Set Chrome device policies

For administrators who manage Chrome policies from the Google Admin console.

As a Chrome Enterprise admin, you can control settings that apply when people use a managed Chrome device, such as a Chromebook. Device-level settings apply for anyone who uses the device, even if they sign in as a guest or with a personal Gmail account.

Specify device settings

Before you begin: To make settings for a specific group of devices, put the devices in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Devices and then Chrome.
  3. Click Settings and then Device.
  4. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Make the settings you want. Learn about each setting.

    Tip: Quickly find a setting by entering text in Search settings at the top.

    You see Inherited if a setting is inherited from a parent. Or, you see Locally applied if the setting is overridden for the child.

  6. Click Save.

    Settings typically take effect in minutes, but they might take up to 24 hours to apply for everyone.

Learn about each setting

For managed Chrome OS devices.

If you see Device-specific setting, the setting is only available with specific device types. Some settings aren’t available with single-app kiosks.

Most policies apply to both affiliated and unaffiliated users on Chrome OS. A user is affiliated if they are managed by the same domain that manages the Chrome OS device they are signed into. A user is unaffiliated if they are signed into their device as a managed user from a different domain, for example if signs into a device managed by or signs into an unmanaged device. The policies that apply only to either affiliated or unaffiliated users are clearly marked in the Admin console. 

Enrollment and Access

Forced re-enrollment

Specifies whether Chrome devices are forced to re-enroll into your account after they’ve been wiped. By default, wiped devices automatically re-enroll into your account without users having to enter their username and password.

To stop automatic re-enrollment becoming the default behavior for your wiped devices, choose an option:

  • Device is not forced to re-enroll after wiping—Users can use the device without re-enrolling it into your account.
  • Force device to re-enroll with user credentials after wiping—Users are prompted to re-enroll the device into your account.

If forced re-enrollment is turned on and you don't want a specific Chrome device to re-enroll in your account, you need to deprovision the device.

For details on forced re-enrollment, see Force wiped Chrome devices to re-enroll.


Allows users to restore their Chromebook to its factory state if needed.

The default is Allow powerwash to be triggered.

If you select Do not allow powerwash to be triggered, there is one exception where the user can still trigger a powerwash: when you have allowed users to install a Trusted Platform Module (TPM) firmware update on devices but the firmware has not been updated yet. When the update is performed, it might erase a device and reset it to factory settings. For details, see TPM firmware update.

Verified access

This setting enables a web service to request proof that its client is running an unmodified Chrome OS that’s policy-compliant (running in verified mode if required by the administrator). The setting includes the following controls:

  • Enable for content protection–Ensures that Chrome devices in your organization will verify their identity to content providers using a unique key (Trusted Platform Module). Also ensures that Chromebooks can attest to content providers that they’re running in Verified Boot mode.
  • Disable for content protection–If this control is disabled, some premium content may be unavailable to your users.

For more details for admins, go to Enable Verified Access with Chrome devices. For developers, go to the Google Verified Access API Developer Guide.

Verified mode

  • Require verified mode boot for verified access–Devices must be running in verified boot mode for device verification to succeed. Devices in Dev mode will always fail the verified access check.
  • Skip boot mode check for verified access–Allows devices in Dev mode to pass the verified access check.
  • Services with full access–Lists email addresses of the service accounts that gain full access to the Google Verified Access API. These are the service accounts created in Google Cloud Platform Console.
  • Services with limited access–Lists email addresses of the service accounts that gain limited access to the Google Verified Access API. These are the service accounts created in Google Cloud Platform Console.

For more details for admins, go to Enable Verified Access with Chrome devices. For developers, go to the Google Verified Access API Developer Guide.

Disabled device return instructions

This setting controls the custom text on the screen of a device that’s disabled because it was lost or stolen. We recommend that you include a return address and contact phone number in your message so that users who see this screen are able to return the device to your organization.

Integrated FIDO second factor

Specifies whether users can use 2-Factor Authentication (2FA) on devices with a Titan M security chip.

Settings

Guest mode

Controls whether to allow guest browsing on managed Chrome devices. If you select Allow guest mode (the default), the main sign-in screen offers the option for a user to sign in as a guest. If you select Disable guest mode, a user must sign in using a Google Account or Google Workspace account. When a user signs in using guest mode, your organization's policies are not applied.

Sign-in restriction

Allows you to manage which users can sign in to devices running Chrome OS.

Note: If you allow guest browsing or managed guest sessions, users can use devices no matter which setting you choose.

Choose an option:

  • Restrict sign-in to a list of users—Only users that you designate can sign in to devices. Other users get an error message. Enter one pattern for each line for the users that you want to specify:
    • To let all your users sign in—Enter * The Add person button is always available on devices.
    • To only allow specific users to sign in—Enter When all the specified users have signed in to a device, the Add person button is no longer available.
  • Allow any user to sign in—Any user with a Google Account can sign in to devices. The Add person button is available on the sign-in screen.
  • Do not allow any user to sign in—Users cannot sign in to devices with their Google Account. The Add person button is unavailable.

Autocomplete domain

Lets you choose a domain name to present to users on their sign-in page so that they don't need to enter the part of their username during sign-in.

To turn the setting on, from the list, select Use the domain name, set below, for autocomplete at sign-in and enter your domain name.

Sign-in screen

Specifies whether the Chrome device's sign-in screen displays the names and pictures of users who have signed in to the device.

Displaying the names and pictures of users on the sign-in screen allows users to quickly start their sessions and works best for most deployments. We recommend you change this setting rarely and selectively to ensure the best user experience.

  • Always show user names and photos—Lets users choose their user account on the sign-in screen (default).
  • Never show user names and photos—Prevents user accounts from being displayed on the sign-in screen. Users must enter their Google Account username and password each time they sign in to their Chrome device. If you have SAML single sign-on (SSO) for Chrome devices and send users directly to the SAML identity provider (IdP) page, Google redirects them to the SSO sign-in page without requiring them to enter their email address.

    Note: If users are enrolled in 2-Step Verification, they’re prompted to perform their second verification step each time they sign in to their Chrome device.

Device off hours

Allows you to set a weekly schedule when the guest browsing and sign-in restriction settings don’t apply to managed devices running Chrome OS. 

For example, school admins can block guest browsing or only allow users with a username ending in to sign in during school hours. Outside of school hours, users can browse in guest mode or sign in to their device using an account other than their account.

Device wallpaper image

Chrome version 61 and later

Replaces the default wallpaper with your own custom wallpaper on the sign-in screen. You can upload images in JPG format (.jpg or .jpeg files) that are up to a maximum size of 16 megabytes. Other file types are not supported.

User data

Specifies whether enrolled Chrome devices delete all locally-stored settings and user data every time a user signs out. Data the device synchronizes persists in the cloud but not on the device itself. If you set it to Erase all local user data, the storage available to the users is limited to half the RAM capacity of the device. If the policy is set together with a Managed Guest Session, it won't cache the session name or avatar.

Note: By default, Chrome devices encrypt all user data and automatically clean up disk space when shared by multiple users. This default behavior works best for most deployments and ensures data security and an optimal user experience. We recommend you enable Erase all local user data rarely and selectively.

Single sign-on IdP redirection

Devices must have SAML SSO. See Configure SAML single sign-on for Chrome devices.

To allow your single sign-on (SSO) users to navigate directly to your SAML identity provider (IdP) page instead of first having to enter their email address, you can enable the Single sign-on IdP redirection setting.

Single sign-on cookie behavior

Devices must have SAML SSO. See Configure SAML single sign-on for Chrome devices.

To allow your single sign-on (SSO) users to sign in to internal websites and cloud services that rely on the same identity provider (IdP) on subsequent sign-ins to their Chrome device, you can enable SAML SSO cookies. 

SAML SSO cookies are always transferred on first sign-in, but if you want to transfer cookies in subsequent sign-ins, you need to enable this policy.

If you have enabled Android apps on supported Chrome devices in your organization and have this policy enabled, cookies are not transferred to Android apps.

Single sign-on camera permissions

Devices must have SAML SSO. See Configure SAML single sign-on for Chrome devices.

Important: If you enable this policy, you grant third parties access to your users' cameras on your users' behalf. Ensure that you have proper consent forms in place for users, because the system does not show end users any consent forms if permission is granted using this policy.

To give third-party apps or services direct access to the user’s camera during a SAML single sign-on (SSO) flow, on behalf of your SSO users, you can enable SSO camera permissions. This setting can be used by a third-party identity provider (IdP) to bring new forms of authentication flows to Chrome devices.

To add IdPs to the allowlist, enter the URL for each service on a separate line. 

If you are using this setting to set up Clever Badges™ for your organization, refer to the Clever support site for more information.

Single sign-on client certificates

Devices must have SAML SSO. See Configure SAML single sign-on for Chrome devices.

Allows you to control client certificates for single sign-on (SSO) sites.

You enter a list of URL patterns as a JSON string. Then, if an SSO site matching a pattern requests a client certificate and a valid device-wide client certificate is installed, Chrome automatically selects a certificate for the site.

If the site requesting the certificate doesn’t match any of the patterns, Chrome doesn’t provide a certificate.

How to format the JSON string:

{"pattern":"","filter":{"ISSUER":{"CN":"certificate issuer name"}}}

The ISSUER/CN parameter (certificate issuer name above) specifies the common name of the Certificate Authority (CA) that client certificates must have as their issuer to be autoselected. If you want Chrome to select a certificate issued by any CA, leave this parameter blank by entering "filter":{}.


{"pattern":"https://[*.]","filter":{}}, {"pattern":"https://[*.]","filter":{}}, {"pattern":"https://[*.]","filter":{}}

Accessibility Control

Allows you to control accessibility settings on the sign-in screen. Accessibility settings include large cursor, spoken feedback, and high-contrast mode. 

  • Turn off accessibility settings on the sign-in screen upon sign-out—Restores accessibility settings to the defaults when the sign-in screen is shown or the user remains idle on the sign-in screen for one minute.
  • Allow user to control accessibility settings on the sign-in screen—Restores the accessibility settings that users turned on or off on the sign-in screen, even if the device is restarted.

Language

Specifies what language the Chrome device’s sign-in screen displays. You can also allow users to choose the language.

Keyboard

Specifies which keyboard layouts are allowed on the Chrome device’s sign-in screen.

Specifies whether users can choose to display the device system information, for example Chrome OS version or device serial number, on the sign-in screen or if the system information is always displayed by default.

The default is Allow users to display system information on the sign-in screen by pressing Alt+V.

Only for Chrome devices with an integrated electronic privacy screen.

Specifies whether the privacy screen is always turned on or off on the sign-in screen. You can enable or disable the privacy screen on the sign-in screen, or let users choose.

Show numeric keyboard for password

Specifies whether the sign-in and lock screens on Chrome devices with a touchscreen display a numeric keyboard where users can enter their password. If you select Default to a numeric keyboard for password input, users can still switch to a standard keyboard if they have an alphanumeric password.

Sign-in screen accessibility

By default, accessibility settings are turned off on devices' sign-in screens. If you use the Admin console to turn on or off accessibility features, users can’t change or override them. If you select Allow the user to decide, users can turn on or off accessibility features as needed. For details, see Turn on Chromebook accessibility settings and Chromebook keyboard shortcuts.

Note: Turning off accessibility features can make devices less inclusive.

Lets Chrome devices read aloud text that is on the sign-in screen. If needed, users can also connect and set up braille devices. For details, see Use the built-in screen reader and Use a braille device with your Chromebook.

Lets users select items on the sign-in screen to hear specific text read aloud. While Chrome OS reads the selected words aloud, each word is highlighted visually. For details, see Hear text read aloud.

Changes the font and background color scheme to make the sign-in screen easier to read.

Lets users magnify all (full-screen magnifier) or part (docked magnifier) of the sign-in screen. For details, see Zoom in or magnify your Chromebook screen.

Lets users type shortcut key combinations one key at a time in sequence, instead of having to hold down multiple keys at once. For example, to paste an item, instead of pressing the Ctrl and V keys at the same time, sticky keys lets users first press Ctrl and then press V. For details, see Use keyboard shortcuts one key at a time.

Lets users input characters without using physical keys. On-screen keyboards are typically used on devices with a touchscreen interface, but users can also use a touchpad, mouse, or connected joystick. For details, see Use the on-screen keyboard.

Lets users enter text on the sign-in screen using their voice instead of a keyboard. For details, see Type text with your voice.

Highlights objects on the sign-in screen as users navigate through them using the keyboard. It helps users identify where they are on the screen.

While editing text, the area around the text caret, or cursor, on the sign-in screen is highlighted.

The mouse cursor automatically clicks where it stops on the sign-in screen, without users physically pressing mouse or touchpad buttons. For details, see Automatically click objects on your Chromebook.

Increases the size of the mouse cursor so that it's more visible on the sign-in screen.

Creates a colored focus ring around the mouse cursor so that it's more visible on the sign-in screen.

Allows you to reverse the function of the right and left mouse buttons on the sign-in screen. By default, the left mouse button is the primary button.

Plays the same sound through all speakers so that users don’t miss content in stereo sound.

Lets users use accessibility keyboard shortcuts on the sign-in screen. For details, see Chromebook keyboard shortcuts.

Device update settings

Important: Before changing any of the auto-update settings below, review Manage updates on Chrome devices.

Auto-update settings

Device updates

Software support is available only for the latest version of Chrome OS.

You can allow Chrome devices to automatically update to new versions of Chrome OS as they're released and let users check for updates themselves. Allow updates is strongly recommended.

To stop updates before a device is enrolled and restarted: 

  • On the End User License Agreement screen, press Ctrl+Alt+E. If you don’t, downloaded updates that should have been blocked by a policy might be applied when the user restarts the device.

Restrict Google Chrome version to at most

Software support is available only for the latest version of Chrome OS.

Prevents Chrome devices from updating to versions of Chrome OS beyond the version number specified. This setting is only recommended if you need to resolve compatibility issues before updating the Chrome OS version. The last few versions of Chrome OS are listed.

You can configure one or more of your Chrome devices to use the Dev or Beta channel to help identify compatibility issues in upcoming versions of Chrome. For more information, see Chrome OS release best practices.

Rollout plan

Specifies how you want to roll out updates to managed Chrome devices. 

Choose one of these options:

  • Default (devices should update as soon as a new version is available)—Chrome devices automatically update to new versions of Chrome OS as they are released.
  • Rollout updates over a specific schedule—Only initially update a percentage of Chrome devices, which you can increase over time. You use the Staging Schedule setting to specify the rollout schedule.
  • Scatter updates—If you have network bandwidth restrictions, you can scatter updates over a period of days, up to 2 weeks. You can use the Randomly scatter auto-updates over setting to specify the number of days.

Staging Schedule

Only available if you choose to roll out updates over a specific schedule

Specifies the rollout schedule for updating devices to new versions of Chrome OS.  You can use this setting to limit new versions of Chrome OS to a specific percentage of devices over time. The date that some devices update might be after the release date. You can gradually add devices until they’re all updated.

Randomly scatter auto-updates over

Only available if you choose to scatter updates

Specifies the approximate number of days that managed Chrome devices download an update after its release. You can use this setting to avoid causing traffic spikes in old or low-bandwidth networks. Devices that are offline during this period download the update when they're online again.

Unless you know that your network can't handle traffic spikes, you should select Do not scatter auto-updates or select a low number. When scattered updates are turned off, your users benefit from new Chrome enhancements and features quicker. You also minimize the number of concurrent versions, which simplifies change management during the update period.

Additional blackout windows

Specifies the days and times when Chrome temporarily stops automatic checks for updates. If the device is in the middle of an update, Chrome will temporarily pause the update. You can set as many blackout windows as you need. Manual update checks that users or admins initiate during a blackout window are not blocked.

Note: Setting this policy might affect the staging schedule, as devices cannot download auto-updates during blackout windows.

Auto reboot after updates

Specifies whether the device restarts automatically after an update. If the device is configured as a kiosk, restarts happen immediately. Otherwise, for user sessions or managed guest sessions, the automatic restart happens after the user next signs out.

  • Allow auto-reboots—After a successful auto-update, the Chrome device restarts when the user next signs out. 
  • Disallow auto-reboots—Disables autorestarts.

Note: For user sessions, we recommend you also set the relaunch notification user policy, so that users are notified to restart their device to get the latest update. For details, see Relaunch notification.

Updates over cellular

Specifies the types of connections that Chrome devices can use when they automatically update to new versions of Chrome OS. By default, Chrome devices automatically check for and download updates only when connected to Wi-Fi or Ethernet. Select Allow automatic updates on all connections, including cellular to let Chrome devices automatically update when they’re connected to a mobile network.

App-controlled updates

You can allow a specific app to control the Chrome OS version on a device. This allows you to prevent devices from updating to versions of Chrome beyond the version number specified by the app.

If you click Select an app, you can search for and select apps in the Chrome Web Store.

Kiosk-controlled updates

Cannot be used if you’re using an autolaunched kiosk app to control the Chrome OS version on a device

You can allow one specific kiosk app to control the Chrome OS version on a device to prevent devices from updating to versions of Chrome beyond the version number specified by the app. In the manifest file, the app must include "kiosk_enabled": true and specify the required Chrome OS version, required_platform_version. It can take up to 24 hours for updates in the manifest file to take effect on devices. For information on configuring settings in the app’s manifest file, see Let kiosk app control Chrome OS version.

If you click Select an app, you can search for and select kiosk apps in the Chrome Web Store.

Release channel

Cannot be set for the top-level organizational unit. You must set by organizational unit.

Lets users test the latest Chrome features by letting them switch the release channel. You can select a channel for users. To allow users to select a channel themselves, select Allow user to configure. For users to select the Dev channel, you must set the Developer Tools user policy to Always allow use of built-in developer tools. For details, see Chrome Browser release channels and Developer tools.

Update downloads

Specifies whether Chrome devices download Chrome OS updates over HTTP or HTTPS.

Scheduled updates
Device-specific setting: Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.

Specifies the day and time when devices check for updates, even if they're in sleep mode. Devices don't check for updates when they're powered off.

Kiosk settings

Before you can configure any kiosk settings, you need to enroll the device as a kiosk.

Related topics: Enroll Chrome devices, View Chrome OS device details, View and configure apps and extensions, and Set app and extension policies

Managed guest session

Before you can configure a Chrome device as a managed guest session, you need to make sure managed guest session settings exist for the organizational unit that the device is assigned to. Then, to set the kiosk as a managed guest session kiosk, you select Allow managed guest sessions.

For information about creating managed guest session settings, see Managed guest session devices.

To automatically launch a managed guest session on a Chrome device, select Auto-launch managed guest session and set Auto-launch delay to 0.

Enable device health monitoring

Only available for managed guest sessions that automatically launch on Chrome devices

Select Enable device health monitoring to allow the health status of the kiosk to be reported. After doing this, you can check if a device is online and working properly.

For more information, see Monitor kiosk health.

Enable device system log upload

Only available for managed guest sessions that automatically launch on Chrome devices

Important: Before using this setting, you must inform the users of managed kiosk devices that their activity might be monitored and data might be inadvertently captured and shared. Without notification to your users, you are in violation of the terms of your agreement with Google.

Select Enable device system log upload to automatically capture system logs for kiosk devices. Logs are captured every 12 hours and uploaded to your Admin console, where they’re stored for a maximum of 60 days. At any one time, 7 logs are available to download—one for each day for the past 5 days, one for 30 days ago, and one for 45 days ago.

For more information, see Monitor kiosk health.

Screen rotation (clockwise)

Only available for managed guest sessions that automatically launch on Chrome devices

To configure screen rotation for your kiosk devices, select your desired screen orientation. For example, to rotate the screen for a portrait layout, select 90 Degrees. This policy can be overridden by manually configuring the device to a different screen orientation.

Kiosk device status alerting delivery

To get alerts when a Chrome kiosk device is turned off, check the Receive alerts via email box or the Receive alerts via SMS box, or both boxes.

Kiosk device status alerting contact info

Get status updates about your Chrome kiosk devices. 

  • Get updates by email—Next to Alerting emails, enter one email per line.
  • Get updates by SMS—Next to Alerting mobile phones, enter one phone number per line.

URL blocking

Blocked URLs

Prevents Chrome Browser users from accessing specific URLs.

To configure this setting, enter up to 1,000 URLs on separate lines.

Blocked URLs exceptions

Specifies exceptions to the URL blocklist.

To configure the setting, enter up to 1,000 URLs on separate lines.

URL syntax

Each URL must have a valid hostname (such as, an IP address, or an asterisk (*) in place of the host. The asterisk functions like a wildcard, representing all hostnames and IP addresses.

URLs can also include:

  • The URL scheme, which is http, https, or ftp, followed by ://
  • A valid port value from 1 to 65,535
  • The path to the resource
  • Query parameters


  • To disable subdomain matching, put an extra period before the host.
  • You cannot use user:pass fields, such as Instead, enter
  • When both Blocked URLs and Blocked URLs exception filters apply (with the same path length), the exception filter takes precedence.
  • If an extra period precedes the host, the policy filters exact host matches only.
  • You cannot use a wildcard at the end of a URL, such as* and*.
  • The policy searches wildcards (*) last.
  • The optional query is a set of key-value and key-only tokens delimited by '&'.
  • The key-value tokens are separated by '='.
  • A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching.


Blocked URLs entry    Result

Blocks all requests to,, and
Blocks all HTTP requests to and any of its subdomains, but allows HTTPS and FTP requests
https://*    Blocks all HTTPS requests to any domain
Blocks requests to but not to or
Blocks but not its subdomains, like
Blocks but not its subdomains
*    Blocks all requests to URLs except for those listed as a blocked URL exception. This includes any URL scheme, such as,, and chrome://policy.
*:8080    Blocks all requests to port 8080
*/html/crosh.html    Blocks Chrome Secure Shell (also known as Crosh Shell)

Blocks all requests to chrome://os-settings
Blocks all requests to and its subdomains
Blocks requests to
Blocks YouTube video with id V1
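
An added example, not part of the original help page and not Chrome's own code: a simplified Python model of the syntax and precedence rules above, useful for checking a draft blocklist and exception list against test URLs before saving them. The hostnames are constructed; query tokens and IPv6 literals are not modelled, and ranking a longer path above a shorter one is this example's assumption.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Constructed sample policy values, one entry per line as in the console.
BLOCKED = ["example.test", "http://intranet.test", ".exact.test",
           "*:8080", "*/html/crosh.html"]
EXCEPTIONS = ["docs.example.test"]

@dataclass(frozen=True)
class UrlFilter:
    scheme: str       # "" matches any scheme
    host: str         # "*" matches any hostname or IP address
    subdomains: bool  # False when the entry began with an extra period
    port: int         # 0 matches any port
    path: str         # path prefix, "" matches any path

def parse_filter(entry):
    """Parse one list entry, rejecting the forms the page disallows."""
    text = entry.strip()
    if "?" in text:
        raise ValueError("query tokens are not modelled in this example")
    scheme, sep, rest = text.partition("://")
    if not sep:
        scheme, rest = "", text
    hostport, slash, tail = rest.partition("/")
    path = "/" + tail if slash else ""
    if "@" in hostport:
        raise ValueError("user:pass fields are not allowed")
    host, colon, port_text = hostport.rpartition(":")
    if not colon:
        host, port = hostport, 0
    elif port_text.isdigit() and 1 <= int(port_text) <= 65535:
        port = int(port_text)
    else:
        raise ValueError("port must be from 1 to 65535")
    subdomains = not host.startswith(".")
    host = host.lstrip(".").lower()
    if not host:
        raise ValueError("a hostname, IP address or * is required")
    if (host != "*" and "*" in host) or path.endswith("*"):
        raise ValueError("* may only stand in place of the whole host")
    return UrlFilter(scheme.lower(), host, subdomains, port, path)

def matches(flt, url):
    """True when the filter applies to the URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if flt.scheme and flt.scheme != parts.scheme:
        return False
    if flt.host != "*" and host != flt.host:
        if not (flt.subdomains and host.endswith("." + flt.host)):
            return False
    if flt.port and flt.port != (parts.port or DEFAULT_PORTS.get(parts.scheme)):
        return False
    return (parts.path or "/").startswith(flt.path)

def decide(url, blocked, exceptions):
    """Return "blocked" or "allowed" for one URL."""
    rules = [(parse_filter(e), False) for e in blocked]
    rules += [(parse_filter(e), True) for e in exceptions]
    # Rank: wildcard hosts last, then path length, then the exception
    # wins when a block and an exception tie.
    hits = [(f.host != "*", len(f.path), is_exception)
            for f, is_exception in rules if matches(f, url)]
    if not hits:
        return "allowed"
    return "allowed" if max(hits)[2] else "blocked"

if __name__ == "__main__":
    for test_url in ("https://www.example.test/a", "https://docs.example.test/",
                     "https://sub.exact.test/", "http://other.test:8080/"):
        print(test_url, decide(test_url, BLOCKED, EXCEPTIONS))
```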

User and device reporting

Device reporting

Device state reporting

This setting is on by default. Specifies whether Chrome devices enrolled in your domain report their current device state, including firmware, Chrome and platform version, and boot mode. 

If you enabled Android apps on supported Chrome devices in your organization, this policy has no effect on logging or reporting done by Android.

Related topics: View Chrome OS device details, Use Android apps on Chrome devices

Device user tracking

This setting is on by default, but does not take effect if the User data setting, which erases all user info on a device when a user signs out, is enabled.

Related topic: View Chrome OS device details

Inactive device notifications

Inactive device notification reports

Get email reports about inactive devices in your domain. The reports contain:

  • Information on all inactive devices in your domain (devices that haven’t synced since the time specified in Inactive Range)
  • The total number of inactive devices, including how many are recently inactive, for each organizational unit.
  • A link to detailed information on each device, such as the organizational unit, serial number, asset ID, and last sync date if there are fewer than 30 devices that are newly inactive.

Note: Some information in the reports might be delayed up to one day. For example, if a device synced in the last 24 hours but was previously inactive, it might still appear on the inactive list, even though it is now active.

Inactive Range (days)

If a device doesn't check in to the management server for longer than the number of days you specify, then that device is considered inactive. You can set the number of days to any integer greater than one.

For example, if you want to mark all devices that haven’t synced in the last week as inactive, next to Inactive Range (days), enter 7.

Notification Cadence (days)

To specify how often inactive notification reports are sent, enter the number of days in the Notification Cadence field.

Email addresses to receive notification reports

To specify email addresses that get notification reports, enter the addresses (one per line).

Anonymous metric reporting

Specifies whether the Chrome device sends Google usage statistics and crash reports whenever a system or browser process fails.

Usage statistics contain aggregated information, such as preferences, button clicks, and memory usage. They don't include web page URLs or any personal information. Crash reports contain system information at the time of the crash and might contain webpage URLs or personal information, depending on what was happening at the time of the crash.

If you have enabled Android apps on supported Chrome devices in your organization, this policy also controls Android usage and diagnostic data collection.

Device system log upload

If this setting is enabled, devices will send system logs to the management server and you can monitor those logs.

The default is Disable device system log upload.

Device status report upload frequency

Specifies how often Chrome OS sends device status uploads, in minutes. The minimum allowed frequency is 60 minutes. You can find uploaded status information on the device details page. See View Chrome device details.

Display settings

Screen settings

Sets the display resolution and scale factor for the device display.

External display settings apply to connected displays and don’t apply to displays that don’t support the specified resolution or scale.

The default, which is recommended, is to allow users to overwrite predefined display settings. Users can change the resolution and scale factor of their display, but the settings revert to the default at the next reboot. You can prevent users from changing the display settings if required.

If you select Always use native resolution, any values entered in the External display width and External display height are ignored and external displays are set to their native resolution. 

If you select Use custom resolution, the custom resolution is applied to all external monitors. If the resolution is not supported, it will revert to native resolution.

Power and shutdown

Power management

Controls whether a Chrome device that is showing a sign-in screen (no user is signed in) goes to sleep or shuts down after some time, or stays awake continuously. This setting is useful for Chrome devices that are used as kiosks to make sure they never shut down.

Scheduled Reboot

Currently only works with kiosk devices with a sign-in screen showing

Allows you to specify the number of days after which a device restarts. Sometimes, the device might not restart at the same time of day or the restart might be postponed until the next time a user signs out. If a session is running, then a grace period of up to 24 hours applies.

Google recommends that you configure kiosk apps to shut down at regular intervals to allow the app or device to restart. For example, you can schedule the app to shut down every day at 2 AM.

Allow shutdown

You can select:

  • Allow users to turn off the device using either the shut down icon or the physical power button (Default)—Users can turn off the device using the button on the device, keyboard, mouse, or screen.
  • Only allow users to turn off the device using the physical power button—Users turn off the device using the button on the device and cannot turn off the device using the keyboard, mouse, or screen.

This setting might be useful in specific deployment scenarios, such as if the Chrome device is being run as a kiosk or digital sign.

Peak shift power management

Device-specific setting: Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.

Allows you to reduce the power consumption by automatically switching the Chromebook to battery power. 

If you enable Peak shift power management:

  1. Under Peak Shift Battery Threshold, enter a percentage value between 15 and 100. If the battery percentage is above the value that you specify, the device runs from the battery.
  2. To set a daily start and end time to run Peak shift power management:

    1. Under Peak shift day configuration, select a start and end time. Between those times, AC power is not used unless the device reaches the threshold set above.
    2. Under Charge start time, select a time to start charging the battery.

Primary battery charge configuration

Device-specific setting: Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.

Allows you to configure the primary battery charge mode. Choose from:

  • Standard—Fully charges the battery at a standard rate
  • Adaptive—Battery adaptively optimized based on typical usage pattern
  • Express Charge—Battery charges over a shorter period
  • Primarily AC—Extends battery life by charging mainly from AC
  • Custom—Lets you enter a time to start and stop charging based on battery percentage

Note: You cannot use this setting at the same time as the Advanced Charge battery mode setting.

Advanced Charge battery mode

Device-specific setting: Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.

Allows you to prolong the usable life of a battery by charging to full capacity only once per day. For the remainder of the day, batteries are in a lower charge state that’s better for storage, even when the system is plugged in to a direct power source. 

If you enable Advanced Charge battery mode, enter a daily start and end time.

Note: Within the last 1.5 hours of the end time, the device might prevent the battery from charging to reach a lower charge state.

Boot on AC

Device-specific setting: Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.

If you enable Boot on AC and a device shuts down, it will turn on when plugged in to an AC adapter.

Note: If the device is connected to a Dell WD19 docking station that’s connected to power, the Chromebook will turn on even if the setting is disabled.

USB Powershare

Device-specific setting: Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.

Allows users to charge other devices, such as a mobile phone, through a special USB port if the Chromebook is turned off and connected to power. All USB ports charge devices when the Chromebook is in Sleep mode. 

Other settings

Device network hostname template

Allows you to specify the host name that is passed to the DHCP server with DHCP requests.

If this policy is set to a nonempty string, that string will be used as the device host name during the DHCP request.

The string can contain the ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, ${MACHINE_NAME}, and ${LOCATION} variables. These variables will be replaced with values found on the device. The resulting substitution should be a valid host name per RFC 1035, section 3.1.

If this policy is not set or if the value after substitution is not a valid host name, no host name will be used in the DHCP request.
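An added example (not part of the original page, and not Chrome OS code): a pre-flight check that expands a host name template against device inventory values and lists the devices whose result would be invalid, and which would therefore send no host name with their DHCP requests. It assumes the host name is a single label checked against the conservative RFC 1035 rule; the function names and inventory values are constructed, and the exact form in which Chrome OS substitutes each variable is not stated here.

```python
import re

# Variables the policy text lists for the host name template.
POLICY_VARS = {"ASSET_ID", "SERIAL_NUM", "MAC_ADDR", "MACHINE_NAME", "LOCATION"}
VAR_RE = re.compile(r"\$\{([A-Za-z0-9_]+)\}")
# Assumption: conservative RFC 1035 label rule (letter first, letter or digit
# last, letters/digits/hyphens between, at most 63 characters).
LABEL_RE = re.compile(r"[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def expand_hostname(template, device):
    """Return (hostname, problems); hostname is None when problems exist."""
    problems = []

    def substitute(match):
        name = match.group(1)
        if name not in POLICY_VARS:
            problems.append(f"unknown variable ${{{name}}}")
            return match.group(0)
        value = device.get(name, "")
        if not value:
            problems.append(f"${{{name}}} has no value on this device")
        return value

    hostname = VAR_RE.sub(substitute, template)
    if not LABEL_RE.fullmatch(hostname):
        problems.append(f"{hostname!r} is not a valid RFC 1035 label")
    return (hostname if not problems else None), problems


def audit_template(template, fleet):
    """Map serial number -> problems for devices that would send no host name."""
    report = {}
    for device in fleet:
        _, problems = expand_hostname(template, device)
        if problems:
            report[device["SERIAL_NUM"]] = problems
    return report


# Constructed inventory values, for illustration only.
FLEET = [
    {"SERIAL_NUM": "5CD1234XYZ", "ASSET_ID": "LAB-0042"},
    {"SERIAL_NUM": "PF2ABCDE", "ASSET_ID": "front desk 7"},
    {"SERIAL_NUM": "PF9ZZZZZ", "ASSET_ID": ""},
]

if __name__ == "__main__":
    for template in ("${SERIAL_NUM}", "cb-${ASSET_ID}", "cb-${SERIAL_NUM}"):
        print(template, audit_template(template, FLEET))
```

A bare ${SERIAL_NUM} template fails this check for any serial number that begins with a digit, which is why the passing template in the sample carries a fixed alphabetic prefix.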


System timezone

Specifies the time zone to set for your users' devices.

System timezone automatic detection

Choose one of the options to specify how a device detects and sets the current time zone:

  • Let users decide—Users control the time zone using the standard Chrome date and time settings.
  • Never auto-detect timezone—Users must manually pick a time zone.
  • Always use coarse timezone detection—Uses device IP address to set the time zone.
  • Always send WiFi access-points to server while resolving timezone—Uses the location of the WiFi access-point that the device is connected to in order to set the time zone (most accurate).
  • Send all location information—Uses location information, such as WiFi access-points and GPS, to set the time zone.

Mobile data roaming

Specifies whether users on the Chrome device can go online using a mobile network maintained by a different carrier (charges may apply). With this setting, users need to allow mobile data roaming on the device.

Related topic: Connect to a mobile data network

USB detachable allowlist

Allows you to specify a list of USB devices that can be accessed directly by applications, such as Citrix Receiver. You can list devices, such as keyboards, signature pads, printers and scanners, as well as other USB devices. If this policy is not configured, the list of detachable USB devices is empty.

To add devices to the list, enter the USB vendor identifier (VID) and product identifier (PID) as a colon-separated hexadecimal pair (VID:PID). Put each device on a separate line. For example, to list a mouse with a VID of 046E and a PID of D626 and a signature pad with a VID of 0404 and PID of 6002, you enter:

046E:D626
0404:6002
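The VID:PID format described above, as an added example that is not part of the original page: a check to run over a draft allowlist before pasting it into the setting, since every accepted line lets applications access that device directly. It assumes each identifier is written as four hexadecimal digits, as in the page's own example; the function names, the approved inventory and the draft (including the entry 1234:5678) are constructed for illustration.

```python
import re

# Assumption: four hex digits per identifier, matching the page's examples.
ENTRY_RE = re.compile(r"([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})")


def parse_usb_allowlist(text):
    """Return (entries, errors): normalized 'VID:PID' strings and
    (line number, raw line, reason) tuples for rejected lines."""
    entries, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.fullmatch(line)
        if match is None:
            errors.append((lineno, raw, "expected VID:PID as two 4-digit hex values"))
            continue
        entry = f"{match.group(1).upper()}:{match.group(2).upper()}"
        if entry in seen:
            errors.append((lineno, raw, f"duplicate of {entry}"))
            continue
        seen.add(entry)
        entries.append(entry)
    return entries, errors


def unapproved(entries, approved):
    """Well-formed entries that are absent from the reviewed device inventory."""
    return [entry for entry in entries if entry not in approved]


# Constructed inputs: the first two lines are the page's example devices.
APPROVED = {"046E:D626", "0404:6002"}
DRAFT = """046E:D626
0404:6002
0x0404:6002
046e:d626
1234-5678
1234:5678
"""

if __name__ == "__main__":
    entries, errors = parse_usb_allowlist(DRAFT)
    print("accepted:", entries)
    print("rejected:", errors)
    print("needs review:", unapproved(entries, APPROVED))
```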



Bluetooth

Allows you to enable or disable Bluetooth® on a device.

  • To enable Bluetooth, select Do not disable bluetooth.
  • To disable Bluetooth, select Disable bluetooth.

If you change the policy from Disable bluetooth to Do not disable bluetooth, you must restart the device for the change to take effect.

If you change the policy from Do not disable bluetooth to Disable bluetooth, the change is immediate and you do not need to restart the device.

Throttle device bandwidth

Devices in kiosk, managed guest session, or user mode with Chrome version 56 and later

Controls device-level bandwidth consumption. All network interfaces on a device are throttled, including WiFi, Ethernet, USB Ethernet adapter, USB cellular dongle, and USB wireless card. All network traffic is throttled, including OS updates.

To enable the setting:

  1. Select Enable network throttling.
  2. Specify the download and upload speed in kbps. The minimum speed that you can specify is 513 kbps.

TPM firmware update

Installing TPM firmware updates might erase a device and reset it to factory settings, and repeated failed update attempts might make a device unusable.

To let users install a Trusted Platform Module (TPM) firmware update on devices, select Allow users to perform TPM firmware updates. For information about how users can install a firmware update, see Update your Chromebook’s security.

Virtual machines

Specifies whether users can run virtual machines on their devices running Chrome OS. To let users install Linux apps and run Linux tools, editors, and integrated development environments (IDEs), select Allow usage for virtual machines needed to support Linux apps. For information about how users turn on Linux app support, see Set up Linux (Beta) on your Chromebook.

Authenticated Proxy Traffic

Specifies whether system traffic can go through an Internet proxy server with authentication. 

The default is to block system traffic from going through a proxy server with authentication. 

If you select Allow system traffic to go through a proxy with authentication, proxy servers will require authentication with service account credentials, a username and password, to access the Internet. These credentials are only used for system traffic; browser traffic still requires the user to authenticate to the proxy with their own credentials.

MAC address pass through

Device-specific setting: Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.

Allows you to choose the MAC address that the docking station uses when it’s connected to the Chromebook. 

Dell SupportAssist

Device-specific setting: Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.

Allows you to turn on and configure the Dell SupportAssist program. For information on Dell SupportAssist, go to Dell support.

Specifies whether users can sign in to Chrome devices by tapping their badge, instead of having to enter their username and password. For details about how to set it up, see Use Chrome devices with Imprivata OneSign.

System clock format

Specifies the clock format displayed on the sign-in screen and for managed guest sessions on Chrome devices.

The default is Automatic, based on current language. You can also set the clock to a 12 hour or 24 hour clock format. Users can always change the clock format for their account.

Apps and extensions cache size

Specifies the size in bytes used for caching apps and extensions for installation by multiple users of a single device. This means that each app and extension does not need to redownload for every user.

If you set it to lower than 1 MB or leave it unset, Chrome OS uses the default size of 256 MiB.

Hardware profiles

Specifies whether hardware profiles, including ICC display profiles used to improve the display quality of attached monitors, can be downloaded from Google servers.

The default is to allow hardware profiles to be downloaded.

Redeem offers through Chrome OS registration

You can allow or prevent enterprise device users from redeeming offers through Chrome OS Registration.

The default is Allow users to redeem offers through Chrome OS registration.

Low disk space notification

You can enable or disable notifications when disk space is low. This applies to all users on the device.

The default is Do not show notification when disk space is low.

  • If the device is unmanaged or there is only one user, the policy is ignored and the notification is always displayed.
  • If there are multiple user accounts on a managed device, the notification is only shown if you select Show notification when disk space is low.

Chrome management—partner access

Allow EMM partners access to device management

Currently not available for the Education edition

Gives EMM partners programmatic access to manage device policies, get device information, and issue remote commands. Partners can use this access feature to integrate Google Admin console functionality into their EMM console.

When partner access is turned on, your EMM partner can manage individual Chrome devices, which means they no longer have to manage devices by Admin console organizational-unit structure. Instead, they can use the structure configured in their EMM console. You can’t simultaneously set the same policy for the same device using partner access and the Admin console. Device-level policies configured using partner access controls take precedence over policies set in the Admin console. To enforce policies on devices at organizational-unit level, you need to select Disable Chrome management—partner access.

Related topic: Manage Chrome devices with EMM console
