for Flash. Admins should instead use policies to control Flash behavior on Chrome. See PluginsAllowedForUrls.

  • The Chrome Cloud Management - Reporting Companion extension will cease functionality in Chrome 86

    The Chrome Cloud Management - Reporting Companion extension (ID oempjldejiginopiohodkdoklcjklbaa) is no longer necessary, as its functionality has been integrated into Chrome browser. If you are manually force-installing this extension, you can safely stop doing so. Please ensure that you've set "Enable managed browser cloud reporting" in the admin console instead.

    The extension will no longer function in Chrome 86.

  • The TLS13HardeningForLocalAnchorsEnabled enterprise policy will no longer function in Chrome 86

    As documented in the policy description, support for the TLS13HardeningForLocalAnchorsEnabled enterprise policy will be removed in Chrome 86. As a result, the security feature will be enabled for all users, protecting your environment from certain TLS downgrade attacks.

    The policy was introduced as a temporary measure to mitigate implementation flaws with some TLS-intercepting proxies. If you had previously set this policy to take advantage of the migration period, please ensure your TLS-intercepting policies are up to date and compliant. You can test Chrome by ensuring it works without this policy set.

  • More inclusive policy names will be introduced in Chrome 86 and 87

    Chrome will be moving to more inclusive policy names. The terms "whitelist" and "blacklist" will be replaced with "allowlist" and "blocklist". The following policies will be deprecated, and equivalent policies will be introduced for each: 

Deprecated policy name New policy name Version
NativeMessagingBlacklist NativeMessagingBlocklist 86
NativeMessagingWhitelist NativeMessagingAllowlist 86
AuthNegotiateDelegateWhitelist AuthNegotiateDelegateAllowlist 86
AuthServerWhitelist AuthServerAllowlist 86
SpellcheckLanguageBlacklist SpellcheckLanguageBlocklist 86
AutoplayWhitelist AutoplayAllowlist 86
SafeBrowsingWhitelistDomains SafeBrowsingAllowlistDomains 86
ExternalPrintServersWhitelist ExternalPrintServersAllowlist 86
NoteTakingAppsLockScreenWhitelist NoteTakingAppsLockScreenAllowlist 86
PerAppTimeLimitsWhitelist PerAppTimeLimitsAllowlist 86
URLWhitelist URLAllowlist 86
URLBlacklist URLBlocklist 86
ExtensionInstallWhitelist ExtensionInstallAllowlist 86
ExtensionInstallBlacklist ExtensionInstallBlocklist 86
UserNativePrintersAllowed UserPrintersAllowed 86
DeviceNativePrintersBlacklist DevicePrintersBlocklist 87
DeviceNativePrintersWhitelist DevicePrintersAllowlist 87
DeviceNativePrintersAccessMode DevicePrintersAccessMode 87
DeviceNativePrinters DevicePrinters 87
NativePrinters Printers 86
NativePrintersBulkConfiguration PrintersBulkConfiguration 86
NativePrintersBulkAccessMode PrintersBulkAccessMode 86
NativePrintersBulkBlacklist PrintersBulkBlocklist 86
NativePrintersBulkWhitelist PrintersBulkAllowlist 86
UsbDetachableWhitelist UsbDetachableAllowlist 87
QuickUnlockModeWhitelist QuickUnlockModeAllowlist 87
AttestationExtensionWhitelist AttestationExtensionAllowlist 87
DeviceUserWhitelist DeviceUserAllowlist 87

 

If you're already using the existing policies, they will continue to work, though you will see warnings in chrome://policy stating that they're deprecated.

  • DTLS 1.0 will be removed in Chrome 87

    DTLS 1.0, a protocol used in WebRTC for interactive audio and video, will be removed by default. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. You can test if any of your applications will be impacted using the following command line flag when launching Chrome:

    --force-fieldtrials=WebRTC-LegacyTlsProtocols/Disabled/

    If your enterprise needs additional time to adjust, a policy will be made available to temporarily extend the removal.

  • Chrome will introduce a new permission chip UI in Chrome 87

    Permission requests can feel disruptive and intrusive when they lack context – which often happens when prompts appear as soon as a page loads or without prior priming. This leads to a common reaction where end users dismiss the prompt in order to avoid making a decision.

    Chrome is experimenting with a permissions chip in the address bar next to the lock, which is less intrusive overall. Since the prompt doesn't intrude in the content area, users who don't want to grant the permission no longer need to actively dismiss the prompt. Users who wish to grant permission can click on the chip to bring up the permission prompt.

  • New PDF UI in Chrome 87

    Chrome will have an updated PDF viewer, including toolbar updates, table of contents, thumbnails, two-up view, and annotations viewing.

  • Factor in scheme when determining if a request is cross-site (Schemeful Same-Site) in Chrome 88

    Chrome 88 will modify the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. For example, http://site.example and https://site.example will be considered cross-site to each other.

    For enterprises that need extra time to adjust to these changes, policies will be made available.

Upcoming Admin console changes

  • New Version Report and Update Controls

    There will be a new Version Report and Update Controls available in the Admin console. These features give increased visibility into the Chrome versions deployed in your enterprise and allows you to more granularly control how managed Chrome browsers update. If you would like to sign up to be a Trusted Tester for these features please enter your test domain and a contact email into this form.

 
Chrome 84

Important: Adobe will no longer update and distribute Flash Player after December 31, 2020, therefore Chrome will no longer support Flash content. You can read more about Adobe's plans to discontinue Flash player in Adobe's blog post. Adobe is working with HARMAN, their exclusive licensing/distribution partner, to provide support for Flash Player in legacy browsers.

Chrome is designed to meet the needs of Chrome Enterprise customers, including integration with legacy web content. Companies that need to use a legacy browser to run Flash content after December 31, 2020 can get set up with HARMAN and Legacy Browser Support.

Chrome Browser updates

  • Updates to cookies with SameSite

    Starting on July 14, cookies that don’t specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context must explicitly request SameSite=None. Cookies with SameSite=None must also be marked Secure and delivered over HTTPS. To reduce disruption, the updates will be enabled gradually, so different users will see it at different times. We recommend that you test critical sites using the instructions for testing.

    You will be able to revert to the legacy cookie behavior using policies until Chrome 91. You can specify domains accessing cookies that require legacy semantics using LegacySameSiteCookieBehaviorEnabledForDomainList or control the global default with LegacySameSiteCookieBehaviorEnabled. For more details, visit Cookie Legacy SameSite Policies.

    This change started with Chrome 80, but was temporarily on hold in light of the COVID-19 pandemic. It’s being set in motion again, and will take effect in Chrome 80 and more recent versions of Chrome.

  • Insecure downloads will be blocked from secure pages in Chrome 84 through Chrome 88

    By Chrome 88, downloads from insecure sources will no longer be allowed when started from secure pages. This change will be rolled out gradually, with different file types affected in different releases:     

  • Executables—Users will be warned in Chrome 84, and files will be blocked in Chrome 85.
  • Archives —Users will be warned in the Chrome developer console in Chrome 85, and files will be blocked in Chrome 86.
  • Other non-safe types (e.g. pdfs)—Users will be warned in the Chrome developer console in Chrome 86, and files will be blocked in Chrome 87.
  • Other files—Users will be warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.

Warnings on Android will lag behind Desktop warnings by one release. For example, executables will show a warning starting in Chrome 85.

The existing InsecureContentAllowedForUrls policy can be used to allow specific page URLs to download insecure files. You can read more details in our blog post.

  • Improved resource consumption when window is not visible

    To save on CPU and power consumption, Chrome will detect when a window is covered by other windows and will suspend work painting pixels. A previous version of this feature had an incompatibility with some virtualization software. Known bugs have been fixed, but if you experience any issues, you will be able to disable this feature using the NativeWindowOcclusionEnabled policy.

    Some users will see this feature in Chrome 84, with a full release planned in Chrome 85.

  • Chrome remembers user preferences when launching external protocols

    As requested by IT admins, users are able to select "always allow for this site" when opening an external protocol in Chrome 84. The approval is scoped to the current origin, and is only available for secure origins.

  • The URLAllowlist policy only allows external protocols for domain joined devices

    A recent release of Chrome changed the behavior of the URLAllowlist policy which lets you allow external protocols such as “callto:” or “ms-calendar”. To improve security on Windows®, this policy only allows external protocols for devices joined to an Active Directory domain.

  • Deprecation of TLS 1.0 and TLS 1.1

    The Chrome team announced in October 2019, plans for the deprecation of legacy TLS versions (TLS 1.0 and 1.1). In Chrome 84, we will mark sites that do not support TLS 1.2 and above with a full-page warning telling users that the connection is not fully secure. 

    If users have sites affected by these changes and need to opt out, you can use the SSLVersionMin policy to turn off the security indicator and warning. To allow TLS 1.0 and later without additional warnings, set the policy to tls1. The SSLVersionMin policy will work until January 2021. More details are available in our blog post.

  • Improvements to Chrome downgrades

    When a managed Chrome browser updates to the next version, it will retain a snapshot of User Data. This is useful for admins when Sync is turned off and they need to rollback to a previous version of Chrome. The number of snapshots can be controlled using the UserDataSnapshotRetentionLimit policy and Chrome can function as it did before by setting UserDataSnapshotRetentionLimit to 0. For more details, visit Downgrade your Chrome version.

  • Stronger consent for the search and new tab page

    Chrome will protect against extensions that attempt to change the user's preferences without their consent. After an extension changes the default search engine or the new tab page, Chrome will confirm the change with the user, and allow them to keep the change or revert back to the old settings.

    As an admin, you can control your employees' default search provider directly using the Default Search Provider and NewTabPageLocation policies. They will not trigger a confirmation dialog.

  • User-Agent Client Hints

    As part of an ongoing effort to reduce bad actors’ ability to track users, Chrome plans to reduce the granularity of information that is part of the user agent string and expose that information through User-Agent Client Hints. In Chrome 84, we are introducing User-Agent Client Hints for some users. This is an additive change only, and should not have any negative effect when interacting with any standards-compliant server.

    However, some servers may not be able to accept all characters in the User-Agent Client Hints headers, part of the broader Structured Headers emerging standard. If the addition of this header causes problems with servers that cannot be fixed quickly, you will be able to use the UserAgentClientHintsEnabled policy to disable the added headers. Although, this is a temporary policy that will be removed in Chrome 88.

    You can test your environment by enabling the "experimental web platform features" flag in Chrome. A wider rollout of this change is planned in Chrome 85.

  • Cross-Origin Resource Sharing (CORS) enterprise policies will no longer take effect

    The CorsMitigationList and Cors​Legacy​Mode​Enabled policies have been removed in Chrome 84, as previously communicated.

  • The ForceNetworkInProcess policy is now deprecated

    Chrome 73 introduced a change to move network activity into a separate process. We were aware of known incompatibilities with some third-party software that were injected into Chrome's process, so the ForceNetworkInProcess policy was provided as a temporary stop-gap to revert to the old behavior. The transition period for this change ends in Chrome 84, and the policy is no longer available.

Chrome OS updates

  • Camera app supports MP4 (H.264)

    Videos captured in the Chrome OS Camera app will now save as MP4 (H.264) videos. This makes it easier to use your recorded videos in other apps.

  • Window management improvements for multiple monitors and split screen

    When in Overview mode you can now drag a window to the left or right edge to quickly set up a split screen. If you use multiple monitors, you can drag windows to other displays while in Overview mode.

  • Adding search functionality to the ChromeVox menu

    For screen reader users, the ChromeVox menu is a one-stop-shop for learning about ChromeVox and accessing key information and commands. When ChromeVox is turned on, press Search + Period at any time to open the menu and explore options such as jump commands, speech options, and much more. As of Chrome 84, it's now possible to search within the ChromeVox menu to find what you are looking for even faster! Simply open the menu and your mouse cursor will automatically be placed in the Search field. You can either search for a given item, or use the arrow keys to navigate the menu options.

  • Sheet Limit Policy for Native Printing

    Many organizations would like to limit the amount of paper used when printing. With the PrintingMaxSheetsAllowed policy, admins can limit the number of sheets used in a single print job for their managed devices users. For example, placing a limit on printing excessively large documents such as an entire digital textbook, ebook, or accidental print requests, prevents ink and paper waste.

  • Chrome OS login/lock screen enterprise disclosure

    On the login screen, Chrome OS now shows an enterprise badge on managed profiles. This allows users to see at first glance whether their profile is managed or not.

  • Crostini mic permission

    You can now give Crostini access to your microphone through Settings. If you're developing an Android app, you can test the microphone feature using the Android emulator.

Admin console updates

  • Update controls are available for managed browsers

    In the Admin console, admins can now configure additional update policies for Chrome browsers that are managed by Chrome Browser Cloud Management. For example, you might want to allow or disable updates, pin a specific version of Chrome, roll back to a previous version of Chrome, set relaunch notifications, or control when Chrome checks for updates. The configuration details are further described in this help center article.

  • Network file shares policy

    Admins can now configure network file shares for users under Chrome managementand thenUser settingsand thenNetwork file shares. These policies include configuration of SMB settings for NetBIOS discovery, NTLM authentication, and preconfiguring file shares so users can see them within the Files app on Chrome OS.

  • Readable data in the devices export

    Timestamps in the device list’s CSV export file are now in a “human-readable” format. This format helps to make the timestamps easy for users to read. Previously, these columns contained the same value as reported through the Directory API.

  • Domain-restricted apps & extensions from the Chrome Web Store

    In the Google Admin console, admins can now add domain-restricted apps & extensions from the Chrome Web Store. These apps are available under Chrome managementand thenAppsand thenAdd from Chrome Web Storeand thenView private apps.

  • Device screen resolution

    Admins can now configure the screen resolution and UI scaling for displays.  These settings are available under Chrome managementand thenDevice settingsand thenScreen settings.

  • Dinosaur game policy

    When Chrome cannot connect to the internet it displays a “Dinosaur game” for users to play.  This game is disabled by default for domain-enrolled Chrome OS devices, but admins can enable it under Chrome managementand thenUser settingsand thenDinosaur game.

  • Ignore proxy on captive portals policy

    Chrome OS can open captive portal authentication pages in a separate window that ignores all policies for the current user, including proxy settings. This policy only takes effect if a proxy is configured through policy in chrome://settings or by extensions. This policy is available under Chrome managementand thenUser settingsand thenIgnore proxy on captive portals.

  • Display system info on the sign-in screen

    Your users can view system information such as serial numbers and OS versions on the sign-in screen by pressing Alt+V. Admins can allow or not allow access to this feature under Chrome managementand thenDevice settingsand thenSystem info on sign-in screen.

  • Device accessibility policies

    In addition to the launch of advanced accessibility controls for users, a similar set of controls for the login screen allows admins to enable accessibility features remotely or restrict them when necessary. For example, restricting dictation features in hospitals or blocking certain features in classrooms to prevent disruption. See the full list of features below:

    • Spoken feedback
    • Select to speak
    • High contrast
    • Screen magnifier
    • Sticky keys
    • Virtual keyboard
    • Dictation
    • Keyboard focus highlighting
    • Caret highlight
    • Auto-click enabled
    • Large cursor
    • Cursor highlight
    • Primary mouse button
    • Mono audio
    • Accessibility shortcuts

New and updated policies (Chrome Browser and Chrome OS)

Policy Description
AccessibilityImageLabelsEnabled Enables Get Image Descriptions from Google
AppCacheForceEnabled Allows the AppCache feature to be re-enabled even if it is turned off by default
AutoOpenAllowedForURLs List of URLs specifying which urls AutoOpenFileTypes will apply to
AutoOpenFileTypes List of file types that should be automatically opened on download

PrintRasterizationModeWindows only

Controls how Google Chrome prints on Windows

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • Wildcards no longer supported in PluginsAllowedForUrls in Chrome 85

    In preparation for the Flash deprecation later this year, Chrome will be removing the ability for enterprises to define entries with wildcards in hostnames (e.g., “https://*” or “https://[*.]mysite.foo”) for the PluginsAllowedForUrls policy. If you're using hostname wildcards, you will need to explicitly specify which hostnames still require Flash. For example, “https://[*.]mysite.foo” would need to be updated to match explicit entries like “https://flash.mysite.foo”. This change is intended to help determine which sites still require updating, with time to make an adjustment before support for Flash is removed completely in December, 2020.

  • Compiler optimization performance improvements in Chrome 85

    Chrome will use an improved compiler optimization technique on Mac and Windows in Chrome 85. Enterprises aren't expected to notice any changes, but software interacting with Chrome in unexpected or unsupported ways such as, code injection, may not function as expected with Chrome 85.

    To ensure compatibility, you can test your environment with the Chrome 85 beta channel, starting July 23, 2020.

  • The Legacy Browser Support extension will be removed from the Chrome Web Store in Chrome 85

    Legacy Browser Support (LBS) is now built into Chrome, and the old extension is no longer needed. The Chrome team is planning to unpublish LBS from the Chrome Web Store in Chrome 85, and it will be removed from browsers in Chrome 86. To continue using Legacy Browser Support, ensure you're using Chrome's built-in policies, documented here.  The old policies set through the extension will no longer take effect when the extension is removed. If you run into issues using the built-in LBS policies please file a new issue report at http://crbug.com/new.

  • Cross-origin fetches will be disallowed from content scripts in Chrome Extensions in Chrome 85

    As part of an effort to improve Chrome Extension security, cross-origin fetches are being disallowed from content scripts in Chrome Extensions. Cross-Origin Read Blocking (CORB) has already applied to content scripts since M73. We plan to also enable CORS for content script requests starting in M85. We expect most extensions to be unaffected by the CORS change, but there is a chance that some requests initiated from content scripts may start to fail.

    Please test Chrome Extensions that your business depends on, to make sure they work with the new behavior when Chrome is launched with the following cmdline flags (in 81.0.4035.0 or later):

    --enable-features=OutOfBlinkCors,CorbAllowlistAlsoAppliesToOorCors

    During the test, watch for fetches or XHRs that are initiated by content scripts and blocked by CORS.  If extensions you depend on are affected, then please open bugs to add the affected extensions to a temporary allowlist to exempt them from the change. The changes only affect  fetches or XHRs for content types not blocked by CORB (such as images, JavaScript, and CSS), and only if the server does not approve the CORS request with an Access-Control-Allow-Origin response header.

  • Improved resource consumption for background tabs in Chrome 85

    To save on CPU and power consumption, Chrome will throttle the amount of CPU that background tabs can use. With this change, Chrome will only allow background tabs to wake up once per minute and to only use 1% CPU time.

    You will be able to control this behavior using the IntensiveWakeUpThrottlingEnabled policy.

  • Introduction of AutoLaunchProtocolsFromOrigins policy in Chrome 85

    The new AutoLaunchProtocolsFromOrigins policy will allow you to specify combinations of external protocols and origins that should be launched automatically, without requiring user confirmation.

  • The SafeBrowsingExtendedReportingOptInAllowed policy will no longer take effect in Chrome 85

    The support of SafeBrowsingExtendedReportingOptInAllowed policy will be removed in Chrome 85. Please use SafeBrowsingExtendedReportingEnabled policy instead. You can find the migration instructions on the deprecated policy page.

  • Chrome on MacOS will have additional protection for sensitive enterprise policies in Chrome 85

    Macs that are not managed by a UEM/EMM/MDM (or legacy MCX) will ignore sensitive enterprise policies that may be set by malware. This check already happens for sensitive policies on Windows, and will apply to the same set of policies on MacOS.

  • Single words will not be treated as intranet locations by default in Chrome 86

    By default, Chrome 86 will improve user privacy by avoiding DNS lookups for single keywords entered into the address bar, which could theoretically be read by a malicious actor. However, this change to default behavior will likely interfere with enterprises that use single-word domains in their intranet. That is, a user typing "helpdesk" will no longer be directed to "https://helpdesk/".

    You will be able to control the behavior of Chrome via policy. In addition to preserving the existing behavior (which will perform a search immediately and then ask the user if they're trying to reach the intranet site), you can also set the intranet site as Chrome's first action.

  • Chrome will warn about mixed content forms in Chrome 86

    Web forms that load via HTTPS but submit their content via HTTP (unsecured) pose a potential risk to users' privacy. Chrome 85 will show a warning on such forms, telling the user that the form is insecure. Chrome will show an interstitial warning when the form is submitted, which will stop any data transmission, and the user will be able to choose to proceed or cancel the submission.

    You will be able to control this behavior using the DisableMixedFormsWarning enterprise policy.

  • The address bar will show the registrable domain rather than the full URL for some users in Chrome 86

    To protect your users from some common phishing strategies, Chrome will begin showing only the registrable domain in the address bar in Chrome 86. This change makes it more difficult for malicious actors to trick users with misleading URLs. For example, https://google-secure.example.com/secure-google-sign-in/ will appear only as example.com to the user.

    Although this change is designed to keep your users' credentials safe, you will be able to revert to the old behavior through the ShowFullUrls policy. This change will initially only roll out to some users, with a full rollout planned for a later release.

  • DTLS 1.0 will be removed in Chrome 86

    DTLS 1.0, a protocol used in WebRTC for interactive audio and video, will be removed by default. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. You can test if any of your applications will be impacted using the following command line flag when launching Chrome:

    --force-fieldtrials=WebRTC-LegacyTlsProtocols/Disabled/ 

    If your enterprise needs additional time to adjust, a policy will be made available to temporarily extend the removal.

  • Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 86

    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. A policy will be provided to turn off this mechanism, and another one to allow specific pages to make requests to more private IP Address Spaces.

  • Chrome extensions will not be able to inject Flash content settings in Chrome 86

    Extensions will not be able to inject content settings for Flash. Admins should instead use policies to control Flash behavior on Chrome. See PluginsAllowedForUrls.   

  • More inclusive policy names will be introduced in Chrome 86

    Chrome will be moving to more inclusive policy names in Chrome 86. The terms "whitelist" and "blacklist" will be replaced with "allowlist" and "blocklist". The following policies will be deprecated, and equivalent policies will be introduced for each: 

Deprecated policy name New policy name
ExtensionInstallWhitelist ExtensionInstallAllowlist
ExtensionInstallBlacklist ExtensionInstallBlocklist
NativeMessagingBlacklist NativeMessagingBlocklist
URLBlacklist URLBlocklist
URLWhitelist URLAllowlist
AuthNegotiateDelegateWhitelist AuthNegotiateDelegateAllowlist
AuthServerWhitelist AuthServerAllowlist
SpellcheckLanguageBlacklist SpellcheckLanguageBlocklist
AutoplayWhitelist AutoplayAllowlist
SafeBrowsingWhitelistDomains SafeBrowsingAllowlistDomains
DeviceNativePrintersWhitelist DeviceNativePrintersAllowlist
ExternalPrintServersWhitelist ExternalPrintServersAllowlist
NativePrintersBulkWhitelist NativePrintersBulkAllowlist

 

If you're already using the existing policies, they will continue to work, though you will see warnings in chrome://policy stating that they're deprecated.

  • Factor in scheme when determining if a request is cross-site (Schemeful Same-Site) in Chrome 88

    Chrome 88 will modify the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. For example, http://site.example and https://site.example will be considered cross-site to each other.

    For enterprises that need extra time to adjust to these changes, policies will be made available.

  • The Chrome Browser Cloud Management reporting extension will cease functionality in Chrome 86

    The Chrome Browser Cloud Management reporting extension is no longer necessary, as its functionality has been integrated into Chrome browser. If you are manually force-installing this extension, you can safely stop doing so. Please ensure that you've set "Enable managed browser cloud reporting" in the admin console instead.

    The extension will no longer function in Chrome 86.

Upcoming Admin console changes

  • New Version Report and Update Controls

    There will be a new Version Report and Update Controls available in the Admin console. These features give increased visibility into the Chrome versions deployed in your enterprise and allows you to more granularly control how managed Chrome browsers update. If you would like to sign up to be a Trusted Tester for these features please enter your test domain and a contact email into this form.

 
Chrome 83

Important: Adobe will no longer update and distribute Flash Player after December 31, 2020, therefore Chrome will no longer support Flash content. You can read more about Adobe's plans to discontinue Flash player in Adobe's blog post. Adobe is working with HARMAN, their exclusive licensing/distribution partner to provide support for Flash Player in legacy browsers.

Chrome is designed to meet Chrome Enterprise customer needs, including integration with legacy web content. For companies that need to use a legacy browser to run Flash content after December 31, 2020, HARMAN and Legacy Browser Supportcan get you up and running.

Chrome Browser updates

  • Secure DNS

    The DNS requests of all users will autoupgraded to their DNS provider’s DNS-over-HTTPS (DoH) service if available (based on a list of known DoH-capable servers). This change will roll out gradually throughout Chrome 83. You can disable DNS-over-HTTPS for your users with the DnsOverHttpsMode policy with Group Policy or in the Google Admin Console. Setting it to off will ensure that your users are not affected by Secure DNS.

  • Flash Dialog Changes

    Chrome is adding the following warning text to the activation prompt for Flash Player, highlighting the industry wide end of support: "Flash Player will no longer be supported after December 2020." Users will see this prompt, even if Flash is enabled by policy. To learn more, please visit Saying goodbye to Flash in Chrome.

  • Legacy Browser Support improvements

    The Legacy Browser Support (LBS) functionality incorporates multiple improvements such as better Kerberos support, interoperability between the LBS extension and the LBS Cloud policies, and reducing the time it takes the user to switch between Chrome and the legacy browser.

  • Introduction of tab groups for all users

    Starting in Chrome 80, some users were able to organize their tabs by grouping them together on the tab strip. Each group can have a color and a name to help your users keep track of their different tasks and workflows. This has been rolled out to Chrome, Mac®, Windows®, and Linux® users throughout Chrome 83.

  • Changes to the ManagedBookmarks policy

    The ManagedBookmarks policy is subject to strict verification. In Chrome 83, if the name or URL fields are not populated in a string format as described by the policy, this policy might become invalid.

  • If your users have any issues viewing the managed bookmarks, check to see if the policy has an error in chrome://policy, or if you're using Chrome Browser Cloud Management, you can check for errors in the Google Admin console. If you do see an error, make sure the Managed Bookmarks policy is using the string types listed above.

  • Third-party cookies blocked by default for Incognito sessions

    Chrome now blocks third-party cookies by default during Incognito sessions, however you can enable third-party cookies on a site-by-site basis.

    You can control Chrome's behavior using the BlockThirdPartyCookies policy through Group Policy or the Google Admin console:

    • Not set—The user is able to control third-party cookies and they'll be blocked by default in Incognito sessions.
    • True —Third-party cookies blocked in both Incognito and standard sessions.
    • False—Third-party cookies will not be blocked, and the setting cannot be changed.
  • Users can check all of their saved passwords for leaks

    In Chrome 79 we started warning users if their credentials had been compromised in a data leak when they logged into a website. Chrome 83 builds on this feature, allowing users to check on all of their saved passwords at once. This feature uses the same privacy-preserving system introduced in Chrome 79; it does not send plain-text passwords to Google.

    If you wish, you can prevent your users from accessing this feature by preventing Chrome from saving passwords using the Password​Manager​Enabled policy through Group Policy or the Google Admin console.

  • Control over the variations framework

    Admins have more granular control over the update behaviors in Chrome 83. In addition to the version controls that exist today, Chrome 83 allows you to configure Chrome variations with the ChromeVariations (Mac®, Windows®, and Linux®) and DeviceChromeVariations (Chrome OS) policies. You can choose between:

    • Variations enabled—The default setting that allows all variations in Chrome.
    • Critical fixes only—Disables all experiments and progressive rollouts, but will still apply variations with immediate and important security or compatibility improvements.
    • Variations disabled—No changes will be deployed using the variations framework. Choosing this setting significantly increases the risk of security and compatibility issues, and is not recommended.
  • Updated form control elements

    HTML form controls provide the backbone for much of the web's interactivity, however one issue is inconsistency in the styling. Older controls were styled to match the user's operating system, while more the recent controls are designed to match the style most commonly used. This has led to inconsistent accessibility, touch, keyboard support and outdated controls.

    To address these gaps, Chrome 83 introduces a new set of default settings. These settings allow effortless ways for Developers to keep their controls looking great, consistent, and widely usable.

    If you encounter any incompatibility issues with this change, the UseLegacyFormControls policy will revert to the previous default settings.

  • Updated UI for extensions

    Chrome has improved the extension manager UI by making it easier for the user to control their installed extensions. The icons that represent the extensions are now listed underneath the extension menu and can also be pinned beside the address bar for quick access.

  • SameSite cookie changes were rolled back

    With the stable release of Chrome 80 in February, Chrome began enforcing secure-by-default handling of third-party cookies as an ongoing effort to improve privacy and security across the web. 

    However, in light of the extraordinary global circumstances due to COVID-19, we temporarily rolled back the implementation of SameSite cookie labeling. While most of the web ecosystem was prepared for this change, we want to be sure that websites which support our daily lives by providing essential services, like banking, grocery, government services, and healthcare are stable.

    We plan to resume implementation in Chrome 84. The SameSite Updates page will be updated regularly with the latest schedule.

  • New Trusted Tester sign up page available for Chrome Enterprise

    If you're interested in trying new Chrome Enterprise features before they're released and provide feedback, we have an updated sign up form for our Trusted Tester program, available here.

  • More intuitive privacy and security controls for end users in Chrome

    Chrome is launching new tools and a redesign of Chrome’s privacy and security settings on desktop to make them easier for users to understand and control. For details, see the Chrome blog post

  • CORS implementation is more secure for web views on mobile

    Chrome is modifying its Cross-Origin Resource Sharing (CORS) implementation to be more secure. The CORS changes which have already been launched on desktop computers and within Chrome for mobile, will now apply to WebView in Chrome 83.

    If you need extra time to adapt to this migration, the OOR-CORS Troubleshooting page will help with investigating incompatibility issues.

Chrome OS updates

  • Relaunch Notification for Chrome OS Updates

    In Chrome 83, relaunch notifications allow you to recommend or enforce Chrome OS to relaunch within a certain time period after an update has been downloaded.

  • Gesture Navigation & Education

    There are new gestures available for Chromebook tablet mode, that make it easy for users to navigate using touch. Users will now be shown tips on how to use gestures to go Home, Back, and see open apps. For those who need navigation buttons, they can be turned on through the Accessibility setting.

  • Virtual Desks Renaming and Restore

    In Chrome 78, we released Virtual Desks which allowed users to create up to four separate work spaces. This feature helps create boundaries between projects or activities, making it easier to multitask and stay organized.

    Now users are able to choose a unique name for each Virtual Desk, allowing them to choose names know what each desk is for. Also, the desks and their names, will not change after the device reboots or crashes. For more information, see Set up & manage Virtual Desks.

    To enable Virtual Desks, users can tap the overview key on the top of the keyboard or swipe down on the keypad using three fingers; “+ New desk” will appear in the top right hand corner.

  • Idle Settings Changes

    Users can now choose what their Chromebook does when it becomes idle while charging or on battery. Users can find these settings in the Settings app which is available through App Launcher or the cog icon in the Quick Settings menu under Device > Power.

  • Files media views available on all devices

    Media views such as recents, audio, images, videos are now located at the top of the Files app side navigation on all devices. These views allow users to more quickly access their recent files by category.

  • Get device hostname from enterprise.deviceAttributes Extension API

    The enterprise.deviceAttributes extension API has been updated with a new method (getDeviceHostname) to return the hostname that Chrome OS announces for itself in DHCP queries.

  • Improved APK caching (non-library direct installs, split APKS, postpone Play self-update, multiple versions)

    With  Chrome 83, users should see a significant increase in the install reliability of Android apps on Chrome OS. Especially, we released three major changes: (1) We significantly improved the reliability of force install & allow install policies on Chrome OS by the fast policy propagation feature (2) Due to delayed Play self-updates, Android apps get installed before eventual updates of the Play store. (3) By extending caching to allow-installed apps and split-APKs, apps will be installed much quicker for a user if they were already installed by another user before.

Admin console updates

  • Update blackout windows

    The DeviceAutoUpdateTimeRestrictions policy is now available in the Admin console. This policy allows you to create schedules specifying when automatic update checks are not to be performed. This policy only affects devices configured to auto-launch a kiosk app.

  • Manage accessibility settings for user sessions & managed guest sessions

    Advanced accessibility controls allow you to enable the accessibility features remotely or restrict them when necessary. For example, as an administrator, you can restrict dictation features in hospitals or block certain features in classrooms to prevent disruption.

  • Android app installations report

    The new Android app (ARC++) installation report page allows you to view the status and number of Android app installations, providing greater visibility into the app ecosystem health. The redesigned UI has stronger filtering capabilities, streamlined status descriptions, and layout updates such as app icons.     

  • Bulk reboot for devices

    You can now select multiple kiosk devices from the device list and reboot them in bulk. Previously reboot was available on a device-by-device basis only.

  • Deprecation of remote commands for Chrome OS devices running version Chrome 77 and earlier

    Due to a service upgrade, as of May 15, 2020 Chrome devices running Chrome 77 or earlier no longer receive remote commands. Remote commands are mainly used to monitor and control kiosk health, such as taking screenshots or rebooting devices. To continue using remote commands for devices in your organization, make sure that the devices are running Chrome version 78 or later. See Remote commands no longer supported on version 77 or earlier.

New and updated policies (Chrome Browser and Chrome OS)

Policy Description
ChromeVariations Configuring this policy allows you to specify which variations are allowed to be applied in Google Chrome
UserDataSnapshotRetentionLimit    Limits the number of user data snapshots retained for use in case of an emergency rollback (Chrome browser)
NativeWindowOcclusionEnabled Enables native window occlusion in Google Chrome (Windows only)
AllowNativeNotifications Configures whether Google Chrome on Linux will use native notifications (Linux only)
UseLegacyFormControls Use Legacy Form Controls until M84
AdvancedProtectionAllowed Enable additional protections for users enrolled in the Advanced Protection program
ScrollToTextFragmentEnabled Enable scrolling to text specified in URL fragments

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • Deprecation of TLS 1.0 and TLS 1.1 in Chrome 84

    The Chrome team announced plans for the deprecation of legacy TLS versions (TLS 1.0 and 1.1) last October. In Chrome 84, we will mark sites that do not support TLS 1.2 and above with a full-page warning telling users that the connection is not fully secure. 

    If users have sites affected by these changes and need to opt out, you can use the SSLVersionMin policy to disable the security indicator and warning. To allow TLS 1.0 and later without additional warnings, set the policy to tls1. The SSLVersionMin policy will work until January 2021. More details are available in our blog post.

  • DTLS 1.0 will be removed in Chrome 84

    DTLS 1.0, a protocol used in WebRTC for interactive audio and video, will be removed by default. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. If your enterprise needs additional time to adjust, a policy will be made available to temporarily extend the removal.

  • CORS enterprise policies will no longer work in Chrome 84

    The CorsMitigationList and Cors​Legacy​Mode​Enabled policies will be removed in Chrome 84, as previously communicated.

  • The URL Allowlist policy will not allow you to allowlist external protocols in Chrome 84

    A recent release of Chrome changed the behavior of the URLAllowlist policy to let you allowlist an external protocol. To improve security, this policy will be changed back to its original behavior. As a result, external protocols will not be allowlisted through the policy.

  • Chrome will be able to remember approval for launching external protocols in Chrome 84

    Users will be able to check "always allow for this site" when opening an external protocol in Chrome 84. The approval will be scoped to the current origin, and will only be available for secure origins.

  • Compiler optimization performance improvements in Chrome 85

    Chrome will use an improved compiler optimization technique on Mac and Windows in Chrome 85. Enterprises aren't expected to notice any changes, but admins should test Chrome 85 Beta in their environment to confirm this change doesn't interfere with any software running in their environment. Software interacting with Chrome in unexpected or unsupported ways (e.g. code injection) may not function as expected with Chrome 85.

  • The ForceNetworkInProcess policy will no longer take effect in Chrome 84

    Chrome 73 introduced a change to move network activity into a separate process. We were aware of known incompatibilities with some third-party software that injected into Chrome's process, so the ForceNetworkInProcess policy was provided as a temporary stop-gap to revert to the old behavior. The transition period for this change will end in Chrome 84, and the policy will no longer have any effect.

  • Chrome on Mac will have additional protections for sensitive enterprise policies in Chrome 84

    Macs that are not managed by a UEM/EMM/MDM (or legacy MCX) will ignore certain sensitive enterprise policies that may be set by malware, on Chrome 84.

  • Insecure downloads will be blocked from secure pages, with changes in Chrome 84 through Chrome 88

    By Chrome 88, downloads from insecure sources will no longer be allowed when started from secure pages. This change will be rolled out gradually, with different file types affected in different releases:

   

  • Executables—Users will be warned in Chrome 84, and files will be blocked in Chrome 85
  • Archives—Users will be warned in Chrome 85, and files will be blocked in Chrome 86
  • Other non-safe types—Users will be warned in Chrome 86, and files will be blocked in Chrome 87 
  • Other files—Users will be warned in Chrome 87, and files will be blocked in Chrome 88

Warnings on Android will lag behind Desktop warnings by one release, for example Executables will show a warning starting in Chrome 85.

The existing InsecureContentAllowedForUrls policy can be used to allow specific page URLs to download insecure files. You can read more details in our blog post.

  • Wildcards no longer supported in PluginsAllowedForUrls in Chrome 85

    Also in preparation for the Flash deprecation later this year, Chrome will be removing the ability for enterprises to define wildcards for PluginsAllowedForUrls policy in Chrome 85. If you're using wildcards in that policy, you will need to switch to specific allowlists for any sites that are still using Flash. This change is intended to help determine which sites still require updating, with time to adjust before support for Flash is removed completely in Dec 2020.

  • Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 85

    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. A policy will be provided to disable this mechanism, and another one to allow specific pages to make requests to more private IP Address Spaces.

  • Cross-origin fetches will be disallowed from content scripts in Chrome Extensions in Chrome 85

    As part of an effort to improve Chrome Extension security, cross-origin fetches are being disallowed from content scripts in Chrome Extensions. Cross-Origin Read Blocking (CORB) has already applied to content scripts since M73. We plan to also enable CORS for content script requests starting in M85. We expect most extensions to be unaffected by the CORS change, but there is a chance that some requests initiated from content scripts may start to fail.

    Please test Chrome Extensions that your business depends on, to make sure they work with the new behavior when Chrome is launched with the following cmdline flags (in 81.0.4035.0 or later):

    --enable-features=OutOfBlinkCors,CorbAllowlistAlsoAppliesToOorCors

    During the test, watch for fetches or XHRs that are initiated by content scripts and blocked by CORS.  If extensions you depend on are affected, then please open bugs to add the affected extensions to a temporary allowlist to exempt them from the change. The changes only affect  fetches or XHRs for content types not blocked by CORB (such as images, JavaScript, and CSS), and only if the server does not approve the CORS request with an Access-Control-Allow-Origin response header.

    For more details please see: www.chromium.org.

  • Improved resource consumption when a window is not visible in Chrome 85

    To save on CPU and power consumption, Chrome will detect when a window is covered by other windows and will suspend work painting pixels. A previous version of this feature had an incompatibility with some virtualization software. Known bugs have been fixed, but if you experience any issues, you will be able to disable this feature using the NativeWindowOcclusionEnabled policy.

  • The Legacy Browser Support extension will be removed from the Chrome Web Store in Chrome 85

    Legacy Browser Support (LBS) is now built into Chrome, and the old extension is no longer needed. The Chrome team is planning to unpublish LBS from the Chrome Web Store in Chrome 85, and it will be removed from devices in Chrome 86. To continue using Legacy Browser Support, ensure you're using Chrome's built-in policies, documented here.  If you run into issues using the built-in LBS policies please file a new issue report at http://crbug.com/new.

  • Factor in scheme when determining if a request is cross-site (Schemeful Same-Site) in Chrome 86

    Chrome 86 will modify the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. For example, http://site.example and https://site.example will be considered cross-site to each other.

    For enterprises that need extra time to adjust to these changes, policies will be made available.

Upcoming Chrome OS changes

  • Adding print server support for CUPS

    We’re working on a feature to add support for Common UNIX Printing System (CUPS) printing to print servers from Chrome OS. You and your users will be able to configure connections to external print servers and print from the printers on servers using CUPS.

Upcoming Admin console changes

  • New Version Report and Update Controls

    There will be a new Version Report and Update Controls available in Admin Console. These features give increased visibility into the Chrome versions that are deployed in your organization and allow admins more detailed control of how Chrome Browser updates. If you would like to sign up to be a Trusted Tester for these features, please enter your test domain and a contact email into this form.

 
 
 
Chrome 81

Chrome Browser updates

  • Chrome’s consumer terms of service will be updated on March 31, 2020

    We are updating the Google Terms of Service effective March 31, 2020, and the improved Terms will now cover Chrome and Chrome OS. See a summary of the key changes and a preview of the new Terms and Additional Terms. Google users have been notified in-product of this change.

  • NTLM / Kerberos authentication disabled by default in Incognito mode and guest sessions

    Ambient authentication (NTLM/Kerberos) will be disabled by default in Incognito mode and guest sessions in Chrome 81. To revert to the old behavior and allow ambient authentication, use the AmbientAuthenticationInPrivateModesEnabled policy.

  • TLS 1.3 hardening measure

    TLS 1.3 includes a hardening measure to strengthen the protocol’s protections against a downgrade to TLS 1.2 and earlier. This measure is backward compatible and doesn’t require that proxies support TLS 1.3. It only requires that proxies correctly implement TLS 1.2. However, last year, we had to partially disable this measure due to noncompliant, TLS-terminating proxies.

    The following list contains the minimum firmware versions for affected products that we're aware of:

    Palo Alto Networks:

    • PAN-OS 8.1 must be upgraded to 8.1.4 or later.
    • PAN-OS 8.0 must be upgraded to 8.0.14 or later.
    • PAN-OS 7.1 must be upgraded to 7.1.21 or later.

    Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):

    • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later.
    • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later.
    • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later.

    You can opt in to the new measure to test it and confirm if your proxy is affected using the TLS13HardeningForLocalAnchorsEnabled policy. If you encounter problems, you should upgrade affected proxies to fixed versions.

    Starting in Chrome 81, the new measure will become the default. However, you will be able to use the same policy to opt out if you need to upgrade affected proxies. This policy will be available until Chrome 86.

  • Changes to how HTTPS pages load subresources

    In Chrome 81, http:// audio and video resources on https:// pages started getting autoupgraded to https://, and Chrome blocked them by default if they failed to load over https://. Users can unblock affected audio and video resources by clicking on the lock icon in the address bar and selecting Site Settings. Also in Chrome 80, http:// images on https:// pages were still allowed to load, but users started seeing “Not Secure” in the address bar.

    In Chrome 81, http:// images on https:// pages will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://.

    You can control these changes using the StricterMixedContentTreatmentEnabled policy (Strict treatment for mixed content in the Admin console), which disables autoupgrades for audio and video and the warning for images. This policy is a temporary policy and will be removed in Chrome 84.

    The InsecureContentAllowedForUrls and InsecureContentBlockedForUrls policies will control the site setting described above. These policies will eventually be removed, but there is no timeframe for their removal yet.

    You should begin ensuring that resources in pages are fetched over HTTPS and manage exceptions using a policy. For more information, see the Chromium blog

  • FTP support removed

    FTP will no longer be directly supported in Chrome 81. Your users should use a native FTP client instead.

  • Known incompatibility with older versions of Carbon Black Protection (Bit9)

    Carbon Black Protection (previously known as Bit9) has a known incompatibility with Chrome 81, which causes multi-second delays to some page loads. Update to Carbon Black Protection 8.1.8 when it becomes available to fix the incompatibility. Carbon Black has more information about the issue here.

  • Introduction of tab groups for remaining users

    Starting in Chrome 80, some users were able to organize their tabs by grouping them on the tab strip. Each group can have a color and a name to help your users keep track of their different tasks and workflows. This will be rolled out widely to Mac, Windows, and Linux users throughout Chrome 81.

  • Updated form control elements

    A small number of users will see a preview of new form control elements in Chrome 81. These will be launched more broadly with enterprise controls in Chrome 83. If any of your users are having trouble displaying form controls (text boxes, radio buttons, checkboxes, etc), please open a new issue at crbug.com.

  • Developer changes to Chrome Web Store

    The Chrome Web Store charges a $5.00 fee to register as a Chrome Web Store developer. This fee was previously required only before publishing an item to the public, but is now required for all Chrome Web Store developers. For more information, see this blog post.

Chrome OS updates

  • Use websites and Progressive Web Apps (PWAs) on Chrome OS Kiosk

    IT admins can now use the Google Admin console to install websites and Progressive Web Apps (PWAs) on managed Chrome devices in locked-down kiosk mode.

  • Linux (Beta) support for Android emulators

    Developers often need to run virtual machines, such as an Android developer who uses the Android emulator to test their app. While previously Linux for Chromebooks (aka Crostini) did not support virtual machines, this change allows Crostini to run virtual machines on specific boards.

  • Deploy Android apps to your Chromebook from Linux (Beta)

    Android developers using Linux for Chromebooks (aka Crostini) can now build apps with Android Studio and test them natively on their Chromebook using Chrome OS’s built-in Android runtime (ARC++). This feature can be turned on from Linux settings.

  • IP reporting for all managed devices

    Extend support for IP address reporting (LAN and WAN) under “System reporting and troubleshooting” under “Device Details” to include all managed devices with a signed-in, managed user, instead of just single app kiosk devices. This is enabled if “Device state reporting” is enabled under device policy.

  • Gestures in tablet mode

    Try new gesture navigation to to quickly switch between apps and interact with your Chromebook in tablet mode.

    • To get to the Home Screen at any time, swipe up from the bottom.

    • To see all pinned apps, small-swipe up from the bottom.

    • To return to the previous screen, swipe from the left.

    • To see all open windows, swipe up from the bottom and hold.

          

  • End to end support for printers via print servers

    Users are now able to connect to and save printers defined by print servers. IT admins can use this functionality to test print server setups for their organization.

  • Extended caching of Android apps

    So far, APK caching was only applied to force installed apps. From Q1 2020, APK caching is extended to Android apps in allow install mode.

    APK caching significantly reduces the installation time of Android apps if the same app was already installed on the device before. This especially applies to ephemeral sessions which require the re-installation of apps after every login.

    With the extension of APK caching to apps that are marked as "allow install" in the admin console, students and users of Chrome OS devices experience a significantly reduced installation time of their Android apps, helping them to spend more time on relevant tasks.

  • Android on Chrome OS kiosk mode deprecation

    In Chrome 81, you will no longer have access to set new policies for Android apps in kiosk mode. Existing policies for Android apps in kiosk mode will not be impacted and will be supported until June 2021. Websites and PWAs are the replacement technology for Kiosk, now supported in Chrome 81.

Admin console updates

  • Managed guest session settings redesign and idle settings

    The new redesigned settings page for managed guest sessions includes performance improvements, new search filters, and new settings. Admins can now set idle settings and lid close behavior for managed guest sessions.

  • Networks settings redesign

    The new redesigned Networks page for Chrome & mobile device management includes performance improvements and a fresh look.

  • Device list CSV export

    Admins can now export a CSV of the Chrome device list, including serial number, last policy sync time, OS version, latest user, and more. To export, go to the device list and click the download icon at the top right of the table.

  • Simultaneously manage Active Directory and Cloud devices

    Admins can now manage Chrome OS devices with Active Directory and Chrome OS devices with Cloud policy in the same admin console. A new set of enrollment policies support a mixed device environment along with a new Management Mode flag specifying whether the device is managed by cloud or Microsoft® Active Directory® on the device details page.

  • Remotely clear user profiles from device

    Admins can now clear all user profiles from a device remotely for use cases such as getting a device ready for a new user for the coming school year, supporting a rotating internship program and clearing data for troubleshooting without losing device settings.

New and updated policies (Chrome Browser and Chrome OS)

Policy Description
LocalDiscoveryEnabled Enable chrome://devices
ScreenCaptureAllowed Allow or deny screen capture

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • DNS-over-HTTPS in Chrome 83

    The DNS requests of some users are being autoupgraded to their DNS provider’s DNS-over-HTTPS (DoH) service if available, but DoH is disabled by default for managed devices running Chrome OS and for desktop Chrome Browser instances that are domain joined or have at least one active policy.

    In Chrome 83, DoH will launch by default for all remaining users. You can disable DNS-over-HTTPS for your users with the DnsOverHttpsMode policy. Setting it to off will ensure your users are not affected by DoH.

  • Updated form control elements in Chrome 83

    HTML form controls provide the backbone for much of the web's interactivity. One issue, however, is inconsistency in their styling. Older controls were styled to match the user's operating system, while more recent controls were designed to match whatever style was popular at the time. This has led to controls that look mismatched and sometimes outdated. They've also suffered from inconsistent accessibility, touch, and keyboard support.

    To address these gaps, Chrome 83 will introduce a new set of defaults for form controls. Developers will have less work to do to keep their controls looking great, consistent, and broadly usable. 

    If you encounter any incompatibility issues with this change, the UseLegacyFormControls enterprise policy will revert to the old defaults.

  • Deprecation of TLS 1.0 and TLS 1.1 in Chrome 83

    The Chrome team announced plans for the deprecation of legacy TLS versions (TLS 1.0 and 1.1) last October. In Chrome 81, we will mark sites that do not support TLS 1.2 and above with a full-page warning telling users that the connection is not fully secure.

    If users have sites affected by these changes and need to opt out, you can use the SSLVersionMin policy to disable the security indicator and warning. To allow TLS 1.0 and later without additional warnings, set the policy to tls1. The SSLVersionMin policy will work until January 2021. More details are available in our blog post.

  • Third party cookies will be blocked by default for Incognito sessions in Chrome 83

    Chrome 83 will block third-party cookies by default in Incognito sessions, with the ability to enable third party cookies on a site-by-site basis.

    You will be able to control Chrome's behavior with the existing BlockThirdPartyCookies policy:

    • Not set—the user will be able to control third party cookies, and they'll be blocked by default in Incognito sessions
    • True—third party cookies blocked in both Incognito and standard sessions
    • False—third party cookies will not be blocked, and the setting cannot be changed 
  • Changes to the ManagedBookmarks policy in Chrome 83

    The ManagedBookmarks policy will be subject to stricter verification in Chrome 83. This policy might become invalid if any of "name", "toplevel_name", or "url" fields are not of type "string" as described by the policy.

    If your users have any issues seeing managed bookmarks, check to see if the policy has an error in chrome://policy. If you see an error, make sure the ManagedBookmarks policy uses string types for the above fields.

  • CORS enterprise policies will no longer work in Chrome 84

    The CorsMitigationList and Cors Legacy Mode Enabled policies will be removed in Chrome 83, as previously communicated.

  • The URLAllowlist policy will not allow you to allowlist external protocols in Chrome 83

    A recent release of Chrome changed the behavior of the URLAllowlist policy to let you allowlist an external protocol. To improve security, this policy will be changed back to its original behavior. As a result, external protocols will not be allowlisted through the policy.

  • Users will be able to check all their saved passwords for leaks in Chrome 83

    Chrome 79 started warning users if their credentials had been compromised in a data leak when they logged into a website. Chrome 83 will build on this feature, allowing users to check on all their saved passwords at once. This feature uses the same privacy-preserving system introduced in Chrome 79; it does not send plain-text passwords to Google.

    If you wish, you can prevent your users from accessing this feature by preventing Chrome from saving passwords, using the Password Manager Enabled policy.

  • Control over the variations framework in Chrome 83

    Admins will have more granular control over update behavior in Chrome 83. In addition to the version controls that exist today, Chrome 83 will allow admins to configure Chrome variations with the ChromeVariations (Mac, Windows, and Linux) and DeviceChromeVariations (Chrome OS) policies. You will be able to pick between:

    • Variations enabled—this is the default, and allows all variations in Chrome.
    • Critical fixes only—this will disable all experiments and progressive rollouts.
    • Variations disabled—no changes will be deployed using the variations framework. Choosing this setting significantly increases the risk of security and compatibility issues, and is not recommended.
  • Flash Dialog Changes in Chrome 83

    Chrome will add warning text to the activation prompt for Flash Player, highlighting the industry wide end of support date (Dec 2020) with a link to learn more. It is not shown to users who have Flash enabled by policy.

  • Updated UI for extensions in Chrome 83

    Chrome 83 will have an improved extensions area in both the main browser and PWA windows, with an enhanced extensions menu.

  • Updated Tabstrip UI in Chrome 83

    Chrome 83 will feature a way to group related tabs, and will display preview images when hovering over tabs.

  • Improved resource consumption when a window is not visible in Chrome 83

    To save on CPU and power consumption, Chrome will detect when a window is covered by other windows and will suspend work painting pixels. A previous version of this feature had an incompatibility with some virtualization software. Known bugs have been fixed, but if you experience any issues, you will be able to disable this feature using the NativeWindowOcclusionEnabled policy.

    This feature will roll out to some users in Chrome 83.

  • DTLS 1.0 will be removed in Chrome 83

    DTLS 1.0, a protocol used in WebRTC for interactive audio and video, will be removed by default in Chrome 83. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. If your enterprise needs additional time to adjust, a policy will be made available to temporarily extend the removal. 

  • Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 83

    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). E.g., http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. A policy will be provided to disable this mechanism, and another one to allow specific pages to make requests to more private IP Address Spaces.

  • Wildcards no longer supported in PluginsAllowedForUrls in Chrome 83

    Also in preparation for the Flash deprecation later this year, Chrome will be removing the ability for enterprises to define wildcards for PluginsAllowedForUrls policy in Chrome 83. If you're using wildcards in that policy, you will need to switch to specific allowlists for any sites that are still using Flash. This change is intended to help determine which sites still require updating, with time to adjust before support for Flash is removed completely in Dec 2020.

  • Chrome apps deprecation in Chrome 83

    As announced in January, Chrome apps will be phased out and ultimately disabled by June 2022. Beginning in Chrome 81, new public Chrome apps will no longer be accepted by the Chrome Web Store. Beginning in Chrome 83, Chrome will no longer support Chrome apps on Microsoft® Windows®, Apple® Mac®, and Linux®. If your organization needs extra time to adjust, a policy will be available to extend support until Chrome 87.

  • Insecure downloads will be blocked from secure pages, with changes in Chrome 83 through Chrome 86

    By Chrome 86, downloads from insecure sources will no longer be allowed when started from secure pages. This change will be rolled out gradually, with different file types affected in different releases:

    • Executables—users will be warned in Chrome 83, and files will be blocked in Chrome 84
    • Archives—users will be warned in Chrome 83, and files will be blocked in Chrome 84
    • Other non-safe types (e.g. pdfs)—users will be warned in Chrome 84, and files will be blocked in Chrome 85
    • Other files—users will be warned in Chrome 85, and files will be blocked in Chrome 86

The existing InsecureContentAllowedForUrls policy can be used to allow specific page URLs to download insecure files. You can read more details in our blog post.

  • Cross-origin fetches will be disallowed from content scripts in Chrome Extensions in Chrome 85

    As part of an effort to improve Chrome Extension security, cross-origin fetches are being disallowed from content scripts in Chrome Extensions. Cross-Origin Read Blocking (CORB) has already applied to content scripts since M73. We plan to also enable CORS for content script requests starting in M85, which will reach the stable channel around June 9th. We expect most extensions to be unaffected by the CORS change, but there is a chance that some requests initiated from content scripts may start to fail.

    Please test Chrome Extensions that your business depends on, to make sure they work with the new behavior when Chrome is launched with the following cmdline flags (in 81.0.4035.0 or later):

    --enable-features=OutOfBlinkCors,CorbAllowlistAlsoAppliesToOorCors

    During the test, watch for fetches or XHRs that are initiated by content scripts and blocked by CORS. If extensions you depend on are affected, then please open bugs to add the affected extensions to a temporary allowlist to exempt them from the change. The changes only affect fetches or XHRs for content types not blocked by CORB (such as images, JavaScript, and CSS), and only if the server does not approve the CORS request with an Access-Control-Allow-Origin response header.

    For more details please see: www.chromium.org

  • Factor in scheme when determining if a request is cross-site in Chrome 84

    Chrome 84 will modify the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. E.g., http://site.example and https://site.example will be considered cross-site to each other.

  • The ForceNetworkInProcess policy will no longer take effect in Chrome 84

    Chrome 73 introduced a change to move network activity into a separate process. We were aware of known incompatibilities with some third-party software that injected into Chrome's process, so the ForceNetworkInProcess policy was provided as a temporary stop-gap to revert to the old behavior. The transition period for this change will end in Chrome 84, and the policy will no longer have any effect.

Upcoming Chrome OS changes

  • Adding print server support for CUPS

    We’re working on a feature to add support for Common UNIX Printing System (CUPS) printing from print servers on Chrome OS. You and your users will be able to configure connections to external print servers and print from the printers on servers using CUPS.

 
Chrome 80

Chrome Browser updates

  • Updates to cookies with SameSite

    Starting in Chrome 80, cookies that don’t specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None. Cookies with SameSite=None must also be marked Secure and delivered over HTTPS. To reduce disruption, the updates will be enabled gradually, so different users will see it at different times. We recommend that you test critical sites using the instructions for testing.

    You will be able to revert to the legacy cookie behavior using policies until Chrome 88. You can specify trusted domains using LegacySameSiteCookieBehaviorEnabledForDomainList or control the global default with LegacySameSiteCookieBehaviorEnabled. For more details, visit Cookie Legacy SameSite Policies.

  • Pop-ups and synchronous XHR requests not allowed on page unload

    Pop-ups and synchronous XHR requests won’t be allowed on page unload. This change will improve page load time and make code paths simpler and more reliable. If you encounter incompatibilities with legacy software, you will be able to revert to behavior matching Chrome 79 and earlier using the following policies, which will be available until Chrome 88:

  • Control data types in Chrome sync

    Chrome users have the ability to granularly enable or disable each type of data that’s synchronized in the advanced Data from Chrome sync settings. In Chrome 80, you can also control the data types synced using the SyncTypesListDisabled policy.

  • Changes to how HTTPS pages load secure subresources in Chrome 80 and 81

    In Chrome 80, http:// audio and video resources on https:// pages will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Users can unblock affected audio and video resources by clicking on the lock icon on the address bar and selecting Site Settings. In Chrome 80, http:// images on https:// pages will still be allowed to load, but users will see  “Not Secure” on the address bar.

    In Chrome 81, http:// images on https:// pages will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://.

    You can control these changes using the StricterMixedContentTreatmentEnabled policy, which disables autoupgrades for audio and video and the warning for images. This policy is a temporary policy and will be removed in Chrome 84. The InsecureContentAllowedForUrls and InsecureContentBlockedForUrls policies will control the site setting described above. 

    You should begin ensuring that resources in pages are fetched over HTTPS and manage exceptions using a policy. For more information, see the Chromium blog.

  • Control if websites can check for user payment methods

    The PaymentMethodQueryEnabled policy allows you to control if websites can check for user payment methods. For details, see PaymentMethodQueryEnabled.

  • Web Components v0 removed

    The Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were supported only by Chrome Browser. To ensure interoperability with other browsers, late last year, we announced that these v0 APIs were deprecated and will be removed in Chrome 80. For more information, see the Web Components update.

    Until Chrome 85, you can use the WebComponentsV0Enabled policy to re-enable web components v0.

  • Introduction of tab groups for some users

    Starting in Chrome 80, some users will be able to organize their tabs by grouping them on the tab strip. Each group can have a color and a name to help your users keep track of their different tasks and workflows. A wider rollout is planned for Chrome 81.

  • Block external extensions

    In Chrome 80, you can use the BlockExternalExtensions policy to stop the installation of external extensions on your devices. The policy will not block kiosk apps or extensions installed by policy.

  • Chrome Browser Cloud Management Reporting Companion no longer required

    The functionality previously provided by the Chrome Browser Cloud Management - Reporting Companion extension has been integrated directly into Chrome Browser. If you’re using Chrome Browser Cloud Management, users will no longer see the extension on their devices when reporting is turned on. No action is required from admins or users.

Chrome OS updates

  • Enable autorotate for tablet devices with connected external inputs

    Autorotation will stay enabled when you connect a mouse to a device in tablet mode. You can pair a mouse with a tablet in portrait mode or a convertible device in tent mode without having to manually rotate your screen.

  • Switch default Linux (Beta) container to Debian 10 (Buster)

    Developers who set up Linux (Beta) for the first time will now receive a container with Debian 10 (Buster). Previously, containers used Debian 9 (Stretch). Existing Debian 9 containers will be upgraded in the future.

  • Policy to show PIN pad on sign-in and lock screen for tablets

    In certain environments, such as K–6 education, you might assign numeric-only passwords when more complex passwords are too cumbersome or hard to remember. To make signing in easier on Chrome OS touchscreen devices, you can now show the PIN pad on the sign-in and lock screens by default. Users can still get to the virtual keyboard to enter a full alphanumeric password if needed. For details, see the DeviceShowNumericKeyboardForPassword policy.

  • New notification for Chromebook Enterprise enrollment

    In Chrome 80, you no longer need to press Ctrl+Alt+E to begin the device enrollment process. At the end of the onboarding process, you'll see a welcome page where you can start enrollment. This is only available for Chromebook Enterprise devices.

Admin console updates

  • Quick switch between pages

    Admins can now quickly switch between each of the Chrome pages in the Admin console. Click the current page name to navigate to the other pages.

 

New and updated policies (Chrome Browser and Chrome OS)

Policy Description
AmbientAuthenticationInPrivateModesEnabled Enables ambient authentication for profile types
DNSInterceptionChecksEnabled Enables DNS interception checks
NTPCustomBackgroundEnabled Allows users to customize the background on the New Tab page
PaymentMethodQueryEnabled Allows you to control if websites can check for user payment methods
PrinterTypeDenyList Disables printer types on the deny list
StricterMixedContentTreatmentEnabled Controls treatment for mixed content
SyncTypesListDisabled Controls data types that should be excluded from synchronization

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • Known incompatibility with older versions of Carbon Black Protection (Bit9) in Chrome 81

    Carbon Black Protection (previously known as Bit9) has a known incompatibility with Chrome 81, which causes multisecond delays to some page loads. An upcoming version of Carbon Black Protection (8.1.8) will fix the incompatibility.

  • Improved resource consumption when window not visible in Chrome 81

    To save on CPU and power consumption, Chrome 81 will detect when a window is covered by other windows and will suspend work painting pixels. A previous version of this feature had an incompatibility with some virtualization software. Known bugs have been fixed, but if you experience any issues, you will be able to disable this feature using the NativeWindowOcclusionEnabled policy.

  • Ambient authentication disabled by default in Incognito mode and guest sessions in Chrome 81

    Ambient authentication (NTLM/Kerberos) will be disabled by default in Incognito mode and guest sessions in Chrome 81. To revert to the old behavior and allow ambient authentication, use the AmbientAuthenticationInPrivateModesEnabled policy.

  • TLS 1.3 hardening measure implemented in Chrome 81

    TLS 1.3 includes a hardening measure to strengthen the protocol’s protections against a downgrade to TLS 1.2 and earlier. This measure is backward compatible and doesn’t require that proxies support TLS 1.3. It only requires that proxies correctly implement TLS 1.2. However, last year, we had to partially disable this measure due to bugs in some noncompliant, TLS-terminating proxies.

    The following list contains the minimum firmware versions for affected products that we're aware of:

    Palo Alto Networks:

    • PAN-OS 8.1 must be upgraded to 8.1.4 or later.
    • PAN-OS 8.0 must be upgraded to 8.0.14 or later.
    • PAN-OS 7.1 must be upgraded to 7.1.21 or later.

    Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):

    • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later.
    • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later.
    • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later.

    You can opt in to the new measure to test it and confirm if your proxy is affected using the TLS13HardeningForLocalAnchorsEnabled policy. If you encounter problems, you should upgrade affected proxies to fixed versions.

    Starting in Chrome 81, the new measure will become the default. However, you will be able to use the same policy to opt out if you need to upgrade affected proxies. This policy will be available until Chrome 86.

  • DNS-over-HTTPS in Chrome 81
    The DNS requests of some users are being autoupgraded to their DNS provider’s DNS-over-HTTPS (DoH) service if available, but DoH is disabled by default for managed devices running Chrome OS and for desktop Chrome Browser instances that are domain joined or have at least one active policy.

    In Chrome 81, DoH is expected to launch by default for all remaining users. You can disable DNS-over-HTTPS for your users with the DnsOverHttpsMode policy. Setting it to "off" will ensure your users are not affected by DoH

  • FTP support will be removed in Chrome 81
    FTP will no longer be directly supported in Chrome 81. Your users should use a native FTP client instead. 

  • New Chrome UI for legacy TLS versions in Chrome 81
    The Chrome team recently announced updated plans for the deprecation of legacy TLS versions (TLS 1.0 and 1.1). In Chrome 81, we will mark sites that do not support TLS 1.2 and above with a full-page warning telling users that the connection is not fully secure. 

    If users have sites affected by these changes and need to opt out, you can use the SSLVersionMin policy to disable the security indicator and warning. To allow TLS 1.0 and later without additional warnings, set the policy to tls1. The SSLVersionMin policy will work until January 2021. More details are available in our blog post.

  • Shared clipboard between computers and Android devices in Chrome 82
    Users will have the option to share their clipboard content between their computers and Android devices. To share, they need to have Chrome Browser installed, be signed in on both devices with the same account, and have Chrome sync turned on. 

    The text is end-to-end encrypted, and Google can’t see the contents. You can control this feature using the SharedClipboardEnabled policy.

  • Changes to the ManagedBookmarks policy in Chrome 82
    The ManagedBookmarks policy will be subject to stricter verification in Chrome 82. On Android and Apple® macOS®, this policy might become invalid if any of "name", "toplevel_name", or "url" fields are not of type "string" as described by the policy.

  • Chrome apps deprecation in Chrome 83
    As announced in January, Chrome apps will be phased out and ultimately disabled by June 2022. Beginning in Chrome 81, new Chrome apps will no longer be accepted by the Chrome Web Store. Beginning in Chrome 83, Chrome will no longer support Chrome apps on Microsoft® Windows®, Apple® Mac®, and Linux®. If your organization needs extra time to adjust, a policy will be available to extend support until Chrome 87.

  • The ForceNetworkInProcess policy will no longer take effect in Chrome 84
    Chrome 73 introduced a change to move network activity into a separate process. We were aware of known incompatibilities with some third-party software that injected into Chrome's process, so the ForceNetworkInProcess policy was provided as a temporary stop-gap to revert to the old behavior. The transition period for this change will end in Chrome 84, and the policy will no longer have any effect.

Upcoming Chrome OS changes

  • Adding print server support for CUPS

    We’re working on a feature to add support for Common UNIX Printing System (CUPS) printing from print servers on Chrome OS. You and your users will be able to configure connections to external print servers and print from the printers on servers using CUPS.

  • Updates for USB devices with Linux

    From the Chrome shell (crosh), you’ll be able to attach a USB device to Linux apps running on a Chromebook so that Linux apps can access the Linux instance.

Upcoming Google Admin console changes

  • Chrome OS kiosk mode support for web apps

    In a future Chrome OS release, devices in kiosk mode will support Progressive Web Apps and websites. Support will include Auto-Launch App mode.

  • Android on Chrome OS kiosk mode
    In Chrome 81, you will no longer have access to set new policies for Android apps in kiosk mode. Existing policies for Android apps in kiosk mode will not be impacted and will be supported until June 2021.

 

Chrome 79

Chrome Browser updates

  • Drive integration in the address bar

    Rolling out in the coming weeks, users will be able to search for Google Drive files that they have access to from the address bar. Their input will search through both titles and document contents and the most relevant documents based on their history will appear.

    This behavior is on by default and can be controlled from the G Suite admin console or by individual users in their Chrome settings. You can see more details in this G Suite announcement.

  • HTTPS pages will only be able to load secure subresources, with changes from Chrome 79 to Chrome 81

    In Chrome 79, we’re introducing a new setting to unblock mixed content on specific sites. This setting will apply to mixed scripts, iframes, and other types of content that Chrome currently blocks by default. End users can switch this setting by clicking the lock icon on any https:// page and clicking Site Settings

    In Chrome 80, mixed audio and video resources will be auto-upgraded to https://, and Chrome will block them by default if they fail to load over https://. Users can unblock affected audio and video resources with the setting described above. Also in Chrome 80, mixed images will still be allowed to load, but they will cause Chrome to show a “Not Secure” chip in the omnibox.

    In Chrome 81, mixed images will be auto-upgraded to https://, and Chrome will block them by default if they fail to load over https://.

    The breaking changes coming in Chrome 80 and 81 will be controllable by enterprise policy.  Enterprise policies to control this feature will be StricterMixedContentTreatmentEnabled which disables autoupgrades for audio and video, and the warning for images, this one will be temporary and we'll remove it on Chrome 84. 

    InsecureContentAllowedForUrls/InsecureContentBlockedForUrls will control the setting described above. More information on these changes is available in the Chromium blog. Admins should begin ensuring that resources in pages under their control are fetched over HTTPS. Exceptions can be managed through policy. 

  • Better password and phishing protections in Chrome

    For more details on how these work, see this blog post.

    • Users warned if credentials are leaked: Starting in Chrome 79, we will notify users if their credentials are part of a known data breach. The system can detect this without sending plain-text passwords to Google. You will be able to enable or disable this feature for your users using the PasswordLeakDetectionEnabled policy. 

    • Realtime phishing detection: We'll also be offering enhanced protection against quick-changing sites, by inspecting page URLs with Safe Browsing's servers in real-time, resulting in a 30% increase in protections. We will initially be rolling out this protection for users who have already opted into the ‘Make searches and browsing better’ option in Chrome. Enterprises administrators can manage this setting directly using the UrlKeyedAnonymizedDataCollectionEnabled policy.

    • Expanding predictive phishing protection: With this latest release, we’re also expanding Chrome Safe Browsing’s predictive phishing protections to everyone signed in to Chrome, even if you have not enabled Sync. In addition, this feature will now work for all the passwords you have stored in Chrome’s password manager. This protection will not be enabled if your users are not signed into Chrome and have not enabled Chrome Password Manager. You could also choose to disable Chrome Safe Browsing using the SafeBrowsingEnabled policy. We discourage doing this as it will disable all built-in anti-abuse protections in Chrome.

  • CORS implementation is more secure  

    Chrome is modifying its Cross-Origin Resource Sharing (CORS) implementation to be more secure. As a result, the following changes will be introduced incrementally, starting on January 6th, 2020. This gradual rollout will happen over the following several weeks:

    • Extensions’ webRequest API—Before this change, extensions that have the webRequest permission could modify any network request headers and they would be ignored by the CORS protocol. However, in Chrome 79, the CORS protocol inspects modified headers and will trigger a CORS preflight request to the destination servers when the modified request doesn’t meet the SimpleRequest requirement. If enterprise users are using a Chrome extension that’s affected by this change, the extension author will need to update the extension to specify ‘extraHeaders’ in opt_extraInfoSpec, or update the server-side logic to accept the CORS requests correctly. See the Extensions API document for more details.

    • Headers injected by Chrome—Before this change, headers injected by Chrome for a particular enterprise policy didn't trigger the CORS protocol. However, in Chrome 79, this will trigger a CORS preflight request. Server implementations might need to be updated to handle CORS preflight requests.

    If you need extra time to adapt to this CORS migration, there are two enterprise policies available to you. These are temporary policies which will only be available until Chrome 82.

    • CorsLegacyModeEnabled—Enable the old CORS implementation, which is compatible with Chrome 78 and earlier versions. You can use this policy to opt-out of this gradual rollout.

    • CorsMitigationList—This policy sets the ‘extraHeaders’ in opt_extraInfoSpec internally so that any Extension that is not ready for this CORS migration can work without modifications. You can also specify customized headers that should be ignored by CORS checks.

    The OOR-CORS Troubleshooting page will help investigate incompatibility issues and customize these policies.

  • Trial of autoupgrade for DNS-over-HTTPS

    The DNS requests of some users will autoupgrade to their DNS provider’s DNS-over-HTTPS (DoH) service if available. During this trial, DoH will be disabled by default for managed devices running Chrome OS and for desktop Chrome Browser instances that are domain joined or have at least one active policy.

    You can disable DNS-over-HTTPS for your users with the DnsOverHttpsMode policy. Setting it to "off" will ensure your users are not affected by DoH.

  • Click-to-call

    Users are able to click on a phone number in Chrome to send it to their Android phone. To send the number, users need to have Chrome Browser installed and be signed in on both devices with the same account. The number is end-to-end encrypted and Google can’t see the contents. You can control this behavior with the ClickToCallEnabled enterprise policy.

  • Audio sandbox

    The audio service on Windows will be sandboxed in Chrome 79 for added security. We have seen incompatibilities with certain configurations of AppLocker in Chrome 77, although these have been fixed in Chrome 78. Other similar products might also have issues with the sandbox. If your users have issues with audio playing in Chrome 79, you can disable the audio sandbox using the AudioSandboxEnabled policy.

  • New Chrome UI for legacy TLS versions in Chrome 79 and Chrome 81

    The Chrome team recently announced our updated plans around our deprecation and planned removal of legacy TLS versions (TLS 1.0 and 1.1). Starting in January 2020 in Chrome 79, we will mark sites that do not support TLS >=1.2 as "Not Secure" and no longer show the lock icon for them.

    In Chrome 81, we will start showing a full-page interstitial warning telling users that the connection is not fully secure. 

    If enterprise users have sites affected by these changes and need to opt out, admins can use the existing SSLVersionMin policy to disable the security indicator and interstitial warning on all affected sites. Admins should set it to "tls1" to allow TLS 1.0 and later without additional warnings. This policy will work until January 2021. More details are available in our blog post.

  • New policy for controlling memory

    We’re introducing a new policy to give admins more control over Chrome's memory usage, which allows you to better manage shared virtual sessions. The TotalMemoryLimitMb policy configures the amount of memory that a single Chrome instance can use before starting to discard background tabs. When discarded, the memory used by the tab is freed, and the user will have to reload the tab when switching to it.

    If the policy is set, Chrome will begin to discard tabs to save memory once the user exceeds the limit. However, there is no guarantee that Chrome will always run under the limit—for example, the active tab is never discarded. Any value under 1,024 will be rounded up to 1,024. If this policy is not set, the browser will only attempt to save memory after it has detected that the amount of physical memory on its machine is low (available on Windows and Mac).

  • On Linux, server certificate verification will use the built-in certificate verifier instead of NSS

    Chrome on Linux will perform verification of server certificates using the built-in certificate verifier instead of NSS, starting in Chrome 79. The built-in verifier will still use the NSS trust store, so we expect that users won’t see this change. However there are some cases where differences might occur:

  • Certificates with invalid encodings: The built-in verifier is stricter about enforcing spec compliance and might reject some certificates that NSS allowed. This should not affect any publicly trusted certificates, but might affect enterprises with internal PKIs.

  • Directly trusted end-entity (leaf) certificates: The built-in verifier does not support directly marking server certificates as trusted; certificates must be issued by a CA that is trusted.

  • The verifier can be toggled using the BuiltinCertificateVerifierEnabled policy, allowing affected enterprises a chance to update their certificate infrastructure if they are affected by the transition. The policy will be supported through Chrome 82 on Linux to give enterprises sufficient time to update and test their infrastructure. Chrome OS switched to the built-in verifier in Chrome 77, and the policy will be supported on that platform through Chrome 80.

  • Chrome Browser Cloud Management Reporting Companion is no longer required

    The functionality previously provided by the "Chrome Cloud Management - Reporting Companion" extension has been integrated directly into Chrome. If you're using Chrome Browser Cloud Management, some of your users will no longer see this extension on your fleet when you enable reporting. It will be completely removed for all users in Chrome 80. No action is required from you or your users.

  • Chrome Renderer Integrity protects users

    Chrome Renderer Integrity is on by default for users on Microsoft® Windows® 10 version 1511 and later. It prevents unsigned modules from loading in Chrome Browser’s renderer processes that deal with user content to prevent certain types of malicious attacks.

    Chrome 78 enabled this feature, but it was rolled back due to unforeseen incompatibilities with other software. Those issues have been addressed, and this will be rolled out again in Chrome 79. Affected software and mitigations are listed in this support thread.

    To help with any incompatibilities, you can temporarily disable Chrome Renderer Integrity using the RendererCodeIntegrityEnabled policy.

Chrome OS updates

  • Continued improvements to Virtual Desks

    With Chrome 79, we are rolling out new improvements for virtual desktops, which are called Virtual Desks in Chrome OS. One improvement is when you open a link, it will always open on your current desk. This helps you keep your workspaces separated.

  • New Overview mode for tablets
    When in tablet mode, there's an updated Overview mode. It makes it easy to scroll through your open windows, and works well on smaller screens. For split screen, just long press on a window to drag it to the left or right side to start split screen. The new Overview is available in tablet mode only on slates, convertibles, and detachables.
  • Lock Screen Media Controls

    We are adding media controls to the Chrome OS lock screen. This will allow users to see what is playing and control playback while the device is locked.

  • Unified App Management for end users in Settings

    Basic settings and permissions of apps in Chrome OS can now be managed from the new App Management feature, available in Settings. 

  • Broader Crostini support for arbitrary ports on localhost

    Previously, web developers using Linux Beta (aka Crostini) could only access local servers in Chrome if they were running on a small number of allowlisted ports. This restriction has been lifted, and now it no longer matters what port the local server is using.

  • General PPD Attribute Support in CUPS

    Advanced printing features are now supported in print preview for native printers under “Advanced Settings”. This includes advanced finishing features like stapling, hole punch, paper tray selection, and many more! Please note, specific printing features will vary based on printer compatibility and how the printer is configured.

  • Printing Metrics API

    New printingMetrics API is now available for forced installed extensions to see a managed user’s print history when printing to a native printer. To learn more about the API, please visit the developer API page.

  • SAML default on for Enterprise

    Currently, SAML SSO is deactivated for Chromebooks by default. This means that if you are using a SAML provider your users are able to access their accounts and their G Suite services on any device other than a Chromebook. From January 2020, we will activate SAML SSO for Chromebooks of new accounts, meaning your users will no longer be restricted to non-Chrome OS devices.

  • Simplifying the Out of Box experience for Android apps

    Currently, Google Play is deactivated by default. When activated, the Managed mode, which allows you to restrict the apps that users can install, is selected by default. Starting on December 2, 2019, we activated Google Play by default in All Access Mode (for all managed accounts, except Education users). This means that enterprise users will be granted full access to the managed Google Play store; allowing them to search and install any app on their Chrome devices, including apps you haven’t approved. 

Admin Console updates

  • New managed guest session settings page rolling out soon

    The new managed guest session settings page is rolling out and will be available for all customers soon. The new page features a redesigned search interface, more information about policy inheritance, and a few new policies. 

  • Remote configuration of driverless printers
    Driverless printers are now supported from the Printer Management page in the Admin console. Administrators can now remotely configure printers that rely on auto discovery (using IPP to query the printer and set job attributes for the print job) to connect. Previously, only PPD based printers could be configured from the admin console.

  • Initiate remote desktop connection for kiosk devices from Admin console
    IT admins can now remotely initiate a Chrome Remote Desktop connection into a kiosk device and take control of the device for support and troubleshooting from the Device Details page in the Admin console.

New and updated policies (Chrome Browser and Chrome OS)

Policy Description
AudioSandboxEnabled
Browser Only
Allow the audio sandbox to run. If third-party software is interfering with Chrome's audio, setting this policy to false may resolve the issue.
ClickToCallEnabled Enable the Click to Call feature which allows users to send phone numbers from Chrome Desktops to an Android device when the user is Signed-in.
CorsLegacyModeEnabled Use the legacy CORS implementation rather than new CORS
CorsMitigationList Enable CORS check mitigations in the new CORS implementation
DefaultInsecureContentSetting Control use of insecure content exceptions
ExternalProtocolDialogShowAlwaysOpenCheckbox
Browser Only
Show an "Always open" checkbox in external protocol dialog
InsecureContentAllowedForUrls Allow insecure content on these sites
InsecureContentBlockedForUrls Block insecure content on these sites
LegacySameSiteCookieBehaviorEnabled Default legacy SameSite cookie behavior setting
LegacySameSiteCookieBehaviorEnabledForDomainList Revert to legacy SameSite behavior for cookies on these sites
SharedClipboardEnabled Enable the Shared Clipboard Feature
TLS13HardeningForLocalAnchorsEnabled Enable a TLS 1.3 security feature for local trust anchors
WebRtcLocalIpsAllowedUrls URLs for which local IPs are exposed in WebRTC ICE candidates

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • SyncTypesListDisabled policy in Chrome 80

    Chrome users have the ability to granularly enable or disable each type of sync data. In Chrome 80, this control will also be an enterprise policy, so that admins can control the sync types across their organization.

  • PaymentMethodQueryEnabled in Chrome 80

    We are working on an enterprise policy that allows you to set whether websites are allowed to check if your user has payment methods saved. If the setting is enabled or not set, then websites are allowed to check if the user has payment methods saved. If this policy is set to disabled, websites that use PaymentRequest.canMakePayment or PaymentRequest.hasEnrolledInstrument API will be informed that no payment methods are available.

  • Tab freezing on desktop in Chrome 80

    Chrome 80 will introduce a new feature to save memory, CPU, and battery for Windows, Mac, Linux, and Chrome OS. Tabs that have been in the background for 5 minutes or more will be frozen, as long as Chrome detects that they are freezable (such as not playing audio). Frozen pages are not able to run any tasks. Web developers can opt their pages out of freezing with an origin trial. You will be able to disable this behavior with the TabFreezingEnabled policy.

  • Pop-ups and synchronous XHR requests not allowed on page unload in Chrome 80

    Pop-ups and synchronous XHR requests won’t be allowed on page unload. This change will improve page load time and make code paths simpler and more reliable. If you encounter incompatibilities with legacy software, you will be able to revert to behavior matching Chrome 79 and earlier using the following policies, which will be available until Chrome 82: