Manage device settings

This article is for Chrome for Business and Education administrators only.

The Chrome device settings in the Admin console configure your organization's Chrome devices regardless of who signs in. To manage device settings:

  1. Sign in to the Admin console.
  2. Click Device management > Chrome management > Device settings.
  3. Select the organizational unit to which you want the settings to apply.
  4. Configure the policies on the page.
  5. Click Save changes at the bottom of the screen. Settings typically take effect within minutes but might take up to an hour to propagate through your organization.

The device policies are as follows.

Read the descriptions of every setting below to understand the available configuration options and how to optimize your organization's Chrome experience.
Enroll devices automatically

Specifies whether Chrome devices that have been deprovisioned, wiped, and moved to pending can be enrolled in your domain automatically when a user in your domain logs in for the first time. If this setting is disabled, an administrator must re-enroll each Chrome device manually using the steps described in Enroll Chrome devices.

Automatic enrollment only works for devices already listed under the Devices page in the Admin console. Also, automatic enrollment requires Chrome version 18 or higher.
Place device in user organization during auto enrollment

Keeping the default Do not place device in user organization selected, the Chrome device will be in the organizational unit you set for the device in Device Settings.

If you select Place device in user organization, the device will be placed in the organizational unit of the first user who signs in to auto enroll the device.

Deployment tip: Keeping the default setting, if you want to enforce different policies on different devices in your organization, you’ll likely need to manually move the devices to the correct org unit in Chrome devices. Selecting Place device in user organization eliminates this step and will place the Chrome device into the org unit of the first user who auto enrolls the device.
Verified Access

Keeping Enable for Content Protection set, Chrome devices in your organization will verify their identity to content providers using a unique key (Trusted Platform Module). Also with this feature enabled, Chromebooks can attest to content providers that they are running in Verified Boot mode.

Selecting Disable for Content Protection may make some premium content unavailable to your users. Learn more.

Cloud Print

This feature allows any user of the Chrome device to print using Cloud Print. This setting is popular for Chrome devices configured for Public Sessions.

This feature works only for Chrome devices enrolled in your domain on Chrome OS version 29 and later. If you enrolled the Chrome device with a prior version of Chrome OS, you need to wipe and re-enroll the device for this feature to work.
  1. Sign in to your Google Apps Admin console, if you’re not already signed in.
  2. Go to Device management > Chrome management > Device settings > Cloud Print.
  3. Next to Choose which Cloud printers to enable click Manage.
  4. In the Cloud Print dialog that appears, search for and Add cloud printers for the devices in the org units you have selected.
  5. Click Save. This shares these printers with every Chrome devices in the org units you selected. Any user on the device, including users using Guest Mode or Public Sessions, will be able to print from the cloud printers you've shared.

If there are printers that you don't own, which are shared with your domain, they will appear under an additional heading in the dialog box called Other printers. If a printer is no longer working or if it no there's no longer an owner in your domain, you can Remove it from the Other printers box.

Deployment notes:

  • You need to be the owner of the printer in Google Cloud Print to add it using the Admin console. We recommend domains with several printers to create a role account specifically to manage printers with Google Cloud Print. If your domain has this, sign in with that account to share the printers with your Chrome devices. If you don't want to give this role account Super Admin access to your domain, you can give it permission to only Manage Device Settings using delegated administrator roles in Chrome.
  • Chrome devices can only print to printers configured with Google Cloud Print. If you're trying to print from a printer that's not Cloud Ready, see Connect your classic printers with Google Cloud Print.

Known issues:

  • Because printer ownership is tied to each Google Apps account, if your domain has multiple domain admins, they may each have a different set of printers available.
  • An admin can delete/remove the printer shared by another domain admin. For example, if the printer owned by admin2 has been deleted by admin1, then admin1, cannot re-add it.
  • Currently, there isn't a way to tell if a printer in the Other printers section is active or deleted because of these known issues we're working to fix:
    • If an an admin deletes a printer in, even though it's no longer is available, it will appear under Other printers.
    • If the printer owner has been deleted, the orphaned printer will appear under Other printers.
Allow Guest mode

Controls whether to allow guest browsing on managed Chrome devices. If you select Allow guest mode (the default), the main sign-in screen offers the option for a user to sign in as a guest. If you select Do not allow guest mode, a user must sign in using a Google Account or Google Apps account. When a user signs in using guest mode, your organization's policies are not applied.

Restrict sign-in

This setting enables you to control which users have permission to sign in to a managed Chrome device.

When the default Restrict Sign-in to list of users is selected, and the textbox is left empty, any user with a Google Account or Google Apps account can sign in, and the +Add user button is available on the sign-in screen.

However, if you include one or more user names in the text box, only the named users can sign in; other users will receive an error message. Enter user names in the form of their primary email addresses, with names separated by commas. The names can include the wildcard * (to match any set of characters). The +Add user button will be available as long as not all of the users in your list have been added to the device, or if you use a wildcard such as * If all of your specific users have been added to the device, then the +Add user button will be grayed out.

If you select Do not allow any user to Sign-in, no one will be able to sign in to the Chrome device with their Google Account or Google Apps account. Also, the +Add user button will be grayed out on the sign-in screen. Note: This setting only works for Chrome devices on Chrome OS 28 and later. Users with prior versions of Chrome OS on their computer will still be able to sign in. This setting is commonly used on devices intended for use with Public Sessions.

Users will be able to use the device regardless of which restriction setting you use if you have Guest Mode or Public Sessions enabled.
Erase all user info, settings, and state after each sign-out

Specifies whether enrolled Chrome devices delete all locally-stored settings and user data every time a user signs out. Data the device syncs persists in the cloud but not on the device itself.

Power management on sign-in screen

This setting controls whether a Chrome device that is showing a sign-in screen (no user is logged-in) should go to sleep or shut down after some time, or if it should continuously stay awake. This feature is useful for Chrome devices used as kiosks to make sure they never shut down.

Show user names and photos on the sign-in screen

Specifies whether the Chrome device's sign-in screen displays the names and pictures of users who have signed in to the device.

Kiosk Settings
You need to first enroll the device you want to use as a kiosk in your domain. Once successfully enrolled, the device will show up in the Admin console under Chrome devices.

Public Session Kiosk

If you haven't yet created a Public Session for your domain, you need to specify at least one Public Session for Allow Public Session Kiosk to be enabled. In your Admin console under Chrome Management > Public session settings enter a name for Session Display Name.

Public Session Kiosk (also called Public Sessions) specifies whether you will allow or not allow Chrome devices in the organizational unit selected to be configured for Public Sessions. To have the device be a Public Session Kiosk when the user is on the sign-in screen, set Auto-Login to Public Session to Yes and enter “0” into the field Number of seconds before delaying auto-login.

Single App Kiosk

Single App Kiosk specifies whether or not Chrome devices in the organizational unit will be run in single-app mode, such as for a lobby kiosk or a student assessment device. Selecting Allow Single App Kiosk gives you the options to Manage Kiosk Applications and Auto-Login to Kiosk App.

Clicking Manage Kiosk Applications launches a dialog box where you can search for and select kiosk apps on the Chrome Web Store. You can also specify a custom app by entering the ID and URL. If you select multiple apps, you can select which one you want to launch on the Chrome device using the drop-down under Auto-Login to Kiosk App. You need to reboot the Chrome device to make this change go into effect.


  • You can configure a device as both a Public Session Kiosk and a Single App Kiosk, but you can only Auto-Login to one type of session or app at a time. For example, if you select Auto-Login to Public Session, you will not be able to also have that same device Auto-Login to a Kiosk App.


Scheduled reboot

When you specify the Number of days before reboot, the device will be rebooted after that given number of days. The reboot may not happen at the same time of day, but it may be postponed until the user next signs out.

Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown.

Before changing any of the 4 Chrome update settings below, read How to deploy auto-updates for Chrome devices.

Auto update

Specifies whether Chrome devices automatically update to new versions of Chrome OS as they are released. Allow auto-updates is strongly recommended.

Software support is available only for the latest version of Chrome OS.
Restrict Google Chrome version to at most

Prevents Chrome devices from updating to versions of Chrome OS beyond the version number specified. Using this setting is recommended only if a later version of Chrome OS causes compatibility issues with tools in your domain that need to be resolved prior to updating.

You can configure one or more of your Chrome devices to use the development or beta channel to help identify compatibility issues in upcoming versions of Chrome OS.

Software support is available only for the latest version of Chrome OS.
Randomly scatter auto updates over

Specifies the approximate number of days over which managed Chrome devices in your organization download an update following its release. The downloads occur at various times during this period to avoid causing traffic spikes that can impact old or low-bandwidth networks. Devices that are offline during this period download the update when they go back online.

Set this policy to its default (none) or a low number unless you know your network can't handle traffic spikes. This lets users benefit from new Chrome enhancements and features quicker, minimizes the number of concurrent versions in your organization, and simplifies change management during the update period.

Auto reboot after updates

When Allow auto-reboots is selected, after a successful auto update, the Chrome device will reboot when the user next signs out. Keeping Disallow auto-reboots selected will disable auto-reboots.

Currently, automatic reboots work only when the device is configured to be a Public Session kiosk and when the sign-in screen is being shown.
Release channel

Specifies the release channel for the device. You can leave the default option to Allow user to configure the release channel, or you can specify release channels by org unit. Most organizations keep their users on the Stable Channel or Allow user to configure. We recommend you keep some IT personnel and end-users on the Beta and Development Channels to help your organization:

  • Become familiar with new Chrome OS features before they appear on the Stable Channel.
  • Prepare users for any user interface changes prior to the update.
  • Understand if problems are specific to certain versions of Chrome when troubleshooting.
  • Provide feedback on upcoming Chrome updates.

Select an organizational unit to be able to do the following:

  • Move to Stable Channel
  • Move to Beta Channel
  • Move to Development Channel

Changing a user from an older version of Chrome to a newer version (such as going from Stable to Beta) will take effect the next time the user reboots their computer.

However, changing from a newer version of Chrome to an older version (such as going from Development to Stable) can take longer. In this scenario, the device will stay on the current version of the Development channel, until the Stable channel catches up, which can take some weeks.

Also note that the release channel cannot be changed in the top level organization for your domain, but by organizational units.

Mobile data roaming

Specifies whether users on this Chrome device can go online using a mobile network maintained by a different carrier. With this setting, you fix the value of the Allow mobile data roaming check box on the Internet page in the Chrome device Settings.

If you allow data roaming, charges may apply.

Anonymous metric reporting

Specifies whether the Chrome device sends Google usage statistics and crash reports whenever a system or browser process fails.

Usage statistics contain aggregated information such as preferences, button clicks, and memory usage. They don't include web page URLs or any personal information. Crash reports contain system information at the time of the crash, and may contain web page URLs or personal information, depending on what was happening at the time of the crash.

Device state reporting

Specifies whether Chrome devices enrolled in your domain report their current device state, including firmware, Chrome and platform version, and boot mode. If this setting is enabled, you can view a Chrome device's current device state. In the Admin console, go to Device management > Chrome > Devices and click on the device's serial number to see the device details.

Device user tracking

This setting is off by default. If you enable it, you can track recent device users by clicking on the device in your Admin console under Device management > Chrome > Devices > device serial number > Recent Activity. Note that this setting does not take effect if the Erase all user info setting is enabled.

Time Zone
Specify the timezone to set for your users' devices from the drop-down list.