Set Chrome device policies

For administrators who manage Chrome policies from the Google Admin console.

As a Chrome Enterprise admin, you can control settings that apply when people use a managed Chrome device, such as a Chromebook. Device-level settings apply for anyone who uses the device, even if they sign in as a guest or with a personal Gmail account.

Specify device settings

Before you begin: To make settings for a specific group of devices, put the devices in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Devices.

    To see Devices, you might have to click More controls at the bottom.

  3. On the left, click Chrome management.
  4. Click Device settings.
  5. On the left, select the organizational unit where you want to configure settings.
    For all devices, select the top-level organization. Otherwise, select a child organization. Initially, an organizational unit inherits the settings of its parent.
  6. Make the settings you want. Learn about each setting.

    Tip: Quickly find a setting by typing in Search settings at the top.

    The Admin console marks whether a setting is Inherited or overridden (marked Locally applied).

  7. At the bottom, click Save.

    Settings typically take effect in minutes. But they might take up to 24 hours to apply for everyone.

Learn about each setting

Applies to managed Chromebooks and other devices that run Chrome OS.

  • If you see Device-specific setting Device-specific setting, this means the setting is only available with specific device types​. 
  • Some settings aren’t available for devices that are enrolled as single-app kiosks.

Enrollment and Access

Forced re-enrollment
This setting is set to Force device to re-enroll into this domain with user credentials after wiping by default. To turn this off, select Device is not forced to re-enroll after wiping. Once enabled, if you don't want a Chrome device to re-enroll in your domain, you need to deprovision the device. Learn more about forced re-enrollment.
Verified access

Verified access is a Chrome device setting that enables a web service to request proof that its client is running an unmodified Chrome OS that’s policy-compliant (running in verified mode if required by the administrator).

The Verified access setting includes the following controls:

Enable for content protection–Ensures that Chrome devices in your organization will verify their identity to content providers using a unique key (Trusted Platform Module). Also with this feature enabled, Chromebooks can attest to content providers that they are running in Verified Boot mode.

Disable for content protection–If disabled, some premium content may be unavailable to your users. Learn more.

For more details and instructions, admins should see Enable Verified Access with Chrome devices. Developers should see the Google Verified Access API Developer Guide.

Verified mode

Require verified mode boot for verified access–Device must be running in verified boot mode for device verification to succeed. Devices in dev mode will always fail the verified access check.

Skip boot mode check for verified access–Allows dev mode devices to pass the verified access check.

Service accounts which are allowed to receive user data–List email addresses of the service accounts that gain full access to the Google Verified Access API. These are the service accounts created in Google Cloud Platform Console.

Service accounts which can verify users but do not receive user data–List email addresses of the service accounts that gain limited access to the Google Verified Access API. These are the service accounts created in Google Cloud Platform Console.

For instructions on using these settings with verified access, admins should see Enable Verified Access with Chrome devices. Developers should see the Google Verified Access API Developer Guide.

Disabled device return instructions

This setting controls the custom text on the disabled device screen. We recommend you include a return address and contact phone number in your message so that users who see this screen are able to return the device to your organization.

Integrated FIDO second factor

Specifies whether users can use 2-Factor Authentication (2FA) on devices with a Titan M security chip.

Settings

Guest mode

Controls whether to allow guest browsing on managed Chrome devices. If you select Allow guest mode (the default), the main sign-in screen offers the option for a user to sign in as a guest. If you select Disable guest mode, a user must sign in using a Google Account or G Suite account. When a user signs in using guest mode, your organization's policies are not applied.

restriction

This setting enables you to control which users have permission to sign in to a managed Chrome device.

When the default Restrict sign-in to list of users is selected, and the textbox is left empty, any user with a Google Account or G Suite account can sign in, and the +Add user button is available on the sign-in screen.

However, if you include one or more user names in the text box, only the named users can sign in; other users will receive an error message. Enter user names in the form of their primary email addresses, with names separated by commas. The names can include the wildcard * (to match any set of characters). The +Add user button will be available as long as not all of the users in your list have been added to the device, or if you use a wildcard such as * If all of your specific users have been added to the device, then the +Add user button will be grayed out.

If you select Do not allow any user to sign in, no one will be able to sign in to the Chrome device with their Google Account or G Suite account. Also, the +Add user button will be grayed out on the sign-in screen. Note: This setting only works for Chrome devices on Chrome OS 28 and later. Users with prior versions of Chrome OS on their computer will still be able to sign in. This setting is commonly used on devices intended for use with managed guest sessions.

Users will be able to use the device regardless of which restriction setting you use if you have guest browsing or managed guest sessions enabled.

If you have enabled Android apps on supported Chrome devices in your organization, this policy alone will not control whether additional accounts may be added within Android settings in a user session. You can control that using Account Management.

Autocomplete domain

This setting lets you choose a domain name to present to users on their sign-in page. When you enable this setting, users don't need to type the part of their username during sign in.

This setting is off by default. To turn it on, from the drop-down list, select Use the domain name, set below, for autocomplete at sign-in and enter your domain name.

Note: You can override this setting by typing your full username when you sign in.

screen

Specifies whether the Chrome device's sign-in screen displays the names and pictures of users who have signed in to the device.

  • To let users choose their user account on the sign-in screen—Select Always show user names and photos.
  • To prevent user accounts from being displayed on the sign-in screen—Select Never show user names and photos. Users are prompted to enter their Google Account username and password each time they sign in to their Chrome device. If you have SAML single sign-on (SSO) for Chrome devices and send users directly to the SAML identity provider (IdP) page, Google redirects them to the SSO sign-in page without entering their email address.

If users are enrolled in 2-Step Verification, they’ll be prompted to perform their second verification step each time they sign in to their Chrome device.

Device off hours

Only available in the legacy Admin console.

Allows you to set a weekly schedule when the guest browsing and sign-in restriction settings don’t apply to managed devices running Chrome OS. 

For example, school admins can block guest browsing or only allow users with a username ending in to sign in during school hours. Outside of school hours, users can browse in guest mode or sign in to their device using an account other than their account.

Device wallpaper image

Replaces the default wallpaper with your own custom wallpaper on the sign-in screen. You can upload images in JPG format (.jpg or .jpeg files) up to a maximum size of 16 megabytes. Other file types are not supported. Note: This setting works only for Chrome devices on Chrome OS 61 and later.

User data

Specifies whether enrolled Chrome devices delete all locally-stored settings and user data every time a user signs out. Data the device syncs persists in the cloud but not on the device itself.

Single sign-on IdP redirection

Requirement for this setting: Have SAML SSO configured for Chrome devices

To allow your single sign-on users to navigate directly to your SAML Identity Provider (IdP) page instead of first having to type in their email address, you can enable single sign-on IdP Redirection. This setting is disabled by default.

Single sign-on cookie behavior

Requirement for this setting: Have SAML SSO configured for Chrome devices

To allow your single sign-on users to log in to internal websites and cloud services that rely on the same Identity Provider on subsequent sign-ins to their Chrome device, you can enable SAML SSO cookies. This setting is disabled by default.

SAML SSO cookies are always transferred on first login, but if you want to transfer cookies in subsequent logins, you need to enable this policy.

If you have enabled Android apps on supported Chrome devices in your organization, and have this policy enabled, cookies are not transferred to Android apps.

Single sign-on camera permissions

Requirement for this setting: Have SAML SSO configured for Chrome devices

To give third party applications or services direct access to the user’s camera during a SAML single sign-on flow, on behalf of your SSO users, you can enable single sign-on camera permissions. This setting can be used by a third party Identity Provider (IdP) to bring new forms of authentication flows to Chrome devices.

To add IdPs to the whitelist, enter the URL for each service on a separate line. This setting is disabled by default.

If you are using this setting to set up Clever Badges™ for your organization, refer to the Clever support site for more information.
By enabling this policy, the administrator grants third parties access to their users' cameras on their users' behalf. The administrator should ensure that they have proper consent forms in place for users as the system does not show end users any consent forms once camera permission is granted via this policy.
Single sign-on client certificates

Requirement for this setting: Have SAML SSO configured for Chrome devices.

Allows you to control client certificates for single sign-on (SSO) sites.

You enter a list of URL patterns as a JSON string. Then, if an SSO site matching a pattern requests a client certificate and a valid device-wide client certificate is installed, Chrome automatically selects a certificate for the site.

If the site requesting the certificate doesn’t match any of the patterns, Chrome doesn’t provide a certificate.

How to format the JSON string:

{"pattern":"","filter":{"ISSUER":{"CN":"certificate issuer name"}}}

The ISSUER/CN parameter (certificate issuer name above) specifies the common name of the Certificate Authority (CA) that client certificates must have as their issuer to be autoselected. If you want Chrome to select a certificate issued by any CA, leave this parameter blank by entering “filter”:{}.


{"pattern":"https://[*.]","filter":{}}, {"pattern":"https://[*.]","filter":{}}, {"pattern":"https://[*.]","filter":{}}

Accessibility Control

Allows you to control accessibility settings on the sign-in screen. Accessibility settings include large cursor, spoken feedback, and high contrast mode. Select Turn off accessibility settings on the sign-in screen upon sign-out to restore accessibility settings to the defaults when the login screen is shown or the user remains idle on the login screen for one minute. Select Allow user to control accessibility settings on the sign-in screen to restore the accessibility settings that users turned on or off on the sign-in screen, even if the device is restarted.

Language

Only available in the legacy Admin console.

Specifies what language the Chrome device’s sign-in screen displays. You can also allow users to choose what language the sign-in screen on their device is displayed in.

Keyboard

Specifies which keyboard layouts are allowed on the Chrome device’s sign-in screen.

Device update settings

Note: Before changing any of the auto-update settings below, read Manage updates on Chrome devices.

Auto update settings

Automatic updates

Specifies whether Chrome devices automatically update to new versions of Chrome OS as they are released. Allow auto-updates is strongly recommended. The last several versions of Chrome OS are listed.

To stop background downloading of updates before the device is enrolled and rebooted, press Ctrl+alt+E on the End User License Agreement screen. Otherwise, downloaded updates that should have been blocked by policy might be applied when the user reboots the device.
Software support is available only for the latest version of Chrome OS.

Restrict Google Chrome version to at most

Prevents Chrome devices from updating to versions of Chrome OS beyond the version number specified. Using this setting is recommended only if a later version of Chrome OS causes compatibility issues with tools in your domain that need to be resolved prior to updating the Chrome OS version.

You can configure one or more of your Chrome devices to use the development or beta channel to help identify compatibility issues in upcoming versions of Chrome. For more information, see Chrome release best practices.

Software support is available only for the latest version of Chrome OS.

Randomly scatter auto-updates over

Specifies the approximate number of days over which managed Chrome devices in your organization download an update following its release. The downloads occur at various times during this period to avoid causing traffic spikes that can impact old or low-bandwidth networks. Devices that are offline during this period download the update when they go back online.

Set this policy to its default (none) or a low number unless you know your network can't handle traffic spikes. This lets users benefit from new Chrome enhancements and features quicker, minimizes the number of concurrent versions in your organization, and simplifies change management during the update period.

Auto reboot after updates

When Allow auto-reboots is selected, after a successful auto-update, the Chrome device will reboot when the user next signs out. Keeping Disallow auto-reboots selected will disable auto-reboots.

Currently, automatic reboots work only when the device is configured to be a managed guest session kiosk and when the sign-in screen is being shown.

Updates over cellular

Specifies the types of connections that Chrome devices can use when they automatically update to new versions of Chrome OS. By default, Chrome devices automatically check for and download updates when connected to Wi-Fi or Ethernet only. Select Allow automatic updates on all connections, including cellular to let Chrome devices automatically update when they’re connected to a mobile network.

Kiosk-controlled updates

You can allow a specific kiosk app to control the Chrome OS version of the device it’s running on. This prevents devices from updating to versions of Chrome beyond the version number specified by the app.

Clicking Select an app launches a dialog box where you can search for and select kiosk apps on the Chrome Web Store.


  • You can only specify one Chrome kiosk app at a time to control the Chrome OS version on a device.
  • In the manifest file, the app must include "kiosk_enabled": true and specify the required Chrome OS version, required_platform_version. It might take up to 24 hours for updates in the manifest file to take effect on devices. For information about how to configure settings in the app’s manifest file, see Let kiosk app control Chrome OS version.
  • You can’t allow a specific kiosk app and an autolaunched kiosk app to control the Chrome OS version of a device at the same time.
Release channel

With the Release channel setting, you can let users test the latest Chrome features by switching channels to more experimental versions. Chrome supports 3 release channels that are used to send updates to users. You can select a channel for users, or allow them to select a channel themselves:

The release channel can't be changed in the top level organization for your domain. It can only be changed by organizational unit.
  • Allow user to configure: Users can select a release channel to use. For users to select the development channel, you must set the Developer Tools user policy to Always allow use of built-in developer tools.
  • Stable Channel: This channel is fully tested and is the best choice for users to avoid crashes and other problems. It's updated every 2-3 weeks for minor changes, and every 6 weeks for major changes.
  • Beta Channel: For users to see upcoming changes and improvements with low risk, use this channel. It's usually updated weekly, with major updates every 6 weeks (more than a month before the stable channel).
  • Dev Channel (may be unstable): Select this channel for users to see the latest Chrome features. The development channel is updated once or twice a week. This build is tested, but it might have bugs.

While most organizations like to use the stable channel or allow their users to select a channel, it's useful to keep some IT personnel and users on the beta and development channels to help your organization:

  • Become familiar with new features before they appear on the stable channel.
  • Prepare users for any interface changes before the update.
  • Understand if problems are specific to certain versions of Chrome when troubleshooting.
  • Provide feedback on upcoming Chrome updates.
  • Moving a user from an older version of Chrome to a newer version, such as from stable to beta, takes effect the next time the user reboots their device.
  • Moving from a newer version of Chrome to an older version, such as from development to stable, can take longer. In this scenario, the device stays on the current version of the development channel, until the stable channel catches up, which can take some weeks.
Inactive device notifications

Inactive device notification reports

This setting is off by default. When this setting is enabled, reports about inactive devices in your domain are emailed to the addresses you specify. The reports contain:

  • Information on all inactive devices in your domain (devices that haven’t synced since the time specified in Inactive Range)
  • The total number of inactive devices, including how many are newly  inactive, for each organizational unit.
  • A link to detailed information on each device, such as the organizational unit, serial number, asset ID, and last sync date if there are less than 30 devices that are newly inactive.

Note: Some information in the reports might be delayed up to 1 day. For example, if a device synced in the last 24 hours but was previously inactive, it might still appear on the inactive list, even though it is now active.

Inactive Range (days)

If a device doesn't check in to the management server for longer than the number of days you specify, then that device is considered inactive. You can set the number of days to any integer greater than 1.

For example, if you want to mark all devices that haven’t synced in the last week as inactive, enter 7 in the field for Inactive Range (days).

Notification Cadence (days)

To specify how often inactive notification reports are sent, enter the number of days in the Notification Cadence  field.

Email addresses to receive notification reports

To specify the email addresses that will receive notification reports, enter the addresses (1 per line).

Kiosk settings

Before you can configure any kiosk settings, you need to enroll the device as a kiosk. Once it's enrolled, you can find the device in your Admin console by clicking Device management > Chrome devices.

The new apps & extensions page centralizes all app & extension provisioning:

  • Configure kiosk apps
  • Set an app to auto-launch
  • Configure additional settings on the auto-launched app, such as
    • Device health monitoring
    • Device system log upload
    • Screen rotation

For details, see View and configure apps and extensions and Set app and extension policies.

Managed guest sessions

Before you can configure a Chrome device as a managed guest session, you need to make sure managed guest session settings exist for the organization the device is assigned to. Then, to set the kiosk as a managed guest session kiosk, you select Allow managed guest sessions.

For information about creating managed guest session settings, see Managed guest session devices.

To automatically launch a managed guest session on a Chrome device, select Auto-launch managed guest sessions and set Auto-launch delay to 0.

Enable device health monitoring

Only available for managed guest sessions that automatically launch on Chrome devices.

Select Enable device health monitoring to allow the health status of the kiosk to be reported. After doing this, you can check if a device is online and working properly.

For more information, see Health monitoring status displays.

Enable device system log upload

Only available for managed guest sessions that automatically launch on Chrome devices.

Select Enable device system log upload to automatically capture system logs for kiosk devices. Logs are captured every 12 hours and uploaded to your Admin console, where they’re stored for a maximum of 60 days. At any one time, 7 logs are available to download—1 for each day for the past 5 days, 1 for 30 days ago, and 1 for 45 days ago.

For more information, see Monitor kiosk health.

Note: Before you enable logs to be uploaded, you must inform the users of managed kiosk devices that their activity may be monitored and data may be inadvertently captured and shared. Without notification to your users, you are in violation of the terms of your agreement with Google.

Screen rotation (clockwise)

Only available for managed guest sessions that automatically launch on Chrome devices.

To configure screen rotation for your kiosk devices, select your desired screen orientation. For example, to rotate the screen for a portrait layout, select 90 Degrees. This policy can be overridden by manually configuring the device to a different screen orientation.

Kiosk device status alerting delivery

Check either Receive alerts via email and/or Receive alerts via SMS to receive alerts about your Chrome kiosk devices. You will receive an alert when the device goes from being on to off.

Kiosk device status alerting contact info

To receive status updates about your Chrome kiosk devices, insert one email per line in the field for Alerting emails.

To receive SMS updates about your Chrome kiosk devices, in the field Alerting mobile phones, insert one phone number per line.

User and device reporting

Device reporting

Device state reporting

This setting is on by default. Specifies whether Chrome devices enrolled in your domain report their current device state, including firmware, Chrome and platform version, and boot mode. In the Admin console, go to Device management > Chrome > Devices and click on the device's serial number to see the device details.

If you have enabled Android apps on supported Chrome devices in your organization, this policy has no effect on logging or reporting done by Android.

Device user tracking

This setting is on by default. You can track recent device users by clicking on the device in your Admin console under Device management > Chrome > Devices > device serial number > Recent Activity. Note that this setting does not take effect if the Erase all user info setting is enabled.

Anonymous metric reporting

Specifies whether the Chrome device sends Google usage statistics and crash reports whenever a system or browser process fails.

Usage statistics contain aggregated information such as preferences, button clicks, and memory usage. They don't include web page URLs or any personal information. Crash reports contain system information at the time of the crash, and may contain web page URLs or personal information, depending on what was happening at the time of the crash.

If you have enabled Android apps on supported Chrome devices in your organization, this policy also controls Android usage and diagnostic data collection.

Power and shutdown

Power management

This setting controls whether a Chrome device that is showing a sign-in screen (no user is logged-in) should go to sleep or shut down after some time, or if it should continuously stay awake. This feature is useful for Chrome devices used as kiosks to make sure they never shut down.

Scheduled Reboot

When you specify the Number of days before reboot, the device reboots after that given number of days. The reboot might not happen at the same time of day, but it might be postponed until the user next signs out. If a session is running, then a grace period of up to 24 hours applies. Currently, automatic reboots work only when the device is configured to be a kiosk and when the sign-in screen is being shown.

Google recommends that you configure kiosk apps to shut down at regular intervals to allow the Chrome OS to restart the app or entire device. For example, you can schedule the app to shut down every day at 2 AM.

Allow shutdown

Allow users to turn off the device using either the shut down icon or the physical power button is the default option. If you select Only allow users to turn off the device using the physical power button, they will not be able to turn off the device via the keyboard, mouse, or screen, but only by physically turning off the device.

This setting may be useful in specific deployment scenarios, such as if the Chrome device is being run as a kiosk or digital signage display.

Peak shift power management

Device-specific setting  Currently available with Dell Latitude 5400 and 5300 2-in-1 Chromebook Enterprise devices.

Allows you to reduce the power consumption by automatically switching the Chromebook to battery power. 

If you enable Peak shift power management:

  1. Under Peak Shift Battery Threshold, enter a percentage value between 15 and 100. If the battery percentage is above the value that you specify, the device runs from the battery.
  2. To set a daily start and end time to run Peak shift power management:

    1. Under Peak shift day configuration, select a start and end time. During the times, unless the device reaches the threshold set above, the AC power will not be used 
    2. Under Charge start time, select a time to start charging the battery
Primary battery charge configuration

Device-specific setting Currently available with Dell Latitude 5400 and 5300 2-in-1 Chromebook Enterprise devices without a Dell Long Cycle Life battery

Allows you to configure the primary battery charge mode. Choose from:

  • Standard—Fully charges the battery at a standard rate
  • Adaptive—Battery adaptively optimized based on typical usage pattern
  • Express Charge—Battery charges over a shorter period
  • Primarily AC—Extends battery life by charging mainly from AC
  • Custom—Lets you enter a time to start and stop charging based on battery percentage

Note: You cannot use this setting at the same time as the Advanced Charge battery mode setting.

Advanced Charge battery mode

Device-specific setting  Currently available with Dell Latitude 5400 and 5300 2-in-1 Chromebook Enterprise devices.

Allows you to prolong the usable life of a battery by charging to full capacity only once per day.  For the remainder of the day, batteries are in a lower charge state that’s better for storage, even when the system is plugged in to a direct power source. 

If you enable Advanced Charge battery mode, enter a daily start and end time.

Boot on AC
Device-specific setting  Currently available with Dell Latitude 5400 and 5300 2-in-1 Chromebook Enterprise devices.
If you enable Boot on AC and a device shuts down, it will turn on when plugged in to an AC adapter. 

Note: If the device is connected to a Dell WD19 docking station that’s connected to power, the Chromebook will turn on even if the setting is disabled.

USB Powershare
Device-specific setting  Currently available with Dell Latitude 5400 and 5300 2-in-1 Chromebook Enterprise devices.

Allows users to charge other devices, such as a mobile phone, through a special USB port if the Chromebook is turned off and connected to power. All USB ports charge devices when the Chromebook is in Sleep mode. 


Google Cloud Print

Only available in the legacy Admin console.

This feature allows any user of the Chrome device to print using Cloud Print. This setting is popular for Chrome devices configured for managed guest sessions.

  1. Next to Choose which Cloud printers to enable, click Manage.
  2. In the Cloud Print dialog that appears, search for and Add cloud printers for the devices in the organization you have selected.
  3. Click Save.

It can take up to 24 hours for printers to be shared with every Chrome device in the organization you selected. Any user on the device, including users using guest browsing or managed guest sessions, will be able to print from the cloud printers you've shared.

If there are printers that you don't own, which are shared with your domain, they will appear under an additional heading in the dialog box called Other printers. If a printer is no longer working or if it no there's no longer an owner in your domain, you can Remove it from the Other printers box.

Note: When printers are shared via device policy, they will appear under the "Local Destinations" section rather than the "Google Cloud Print" section.

Deployment notes:

  • You need to be the owner of the printer in Google Cloud Print to add it using the Admin console. We recommend domains with several printers to create a role account specifically to manage printers with Google Cloud Print. If your domain has this, sign in with that account to share the printers with your Chrome devices. If you don't want to give this role account Super Admin access to your domain, you can give it permission to only Manage Device Settings using delegated administrator roles in Chrome.
  • Depending on your environment and printers, you may be able to use Chrome's native printing.

Known issues:

  • Because printer ownership is tied to each G Suite account, if your domain has multiple domain admins, they may each have a different set of printers available.
  • An admin can delete/remove the printer shared by another domain admin. For example, if the printer owned by admin2 has been deleted by admin1, then admin1, cannot re-add it.
  • Currently, there isn't a way to tell if a printer in the Other printers section is active or deleted because of these known issues we're working to fix:
    • If an an admin deletes a printer in, even though it's no longer is available, it will appear under Other printers.
    • If the printer owner has been deleted, the orphaned printer will appear under Other printers.
Device network hostname template

The hostname that is passed to the DHCP server with DHCP requests.


System timezone

Specify the timezone to set for your users' devices from the drop-down list.

System timezone automatic detection

Choose one of the options to specify how a device detects and sets the current timezone:

  • Let users decide: Users control the timezone auto-detection policy using the standard Chrome OS Date and Time settings.
  • Never auto-detect timezone: Users must manually pick a timezone.
  • Always use coarse timezone detection: The device IP address is used to set the timezone.
  • Always send WiFi access-points to server while resolving timezone: The location of the WiFi access-point, that the device connects to, is used to set the timezone. This is the most accurate option.
  • Send all location information: Location information (such as WiFi access-points, reachable Cell Towers, GPS) is used to set the timezone.
Mobile data roaming

Specifies whether users on this Chrome device can go online using a mobile network maintained by a different carrier. With this setting, you fix the value of the Allow mobile data roaming check box on the Internet page in the Chrome device Settings.

If you allow data roaming, charges may apply.

USB detachable whitelist

This feature allows you to specify a list of USB devices that can be accessed directly by applications, such as Citrix Receiver. You can list devices such as keyboards, signature pads, printers and scanners, as well as other USB devices. If this policy is not configured, the list of a detachable USB devices is empty.

To add devices to the list, enter the USB vendor identifier (VID) and product identifier (PID), as a colon separated hexadecimal pair (VID:PID), for each device on a separate line. For example, to list a mouse with a VID of 046E and a PID of D626, and a signature pad with a VID of 0404 and PID of 6002, enter the following in the text box:


Note: You must enter the VID and PID in hexadecimal format only.


Choose one of the options to enable or disable bluetooth on a device:

  • Do not disable bluetooth - Bluetooth is enabled on the device.
  • Disable bluetooth - Bluetooth is disabled on the device.

If you change the policy from Disable bluetooth to Do not disable bluetooth, you must restart the device for the change to take effect.

If you change the policy from Do not disable bluetooth to Disable bluetooth, the change is immediate and you do not need to restart the device.

Throttle device bandwidth

Select Enable network throttling to control device-level bandwidth consumption on Chrome devices with Chrome 56 and later. After doing this, you should specify the download and upload speed in kbps. To ensure that devices get policy and Chrome OS updates without interruptions, the minimum speed you can specify is 513 kbps.

All network interfaces on a device are throttled, including WiFi, Ethernet, USB ethernet adapter, USB cellular dongle, and USB wireless card. All network traffic is throttled, including OS updates.

You can throttle bandwidth on Chrome devices in kiosk, managed guest session, or user mode.

TPM firmware update

By default, users can’t install a Trusted Platform Module (TPM) firmware update on devices. Select Allow users to perform TPM firmware updates to let users install a TPM firmware update that gives devices stronger security protections. For information about how users can install a firmware update, see Update your Chromebook’s security.

Note: Installing a TPM firmware update might erase a device and reset it to factory settings. Repeated failed update attempts might make a device unusable.

Virtual machines

Specifies whether users can run virtual machines on their devices running Chrome OS. Select Allow to let users install Linux apps and run Linux tools, editors, and integrated development environments (IDEs). For information about how users turn on Linux app support, see Set up Linux (Beta) on your Chromebook.

Plugin VM

Specifies whether users can use a Plugin VM on devices.

MAC address pass through

Device-specific setting  Currently available with Dell Latitude 5400 and 5300 2-in-1 Chromebook Enterprise devices.

Allows you to choose the same MAC address that the docking station uses when it’s connected to the Chromebook. After you set the address, you need to restart the Chromebook for the address to take effect.

Dell SupportAssist

Device-specific setting  Currently available with Dell Latitude 5400 and 5300 2-in-1 Chromebook Enterprise devices.

Allows you to turn on and configure the Dell SupportAssist program. For information on Dell Support Assist, go to Dell support.

Chrome Management—Partner Access

Chrome Management—Partner Access

The Chrome Management—Partner Access device setting gives EMM partners programmatic access to manage device policies, get device information, and issue remote commands. Partners can use this access feature to integrate Google Admin console functionality into their EMM console.

When partner access is turned on, your EMM partner can manage individual Chrome devices. This means they no longer have to manage devices by Admin console organization structure. Instead, they can use the structure configured in their EMM console. You can’t simultaneously set the same policy for the same device using partner access and the Admin Console. Device level policies configured using partner access controls take precedence over organization level policies set in Admin console. To enforce policies on devices at organization level, you need to uncheck the Enable Chrome Management—Partner access box.

You can also use your EMM console to set user policies. However, if you subscribe only to the Chrome Kiosk service, you can only set device policies.

Note: Currently, this setting is not available for G Suite for Education domains.

Was this helpful?
How can we improve it?