Set Chrome policies for users

This article is for Chrome for Business and Education administrators only.

In the Google Admin console, you can configure policies for your organization's Chrome devices according to who signs in. These cloud-managed settings also apply to users who sign in to a Chrome browser with their Google Apps account from non-corporate-managed computers (such as personal and public computers). To set device-level policies on your corporate-managed Windows, Mac, and Linux computers, see Set Chrome policies for devices.

If a setting applies only to a Chrome device or a specific operating system, there will be a lightbulb next to the setting in the Admin console indicating its restriction, such as "Supported only on: Chrome devices."

Enable Chrome Management

Chrome Management needs to be turned on in the Admin console under Other Google Services for these cloud policies to work with the org unit you specify for Chrome on Windows, Mac, or Linux computers. If you turn off this setting, cloud policies will not work on a user's Windows, Mac, or Linux computer. However, if you also purchased Chrome device management licenses, turning off Chrome Management will not turn off cloud policies when your users sign in to a managed Chrome device. Learn more about turning settings on/off in the Admin console.

To manage user settings:

  1. Sign in to the Admin console.
  2. Click Device management > Chrome > User Settings.
  3. Select the organizational unit to which you want the settings to apply.
  4. Configure the settings on the page.
  5. Click Save changes at the bottom of the screen. Settings typically take effect within minutes but might take up to an hour to propagate through your organization.

General

Policy Refresh Rate

Specifies how often the Chrome device checks for updates to the organization policy settings. The default value is 120 minutes (2 hours). The minimum value is 30 minutes; the maximum value is 1440 minutes (one day).

The setting controls how often a running Chrome device checks for changes to the settings. Each time a Chrome device starts up, it checks for policy updates regardless of the value here.

Apps and Extensions

Allowed Types of Apps and Extensions

By default, users can download any type of Chrome web app or extension they want. This setting allows you to block users from installing certain types of apps by unchecking the type of allowed app.

App and Extension Install Sources

Allows you to specify which URLs are allowed to install extensions, apps, and themes. For example, if a URL where you have a .crx file matches the list, a Chrome installation prompt will appear if the user clicks on the URL. Put one URL pattern on each line. For examples, see the Chrome developer site.

Pre-installed Apps and Extensions

This setting allows you to choose which apps or extensions to automatically install on users' version of Chrome. Click Manage pre-installed apps to launch the Pre-installed Apps and Extensions dialog box. Learn more about how to manage apps and extensions with Chrome.

Allowed Apps and Extensions

You can allow or block apps by clicking Manage to launch the Blocked apps and extensions dialog box. Learn more about how to manage apps and extensions with Chrome.

Pinned Apps and Extensions

This setting specifies the apps and extensions that are pinned to the app launcher your users see when signed in to their Chrome device.

Chrome Web Store Homepage

You can change the Chrome Web Store Homepage to a custom homepage for your users when they're signed in. You can also recommend apps and extensions for your domain in a custom collection named after your domain in the Chrome Web Store.

Chrome Web Store Permissions

Checking Allow users to publish private apps that are restricted to your domain on Chrome Web Store lets users publish private apps that are restricted to your domain on the Chrome Web Store. Learn more about how to create a private Chrome app collection and how to publish a private Chrome app.

Checking Allow users to skip verification for websites not owned lets users publish apps restricted to your domain without requiring them to verify that they own the domain they're linking to. This feature is useful for creating private bookmark apps for your organization. Note that this only applies to private apps restricted to your domain.

Security

Password Manager

Corresponds to the paired radio button options Offer to save passwords and Never save passwords, on the Personal Stuff page of the Chrome Settings.

When you enable Password Manager, users can have Google Chrome memorize passwords and provide them automatically the next time they log in to a site. If you disable Password Manager, users are not able to save passwords or use previously saved passwords. You can allow the user to configure the option, or you can specify that it is always enabled or disabled.

"Show Password" Button

Corresponds to the Manage saved passwords button just below the radio buttons Offer to save passwords and Never save passwords on the Personal Stuff page.

If you allow this feature, users can view their passwords in clear text in the Password Manager. If you do not allow it, the Password Manager won't show stored passwords in clear text.

Screen Lock

Specifies whether the Chrome device requires the user to enter his or her password to "wake up" the device after it goes idle.

By default, the user can configure this option using the Require password to wake from sleep check box on the Personal Stuff page in the Chrome Settings.

You also have the option to Always automatically lock screen on idle or Never automatically lock screen on idle. In either case, the user can't change the setting.

Incognito Mode

Specifies whether Chrome lets users browse in incognito mode.

Setting this policy to Disallow Incognito Mode prevents users from opening new incognito windows, but it does not close incognito windows that are already open, nor does it prevent users from opening new tabs in those windows.

Browser History

Controls whether the browser saves the user's browsing history.

Force Ephemeral Mode

Specifies whether users browse in ephemeral mode or not.

Ephemeral mode enables your employees to work from their personal laptop or a shared device that they trust, while reducing the chances of any browsing information being left behind on their device.

Note: If you use this setting, we recommend that you do not disable Google Chrome Sync in the Admin console.

Online Revocation Checks

Advanced feature: If you select Perform online OCSP/CRL checks, Chrome devices will perform online revocation checks of HTTPS certificates.

Safe Browsing

Specifies whether or not Safe Browsing is turned on for users.

Safe Browsing in Chrome helps protect users from websites that may contain malware or phishing content. The default setting is Allow user to decide to use Safe Browsing. Alternatively, you can choose to Always enable Safe Browsing or Always disable Safe Browsing.

Malicious Sites

Configure whether or not you want your users to be able to navigate to a potentially malicious site from a warning page.

Geolocation

Sets whether websites are allowed to track the user's physical location.

Corresponds to the user options in the user's Chrome Settings under Privacy > Content settings > Location. Tracking the physical location can be allowed by default, denied by default, or the user can be asked each time a website requests the physical location.

Network

Proxy mode

Specifies how Google Chrome connects to the Internet.

If you leave the setting at its default Allow user to configure, the user can change the proxy configuration in their Chrome Settings. If you choose any of the other Proxy Mode options, the user can't change the configuration.

Never use a proxy means that the Chrome device always establishes a direct connection to the Internet without passing through a proxy server. A direct connection is also the default configuration for Chrome devices, if you do not set a policy and the user doesn't change the configuration.

Always auto detect the proxy instructs the Chrome device to use the JavaScript function in a proxy auto configuration (PAC) file to determine which proxy server to use for each user request. If you select this option, you need to enter the URL for the PAC file in the Proxy Server Auto Configuration File URL text box below.

Always use the proxy specified below sets a specific proxy server for handling requests from this user. If you select this option, you need to enter the URL of the proxy server in the Proxy Server URL text box below. Format the Proxy Server URL as 'IP address:port', such as '192.168.1.1:3128'. Leave it empty for any other Proxy Mode setting.

If there are any URLs that should bypass the proxy server that handles other user requests, enter them in the Proxy Bypass List text box. If you include multiple URLs, separate them by putting one URL per line.

Always use the proxy auto-config specified below. For the Proxy Server Auto Configuration File URL, insert the URL of the .pac file that should be used for network connections.

SSL Record Splitting

Advanced feature: Enabling this setting will allow SSL record splitting in Chrome. Record splitting is a workaround for a weakness in SSL 3.0 and TLS 1.0 but can cause compatibility issues with some HTTPS servers and proxies. This is supported only on Chrome devices.

Startup

Home Button

Specifies whether a home button appears in the toolbar. Corresponds to the user setting Show Home button, on the Basics page.

Homepage

Specifies the home page that displays when the user first starts Google Chrome or opens a new tab.

The default is to Allow user to configure their new home page in the Chrome Settings. If you don't want to allow the user to change the home page, you can specify that the Home page is always the new tab page or that the Home page is always the Home Page Url, set below. If you choose the latter, you must enter the URL for the home page in the Home Page URL text box.

If you select Home Page is always the Home Page Url, set below, enter the URL for the home page in the text box. With this option, users can't change their home page in Google Chrome.

Pages to Load on Startup

Enables you to specify URLs for pages that should load when the user starts the Chrome device. The specified home page appears on the active tab; any pages you list here appear on additional tabs.

Content

Safe Search

Controls whether users in your organization can disable Google SafeSearch. This policy is only available for Chrome version 25 or later.

Screenshot

Controls whether users in your organization can take screenshots on Chrome devices. The policy applies to screenshots taken by any means, including the keyboard shortcut, and apps and extensions that use the Chrome API to capture screenshots.

Automatically Select Client Certificate for These Sites

This setting allows you to specify a list of URL patterns (as a JSON string) for which sites Chrome should automatically select client certificates. If this is configured, Chrome will skip the client certificate selection prompt for matching sites if a valid client certificate is installed. If this policy isn’t set, auto-selection won’t be done for websites that request certificates.

The ISSUER/CN parameter specifies the common name of the certification authority that client certificates to be auto-selected must have as their issuer.

How to format the JSON string:

{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}

Example JSON string:

{"pattern": "https://[*.]ext.example.com", "filter": {}},
{"pattern": "https://[*.]corp.example.com", "filter": {}},
{"pattern": "https://[*.]intranet.usercontent.com", "filter": {}}
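
A check for entries in this format, as an added Python example (not part of the Admin console or Chrome). It parses each entry as its own JSON object and reports missing keys and filters that carry no ISSUER/CN constraint. The names lint_auto_select_entry and lint_policy, and the https-only check, are assumptions of this example.

```python
import json


def lint_auto_select_entry(entry):
    """Return a list of findings for one policy entry (a JSON string)."""
    try:
        rule = json.loads(entry)
    except json.JSONDecodeError as exc:
        # A trailing comma after the object lands here ("Extra data").
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(rule, dict):
        return ["entry must be a JSON object"]

    findings = []
    pattern = rule.get("pattern")
    if not isinstance(pattern, str) or not pattern:
        findings.append("missing 'pattern' string")
    elif not pattern.startswith("https://"):
        # Assumption of this example: client certificates are only
        # presented over TLS, so other schemes are reported.
        findings.append("pattern is not an https:// URL pattern")

    filt = rule.get("filter")
    if not isinstance(filt, dict):
        findings.append("missing 'filter' object")
    elif not filt:
        findings.append("empty filter: no issuer constraint, any installed "
                        "client certificate can be auto-selected")
    else:
        issuer = filt.get("ISSUER")
        cn = issuer.get("CN") if isinstance(issuer, dict) else None
        if not isinstance(cn, str) or not cn.strip():
            findings.append("filter has no ISSUER/CN string")
    return findings


def lint_policy(entries):
    """Map entry index -> findings, for entries that have any."""
    report = {}
    for index, entry in enumerate(entries):
        findings = lint_auto_select_entry(entry)
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    # Constructed sample entries in the format shown above.
    sample = [
        '{"pattern":"https://www.example.com",'
        '"filter":{"ISSUER":{"CN":"certificate issuer name"}}}',
        '{"pattern": "https://[*.]ext.example.com", "filter": {}}',
    ]
    for index, findings in lint_policy(sample).items():
        print(index, findings)
```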

3D Content

Controls whether the browser allows web pages to use the WebGL API and plugins. WebGL (Web-based Graphics Library) is a software library that enables JavaScript to generate interactive 3D graphics.

Cookies

Default Cookie Setting sets whether websites are allowed to store browsing information, such as your site preferences or profile information.

This setting corresponds to the user options in the Cookies section of Chrome Settings. You can allow the user to configure the option, or you can specify that cookies are always allowed, never allowed, or kept only for the duration of a user's session.

Allow Cookies for URL Patterns

Allows you to specify a list of URL patterns of sites that are allowed to set cookies. For example, you can put URLs in either of the following formats on separate lines: "http://www.example.com" and "[*.]example.edu". If this policy is not set, what you specify under Default Cookie Setting will be the global default, or a user can set their own configuration.

Block Cookies for URL Patterns

Allows you to specify a list of URL patterns of sites that are not allowed to set cookies. For example, you can put URLs in either of the following formats on separate lines: "http://www.example.com" and "[*.]example.edu". If this policy is not set, what you specify under Default Cookie Setting will be the global default, or a user can set their own configuration.

Allow Session-Only Cookies for URL Patterns

Allows you to specify a list of URL patterns of sites that are allowed to set session-only cookies. For example, you can put URLs in either of the following formats on separate lines: "http://www.example.com" and "[*.]example.edu". The cookies are deleted after these sessions end. If this policy is not set, what you specify under Default Cookie Setting will be the global default, or a user can set their own configuration.

Third-Party Cookie Blocking

"Allow users to decide whether to allow third-party cookies" is the default. If you select "Allow third-party cookies," third-party cookies will be allowed on Chrome. If you disable this setting, they will be blocked.

Images

Sets whether websites are allowed to display images. For Show Images on These Sites and Block Images on These Sites, put one URL pattern on each line.

JavaScript

Sets whether websites are allowed to run JavaScript. JavaScript is commonly used by web developers to make their sites more interactive. If you disable JavaScript, some sites won't work properly.

Notifications

Sets whether websites are allowed to display desktop notifications. Desktop notifications can be allowed by default, denied by default, or the user can be asked each time a website wants to show desktop notifications.

Plug-ins

Sets whether websites are allowed to run plugins. Plug-ins are used by websites to enable certain types of web content (such as Flash or Windows Media files) that Chrome can't inherently process.

Enabled and Disabled Plug-ins

Enabled Plug-ins specifies a list of plugins that are always enabled in Chrome, such as Java and Shockwave Flash, and prevents users from changing this setting. Plugin names are case-sensitive; put one plugin per line.

List the plugins as a list of quoted names separated by commas. The names can include wildcards. The symbol '*' matches an arbitrary number of characters while '?' specifies an optional single character. The escape character is '\', so to match actual '*', '?', or '\' characters, put a '\' in front of them.

For example, enter "Chrome PDF Viewer","*Gears*" on separate lines to enable the Chrome PDF Viewer plug-in and anything with "Gears" in its name. Note: This setting is ignored if you Block all plug-ins in the Plug-ins setting.

Disabled Plug-ins specifies a list of plugins to block from running.

Exceptions to Disabled Plug-ins specifies a list of plugins that users can enable or disable in Chrome, even if they also match one or more entries in the Disabled Plug-ins list.

Plugin Finder

Enabling this setting allows Chrome to automatically search for and install missing plugins on your users’ Chrome devices.

Plugin Authorization

The default setting is that users will be asked for permission to run plugins that could compromise security. If you change it to "Always run plugins that require authorization," plugins that are not outdated or disabled can run in Chrome without first asking the user for permission.

Outdated Plugins

"Ask user for permission to run outdated plugins" is the default setting. Selecting "Disallow outdated plugins" will block them from running in Chrome. "Allow outdated plugins to be used as normal plugins" means that the outdated plugins will be allowed to run as normal plugins.

Pop-ups

Sets whether websites are allowed to show pop-ups. Whenever the browser blocks pop-ups for a site, the blocked pop-up alert icon appears in the address bar. The user can click the icon to see the pop-ups that have been blocked.

URL Blacklist

Prevents Chrome devices from accessing specific URLs.

To configure the policy, enter up to 100 URLs on separate lines. Each URL must have a valid hostname (such as google.com), an IP address, or an asterisk (*) in place of the host. The asterisk functions like a wildcard, representing all hostnames and IP addresses.

URLs can also include:

  • The URL scheme, which is http, https, or ftp, followed by ://.
  • A valid port value from 1 to 65535.
  • The path to the resource.

Note the following:

  • To optionally disable subdomain matching, put an extra period before the host.
  • You cannot use user:pass fields, such as http://user:pass@ftp.example.com/pub/bigfile.iso. Instead, enter http://ftp.example.com/pub/bigfile.iso.
  • The policy ignores URL parameters.
  • When both blacklist and blacklist exception filters apply (with the same path length), the exception filter takes precedence.
  • If an extra period precedes the host, the policy filters exact host matches only.
  • The policy searches wildcards (*) last.

URL blacklist examples

URL blacklist entry        Result
example.com                Blocks all requests to example.com, www.example.com, and sub.www.example.com
http://example.com         Blocks all HTTP requests to example.com and any of its subdomains, but allows HTTPS and FTP requests.
https://*                  Blocks all HTTPS requests to any domain.
mail.example.com           Blocks requests to mail.example.com but not to www.example.com or example.com
.example.com               Blocks example.com but not its subdomains, like example.com/docs.
.www.example.com           Blocks www.example.com but not its subdomains.
*                          Blocks all requests except for those to blacklist exception URLs. This includes any URL scheme, such as http://google.com, https://gmail.com, and chrome://policy.
*:8080                     Blocks all requests to port 8080.
chrome://settings-frame    Blocks all requests to chrome://settings.
example.com/stuff          Blocks all requests to example.com/stuff and its subdomains.
192.168.1.2                Blocks requests to 192.168.1.2.

URL blacklist exception

Specifies exceptions to the URL blacklist.

To configure the policy, enter up to 100 URLs on separate lines. URLs must have a valid hostname (such as google.com) or IP address. They can include an asterisk (*) as a wildcard.

URLs can also include:

  • The URL scheme, which is http, https, or ftp, followed by ://.
  • A valid port value from 1 to 65535.
  • The path to the resource.

Note the following:

  • To optionally disable subdomain matching, put an extra period before the host.
  • You cannot use user:pass fields, such as http://user:pass@ftp.example.com/pub/bigfile.iso. Instead, enter http://ftp.example.com/pub/bigfile.iso.
  • The policy ignores URL parameters.
  • When both blacklist and blacklist exception filters apply (with the same path length), the exception filter takes precedence.
  • If an extra period precedes the host, the policy filters exact host matches only.

URL blacklist exception examples

URL blacklist entry   URL blacklist exception entry   Result
*                     mail.example.com                The asterisk (*) in the blacklist field blocks all results. The URLs entered in the exception field indicate the specific sites to allow. "chrome://*" grants exception to all Chrome system pages.
                      wikipedia.org
                      google.com
                      chrome://*
example.com           https://mail.example.com        Blocks all access to the domain example.com, except to the mail server using HTTPS and to the main page.
                      .example.com
                      .www.example.com

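The matching rules from the URL blacklist and URL blacklist exception sections, as an added Python example that is not Chrome's own code. It models only the rules stated on this page: subdomain matching, the extra period, scheme, port, path, ignored URL parameters, wildcards last, and exception precedence on equal path length. The names parse_filter, matches and is_blocked are hypothetical, treating the path as a prefix match is an assumption, and the 100-entry limit is not enforced.

```python
from urllib.parse import urlsplit

# Default ports for the schemes the page lists, used when a URL names no port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def parse_filter(entry):
    """Split '[scheme://][.]host[:port][/path]' into its parts."""
    entry = entry.strip()
    scheme, sep, rest = entry.partition("://")
    if not sep:
        scheme, rest = None, entry
    hostport, slash, path = rest.partition("/")
    if "@" in hostport:
        raise ValueError("user:pass fields are not allowed: " + entry)
    host, colon, port = hostport.rpartition(":")
    if not (colon and port.isdigit()):
        host, port = hostport, None
    if port is not None and not 1 <= int(port) <= 65535:
        raise ValueError("port must be 1 to 65535: " + entry)
    exact = host.startswith(".")  # extra period: exact host matches only
    return {
        "scheme": scheme.lower() if scheme else None,
        "host": (host[1:] if exact else host).lower(),
        "exact": exact,
        "port": int(port) if port else None,
        "path": "/" + path if slash else "",
    }


def matches(flt, url):
    """True when one parsed filter applies to the URL."""
    u = urlsplit(url)  # the query string is never consulted
    host = (u.hostname or "").lower()
    if flt["scheme"] and flt["scheme"] != u.scheme:
        return False
    if flt["port"] is not None:
        if flt["port"] != (u.port or DEFAULT_PORTS.get(u.scheme)):
            return False
    if flt["host"] != "*" and host != flt["host"]:
        if flt["exact"] or not host.endswith("." + flt["host"]):
            return False
    return u.path.startswith(flt["path"])  # assumption: prefix match


def is_blocked(url, blacklist, exceptions):
    """Apply both lists and return True when the URL is blocked."""
    rules = [(parse_filter(e), False) for e in blacklist]
    rules += [(parse_filter(e), True) for e in exceptions]
    # Rank: non-wildcard hosts before '*', then the longer path, and on a
    # tie the exception (True sorts above False).
    hits = [(f["host"] != "*", len(f["path"]), allowed)
            for f, allowed in rules if matches(f, url)]
    return bool(hits) and not max(hits)[2]


if __name__ == "__main__":
    # The second exception example from the table above.
    block = ["example.com"]
    allow = ["https://mail.example.com", ".example.com", ".www.example.com"]
    for url in ("https://mail.example.com/inbox", "http://mail.example.com/",
                "http://www.example.com/", "http://docs.example.com/"):
        print(url, "blocked" if is_blocked(url, block, allow) else "allowed")
```
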
Google Drive Syncing

Lets administrators configure whether or not users can sync with Google Drive on their Chrome device. Administrators can enable or disable Drive syncing, or let users choose in their local Chrome settings.

Google Drive Syncing over Cellular

Lets administrators configure whether or not users can sync with Google Drive over a cellular connection (like a 3G connection) on their Chrome device. Administrators can enable or disable Drive syncing over cellular connections.

Printing

Printing

You can enable or disable printing. When printing is disabled, a user won’t be able to print from the Chrome menu, extensions, JavaScript applications, etc.

Print Preview

Selecting Allow using print preview allows your users to see a print preview with Google Cloud Print. Selecting Always use the system print dialog instead of print preview will use the computer’s print dialog window and not Cloud Print when printing.

Google Cloud Print Submission

This setting allows or blocks users from signing in to the Cloud Print service to print. On Windows, Mac, and Linux, if you turn this setting off, users will still be able to print using their system print dialog. Users won’t be able to print from Chrome OS if this setting is disabled.

Google Cloud Print Proxy

Enabling this setting allows your user’s Chrome browser on their Windows, Mac, or Linux computer to act as a proxy between Google Cloud Print and the printers connected to their device. Your users can set up Google Cloud Print by going to https://www.google.com/cloudprint and signing in with their Google account.

Selecting disallow will block Chrome from sharing your device’s printers with Google Cloud Print.

User Experience

Bookmark Bar

"Allow user to decide whether to enable bookmark" is the default setting. You can enable or disable this setting to determine whether or not Chrome will show a bookmark bar.

Bookmark Editing

Bookmark editing allows users to add, edit or remove items from their Chrome bookmarks bar. Administrators can enable or disable this setting.

Spell Check Service

Lets administrators configure whether or not the spell checking web service is enabled on Chrome. Administrators can enable or disable the spell checking web service, or let users choose in their local Chrome settings.

Google Translate

Lets administrators configure whether Chrome uses Google Translate, which offers content translation for web pages in languages not specified in the Language settings on a user's Chrome device. Administrators can configure Chrome to always offer translation, never offer translation, or let users choose in their local Chrome settings.

Alternate Error Pages

Controls whether Google Chrome shows suggestions for the page you were trying to reach when it is unable to connect to a web address. The user sees suggestions to navigate to other parts of the website or to search for the page with Google.

Corresponds to the user option Use a web service to help resolve navigation errors, in their Chrome Settings. You can allow the user to configure the option, or you can specify that it is always on or always off.

Developer Tools

Controls whether the Developer tools option appears on the Tools menu. The Developer tools allow web developers and programmers deep access into the internals of the browser and their web applications. See the Developer Tools Overview for more information about the tools.

The default is to Always allow use of built-in developer tools. If you disable the Developer tools, all keyboard shortcuts, menu entries, and context menu entries that open the Developer tools or JavaScript Console are disabled.

Form Auto-fill

Specifies whether the user can use the autofill feature to simplify the completion of online forms. The first time a user fills out a form, Google Chrome automatically saves the entered information, like the name, address, phone number, or email address, as an Autofill entry.

Corresponds to the user option Enable Autofill on the Personal Stuff page. You can allow the user to configure the option, or you can specify that it is always enabled or disabled.

DNS Pre-fetching

When DNS (Domain Name System) pre-fetching is enabled, Google Chrome looks up the IP addresses of all links on a displayed web page, so links the user clicks will load faster.

Corresponds to the user option Predict network actions to improve page performance, in their Chrome Settings. You can allow the user to configure the option, or you can specify that it is always enabled or disabled.

Omnibox Search Provider

Search Suggest

When the user types in the address bar, Google Chrome can use a prediction service to help complete the web addresses or search terms. For example, typing new york in the address bar could bring up http://www.nytimes.com as a predicted site or [ new york city ] as a predicted search. You can allow the user to configure the option, or you can specify that it is always enabled or disabled.

Corresponds to the user option Use a prediction service to help complete searches and URLs typed in the address bar, in their Chrome Settings.

Omnibox search provider

This setting specifies the name of the default search provider. If you select Lock the Omnibox Search Provider settings to the values below, a series of text boxes will appear below that you can customize.

Omnibox search provider name

Enter a name you want to use for the Omnibox. If you don't provide one, Chrome uses the host name from the Omnibox search provider search URL.

Omnibox search provider keyword

Specifies the keyword used as the shortcut to trigger the search.

Omnibox search provider search URL

Specifies the URL of the search engine.

The URL must contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for; for example, "http://search.my.company/search?q={searchTerms}"

Omnibox search provider suggest URL

Specifies the URL of the search engine used to provide search suggestions.

The URL should contain the string '{searchTerms}', which will be replaced at query time by the text the user has entered so far.

Omnibox search provider instant URL

Specifies the URL of the search engine used to provide instant results.

The URL should contain the string '{searchTerms}', which will be replaced at query time by the text the user has entered so far.

Omnibox search provider icon URL

Specifies the icon URL of the search provider.

Omnibox search provider encodings

Specifies the character encodings supported by the search provider.

Encodings are code page names like UTF-8, GB2312, and ISO-8859-1. They are tried in the order provided. The default is UTF-8.

Hardware

External Storage Devices

Controls whether users in your organization can use Chrome devices to mount external drives, including USB flash drives, external hard drives, optical storage, Secure Digital (SD) cards, and other memory cards. If you set this policy to disallow external storage and a user attempts to mount an external drive, Chrome notifies the user that the policy is in effect.

This policy does not affect Google Drive or internal storage, such as files saved in the Download folder.

Audio Input

Controls whether users in your organization can let websites access audio input from the built-in microphone on a Chrome device.

This policy does not affect input from external audio input devices, such as microphones that users connect to the USB port. When a user connects an external audio input device, the audio on the Chrome device unmutes immediately.

Changing the capture channel in the Google Talk settings unmutes the audio input of the built-in microphone regardless of this policy.

Audio Output

Controls whether users in your organization can play sound on their Chrome devices. The policy applies to all audio outputs on Chrome devices, including built-in speakers, headphone jacks, and external devices attached to HDMI and USB ports.

If you configure the policy to disable audio, Chrome still shows its audio controls but users can't change them. Also, a mute icon appears.

Video Input

Specifies whether websites can access the built-in Chrome device web cam.

Disabling video input does not disable the web cam for Google voice and video chat. To disable the web cam for Google voice and video chat, use the Allowed Apps and Extensions setting in User Settings to block the following extension: hfhhnacclhffhdffklopdkcgdhifgngh