Set Chrome user policies

For administrators who manage Chrome policies from the Google Admin console.

Not available for Chrome devices enrolled with a single-app kiosk license.

As a Chrome Enterprise admin, you can make user-level settings to enforce Chrome policies that apply when users sign in to a managed Google Account on any device. You can also sync users' work apps and preferences with their personal devices.

Before you begin

Turn on Chrome Browser management (required)

This step only applies if you're managing Chrome Browsers.

For Chrome user-level policies that you set in the Admin console to work on Windows®, Mac®, and Linux® computers, you need to turn on Managed Chrome Browser.

Note: You don't need to turn on Managed Chrome Browser to apply policies to Chromebooks or other Chrome devices managed from your Admin console. User-level policies apply to Chrome devices, even if Chrome Management is turned off.

Understand when user-level policies apply

User-level Chrome policies apply when users are signed in to a managed Google Account on:

Policies do not apply to users signed in as guests or with a Google Account outside your organization (such as a personal Gmail account).

Specify User settings

Before you begin: To make settings for a specific group of users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device management.

    To see Device management, you might have to click More controls at the bottom.

  3. On the left, click Chrome management.
  4. Click User settings.
  5. On the left, select the organization that contains the users you want to make settings for.

    For all users, select the top-level organization. Otherwise, select a child organization. Learn more

    Important: To apply policies for Chrome Browser users on Windows, Mac, or Linux computers, make sure Chrome Management is turned on for this organization.

  6. Make the settings you want. Learn about each setting.

    Tip: Quickly find a setting by using the Search bar at the top.

    Some settings don't apply to all devices. Click the lightbulb next to a setting for details.

    Settings you make for an organization are inherited by users in child organizations, unless overridden at a lower level. The Admin console marks whether a setting is Inherited or overridden (marked Locally applied).

  7. At the bottom, click Save.

    Settings typically take effect in minutes. But they might take up to an hour to apply for everyone.

Learn about each setting

Settings apply when users sign in to a managed Google Account on Chrome Browser or a Chrome device.

Many settings provide the option to either enforce a policy users cannot change, or set a default users can change. For example, you can specify a homepage everyone must use, or let people set their own homepage.

Mobile

Chrome Mobile

Warning: This is an experimental feature. Please inform your users before changing this policy. Provide feedback or report issues here.

If you're a Google Play for Education customer, the 'Apply supported user settings to Chrome on Android' box will be checked by default.

This setting allows you to select whether supported policies should apply to Chrome on mobile devices. Chrome Management needs to be turned on before enabling this setting. Once Chrome Management and this setting are enabled, users who are signed in to Chrome on Android with your organization's account will begin receiving the user settings you set. To see if a policy is supported on Android, check the lightbulb next to each policy in the Admin console. When a user signs out of a managed account, the policy stops applying, and the local profile of Chrome on the device is deleted.

General

Avatar

Replaces the default avatar with a custom avatar. You can upload images in JPG format (.jpg or .jpeg files) no larger than 512 KB. Other file types are not supported.

Custom Wallpaper

Replaces the default wallpaper with your own custom wallpaper. You can upload images in JPG format (.jpg or .jpeg files) up to a size of 16 megabytes. Other file types are not supported.

Smart Lock for Chrome

Allows your users to unlock their Chrome device without a password using their Android phone. As long as a user's Android device is nearby and you've enabled this setting, they no longer need to type a password to unlock their Chrome device. Requirements: Android device with version 5.0+ and a Chrome device with Chrome 40+.

Enrollment Controls

Device Enrollment

Selecting Keep Chrome device in current location means that when you enroll the Chrome device, it will stay in the top-level organization for your domain and will pull device settings from there accordingly.

Selecting Place Chrome device in user organization means that when you enroll the Chrome device, the device will be placed in the organizational unit that the enrolling user is in. The settings you've applied for that user's organizational unit will be applied to the device.

Place Chrome device in user organization is a useful setting if you need to manually enroll many devices. The device settings unique to the user's organization will be automatically added to the device, instead of requiring an additional step of manually moving each device into a specific organization after enrollment.

Note: This policy will only take effect if the device is being enrolled into the domain for the first time or the device was previously deprovisioned.

Asset Identifier During Enrollment

The Asset Identifier During Enrollment setting controls whether users can add an asset ID and location for a device when they enroll it:

  • If you select Do not allow for users in this organization (default), users don't have the option to enter the asset ID and location.
  • If you select Users in this organization can provide asset ID and location during enrollment, users can enter the asset ID and location of the device.

If you choose to allow users to enter the asset ID and location, the Device information screen is shown either with pre-existing data for these fields, or blank if no data already exists. The user can edit or enter the device details before they complete enrollment. This populates the asset ID and location fields in the Admin console and at chrome://policy.

Enrollment Permissions

By default, users in this organization are allowed to enroll a new or re-enroll a deprovisioned device. Enrolling a new device or re-enrolling a deprovisioned device consumes a license. Users can also re-enroll a device that was wiped or factory reset. Re-enrolling a device that was wiped or factory reset doesn't consume a new license because the device is still managed.

Selecting Only allow users in this organization to re-enroll existing devices (cannot enroll new or deprovisioned devices) allows users to only re-enroll devices that were wiped or factory reset, but not deprovisioned. They can’t enroll new or re-enroll deprovisioned devices (anytime a license would be consumed).

Selecting Do not allow users in this organization to enroll new or re-enroll existing devices prevents users from enrolling or re-enrolling any device, which includes re-enrolling through forced re-enrollment.

Apps and Extensions

Allowed Types of Apps and Extensions

By default, users can download any type of Chrome web app or extension they want. This setting allows you to block users from installing certain types of apps by unchecking the type of allowed app.

App and Extension Install Sources

Allows you to specify which URLs are allowed to install extensions, apps, and themes. For example, if a URL where you have a .crx file matches the list, a Chrome installation prompt will appear if the user clicks on the URL. Put one URL pattern on each line. For examples, see the Chrome developer site.

This policy has no effect on Android apps running on Chrome OS. To set policies for Android apps on Chrome devices that support them, see Manage Android apps on Chrome.

Force-installed Apps and Extensions

Choose which apps and extensions to automatically install on the users’ Chrome Browsers or devices that run Chrome OS. The apps appear when users sign in to their managed account. Users can’t remove force-installed apps. The items also bypass any list of blocked apps and extensions.

Click Manage force-installed apps to select apps and extensions to force-install.

Most of the apps and extensions you need are in the Chrome Web Store, but you can also install third-party apps and extensions. To select items to force install, you must have the Chrome Web Store service turned on for your organization.

For details, see Automatically install apps and extensions.

Force installing an app or extension gives it permission to access information on the device it's installed on. For example, an app might access a user's bookmarks or use their location. It can also access a device’s Directory API ID through an extension API, and use the Chrome enterprise.platformKey API without requesting permission. To change the Directory API ID for a device and stay enrolled in your domain, contact support.

This policy has no effect on Android apps running on Chrome OS. To set policies for Android apps on Chrome devices that support them, see Manage Android apps on Chrome.

Allow or Block All Apps and Extensions

Select whether you want to allow or block users from installing all apps and extensions. Based on the setting you choose, you can then make exceptions using the Allowed Apps and Extensions setting (below).  

For details, see Allow or block apps and extensions.

This policy has no effect on Android apps running on Chrome OS. To set policies for Android apps on Chrome devices that support them, see Manage Android apps on Chrome.

Allowed Apps and Extensions

Select apps or extensions to either allow or block users from installing, depending on the Allow or Block All Apps and Extensions setting you make above. Click Manage to open a list of apps. 

For details, see Allow or block apps and extensions.

This policy has no effect on Android apps running on Chrome OS. To set policies for Android apps on Chrome devices that support them, see Manage Android apps on Chrome.

Block extensions by permission

You can use this setting in two ways:

Block installing types of apps

Prevent users from running apps or extensions that request certain permissions that your organization doesn’t allow. Select whether to allow or block apps that request specific permissions. Then check the permissions to allow or block.

For details, see Prevent users from running apps based on permissions.  

Prevent apps from altering company webpages

Control whether apps or extensions in general can alter web pages you specify.

For details, see Prevent Chrome extensions from altering webpages.

  • Blocked URLs—URLs to pages that you want to prevent apps from altering.
  • Allowed URLs—URLs to pages that you want to allow apps to alter. Access is allowed even if the pages are also defined in Blocked URLs.

URL syntax

The format of host patterns is [http|https|ftp|*]://[subdomain|*].[hostname|*].[eTLD|*], where

  • [http|https|ftp|*], [hostname|*], and [eTLD|*] are required, and
  • [subdomain|*] is optional.

Valid host patterns | Matches | Doesn't match
*://*.example.* | http://example.com, https://test.example.co.uk | https://example.google.com, http://example.google.co.uk
http://example.* | http://example.com, http://example.ly | https://example.com, http://test.example.com
http://example.com | http://example.com | https://example.com, http://test.example.co.uk
http://*.example.com | http://example.com, http://test.example.com, http://t.t.example.com | https://example.com, https://test.example.com
http://example.co.* | http://example.co.com, http://example.co.co.uk | http://example.co.uk
http://*.test.example.com | http://t.test.example.com, http://test.example.com | http://not.example.com
*://* | All URLs |

Invalid host patterns

  • http://t.*.example.com
  • http*://example.com
  • http://*example.com
  • http://example.com/
  • http://example.com/*
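
A checker for the host-pattern grammar above, written as an added example (not part of the original page and not Chrome's own code). It rejects the invalid patterns listed and reproduces the table's results; SAMPLE_SUFFIXES is a constructed stand-in for the Public Suffix List, and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: only the suffixes the
# sample URLs need. A real checker would load the full list.
SAMPLE_SUFFIXES = {"com", "uk", "co.uk", "ly"}
SCHEMES = {"http", "https", "ftp", "*"}
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?")


def parse_pattern(pattern):
    """Return (scheme, sub_wild, labels, etld_wild) or raise ValueError."""
    scheme, sep, host = pattern.partition("://")
    if not sep or scheme not in SCHEMES:
        raise ValueError("scheme must be http, https, ftp or *")
    if host == "*":                       # "*://*": any host
        return scheme, True, [], True
    labels = host.lower().split(".")
    sub_wild = labels[0] == "*"           # optional leading subdomain wildcard
    if sub_wild:
        labels = labels[1:]
    etld_wild = bool(labels) and labels[-1] == "*"   # trailing eTLD wildcard
    if etld_wild:
        labels = labels[:-1]
    # A hostname is required; so is a literal eTLD when there is no wildcard.
    if len(labels) < (1 if etld_wild else 2):
        raise ValueError("hostname and eTLD are required")
    for label in labels:
        if not LABEL.fullmatch(label):    # rejects "*example", inner "*", "com/"
            raise ValueError(f"bad host label {label!r}")
    return scheme, sub_wild, labels, etld_wild


def is_valid(pattern):
    try:
        parse_pattern(pattern)
        return True
    except ValueError:
        return False


def registrable_part(labels):
    """Labels left of the longest known public suffix, or None if unknown."""
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SAMPLE_SUFFIXES:
            return labels[:i]
    return None


def matches(pattern, url):
    scheme, sub_wild, labels, etld_wild = parse_pattern(pattern)
    parts = urlsplit(url)
    if not parts.hostname or (scheme != "*" and parts.scheme != scheme):
        return False
    if not labels:                        # "*://*"
        return True
    target = parts.hostname.lower().split(".")
    if etld_wild:                         # compare only what precedes the eTLD
        target = registrable_part(target)
        if target is None:
            return False
    if sub_wild:                          # the subdomain part is optional
        return target[-len(labels):] == labels
    return target == labels


# Rows of the table above: (pattern, URLs that match, URLs that don't).
TABLE = [
    ("*://*.example.*", ["http://example.com", "https://test.example.co.uk"],
     ["https://example.google.com", "http://example.google.co.uk"]),
    ("http://example.*", ["http://example.com", "http://example.ly"],
     ["https://example.com", "http://test.example.com"]),
    ("http://example.com", ["http://example.com"],
     ["https://example.com", "http://test.example.co.uk"]),
    ("http://*.example.com", ["http://example.com", "http://test.example.com",
                              "http://t.t.example.com"],
     ["https://example.com", "https://test.example.com"]),
    ("http://example.co.*", ["http://example.co.com", "http://example.co.co.uk"],
     ["http://example.co.uk"]),
    ("http://*.test.example.com", ["http://t.test.example.com",
                                   "http://test.example.com"],
     ["http://not.example.com"]),
    ("*://*", ["https://any.example.ly"], []),
]
INVALID = ["http://t.*.example.com", "http*://example.com",
           "http://*example.com", "http://example.com/", "http://example.com/*"]


def table_mismatches():
    """Every (pattern, url) whose result disagrees with the table."""
    bad = []
    for pattern, yes, no in TABLE:
        bad += [(pattern, u) for u in yes if not matches(pattern, u)]
        bad += [(pattern, u) for u in no if matches(pattern, u)]
    return bad


if __name__ == "__main__":
    print("table mismatches:", table_mismatches())
    print("invalid patterns accepted:", [p for p in INVALID if is_valid(p)])
```

Running a Blocked URLs or Allowed URLs list through a check like this before saving shows whether an eTLD wildcard covers more or fewer hosts than intended.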

 

Pinned Apps and Extensions

This setting selects the apps and extensions that are pinned to the app launcher your users see when signed in to their Chrome device.

This policy has no effect on Android apps running on Chrome OS. For information on force installing Android apps on Chrome devices that support them, see Enable Android Apps on Chrome OS.

Task Manager

This setting allows you to block users from ending processes with the Chrome task manager. By default, users can end processes using the task manager.

Select Allow users to end processes with the Chrome task manager to allow users to end processes using the task manager.

If you select Block users from ending processes with the Chrome task manager, users can still open the task manager but can’t use it to end a process, because the End process button is disabled (greyed out).

Site isolation

Manage Site Isolation

Turn on site isolation for managed Chrome Browser users. Isolate websites and origins that you specify.

  • Site isolation not enabled—Users can choose whether to turn on site isolation.
  • Turn on site isolation for all websites (SitePerProcess)—Every site runs in a dedicated rendering process. All sites are isolated from each other. 

    Optionally enter a list of origins, separated by commas, to isolate them from their respective websites. For example, you could enter https://login.example.com to isolate it from the rest of the https://example.com website.

  • Turn on site isolation for specific websites, set below (IsolateOrigins). Sites you specify run in a separate process. Enter the list of websites, separated by commas, that you want to isolate. Each entry runs in a dedicated rendering process. You can include sites that users sign in to as well as other sites that contain sensitive information, such as productivity sites or intranet sites.

For details, see Protect your data with site isolation.

Chrome Web Store

Chrome Web Store Homepage

You can change the Chrome Web Store Homepage to a custom homepage for your users when they're signed in. You can also recommend apps and extensions for your domain in a custom collection named after your domain in the Chrome Web Store.

Chrome Web Store Permissions

Checking Allow users to publish private apps that are restricted to your domain on Chrome Web Store allows users to publish private apps that are restricted to your domain on the Chrome Web Store. Learn more about how to create a private Chrome app collection and how to publish a private Chrome app.

Checking Allow users to skip verification for websites not owned allows users to publish apps restricted to your domain without requiring them to verify that they own the domain they're linking to. This feature is useful for creating private bookmark apps for your organization. Note that this only applies to private apps restricted to your domain.

Android applications

Android applications on Chrome Devices

By default, users in this organization are not allowed to install Google Play and Android Apps on devices. Selecting Allow will give users access to the approved apps in the Google Play Store on their Chrome devices.

File System Migration

This setting is for older Chromebooks that you want to run Android apps. You need to complete the file system migration before you can enable Android applications for older Chrome devices. Before enabling this setting, read the article Use Android apps on older Chromebooks.

This setting only works on Chrome devices running Chrome OS version 61 and later.

Access to Android applications

By default, users in this organization can only install approved Android applications on their Chrome devices. Selecting Allow lets users search and install all applications in Google Play.

Note: The Access to Android applications setting is not available for G Suite for Education domains.

Account Management

By default, users can add a secondary account (for example, their personal gmail account) to get access to more Android apps than just the ones you explicitly approved for managed Google Play. To stop users adding a second Google account, select the Google account checkbox.

Certificate Synchronization

By default, Google Chrome OS CA certificates are not synchronized to Android apps. To make Chrome OS CA certificates available to Android apps, select Enable usage of Chrome OS CA certificates in Android apps.

Security

Password Manager

Corresponds to the paired radio button options Offer to save passwords and Never save passwords, on the Personal Stuff page of the Chrome Settings.

When you enable Password Manager, users can have Google Chrome remember passwords and provide them automatically the next time they log in to a site. If you disable Password Manager, users cannot save new passwords but they can still use passwords that were previously saved. You can allow the user to configure the option, or you can specify that it is always enabled or disabled.

Lock Screen

Select to turn on or off the lock screen on a user’s device. If you disable the lock screen (Do not allow locking screen), the system logs out the user in cases where the lock screen would normally have activated. Idle settings that lead to the lock screen (for example, Lock screen on sleep) will also log the user out.

Idle Settings

Idle time in minutes

To specify the amount of idle time before a user’s device goes to sleep or signs them out, enter a value in minutes. To use the system default, which varies by device, leave the box empty.

Action on idle

Select if you want a user’s device to go to sleep or sign them out after the idle time expires.

Action on lid close

Select if you want a user's device to go to sleep or sign them out when they close the device lid.

Lock screen on sleep

Select to lock a user’s screen when the device goes to sleep, or let the user decide. If you select Allow user to configure, users configure the option in their device settings.

Incognito Mode

Specifies whether users can browse in incognito mode.

Setting this policy to Disallow Incognito Mode prevents users from opening new incognito windows. But it does not close incognito windows that are already open, nor does it prevent users from opening new tabs in those windows.

Browser History

Controls whether the browser saves the user's browsing history.

Clear Browser History

Specifies whether users can clear browser data, including their browsing and download history.

Note: Preventing users from clearing browser data doesn't guarantee that browser and download history will be kept. For example, if a user deletes their profile, their browsing history is cleared.

Force Ephemeral Mode

Specifies whether users browse in ephemeral mode or not.

Ephemeral mode enables your employees to work from their personal laptop or a shared device that they trust, while reducing the chances of any browsing information being left behind on their device.

Note: If you use this setting, we recommend that you do not disable Google Chrome Sync in the Admin console.

Online Revocation Checks

Advanced feature: If you select Perform online OCSP/CRL checks, Chrome devices perform online revocation checks of HTTPS certificates.

Safe Browsing

Specifies whether Google Safe Browsing is turned on for users.

Safe Browsing in Chrome helps protect users from websites that may contain malware or phishing content. The default setting is Allow user to decide whether to use Safe Browsing. Alternatively, you can choose to Always enable Safe Browsing or Always disable Safe Browsing.

Malicious Sites

Configure whether or not you want your users to be able to navigate to a potentially malicious site from a warning page.

Geolocation

Sets whether websites are allowed to track the user's physical location.

In the case of Chrome, this policy corresponds to the user options in the user's Chrome Settings under Privacy and security > Content settings > Location. Tracking the physical location can be allowed by default, denied by default, or the user can be asked each time a website requests the physical location.

In the case of Android apps running on Chrome, if this policy is set to denied by default, Android apps cannot access location information. If you set this policy to any other value or leave it unset, the user is asked to consent when an Android app wants to access location information.

Single Sign-On Online Login Frequency

Sets the frequency of forced online login flows for SAML-based Single Sign-On accounts. 

When you apply this policy, each time users sign out after the set frequency period, they must go through the online login flow for SAML-based Single Sign-On accounts.

Important: Before using this policy, see all requirements in Set up SAML SSO for Chrome devices.

Single Sign-On

Allows you to enable or disable SAML-based Single Sign-On for Chrome Devices.

Important: Before using this policy, see all requirements in Set up SAML SSO for Chrome devices.

Remote access clients

Configures the required domain name for remote access clients, and prevents users from changing this setting. Only clients from the specified domain can connect to the host device. If this setting is disabled, or not set, the host allows connections from authorized users from any domain.

Session Settings

Show Logout Button in Tray

Select to show the sign out button explicitly in the shelf. This is useful for users where the sign out button needs to be emphasized for easier and faster signing out from a Chrome device. By default, the sign out button will remain accessible only from within the tray menu.

Network

Proxy mode

Specifies how Google Chrome connects to the Internet.

If you leave the setting at its default Allow user to configure, the user can change the proxy configuration in their Chrome Settings. If you choose any of the other Proxy Mode options, the user can't change the configuration.

Never use a proxy means that the Chrome device always establishes a direct connection to the Internet without passing through a proxy server. A direct connection is also the default configuration for Chrome devices, if you do not set a policy and the user doesn't change the configuration.

Always auto detect the proxy instructs the Chrome device to determine which proxy server to connect to using the Web Proxy Autodiscovery Protocol (WPAD).

Always use the proxy specified below sets a specific proxy server for handling requests from this user. If you select this option, you need to enter the URL of the proxy server in the Proxy Server URL text box below. Format the Proxy Server URL as 'IP address:port', such as '192.168.1.1:3128'. Leave it empty for any other Proxy Mode setting.

If there are any URLs that should bypass the proxy server that handles other user requests, enter them in the Proxy Bypass List text box. If you include multiple URLs, separate them by putting one URL per line.

Always use the proxy auto-config specified below. For the Proxy Server Auto Configuration File URL, insert the URL of the .pac file that should be used for network connections.

Android apps running on Chrome OS

If you have Enabled Android Apps on supported Chrome devices, a subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor (typically apps using Android System WebView or the in-built network stack will do so):

If you choose never use a proxy server, Android apps are informed that no proxy is configured.

If you choose use system proxy settings or fixed server proxy, Android apps are provided with the http proxy server address and port.

If you choose auto detect proxy server, the script URL "http://wpad/wpad.dat" is provided to Android apps. No other part of the proxy auto-detection protocol is used.

If you choose .pac proxy script, the script URL is provided to Android apps.

SSL Record Splitting

Advanced feature: Enabling this setting will allow SSL record splitting in Chrome. Record splitting is a workaround for a weakness in SSL 3.0 and TLS 1.0 but can cause compatibility issues with some HTTPS servers and proxies. This is supported only on Chrome devices.

Data Compression Proxy

Data Compression Proxy can reduce cellular data usage and speed up mobile web browsing by using proxy servers hosted at Google to optimize website content.

You can choose to Always enable data compression proxy or Always disable data compression proxy. The default setting is to Allow user to decide whether to use data compression proxy.

QUIC Protocol

This setting allows Quick UDP Internet Connections (QUIC) protocol to be used in Chrome. QUIC is a new transport protocol that reduces latency compared to Transmission Control Protocol (TCP). Learn more about QUIC protocol.

WebRTC UDP Ports

This setting allows you to specify a UDP port range to use for WebRTC connections from the user. The port range is (1024-65535) and the maximum should be greater than or equal to the minimum.

Startup

Home Button

Specifies whether a home button appears in the toolbar. For Chrome, this policy corresponds to the user setting Show Home button under Appearance in the user's Chrome Settings.

Homepage

Controls whether the homepage is the new tab page, or if your users can configure this for themselves. The homepage is the URL that your users see when they click the Home Button mentioned above.

The default is to Allow user to configure their new homepage in their Chrome menu. If you don't want to allow the user to change the homepage, you can specify that the Homepage is always the new tab page or that the Homepage is always the Homepage URL, set below.

If you select Homepage is always the Homepage URL, set below, enter the URL for the homepage in the text box. With this option, users can't change their homepage in Chrome.

Pages to Load on Startup

Enables you to specify URLs for pages that should load when the user starts the Chrome device. The specified home page appears on the active tab; any pages you list here appear on additional tabs.

Content

Safe Search and Restricted Mode

The following Google SafeSearch and YouTube Restricted Mode policies apply to Chrome devices on Chrome 41 and later:

Google Safe Search for Google Web Search queries

  • Do not enforce Safe Search for Google Web Search queries - Default setting.
  • Always use Safe Search for Google Web Search queries - Selecting this option will make your selected users use SafeSearch.

Restricted Mode for YouTube

  • Do not enforce Restricted Mode on YouTube - Default setting.
  • Enforce at least Moderate Restricted Mode on YouTube - Selecting this option will make your selected users use Restricted Mode. It algorithmically limits which videos are viewable based on their content.

  • Enforce Strict Restricted Mode for YouTube - Selecting this option will make your selected users use Strict Restricted Mode. This further limits available videos.

Warning for domains with devices running previous versions of Chrome

  • Selecting Always use Safe Search for Google Web Search queries will also turn on YouTube Restricted Mode for Chrome devices running Chrome version 40 and prior.
  • The Enforce at least Moderate Restricted Mode on YouTube setting will not work on devices running Chrome version 40 and prior.
  • The Enforce Strict Restricted Mode for YouTube setting will not work on devices running Chrome version 55 and prior.

We recommend you update your devices to the latest stable version of Chrome to be able to set restrictions on YouTube.

Screenshot

Controls whether users in your organization can take screenshots on Chrome devices. The policy applies to screenshots taken by any means, including the keyboard shortcut, and apps and extensions that use the Chrome API to capture screenshots.

If you have enabled Android apps on supported Chrome devices in your organization, screenshot policies also apply to those devices.

Automatically Select Client Certificate for These Sites

This setting allows you to specify a list of URL patterns (as a JSON string) for which sites Chrome should automatically select client certificates. If this is configured, Chrome will skip the client certificate selection prompt for matching sites if a valid client certificate is installed. If this policy isn’t set, auto-selection won’t be done for websites that request certificates.

The ISSUER/CN parameter specifies the common name of the certification authority that client certificates to be auto-selected must have as their issuer.

How to format JSON string:

{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}

Example JSON string:

{"pattern": "https://[*.]ext.example.com", "filter": {}},
{"pattern": "https://[*.]corp.example.com", "filter": {}},
{"pattern": "https://[*.]intranet.usercontent.com", "filter": {}}
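
An audit sketch for entries in this format, added here as an example and not taken from the page or from Chrome: it reports which installed certificates a matching site could receive without a prompt, showing that an empty filter accepts any issuer. The certificate records, the pinned entry's CN and the function names are constructed; only scheme://host patterns with an optional [*.] prefix are handled, and results from several matching entries are merged as a simplification.

```python
import json
from urllib.parse import urlsplit


def parse_entry(raw):
    """Parse one entry; return (pattern, required issuer CN or None)."""
    text = raw.strip().rstrip(",")        # tolerate the list-style trailing comma
    try:
        entry = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc.msg}") from None
    if not isinstance(entry, dict) or not isinstance(entry.get("pattern"), str):
        raise ValueError('entry needs a "pattern" string')
    flt = entry.get("filter", {})
    if not isinstance(flt, dict):
        raise ValueError('"filter" must be an object')
    issuer = flt.get("ISSUER", {})
    if not isinstance(issuer, dict):
        raise ValueError('"ISSUER" must be an object')
    return entry["pattern"], issuer.get("CN")


def pattern_matches(pattern, url):
    """Match scheme and host; a leading [*.] also accepts any subdomain."""
    p_scheme, sep, p_host = pattern.partition("://")
    parts = urlsplit(url)
    if not sep or parts.scheme != p_scheme or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if p_host.startswith("[*.]"):
        base = p_host[4:].lower()
        # The "." boundary keeps evilcorp.example.com out of corp.example.com.
        return host == base or host.endswith("." + base)
    return host == p_host.lower()


def eligible_certs(entries, url, installed):
    """Subjects of installed certs that could be auto-selected for url."""
    picked = []
    for raw in entries:
        pattern, issuer_cn = parse_entry(raw)
        if not pattern_matches(pattern, url):
            continue
        for cert in installed:
            # issuer_cn is None for an empty filter: every issuer is accepted.
            if issuer_cn in (None, cert["issuer_cn"]) and cert["subject"] not in picked:
                picked.append(cert["subject"])
    return picked


def unpinned_patterns(entries):
    """Patterns whose filter names no issuer CN."""
    return [p for p, cn in map(parse_entry, entries) if cn is None]


# The page's three example entries, plus one constructed entry that pins an issuer.
ENTRIES = [
    '{"pattern": "https://[*.]ext.example.com", "filter": {}},',
    '{"pattern": "https://[*.]corp.example.com", "filter": {}},',
    '{"pattern": "https://[*.]intranet.usercontent.com", "filter": {}}',
    '{"pattern":"https://www.example.com",'
    '"filter":{"ISSUER":{"CN":"Example Corp Issuing CA"}}}',
]
# Constructed certificate store for the demonstration.
INSTALLED = [
    {"subject": "alice (corp)", "issuer_cn": "Example Corp Issuing CA"},
    {"subject": "alice (personal)", "issuer_cn": "Some Other CA"},
]

if __name__ == "__main__":
    for site in ("https://vpn.corp.example.com/login", "https://www.example.com/"):
        print(site, "->", eligible_certs(ENTRIES, site, INSTALLED))
    print("no issuer pinned:", unpinned_patterns(ENTRIES))
```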

3D Content

Controls whether the browser allows web pages to use the WebGL API and plugins. WebGL (Web-based Graphics Library) is a software library that enables JavaScript to generate interactive 3D graphics.

Cookies

Default Cookie Setting sets whether websites are allowed to store browsing information, such as your site preferences or profile information.

This setting corresponds to the user options in the Cookies section of Chrome Settings. You can allow the user to configure the option, or you can specify that cookies are always allowed, never allowed, or kept only for the duration of a user's session.

Allow Cookies for URL Patterns

Allows you to specify a list of URL patterns of sites that are allowed to set cookies. For example, you can put URLs in either of the following formats on separate lines: "http://www.example.com" and "[*.]example.edu". If this policy is not set, what you specify under Default Cookie Setting will be the global default, or a user can set their own configuration.

Block Cookies for URL Patterns

Allows you to specify a list of URL patterns of sites that are not allowed to set cookies. For example, you can put URLs in either of the following formats on separate lines: "http://www.example.com" and "[*.]example.edu". If this policy is not set, what you specify under Default Cookie Setting will be the global default, or a user can set their own configuration.

Allow Session-Only Cookies for URL Patterns

Allows you to specify a list of URL patterns of sites that are allowed to set session-only cookies. For example, you can put URLs in either of the following formats on separate lines: "http://www.example.com" and "[*.]example.edu". The cookies are deleted after these sessions. If this policy is not set, what you specify under Default Cookie Setting will be the global default, or a user can set their own configuration.

Third-Party Cookie Blocking

"Allow users to decide whether to allow third-party cookies" is the default. If you select "Allow third-party cookies," third-party cookies will be allowed on Chrome. If you disable this setting, they will be blocked.

Images

Sets whether websites are allowed to display images. For Show Images on These Sites and Block Images on These Sites, put one URL pattern on each line.

JavaScript

Sets whether websites are allowed to run JavaScript. JavaScript is commonly used by web developers to make their sites more interactive. If you disable JavaScript, some sites won't work properly.

Note about Google Calendar notifications: To enable notifications, follow the instructions below.

Notifications

Sets whether websites are allowed to display desktop notifications. Desktop notifications can be allowed by default, denied by default, or the user can be asked each time a website wants to show desktop notifications.

Note: With Chrome 64 and later, JavaScript alerts are no longer allowed to interrupt users. Apps that previously used alerts, such as Google Calendar, can send notifications instead. To allow this, add the URL "calendar.google.com" to the text box Allow These Sites to Show Desktop Notifications.

Plug-ins

Sets whether websites are allowed to run plug-ins. Plug-ins are used by websites to enable certain types of web content (such as Flash) that Chrome can't inherently process.

There are important changes to how the Adobe Flash plug-in works on Chrome versions 54 and later. To learn more, see Changes to Flash in Chrome 54 and later.

Enabled and Disabled Plug-ins

Enabled Plug-ins specifies a list of plugins that are always enabled in Chrome, such as Java and Shockwave Flash, and prevents users from changing this setting. Plugin names are case-sensitive. Put one plugin per line.

List the plugins as a list of quoted names separated by commas. The names can include wildcards. The symbol '*' matches an arbitrary number of characters while '?' specifies an optional single character. The escape character is '\', so to match actual '*', '?', or '\' characters, put a '\' in front of them.

For example, enter "Chrome PDF Viewer","*Gears*" on separate lines to enable the Chrome PDF Viewer plug-in and anything with "Gears" in its name. Note: This setting is ignored if you Block all plug-ins in the Plug-ins setting.

Disabled Plug-ins specifies a list of plugins to block from running.

Exceptions to Disabled Plug-ins specifies a list of plugins that users can enable or disable in Chrome, even if they also match one or more entries in the Disabled Plug-ins list.

Plugin Finder

Enabling this setting allows Chrome to automatically search and install missing plugins on your users’ Chrome devices.

Plugin Authorization

The default setting is that users will be asked for permission to run plugins that could compromise security. If you change it to "Always run plugins that require authorization," plugins that are not outdated or disabled can run in Chrome without first asking the user for permission.

Outdated Plugins

"Ask user for permission to run outdated plugins" is the default setting. Selecting "Disallow outdated plugins" will block them from running in Chrome. "Allow outdated plugins to be used as normal plugins" means that the outdated plugins will be allowed to run as normal plugins.

Pop-ups

Sets whether websites are allowed to show pop-ups. Whenever the browser blocks pop-ups for a site, the blocked pop-up alert icon appears in the address bar. The user can click the icon to see the pop-ups that have been blocked.

URL Blacklist

Prevents Chrome users from accessing specific URLs.

To configure this policy, enter up to 1,000 URLs on separate lines.

URL syntax

Each URL must have a valid hostname (such as google.com), an IP address, or an asterisk (*) in place of the host. The asterisk functions like a wildcard, representing all hostnames and IP addresses.

URLs can also include:

  • The URL scheme, which is http, https, or ftp, followed by ://
  • A valid port value from 1 to 65,535
  • The path to the resource
  • Query parameters

Note the following:

  • To optionally disable subdomain matching, put an extra period before the host.
  • You cannot use user:pass fields, such as http://user:pass@ftp.example.com/pub/bigfile.iso. Instead, enter http://ftp.example.com/pub/bigfile.iso.
  • When both blacklist and blacklist exception filters apply (with the same path length), the exception filter takes precedence.
  • If an extra period precedes the host, the policy filters exact host matches only.
  • The policy searches wildcards (*) last.
  • The optional query is a set of key-value and key-only tokens delimited by '&'.
  • The key-value tokens are separated by '='.
  • A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching.

Examples

| URL blacklist entry | Result |
| --- | --- |
| example.com | Blocks all requests to example.com, www.example.com, and sub.www.example.com |
| http://example.com | Blocks all HTTP requests to example.com and any of its subdomains, but allows HTTPS and FTP requests. |
| https://* | Blocks all HTTPS requests to any domain. |
| mail.example.com | Blocks requests to mail.example.com but not to www.example.com or example.com |
| .example.com | Blocks example.com but not its subdomains, like example.com/docs. |
| .www.example.com | Blocks www.example.com but not its subdomains. |
| * | Blocks all requests except for those to blacklist exception URLs. This includes any URL scheme, such as http://google.com, https://gmail.com, and chrome://policy. |
| *:8080 | Blocks all requests to port 8080. |
| */html/crosh.html | Blocks Chrome Secure Shell (Also known as "Crosh Shell") |
| chrome://settings-frame | Blocks all requests to chrome://settings. |
| example.com/stuff | Blocks all requests to example.com/stuff and its subdomains. |
| 192.168.1.2 | Blocks requests to 192.168.1.2. |
| youtube.com/watch?v=V1 | Blocks youtube video with id V1 |

Using blacklists with Android apps

If you enable Android apps on supported Chrome devices in your organization, the URL blacklist isn't honored by apps that use Android System WebView. To enforce a blacklist on these apps, define (see below) the blacklisted URLs in a text file. Then, apply the blacklist to the Android apps on an app-by-app basis.

The following example shows how to define a blacklisted URL:

{ "com.android.browser:URLBlacklist": "[\"www.solamora.com\"]" }

For apps that don’t use Android System WebView, consult the app documentation for information on how to restrict access in a similar way.

URL blacklist exception

Specifies exceptions to the URL blacklist.

To configure the policy, enter up to 1000 URLs on separate lines.

URL syntax

Each URL must have a valid hostname (such as google.com), an IP address, or an asterisk (*) in place of the host. The asterisk functions like a wildcard, representing all hostnames and IP addresses.

URLs can also include:

  • The URL scheme, which is http, https, or ftp, followed by ://
  • A valid port value from 1 to 65,535
  • The path to the resource
  • Query parameters

Note the following:

  • To optionally disable subdomain matching, put an extra period before the host.
  • You cannot use user:pass fields, such as http://user:pass@ftp.example.com/pub/bigfile.iso. Instead, enter http://ftp.example.com/pub/bigfile.iso.
  • When both blacklist and blacklist exception filters apply (with the same path length), the exception filter takes precedence.
  • If an extra period precedes the host, the policy filters exact host matches only.
  • The policy searches wildcards (*) last.
  • The optional query is a set of key-value and key-only tokens delimited by '&'.
  • The key-value tokens are separated by '='.
  • A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching.

Examples

| URL blacklist entry | URL blacklist exception entries (one per line) | Result |
| --- | --- | --- |
| * | mail.example.com, wikipedia.org, google.com, chrome://* | The asterisk (*) in the blacklist field blocks all results. The URLs entered in the exception field indicate the specific sites to allow. "chrome://*" grants exception to all Chrome system pages. |
| example.com | https://mail.example.com, .example.com, .www.example.com | Blocks all access to the domain example.com, except to the mail server using HTTPS and to the main page. |
| youtube.com | youtube.com/watch?v=V1, youtube.com/watch?v=V2 | Blocks all access to youtube, except for selected videos (V1 and V2). |
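
The matching rules listed for the URL blacklist and its exceptions can be checked against test URLs before a pair of lists is deployed. The following Python model is an added example, not Chrome's own code and not part of the original article. The function names, the prefix treatment of paths, the whole-token query comparison, and the specificity ordering used to pick the winning filter are assumptions of this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def parse_filter(entry, is_exception):
    """Split one policy line into the components named under 'URL syntax'."""
    scheme, rest = entry.split("://", 1) if "://" in entry else (None, entry)
    rest, _, query = rest.partition("?")
    hostport, slash, path = rest.partition("/")
    if "@" in hostport:
        raise ValueError(f"user:pass fields are not allowed: {entry!r}")
    host, _, port = hostport.partition(":")  # IPv6 literals are not handled here
    if not host.lstrip("."):
        raise ValueError(f"hostname, IP address or * required: {entry!r}")
    if port and not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {entry!r}")
    return {
        "entry": entry,
        "is_exception": is_exception,
        "scheme": scheme.lower() if scheme else None,
        "exact_host": host.startswith("."),  # extra period: no subdomain matching
        "host": host.lstrip(".").lower(),
        "port": int(port) if port else None,
        "path": slash + path,
        "tokens": [t for t in query.split("&") if t],
    }


def token_matches(token, url_tokens):
    """A trailing '*' is a prefix match; otherwise the whole token must be present."""
    if token.endswith("*"):
        return any(u.startswith(token[:-1]) for u in url_tokens)
    return token in url_tokens


def filter_matches(f, url):
    """True when every component the filter specifies agrees with the URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if f["scheme"] and f["scheme"] != parts.scheme:
        return False
    if f["host"] != "*" and host != f["host"]:
        if f["exact_host"] or not host.endswith("." + f["host"]):
            return False
    if f["port"] is not None:
        if (parts.port or DEFAULT_PORTS.get(parts.scheme)) != f["port"]:
            return False
    if not (parts.path or "/").startswith(f["path"]):  # path as prefix (assumption)
        return False
    url_tokens = parts.query.split("&")  # token order is ignored
    return all(token_matches(t, url_tokens) for t in f["tokens"])


def specificity(f):
    """Assumed ordering: wildcard hosts rank last, exceptions win exact ties."""
    return (f["host"] != "*", f["exact_host"], len(f["host"]),
            len(f["path"]), len(f["tokens"]), f["is_exception"])


def decide(url, blacklist, exceptions):
    """Return (verdict, winning entry) for url under the two policy lists."""
    if len(blacklist) > 1000 or len(exceptions) > 1000:
        raise ValueError("each list accepts up to 1,000 URLs")
    filters = [parse_filter(e, False) for e in blacklist]
    filters += [parse_filter(e, True) for e in exceptions]
    hits = [f for f in filters if filter_matches(f, url)]
    if not hits:
        return ("allowed", None)
    best = max(hits, key=specificity)
    return ("allowed" if best["is_exception"] else "blocked", best["entry"])


if __name__ == "__main__":
    # Lists taken from the page's second exception example; test URLs are constructed.
    blacklist = ["example.com"]
    exceptions = ["https://mail.example.com", ".example.com", ".www.example.com"]
    for url in ("https://mail.example.com/inbox", "http://mail.example.com/",
                "http://example.com/", "http://docs.example.com/"):
        print(url, *decide(url, blacklist, exceptions))
```

Running the lists through `decide` with URLs that should and should not load shows which entry wins for each, which helps catch an exception that is shadowed by a more specific blacklist entry.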

Using blacklists with Android apps

If you have enabled Android apps on supported Chrome devices in your organization, this blacklist exception will typically be honored by Android apps that use Android System WebView. Other apps may or may not respect the blacklist. As an administrator, you may choose to not whitelist these apps.

Google Drive Syncing

Lets administrators configure whether or not users can sync with Google Drive on their Chrome device. Administrators can enable or disable Drive syncing, or let users choose in their local Chrome settings.

This policy has no effect on the Google Drive Android app on Chrome OS. To completely disable any syncing to Google Drive, configure this policy and do not allow the Google Drive Android app to be installed on supported Chrome devices.

Google Drive Syncing over Cellular

Lets administrators configure whether or not users can sync with Google Drive over a cellular connection (like a 3G connection) on their Chrome device. Administrators can enable or disable Drive syncing over cellular connections.

This policy has no effect on the Google Drive Android app on Chrome OS.

Cast

Allow users to cast from Chrome

Decide if users can use a Chromecast device to cast from a Chrome tab.

Show Cast icon in the toolbar

This controls whether the Cast icon appears on the browser toolbar in Chrome. If you select Always show the Cast icon in the toolbar, it always appears on the toolbar or overflow menu and users can't remove it.

If you don't let users cast, you can't configure this policy. The Cast icon doesn't appear on the toolbar.

Printing

Printing

You can enable or disable printing. When printing is disabled, a user won’t be able to print from the Chrome menu, extensions, JavaScript applications, etc. 

This policy has no effect on Android apps running on Chrome OS.

Print Preview

Selecting Allow using print preview allows your users to see a print preview with Google Cloud Print. Selecting Always use the system print dialog instead of print preview will use the computer’s print dialog window and not Cloud Print when printing.

Google Cloud Print Submission

This setting allows or blocks users from signing in to the Cloud Print service to print. On Windows, Mac, and Linux, users can still print using their system print dialog when this setting is turned off. Users won’t be able to print from Chrome OS if this setting is disabled.

Google Cloud Print Proxy

Enabling this setting allows your user’s Chrome browser on their Windows, Mac, or Linux computer to act as a proxy between Google Cloud Print and the printers connected to their device. Your users can set up Google Cloud Print by going to https://www.google.com/cloudprint and signing in with their Google account.

Selecting disallow will block Chrome from sharing your device’s printers with Google Cloud Print.

Print Preview Default

Note: This policy is also available for public sessions.

Default printer selection

To use the default system printer as the default printer for Chrome, select Use default print behavior.

To define a default printer for users, select Define the default printer. When a user prints, Chrome tries to find a printer that matches the printer type and ID or name you specify. It then selects it as the default printer.

This policy has no effect on Android apps running on Chrome OS.

Printer Types

Select the type of printer to search for and use as the default printer. To search for all types, select Cloud & Local printers.

Printer Matching

Select if you want to search for printers by name or ID.

Default Printer

Specify a regular expression that matches the name or ID of the printer you want to use as the default printer. The expression is case-sensitive. Printing defaults to the first printer that matches the name. For example:

  • To match a printer named Solarmora Lobby, type Solarmora Lobby.
  • To match a printer in solarmora-lobby-1 or solarmora-lobby-2, type solarmora-lobby-.$.
  • To match a printer in solarmora-lobby-guest or solarmora-partner-guest, type solarmora-.*-guest.

This policy has no effect on Android apps running on Chrome OS.

Native Chrome OS Printing

Allows you to set up printing to local and network printers so that users can print without setting up Google Cloud Print. When you add a printer, it automatically appears in your users’ list of Chrome printers. For information about setting up native printing, see Manage local and network printers.

Native printers management

This setting gives you an on/off switch to allow or block your users from adding native printers to their Chrome devices.

The default is to Allow users to add new printers. To block your users from adding printers, select Do not allow users to add new printers.

This setting works for Chrome devices running Chrome OS version 67 and later. For information about setting up native printing, see Manage local and network printers.

User Experience

Managed Bookmarks

Allows you to push a list of bookmarks for the convenience of users on Chrome on all platforms including mobile devices. On Chrome Devices and Chrome on Desktop, the bookmarks will appear in a folder on Chrome's bookmark bar. The user cannot modify the contents of this folder, but can choose to hide it from the bookmark bar. On Chrome Mobile, this also appears as a folder within Bookmarks.

Bookmark Bar

"Allow user to decide whether to enable bookmark" is the default setting. You can enable or disable this setting to determine whether or not Chrome will show a bookmark bar.

Bookmark Editing

Bookmark editing allows users to add, edit or remove items from their Chrome bookmarks bar. Administrators can enable or disable this setting.

Set download location

Sets the default download location on Chrome devices and specifies whether a user is allowed to modify that location. The download location policy choices are:

  • Set Google Drive as default, but allow user to change
  • Local Downloads folder, but allow user to change
  • Force Google Drive

If the user has already explicitly chosen a download location before you select one of the first two policies - Set Google Drive as default, but allow user to change or Local Downloads folder, but allow user to change, the user's original choice is respected. If the user has not already chosen a download location before you select one of these two policies, the default is set but the user can change it later.

If you select Force Google Drive (regardless of prior user choice), Google Drive is forced to be the download folder and a user is not allowed to change this setting. However, the user can still move files between local folders and Google Drive using the Files app.

This policy has no effect on Android apps running on Chrome OS. Android apps usually download to a download folder mapped to the Chrome OS downloads folder, however they may download to other locations as well.

Spell Check Service

Lets administrators configure whether or not spell checking web service is enabled on Chrome. Administrators can enable or disable the spell checking web service, or let users choose in their local Chrome settings.

Google Translate

Lets administrators configure whether Chrome uses Google Translate, which offers content translation for web pages in languages not specified in the Language settings on a user's Chrome device. Administrators can configure Chrome to always offer translation, never offer translation, or let users choose in their local Chrome settings.

Alternate Error Pages

Controls whether Google Chrome shows suggestions for the page you were trying to reach when it is unable to connect to a web address. The user sees suggestions to navigate to other parts of the website or to search for the page with Google.

Corresponds to the user option Use a web service to help resolve navigation errors, in their Chrome Settings. You can allow the user to configure the option, or you can specify that it is always on or always off.

Developer Tools

Controls whether the Developer tools option appears on the Tools menu. The Developer tools allow web developers and programmers deep access into the internals of the browser and their web applications. See the Developer Tools Overview for more information about the tools.

The default for G Suite Enterprise customers is to Allow use of built-in developer tools except for force-installed extensions. This means all keyboard shortcuts, menu entries, and context menu entries that open the Developer tools or JavaScript Console are enabled in general, but are disabled within extensions that are force-installed using enterprise policy.

The default for unmanaged users is to Always allow use of built-in developer tools. To disable developer tools in all contexts, select Never allow use of built-in developer tools.

If you have enabled Android apps on supported Chrome devices in your organization, this policy will also control access to Android Developer Options. If you set this policy to Never allow use of built-in developer tools, users can’t access Developer Options. If you set this policy to any other value, or leave it unset, users can access Developer Options by tapping seven times on the build number in the Android settings app.

Form Auto-fill

Specifies whether the user can use the autofill feature to simplify the completion of online forms. The first time a user fills out a form, Google Chrome automatically saves the entered information, like the name, address, phone number, or email address, as an Autofill entry.

Corresponds to the user option Enable Autofill on the Personal Stuff page. You can allow the user to configure the option, or you can specify that it is always enabled or disabled.

DNS Pre-fetching

When DNS (Domain Name System) pre-fetching is enabled, Google Chrome looks up the IP addresses of all links on a displayed web page, so links the user clicks will load faster.

Corresponds to the user option Predict network actions to improve page performance, in their Chrome Settings. You can allow the user to configure the option, or you can specify that it is always enabled or disabled.

Network prediction

Decide with this setting whether Chrome predicts network actions. You might want Chrome to use a prediction service so it loads pages faster or helps complete searches and URLs that users type in the address bar.

As an administrator, you can disable or require network prediction. Or, if you select Allow user to configure, this turns the setting on for Chrome. Users can then change their own prediction service settings.

Multiple Sign-In Access

Please read Manage Multiple Sign-in Access before enabling this feature.

In the case of Android apps running on Chrome, even if you set this policy to Unrestricted user access, only the primary user can use Android apps. If the policy has been set to Managed user must be the primary user (secondary users are allowed), then if the device supports Android apps and you have enabled them in your organization, Android apps can be used in the primary user.

Sign-in Within the Browser

After signing in to their device, allows users to switch between accounts in their browser window.

  1. Choose an option:
    • To allow users to sign in to any Google Account within the browser, select Allow users to sign in to any Google account within the browser. Learn more about types of Google Accounts.
    • To block users from signing in or out of Google Accounts within the browser, select Block users from signing in or out of Google accounts within the browser.
    • To allow users to access Google services using an account only from a list of specified G Suite domains, select Allow users to sign-in only to the G Suite domains set below.
  2. If you allow users to sign in only to specific G Suite domains:
    1. Make sure you list all of your organization’s domains. If you don’t, your users might not have access to Google services. To see a list of your domains, click organization’s domains under the domain list box.
    2. To include consumer Google Accounts, such as @gmail.com and @googlemail.com, enter consumer_accounts in the list. You can also allow access to certain accounts by blocking access to others. Learn more about blocking consumer accounts.
  3. If you allow users to sign in only to specific G Suite domains or block users from signing in or out in the browser, you should also:
    1. Set a sign-in restriction so that only users in your organization can sign in to devices running Chrome OS. For details, see Sign-in Restriction.
    2. Turn off guest browsing on devices. For details, see Guest mode.
    3. Prevent users from browsing in Incognito mode. See Incognito Mode.

Unified Desktop

Note: This policy is also available for public sessions and kiosk apps.

To let users span a window across multiple monitors or TVs, you can select Make Unified Desktop mode available to user. By default, this feature is turned off. Users can disable unified desktop and still use 2 external displays, but individual windows will be in one display or the other, even if the desktop is extended across both.

  • Up to 2 external displays are supported.
  • Unified desktop is intended to work across monitors of the same resolution.
  • When enabled, unified desktop is the default mode when a user connects a monitor to their device.

Omnibox Search Provider

Search Suggest

When the user types in the address bar, Google Chrome can use a prediction service to help complete the web addresses or search terms. For example, typing new york in the address bar could bring up http://www.nytimes.com as a predicted site or [ new york city ] as a predicted search. You can allow the user to configure the option, or you can specify that it is always enabled or disabled.

Corresponds to the user option Use a prediction service to help complete searches and URLs typed in the address bar, in their Chrome Settings.

Omnibox search provider

This setting specifies the name of the default search provider. If you select Lock the Omnibox Search Provider settings to the values below, a series of text boxes will appear below that you can customize.

Omnibox search provider name

Enter a name you want to use for the Omnibox. If you don't provide one, Chrome uses the host name from the Omnibox search provider search URL.

Omnibox search provider keyword

Specifies the keyword used as the shortcut to trigger the search.

Omnibox search provider search URL

Specifies the URL of the search engine.

The URL must contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for; for example, "http://search.my.company/search?q={searchTerms}"

To use Google as your search engine, enter:

{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}

Omnibox search provider suggest URL

Specifies the URL of the search engine used to provide search suggestions.

The URL should contain the string '{searchTerms}', which will be replaced at query time by the text the user has entered so far.

To use Google as the search engine that provides search suggestions, enter:

{google:baseURL}complete/search?output=chrome&q={searchTerms}

Omnibox search provider instant URL

Specifies the URL of the search engine used to provide instant results.

The URL should contain the string '{searchTerms}', which will be replaced at query time by the text the user has entered so far.

Omnibox search provider icon URL

Specifies the icon URL of the search provider. Note: You need to access your search provider site at least once so that the icon file will be retrieved and cached before you enable Lock the Omnibox Search Provider settings to the values below.

Omnibox search provider encodings

Specifies the character encodings supported by the search provider.

Encodings are code page names like UTF-8, GB2312, and ISO-8859-1. They are tried in the order provided. The default is UTF-8.

Hardware

External Storage Devices

Controls whether users in your organization can use Chrome devices to mount external drives, including USB flash drives, external hard drives, optical storage, Secure Digital (SD) cards, and other memory cards. If you set this policy to disallow external storage and a user attempts to mount an external drive, Chrome notifies the user that the policy is in effect.

When the device administrator configures the policy to “Allow external storage devices (read-only)”, users can read files from external devices but cannot write to them. Formatting of devices is also disallowed.

This policy does not affect Google Drive or internal storage, such as files saved in the Download folder.

Audio Input

Controls whether users in your organization can let websites access audio input from the built-in microphone on a Chrome device.

This policy does not affect input from external audio input devices, such as microphones that users connect to the USB port. When a user connects an external audio input device, the audio on the Chrome device unmutes immediately.

Changing the capture channel in the Google Talk settings unmutes the audio input of the built-in microphone regardless of this policy.

If you have enabled Android apps on supported Chrome devices in your organization, and have this policy disabled, the microphone input is disabled for all Android apps without exceptions.

Audio Output

Controls whether users in your organization can play sound on their Chrome devices. The policy applies to all audio outputs on Chrome devices, including built-in speakers, headphone jacks, and external devices attached to HDMI and USB ports.

If you configure the policy to disable audio, Chrome still shows its audio controls but users can't change them. Also, a mute icon appears.

This policy has no effect on the Google Drive Android app on Chrome OS.

Video Input

Specifies whether websites can access the built-in Chrome device web cam.

Disabling video input does not disable the web cam for Google voice and video chat. To disable the web cam for Google voice and video chat, use the Allowed Apps and Extensions setting in User settings to block the following extension: hfhhnacclhffhdffklopdkcgdhifgngh

If you have enabled Android apps on supported Chrome devices in your organization, this policy affects the built-in camera and can be disabled so that no Android app can access the built-in camera.

Keyboard

Determines the behavior of the top row of keys on the keyboard. If this policy is unset or set to media keys, the keyboard's top row of keys will act as media keys. If the policy is set for function keys, then the keys will act as function keys (e.g. F1, F2). In both scenarios, users will be able to change the behavior. Also, users can turn a media key to a function key (and vice versa) by holding down the search key.

Verified Access

Verified Access

Enable for Enterprise extensions–Controls whether Verified Access is enabled for the user. If enabled, Chrome extensions in the user sessions can interact with the Trusted Platform Module.

Disable for Enterprise extensions–Verified Access won't work for these users, not even when the device policy applies. This is because it's not possible to run a Chrome extension outside of the user session (Verified Access in public sessions is explicitly disabled by design). If the user policy is enabled but the device policy is not, Verified Access will work, but only for the user verification.

For more details and instructions, admins should see Enable Verified Access with Chrome devices. Developers should see the Google Verified Access API Developer Guide.

User Verification

Verified Mode

Require verified mode boot for Verified Access–User sessions on the devices in dev mode will always fail the Verified Access check.

Skip boot mode check for Verified Access–Allows user sessions on the devices in dev mode to work.

Service accounts which are allowed to receive user data–List email addresses of the service accounts that gain full access to the Google Verified Access API. These are the service accounts created in Google Developer Console.

Service accounts which can verify users but do not receive user data–List email addresses of the service accounts that gain limited access to the Google Verified Access API. These are the service accounts created in Google Developer Console.

For instructions on using these settings with Verified Access, admins should see Enable Verified Access with Chrome devices. Developers should see the Google Verified Access API Developer Guide.

Chrome Management—Partner Access

Chrome Management—Partner Access

The Chrome Management—Partner Access user setting gives EMM partners programmatic access to manage user policies for Chrome and Chrome devices. Partners can use this access feature to integrate Google Admin console functionality into their EMM console.

When partner access is turned on, your EMM partner can manage individual user policies that determine your users' experience on Chrome and Chrome devices. This means that EMM partners no longer have to manage user policies by Admin console organization structure. Instead, they can use the structure configured in their EMM console. You can’t simultaneously set the same policy for the same user using partner access and the Admin Console. User level policies configured using partner access controls take precedence over organization level policies set in Admin console. To enforce policies on users at organization level, you need to uncheck the Enable Chrome Management—Partner access box.

You can also use your EMM console to set device policies. If you subscribe only to the Chrome Kiosk service, you can only set device policies.

Note: Currently, this setting is not available for G Suite for Education domains.
