For administrators who enroll Windows, Mac, or Linux computers in Chrome Browser Cloud Management.
Chrome browser version 95 and later
As a Chrome Enterprise admin, you can force users to set up a separate profile when they sign in to Chrome browser using their managed Google Account on an unmanaged device. Creating different Chrome profiles lets users switch between their managed account and their other Google accounts, such as personal or test accounts, without signing out each time. No data or content is shared between profiles.
Your user-level Chrome policies and settings in the Google Admin console are applied only to the managed profile, not to their other profiles. You can manage and monitor managed profiles, including:
- Install your organization's Chrome extensions
- Block installation of certain unapproved extensions
- Track which extensions are installed on managed profiles
- Delete a managed profile, such as when a user leaves an organization
- Enforce certain browser settings in the managed profile
- Enable a secure browser session to access corporate data using Google BeyondCorp
Note: When users create their new managed profile on their personal device, they acknowledge the disclaimer that they are managed.
Security consideration
Users can still use a browser other than Chrome to sign into their managed Google Account. Use BeyondCorp Enterprise to restrict users’ access to corporate resources only from Chrome profiles that you manage and have threat and data protections enabled. For details, see Protect Chrome users with BeyondCorp Threat and Data Protection.
Step 1: Review policies
Policy | Description |
---|---|
SigninInterceptionEnabled | Controls whether Chrome browser offers to create or switch profiles when users sign in to a Google Account that’s different to the account that they’re currently using. Unset: Users aren’t prompted to create separate profiles. |
ManagedAccountsSigninRestriction | Use it with SigninInterceptionEnabled to require users to create a separate profile when users sign in to their managed Google Account on an unmanaged device. When some users sign in to a profile that's different from the one that they’re currently signed in to, they’ll see a link prompting them to open Chrome browser in guest mode. Unset: Users can use their managed Google Account without having to create a separate profile. |
Step 2: Set the policies
Admin console
Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, or Linux. For details, see Understand when settings apply.
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Devices > Chrome > Settings > Users & browsers.
- To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to the Sign-in settings section.
- For Signin interception, select Enable signin interception.
- For Separate profile for managed Google Identity, force users to create a separate profile for their managed account. Choose an option:
- Force separate profile—The managed account is the primary account. The profile might also have secondary accounts.
- Force separate profile and forbid secondary managed accounts—The managed account is the primary account. The profile has no secondary accounts.
- Click Save.
Applies to Windows users who sign in to a managed account on Chrome browser.
Using Group Policy
In your Microsoft Windows Group Policy Editor (Computer or User Configuration folder):
- Go to Policies > Administrative Templates > Google > Google Chrome.
- Locate and enable Enable signin interception.
Tip: If you don't see this policy, download the latest policy template.
- For Add restrictions on managed accounts, choose an option:
- primary_account
- primary_account_strict
Leaving this policy Not configured uses the Unset behavior described above.
- Deploy the update to your users.
In your Chrome configuration profile, add or update the following keys. Then, deploy the change to your users.
- Set the SigninInterceptionEnabled key to true.
- Set the ManagedAccountsSigninRestriction key to primary_account or primary_account_strict.
Using your preferred JSON file editor:
- Go to your /etc/opt/chrome/policies/managed folder.
- Create or update a JSON file.
- Apply settings:
- Set SigninInterceptionEnabled to 1.
- Set ManagedAccountsSigninRestriction to primary_account or primary_account_strict.
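Before deploying the JSON file, a quick lint can catch a file that parses but does not force profile separation. The following is an added example, not a Google tool: the function name `lint_profile_separation` and the sample documents are constructed for illustration, and only the two policy names and their values come from this page.

```python
import json

# Policy names and values are the ones listed on this page.
INTERCEPT = "SigninInterceptionEnabled"
RESTRICT = "ManagedAccountsSigninRestriction"
ENFORCING = {"primary_account", "primary_account_strict"}


def lint_profile_separation(policy_text):
    """Return a list of findings; an empty list means separation is forced."""
    try:
        doc = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object keyed by policy name"]

    findings = []
    # The Linux step writes 1 and chrome://policy reports true; accepting
    # either here is an assumption, and Step 3 shows what Chrome loaded.
    enabled = doc.get(INTERCEPT)
    if enabled is None:
        findings.append(f"{INTERCEPT} is unset: users are not prompted")
    elif not (enabled is True or (type(enabled) is int and enabled == 1)):
        findings.append(f"{INTERCEPT} is {enabled!r}: signin interception is not enabled")

    restriction = doc.get(RESTRICT)
    if restriction is None or restriction == "none":
        findings.append(f"{RESTRICT} is unset or none: a separate profile is not forced")
    elif not isinstance(restriction, str) or restriction not in ENFORCING:
        findings.append(f"{RESTRICT} has unrecognized value {restriction!r}")
    return findings


# Constructed sample documents (not taken from any real deployment).
GOOD = '{"SigninInterceptionEnabled": true, "ManagedAccountsSigninRestriction": "primary_account_strict"}'
WEAK = '{"SigninInterceptionEnabled": true, "ManagedAccountsSigninRestriction": "none"}'
TYPO = '{"SigninInterceptionEnabled": false, "ManagedAccountsSigninRestriction": "primary-account"}'
BROKEN = '{"SigninInterceptionEnabled": true,'

if __name__ == "__main__":
    for name, text in [("GOOD", GOOD), ("WEAK", WEAK), ("TYPO", TYPO), ("BROKEN", BROKEN)]:
        print(name, lint_profile_separation(text) or "OK")
```

A clean lint result only says the file asks for separation; the chrome://policy check in Step 3 remains the confirmation that Chrome applied it.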
- 222larabrown@gmail.com is a personal Google Account
- lara@examplepetstore.com is a managed Google Account
- lara@altostrat.com is another managed Google Account
Example 1
Scenario
In the Admin console, configure the settings:
- Signin Interception—Enable signin interception
- Separate profile for managed Google Identity—Force separate profile
Result
- User is signed in to Chrome browser with their personal Google Account, 222larabrown@gmail.com. User tries to sign in to a website using their managed Google Account, lara@examplepetstore.com. User is prompted to create a separate profile for lara@examplepetstore.com and separation is enforced.
- User is signed into Chrome browser with their managed Google Account, lara@examplepetstore.com. User tries to sign in to a website using their personal Google Account, 222larabrown@gmail.com or another managed Google Account, lara@altostrat.com. User is allowed to sign in only to the content area, or website, but not the browser itself. User is prompted to create a separate profile, but separation is not enforced.
Example 2
Scenario
In the Admin console, configure the settings:
- Signin Interception—Enable signin interception
- Separate profile for managed Google Identity—Force separate profile and forbid secondary managed accounts
Result
- User is signed into Chrome browser with their personal Google Account, 222larabrown@gmail.com. In Gmail, user tries to switch accounts to their managed Google Account, lara@examplepetstore.com. User is prompted to create a separate profile for lara@examplepetstore.com and separation is enforced.
- User is signed into Chrome browser with their managed Google Account, lara@examplepetstore.com. In Gmail, user tries to switch accounts to their personal account, 222larabrown@gmail.com. User is allowed to switch without creating a new profile. User might be prompted to create a separate profile, but separation is not enforced.
- User is signed into Chrome browser with their managed Google Account, lara@examplepetstore.com. In Gmail, user tries to switch accounts to another managed account, lara@altostrat.com. User is prompted to create a separate profile for lara@altostrat.com and separation is enforced, regardless of the policies that may be set in the altostrat.com domain. That way, for users with managed Google Accounts for more than one organization, data and content are not shared between profiles.
Step 3: Verify policies are applied
After you apply any Chrome policies, users need to restart Chrome for the settings to take effect. You can check users’ devices to make sure the policy was applied correctly.
- On a user’s device, go to chrome://policy.
- Click Reload policies.
- Check the Show policies with no value set box.
- For the policies that you set, make sure that Status is set to OK:
- ManagedAccountsSigninRestriction
- SigninInterceptionEnabled
- For the policies that you set, make sure that the policy values match what you set in the policy.
- ManagedAccountsSigninRestriction—none, primary_account, or primary_account_strict
- SigninInterceptionEnabled—true or false
On a user's device, to view information about how Chrome profiles are being managed, go to chrome://management.
Known issue
For devices with Chrome browser 98 or earlier, users with Sync turned on are prompted to link their Chrome data to the account while they’re creating their new profile. To continue, users should click Create a new profile.