Manage Chrome device settings
This article is for Chrome for business and education administrators only.
You can configure certain Chrome device settings in the Google Admin console to control devices, regardless of who signs in to them. Some settings aren’t available for devices that are enrolled as single-app kiosks. At this time, only users under the same domain that a device is enrolled in are shown.
Android apps can run on Chrome only on supported device models only. We're constantly adding support for new devices so check back if you don't see a device listed. To allow your users to run Android apps, you must enable Android apps on supported Chrome devices in your organization.
Manage device settings
- Sign in to the Google Admin console.
- Click Device management.
- On the left, click Chrome management.
- Click Device settings.
On the left, select the organization that contains the devices whose settings you want to change.
Note: By default, an organization inherits the settings of its parent in the organizational tree. However, you can override an inherited setting by changing the setting for the child organizational unit. The new setting applies to devices in the child organizational unit as well as any children of the organization. Learn more about the organizational structure.
- Configure any settings. See setting details below.
- At the bottom, click Save. Settings typically take effect within minutes, but it might take up to an hour to propagate through your organization.
Tip: To quickly find a setting in the Admin console, use the Search settings box at the top.Forced Re-enrollment
Verified Access is a Chrome device setting that enables a web service to request proof that its client is running an unmodified Chrome OS that’s policy-compliant (running in Verified Mode if required by the administrator).
The Verified Access setting includes the following controls:
Enable for Content Protection–Ensures that Chrome devices in your organization will verify their identity to content providers using a unique key (Trusted Platform Module). Also with this feature enabled, Chromebooks can attest to content providers that they are running in Verified Boot mode.
Disable for Content Protection–If disabled, some premium content may be unavailable to your users. Learn more.
Enable for Enterprise extensions–Enables Verified Access for the devices in this organizational unit. If enabled, Chrome extensions can interact with the Trusted Platform Module on the device.
Disable for Enterprise extensions–If disabled, Chrome extensions attempting to perform Verified Access will receive a permissions error.
Require verified mode boot for Verified Access–Device must be running in verified boot mode for device verification to succeed. Devices in dev mode will always fail the Verified Access check.
Skip boot mode check for Verified Access–Allows dev mode devices to pass the Verified Access check.
Service accounts which are allowed to receive device ID–List email addresses of the service accounts that gain full access to the Google Verified Access API. These are the service accounts created in Google Developers Console.
Service accounts which can verify devices but do not receive device ID–List email addresses of the service accounts that gain limited access to the Google Verified Access API. These are the service accounts created in Google Developers Console.
This setting controls the custom text on the disabled device screen. We recommend you include a return address and contact phone number in your message so that users who see this screen are able to return the device to your organization.
Controls whether to allow guest browsing on managed Chrome devices. If you select Allow guest mode (the default), the main sign-in screen offers the option for a user to sign in as a guest. If you select Do not allow guest mode, a user must sign in using a Google Account or G Suite account. When a user signs in using guest mode, your organization's policies are not applied.
This setting enables you to control which users have permission to sign in to a managed Chrome device.
When the default Restrict Sign-in to list of users is selected, and the textbox is left empty, any user with a Google Account or G Suite account can sign in, and the +Add user button is available on the sign-in screen.
However, if you include one or more user names in the text box, only the named users can sign in; other users will receive an error message. Enter user names in the form of their primary email addresses, with names separated by commas. The names can include the wildcard * (to match any set of characters). The +Add user button will be available as long as not all of the users in your list have been added to the device, or if you use a wildcard such as *@yourdomain.com. If all of your specific users have been added to the device, then the +Add user button will be grayed out.
If you select Do not allow any user to Sign-in, no one will be able to sign in to the Chrome device with their Google Account or G Suite account. Also, the +Add user button will be grayed out on the sign-in screen. Note: This setting only works for Chrome devices on Chrome OS 28 and later. Users with prior versions of Chrome OS on their computer will still be able to sign in. This setting is commonly used on devices intended for use with Public Sessions.
If you have enabled Android apps on supported Chrome devices in your organization, this policy alone will not control whether additional accounts may be added within Android settings in a user session. You can control that using Account Management.
The Domain name autocomplete at sign in setting enables you to choose a domain name to present to users on their sign-in page. When you enable this setting, users don't need to type the @domain.com part of their username during sign in.
This setting is off by default. To turn it on, from the drop-down list, select Use the domain name, set below, for autocomplete and enter your domain name.
Note: You can override this setting by typing your full username when you sign in.
Specifies whether the Chrome device's sign-in screen displays the names and pictures of users who have signed in to the device.
Replaces the default wallpaper with your own custom wallpaper on the sign-in screen. You can upload images in JPG format (.jpg or .jpeg files) up to a maximum size of 16 megabytes. Other file types are not supported. Note: This setting works only for Chrome devices on Chrome OS 61 and later.
Specifies whether enrolled Chrome devices delete all locally-stored settings and user data every time a user signs out. Data the device syncs persists in the cloud but not on the device itself.
Requirement for this setting: Have SAML SSO configured for Chrome devices
To allow your Single Sign-On users to navigate directly to your SAML Identity Provider (IdP) page instead of first having to type in their email address, you can enable Single Sign-On IdP Redirection. This setting is disabled by default.
Requirement for this setting: Have SAML SSO configured for Chrome devices
To allow your Single Sign-On users to log in to internal websites and cloud services that rely on the same Identity Provider on subsequent sign-ins to their Chrome device, you can enable SAML SSO cookies. This setting is disabled by default.
SAML SSO cookies are always transferred on first login, but if you want to transfer cookies in subsequent logins, you need to enable this policy.
If you have enabled Android apps on supported Chrome devices in your organization, and have this policy enabled, cookies are not transferred to Android apps.
Requirement for this setting: Have SAML SSO configured for Chrome devices
To give third party applications or services direct access to the user’s camera during a SAML Single Sign-on flow, on behalf of your SSO users, you can enable single sign-on camera permissions. This setting can be used by a third party Identity Provider (IdP) to bring new forms of authentication flows to Chrome devices.
To add IdPs to the whitelist, enter the URL for each service on a separate line. This setting is disabled by default.
When the checkbox Turn off accessibility settings on sign-in screen upon logout is checked then accessibility settings (Large cursor, Spoken feedback, High contrast mode, Screen magnifier type) are restored to the defaults whenever the login screen is shown or the user remains idle on the login screen for one minute.
When the checkbox is unchecked then the accessibility settings enabled/disabled by users will be remembered and restored whenever the sign-in screen is shown, even if the device is restarted.
Note: Before changing any of the auto-update settings below, read How to deploy auto-updates for Chrome devices.Auto Update Settings
Specifies whether Chrome devices automatically update to new versions of Chrome OS as they are released. Allow auto-updates is strongly recommended. The last several versions of Chrome OS are listed.
Restrict Google Chrome version to at most
Prevents Chrome devices from updating to versions of Chrome OS beyond the version number specified. Using this setting is recommended only if a later version of Chrome OS causes compatibility issues with tools in your domain that need to be resolved prior to updating the Chrome OS version.
You can configure one or more of your Chrome devices to use the development or beta channel to help identify compatibility issues in upcoming versions of Chrome. For more information, see Chrome release best practices.
Randomly scatter auto updates over
Specifies the approximate number of days over which managed Chrome devices in your organization download an update following its release. The downloads occur at various times during this period to avoid causing traffic spikes that can impact old or low-bandwidth networks. Devices that are offline during this period download the update when they go back online.
Set this policy to its default (none) or a low number unless you know your network can't handle traffic spikes. This lets users benefit from new Chrome enhancements and features quicker, minimizes the number of concurrent versions in your organization, and simplifies change management during the update period.
Auto reboot after updates
When Allow auto-reboots is selected, after a successful auto update, the Chrome device will reboot when the user next signs out. Keeping Disallow auto-reboots selected will disable auto-reboots.
With the Release channel setting, you can let users test the latest Chrome features by switching channels to more experimental versions. Chrome supports 3 release channels that are used to send updates to users. You can select a channel for users, or allow them to select a channel themselves:
- Allow user to configure: Users can select a release channel to use. For users to select the development channel, you must set the Developer Tools user policy to Always allow use of built-in developer tools.
- Move to Stable Channel: This channel is fully tested and is the best choice for users to avoid crashes and other problems. It's updated every 2-3 weeks for minor changes, and every 6 weeks for major changes.
- Move to Beta Channel: For users to see upcoming changes and improvements with low risk, use this channel. It's usually updated weekly, with major updates every 6 weeks (more than a month before the stable channel).
- Move to Development Channel: Select this channel for users to see the latest Chrome features. The development channel is updated once or twice a week. This build is tested, but it might have bugs.
While most organizations like to use the stable channel or allow their users to select a channel, it's useful to keep some IT personnel and users on the beta and development channels to help your organization:
- Become familiar with new features before they appear on the stable channel.
- Prepare users for any interface changes before the update.
- Understand if problems are specific to certain versions of Chrome when troubleshooting.
- Provide feedback on upcoming Chrome updates.
- Moving a user from an older version of Chrome to a newer version, such as from stable to beta, takes effect the next time the user reboots their device.
- Moving from a newer version of Chrome to an older version, such as from development to stable, can take longer. In this scenario, the device stays on the current version of the development channel, until the stable channel catches up, which can take some weeks.
Before you can configure a Chrome device as a public-session kiosk, you need to make sure public-session settings exist for the organization the device is assigned to. Then, to set the kiosk as a public-session kiosk, you select Allow Public Session Kiosk. If public-session settings already exist for the organization, you can click Manage Public Session settings to edit them.
For information about creating public-session settings, see Manage public session devices.
Auto-launch public session
To automatically launch a public-session kiosk on a Chrome device, select Yes and set Number of seconds before delaying auto-login to 0.
Auto-launch a kiosk app
To automatically launch a Chrome device as a single-app kiosk, select the kiosk app from the list. When the device starts up the next time, the selected app will automatically launch in full-screen mode.
You can only specify one kiosk app at a time for a device. If the kiosk app isn’t in the list, click Manage Kiosk Applications in the Kiosk Apps section to specify one.
Enable device health monitoring
Select Enable device health monitoring to allow the health status of the kiosk to be reported. After doing this, you can check if a device is online and working properly.
For more information, see Health monitoring status displays.
Enable device system log upload
Select Enable device system log upload to automatically capture system logs for kiosk devices. Logs are captured every 12 hours and uploaded to your Admin console, where they’re stored for a maximum of 60 days. At any one time, 7 logs are available to download—1 for each day for the past 5 days, 1 for 30 days ago, and 1 for 45 days ago.
For more information, see Chrome kiosk health monitoring.
Screen rotation (clockwise)
To configure screen rotation for your kiosk devices, select your desired screen orientation. For example, to rotate the screen for a portrait layout, select 90 Degrees. This policy can be overridden by manually configuring the device to a different screen orientation.
Note: This policy is only available for devices that are configured to auto-launch a public session or kiosk app.
Allow a kiosk app to control OS version
This feature allows an auto-launched kiosk app to control the Chrome OS version of the device it’s running on. This prevents devices running in kiosk mode from updating to versions of Chrome beyond the version number specified by the app, and can improve stability of your kiosk if the app, or certain features in the app, are not compatible with the latest Chrome OS release.
To enable an auto-launched app to control the Chrome OS version on a device, select Allow Kiosk App to Control OS Version.
- The policy is only available if a kiosk app is configured to be auto-launched in the organizational unit you select.
- The app must specify a required Chrome OS version in the manifest file. For more information, see Create a Chrome kiosk app.
- To enable this policy, the Auto Update policy in Device Update Settings must be set to Stop auto-updates. The policy is not available if you’ve opted to allow auto-updates. If you want to enable auto-updates, turn off the Allow kiosk App to control OS version policy.
Clicking Manage Kiosk Applications launches a dialog box where you can search for and select kiosk apps on the Chrome Web Store. You can also specify a custom app by entering the ID and URL. If you select multiple apps, you can select which one you want to launch on the Chrome device using the drop-down under Auto-Launch Kiosk App. You need to reboot the Chrome device to make this change go into effect.
When searching the Chrome Web Store for apps, only kiosk-enabled apps will show up in the dialog box.
Alternatively, you can add any Chrome web app by entering the app ID, which is the string of characters at the end of the app URL. For example, the URL for Chrome Remote Desktop is https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp and the app ID is gbchcmhmhahfdphkhkmpfmihenigjmpp.
- You can configure a device as both a public-session kiosk and a single-app kiosk, but you can only auto-launch one type of session or app at a time. For example, if you select Auto-Launch Public Session, you will not be able to also have that same device Auto-Launch a Kiosk App.
Check either Receive alert via email and/or Receive alert via SMS to receive alerts about your Chrome kiosk devices. Insert your email addresses and/or phone numbers in the fields above. You will receive an alert when the device goes from being on to off.
To receive status updates about your Chrome kiosk devices, insert emails and separate them by commas in the field for Kiosk Device Status Alerting Emails.
To receive SMS updates about your Chrome kiosk devices, in the field Kiosk Device Status Alerting Mobile Phones, insert phone numbers in a comma-delimited list, for example: +1XXXYYYZZZZ, +1AAABBBCCCC. You will receive an alert when the device goes from being on to off.
Device state reporting
This setting is on by default. Specifies whether Chrome devices enrolled in your domain report their current device state, including firmware, Chrome and platform version, and boot mode. In the Admin console, go to Device management > Chrome > Devices and click on the device's serial number to see the device details.
If you have enabled Android apps on supported Chrome devices in your organization, this policy has no effect on logging or reporting done by Android.
Device user tracking
This setting is on by default. You can track recent device users by clicking on the device in your Admin console under Device management > Chrome > Devices > device serial number > Recent Activity. Note that this setting does not take effect if the Erase all user info setting is enabled.
Inactive device notification reports
This setting is off by default. When this setting is enabled, reports about inactive devices in your domain are emailed to the addresses you specify. The reports contain:
- Information on all inactive devices in your domain (devices that haven’t synced since the time specified in Inactive Range)
- The total number of inactive devices, including how many are newly inactive, for each organizational unit.
- A link to detailed information on each device, such as the organizational unit, serial number, asset ID, and last sync date if there are less than 30 devices that are newly inactive.
Note: Some information in the reports might be delayed up to 1 day. For example, if a device synced in the last 24 hours but was previously inactive, it might still appear on the inactive list, even though it is now active.
Inactive Range (days)
If a device doesn't check in to the management server for longer than the number of days you specify, then that device is considered inactive. You can set the number of days to any integer greater than 1.
For example, if you want to mark all devices that haven’t synced in the last week as inactive, enter 7 in the field for Inactive Range (days).
To specify how often inactive notification reports are sent, enter the number of days in the Notification Cadence field.
Email addresses to receive notification reports
To specify the email addresses that will receive notification reports, enter the addresses (1 per line).
Specifies whether the Chrome device sends Google usage statistics and crash reports whenever a system or browser process fails.
Usage statistics contain aggregated information such as preferences, button clicks, and memory usage. They don't include web page URLs or any personal information. Crash reports contain system information at the time of the crash, and may contain web page URLs or personal information, depending on what was happening at the time of the crash.
If you have enabled Android apps on supported Chrome devices in your organization, this policy also controls Android usage and diagnostic data collection.
This setting controls whether a Chrome device that is showing a sign-in screen (no user is logged-in) should go to sleep or shut down after some time, or if it should continuously stay awake. This feature is useful for Chrome devices used as kiosks to make sure they never shut down.
When you specify the Number of days before reboot, the device will be rebooted after that given number of days. The reboot may not happen at the same time of day, but it may be postponed until the user next signs out.
Allow users to turn off the device via the Shut down icon on the screen, or the physical power button is the default option. If you select Only allow users to turn off the device using the physical power button, they will not be able to turn off the device via the keyboard, mouse, or screen, but only by physically turning off the device.
This setting may be useful in specific deployment scenarios, such as if the Chrome device is being run as a kiosk or digital signage display.
This feature allows any user of the Chrome device to print using Cloud Print. This setting is popular for Chrome devices configured for Public Sessions.
- Sign in to your G Suite Admin console, if you’re not already signed in.
- Go to Device management > Chrome management > Device settings > Cloud Print.
- Next to Choose which Cloud printers to enable click Manage.
- In the Cloud Print dialog that appears, search for and Add cloud printers for the devices in the org units you have selected.
- Click Save. This shares these printers with every Chrome devices in the org units you selected. Any user on the device, including users using Guest Mode or Public Sessions, will be able to print from the cloud printers you've shared.
If there are printers that you don't own, which are shared with your domain, they will appear under an additional heading in the dialog box called Other printers. If a printer is no longer working or if it no there's no longer an owner in your domain, you can Remove it from the Other printers box.
Note: When printers are shared via device policy, they will appear under the "Local Destinations" section rather than the "Google Cloud Print" section.
- You need to be the owner of the printer in Google Cloud Print to add it using the Admin console. We recommend domains with several printers to create a role account specifically to manage printers with Google Cloud Print. If your domain has this, sign in with that account to share the printers with your Chrome devices. If you don't want to give this role account Super Admin access to your domain, you can give it permission to only Manage Device Settings using delegated administrator roles in Chrome.
- Chrome devices can only print to printers configured with Google Cloud Print. If you're trying to print from a printer that's not Cloud Ready, see Connect your classic printers with Google Cloud Print.
- Because printer ownership is tied to each G Suite account, if your domain has multiple domain admins, they may each have a different set of printers available.
- An admin can delete/remove the printer shared by another domain admin. For example, if the printer owned by admin2 has been deleted by admin1, then admin1, cannot re-add it.
- Currently, there isn't a way to tell if a printer in the Other printers section is active or deleted because of these known issues we're working to fix:
- If an an admin deletes a printer in https://www.google.com/cloudprint/#printers, even though it's no longer is available, it will appear under Other printers.
- If the printer owner has been deleted, the orphaned printer will appear under Other printers.
Specify the timezone to set for your users' devices from the drop-down list.
System timezone automatic detection
Choose one of the options to specify how a device detects and sets the current timezone:
- No policy set (default = Let users decide): If no policy is set, users decide whether to enable or disable timezone auto-detection using Chrome OS Date and Time settings.
- Let users decide: Users control the timezone auto-detection policy using the standard Chrome OS Date and Time settings.
- Never auto-detect timezone: Users must manually pick a timezone.
- Always use coarse timezone detection: The device IP address is used to set the timezone.
- Always send WiFi access-points to server while resolving timezone: The location of the WiFi access-point, that the device connects to, is used to set the timezone. This is the most accurate option.
Specifies whether users on this Chrome device can go online using a mobile network maintained by a different carrier. With this setting, you fix the value of the Allow mobile data roaming check box on the Internet page in the Chrome device Settings.
If you allow data roaming, charges may apply.
This feature allows you to specify a list of USB devices that can be accessed directly by applications, such as Citrix Receiver. You can list devices such as keyboards, signature pads, printers and scanners, as well as other USB devices. If this policy is not configured, the list of a detachable USB devices is empty.
To add devices to the list, enter the USB vendor identifier (VID) and product identifier (PID), as a colon separated hexadecimal pair (VID:PID), for each device on a separate line. For example, to list a mouse with a VID of
046E and a PID of
D626, and a signature pad with a VID of
0404 and PID of
6002, enter the following in the text box:
Choose one of the options to enable or disable bluetooth on a device:
- No policy set (default = Do not disable bluetooth) - If no policy is set, bluetooth is enabled on the device.
- Do not disable bluetooth - Bluetooth is enabled on the device.
- Disable bluetooth - Bluetooth is disabled on the device.
If you change the policy from Disable bluetooth to Do not disable bluetooth or No policy set, you must restart the device for the change to take effect.
If you change the policy from Do not disable bluetooth or No policy set to Disable bluetooth, the change is immediate and you do not need to restart the device.
Select Enable network throttling to control device-level bandwidth consumption on Chrome devices with Chrome 56 and later. After doing this, you should specify the download and upload speed in kbps. To ensure that devices get policy and Chrome OS updates without interruptions, the minimum speed you can specify is 513 kbps.
All network interfaces on a device are throttled, including WiFi, Ethernet, USB ethernet adapter, USB cellular dongle, and USB wireless card. All network traffic is throttled, including OS updates.
You can throttle bandwidth on Chrome devices in kiosk, public session, or user mode.
By default, users can’t install a Trusted Platform Module (TPM) firmware update on devices. Select Allow users to perform TPM firmware updates to let users install a TPM firmware update that gives devices stronger security protections. For information about how users can install a firmware update, see Update your Chromebook’s security.
Note: Installing a TPM firmware update might erase a device and reset it to factory settings. Repeated failed update attempts might make a device unusable.
Chrome Management—Partner AccessChrome Management—Partner Access
The Chrome Management—Partner Access device setting gives EMM partners programmatic access to manage device policies, get device information, and issue remote commands. Partners can use this access feature to integrate Google Admin console functionality into their EMM console.
When partner access is turned on, your EMM partner can manage individual Chrome devices. This means they no longer have to manage devices by Admin console organization structure. Instead, they can use the structure configured in their EMM console. You can’t simultaneously set the same policy for the same device using partner access and the Admin Console. Device level policies configured using partner access controls take precedence over organization level policies set in Admin console. To enforce policies on devices at organization level, you need to uncheck the Enable Chrome Management—Partner access box.
You can also let your EMM Partner set user policies. However, if you only have Single app Chrome kiosk device management licenses in your domain, you can only set device policies.
Note: Currently, this setting is not available for G Suite for Education domains.