Set Chrome device policies

For administrators who manage Chrome policies from the Google Admin console.

As a Chrome Enterprise admin, you can control settings that apply when people use a managed Chrome device, such as a Chromebook. Device-level settings apply for anyone who uses the device, even if they sign in as a guest or with a personal Gmail account.

Specify device settings

Before you begin: To make settings for a specific group of devices, put the devices in an organizational unit.​

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. On the left, click Chrome management.
  4. Click Device settings.
  5. On the left, select the organization that contains the devices you want to make settings for.

    For all devices, select the top-level organization. Otherwise, select a child organization. Learn more 

  6. Make the settings you want. Learn about each setting.

    Tip: Quickly find a setting by typing in Search settings at the top.

    Policies you set for an organization are inherited by devices in child organizations, unless overridden at a lower level. The Admin console marks whether a setting is Inherited or overridden (marked Locally applied).

  7. At the bottom, click Save.

    Settings typically take effect in minutes. But they might take up to an hour to apply for everyone.

Learn about each setting

Applies to managed Chromebooks and other devices that run Chrome OS.

Some settings aren’t available for devices that are enrolled as single-app kiosks.

Enrollment and Access

Forced Re-enrollment
This setting is set to Force device to re-enroll into this domain after wiping by default. To turn this off, select Device is not forced to re-enroll after wiping. Once enabled, if you don't want a Chrome device to re-enroll in your domain, you need to deprovision the device. Learn more about forced re-enrollment.
Verified Access

Verified Access is a Chrome device setting that enables a web service to request proof that its client is running an unmodified Chrome OS that’s policy-compliant (running in Verified Mode if required by the administrator).

The Verified Access setting includes the following controls:

Enable for Content Protection–Ensures that Chrome devices in your organization will verify their identity to content providers using a unique key (Trusted Platform Module). Also with this feature enabled, Chromebooks can attest to content providers that they are running in Verified Boot mode.

Disable for Content Protection–If disabled, some premium content may be unavailable to your users. Learn more.

Enable for Enterprise extensions–Enables Verified Access for the devices in this organizational unit. If enabled, Chrome extensions can interact with the Trusted Platform Module on the device.

Disable for Enterprise extensions–If disabled, Chrome extensions attempting to perform Verified Access will receive a permissions error.

For more details and instructions, admins should see Enable Verified Access with Chrome devices. Developers should see the Google Verified Access API Developer Guide.

Verified Mode

Require verified mode boot for Verified Access–Device must be running in verified boot mode for device verification to succeed. Devices in dev mode will always fail the Verified Access check.

Skip boot mode check for Verified Access–Allows dev mode devices to pass the Verified Access check.

Service accounts which are allowed to receive device ID–List email addresses of the service accounts that gain full access to the Google Verified Access API. These are the service accounts created in Google Developers Console.

Service accounts which can verify devices but do not receive device ID–List email addresses of the service accounts that gain limited access to the Google Verified Access API. These are the service accounts created in Google Developers Console.

For instructions on using these settings with Verified Access, admins should see Enable Verified Access with Chrome devices. Developers should see the Google Verified Access API Developer Guide.

Disabled device return instructions

This setting controls the custom text on the disabled device screen. We recommend you include a return address and contact phone number in your message so that users who see this screen are able to return the device to your organization.

Settings

Guest mode

Controls whether to allow guest browsing on managed Chrome devices. If you select Allow guest mode (the default), the main sign-in screen offers the option for a user to sign in as a guest. If you select Do not allow guest mode, a user must sign in using a Google Account or G Suite account. When a user signs in using guest mode, your organization's policies are not applied.

Restriction

This setting enables you to control which users have permission to sign in to a managed Chrome device.

When the default Restrict Sign-in to list of users is selected, and the textbox is left empty, any user with a Google Account or G Suite account can sign in, and the +Add user button is available on the sign-in screen.

However, if you include one or more user names in the text box, only the named users can sign in; other users will receive an error message. Enter user names in the form of their primary email addresses, with names separated by commas. The names can include the wildcard * (to match any set of characters). The +Add user button will be available as long as not all of the users in your list have been added to the device, or if you use a wildcard such as * If all of your specific users have been added to the device, then the +Add user button will be grayed out.

If you select Do not allow any user to Sign-in, no one will be able to sign in to the Chrome device with their Google Account or G Suite account. Also, the +Add user button will be grayed out on the sign-in screen. Note: This setting only works for Chrome devices on Chrome OS 28 and later. Users with prior versions of Chrome OS on their computer will still be able to sign in. This setting is commonly used on devices intended for use with Public Sessions.

Users will be able to use the device regardless of which restriction setting you use if you have Guest Mode or Public Sessions enabled.

If you have enabled Android apps on supported Chrome devices in your organization, this policy alone will not control whether additional accounts may be added within Android settings in a user session. You can control that using Account Management.

Autocomplete Domain

The Domain name autocomplete at sign in setting enables you to choose a domain name to present to users on their sign-in page. When you enable this setting, users don't need to type the part of their username during sign in.

This setting is off by default. To turn it on, from the drop-down list, select Use the domain name, set below, for autocomplete and enter your domain name.

Note: You can override this setting by typing your full username when you sign in.

screen

Specifies whether the Chrome device's sign-in screen displays the names and pictures of users who have signed in to the device.

  • For Chrome devices with public sessions set up—Users can only start a public session. They can’t sign in to devices.
  • To let users choose their user account on the sign-in screen—Select Always show user names and photos.
  • To prevent user accounts from being displayed on the sign-in screen—Select Never show user names and photos. Users are prompted to enter their Google Account username and password each time they sign in to their Chrome device. If you have SAML single sign-on (SSO) for Chrome devices and send users directly to the SAML identity provider (IdP) page, Google redirects them to the SSO sign-in page without entering their email address.

If users are enrolled in 2-Step Verification, they’ll be prompted to perform their second verification step each time they sign in to their Chrome device.

Off Hours

Allows you to set a weekly schedule when the guest browsing and sign-in restriction settings don’t apply to managed devices running Chrome OS. 

For example, school admins can block guest browsing or only allow users with a username ending in to sign in during school hours. Outside of school hours, users can browse in guest mode or sign in to their device using an account other than their account.


Replaces the default wallpaper with your own custom wallpaper on the sign-in screen. You can upload images in JPG format (.jpg or .jpeg files) up to a maximum size of 16 megabytes. Other file types are not supported. Note: This setting works only for Chrome devices on Chrome OS 61 and later.

User Data

Specifies whether enrolled Chrome devices delete all locally-stored settings and user data every time a user signs out. Data the device syncs persists in the cloud but not on the device itself.

Single Sign-On IdP Redirection

Requirement for this setting: Have SAML SSO configured for Chrome devices

To allow your Single Sign-On users to navigate directly to your SAML Identity Provider (IdP) page instead of first having to type in their email address, you can enable Single Sign-On IdP Redirection. This setting is disabled by default.

Single Sign-On Cookie Behavior

Requirement for this setting: Have SAML SSO configured for Chrome devices

To allow your Single Sign-On users to log in to internal websites and cloud services that rely on the same Identity Provider on subsequent sign-ins to their Chrome device, you can enable SAML SSO cookies. This setting is disabled by default.

SAML SSO cookies are always transferred on first login, but if you want to transfer cookies in subsequent logins, you need to enable this policy.

If you have enabled Android apps on supported Chrome devices in your organization, and have this policy enabled, cookies are not transferred to Android apps.

Single Sign-On Camera Permissions

Requirement for this setting: Have SAML SSO configured for Chrome devices

To give third party applications or services direct access to the user’s camera during a SAML Single Sign-on flow, on behalf of your SSO users, you can enable single sign-on camera permissions. This setting can be used by a third party Identity Provider (IdP) to bring new forms of authentication flows to Chrome devices.

To add IdPs to the whitelist, enter the URL for each service on a separate line. This setting is disabled by default.

If you are using this setting to set up Clever Badges™ for your organization, refer to the Clever support site for more information.
By enabling this policy, the administrator grants third parties access to their users' cameras on their users' behalf. The administrator should ensure that they have proper consent forms in place for users as the system does not show end users any consent forms once camera permission is granted via this policy.
Single Sign-On Client Certificates

Requirement for this setting: Have SAML SSO configured for Chrome devices.

Allows you to control client certificates for Single Sign-On (SSO) sites.

You enter a list of URL patterns as a JSON string. Then, if an SSO site matching a pattern requests a client certificate and a valid device-wide client certificate is installed, Chrome automatically selects a certificate for the site.

If the site requesting the certificate doesn’t match any of the patterns, Chrome doesn’t provide a certificate.

How to format the JSON string:

{"pattern":"","filter":{"ISSUER":{"CN":"certificate issuer name"}}}

The ISSUER/CN parameter (certificate issuer name above) specifies the common name of the Certificate Authority (CA) that client certificates must have as their issuer to be autoselected. If you want Chrome to select a certificate issued by any CA, leave this parameter blank by entering “filter”:{}.


{"pattern":"https://[*.]","filter":{}}, {"pattern":"https://[*.]","filter":{}}, {"pattern":"https://[*.]","filter":{}}

Accessibility Control

When the checkbox Turn off accessibility settings on sign-in screen upon logout is checked then accessibility settings (Large cursor, Spoken feedback, High contrast mode, Screen magnifier type) are restored to the defaults whenever the login screen is shown or the user remains idle on the login screen for one minute.

When the checkbox is unchecked then the accessibility settings enabled/disabled by users will be remembered and restored whenever the sign-in screen is shown, even if the device is restarted.

Language

Specifies what language the Chrome device’s sign-in screen displays. You can also allow users to choose what language the sign-in screen on their device is displayed in.

Keyboard

Specifies which keyboard layouts are allowed on the Chrome device’s sign-in screen.

Device Update Settings

Note: Before changing any of the auto-update settings below, read How to deploy auto-updates for Chrome devices.

Auto Update Settings

Auto update

Specifies whether Chrome devices automatically update to new versions of Chrome OS as they are released. Allow auto-updates is strongly recommended. The last several versions of Chrome OS are listed.

To stop background downloading of updates before the device is enrolled and rebooted, press Ctrl+alt+E on the End User License Agreement screen. Otherwise, downloaded updates that should have been blocked by policy might be applied when the user reboots the device.
Software support is available only for the latest version of Chrome OS.

Restrict Google Chrome version to at most

Prevents Chrome devices from updating to versions of Chrome OS beyond the version number specified. Using this setting is recommended only if a later version of Chrome OS causes compatibility issues with tools in your domain that need to be resolved prior to updating the Chrome OS version.

You can configure one or more of your Chrome devices to use the development or beta channel to help identify compatibility issues in upcoming versions of Chrome. For more information, see Chrome release best practices.

Software support is available only for the latest version of Chrome OS.

Randomly scatter auto updates over

Specifies the approximate number of days over which managed Chrome devices in your organization download an update following its release. The downloads occur at various times during this period to avoid causing traffic spikes that can impact old or low-bandwidth networks. Devices that are offline during this period download the update when they go back online.

Set this policy to its default (none) or a low number unless you know your network can't handle traffic spikes. This lets users benefit from new Chrome enhancements and features quicker, minimizes the number of concurrent versions in your organization, and simplifies change management during the update period.

Auto reboot after updates

When Allow auto-reboots is selected, after a successful auto update, the Chrome device will reboot when the user next signs out. Keeping Disallow auto-reboots selected will disable auto-reboots.

Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown.

Updates over cellular

Specifies the types of connections that Chrome devices can use when they automatically update to new versions of Chrome OS. By default, Chrome devices automatically check for and download updates when connected to Wi-Fi or Ethernet only. Select Allow automatic updates on all connections, including cellular to let Chrome devices automatically update when they’re connected to a mobile network.

App-controlled updates

You can allow a specific kiosk app to control the Chrome OS version of the device it’s running on. This prevents devices from updating to versions of Chrome beyond the version number specified by the app.

Clicking Select an app launches a dialog box where you can search for and select kiosk apps on the Chrome Web Store.


  • You can only specify one Chrome kiosk app at a time to control the Chrome OS version on a device.
  • In the manifest file, the app must include "kiosk_enabled": true and specify the required Chrome OS version, required_platform_version. It might take up to 24 hours for updates in the manifest file to take effect on devices. For information about how to configure settings in the app’s manifest file, see Allow your app to control the Chrome OS version.
  • You can’t allow a specific kiosk app and an auto-launched kiosk app to control the Chrome OS version of a device at the same time.
Release channel

With the Release channel setting, you can let users test the latest Chrome features by switching channels to more experimental versions. Chrome supports 3 release channels that are used to send updates to users. You can select a channel for users, or allow them to select a channel themselves:

The release channel can't be changed in the top level organization for your domain. It can only be changed by organizational unit.
  • Allow user to configure: Users can select a release channel to use. For users to select the development channel, you must set the Developer Tools user policy to Always allow use of built-in developer tools.
  • Move to Stable Channel: This channel is fully tested and is the best choice for users to avoid crashes and other problems. It's updated every 2-3 weeks for minor changes, and every 6 weeks for major changes.
  • Move to Beta Channel: For users to see upcoming changes and improvements with low risk, use this channel. It's usually updated weekly, with major updates every 6 weeks (more than a month before the stable channel).
  • Move to Development Channel: Select this channel for users to see the latest Chrome features. The development channel is updated once or twice a week. This build is tested, but it might have bugs.

While most organizations like to use the stable channel or allow their users to select a channel, it's useful to keep some IT personnel and users on the beta and development channels to help your organization:

  • Become familiar with new features before they appear on the stable channel.
  • Prepare users for any interface changes before the update.
  • Understand if problems are specific to certain versions of Chrome when troubleshooting.
  • Provide feedback on upcoming Chrome updates.
  • Moving a user from an older version of Chrome to a newer version, such as from stable to beta, takes effect the next time the user reboots their device.
  • Moving from a newer version of Chrome to an older version, such as from development to stable, can take longer. In this scenario, the device stays on the current version of the development channel, until the stable channel catches up, which can take some weeks.

Kiosk Settings

Kiosk settings
Before you can configure any kiosk settings, you need to enroll the device as a kiosk. Once it's enrolled, you can find the device in your Admin console by clicking Device management > Chrome devices.

Public-session kiosk

Before you can configure a Chrome device as a public-session kiosk, you need to make sure public-session settings exist for the organization the device is assigned to. Then, to set the kiosk as a public-session kiosk, you select Allow Public Session Kiosk. If public-session settings already exist for the organization, you can click Manage Public Session settings to edit them.

For information about creating public-session settings, see Manage public session devices.

Auto-launch public session

To automatically launch a public-session kiosk on a Chrome device, select Yes and set Number of seconds before delaying auto-login to 0.

Auto-launch a kiosk app

To automatically launch a Chrome device as a single-app kiosk, select the kiosk app from the list. When the device starts up the next time, the selected app will automatically launch in full-screen mode.

You can only specify one kiosk app at a time for a device. If the kiosk app isn’t in the list, click Manage Kiosk Applications in the Kiosk Apps section to specify one.

Enable device health monitoring

Select Enable device health monitoring to allow the health status of the kiosk to be reported. After doing this, you can check if a device is online and working properly.

For more information, see Health monitoring status displays.

Enable device system log upload

Select Enable device system log upload to automatically capture system logs for kiosk devices. Logs are captured every 12 hours and uploaded to your Admin console, where they’re stored for a maximum of 60 days. At any one time, 7 logs are available to download—1 for each day for the past 5 days, 1 for 30 days ago, and 1 for 45 days ago.

For more information, see Monitor kiosk health.

Before you enable logs to be uploaded, you must inform the users of managed kiosk devices that their activity may be monitored and data may be inadvertently captured and shared. Without notification to your users, you are in violation of the terms of your agreement with Google.

Screen rotation (clockwise)

To configure screen rotation for your kiosk devices, select your desired screen orientation. For example, to rotate the screen for a portrait layout, select 90 Degrees. This policy can be overridden by manually configuring the device to a different screen orientation.

Note: This policy is only available for devices that are configured to auto-launch a public session or kiosk app.

Allow a kiosk app to control OS version

This feature allows an auto-launched kiosk app to control the Chrome OS version of the device it’s running on. This prevents devices running in kiosk mode from updating to versions of Chrome beyond the version number specified by the app, and can improve stability of your kiosk if the app, or certain features in the app, are not compatible with the latest Chrome OS release.

To enable an auto-launched app to control the Chrome OS version on a device, select Allow Kiosk App to Control OS Version.


  • The policy is only available if a kiosk app is configured to be auto-launched in the organizational unit you select.
  • The app must specify a required Chrome OS version in the manifest file. For more information, see Create a Chrome kiosk app.
  • To enable this policy, the Auto Update Settings policy in Device Update Settings must be set to Stop auto-updates. The policy is not available if you’ve opted to allow auto-updates. If you want to enable auto-updates, turn off the Allow kiosk App to control OS version policy.
Kiosk apps

Clicking Manage Kiosk Applications launches a dialog box where you can search for and select kiosk apps on the Chrome Web Store. You can also specify a custom app by entering the ID and URL. If you select multiple apps, you can select which one you want to launch on the Chrome device using the drop-down under Auto-Launch Kiosk App. You need to reboot the Chrome device to make this change go into effect.

When searching the Chrome Web Store for apps, only kiosk-enabled apps will show up in the dialog box.

Dialog box to add Chrome kiosk app

Alternatively, you can add any Chrome web app by entering the app ID, which is the string of characters at the end of the app URL. For example, the URL for Chrome Remote Desktop is and the app ID is gbchcmhmhahfdphkhkmpfmihenigjmpp.


  • You can configure a device as both a public-session kiosk and a single-app kiosk, but you can only auto-launch one type of session or app at a time. For example, if you select Auto-Launch Public Session, you will not be able to also have that same device Auto-Launch a Kiosk App.


Kiosk Device Status Alerting Delivery

Check either Receive alert via email and/or Receive alert via SMS to receive alerts about your Chrome kiosk devices. Insert your email addresses and/or phone numbers in the fields above. You will receive an alert when the device goes from being on to off.

Kiosk Device Status Alerting Contact Info

To receive status updates about your Chrome kiosk devices, insert emails and separate them by commas in the field for Kiosk Device Status Alerting Emails.

To receive SMS updates about your Chrome kiosk devices, in the field Kiosk Device Status Alerting Mobile Phones, insert phone numbers in a comma-delimited list, for example: +1XXXYYYZZZZ, +1AAABBBCCCC. You will receive an alert when the device goes from being on to off.

User and device reporting

Device reporting

Device state reporting

This setting is on by default. Specifies whether Chrome devices enrolled in your domain report their current device state, including firmware, Chrome and platform version, and boot mode. In the Admin console, go to Device management > Chrome > Devices and click on the device's serial number to see the device details.

If you have enabled Android apps on supported Chrome devices in your organization, this policy has no effect on logging or reporting done by Android.

Device user tracking

This setting is on by default. You can track recent device users by clicking on the device in your Admin console under Device management > Chrome > Devices > device serial number > Recent Activity. Note that this setting does not take effect if the Erase all user info setting is enabled.

Inactive device notifications

Inactive device notification reports

This setting is off by default. When this setting is enabled, reports about inactive devices in your domain are emailed to the addresses you specify. The reports contain:

  • Information on all inactive devices in your domain (devices that haven’t synced since the time specified in Inactive Range)
  • The total number of inactive devices, including how many are newly  inactive, for each organizational unit.
  • A link to detailed information on each device, such as the organizational unit, serial number, asset ID, and last sync date if there are less than 30 devices that are newly inactive.

Note: Some information in the reports might be delayed up to 1 day. For example, if a device synced in the last 24 hours but was previously inactive, it might still appear on the inactive list, even though it is now active.

Inactive Range (days)

If a device doesn't check in to the management server for longer than the number of days you specify, then that device is considered inactive. You can set the number of days to any integer greater than 1.

For example, if you want to mark all devices that haven’t synced in the last week as inactive, enter 7 in the field for Inactive Range (days).

Notification Cadence

To specify how often inactive notification reports are sent, enter the number of days in the Notification Cadence  field.

Email addresses to receive notification reports

To specify the email addresses that will receive notification reports, enter the addresses (1 per line).

Anonymous metric reporting

Specifies whether the Chrome device sends Google usage statistics and crash reports whenever a system or browser process fails.

Usage statistics contain aggregated information such as preferences, button clicks, and memory usage. They don't include web page URLs or any personal information. Crash reports contain system information at the time of the crash, and may contain web page URLs or personal information, depending on what was happening at the time of the crash.

If you have enabled Android apps on supported Chrome devices in your organization, this policy also controls Android usage and diagnostic data collection.

Power and Shutdown

Power management

This setting controls whether a Chrome device that is showing a sign-in screen (no user is logged-in) should go to sleep or shut down after some time, or if it should continuously stay awake. This feature is useful for Chrome devices used as kiosks to make sure they never shut down.

Scheduled Reboot

When you specify the Number of days before reboot, the device will be rebooted after that given number of days. The reboot may not happen at the same time of day, but it may be postponed until the user next signs out. Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown.

Shut down

Allow users to turn off the device via the Shut down icon on the screen, or the physical power button is the default option. If you select Only allow users to turn off the device using the physical power button, they will not be able to turn off the device via the keyboard, mouse, or screen, but only by physically turning off the device.

This setting may be useful in specific deployment scenarios, such as if the Chrome device is being run as a kiosk or digital signage display.


Cloud Print

This feature allows any user of the Chrome device to print using Cloud Print. This setting is popular for Chrome devices configured for Public Sessions.

  1. Next to Choose which Cloud printers to enable click Manage.
  2. In the Cloud Print dialog that appears, search for and Add cloud printers for the devices in the organization you have selected.
  3. Click Save.

It can take up to 24 hours for printers to be shared with every Chrome device in the organization you selected. Any user on the device, including users using Guest Mode or Public Sessions, will be able to print from the cloud printers you've shared.

If there are printers that you don't own, which are shared with your domain, they will appear under an additional heading in the dialog box called Other printers. If a printer is no longer working or if it no there's no longer an owner in your domain, you can Remove it from the Other printers box.

Note: When printers are shared via device policy, they will appear under the "Local Destinations" section rather than the "Google Cloud Print" section.

Deployment notes:

  • You need to be the owner of the printer in Google Cloud Print to add it using the Admin console. We recommend domains with several printers to create a role account specifically to manage printers with Google Cloud Print. If your domain has this, sign in with that account to share the printers with your Chrome devices. If you don't want to give this role account Super Admin access to your domain, you can give it permission to only Manage Device Settings using delegated administrator roles in Chrome.
  • Depending on your environment and printers, you may be able to use Chrome's native printing.

Known issues:

  • Because printer ownership is tied to each G Suite account, if your domain has multiple domain admins, they may each have a different set of printers available.
  • An admin can delete/remove the printer shared by another domain admin. For example, if the printer owned by admin2 has been deleted by admin1, then admin1, cannot re-add it.
  • Currently, there isn't a way to tell if a printer in the Other printers section is active or deleted because of these known issues we're working to fix:
    • If an an admin deletes a printer in, even though it's no longer is available, it will appear under Other printers.
    • If the printer owner has been deleted, the orphaned printer will appear under Other printers.
Time Zone

System timezone

Specify the timezone to set for your users' devices from the drop-down list.

System timezone automatic detection

Choose one of the options to specify how a device detects and sets the current timezone:

  • No policy set (default = Let users decide): If no policy is set, users decide whether to enable or disable timezone auto-detection using Chrome OS Date and Time settings.
  • Let users decide: Users control the timezone auto-detection policy using the standard Chrome OS Date and Time settings.
  • Never auto-detect timezone: Users must manually pick a timezone.
  • Always use coarse timezone detection: The device IP address is used to set the timezone.
  • Always send WiFi access-points to server while resolving timezone: The location of the WiFi access-point, that the device connects to, is used to set the timezone. This is the most accurate option.
Mobile data roaming

Specifies whether users on this Chrome device can go online using a mobile network maintained by a different carrier. With this setting, you fix the value of the Allow mobile data roaming check box on the Internet page in the Chrome device Settings.

If you allow data roaming, charges may apply.

USB Detachable Whitelist

This feature allows you to specify a list of USB devices that can be accessed directly by applications, such as Citrix Receiver. You can list devices such as keyboards, signature pads, printers and scanners, as well as other USB devices. If this policy is not configured, the list of a detachable USB devices is empty.

To add devices to the list, enter the USB vendor identifier (VID) and product identifier (PID), as a colon separated hexadecimal pair (VID:PID), for each device on a separate line. For example, to list a mouse with a VID of 046E and a PID of D626, and a signature pad with a VID of 0404 and PID of 6002, enter the following in the text box:


Note: You must enter the VID and PID in hexadecimal format only.

Choose one of the options to enable or disable bluetooth on a device:

  • No policy set (default = Do not disable bluetooth) - If no policy is set, bluetooth is enabled on the device.
  • Do not disable bluetooth - Bluetooth is enabled on the device.
  • Disable bluetooth - Bluetooth is disabled on the device.

If you change the policy from Disable bluetooth to Do not disable bluetooth or No policy set, you must restart the device for the change to take effect.

If you change the policy from Do not disable bluetooth or No policy set to Disable bluetooth, the change is immediate and you do not need to restart the device.

Throttle Device Bandwidth

Select Enable network throttling to control device-level bandwidth consumption on Chrome devices with Chrome 56 and later. After doing this, you should specify the download and upload speed in kbps. To ensure that devices get policy and Chrome OS updates without interruptions, the minimum speed you can specify is 513 kbps.

All network interfaces on a device are throttled, including WiFi, Ethernet, USB ethernet adapter, USB cellular dongle, and USB wireless card. All network traffic is throttled, including OS updates.

You can throttle bandwidth on Chrome devices in kiosk, public session, or user mode.

TPM Firmware Update

By default, users can’t install a Trusted Platform Module (TPM) firmware update on devices. Select Allow users to perform TPM firmware updates to let users install a TPM firmware update that gives devices stronger security protections. For information about how users can install a firmware update, see Update your Chromebook’s security.

Note: Installing a TPM firmware update might erase a device and reset it to factory settings. Repeated failed update attempts might make a device unusable.

Chrome Management—Partner Access

Chrome Management—Partner Access

The Chrome Management—Partner Access device setting gives EMM partners programmatic access to manage device policies, get device information, and issue remote commands. Partners can use this access feature to integrate Google Admin console functionality into their EMM console.

When partner access is turned on, your EMM partner can manage individual Chrome devices. This means they no longer have to manage devices by Admin console organization structure. Instead, they can use the structure configured in their EMM console. You can’t simultaneously set the same policy for the same device using partner access and the Admin Console. Device level policies configured using partner access controls take precedence over organization level policies set in Admin console. To enforce policies on devices at organization level, you need to uncheck the Enable Chrome Management—Partner access box.

You can also use your EMM console to set user policies. However, if you subscribe only to the Chrome Kiosk service, you can only set device policies.

Note: Currently, this setting is not available for G Suite for Education domains.

Was this article helpful?
How can we improve it?