Set ChromeOS device policies

Allows users to restore their Chromebook to its factory state if needed.

The default is Allow powerwash to be triggered.

If you select, Do not allow powerwash to be triggered, there is one exception where the user can still trigger a powerwash. This is when you have allowed users to install a Trusted Platform Module (TPM) firmware update on devices but it has not been updated yet. When the update is performed it might erase a device and reset it to factory settings. For details, see TPM firmware update.

This setting enables a web service to request proof that its client is running an unmodified ChromeOS device that’s policy-compliant (running in secure mode if required by the administrator). The setting includes the following controls:

• Enable for content protection–Ensures that ChromeOS devices in your organization will verify their identity to content providers using a unique key (Trusted Platform Module). Also ensures that Chromebooks can attest to content providers that they’re running in Verified Boot mode.
• Disable for content protection–If this control is disabled, some premium content may be unavailable to your users.

For more details for admins, go to Enable Verified Access with ChromeOS devices. For developers, go to the Google Verified Access API Developer Guide.

• Require verified mode boot for verified access–Devices must be running in verified boot mode for device verification to succeed. Devices in Dev mode will always fail the verified access check.
• Skip boot mode check for verified access–Allows devices in Dev mode to pass the verified access check.
• Services with full access–Lists email addresses of the service accounts that gain full access to the Google Verified Access API. These are the service accounts created in Google Cloud Platform Console.
• Services with limited access–Lists email addresses of the service accounts that gain limited access to the Google Verified Access API. These are the service accounts created in Google Cloud Platform Console.

For more details for admins, go to Enable Verified Access with ChromeOS devices. For developers, go to the Google Verified Access API Developer Guide.

Controls the screen's custom text on devices that are disabled because they're lost or stolen. We recommend that you include a return address and contact phone number in your message. Then, anyone who sees the screen can return the device to your organization.

Specifies whether users can use 2-Factor Authentication (2FA) on devices with a Titan M security chip.

Controls whether to allow guest browsing on managed ChromeOS devices. If you select Allow guest mode, the main sign-in screen offers the option for a user to sign in as a guest. If you select Disable guest mode, a user must sign in using a Google Account or Google Workspace account. When a user signs in using guest mode, your organization's policies are not applied.

For K-12 EDU domains, the default is Disable guest mode.

For all other domains, the default is Allow guest mode.

Allows you to manage which users can sign in to ChromeOS devices.

Note: If you allow guest browsing or managed guest sessions, users can use devices no matter which setting you choose.

Choose an option:

• Restrict sign-in to a list of users—Only users that you designate can sign in to devices. Other users get an error message. Enter one pattern for each line for the users that you want to specify:
  • To let all your users sign in—Enter *@example.com. The Add person button is always available on devices.
  • To only allow specific users to sign in—Enter user-id@example.com. When all the specified users have signed in to a device, the Add person button is no longer available.
• Allow any user to sign in—Any user with a Google Account can sign in to devices. The Add person button is available on the sign-in screen.
• Do not allow any user to sign in—Users can not sign in to devices with their Google Account. The Add person button is unavailable.

Lets you choose a domain name to present to users on their sign-in page so that they don't need to enter the @domain.com part of their username during sign-in.

To turn the setting on, from the list, select Use the domain name, set below, for autocomplete at sign-in and enter your domain name.

Specifies whether the ChromeOS device's sign-in screen displays the names and pictures of users who have signed in to the device.

Displaying the names and pictures of users on the sign-in screen allows users to quickly start their sessions and works best for most deployments. We recommend you change this setting rarely and selectively to ensure the best user experience.

• Always show user names and photos—Lets users choose their user account on the sign-in screen (default).

• Never show user names and photos—Prevents user accounts from being displayed on the sign-in screen. Users must enter their Google Account username and password each time they sign in to their device. If you have SAML single sign-on (SSO) for devices and send users directly to the SAML identity provider (IdP) page, Google redirects them to the SSO sign-in page without entering their email address.

  Note: If users are enrolled in 2-Step Verification, they’re prompted to perform their second verification step each time they sign in to their device.

Sets a weekly schedule of when guest browsing and sign-in restriction settings don’t apply to managed ChromeOS devices.

For example, school admins can block guest browsing or only allow users with a username ending in @schooldomain.edu to sign in during school hours. Outside of school hours, users can browse in guest mode or sign in to their device using an account other than their @schooldomain.edu account.

Replaces the default wallpaper with your own custom wallpaper on the sign-in screen. You can upload images in JPG format (.jpg or .jpeg files) that are up to a maximum size of 16 megabytes. Other file types are not supported.

Specifies whether enrolled ChromeOS devices delete all locally-stored settings and user data every time a user signs out. Data the device synchronizes persists in the cloud but not on the device itself. If you set it to Erase all local user data, the storage available to the users is limited to half the RAM capacity of the device. If the policy is set together with a managed guest session, it won't cache the session name or avatar.

Note: By default, ChromeOS devices encrypt all user data and automatically clean up disk space when shared by multiple users. This default behavior works best for most deployments and ensures data security and an optimal user experience. We recommend you enable Erase all local user data rarely and selectively.

Devices need to have SAML SSO. See Configure SAML single sign-on for ChromeOS devices.

Specifies whether single sign-on (SSO) users can navigate directly to your SAML identity provider (IdP) page instead of first having to enter their email address. By default, Take users to the default Google login page is selected.

Devices need to have SAML SSO. See Configure SAML single sign-on for ChromeOS devices.

Specifies whether single sign-on (SSO) users can sign in to internal websites and cloud services that rely on the same identity provider (IdP) on subsequent device sign-ins. SAML SSO cookies are always transferred on first sign-in.

To transfer cookies in subsequent sign-ins, select Enable transfer of SAML SSO Cookies into user session during sign-in. If you've also enabled Android apps on supported devices in your organization, cookies are not transferred to Android apps.

Devices need to have SAML SSO. See Configure SAML single sign-on for ChromeOS devices.

Important: If you enable this policy, you grant third parties access to their users' cameras on their users' behalf. Ensure that you have proper consent forms in place for users—the system does not show end users any consent forms if permission is granted using this policy.

Specifies third-party apps or services that are allowed to have direct access to users' cameras during SAML single sign-on (SSO) flow. Configuring this setting lets third-party identity providers(IdPs) bring new forms of authentication flows to ChromeOS devices.

To add IdPs to the allowlist, enter the URL for each service on a separate line.

For information about setting up Clever Badges for your organization, go Clever support site.

Devices need to have SAML SSO. See Configure SAML single sign-on for ChromeOS devices.

Allows you to control client certificates for single sign-on (SSO) sites.

You enter a list of URL patterns as a JSON string. Then, if an SSO site matching a pattern requests a client certificate and a valid device-wide client certificate is installed, Chrome automatically selects a certificate for the site.

If the site requesting the certificate doesn’t match any of the patterns, Chrome doesn’t provide a certificate.

How to format the JSON string:

{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}

The ISSUER/CN parameter (certificate issuer name above) specifies the common name of the Certificate Authority (CA) that client certificates must have as their issuer to be autoselected. If you want Chrome to select a certificate issued by any CA, leave this parameter blank by entering “filter”:{}.

Examples:

{"pattern":"https://[*.]ext.example.com","filter":{}}, {"pattern":"https://[*.]corp.example.com","filter":{}}, {"pattern":"https://[*.]intranet.usercontent.com","filter":{}}

Allows you to control accessibility settings on the sign-in screen. Accessibility settings include large cursor, spoken feedback, and high-contrast mode.

• Turn off accessibility settings on the sign-in screen upon sign-out—Restores accessibility settings to the defaults when the sign-in screen is shown or the user remains idle on the sign-in screen for one minute.
• Allow user to control accessibility settings on the sign-in screen—Restores the accessibility settings that users turned on or off on the sign-in screen, even if the device is restarted.

Specifies what language the ChromeOS device’s sign-in screen displays. You can also allow users to choose the language.

Specifies which keyboard layouts are allowed on the ChromeOS device’s sign-in screen.

Specifies which URLs that are granted access to perform verified access checks on devices during SAML authentication on the sign-in screen.

Specifically, if a URL matches one of the patterns entered here, it is allowed to receive a HTTP header containing a response to a remote attestation challenge, attesting device identity and device state.

If you do not add an URLs in the Allowed IdP redirect URLs field, no URL is allowed to use remote attestation on the sign-in screen.

URLs must have HTTPS scheme, for example, https://example.com.

For information about valid url patterns, see Enterprise policy URL pattern format.

Specifies whether users can choose to display the device system information, for example ChromeOS version or device serial number, on the sign-in screen or if the system information is always displayed by default.

The default is Allow users to display system information on the sign-in screen by pressing Alt+V.

Only for ChromeOS devices with an integrated electronic privacy screen.

Specifies whether the privacy screen is always turned on or off on the sign-in screen. You can turn on or off the privacy screen on the sign-in screen, or let users choose.

Specifies whether the sign-in and lock screens on ChromeOS devices with a touchscreen display a numeric keyboard where users can enter their password. If you select Default to a numeric keyboard for password input, users can still switch to a standard keyboard if they have an alphanumeric password.

Manifest v2 extensions support will be deprecated in the future. All extensions need to be migrated to Manifest v3 according to the Manifest V2 support timeline.

Specifies if users can access Manifest v2 extensions on the sign-in screen of their device.

Every extension for Chrome has a JSON-formatted manifest file, called manifest.json. The manifest file is the blueprint of your extension, and must be located in the extension's root directory.

The information in the manifest file includes the following:

• Extension title
• Extension version number
• Permissions needed for the extension to run

For more details, see Manifest file format.

Choose one of these options:

• Default device behavior (default)—Users can access Manifest v2 extensions based on their default device settings and the Manifest V2 support timeline.
• Disable manifest v2 extensions on the sign-in screen—Users can’t install Manifest v2 extensions, and their existing extensions are disabled.
• Enable manifest v2 extensions on the sign-in screen—Users can install Manifest v2 extensions.
• Enable force-installed manifest v2 extensions on the sign-in screen—Users can access force-installed Manifest v2 extensions only. This includes extensions that are force-installed using the Apps & Extensions page in the Google Admin console. All other Manifest v2 extensions are disabled. This option is always available, regardless of the migration stage.

Note: Extensions availability is controlled by other policies as well. For example, a v2 extension allowed by the Manifest policy changes to blocked if it’s listed as blocked by the Permissions and URLs setting on the Apps & Extensions page in your Admin console.

You can control the available content on users' sign-in and lock screens when SAML or OpenID Connect single sign-on is used for user authentication, or when configuring network connections with Captive Portals.

Blocked URLs

Prevents the user from trying to access specific URLs on the sign-in and lock screens.

To configure this setting, enter up to 1,000 URLs on separate lines.

Examples

Blocked URLs entry	Result
example.com	Blocks all requests to example.com, www.example.com, and sub.www.example.com
http://example.com	Blocks all HTTP requests to example.com and any of its subdomains, but allows HTTPS requests
https://*	Blocks all HTTPS requests to any domain
mail.example.com	Blocks requests to mail.example.com but not to www.example.com or example.com
.example.com	Blocks example.com but not its subdomains, like example.com/docs
.www.example.com	Blocks www.example.com but not its subdomains
*	Blocks all requests to URLs except for those listed as a blocked URL exception. This includes any URL scheme, such as http://google.com, https://gmail.com, and chrome://policy.
*:8080	Blocks all requests to port 8080
*/html/crosh.html	Blocks Chrome Secure Shell (Also known as Crosh Shell)
chrome://settings chrome://os-settings	Blocks all requests to chrome://os-settings
example.com/stuff	Blocks all requests to example.com/stuff and its subdomains
192.168.1.2	Blocks requests to 192.168.1.2
youtube.com/watch?v=V1	Blocks youtube video with id V1

You can control the available content on users' sign-in and lock screens when SAML or OpenID Connect single sign-on is used for user authentication, or when configuring network connections with Captive Portals.

Blocked URLs exceptions

Specifies exceptions to the URL blocklist specified in the Blocked URLs on the sign-in / lock screens setting.

To configure the setting, enter up to 1,000 URLs on separate lines.

Examples

Allowed URLs entry	Result
example.com	Allows all requests to example.com, www.example.com, and sub.www.example.com
https://*	Allows all HTTPS requests to any domain
*:8080	Allows all requests to port 8080
*/html/crosh.html	Allows Chrome Secure Shell (Also known as Crosh Shell)
chrome://settings chrome://os-settings	Allows all requests to chrome://os-settings
example.com/stuff	Allows all requests to example.com/stuff and its subdomains
192.168.1.2	Allows requests to 192.168.1.2

Lets ChromeOS devices read aloud text that is on the sign-in screen. If needed, users can also connect and set up braille devices. For details, see Use the built-in screen reader and Use a braille device with your Chromebook.

Lets users select items on the sign-in screen to hear specific text read aloud. While ChromeOS reads the selected words aloud, each word is highlighted visually. For details, see Hear text read aloud.

Changes the font and background color scheme to make the sign-in screen easier to read.

Lets users magnify all (full-screen magnifier) or part (docked magnifier) of the sign-in screen. For details, see Zoom in or magnify your Chromebook screen.

Lets users type shortcut key combinations one key at a time in sequence, instead of having to hold down multiple keys at once. For example, to paste an item, instead of pressing the Ctrl and V keys at the same time, sticky keys lets users first press Ctrl and then press V. For details, see Use keyboard shortcuts one key at a time.

Lets users input characters without using physical keys. On-screen keyboards are typically used on devices with a touchscreen interface, but users can also use a touchpad, mouse, or connected joystick. For details, see Use the on-screen keyboard.

Lets users enter text on the sign-in screen using their voice instead of a keyboard. For details, see Type text with your voice.

Highlights objects on the sign-in screen as users navigate through them using the keyboard. It helps users identify where they are on the screen.

While editing text, the area around the text caret, or cursor, on the sign-in screen is highlighted.

The mouse cursor automatically clicks where it stops on the sign-in screen, without users physically pressing mouse or touchpad buttons. For details, see Automatically click objects on your Chromebook.

Increases the size of the mouse cursor so that it's more visible on the sign-in screen.

Creates a colored focus ring around the mouse cursor so that it's more visible on the sign-in screen.

Allows you to reverse the function of the right and left mouse buttons on the sign-in screen. By default, the left mouse button is the primary button.

Plays the same sound through all speakers so that users don’t miss content in stereo sound.

Lets users use accessibility keyboard shortcuts on the sign-in screen. For details, see Chromebook keyboard shortcuts.

Allow devices to automatically update OS version

Software support is available only for the latest version of ChromeOS.

You can allow ChromeOS devices to automatically update to new versions of ChromeOS as they're released and let users check for updates themselves. Allow updates is strongly recommended.

To stop updates before a device is enrolled and restarted:

• On the End User License Agreement screen, press Ctrl+Alt+E. If you don’t, downloaded updates that should have been blocked by a policy might be applied when the user restarts the device.

Target version

Software support is available only for the latest version of ChromeOS.

Specifies the most recent ChromeOS version that devices can update to. Devices do not update to versions of ChromeOS beyond the number that you select. The last few versions of ChromeOS are listed. You should only prevent ChromeOS from updating beyond a specific version if you need to resolve compatibility issues before updating the ChromeOS version. Or, if you need to pin ChromeOS updates to a specific version before switching devices to the Long-term support (LTS) channel. For details about switching to long-term support, see Long-term support on ChromeOS.

Select Use latest available version to let ChromeOS update to the newest version when it becomes available.

Roll back to target version

Specifies whether devices should roll back to the version that you specify in Target version, if they're already running a later version.

For details, see Roll back ChromeOS to a previous version.

Release channel

Cannot be set for the top-level organizational unit. You must set by organizational unit.

By default, ChromeOS follows updates on the Stable channel. Alternatively, you can choose the Long-term support (LTS), LTS candidate (LTC), Beta, or Dev channels. 

You can configure one or more of your devices to use the Dev or Beta channel to help identify compatibility issues in upcoming versions of Chrome. For more information, see ChromeOS release best practices. For information to help you decide which channel to have your users on, go to ChromeOS release best practices.

Starting in Chrome version 96, you can switch to the LTC channel to help increase stability. It has a slower release cadence than the Stable channel. Devices still continue to receive frequent security fixes, but they only get feature updates every 6 months. For details, see Long-term support (LTS) on ChromeOS.

To allow users to select a channel themselves, select Allow user to configure. This lets users test the latest Chrome features by letting them switch the release channel. For details on how users do this on their ChromeOS device, see Switch between stable, beta & dev software.

For users to select the Dev channel, you must set the Developer Tools user policy to Always allow use of built-in developer tools. For details, see Developer tools.

Rollout plan

Specifies how you want to roll out updates to managed ChromeOS devices.

Choose one of these options:

• Default (devices should update as soon as a new version is available)—Devices automatically update to new versions of ChromeOS as they are released.
• Rollout updates over a specific schedule—Only initially update a percentage of devices, which you can increase over time. You use the Staging Schedule setting to specify the rollout schedule.
• Scatter updates—If you have network bandwidth restrictions, you can scatter updates over a period of days, up to 2 weeks. You can use the Randomly scatter auto-updates over setting to specify the number of days.

Staging Schedule

Only available if you choose to roll out updates over a specific schedule

Specifies the rollout schedule for updating devices to new versions of ChromeOS. You can use this setting to limit new versions of ChromeOS to a specific percentage of devices over time. The date that some devices update might be after the release date. You can gradually add devices until they’re all updated.

Randomly scatter auto-updates over

Only available if you choose to scatter updates

Specifies the approximate number of days that managed devices download an update after its release. You can use this setting to avoid causing traffic spikes in old or low-bandwidth networks. Devices that are offline during this period download the update when they're online again.

Unless you know that your network can't handle traffic spikes, you should select Do not scatter auto-updates or select a low number. When scattered updates are turned off, your users benefit from new Chrome enhancements and features quicker. You also minimize the number of concurrent versions, which simplifies change management during the update period.

Additional blackout windows

Specifies the days and times when Chrome temporarily stops automatic checks for updates. If the device is in the middle of an update, Chrome will temporarily pause the update. You can set as many blackout windows as you need. Manual update checks that users or admins initiate during a blackout window are not blocked.

Note: Setting this policy might affect the staging schedule, as devices cannot download auto-updates during blackout windows.

Auto reboot after updates

Specifies whether the device restarts automatically after an update. If the device is configured as a kiosk, restarts happen immediately. Otherwise, for user sessions or managed guest sessions, the automatic restart happens after the user next signs out.

• Allow auto-reboots—After a successful auto-update, the ChromeOS device restarts when the user next signs out.
• Disallow auto-reboots—Disables auto-restarts.

Note: For user sessions, we recommend you also set the relaunch notification user policy, so that users are notified to restart their device to get the latest update. For details, see Relaunch notification.

Updates over cellular

Specifies the types of connections that ChromeOS devices can use when they automatically update to new versions of ChromeOS. By default, devices automatically check for and download updates only when connected to Wi-Fi or Ethernet. Select Allow automatic updates on all connections, including cellular to let devices automatically update when they’re connected to a mobile network.

Peer to peer

Specifies whether peer to peer is used for ChromeOS update payloads. If you select Allow peer to peer auto update downloads, devices will share and attempt to consume update payloads on the LAN, potentially reducing Internet bandwidth usage and congestion. If the update payload is not available on the LAN, the device falls back to downloading from an update server.

Enforce updates

For devices with ChromeOS version 86 and later.

• Block devices & user sessions after—For devices that have a version of ChromeOS that is older than the one you specify. Sets the length of time after which users are signed out of devices. Choose a value between 1 and 6 weeks. To immediately sign out users until the device is updated, choose No warning.
• if they are not running at least version—Specifies the oldest ChromeOS version that you allow on users’ devices.

• Extend this period where devices which are not receiving automatic updates are not yet blocked to—For devices that no longer receive automatic updates and have a version of ChromeOS that is older than the one you specify. Sets the length of time after automatic updates stop that users are signed out of devices. Choose a value between 1 and 12 weeks. To immediately sign out users, choose No warning.

• Final automatic update message—Specifies the message that users see on devices that no longer receive automatic updates and have a ChromeOS version that is older than the one you specify. Use plain text with no formatting. No markup is allowed. Left empty, users see the default message.
  For details about automatic device updates, see Auto Update policy.
  How users see this message on their devices depends on whether the length of time that you specified in Block devices & user sessions after has passed:
  • Until devices reach the time you specified—Users see the message on the Chrome management page after they sign in.
  • After devices reach the time you specified— Users see the message on the sign-in screen. The device is blocked and users can’t sign in.

Update downloads

Specifies whether ChromeOS devices download ChromeOS updates over HTTP or HTTPS.

Prevents devices from updating to versions of Chrome beyond the version number specified by the app that you choose.

Clicking Select an app opens the Chrome Web store, where you can search for and select app the app that you want.

Only available for auto-launched kiosk apps

Lets an autolaunched kiosk app control the ChromeOS version, preventing devices from updating to versions of Chrome beyond the version number specified by the app.

In the manifest file, the app must include "kiosk_enabled": true and specify the required ChromeOS version, required_platform_version. It can take up to 24 hours for updates in the manifest file to take effect on devices. For information on configuring settings in the app’s manifest file, see Let a kiosk app control the Chrome version.

Controls whether Chrome variations are fully enabled, enabled for critical fixes only, or disabled on devices.

By using variations, modifications to Google Chrome can be offered without shipping a new version of the browser by selectively enabling or disabling already existing features.

Note: We do not recommend disabling variations as this can potentially prevent the Google Chrome developers from providing critical security fixes in a timely manner.

For more details, see Manage the Chrome variations framework.

To get alerts when a Chrome kiosk device is turned off, check the Receive alerts via email box or the Receive alerts via SMS box, or both boxes.

Get status updates about your Chrome kiosk devices.

• Get updates by email—Next to Alerting emails, enter one email per line.
• Get updates by SMS—Next to Alerting mobile phones, enter one phone number per line.

Blocked URLs

Prevents Chrome browser users from accessing specific URLs.

To configure this setting, enter up to 1,000 URLs on separate lines.

Blocked URLs exceptions

Specifies exceptions to the URL blocklist.

To configure the setting, enter up to 1,000 URLs on separate lines.

Examples

Blocked URLs entry	Result
example.com	Blocks all requests to example.com, www.example.com, and sub.www.example.com
http://example.com	Blocks all HTTP requests to example.com and any of its subdomains, but allows HTTPS requests
https://*	Blocks all HTTPS requests to any domain
mail.example.com	Blocks requests to mail.example.com but not to www.example.com or example.com
.example.com	Blocks example.com but not its subdomains, like example.com/docs
.www.example.com	Blocks www.example.com but not its subdomains
*	Blocks all requests to URLs except for those listed as a blocked URL exception. This includes any URL scheme, such as http://google.com, https://gmail.com, and chrome://policy.
*:8080	Blocks all requests to port 8080
*/html/crosh.html	Blocks Chrome Secure Shell (Also known as Crosh Shell)
chrome://settings chrome://os-settings	Blocks all requests to chrome://os-settings
example.com/stuff	Blocks all requests to example.com/stuff and its subdomains
192.168.1.2	Blocks requests to 192.168.1.2
youtube.com/watch?v=V1	Blocks youtube video with id V1

Applies to Progressive Web Applications (PWA) in kiosk mode.

Specifies which virtual keyboard features are turned on. Check the boxes to select the features you want users to have:

• Auto suggest—Corrects words automatically using autocorrect or spell check, and shows suggested words as you type.
• Handwriting recognition—Reads users’ handwriting. Users can write directly on their screen instead of using their virtual keyboard.
• Voice input—Converts voice to text. Users can speak to enter text in most places where they usually type.

For details about how users can use their on-screen keyboard, see Use the on-screen keyboard.

Note: Before you configure the Kiosk virtual keyboard features setting, make sure that the on-screen keyboard is not turned off. For details, read about the Kiosk on-screen keyboard setting.

We do not recommend turning on troubleshooting tools in production devices. If you want to turn on the tools, create a child organizational unit for the required devices and apply the setting there. Make sure you disable this setting before deploying devices in production.

You can control whether users can access kiosk troubleshooting tools in a kiosk session.

For more details, see Troubleshoot ChromeOS kiosk devices.

You can specify whether URL-keyed anonymized data collection is performed for kiosk sessions.

If you turn the setting on for ChromeOS kiosk, URL-keyed metrics are collected for kiosk apps. If it is not set, it is active by default and the user cannot change it.

You can specify whether admins can upload and download files from Kiosk devices in Chrome Remote Desktop sessions. This allows admins to download logs from devices and upload any data needed to devices during troubleshooting.

File transfer is not allowed by default.

Specifies whether devices go to sleep, shut down, or do nothing when users close the device lid.

Applies to kiosk devices using AC power

Idle timeout in minutes

Specifies the amount of idle time before kiosk device go to sleep, sign users out, or shut down. Enter a value in minutes.

To use the system default, which varies by device, leave the box empty. To prevent any action while idle, under Action on idle, select Do nothing.

Idle warning timeout in minutes

Specifies the amount of idle time before a warning is displayed notifying the current user that their device is going to sign them out or shut down. Enter a value in minutes.

To never show an idle warning, do one of the following:

• In the Idle warning timeout in minutes field, enter 0
• Under Action on idle, select Sleep
• Under Action on idle, select Do nothing

To use the system default, which varies by device, leave the Idle warning timeout in minutes box empty.

Action on idle

Select what you want devices to do after the idle time expires:

• Sleep—Go into Sleep mode
• Logout—End the current kiosk session
• Shutdown—Shut down the kiosk device
• Do nothing—Take no action

Screen dim timeout in minutes

Specifies the amount of idle time before device screens dim. Enter a value in minutes. To never dim the screen, enter 0. To use the system default, which varies by device, leave the box empty.

Screen off timeout in minutes

Specifies the amount of idle time before device screens turn off. Enter a value in minutes. To never turn off the screen, enter 0. To use the system default, which varies by device, leave the box empty.

Applies to kiosk devices using a battery

Idle timeout in minutes

Specifies the amount of idle time before kiosk device go to sleep, sign users out, or shut down. Enter a value in minutes.

To use the system default, which varies by device, leave the box empty. To prevent any action while idle, under Action on idle, select Do nothing.

Idle warning timeout in minutes

Specifies the amount of idle time before a warning is displayed notifying the current user that their device is going to sign them out or shut down. Enter a value in minutes.

To never show an idle warning, do one of the following:

• In the Idle warning timeout in minutes field, enter 0
• Under Action on idle, select Sleep
• Under Action on idle, select Do nothing

To use the system default, which varies by device, leave the Idle warning timeout in minutes box empty.

Action on idle

Select what you want the device to do after the idle time expires:

• Sleep—Go into Sleep mode
• Logout—End the current kiosk session
• Shutdown—Shut down the kiosk device
• Do nothing—Take no action

Screen dim timeout in minutes

Specifies the amount of idle time before device screens dim. Enter a value in minutes. To never dim the screen, enter 0. To use the system default, which varies by device, leave the box empty.

Screen off timeout in minutes

Specifies the amount of idle time before device screens turn off. Enter a value in minutes. To never turn off the screen, enter 0. To use the system default, which varies by device, leave the box empty.

By default, the accessibility menu is hidden on devices running Chrome kiosk apps. If you choose Show the floating accessibility menu in kiosk mode, the accessibility menu is always visible on devices. The menu appears at the bottom right corner of the screen. To prevent the menu from blocking app components, such as buttons, users can move it to any screen corner.

Even if Do not show the floating accessibility menu in kiosk mode is selected, users can still enable accessibility features using shortcuts—as long as you have not used the Admin console to turn off the individual accessibility setting and a shortcut exists for it. For details, see Chromebook keyboard shortcuts.

Note: Ordinarily, the Shift + Alt + L shortcuts focus on the launcher button and items on the shelf. However, on devices running Chrome kiosk apps, they focus on the accessibility menu instead.

Lets kiosk devices read aloud text that’s on the screen. If needed, users can also connect and set up braille devices. For details, see Use the built-in screen reader and Use a braille device with your Chromebook.

Lets users select items on the screen to hear specific text read aloud. While ChromeOS reads the selected words aloud, each word is highlighted visually. For details, see Hear text read aloud.

Changes the font and background color scheme to make the screen easier to read.

Lets users type shortcut key combinations one key at a time in sequence, instead of having to hold down multiple keys at once. For example, to paste an item, instead of pressing the Ctrl and V keys at the same time, sticky keys lets users first press Ctrl and then press V. For details, see Use keyboard shortcuts one key at a time.

Lets users input characters without using physical keys. On-screen keyboards are typically used on devices with a touchscreen interface, but users can also use a touchpad, mouse, or connected joystick. For details, see Use the on-screen keyboard.

Lets users enter text using their voice instead of a keyboard. For details, see Type text with your voice.

Highlights objects on the screen as users navigate through them using the keyboard. It helps users identify where they are on the screen.

While editing text, the area around the text caret, or cursor, on the screen is highlighted.

The mouse cursor automatically clicks where it stops on the screen, without users physically pressing mouse or touchpad buttons. For details, see Automatically click objects on your Chromebook.

Increases the size of the mouse cursor so that it's more visible on the screen.

Creates a colored focus ring around the mouse cursor so that it's more visible on the screen.

Allows you to reverse the function of the right and left mouse buttons on kiosks. By default, the left mouse button is the primary button.

Plays the same sound through all speakers so that users don’t miss content in stereo sound.

Lets users use accessibility keyboard shortcuts. For details, see Chromebook keyboard shortcuts.

Lets users magnify all (full-screen magnifier) or part (docked magnifier) of the screen. For details, see Zoom in or magnify your Chromebook screen.

Specifies whether the enrolled ChromeOS devices report their current OS state information such as OS version, boot mode, and update status.

You can enable or disable all OS information reporting, or select Customize to choose what information is reported.

If you have enabled Android apps on supported devices in your organization, this setting has no effect on Android logging or reporting.

Specifies whether enrolled ChromeOS devices report their current hardware information such as vital product data, system information, and timezone status.

You can enable or disable all hardware information reporting, or select Customize to choose what information is reported.

If you have enabled Android apps on supported devices in your organization, this setting has no effect on Android logging or reporting.

The Hardware status and Network interface options only apply to devices with ChromeOS version 95 or earlier.

Specifies whether enrolled ChromeOS devices report device telemetry about the status of key components such as CPU, memory, storage, and graphics.

You can enable or disable all telemetry information reporting, or select Customize to choose what information is reported.

If you have enabled Android apps on supported devices in your organization, this setting has no effect on Android logging or reporting.

Specifies whether recent users of a device are tracked.

By default, Enable tracking recent users is selected. In addition, if the User data setting is set to Erase all local user data—erasing all user data on a device when a user signs out—this setting is ignored. See User data.

Specifies whether enrolled ChromeOS devices in kiosk mode report their session status.

Specifies whether enrolled ChromeOS devices in kiosk mode report information about the kiosk application.

Specifies whether enrolled ChromeOS devices track print jobs and print usage.

For details, see View print reports.

Specifies, in minutes, how often ChromeOS sends device status uploads. The minimum allowed frequency is 60 minutes.

Inactive device notification reports

Get email reports about inactive devices in your domain. The reports contain:

• Information on all inactive devices in your domain (devices that haven’t synced since the time specified in Inactive Range)
• The total number of inactive devices, including how many are recently inactive, for each organizational unit.
• A link to detailed information on each device, such as the organizational unit, serial number, asset ID, and last sync date if there are less than 30 devices that are newly inactive.

Note: Some information in the reports might be delayed up to one day. For example, if a device synced in the last 24 hours but was previously inactive, it might still appear on the inactive list, even though it is now active.

Inactive Range (days)

If a device doesn't check in to the management server for longer than the number of days you specify, then that device is considered inactive. You can set the number of days to any integer greater than one.

For example, if you want to mark all devices that haven’t synced in the last week as inactive, next to Inactive Range (days), enter 7.

Notification Cadence (days)

To specify how often inactive notification reports are sent, enter the number of days in the Notification Cadence field.

Email addresses to receive notification reports

To specify email addresses that get notification reports, enter the addresses (one per line).

Specifies whether the ChromeOS device sends Google usage statistics and crash reports whenever a system or browser process fails.

Usage statistics contain aggregated information, such as preferences, button clicks, and memory usage. They don't include web page URLs or any personal information. Crash reports contain system information at the time of the crash and might contain webpage URLs or personal information, depending on what was happening at the time of the crash.

If you have enabled Android apps on supported devices in your organization, this policy also controls Android usage and diagnostic data collection.

If you select Enable device system log upload, devices send system logs to the management server and you can monitor those logs.

The default is Disable device system log upload.

Specifies whether users can collect a system-wide performance trace using the system tracing service.

The default is to prevent users from collecting a system-wide trace. This setting only disables system-wide trace collection; browser trace collection is not affected.

XDR events are not displayed in the Admin console. To make sure XDR events are reported to your provider, set up the XDR provider configuration before you turn on this setting. For more details, see Set up XDR for ChromeOS devices.

Specifies whether ChromeOS devices send XDR events.

Extended detection and response (XDR) systems can help to identify suspicious series of activities in your fleet of managed devices by monitoring processes, network and other security related events.

If you select Report information about extended detection and response (XDR) events, enrolled devices report information related to XDR events to your provider.

Sets the display resolution and scale factor for the device display.

External display settings apply to connected displays and don’t apply to displays that don’t support the specified resolution or scale.

Allow user changes

By default, Allow users to overwrite predefined display settings (recommended) is selected—Users can change the resolution and scale factor of their display, but the settings revert back to the default at the next reboot. To prevent users from changing the display settings, select Do not allow user changes for predefined display settings.

External resolution

By default, Always use native resolution is selected—Values entered for External display width and External display height are ignored and external displays are set to their native resolution.

If you select Use custom resolution, the custom resolution is applied to all external monitors. If the resolution is not supported, it reverts to native resolution.

External display scale (percentage)

Specifies the display scale for external monitors that are connected to ChromeOS devices.

Internal display scale (percentage)

Specifies the internal display scale for ChromeOS devices.

Controls whether a ChromeOS device that is showing a sign-in screen (no user is signed-in) should go to sleep or shut down after some time or if it should continuously stay awake. This setting is useful for devices that are used as kiosks to make sure they never shut down.

Currently only works with kiosk devices with a sign-in screen showing.

Specifies the number of days after which a device restarts. Sometimes, devices might not restart at the same time of day or the restart might be postponed until the next time a user signs out. If a session is running, a grace period of up to 24 hours applies.

Google recommends that you configure kiosk apps to shut down at regular intervals to allow the app or device to restart.

You can select:

• Allow users to turn off the device using either the shut down icon or the physical power button (Default)—Users can turn off the device using the button on the device, keyboard, mouse, or screen.
• Only allow users to turn off the device using the physical power button—Users turn off the device using the button on the device and cannot turn off the device using the keyboard, mouse, or screen.

This setting might be useful in specific deployment scenarios, such as if the ChromeOS device is being run as a kiosk or digital sign.

Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.

Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.

Allows you to configure the primary battery charge mode. Choose from:

• Standard—Fully charges the battery at a standard rate
• Adaptive—Battery adaptively optimized based on typical usage pattern
• Express Charge—Battery charges over a shorter period
• Primarily AC—Extends battery life by charging mainly from AC
• Custom—Lets you enter a time to start and stop charging based on battery percentage

Note: You cannot use this setting at the same time as the Advanced Charge battery mode setting.

Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.

Allows you to prolong the usable life of a battery by charging to full capacity only once per day. For the remainder of the day, batteries are in a lower charge state that’s better for storage, even when the system is plugged in to a direct power source.

If you enable Advanced Charge battery mode, enter a daily start and end time.

Note: Within the last 1.5 hours of the end time, the device might prevent the battery from charging to reach a lower charge state.

If you enable Boot on AC and a device shuts down, it will turn on when plugged in to an AC adapter.

Note: If the device is connected to a Dell WD19 docking station that’s connected to power, the Chromebook will turn on even if the setting is disabled.

Allows users to charge other devices, such as a mobile phone, through a special USB port if the Chromebook is turned off and connected to power. All USB ports charge devices when the Chromebook is in Sleep mode.

Applies to unaffiliated users only.

Specifies whether devices are forced to reboot when users sign out. By default, Do not reboot on user sign-out is selected.

Specifies the time of day, frequency (daily, weekly, or monthly), and day of the week or month that devices restart. The schedule is based on the timezone setting of the device.

For user sessions or managed guest sessions:

• Users are notified that the restart will occur 1 hour before the scheduled time. They have an option to restart then or wait for the scheduled reboot. The scheduled reboot cannot be deferred.
• There is a 1 hour grace period after the device is booted. Scheduled reboots are skipped during this period and rescheduled for the next day, week, or month, depending on the setting.

By default, Disable scheduled reboots is selected.

Google recommends that you configure apps to shut down at regular intervals to allow the app or device to restart. For example, you can schedule the device to shut down every Monday at 2 AM.

Currently not available for kiosk devices.

Specifies whether an idle ChromeOS device displays a screen saver on the sign-in screen. The default is to not display a screen saver when idle.

If you select Display screen saver when idle, do the following:

Screen saver image URLs

Add the image URls you want to display. The following applies:

• Add one URL per line. Each item must be a URL referencing an image file and begin with https://. Google does not verify whether an image is available under the specified URLs.
• Images must be .jpg or .jpeg files and the file size must not exceed 8MB.
• At least 2 valid images are required before the screen saver is activated.
• Invalid URLs and unsupported images are ignored.
• The number of images is limited to 25. Only the first 25 URL entries from the list are used.
• The ChromeOS device downloads the images and stores them in a local cache. If an image for the specified URL changes after the image is cached, it might not be updated.

Activation

Enter the time in seconds that the device remains idle before showing the screen saver on the sign-in screen.

Valid values range from 1 second to 9999 seconds. If you leave the field empty, the default value of 7 seconds is used.

Refresh

Enter the interval in seconds to change the displayed image..

Valid values range from 1 second to 9999 seconds. If you leave the field empty, the default value of 60 seconds is used.

Allows you to control whether unaffiliated users can use virtual machines to support Linux apps. The setting is applied to starting new Linux containers, not to those already running.

The default is Block usage for virtual machines needed to support Linux apps for unaffiliated users and unaffiliated users can't use virtual machines to support Linux apps.

If you select Allow usage for virtual machines needed to support Linux apps for unaffiliated users, all unaffiliated users can use Linux virtual machines.

To enable it for affiliated users, select Allow usage for virtual machines needed to support Linux apps for users in the Users & browsers page. For details, see Linux virtual machines for unaffiliated users (BETA).

Note: This feature is no longer in Beta for consumer ChromeOS devices. It remains in Beta for managed devices and users.

Allows you to control the use of Android apps from untrusted sources for individual ChromeOS devices. It does not apply to Google Play.

• Prevent users of this device from using ADB sideloading—The default is to prevent the device from using Android apps from untrusted sources. This does not force users to restore their Chromebook to its factory state.
• Prevent users of this device from using ADB sideloading and force a device powerwash if sideloading was enabled before—Prevents the device from using Android apps from untrusted sources and forces users to restore their Chromebook to its factory state if sideloading was enabled before.
• Allow affiliated users of this device to use ADB sideloading—Allow affiliated users of this device to use Android apps from untrusted sources. You must also enable the Android apps from untrusted sources user setting. For details, see Android apps from untrusted sources.

Specifies the host name that is passed to the DHCP server with DHCP requests.

If this policy is set to a nonempty string, that string is used as the device host name during the DHCP request.

The string can contain the ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, ${MACHINE_NAME}, and ${LOCATION} variables. These variables are replaced with values found on the device. The resulting substitution should be a valid host name per RFC 1035, section 3.1.

Left blank or if the value after substitution is not a valid host name, no host name is used in the DHCP request.

Only takes effect when the connection to the printer is secure (ipps:// URI scheme) and the user submitting the print job is affiliated. Only applies to printers that support client-info.

You can set the client-name value to pass to the Internet Printing Protocol (IPP) print destinations in print jobs.

When you add a template for the client-name attribute, an additional client-info value is sent to print jobs submitted to IPP printers. The client-type member of the client-info value that you added is set to other. The client-name member of the added client-info value is set to the value of the policy after the substitution of placeholder variables.

Supported placeholder variables are:

• ${DEVICE_DIRECTORY_API_ID}
• ${DEVICE_SERIAL_NUMBER}
• ${DEVICE_ASSET_ID}
• ${DEVICE_ANNOTATED_LOCATION}

Unsupported placeholder variables are not substituted. The client-name value must be no longer than 127 characters

Valid values are:

• lowercase and uppercase letters of the English alphabet
• digits
• dashes (-)
• dots (.)
• underscores (_)

If the policy is left empty or an invalid value is added, an additional client-info value is not added to print job requests.

For more details, see View ChromeOS device details.

System timezone

Specifies the time zone to set for your users' devices.

System timezone automatic detection

Choose one of the options to specify how a device detects and sets the current time zone:

• Let users decide—Users control the time zone using the standard Chrome date and time settings.
• Never auto-detect timezone—Users must manually pick a time zone.
• Always use coarse timezone detection—Uses device IP address to set the time zone.
• Always send WiFi access-points to server while resolving timezone—Uses location of the WiFi access-point that the device connects to to set the time zone (most accurate).
• Send all location information—Uses location information, such as WiFi access-points and GPS, to set the time zone.

Specifies whether users on the ChromeOS device can go online using a mobile network maintained by a different carrier (charge may apply). With this setting, users need to allow mobile data roaming on the device.

Related topic: Connect to a mobile data network

Specifies a list of USB devices that can be accessed directly by applications, such as Citrix Receiver. You can list devices, such as keyboards, signature pads, printers and scanners, as well as other USB devices.

To add devices to the list, enter the USB vendor identifier (VID) and product identifier (PID) as a colon separated hexadecimal pair (VID:PID). Put each device on a separate line. For example, to list a mouse with a VID of 046E and a PID of D626 and a signature pad with a VID of 0404 and PID of 6002, you enter:

046E:D626
0404:6002

Some peripherals, including certain Thunderbolt or USB4 docks, displays, and connector cables, require users to disable data access protection for them to work properly or at full performance.

By default, data access protection for peripherals is turned on for enrolled ChromeOS devices, limiting peripheral performance. Selecting Disable data access protection can help peripherals to perform better, but might expose personal data through unauthorized usage.

Specifies whether Bluetooth is disabled devices.

If you change the policy from Disable bluetooth to Do not disable bluetooth, yo'll need to restart the device for the change to take effect.

If you change the policy from Do not disable bluetooth to Disable bluetooth, the change is immediate and you do not need to restart the device.

Lists the Bluetooth services that ChromeOS devices are allowed to connect to. Left empty, users can connect to any Bluetooth service.

Devices in kiosk, managed guest session, or user mode with Chrome version 56 and later

Controls device-level bandwidth consumption.

1. Select Enable network throttling.
2. Specify the download and upload speed in kbps. The minimum speed that you can specify is 513 kbps.

All network interfaces on a device are throttled, including WiFi, Ethernet, USB Ethernet adapter, USB cellular dongle, and USB wireless card. All network traffic is throttled, including OS updates.

Installing TPM firmware updates might erase a device and reset it to factory settings and repeated failed update attempts might make a device unusable.

To let users install a Trusted Platform Module (TPM) firmware update on devices, select Allow users to perform TPM firmware updates. For information about how users can install a firmware update, see Update your Chromebook’s security.

Specifies whether system traffic can go through an Internet proxy server with authentication.

The default is to block system traffic from going through a proxy server with authentication.

If you select Allow system traffic to go through a proxy with authentication, proxy servers will require authentication with service account credentials, a username and password, to access the Internet. These credentials are only used for system traffic, browser traffic still requires the user to authenticate to the proxy with their own credentials.

Note: Only HTTPS system traffic can be sent through the authenticated proxy. This can impact users who rely on HTTP for ChromeOS updates. If your network cannot support ChromeOS updates over HTTPS, make sure to set Update downloads to allow updates over HTTP. These updates will not go through the proxy. For details, see Update downloads.

Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.

Allows you to choose the MAC address that the docking station uses when it’s connected to the Chromebook.

Applies to Dell Latitude 5300 2-in-1, 5400, 7410, and 7410 2-in-1 Chromebook Enterprise devices.

Allows you to turn on and configure the Dell SupportAssist program. For information on Dell Support Assist, go to Dell support.

Specifies the clock format displayed on the sign-in screen and for managed guest sessions on ChromeOS devices.

The default is Automatic, based on current language. You can also set the clock to a 12 hour or 24 hour clock format. Users can always change the clock format for their account.

Specifies the cache size, in bytes, used for caching apps and extensions for installation by multiple users of a single device. This means that each app and extension does not need to redownload for every user.

If you set it to lower than 1 MB or leave it unset, ChromeOS uses the default size of 256 MiB.

Specifies whether hardware profiles, including ICC display profiles used to improve the display quality of attached monitors, can be downloaded from Google servers.

The default is to allow hardware profiles to be downloaded.

You can enable or disable notifications when disk space is low. This applies to all users on the device.

The default is Do not show notification when disk space is low.

• If the device is unmanaged or there is only one user, the policy is ignored and the notification is always displayed.
• If there are multiple user accounts on a managed device, the notification is only shown if you select Show notification when disk space is low.

Allows or prevents enterprise device users from redeeming offers through ChromeOS Registration.

Specifies whether or not users can capture Internet Protocol (IP) packets on their device for review or analysis.

Specifies whether users are prompted to select a client certificate on the sign-in screen when more than one certificate matches.

If you choose to prompt users and have entered a list of URL patterns in the Single sign-on client certificates setting, whenever the auto-selection policy matches multiple certificates the user is asked to select the client certificate. For details, see Single sign-on client certificates.

If PIV cards are used, you can set the DriveLock Smart Card Middleware (CSSI) app parameter filter_auth_cert to automatically filter authentication certificates. For details, see Auto-select certificates during sign-in.

Note: Users might have limited knowledge of certificate selection,. We only recommend using the Prompt when multiple certificates match on the sign-in screen setting for testing purposes or if you cannot properly configure the filter in the Single sign-on client certificates setting.

Turns on or off international keyboard shortcut mapping. The default is International keyboard shortcuts are mapped to the location of the keys in the keyboard instead of the glyph of the key. Keyboard shortcuts work consistently with international keyboard layouts and deprecated legacy shortcuts.

Note: This policy will be deprecated after customized keyboard shortcuts are available.

By default, unaffiliated users can use Android apps on managed ChromeOS devices.

Changes to this setting are only applied on managed ChromeOS devices while Android apps are not running. For example, while starting ChromeOS.

For information about how to install Android apps on ChromeOS devices, see Deploy Android apps to managed users on ChromeOS devices.

Specifies the default keyboard backlight color set for users’ devices.

Specifies whether a device plays an audible notification when the battery level or the remaining time drops below a threshold.

If not plugged in, the device plays warning sounds when:

• Remaining usage time drops to 15 minutes.
• Remaining usage time drops to 5 minutes.

Note: If connected to a low-power charger, the device plays a warning sound when the battery drops to 10%, then again at 5%.

Choose one of these options:

• Enable low battery sound—The device plays an audible notification when the battery is low. If you turn this policy on, users can’t turn it off.
• Disable low battery sound—The device doesn’t play an audible notification for the low battery warning. If you turn this policy off, users can’t turn it on.
• Allow the user to decide—Initially, the low battery sound is turned off for existing users and turned on for new users, but any user can turn the sound on or off at any time.

Specifies whether a device plays battery-charging sounds when connected to a wall-power outlet. Slightly different sounds play when the battery level reaches these thresholds:

• 0-15% for low
• 16-79% for medium
• 80-100% for high

Choose one of these options:

• Enable charging sounds—The device plays an audible notification when the charger is connected to a wall-power outlet. If you turn this policy on, users can’t turn it off.
• Disable charging sounds—The device doesn't play an audible notification when the charger is connected to a wall-power outlet. If you turn this policy off, users can’t turn it on.
• Allow the user to decide—Initially, the charging sound is turned off on the device, but users can turn the sound on or off at any time.

Controls whether ChromeOS Flex devices send additional hardware data to Google.

This hardware data is used for overall improvements to ChromeOS and ChromeOS Flex. For example, we might analyze the impact of a crash based on the central processing unit (CPU), or prioritize a bug fix based on how many devices share a component.

When you turn on this setting, ChromeOS Flex devices share additional hardware details. If you turn this setting off, devices only share standard hardware data.

Not supported on Active Directory managed ChromeOS devices.

Control whether videos are decoded by using hardware acceleration.

Hardware acceleration offloads video decoding from the central processing unit (CPU) to the graphics processing unit (GPU), delivering faster and more efficient video processing with reduced power consumption.

By default, the setting is turned on, meaning that video decoding is hardware-accelerated, where available. If you turn off this setting, video decoding can never be hardware-accelerated.

Note: We don’t recommend turning off this setting, because it results in a higher CPU load. This, in turn, negatively affects device performance and battery consumption.

You can control whether users can change the behavior of function keys by using the launcher or search keys.

Choose an option:

• Allow the user to decide—Lets users choose if they want to allow or prevent the launcher or search key to change the behavior of function keys.
• Allow the launcher/search key to change the behavior of function keys—The behavior of function keys can be changed by using the launcher or search key. Users can’t change this.
• Prevent the launcher/search key from changing the behavior of function keys—The behavior of function keys can't be changed by using the launcher or search key. Users can’t change this.

Currently not available for the Education edition

Gives EMM partners programmatic access to manage device policies, get device information, and issue remote commands. Partners can use this access feature to integrate Google Admin console functionality into their EMM console.

When partner access is turned on, your EMM partner can manage individual ChromeOS devices, which means they no longer have to manage devices by Admin console organizational-unit structure. Instead, they can use the structure configured in their EMM console.

You can’t simultaneously set the same policy for the same device using partner access and the Admin console. Device-level policies configured using partner access controls take precedence over policies set in the Admin console. To enforce policies on devices at organizational-unit level, you need to select Disable Chrome management—partner access.

Related topic: Manage ChromeOS devices with EMM console

By default, Disable shared kiosk mode is selected.

Read Use ChromeOS devices with Imprivata OneSign.

Lists the apps and extensions that should not be cleared and re-launched between users.

Read Use ChromeOS devices with Imprivata OneSign.