For administrators who manage Chrome policies from the Google Admin console.
You can enforce Chrome policies from your Admin console that apply to:
- User accounts to sync policies and preferences across a user's devices. Settings apply whenever the user signs in to Chrome browser with their managed account on any device.
- Enrolled browsers to enforce policies when users open Chrome browser on managed Microsoft Windows, Apple Mac, or Linux computers. Signing in is not required.
Step 1: Understand when settings apply
Exactly when your Chrome policies are enforced depends on whether you set them for user accounts or enrolled browsers.
Policies set for users
Apply when users sign in with a managed Google Account on any device:
- Chrome browser on any Windows, Mac, Linux, Android, or iOS device
Note: In this instance, you can only apply policies to user accounts that are part of a domain-verified account. If you are using an email-verified account, you have to verify your domain to unlock this feature.
- Chromebook or other ChromeOS devices
- Android apps that run on supported ChromeOS devices
Don't apply when users:
- Sign in to a Google Account outside of your organization, such as a personal Gmail account
- Sign in to a Chromebook as a guest
Best for work settings and preferences that should sync across devices (work apps, home tabs, themes, and so on).
Get started: Set up Chrome browser user-level management
Policies set for enrolled browsers
- Apply when users open Chrome browser on a computer where the browser is enrolled (Windows, Mac, or Linux).
- Signing in is not required.
- Best for policies that you want to enforce at the device level (security settings, blocked apps, and so on).
Get started: Set up Chrome Enterprise Core
Step 2: Configure settings in your Admin console
Before you begin: If needed, learn how to apply the setting to a department or group.
- Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Devices > Chrome > Settings. The User & browser settings page opens by default.
If you signed up for Chrome Enterprise Core, go to Menu > Chrome browser > Settings.
- (Optional) To apply the setting only to some users and enrolled browsers, at the side, select an organizational unit (often used for departments) or configuration group (advanced).
Group settings override organizational units.
- Click the setting you want to configure. Learn about each setting.
Tip: Quickly find a setting by entering text in the search box at the top.
You see Inherited if a setting is inherited from a parent. Or, you see Locally applied if the setting is overridden for the child.
- Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).
Settings typically take effect in minutes, but can take up to 24 hours to apply for everyone.
Learn about each setting
Many settings allow you to enforce a policy that users cannot change or set a default that users can change. For example, you can specify a homepage that everyone must use or let people set their own homepage.
Most policies apply to both affiliated and unaffiliated users on ChromeOS. A user is affiliated if they are managed by the same domain that manages the ChromeOS device they are signed into. A user is unaffiliated if they are signed into their device as a managed user from a different domain, for example if user@domainA.com signs into a device managed by domainB.com or signs into an unmanaged device. The policies that apply only to either affiliated or unaffiliated users are clearly marked in the Admin console.
Tip: Many admins keep the default settings and configure only a few, such as startup pages, new tab pages, apps and extensions, and themes.
General
Maximum user session length
Controls how long user sessions last. The remaining session time is shown on a countdown timer in the user's system tray. After the specified time, users are automatically signed out and the session ends.
Enter a value between 1 and 1440 minutes (24 hours). For unlimited sessions, do not enter a value.
You can upload a custom Terms of Service agreement, .txt or .text file, that users must accept before they can sign in to start a session.
Replaces the default avatar with a custom avatar. You can upload images in JPG format (.jpg or .jpeg files) that are no larger than 512 KB. Other file types are not supported.
Replaces the default wallpaper with a custom wallpaper. You can upload images in JPG format (.jpg or .jpeg files) that are no larger than 16 MB. Other file types are not supported.
Specifies the Chrome browser theme color and users can’t change it. Enter the color into the text field in #RRGGBB hexadecimal format.
Left blank, users can change their browser theme color.
Turns on or off QR Code Generator in Chrome.
Sign-in settings
Browser sign-in settings
Specifies whether users can sign in to Chrome browser and sync browser information to their Google Account.
Choose one of these options:
- Disable browser sign-in—Users can’t sign in to Chrome browser or sync browser information to their Google Account.
- Enable browser sign-in—Users can sign in to Chrome browser and sync browser information to their Google Account. Chrome browser automatically signs in users when they sign in to a Google service, such as Gmail.
- Force users to sign-in to use the browser—Forces users to sign in to Chrome browser before they can use it. To prevent secondary users from signing in, use the Separate profile for managed Google Identity setting.
Specifies a regular expression that determines which Google Accounts can be set as browser primary accounts in Chrome browser. For example, the value .*@example\.com restricts sign in to accounts in the example.com domain.
If users try to set a browser primary account with a username that doesn't match your specified pattern, an error is displayed.
Left blank, users can set any Google Account as a browser primary account in Chrome browser.
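The pattern above is an ordinary regular expression, and the two mistakes that most often make it broader than intended are an unescaped dot (`.*@example.com` also admits `user@exampleXcom`) and a pattern with no `@` at all. The following Python script is an added example, not part of this help page or of Chrome's own code: it dry-runs a candidate pattern against a constructed list of accounts before the policy is saved. It assumes (not stated on the page) that the pattern must match the whole username, case-insensitively, and that an empty pattern means no restriction; `username_allowed`, `audit_pattern` and `lint_pattern` are names chosen for this example.

```python
import re
from typing import Dict, List


def username_allowed(username: str, pattern: str) -> bool:
    """Return True if `username` may be set as a browser primary account.

    Assumption (not stated on the page): the pattern must match the whole
    username, case-insensitively, and an empty pattern means no restriction.
    That is why the page's example starts with `.*`: it allows any local
    part before `@example.com`.
    """
    if not pattern:
        return True
    return re.fullmatch(pattern, username, flags=re.IGNORECASE) is not None


def audit_pattern(pattern: str, candidates: List[str]) -> Dict[str, bool]:
    """Dry-run a pattern against accounts you expect to admit or reject,
    so a mistake shows up before the policy is saved."""
    return {name: username_allowed(name, pattern) for name in candidates}


def lint_pattern(pattern: str) -> List[str]:
    """Flag the mistakes that most often make a pattern broader than
    intended. Returns a list of warnings, empty if none apply."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return [f"invalid regular expression: {exc}"]
    warnings = []
    # An unescaped '.' that is not the '.' of a '.*' wildcard matches any
    # character, so 'example.com' would also match 'exampleXcom'.
    if re.search(r"(?<!\\)\.(?!\*)", pattern):
        warnings.append("unescaped '.' matches any character; write '\\.' for a literal dot")
    if "@" not in pattern:
        warnings.append("pattern contains no '@', so it may admit accounts in other domains")
    return warnings


if __name__ == "__main__":
    # Constructed sample accounts; none of these are real.
    sample = ["alice@example.com", "bob@example.com.attacker.test", "carol@exampleXcom"]
    for pat in [r".*@example\.com", r".*@example.com"]:
        print(pat, lint_pattern(pat), audit_pattern(pat, sample))
```

Run it with the pattern you intend to deploy and a handful of accounts from your own domain and from look-alike domains; if `lint_pattern` returns anything, fix the pattern before saving the setting.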
By default, Enable signin interception is selected. The signin interception dialog is displayed when a Google Account is added on the web, and the user would benefit from moving this account to another new or existing profile.
Specifies whether users are required to create a separate profile when they sign in to their managed Google Account.
Choose from one of the following options:
- Force separate profile—The managed account is the primary account. The newly created profile might also have secondary accounts. When the profile is created, importing existing browsing data is allowed.
- Force separate profile and forbid secondary managed accounts—The managed account is the primary account. The profile has no secondary accounts. When the profile is created, importing existing browsing data is allowed.
- Do not force separate profile—This is the default. There is no restriction on managed accounts. Users can use their managed Google Account without having to create a separate profile.
- Let users choose to have a separate profile—The managed account is the primary account. The profile might also have secondary accounts. When the profile is being created, users see a checkbox where they can choose to keep local browsing data and associate it with the managed account. Local browsing data includes bookmarks, history, password, autofill data, open tabs, cookies, cache, web storage, extensions, and so on.
- Users check the box—The existing profile data is associated with the managed account. All existing browsing data is present in the new profile.
- Users don’t check the box—The existing profile continues to exist. No data is lost. A new profile is created.
- Let users choose to have a separate profile but forbid secondary managed accounts—Behaves the same as Let users choose to have a separate profile, except the newly created profile has no secondary accounts.
Not available for Education domains.
Specifies whether the user can add an account as a secondary account to a session. For more details, see Sign-in to secondary accounts.
Choose from one of the following options:
- All usages of managed accounts are allowed (default)—No restrictions, the user can add the account as secondary account on the sign-in screen and in-session.
- Block addition of a managed account as secondary account (in-session)—The user cannot add the account as secondary account in-session.
If you select Block addition of a managed account as secondary account (in-session), it only applies to ChromeOS. Users can still add accounts on other platforms and devices, including Chrome browser on different platforms. It also doesn’t apply to browsers other than Chrome. Both permanent single sign-on and sync to Android are also blocked for the user account.
Select Show the display password button on the login and lock screen to let users make their password visible on ChromeOS devices. Users can click the Show password icon at the end of the password field to reveal the currently typed password. If you select Do not show the display password button on the login and lock screen, users don't see the icon.
For Chrome version 111 and later.
Supported on Microsoft Windows 10 and later.
Specifies whether Chrome users can automatically sign in to web apps using Microsoft Entra ID.
If you select Enable Azure cloud authentication, users that sign in to their computer with an account backed by an Azure identity provider can automatically authenticate on web resources that are secured by Azure providers. In addition, you can enforce Azure Conditional Access policies.
Supported providers include:
- Microsoft Entra ID
- The consumer Microsoft account identity provider
- Work or school accounts added to Microsoft Windows
Optional—Set up Cloud Identity
Google offers two Cloud Identity editions: Cloud Identity Free edition and Cloud Identity Premium edition. Read Cloud Identity Overview.
With Cloud Identity, you can turn on Chrome Sync so your users can save and sync info. You can set dynamic policies that change based on users instead of devices. Users can have the same Chrome browser experience across devices, as long as they sign in to the browser. Read Understand Chrome policy management.
For details about how to let Azure automatically provision accounts in the Admin console and act as the single sign-on (SSO) provider, go to the Cloud Architecture Center.
Lets users choose a Google Photos image as wallpaper on their ChromeOS devices.
For details, see Change background wallpaper and screen saver.
You can choose to display the touchpad scroll direction screen for your users during sign-in.
The default is not to display the touchpad scroll direction screen.
Controls if the display size setting shows on the user's screen during their first sign-in.
The display setting helps users to change display size and make items on their screen smaller or larger. By default, the setting doesn’t display on their first sign-in. To turn this on, select Display the display size setting screen during sign-in.
Controls whether the introduction screen for in-session AI features is displayed during the sign-in flow.
By default, Use the default Chrome behavior is selected—The AI introduction screen is skipped for enterprise-managed users and displayed for unmanaged users.
Controls whether the introduction screen for Gemini is displayed during the sign-in flow.
By default, Use the default Chrome behavior is selected—The Gemini introduction screen is skipped for enterprise-managed users and displayed for unmanaged users.
Mobile
Chrome on Android
Specifies whether supported policies are applied to Chrome browser on Android devices. By default, Do not apply supported user settings to Chrome on Android is selected.
Before you select Apply supported user settings to Chrome on Android, you need to turn on Chrome browser management using the Chrome management for signed-in users setting. For details, see Turn on Chrome browser management (Android and iOS).
If you select Apply supported user settings to Chrome on Android, the policies that you set are applied to users who sign in to their managed account in Chrome browser on Android devices. When users sign out of their managed account, policies stop being applied and the local profile on the device is deleted.
Specifies whether supported policies are applied to Chrome browser on iOS devices. By default, Do not apply supported user settings to Chrome on iOS is selected.
Before you select Apply supported user settings to Chrome on iOS, you need to turn on Chrome browser management using the Chrome management for signed-in users setting. For details, see Turn on Chrome browser management (Android and iOS).
If you select Apply supported user settings to Chrome on iOS, the policies that you set are applied to users who sign in to their managed account in Chrome browser on iOS devices. When users sign out of their managed account, policies stop being applied and the local profile on the device is deleted.
Enrollment controls
Device enrollment
Only takes effect if the device is being enrolled into the domain for the first time or if the device was previously deprovisioned.
Selecting Keep Chrome device in current location means that when you enroll the Chrome OS device, it stays in the top-level organizational unit for your domain and pulls device settings from there.
Selecting Place Chrome device in user organization means that when you enroll the Chrome OS device, the device is placed in the organizational unit that the enrolling user is in. The settings you've applied for that user's organizational unit are applied to the device.
Place Chrome device in user organization is a useful setting if you need to manually enroll many devices. The device settings unique to the user's organizational unit are automatically added to the device, instead of requiring an additional step of manually moving each device into a specific organizational unit after enrollment.
Controls whether users can add an asset ID and location for a device when they enroll it.
- Do not allow for users in this organization—Users don't have the option to enter the asset ID and location.
- Users in this organization can provide asset ID and location during enrollment—Users can enter the asset ID and location of the device.
If you choose to allow users to enter the asset ID and location, the Device information page is shown with pre-existing data for the fields. If no data exists, the fields are blank. Users can edit or enter the device details before they complete enrollment. The information that users enter populates the asset ID and location fields in the Admin console and at chrome://policy.
By default, users in this organizational unit are allowed to enroll a new or re-enroll a deprovisioned device. Enrolling a new device or re-enrolling a deprovisioned device consumes an upgrade. Users can also re-enroll a device that was wiped or factory reset. Re-enrolling a device that was wiped or factory reset doesn't consume a new upgrade because the device is still managed.
Selecting Only allow users in this organization to re-enroll existing devices (cannot enroll new or deprovisioned devices) allows users to only re-enroll devices that were wiped or factory reset, but not deprovisioned. They can’t enroll new or re-enroll deprovisioned devices (anytime an upgrade would be consumed).
Selecting Do not allow users in this organization to enroll new or re-enroll existing devices prevents users from enrolling or re-enrolling any device, which includes re-enrolling through forced re-enrollment.
Controls whether managed users are required to enroll unowned devices.
Select one of the following options:
- Don't require users to enroll device (default)—Managed users in the organizational unit the policy is assigned to can always sign in without enrolling their devices.
- Require users to enroll device—Managed users in the organizational unit the policy is assigned to are required to enroll their devices. If a user misses the enrollment step and performs their first sign-in on the device, a pop-up is displayed asking the user to either switch to the enrollment flow or use another account for signing in. This prevents the managed user from signing in without enrollment. This setting requires the following:
- This is the first user signing into the device. For example, the device is new or has just been reset to factory settings.
- The user has the permission required to enroll devices. For more details, see Enrollment permissions.
Apps and extensions
The apps and extensions page centralizes all app and extension provisioning. For details, go to View and configure apps and extensions.
- Allow and block apps
- Force-install apps
- Pin apps to the taskbar
- Allowed app types
- Block extensions by permission
- Chrome Web Store homepage and permissions
By default, Allow users to end processes with the Chrome task manager is selected.
If you select Block users from ending processes with the Chrome task manager, users can still open the task manager, but can’t use it to end a process because the End process button is dimmed.
Manifest v2 extensions support will be deprecated in the future. All extensions need to be migrated to Manifest v3 according to the Manifest V2 support timeline.
Specifies if users can access Manifest v2 extensions on their Chrome browser.
Every extension for Chrome has a JSON-formatted manifest file, called manifest.json. The manifest file is the blueprint of your extension, and must be located in the extension's root directory.
The information in the manifest file includes the following:
- Extension title
- Extension version number
- Permissions needed for the extension to run
For more details, see Manifest file format.
Choose one of these options:
- Default device behavior (default)—Users can access Manifest v2 extensions based on their default browser settings and the Manifest V2 support timeline.
- Disable manifest v2 extensions—Users can’t install Manifest v2 extensions, and their existing extensions are disabled.
- Enable manifest v2 extensions—Users can install Manifest v2 extensions.
- Enable force-installed manifest v2 extensions—Users can access force-installed Manifest v2 extensions only. This includes extensions that are force-installed using the Apps & Extensions page in the Google Admin console. All other Manifest v2 extensions are disabled. This option is always available, regardless of the migration stage.
Note: Extension availability is controlled by other policies as well. For example, a v2 extension allowed by the Manifest policy changes to blocked if it’s listed as blocked by the Permissions and URLs setting on the Apps & Extensions page in your Admin console.
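Before choosing one of the Manifest v2 options, an admin usually wants an inventory of which deployed extensions are still on Manifest v2 and what permissions they hold. The following Python script is an added example, not part of this help page or of any Google tooling: it reads the manifest.json fields the page lists (title, version number, permissions) from constructed sample manifests, or from every manifest.json under a directory passed on the command line, and rolls them up into a migration report. It assumes (not stated on the page) that Manifest v2 lists host match patterns in "permissions" next to API permissions while v3 keeps them in "host_permissions"; the split below is by the shape of each entry, and `audit_manifest`, `migration_report` and `scan_directory` are names chosen for this example.

```python
import json
import sys
from pathlib import Path
from typing import Any, Dict

# Host patterns that grant access to every site; worth flagging whatever the manifest version.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest_text: str) -> Dict[str, Any]:
    """Summarize one manifest.json: title, version, manifest version and permissions.

    Assumption (not stated on the page): in Manifest V2 host match patterns sit in
    "permissions" alongside API permissions; in V3 they live in "host_permissions".
    The split below is by shape of the entry, not by any Chrome API.
    """
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return {"error": f"invalid JSON: {exc}"}
    version = manifest.get("manifest_version")
    permissions = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    if version == 2:
        hosts = [p for p in permissions if "://" in p or p == "<all_urls>"]
        apis = [p for p in permissions if p not in hosts]
    else:
        hosts = [p for p in manifest.get("host_permissions", []) if isinstance(p, str)]
        apis = permissions
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "manifest_version": version,
        "needs_mv3_migration": version == 2,
        "api_permissions": sorted(apis),
        "host_permissions": sorted(hosts),
        "broad_host_access": any(h in BROAD_HOST_PATTERNS for h in hosts),
    }


def migration_report(manifests: Dict[str, str]) -> Dict[str, Any]:
    """Roll up audits of several manifests, keyed by a label such as the extension directory."""
    audits = {label: audit_manifest(text) for label, text in manifests.items()}
    return {
        "total": len(audits),
        "mv2": sorted(l for l, a in audits.items() if a.get("needs_mv3_migration")),
        "broad_host_access": sorted(l for l, a in audits.items() if a.get("broad_host_access")),
        "invalid": sorted(l for l, a in audits.items() if "error" in a),
        "audits": audits,
    }


def scan_directory(root: Path) -> Dict[str, str]:
    """Collect every manifest.json under `root`, keyed by its parent directory."""
    return {str(p.parent): p.read_text(encoding="utf-8") for p in root.rglob("manifest.json")}


# Constructed sample manifests (not real extensions) so the script runs offline.
SAMPLE_MANIFESTS = {
    "legacy-helper": '{"name": "Legacy Helper", "version": "1.4.2", "manifest_version": 2, '
                     '"permissions": ["tabs", "storage", "<all_urls>"], "background": {"scripts": ["bg.js"]}}',
    "modern-helper": '{"name": "Modern Helper", "version": "2.0.0", "manifest_version": 3, '
                     '"permissions": ["storage"], "host_permissions": ["https://*.example.com/*"], '
                     '"background": {"service_worker": "bg.js"}}',
}

if __name__ == "__main__":
    manifests = scan_directory(Path(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_MANIFESTS
    print(json.dumps(migration_report(manifests), indent=2))
```

The "mv2" list is the set of extensions that will stop working under Disable manifest v2 extensions, and "broad_host_access" is a useful second column when deciding which of them deserve a force-install exception rather than removal.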
Site isolation
Site isolation
Turns on site isolation for managed Chrome browser users on ChromeOS devices. Isolate websites and origins that you specify.
- Enable site isolation for all websites and any origins below, but allow users to opt out—Every site runs in a dedicated rendering process and all sites are isolated from each other but the user can choose to change this behavior. (Default setting if you don't specify anything).
- Require site isolation for all websites, as well as any origins below—Every site runs in a dedicated rendering process. All sites are isolated from each other.
You can also enter a list of origins, separated by commas, to isolate them from their respective websites. For example, you could enter https://login.example.com to isolate it from the rest of the https://example.com website.
For details, see Protect your data with site isolation.
Turn on site isolation for managed Chrome browser users on Android devices. Isolate websites and origins that you specify.
- Turn on site isolation only for login sites, as well as any origins below—Only login sites run in a separate process as well as any origins you specify. Each entry runs in a dedicated rendering process.
- Allow user to choose to enable site isolation—The user can choose whether to turn on site isolation.
- Turn on site isolation for all websites, as well as any origins below—Every site runs in a dedicated rendering process. All sites are isolated from each other.
You can also enter a list of origins, separated by commas, to isolate them from their respective websites. For example, you could enter https://login.example.com to isolate it from the rest of the https://example.com website.
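Site isolation separates sites (scheme plus registrable domain, so https://www.example.com and https://example.com are the same site), and the origin list lets you carve a single origin such as https://login.example.com out of its site so it gets a process of its own. The following Python script is an added example, not part of this help page or of Chrome: it validates the comma-separated list the setting accepts and shows, for sample URLs, which isolation unit each lands in. It assumes (not stated on the page) that a listed origin matches exactly and does not cover its subdomains, and it approximates the registrable domain as the last two host labels, whereas Chrome uses the Public Suffix List; `parse_origin_list`, `origin_of`, `site_of` and `process_key` are names chosen for this example.

```python
from typing import List
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def is_origin(entry: str) -> bool:
    """An origin is scheme://host[:port] with no path, query or fragment."""
    try:
        parts = urlsplit(entry.strip())
        return (parts.scheme.lower() in DEFAULT_PORTS and bool(parts.hostname)
                and parts.path in ("", "/") and not parts.query and not parts.fragment
                and (parts.port is None or 0 < parts.port < 65536))
    except ValueError:  # malformed port such as ':abc'
        return False


def origin_of(url: str) -> str:
    """Canonical origin string: lower-case scheme and host, default port dropped."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return f"{scheme}://{host}" if port == DEFAULT_PORTS[scheme] else f"{scheme}://{host}:{port}"


def site_of(url: str) -> str:
    """Assumption: a 'site' is scheme plus registrable domain, approximated here as
    the last two host labels. Chrome uses the Public Suffix List instead."""
    parts = urlsplit(url)
    labels = parts.hostname.lower().split(".")
    return f"{parts.scheme.lower()}://{'.'.join(labels[-2:])}"


def parse_origin_list(value: str) -> List[str]:
    """Parse the comma-separated list typed into the setting; reject anything that is not an origin."""
    origins = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if not is_origin(entry):
            raise ValueError(f"not an origin: {entry!r}")
        origins.append(origin_of(entry))
    return origins


def process_key(url: str, isolated_origins: List[str]) -> str:
    """The isolation unit a URL lands in: its exact origin if that origin is listed,
    otherwise its site. Two URLs with the same key may share a rendering process."""
    origin = origin_of(url)
    return origin if origin in isolated_origins else site_of(url)


if __name__ == "__main__":
    # Constructed sample: the page's own example origin plus sibling URLs.
    isolated = parse_origin_list("https://login.example.com")
    for url in ["https://login.example.com/auth", "https://www.example.com/", "https://example.com/shop"]:
        print(url, "->", process_key(url, isolated))
```

With https://login.example.com listed, the login pages get their own key while https://www.example.com and https://example.com still share one, which is the behaviour the setting's example describes.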
Security
Password manager
When you select Always allow use of password manager, users can have Chrome browser remember passwords and provide them automatically the next time they sign in to a site. If you select Never allow use of password manager, users cannot save new passwords but they can still use passwords that were previously saved. Select Allow the user to decide to let users configure password manager.
Controls whether the built-in password manager can delete passwords that can’t be decrypted from its database. Users can’t change it. Undecryptable password values do not become decryptable by themselves, and even where there is a way to fix them, it often requires complex steps that users have to take.
By default, Enable deleting undecryptable passwords is selected. Users with undecryptable passwords saved to the built-in password manager permanently lose them. Passwords that are still working are left alone.
If you select Disable deleting undecryptable passwords, the password manager might not work properly for users.
You can specify how local data recovery is managed on ChromeOS devices.
Choose one of the following options:
- Defer activation of account recovery until migration phase (see help center)—(Default) Maintains user data recovery in the default option. At the moment, that default option is Deactivate account recovery. However, the default will change in the future to the Activate account recovery option. Google will notify your IT Admin by email before this happens.
- Activate account recovery—Activates user data recovery and the user is not allowed to change it.
- Activate account recovery and allow users to override—Activates user data recovery, but the user is allowed to change it.
- Deactivate account recovery—Deactivates user data recovery and the user is not allowed to change it.
Turns on or off the lock screen on users' devices. If you select Do not allow locking screen, the system signs out the user in cases where the lock screen normally activates. Idle settings that lead to the lock screen, such as Lock screen on sleep, also sign the user out.
Specifies whether users can use quick unlock modes, including PIN and fingerprint, to unlock the lock screen on their ChromeOS device.
If you choose PIN and turn off ephemeral mode, users can use their PIN instead of their Google Account password to sign in to ChromeOS devices with the Google H1 security chip. Users can create a PIN during Out Of Box Experience (OOBE) setup or in Security and Privacy settings on their device. Sometimes, users might still be prompted to enter their password. For example, if users repeatedly enter the wrong PIN or if you force users to change their password.
We recommend that you don’t let users unlock with PIN if they use shared devices.
For details, see Lock or unlock your screen.
Controls PIN settings for user lock screens.
Select one of the following:
- Allow users to set a weak PIN, but show a warning (default)
- Allow users to set a weak PIN
- Do not allow users to set a weak PIN—Users can't set weak, easy-to-guess PINs and receive an error on PIN entry.
You can set the minimum and maximum length of user PINs. If you do not enter any minimum value, the default value of 6 digits is used. If you do not enter any maximum value or set the value to 0, the PIN length is unlimited.
Examples of weak PINs
- Only one digit, for example 1111
- Digits increase by 1, for example 1234
- Digits decrease by 1, for example 4321
- Common PINs
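The weak-PIN categories and length rules above are simple enough to check before a policy is rolled out, for instance against the PIN scheme a help desk plans to hand out. The following Python script is an added example, not part of this help page or of ChromeOS: it models the three weak-PIN options and the minimum/maximum length rules described on the page (no minimum means 6 digits; no maximum or 0 means unlimited). The list of common PINs is a constructed sample, since the page does not publish the list ChromeOS uses; `PinPolicy`, `weak_pin_reasons` and `check_pin` are names chosen for this example, and the sequence checks assume no wrap-around (8901 does not count as increasing).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of frequently chosen PINs; ChromeOS ships its own list, which is not on the page.
COMMON_PINS = {"0000", "1111", "1212", "1234", "2000", "2580", "4321", "6969", "7777", "8888",
               "9999", "000000", "111111", "112233", "123123", "123456", "654321", "696969"}


@dataclass
class PinPolicy:
    min_length: Optional[int] = None   # None -> the page's default of 6 digits
    max_length: Optional[int] = None   # None or 0 -> unlimited
    weak_pins: str = "warn"            # "allow" | "warn" | "block", the three options on the page


def weak_pin_reasons(pin: str) -> List[str]:
    """Return the weak-PIN categories from the page that `pin` falls into (empty if none)."""
    digits = [int(c) for c in pin]
    steps = [b - a for a, b in zip(digits, digits[1:])]
    reasons = []
    if len(set(digits)) == 1:
        reasons.append("all digits identical")
    if steps and all(s == 1 for s in steps):      # assumption: no wrap-around from 9 to 0
        reasons.append("digits increase by 1")
    if steps and all(s == -1 for s in steps):
        reasons.append("digits decrease by 1")
    if pin in COMMON_PINS:
        reasons.append("commonly used PIN")
    return reasons


def check_pin(pin: str, policy: PinPolicy) -> Tuple[str, List[str]]:
    """Evaluate a candidate PIN against the policy.

    Returns ("ok" | "warn" | "error", reasons): length violations are always
    errors; weak PINs are silently accepted, warned about, or rejected
    according to policy.weak_pins.
    """
    if not pin.isascii() or not pin.isdigit():
        return ("error", ["PIN must contain only digits 0-9"])
    min_len = policy.min_length if policy.min_length is not None else 6
    problems = []
    if len(pin) < min_len:
        problems.append(f"shorter than minimum length {min_len}")
    if policy.max_length and len(pin) > policy.max_length:
        problems.append(f"longer than maximum length {policy.max_length}")
    if problems:
        return ("error", problems)
    reasons = weak_pin_reasons(pin)
    if not reasons or policy.weak_pins == "allow":
        return ("ok", [])
    return ("error" if policy.weak_pins == "block" else "warn", reasons)


if __name__ == "__main__":
    # Constructed sample PINs run against the default policy and a strict one.
    for candidate in ["1234", "123456", "111111", "135790"]:
        print(candidate, check_pin(candidate, PinPolicy()), check_pin(candidate, PinPolicy(weak_pins="block")))
```

Because a weak PIN is the only factor standing between a shared device and its session, running the strict policy (weak_pins="block") against your proposed defaults is the quickest way to see how many of them the Do not allow users to set a weak PIN option would reject.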
Specifies whether users can use PIN or fingerprint to sign in to websites that support WebAuthn, a secure web authentication protocol.
This policy is temporary and will be removed in future versions of Google Chrome. You can turn on the setting to test for issues, and turn it off while issues are being resolved.
Specifies if Google Chrome offers a post-quantum key agreement algorithm in Transport Layer Security (TLS). Depending on the Chrome version, the algorithm is either ML-KEM, which is a NIST post-quantum standard, or Kyber, which is an earlier draft iteration of the standard. Post-quantum key agreement in TLS connections lets supporting servers protect user traffic from decryption by quantum computers.
Kyber is backwards-compatible, meaning that existing TLS servers and networking middleware are expected to ignore the new option and continue selecting previous options.
Note: TLS must be implemented correctly. Otherwise, devices can malfunction when offered the new option. For example, they might disconnect in response to unrecognized options or the resulting larger messages. Such devices aren’t post-quantum-ready and might interfere with an enterprise's post-quantum transition. Admins dealing with this scenario should contact their vendor for a solution.
Choose one of these options:
- Use the default Chrome settings—This is the default. Chrome follows the default rollout process for offering a post-quantum key agreement in TLS connections.
- Allow post-quantum key agreement in TLS connections—Chrome offers a post-quantum key agreement in TLS connections. User traffic is protected from quantum computer decrypting.
- Do not allow post-quantum key agreement in TLS connections—Chrome doesn’t offer a post-quantum key agreement in TLS connections. User traffic isn’t protected from quantum computer decrypting.
Note: If set, the Post-quantum TLS setting on the Device settings page takes precedence over this setting.
Allows you to enable the PIN auto-submit feature on the lock and login screen. The feature changes how PIN numbers are entered in ChromeOS. Similar to the text field that is used for password input, it shows users how many numerals are necessary to enter their PIN. Currently the range is from 6 to 12 digits.
Specifies whether users can play media while devices are locked.
If playback is supported, when a user locks their device, they can control their media from the lock screen while media is playing. The controls display on the lock screen and allow the user to quickly skip to the next track or pause content without unlocking the device.
Specifies whether users can browse in Incognito mode.
Choose Disallow incognito mode to prevent users from opening new Incognito windows. Chrome browser does not close Incognito windows that are already open or prevent users from opening new tabs in those windows.
For K-12 EDU domains, the default is Disallow incognito mode.
For all other domains, the default is Allow incognito mode.
Force incognito mode is not available on Android.
Controls whether Chrome browser saves the user's browsing history.
Specifies whether users can clear browser data, including their browsing and download history.
Note: Preventing users from clearing browser data doesn't guarantee that browser and download history is kept. For example, if a user deletes their profile, their browsing history is cleared.
Specifies whether users browse in Ephemeral mode or not.
Ephemeral mode lets your employees work from their personal laptop or a shared device that they trust, while reducing the chances of any browsing information being left behind on their device.
Note: If you use this setting, we recommend that you do not disable Chrome sync in the Admin console.
Controls how long Chrome keeps browser data, such as history, cookies, and passwords. This setting is useful for users that work with sensitive data.
Warning: Setting this policy can impact and permanently remove local personal data. We recommend testing your settings before deploying to prevent the accidental deletion of personal data. Sync for the affected data types must be disabled, through either the SyncDisabled or the BrowserSignin policy.
Chrome deletes expired data 15 seconds after the browser starts, and then every hour while the browser is running. Browser data that is older than the length of time that you specify is automatically deleted. The minimum value that you can specify is 1 hour. Left blank, Chrome never automatically deletes certain types of browsing data.
The browser data types that you can delete are:
- Browsing history
- Download history
- Cookies and other site data
- Cached images and files
- Passwords and other sign-in data
- Autofill form data
- Site settings
- Data cache for hosted apps
If you select Perform online OCSP/CRL checks, ChromeOS devices perform online revocation checks of HTTPS certificates.
Specifies whether websites are allowed to track the user's physical location.
For Chrome browser, this policy corresponds to the user options in their Chrome settings. Tracking the physical location can be allowed by default, denied by default, or the user can be asked each time a website requests the physical location.
For Android apps running on ChromeOS, if you select Do not allow sites to detect users' geolocation, Android apps cannot access location information. Otherwise, users are asked to consent when an Android app wants to access location information.
Sets the frequency of forced online sign-ins on the login screen for users signing into their ChromeOS device without SAML single sign-on (SSO).
Each time users sign out after the set frequency period, they must go through the online sign-in flow.
When users sign in online, they use the Google identity service. By forcing users to regularly sign in, you provide additional security for organizations that require 2-Factor Authentication or Multi-Factor Authentication.
Enter a value, in days:
- 0—Users are always required to use online sign-in.
- 1-365—After the set frequency period, users are required to use online sign-in the next time they start a session.
Left empty, users are not required to regularly use online sign-in.
For users with SAML SSO, configure the SAML single sign-on login frequency setting.
Important: This setting does not provide additional at-rest protection of user data stored on the ChromeOS devices, including authentication tokens for online services. At-rest user data encryption is based on offline authentication factors, such as password or smart card.
Sets the frequency of forced online sign-in on the lock screen for users signing into their ChromeOS device without SAML single sign-on (SSO).
Each time users lock their session after the set frequency period, they must go through the online sign-in flow.
When users sign in online, they use the Google identity service. By forcing users to regularly sign in, you provide additional security for organizations that require 2-Factor Authentication or Multi-Factor Authentication.
Enter a value, in days:
- 0—Users are always required to use online sign-in on their lock screen.
- 1-365—After the set frequency period, users are required to use online sign-in the next time they unlock their lock screen.
Left empty, users are not required to regularly use online sign-in to unlock their lock screen.
For users with SAML SSO, configure the SAML single sign-on unlock frequency setting.
Turns on or off SAML-based single sign-on for ChromeOS devices.
Important: Before using this policy, review the requirements in Configure SAML single sign-on for ChromeOS devices.
Sets the frequency of forced online sign-in flows for SAML-based single sign-on (SSO) accounts on the login screen.
Each time users sign out after the set frequency period, they must go through the online sign-in flow for SAML-based SSO accounts.
When users are signing in online, they use your configured SAML SSO service. By forcing users to regularly sign in, you provide additional security for organizations that require 2-Factor Authentication or Multi-Factor Authentication and confirm that the user account is still valid.
Sign-on frequency options:
- Every day
- Every 3 days
- Every week
- Every 2 weeks
- Every 3 weeks
- Every 4 weeks
- Every time
- Never
Important: Before using this policy, review the requirements in Configure SAML single sign-on for ChromeOS devices. This setting does not provide additional at-rest protection of user data stored on the ChromeOS devices, including authentication tokens for online services. At-rest user data encryption is based on offline authentication factors, such as password or smart card.
For users without SAML SSO, configure the Google online login frequency setting.
Sets the frequency of forced online sign-in for users with SAML on their lock screen.
Each time users lock their session after the set frequency period, they must go through the online sign-in flow.
When users sign in online, they use your configured SAML SSO service. By forcing users to regularly sign in, you provide additional security for organizations that require 2-Factor Authentication or Multi-Factor Authentication, and you confirm that the user account is still valid.
Enter a value, in days:
- 0—Users are always required to use online sign-in on their lock screen.
- 1-365—After the set frequency period, users are required to use online sign-in the next time they unlock their lock screen.
Left empty, users are not required to regularly use online sign-in to unlock their lock screen.
For users without SAML SSO, configure the Google online unlock frequency setting.
Only applies if the SAML single sign-on password synchronization setting is configured.
If users’ SAML SSO password changes, specifies whether they are prompted to change their ChromeOS device local password on the login screen only, or on both the lock and login screen. By default, Only enforce online logins on the login screen is selected.
Additional information:
For ChromeOS devices with SAML SSO. For details, see Configure SAML single sign-on for ChromeOS devices.
By default, authentication flows are not triggered when users’ SSO SAML passwords are updated.
To keep your users informed of upcoming password changes on their ChromeOS devices, select Trigger authentication flows to synchronize passwords with SSO providers.
Determines the user experience when lock screen online reauthentication occurs.
As an admin, you can set up lock screen reauthentication triggers:
- For Google Identity users at specified frequency—Go to Google online unlock frequency.
- For SAML identity provider users at specified frequency—Go to SAML single sign-on unlock frequency.
- Upon demand for SAML identity provider users—Go to SAML single sign-on password synchronization flows.
By default, Show users interstitial screens prior to online reauthentication is selected and is recommended for password authentication flows. For passwordless authentication flows, such as badge authentication, select Show users the online reauthentication screen to ensure devices are instantly ready.
Temporarily turns on or off Rivest Cipher 4 (RC4) cipher suite in TLS if certain legacy servers need it.
Note: RC4 is not secure. We recommend that you reconfigure servers to support AES encryption.
Local anchors common name fallback
Controls whether to allow or block certificates issued by local trust anchors that are missing the subjectAlternativeName extension. If Allow is selected, Chrome browser will use the commonName of a server certificate to match a host name if the certificate is missing a subjectAlternativeName extension, as long as it successfully validates and chains to a locally-installed CA certificate.
Note: Selecting Allow is not recommended—it might allow bypassing the nameConstraints extension that restricts the host names a given CA is authorized to issue certificates for.
Symantec Corporation's legacy PKI infrastructure
Allows certificates issued by Symantec Corporation's Legacy PKI operations to be trusted if they otherwise successfully validate and chain to a recognized CA certificate. For non-ChromeOS systems, this policy depends on the operating system still recognizing certificates from Symantec's legacy infrastructure. If an OS update changes the OS handling of certificates, this policy no longer has an effect. This policy is intended as a temporary workaround to give enterprises more time to transition away from legacy Symantec certificates.
Specifies URLs where certificate-transparency requirements are not enforced on certificates. In turn, Chrome browser can use certificates that were issued by the Certificate Authority (CA) and not publicly disclosed. If the CA issues illegitimate certificates for a specified URL, they might not be detected.
Only the host name portion of the URL is matched. Wildcard host names are not supported. For URL syntax, see URL blocklist filter format.
If a certificate chain contains certificates with a specified subjectPublicKeyInfo hash, certificate transparency requirements are not enforced on certificates. Therefore, Chrome browser can use certificates that were issued by the Certificate Authority (CA) to an organization but were not publicly disclosed.
For details on specifying a subjectPublicKeyInfo hash, see the CertificateTransparencyEnforcementDisabledForCas policy.
If a certificate chain contains certificates issued by a legacy Certificate Authority (CA) with a specified subjectPublicKeyInfo hash, certificate transparency requirements are not enforced on certificates. Legacy CAs are trusted by some operating systems that run Chrome browser, but not ChromeOS or Android. Chrome browser can use certificates that were issued to an organization but were not publicly disclosed.
For details on specifying subjectPublicKeyInfo hashes, see the CertificateTransparencyEnforcementDisabledForLegacyCas policy.
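The two settings above take subjectPublicKeyInfo hashes, and the Local anchors common name fallback setting earlier on this page warns that commonName matching can sidestep nameConstraints. The Go program below is an added example, not code from Google or Chrome, that shows both points. It computes the hash in the form the Chrome policy list describes (SHA-256 over the DER-encoded subjectPublicKeyInfo, written as sha256/ followed by the base64 digest), and it builds a constructed chain (a local CA whose nameConstraints permit only .example.com, plus a leaf it issued with a commonName outside that namespace and no subjectAlternativeName) to show that strict SAN-only host name matching rejects the leaf while a commonName fallback would accept it. The CA name, the host name, and the helper functions are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate from tmpl. With parent == nil the certificate is
// self-signed; otherwise it is signed with parentKey, the parent's private key.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SPKIHash returns the value the CertificateTransparencyEnforcementDisabledForCas
// policy expects: SHA-256 over the DER-encoded subjectPublicKeyInfo, as
// "sha256/" followed by the base64 digest.
func SPKIHash(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// LegacyCNMatch emulates the commonName fallback the setting enables: a
// certificate with no SAN is matched by its CN alone. Go's own VerifyHostname
// never consults the CN, so it serves as the strict comparison.
func LegacyCNMatch(cert *x509.Certificate, host string) bool {
	if len(cert.DNSNames) > 0 || len(cert.IPAddresses) > 0 {
		return cert.VerifyHostname(host) == nil
	}
	return cert.Subject.CommonName == host
}

// BuildDemoChain constructs the test data (not a real CA): a local CA whose
// nameConstraints permit only .example.com, and a leaf it issued that carries no
// SAN and a CN outside that namespace.
func BuildDemoChain() (ca, leaf *x509.Certificate) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "Example Local CA (demo)"},
		NotBefore:                   now.Add(-time.Hour),
		NotAfter:                    now.Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign,
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{".example.com"},
	}
	ca, caKey := makeCert(caTmpl, nil, nil)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "intranet.other.test"}, // CN only, no SAN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ = makeCert(leafTmpl, ca, caKey)
	return ca, leaf
}

// ChainsToCA reports whether leaf validates up to ca (nameConstraints included)
// without checking any host name.
func ChainsToCA(ca, leaf *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

func main() {
	ca, leaf := BuildDemoChain()
	host := "intranet.other.test"
	fmt.Println("policy value for the local CA:", SPKIHash(ca))
	fmt.Println("leaf chains to constrained CA: ", ChainsToCA(ca, leaf))
	fmt.Println("strict SAN matching accepts:   ", leaf.VerifyHostname(host) == nil)
	fmt.Println("CN fallback accepts:           ", LegacyCNMatch(leaf, host))
}
```

The printed sha256/... line is the value you would enter for that CA in the subjectPublicKeyInfo hash settings. In this demo the CA's constraint never touches the CN-only leaf, because constraints are checked against SAN entries; that is why the chain validates, strict SAN matching still rejects the host, and a commonName fallback would accept a name the CA was never authorized for.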
Controls whether users can import, edit, and remove Certificate Authority (CA) certificates using Certificate Manager. Choose an option:
- Allow users to manage all certificates—This is the default. Users can edit trust settings for all CA certificates, remove user-imported certificates, and import certificates.
- Allow users to manage user certificates—Users can manage only user-imported certificates, but they can’t change trust settings for built-in certificates.
- Disallow users from managing certificates—Users can view CA certificates, but they can’t manage them.
Controls whether users can manage client certificates. Choose an option:
- Allow users to manage all certificates—This is the default. Users can manage all certificates.
- Allow users to manage user certificates—Users can manage only user certificates, not device-wide certificates.
- Disallow users from managing certificates—Users can view certificates, but they can’t manage them.
This policy is temporary. Support for the platform-supplied certificate verifier will be removed and the Chrome Root Store will always be used.
Specifies whether the Chrome Root Store and built-in certificate verifier is used to verify server certificates.
The default, Chrome Root Store may be used, lets Chrome use either the Chrome Root Store or system-provided roots.
If you select Use the Chrome Root Store, Chrome performs verification of server certificates using the built-in certificate verifier with the Chrome Root Store as the source of public trust.
If you select Do not use the Chrome Root Store, Chrome uses the system certificate verifier and system root certificates.
For up to date information about the Chrome milestones that support this policy, see the Chrome Enterprise policy list.
Specifies whether Intel Hyper-Threading Technology is optimized for stability or performance. Hyper-Threading Technology uses processor resources more efficiently and increases processor throughput.
(Recommended) You can enable the Renderer App Container configuration on supported platforms.
Important: If you disable the Renderer App Container configuration, the sandbox that renderer processes use weakens. This adversely affects the security and stability of Google Chrome. We recommend that you only disable the setting if there are compatibility issues with third-party software that must run inside renderer processes.
By default, Renderer code integrity enabled is selected. Chrome browser prevents unknown and potentially hostile code from loading inside Chrome browser renderer processes.
Unless you have compatibility issues with third-party software that must run inside Chrome browser renderer processes, we do not recommend turning off this setting. If you select Renderer code integrity disabled, Chrome browser security and stability might be impacted.
Controls whether Chrome checks for leaked usernames and passwords.
This setting has no effect if Safe Browsing is not turned on. To make sure that Safe Browsing is turned on and users can’t change it, configure the Safe Browsing Protection Level setting.
By default, No policy set is selected. So, ambient authentication is enabled only in regular sessions, and not in incognito or guest sessions.
Specifies whether the Chrome Cleanup tool can periodically scan the system for unwanted software.
The Chrome Cleanup tool removes harmful malware and reverts any hijacked settings. If something suspicious is discovered, the user is given the option to remove it.
If Allow Chrome Cleanup to periodically scan the system and allow manual scans is selected, you can specify whether to share the results from Chrome Cleanup with Google.
Users can also manually trigger Chrome Cleanup from chrome://settings if they experience issues such as:
- Excessive pop-up ads and unexpected web pages
- Search engine or homepage redirecting to unrecognized services or sites
If you select Prevent Chrome Cleanup from periodical scans and disallow manual scans, Chrome Cleanup does not periodically scan and users cannot manually trigger a cleanup.
On Microsoft Windows, Chrome Cleanup is only available if Chrome browser is:
- Joined to a Microsoft Active Directory domain
- Running on Windows 10 Pro
- Enrolled in Chrome Enterprise Core
Specifies whether third-party software can inject executable code into Chrome's processes.
If you select Prevent third party code from being injected into Chrome, third-party software cannot inject executable code into Chrome's processes.
For devices joined to a Microsoft Active Directory domain, Chrome browser does not block third-party software from injecting executable code into its processes regardless of the policy setting.
Specifies whether the audio process is sandboxed by isolating it from critical system resources and other programs. Sandboxing this process can increase system security.
A sandbox restricts the resources available to the audio process to what it needs.
The default is Use the default configuration for the audio sandbox; that default configuration might differ per platform. If you use security software setups that interfere with the sandbox, select Never sandbox the audio process.
Allows or blocks the warning that appears to users who are running Chrome on an unsupported computer or operating system.
Specifies whether users enrolled in the Advanced Protection program are protected from online attacks, including unauthorized access to their account or harmful downloads. Some features might involve sharing data with Google. For example, Advanced Protection users can send their downloads to Google for a more stringent malware scan before downloading.
By default, Users enrolled in the Advanced Protection program will receive extra protections is selected.
Select Users enrolled in the Advanced Protection program will only receive standard consumer protections to prevent extra protections for users enrolled in the Advanced Protection program.
Specifies origins (URLs) or hostname patterns for which restrictions on insecure origins do not apply. It also prevents the URL from being labeled Not Secure in the address bar.
You can specify URLs for legacy applications that can't deploy Transport Layer Security (TLS) or set up a staging server for internal web development. Developers can then test features requiring secure contexts without having to deploy TLS on the staging server.
Specifying a list of URLs in this setting is the same as setting the --unsafely-treat-insecure-origin-as-secure command-line switch to a comma-separated list of the same URLs.
For more details on secure contexts, see Secure Contexts.
Controls whether users see security warnings when Chrome launches with potentially dangerous command-line flags.
For Microsoft Windows, machines need to be joined to a Microsoft Active Directory domain, running on Windows 10 Pro, or enrolled in Chrome Enterprise Core.
For macOS, machines need to be managed using MDM or joined to a domain with MCX.
Specifies whether pop-ups opened with a target of _blank are allowed to interact with the page that opened the pop-up.
- Block popups opened with a target of _blank from interacting with the page that opened the pop-up—Only pop-ups opened with a target of _blank are allowed to interact with the page that opened the pop-up if the opener page explicitly opts-in to the interaction.
- Allow pop-ups opened with a target of _blank to interact with the page that opened the pop-up—All pop-ups opened with a target of _blank are allowed to interact with the page that requested to open the pop-up unless the opener page explicitly opts-out of the interaction.
The Smart Card Connector app and smart card CSSI middleware app must be installed in-session for the user. See Deploy smart cards on ChromeOS.
Specifies what action is taken if a user removes their security token. Currently, this setting only impacts user sessions when you configure sign-in using smart cards. For details, see Set up sign-in using smart cards on managed ChromeOS devices.
The options are:
- Nothing—No action is taken.
- Log the user out—The user is signed out of their session and must sign back in again.
- Lock the current session—The user's session is locked until they re-authenticate using their security token.
If you select Log the user out or Lock the current session, the Removal notification duration (seconds) field is displayed. You can enter the number of seconds that the notification, informing the user of the impending action, is displayed. The action is then carried out after this notification expires if the user does not re-insert their security token. If you enter 0, no notification is displayed and the action is carried out immediately.
By default, Allow system notifications to be used is selected. So, Chrome browser on Linux is allowed to use system notifications.
Select Do not allow system notifications to be used to prevent Chrome browser from using system notifications. Instead, the browser uses Chrome’s message center.
Specifies the initial screen brightness on ChromeOS devices. Select Set initial screen brightness and enter a screen brightness percentage value between 15 and 100 for AC and battery power sources. Users can change it.
This policy will be removed after Chrome version 100.
For Chrome version 94 or later, specifies whether non-allowlisted embedded resources, such as iframes, can request that users share their screen. Web designers use the display-capture permissions policy to control whether embedded resources can call getDisplayMedia() to capture a screen or application window, including audio.
Choose an option:
- Deny insecure requests to access display—This is the default. Code running in cross-origin child browsing contexts can only request that users share their screen if web designers have allowlisted them.
- Allow requests to access display from non-allowlisted contexts—Code running in cross-origin child browsing contexts can request that users share their screen, even when not allowlisted.
Note: Other restrictions might apply and users might not be able to share their screen.
Controls whether users can use remote debugging. By default, Allow use of the remote debugging is selected. Users can use remote debugging by specifying the --remote-debugging-port and --remote-debugging-pipe command line switches.
Supported on Chrome version 96 to 100 inclusive
In Chrome version 97 to 100, WebSQL in third-party contexts is turned off by default. In Chrome version 101 and later, WebSQL in third-party contexts is completely removed.
By default, Do not allow WebSQL in third-party contexts is selected and WebSQL in third party contexts stays turned off.
Select Allow WebSQL in third-party contexts to force WebSQL in third-party contexts to be turned on again.
You can force WebSQL to be enabled in non-secure contexts.
WebSQL will be disabled by default in non-secure contexts from Chrome version 109 but you can enable it using this policy.
If you select Enable WebSQL in non-secure contexts, WebSQL cannot be disabled in non-secure contexts.
You can prevent users from turning off WebSQL.
From Chrome version 101, WebSQL is on by default, but you can turn it off using chrome://flags. If you select Force WebSQL to be enabled, WebSQL cannot be turned off.
Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the 3DES (Triple Data Encryption Standard) algorithm. Cipher suites are sets of instructions on how to secure a network through TLS and they provide essential information on how to communicate secure data when using HTTPS, SMTP, and other network protocols.
3DES only provides an effective security of 112 bits. You can use this policy to temporarily retain compatibility with an outdated server by enabling 3DES cipher suites in TLS. This is a stopgap measure only and the server must be reconfigured.
The default is Use the default setting for 3DES cipher suites in TLS.
Supported on Chrome browser version 96 to 103 inclusive.
By default, Apply default settings for U2F API deprecation is selected, and the default behavior for the U2F Security Key API applies. In Chrome browser version 98 to 103, the U2F Security Key API is disabled by default. In Chrome version 104 and later, the U2F Security Key API is completely removed.
Select Allow use of the deprecated U2F Security Key API to continue using the U2F Security Key API in Chrome browser version 96 to 103.
You can specify whether the user can dismiss any compromised password alerts they receive after entering their username and password. They can restore the warning at any time. For more details on how this affects the user, see Change unsafe passwords in your Google Account.
The default is Allow dismissing compromised password alerts.
Before you configure this setting, confirm all local privacy and data protection requirements with your legal team.
Controls whether specific web applications are allowed to automatically capture multiple screens at once.
Sites that match the origin (URL) patterns that you specify in the Configuration field, are allowed to automatically capture all screen surfaces without requiring explicit user permission.
If you leave the Configuration field empty, no web applications are allowed to automatically capture multiple screens at once.
Enter the list of origin values, one per line. For example:
https://www.example.com
[*.]example.edu
Encrypted ClientHello (ECH) is an extension to TLS to encrypt sensitive fields of ClientHello messages and improve privacy. It allows websites to opt-in and avoid leaking sensitive fields, like the server name, to the network by hosting a special HTTPS RR DNS record.
As ECH is an evolving protocol, Chrome's implementation is subject to change. This temporary policy controls the initial experimental implementation. It will be replaced with final controls as the protocol is finalized.
If you select the default Enable the TLS Encrypted ClientHello experiment, Chrome browser follows the default rollout process for ECH.
When the TLS Encrypted ClientHello experiment is enabled, whether Chrome uses ECH depends on server support, availability of the HTTPS DNS record, or the rollout status.
You can enable strict MIME type checking for worker scripts.
Choose an option:
- Require a JavaScript MIME type for worker scripts—Worker scripts use strict MIME type checking for JavaScript and worker scripts with legacy MIME types are rejected. (Default setting if you don't specify anything).
- Use lax MIME type checking for worker scripts—Worker scripts use lax MIME type checking, and worker scripts with legacy MIME types, such as text/plain, continue to be loaded and executed.
You can control your users’ experience of Chrome’s ad privacy settings.
If you select Allow Google Chrome to determine whether to show the Privacy Sandbox prompt, your users see a box that explains their options and allows them to set their preferences.
If you select Do not show the Privacy Sandbox prompt to users, you can turn off, or control whether users can turn on or off, the following settings:
- Ad topics
- Site-suggested ads
- Ad measurement
Turns on or off the Less Privileged AppContainer (LPAC) sandbox for printing services, if supported by the system configuration.
By default, Run printing services in LPAC sandbox when available is selected.
Only select Run printing services in a less secure sandbox if you’re having trouble with third-party software that’s preventing printing services from working properly inside the LPAC sandbox. But be careful—Chrome browser is less secure because services used for printing might run in a weaker sandbox configuration.
This policy is temporary and will be removed in a future version of Chrome.
You can force Chrome to not enforce constraints encoded into trust anchors loaded from the platform trust store.
Currently, X.509 certificates might encode constraints, such as Name Constraints, in extensions in the certificate. In Chrome, such constraints in certificates loaded from the platform certificate store are enforced.
If you have issues with the constraints encoded in your private root, this setting gives you time to fix these issues by temporarily disabling enforcement of the constraints while correcting the certificate issues.
You can decide whether or not to show users the Credential Provider Extension promo.
On iOS devices, users can choose a participating third-party app as a credential provider for password autofill or extensions settings.
For more details, see Credential provider extensions.
You can specify whether a document is isolated in an origin-keyed agent cluster or in a site-keyed agent cluster. Documents are isolated in an origin-keyed agent cluster by default.
This gives the browser more flexibility in implementation technologies. In particular, Chrome will use this as a hint to put the origin in its own process, subject to resource or platform limitations.
When you choose to isolate documents by origin, you can no longer set the document.domain accessor.
When you choose to isolate documents by site (a site-keyed agent cluster), you can set the document.domain accessor. This matches the legacy behavior.
For more details, see this same-origin policy blog.
You can specify origins (URLs) or hostname patterns for file or directory picker APIs that can be called without a prior action by the user.
Enter one pattern on each line and prefix domains with [*.] to include all subdomains. You can only enter a maximum of 1000 URLs.
If you do not enter any URLs, all origins need a prior action by the user to call these APIs.
For details on valid URL patterns, see Enterprise policy URL pattern format.
You can specify origins (URLs) or hostname patterns that display the media picker for a screen capture without a prior action by the user.
Enter one pattern on each line and prefix domains with [*.] to include all subdomains. You can only enter a maximum of 1000 URLs.
If you do not enter any URLs, all origins need a prior action by the user to display the media picker for a screen capture.
For details on valid URL patterns, see Enterprise policy URL pattern format.
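Several settings on this page (the insecure-origin override, automatic multi-screen capture, the file picker list and the screen-capture media picker list above) take a list of origin patterns, one per line, where a [*.] prefix includes all subdomains and wildcard host names are otherwise unsupported. The Go program below is an added example, not Google's or Chrome's code, of a matcher for that list. It assumes a simplified subset of the Enterprise policy URL pattern format: an optional scheme://, an optional [*.] prefix, a host, and an optional :port, with any path ignored because these settings match by origin; the full format supports more forms than this. The sample patterns and URLs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// OriginPattern is the simplified pattern form assumed here (see the lead-in).
type OriginPattern struct {
	Scheme     string // "" matches any scheme
	Host       string // lower-cased, no trailing dot
	Subdomains bool   // true when the line began with [*.]
	Port       string // "" matches any port
}

// ParsePattern parses one line as entered in the console. Empty lines and
// wildcard hosts, which the setting does not support, are errors.
func ParsePattern(line string) (OriginPattern, error) {
	var p OriginPattern
	s := strings.TrimSpace(line)
	if s == "" {
		return p, errors.New("empty pattern")
	}
	if i := strings.Index(s, "://"); i >= 0 {
		p.Scheme = strings.ToLower(s[:i])
		s = s[i+3:]
	}
	if i := strings.Index(s, "/"); i >= 0 { // drop any path: matching is by origin
		s = s[:i]
	}
	if strings.HasPrefix(s, "[*.]") {
		p.Subdomains = true
		s = s[len("[*.]"):]
	}
	host, port, err := net.SplitHostPort(s)
	if err != nil { // no port present
		host, port = s, ""
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if host == "" || strings.ContainsAny(host, "*[]") {
		return p, fmt.Errorf("unsupported host in pattern %q", line)
	}
	p.Host, p.Port = host, port
	return p, nil
}

// Matches reports whether the origin of rawURL falls under the pattern.
func (p OriginPattern) Matches(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil || u.Host == "" {
		return false
	}
	if p.Scheme != "" && p.Scheme != strings.ToLower(u.Scheme) {
		return false
	}
	if p.Port != "" && p.Port != u.Port() {
		return false
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if host == p.Host {
		return true
	}
	// [*.]example.edu covers lab.example.edu but not evil-example.edu or
	// example.edu.attacker.test: only a genuine label boundary counts.
	return p.Subdomains && strings.HasSuffix(host, "."+p.Host)
}

// Allowed reports whether any configured pattern matches rawURL, and which
// line did. Lines that fail to parse are skipped here; in practice you would
// surface them to the admin who entered the list.
func Allowed(patterns []string, rawURL string) (ok bool, matched string) {
	for _, line := range patterns {
		p, err := ParsePattern(line)
		if err != nil {
			continue
		}
		if p.Matches(rawURL) {
			return true, line
		}
	}
	return false, ""
}

func main() {
	// Constructed sample list, one pattern per line as it would be entered.
	patterns := []string{"https://www.example.com", "[*.]example.edu", "http://legacy.intranet.test:8080"}
	for _, u := range []string{
		"https://www.example.com/app",
		"http://www.example.com/",
		"https://lab.cs.example.edu/",
		"https://example.edu.attacker.test/",
		"http://legacy.intranet.test:8080/",
		"http://legacy.intranet.test/",
	} {
		ok, by := Allowed(patterns, u)
		fmt.Printf("%-38s allowed=%-5v pattern=%q\n", u, ok, by)
	}
}
```

The label-boundary check is the part worth keeping in mind when reviewing a list: a pattern that includes subdomains must not be satisfied by a look-alike host such as evil-example.edu, and a scheme-qualified pattern must not match the plain-http version of the same host, since that would re-enable the very origins these settings are meant to keep scoped.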
Specifies if users can store pages with a Cache-Control: no-store (CCNS) header in the back/forward cache (or bfcache).
Bfcache is a browser optimization that enables instant back and forward navigation. It significantly improves the browsing experience for users—especially those with slower networks or devices.
Documents with a CCNS header are blocked from entering bfcache on all browsers, because they could contain sensitive content that was accessible at first, but which should be inaccessible afterwards. This is especially important on shared devices. To unblock the bfcaching of the majority of CCNS pages—without compromising sensitive information—Chrome browser stores pages in bfcache, except for the ones with sensitive information (Github).
If the policy is turned on, the page with a CCNS header can be restored from bfcache, unless the cache eviction is triggered; for example, when there is HTTP-only cookie change to the site. If the policy is turned off, the page with a CCNS header will not be stored in bfcache.
The Device Bound Session Credentials feature is being gradually rolled out to users.
Specifies whether Google authentication cookies are protected from theft by using credentials that are cryptographically bound to the device. Authentication cookies allow Google websites to know your identity and provide personalized features.
By default, Use the default Chrome setting is selected. Chrome browser uses the Device Bound Session Credentials feature if it’s available, depending on the current stage of the feature launch process.
To protect Google authentication cookies from theft ahead of the launch schedule, select Enable Device Bound Session Credentials. Then, Chrome browser regularly provides cryptographic proof of device possession to Google servers.
Specifies whether to bind encryption keys that are used for local data storage to Chrome browser, when possible. By default, Enable application bound encryption is selected.
Selecting Disable application bound encryption reduces Chrome's security. Unknown and potentially hostile apps can retrieve encryption keys that are used to secure data.
Only select Disable application bound encryption if there are compatibility issues, such as:
- Other apps need legitimate access to Chrome data.
- Encrypted user data is expected to be fully transferable between computers.
- Integrity and location of Chrome executable files are inconsistent.
Control the dynamic code settings for Chrome browser on Windows.
Dynamic code creation allows attackers to inject their own malicious code on another computer or within another software environment, without user awareness or permission.
By default, Chrome browser allows dynamic code creation. Turning off this setting prevents Chrome browser from creating dynamic code by switching on Arbitrary Code Guard (ACG) for the browser process, thus improving security. Potentially hostile dynamic code and third-party code can’t make changes to browser behavior.
Note: This might cause compatibility issues with third-party software that must run in the browser process. For more information, see Process mitigation policies.
Remote access
Remote access clients
Configures the required domain name for remote access clients and prevents users from changing the setting. Only clients from the specified domain can connect to the host device. Left blank, the host allows connections from authorized users from any domain.
Specifies the host domain names that are imposed on remote access hosts, and users can't change them. Hosts can be shared only using accounts that are registered on one of the specified domain names. Left blank, hosts can be shared using any user account.
You can enable the use of Session Traversal Utilities for NAT (STUN) and Relay (TURN) servers when remote clients are trying to establish a connection to the user’s device.
If you select Enable firewall traversal, remote clients can discover and connect to the user’s device even if they are separated by a firewall. The use of relay servers is enabled by default but you can choose to disable them. Relay servers allow a connection to other peers and transfer data without the need for a direct connection when a firewall is in place. To restrict the UDP port range used by the remote access host in the user’s device, in the UDP port range field, enter the range from minimum to maximum. Left blank, any port can be used.
If you select Disable firewall traversal and outgoing UDP connections are filtered by the firewall, the user’s device only allows connections with client machines within the local network.
Specifies whether remote support connections are allowed on the user's device.
If you select Prevent remote support connections, the remote support host cannot be started or configured to accept incoming connections.
This policy does not affect remote access scenarios and does not prevent admins from connecting to managed ChromeOS devices.
You can specify the maximum size, in bytes, that can be transferred between the client and host using clipboard sync. This affects both remote access and remote support scenarios.
You can add a value to the Maximum size in bytes field and the following applies:
- Any clipboard data sent to and from the host is limited to the value you entered.
- If you enter a value of 0, clipboard sync is not allowed.
- If you leave the field empty, the setting has no effect.
- If you add a value that is not within the minimum (0) or maximum (2147483647) range, the host might not start.
Specifies whether enterprise admins can open a remote support connection to a managed ChromeOS device from the Admin console.
If you select Prevent remote support connections from enterprise admins, the remote support host cannot be started or configured to accept incoming connections from the Admin console. For more details on Chrome Remote Desktop sessions, see Access ChromeOS devices remotely.
This policy does not affect remote access scenarios.
Session settings
Show sign-out button in tray
Select Show sign-out button in tray to show the sign-out button explicitly in the shelf. This setting is useful for users who might need to quickly sign out of a ChromeOS device.
Kerberos
Kerberos tickets
Select Enable Kerberos to use Kerberos tickets on ChromeOS devices to enable single sign-on (SSO) for internal resources that support Kerberos authentication. Internal resources might include websites, file shares, certificates, and so on. For details, go to Configure Kerberos single sign-on for ChromeOS devices.
Specifies whether users can allow Chrome to remember Kerberos passwords, so that they don’t have to enter them again. By default, Allow users to remember Kerberos passwords is selected. Chrome automatically fetches Kerberos tickets unless additional authentication, such as 2-Factor Authentication, is required.
Choose Do not allow users to remember Kerberos passwords to never let Chrome remember passwords and remove all previously stored passwords. Users have to enter their password every time they need to authenticate with the Kerberos system.
Determines whether users can add Kerberos accounts. By default, Allow users to add Kerberos accounts is selected. Users have full control over the accounts that they add. So, they can modify or remove them.
Selecting Do not allow users to add Kerberos accounts allows you to add accounts only using policy.
Specifies the domain used to autocomplete the Kerberos username dialog when a user is manually adding a new Kerberos ticket on their device.
If you enter a domain in the Kerberos domain field, the Kerberos username is prefilled with the domain. When the user enters their username, it is concatenated with the prefilled domain. If the user's input contains "@", the prefilled domain is not shown and does not affect the input.
If you leave the Kerberos domain field empty, no prefilled domain is shown or used to autocomplete the username field.
Specifies the suggested Kerberos configuration properties (krb5 configuration) for new manually created tickets.
Choose one of the following options:
- Customize Kerberos configuration—The custom configuration you enter in the Custom configuration field is applied as the suggested configuration and shown in the Advanced section of the Kerberos authentication dialog. If you leave the Custom configuration field empty, the recommended ChromeOS configuration is deleted.
- Use recommended Kerberos configuration—The recommended ChromeOS configuration is applied and shown in the Advanced section of the Kerberos authentication dialog.
Network
Proxy mode
Specifies how ChromeOS connects to the internet.
If you leave the setting at its default Allow user to configure, a direct connection is the default configuration for ChromeOS devices and users can change the proxy configuration in their Chrome settings. If you choose any of the other Proxy mode options, users can't change the configuration.
- Never use a proxy—ChromeOS devices always establish a direct connection to the internet without passing through a proxy server.
- Always auto detect the proxy—Instructs ChromeOS devices to determine which proxy server to connect to using the Web Proxy Autodiscovery Protocol (WPAD).
- Always use the proxy specified below—Sets a specific proxy server for handling requests from users. You'll need to enter the URL of the proxy server in the Proxy server URL field that appears. Format the Proxy Server URL as IP address:port, such as 192.168.1.1:3128.
If there are any URLs that should bypass the proxy server that handles other user requests, enter them in the URLs which bypass the proxy, one per line field, with one URL per line.
- Always use the proxy auto-config specified below—Enter the URL of the .pac file to use for network connections in the Proxy Server Auto Configuration File URL field.
How ChromeOS handles bad proxies
PROXY (foo) is how one names a proxy server in Proxy autoconfiguration scripts. If your first proxy doesn’t work, Chrome will try the second, marking the first as a bad proxy.
Currently, when applying a proxy list resolved through PAC, Chrome can rearrange the proxy choices based on the past availability of the proxy. For instance, when applying "PROXY foo1; PROXY foo2;" Chrome might start by trying foo2 if foo1 timed out the last time it was tried (within the past 5 minutes).
If foo2 succeeds, then Chrome will mark foo1 as a bad proxy and redo the priority of the proxy list by putting foo2 first for every other subsequent request.
For ChromeOS devices, the management URLs require a direct path to the internet. Filtering through proxy can cause unexpected functionality.
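A proxy auto-config (PAC) file of the kind the Always use the proxy auto-config specified below option points to, as an added example that is not from the original page or from Google. It shows the two-proxy list that the bad-proxy fallback above operates on, the equivalent of the bypass field, and a direct path for management endpoints. The proxy addresses, the bypass patterns and the management hostname are constructed placeholders; the three PAC helper functions are shimmed here only so the script can be run outside a browser, which provides them natively.

```javascript
// Added example: a PAC script exercising the proxy list / bypass behaviour described above.
// All hostnames and addresses below are constructed placeholders.

// Two proxies: Chrome tries the first and falls back to the second, remembering a
// proxy that failed as "bad" for a few minutes and reordering later attempts.
const PROXY_LIST = "PROXY 192.168.1.1:3128; PROXY 192.168.1.2:3128";

// Equivalent of the "URLs which bypass the proxy" field (shell-style patterns).
const BYPASS_PATTERNS = ["*.corp.example", "intranet.example"];

// Management endpoints that must reach the internet directly (placeholder name).
const DIRECT_PATTERNS = ["*.management.example"];

// --- Shims for helpers the browser's PAC runtime provides natively. ---
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function shExpMatch(str, pattern) {
  // Shell-style pattern: "*" matches any run, "?" a single character; anchored.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                         .replace(/\*/g, ".*")
                         .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

// --- The PAC entry point Chrome calls for every request. ---
function FindProxyForURL(url, host) {
  // Single-label intranet names such as "calendar" never use the proxy.
  if (isPlainHostName(host)) return "DIRECT";
  // Management traffic needs a direct path to the internet.
  for (const p of DIRECT_PATTERNS) {
    if (shExpMatch(host, p)) return "DIRECT";
  }
  // Entries from the bypass field.
  for (const p of BYPASS_PATTERNS) {
    if (shExpMatch(host, p)) return "DIRECT";
  }
  // Everything else goes through the proxy list, first entry first.
  return PROXY_LIST;
}
```

When a PAC file is served to devices, keep it reachable without the proxy it configures; otherwise a proxy outage also takes down proxy discovery.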
Android apps running on ChromeOS
If you have enabled Android apps on supported ChromeOS devices, a subset of proxy settings is made available to Android apps, which they might voluntarily choose to honor. Typically, apps using Android System WebView or the built-in network stack do so. If you choose:
- Never use a proxy server—Android apps are informed that no proxy is configured.
- Use system proxy settings or fixed server proxy—Android apps are provided with the http proxy server address and port.
- Auto detect proxy server—The script URL "http://wpad/wpad.dat" is provided to Android apps. No other part of the proxy autodetection protocol is used.
- .pac proxy script—The script URL is provided to Android apps.
Specifies whether ChromeOS can bypass a configured proxy server for captive portal authentication. For example, captive portal pages such as landing or sign-in pages where users are prompted to accept terms or sign in before Chrome detects a successful internet connection.
A configured proxy server can be set:
- In the Admin console using the Proxy mode setting
- By users on their ChromeOS device in chrome://settings
- By apps or extensions that are allowed to set or modify a proxy
When you set this policy to Ignore policies for captive portal pages, Chrome opens captive portal pages in a new window and ignores all settings and restrictions that are configured for the current user. When you set it to Keep policies for captive portal pages, Chrome opens captive portal pages in a new browser tab and applies the current user’s policies and restrictions.
Specifies which HTTP authentication schemes are supported. When a server or proxy accepts multiple authentication schemes, the supported authentication scheme with the highest security is selected. You can override the default behavior by disabling specific authentication schemes.
- Basic—Most insecure method with authentication handled without any encryption.
- Digest—A challenge-response scheme that is more secure than basic authentication.
- NTLM—(NT LAN Manager) A more advanced challenge-response scheme that is more secure than digest.
- Negotiate—The most secure option. We recommend this option if available. Otherwise, we recommend NTLM.
By default, Chrome browser allows Basic authentication challenges over non-secure HTTP connections. If you select HTTPS is required to use Basic authentication scheme, Chrome browser allows Basic authentication challenges over HTTPS only.
Note: If Basic is not specified under Supported authentication schemes, this setting is ignored.
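How the scheme ordering, the Supported authentication schemes allow-list and the HTTPS-only rule for Basic combine, as an added example that is not Chrome's own code: it picks the scheme from a set of WWW-Authenticate or Proxy-Authenticate challenges using the ordering given above (Negotiate, then NTLM, Digest, Basic). The option names and the sample challenge values are constructed for the example.

```javascript
// Added example (not Chrome's own code): choose the authentication scheme for a
// challenge the way the settings above describe. `headerValues` holds the
// WWW-Authenticate or Proxy-Authenticate header values, one challenge per entry.

// Higher rank = stronger scheme, in the order given by the Admin console.
const SCHEME_RANK = { negotiate: 4, ntlm: 3, digest: 2, basic: 1 };

function challengeScheme(headerValue) {
  // The scheme is the first token, e.g. 'Digest realm="x", nonce="y"' -> "digest".
  return headerValue.trim().split(/[\s,]+/)[0].toLowerCase();
}

function selectAuthScheme(headerValues, options) {
  const opts = Object.assign({
    supported: ["negotiate", "ntlm", "digest", "basic"], // "Supported authentication schemes"
    basicRequiresHttps: false, // "HTTPS is required to use Basic authentication scheme"
    isHttps: true,             // whether the challenged request went over HTTPS
  }, options || {});
  const allowed = new Set(opts.supported.map((s) => s.toLowerCase()));
  let best = null;
  for (const value of headerValues) {
    const scheme = challengeScheme(value);
    if (!Object.prototype.hasOwnProperty.call(SCHEME_RANK, scheme)) continue; // unknown scheme
    if (!allowed.has(scheme)) continue; // disabled by policy
    // Basic over plain HTTP is refused when the HTTPS-only option is on. If Basic
    // is not in the supported list the option never matters, as the note says.
    if (scheme === "basic" && opts.basicRequiresHttps && !opts.isHttps) continue;
    if (best === null || SCHEME_RANK[scheme] > SCHEME_RANK[best]) best = scheme;
  }
  return best; // null means no acceptable scheme: the challenge fails
}
```

Disabling Basic entirely, rather than only requiring HTTPS for it, is the stronger choice where no internal service still depends on it, because a proxy or server that offers only Basic then simply fails instead of collecting a password.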
By default, NTLMv2 authentication is turned on. Unless you have backward compatibility issues, we do not recommend turning off this setting. Selecting Disable NTLMv2 authentication reduces the security of authentication.
Selecting Enable SSL record splitting allows SSL record splitting in Chrome. Record splitting is a workaround for a weakness in SSL 3.0 and TLS 1.0 but can cause compatibility issues with some HTTPS servers and proxies.
Specifies the minimum version of Transport Layer Security (TLS) allowed for your users.
Specifies whether users can bypass SSL warnings and proceed to the page.
Allows you to enter the list of domain names where a user can bypass SSL warnings. Users can bypass SSL warnings only on origin domains that are on this list.
Enter a list of URL values, one per line. For example:
https://www.example.com
[*.]example.edu
For details, see Enterprise policy URL pattern format.
Note: If SSL error override is enabled, this policy is ignored.
Specifies whether data compression is always turned on or off. Select Always enable data compression proxy to reduce cellular data usage and speed up mobile web browsing by using proxy servers hosted at Google to optimize website content.
By default, Allow the user to decide is selected. Users can turn on or off data compression.
Allows you to specify a UDP port range to use for WebRTC connections from the user. The port range is 1024–65535 and the maximum should be greater than or equal to the minimum.
Allows you to add URLs for Web Real-Time Communication Interactive Connectivity Establishment (WebRTC ICE) candidates for local IPs.
Google services call the Chrome API to collect the WebRTC events for customers who have opted in. WebRTC transports data over User Datagram Protocol (UDP).
You must put each URL in a new line. The wildcard character * is allowed.
Patterns you add to this list are matched against the security origin of the requesting URL. If a match is found, the local IP addresses are shown in WebRTC ICE candidates. Otherwise, local IP addresses are concealed with mDNS hostnames.
Allows the Quick UDP Internet Connections (QUIC) protocol to be used in Chrome. QUIC is a transport protocol that reduces latency compared to Transmission Control Protocol (TCP). For details, see Chromium.
Determines which IP addresses and interfaces WebRTC uses when attempting to find the best available connection. See details about specific modes of WebRTC behavior.
By default, WebRTC will use all available interfaces when searching for the best path is selected.
Controls the default mode of the remote Domain Name System (DNS) resolution via the HTTPS protocol for each query. DNS-over-HTTPS (DoH) helps to improve safety and privacy while users are browsing the web. For example, attackers are prevented from observing what sites you visit or sending you to phishing websites.
Choose an option:
- Disable DNS-over-HTTPS—Chrome never sends DoH queries to DNS servers.
- Enable DNS-over-HTTPS with insecure fallback—If a DNS server that supports DoH is available, Chrome first sends a DNS-over-HTTPS query. If an error is received or a server that supports DoH isn’t available, Chrome just sends a DNS query to the server instead.
- Enable DNS-over-HTTPS without insecure fallback—Chrome sends DoH queries only to DNS servers.
If you enable DoH, you can add a list of the URI templates of DoH resolvers that you want to make available to your users.
The default setting is Enable DNS-over-HTTPS with insecure fallback. However, sometimes it reverts to Disable DNS-over-HTTPS and users can’t change it. This happens if Chrome detects parental controls or enterprise policies. Chrome detects enterprise policies if:
- You manage Chrome browser on domain-joined computers.
- You have set at least one active policy for Chrome browser.
You can specify URI templates for a DNS-over-HTTPS resolver with identity information and the salt value to be used.
This policy is very similar to the DNS-over-HTTPS policy, it supports specifying identifying information, and it overrides the DNS-over-HTTPS policy if it is set.
Under Configuration, do the following:
- In the DNS-over-HTTPS templates with identifiers field, add the URI template.
- The identifiers should be preceded by the dollar sign and enclosed in curly brackets, ${...}. Below is a list of valid identifiers:
- USER_EMAIL
- USER_EMAIL_DOMAIN
- USER_EMAIL_NAME
- DEVICE_DIRECTORY_ID
- DEVICE_SERIAL_NUMBER
- DEVICE_ASSET_ID
- DEVICE_ANNOTATED_LOCATION
- To specify multiple DNS-over-HTTPS resolvers, separate the corresponding URI templates with spaces.
- If the DNS-over-HTTPS policy is set to Enable DNS-over-HTTPS without insecure fallback, then either this policy or the list of templates in the DNS-over-HTTPS policy must not be empty.
- If the DNS-over-HTTPS policy is set to Enable DNS-over-HTTPS with insecure fallback, and this policy is set, the URI templates specified here are used. If this policy is left empty, the list of templates in the DNS-over-HTTPS policy is used. If no template URIs are specified in either policy, DNS resolution falls back to insecure queries.
- If the URI template contains a DNS variable, requests to the resolver use GET. If not, requests use POST.
- In the Salt for hashing identifiers in the URI templates field, add the salt value to use when hashing identity information included in the DNS-over-HTTPS templates with identifiers field.
- The salt must be a string between 8 and 32 characters.
- In Chrome version 114 and later, this field is optional if you added DNS-over-HTTPS templates with identifiers.
- If you do not add any salt value, the identifiers in the template URIs you added are hashed without a salt.
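The field rules and precedence from the steps above, as an added example that is not Chrome's own code: it validates the templates-with-identifiers field and the salt, tells GET from POST by the presence of the RFC 8484 dns variable, and works out which template list is in effect for each DNS-over-HTTPS mode. The resolver URLs are constructed placeholders, and identifier hashing is left to Chrome; only syntax and precedence are modelled.

```javascript
// Added example (not Chrome's own code): checks the two configuration fields
// described in the steps above and works out which resolver templates take
// effect. Resolver URLs are constructed placeholders.

const VALID_IDENTIFIERS = new Set([
  "USER_EMAIL", "USER_EMAIL_DOMAIN", "USER_EMAIL_NAME", "DEVICE_DIRECTORY_ID",
  "DEVICE_SERIAL_NUMBER", "DEVICE_ASSET_ID", "DEVICE_ANNOTATED_LOCATION",
]);

// Multiple resolvers are separated by spaces.
function splitTemplates(field) {
  return (field || "").trim().split(/\s+/).filter(Boolean);
}

// Returns a list of problems found in the "templates with identifiers" field.
function validateTemplatesWithIdentifiers(field) {
  const problems = [];
  for (const t of splitTemplates(field)) {
    if (!t.startsWith("https://")) problems.push(`${t}: resolver must be an https URL`);
    for (const m of t.matchAll(/\$\{([^}]*)\}/g)) {
      if (!VALID_IDENTIFIERS.has(m[1])) problems.push(`${t}: unknown identifier ${m[1]}`);
    }
  }
  return problems;
}

// Salt rules: 8-32 characters; may be left empty from Chrome 114 on.
function validateSalt(salt, chromeMajor) {
  if (salt === "") return chromeMajor >= 114 ? [] : ["salt is required before Chrome 114"];
  return salt.length >= 8 && salt.length <= 32 ? [] : ["salt must be 8-32 characters"];
}

// GET when the template carries the RFC 8484 "dns" variable, POST otherwise.
function requestMethodFor(template) {
  return /\{[?&]?dns\}/.test(template) ? "GET" : "POST";
}

// Which templates apply, per the precedence described above.
// mode: "off" | "automatic" (insecure fallback) | "secure" (no insecure fallback)
function effectiveDohTemplates(mode, baseField, identifierField) {
  if (mode === "off") return { templates: [], insecureFallback: true };
  const withIds = splitTemplates(identifierField);
  const templates = withIds.length ? withIds : splitTemplates(baseField); // identifiers policy wins
  if (mode === "secure" && templates.length === 0) {
    throw new Error("no insecure fallback: at least one DoH template is required");
  }
  // In automatic mode every query is insecure when no template is configured.
  return { templates, insecureFallback: mode === "automatic" };
}
```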
Lists the domains to be resolved with and without using DNS over HTTPS (DoH). Domains that you add must be either fully qualified domain names (FQDN) or domain suffixes using a wildcard prefix, *.
If both DNS over HTTPS included domains and DNS over HTTPS excluded domains are set, a more specific domain is preferred. Specificity refers to the number of dots ('.') in the domain.
Note: This policy is ignored if DoH is disabled.
Tip: Avoid adding the same domain in the DNS over HTTPS included domains and DNS over HTTPS excluded domains list. Otherwise, you'll get an error message.
- DNS over HTTPS included domains—Only domains that you add to the list are resolved using DoH. Left empty, all domains are resolved using DoH.
- DNS over HTTPS excluded domains—List of domains that are not resolved using DoH.
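How the two lists decide a hostname's resolver, as an added example that is not Chrome's own code. It applies the rules above: entries are FQDNs or "*." suffixes, the more specific matching entry wins, an empty include list means everything uses DoH, the same entry in both lists is an error, and the lists are ignored when DoH is off. Two points the page leaves open are handled as labelled assumptions of this example: a "*." entry matches subdomains only, and the "*." marker is not counted when dots are compared. The domain lists in the usage are constructed values.

```javascript
// Added example (not Chrome's own code): decides whether a hostname is resolved
// over DoH under the included/excluded domain lists described above.

// Specificity = number of dots in the entry, not counting the "*." marker
// (assumption of this example; the page counts dots in the domain).
function specificity(entry) {
  const domain = entry.startsWith("*.") ? entry.slice(2) : entry;
  return (domain.match(/\./g) || []).length;
}

// Specificity of the best matching entry for `host`, or -1 when none matches.
function bestMatch(entries, host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  let best = -1;
  for (const raw of entries) {
    const e = raw.toLowerCase();
    let matched;
    if (e.startsWith("*.")) {
      // Wildcard prefix: any subdomain of the suffix. Assumption of this example:
      // the bare suffix itself needs its own FQDN entry.
      matched = h.endsWith("." + e.slice(2));
    } else {
      matched = h === e; // FQDN: exact match only
    }
    if (matched) best = Math.max(best, specificity(e));
  }
  return best;
}

// Entries present in both lists, which the Admin console rejects with an error.
function validateDomainLists(included, excluded) {
  const inc = new Set(included.map((d) => d.toLowerCase()));
  return excluded.filter((d) => inc.has(d.toLowerCase()));
}

function usesDoh(host, included, excluded, dohEnabled = true) {
  if (!dohEnabled) return false; // both lists are ignored when DoH is disabled
  const inc = bestMatch(included, host);
  const exc = bestMatch(excluded, host);
  if (inc < 0 && exc < 0) {
    // No entry matches: DoH applies unless an include list restricts it.
    return included.length === 0;
  }
  return inc > exc; // the more specific entry wins
}
```

Excluding an internal zone such as the corporate domain from DoH is the usual reason for the excluded list: names that only the internal resolver knows would otherwise fail or, in insecure-fallback mode, be retried in the clear after a DoH miss.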
Specifies whether the built-in DNS client is used in Chrome browser.
The built-in DNS client is enabled by default on macOS, Android and ChromeOS and users can change the setting.
This policy has no effect on DNS-over-HTTPS. To change the DNS-over-HTTPS behavior, see the DNS-over-HTTPS setting.
Cross-Origin Resource Sharing (CORS) lets users access other domains’ resources while protecting your organization from unexpected cross-origin network access.
For Chrome browser and ChromeOS devices with version 79 and later, the new CORS implementation, Out-Of-Renderer CORS, carries out CORS inspections on network requests, including Chrome extensions. Out-Of-Renderer CORS is more strict and secure than previous CORS implementations. For example, modified request HTTP headers that were previously ignored by the CORS protocol are inspected by the Out-Of-Renderer CORS protocol.
Specifies whether Chrome browser can use the legacy CORS protocol, which is less secure and strict than Out-Of-Renderer CORS.
Cross-Origin Resource Sharing (CORS) lets users access other domains’ resources while protecting your organization from unexpected cross-origin network access.
For Chrome browser and ChromeOS devices with version 79 and later, the new CORS implementation, Out-Of-Renderer CORS, carries out CORS inspections on network requests, including Chrome extensions. Out-Of-Renderer CORS is more strict and secure than previous CORS implementations. For example, modified request HTTP headers that were previously ignored by the CORS protocol are inspected by the Out-Of-Renderer CORS protocol.
To make Chrome extensions and specific HTTP headers exempt from CORS inspection, select Enable mitigations.
This setting is temporary and will be removed in a future version of Chrome.
You can control whether request methods are uppercased when matching with Access-Control-Allow-Methods response headers in CORS preflight.
The default option ensures that request methods are not uppercased, unless matching case-insensitively with DELETE, GET, HEAD, OPTIONS, POST, or PUT.
Example
- A request made with fetch(url, {method: 'Foo'}) that receives the response header "Access-Control-Allow-Methods: FOO" is rejected.
- A request made with fetch(url, {method: 'Foo'}) that receives the response header "Access-Control-Allow-Methods: Foo" is accepted.
Specifies the Android VPN app that handles Android and ChromeOS user traffic as soon as users start their devices. For security reasons, virtual private networks (VPNs) don’t apply to system traffic, such as OS and policy updates. If the VPN connection fails, all user traffic is blocked until the VPN connection is re-established. Choose from the list of Android VPN apps that are automatically installed on users’ devices.
Select Do not allow user to disconnect from a VPN manually to prevent users from manually disconnecting from the VPN.
For details, read Set up virtual private networks (Android VPN app).
Specifies which servers are allowed for Integrated Windows Authentication (IWA). When Chrome gets an authentication challenge from a proxy or from a server that is part of this allowed list, integrated authentication is then turned on.
You must separate multiple server names with commas. Wildcards * and , are allowed.
Left blank, Chrome tries to detect if a server is on the intranet. If it is, Chrome will respond to IWA requests. If Chrome detects that a server is on the internet, IWA requests from it are ignored.
Specifies which servers Chrome can delegate to for Integrated Windows Authentication (IWA).
You must separate multiple server names with commas. Wildcards * and , are allowed.
Left blank, Chrome doesn't delegate user credentials, even if a server is detected as on the intranet.
Specifies whether to respect Key Distribution Center (KDC) policy to delegate Kerberos tickets.
Specifies the source of the name used to generate the Kerberos service principal name (SPN).
Specifies whether the generated Kerberos service principal name (SPN) includes a non-standard port.
Specifies whether third-party sub-content on a page is allowed to pop up an HTTP basic authentication dialog box.
Specifies whether websites that are not cross-origin isolated can use SharedArrayBuffers. Chrome version 91 and later requires cross-origin isolation when using SharedArrayBuffers for Web Compatibility reasons.
For details, see SharedArrayBuffer updates.
Specifies the Chrome default referrer policy. A referrer policy controls how much referrer information is included with network requests.
If you select Use Chrome’s default referrer policy, the strict-origin-when-cross-origin policy is used. This policy:
- sends the origin, path, and querystring when performing a same-origin request
- only sends the origin when the protocol security level stays the same while performing a cross-origin request, HTTPS to HTTPS
- sends no header to less secure destinations, HTTPS to HTTP
If you select Set Chrome’s default referrer policy to the legacy referrer policy, the legacy no-referrer-when-downgrade policy is used for network requests. This policy:
- sends the origin, path, and querystring of the URL as a referrer when the protocol security level stays the same, HTTP to HTTP or HTTPS to HTTPS, or improves HTTP to HTTPS
- sends no header to less secure destinations, HTTPS to HTTP
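The Referer value each of the two policies produces, as an added example that is not Chrome's own code: it applies the three rules listed for strict-origin-when-cross-origin and the two for no-referrer-when-downgrade to a source and destination URL, so the difference between them can be seen on concrete requests. The URLs used in the tests are constructed placeholders.

```javascript
// Added example (not Chrome's own code): the Referer value produced by each of
// the two policies above for a request from `fromUrl` to `toUrl`.
// Returns null when no Referer header is sent.

function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // A "full" referrer is origin + path + query; fragment and credentials are never sent.
  const full = from.origin + from.pathname + from.search;
  // Origin-only referrers are serialized with a trailing slash.
  const originOnly = from.origin + "/";
  // A downgrade is HTTPS -> HTTP; the reverse counts as an improvement.
  const downgrade = from.protocol === "https:" && to.protocol === "http:";

  switch (policy) {
    case "strict-origin-when-cross-origin":
      if (downgrade) return null;                 // less secure destination: nothing
      if (from.origin === to.origin) return full; // same-origin: origin, path and query
      return originOnly;                          // cross-origin, same security level: origin only
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;             // legacy: full referrer unless downgrading
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Both policies side by side for one request, to show what the legacy option leaks.
function compareReferrerPolicies(fromUrl, toUrl) {
  return {
    strict: referrerFor("strict-origin-when-cross-origin", fromUrl, toUrl),
    legacy: referrerFor("no-referrer-when-downgrade", fromUrl, toUrl),
  };
}
```

The practical difference is the cross-origin HTTPS case: the legacy policy sends the full path and query string to the third party, which is where session identifiers or document names in URLs leak, while the default policy sends the origin alone.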
Specifies whether the Chrome browser can actively make requests that include information about the user's browser and environment. Servers can then enable analytics and customize the response. By default, Allow User-Agent client hints is selected.
These granular request headers might break some websites that restrict the characters included in some requests.
This setting is temporarily available and will be removed from the Admin console in the future.
By default, Allow the updated User-Agent GREASE algorithm to be run is selected. Chrome browser chooses which User-Agent GREASE algorithm to use. The User-Agent GREASE algorithm aligns with the latest spec. The updated spec might break some websites that restrict the characters that requests can contain. For details, see W3C documentation.
By default, Accept web contents served as Signed HTTP Exchanges is selected to safely make content portable or available for redistribution by other parties, while keeping the content’s integrity and attribution.
Configures a single global per profile cache with HTTP server authentication credentials.
- (Default) HTTP authentication credentials are scoped to top-level sites—For version 80 and later, Chrome scopes HTTP server authentication credentials by top-level site. If two sites use resources from the same authenticating domain, credentials need to be provided independently in the context of both sites and cached proxy credentials are reused across sites.
- HTTP authentication credentials entered in the context of one site will automatically be used in the context of another—This can leave sites open to some types of cross-site attacks. It also allows users to be tracked across sites, even without cookies, by adding entries to the HTTP authentication cache using credentials embedded in URLs.
This policy is intended to give organizations depending on the legacy behavior a chance to update their sign-in procedures, and will be removed in the future.
Specifies whether Chrome always performs revocation checks for successfully validated server certificates signed by locally installed CA certificates. If Chrome can't get any revocation status information, it treats these certificates as revoked.
The default is Use existing online revocation-checking settings.
Some proxy servers can't handle a high number of concurrent connections per client. Specify the maximum number of concurrent connections to the proxy server. The value should be lower than 100 but higher than 6. Some web apps are known to consume many connections with hanging GETs. The default value is 32. Setting a value below 32 might cause the browser network to freeze if there are too many web apps already open with hanging connections.
Specifies which GSSAPI (Generic Security Service Application Program Interface) library Chrome should use for HTTP authentication. Set the policy to either a library name or a full path such as GSSAPILibraryName or libgssapi_krb5.so.2. Left blank, Chrome uses a default library name.
Specifies a list of hostnames that bypass the HTTP Strict Transport Security (HSTS) policy check. The HSTS policy forces web browsers to interact with websites only via secure HTTPS connections and never HTTP connections.
Only enter single-label hostnames; one per line. Hostnames must be canonicalized, any IDNs must be converted to their A-label format, and all ASCII letters must be lowercase. This policy only applies to the hostnames specified, and not to subdomains of those hostnames.
Specifies the type of accounts that are provided by the Android authentication app which supports HTTP Negotiate authentication. Authentication apps generate security codes for signing into sites that require a high level of security. For example, Kerberos authentication. This information should be provided by the supplier of the authentication app. For details, see The Chromium Projects.
By default, Perform DNS interception checks is selected. DNS interception checks perform a check on the browser to see if it is behind a proxy that redirects unknown host names.
When users enter a single word in the Chrome address bar and press Enter, Chrome sends a search to the default search provider. If the single word matches the name of an intranet host, users might have intended to navigate to it instead.
When intranet redirection is allowed, Chrome issues a DNS request for single-word hostnames and then shows users an infobar asking them if they want to go to the site if it is resolvable. For example, calendar matches intranet host http://calendar/. Users who enter calendar in the search bar are asked Did you mean to go to http://calendar/?.
Using intranet redirection, Chrome ensures that DNS interception is not occurring. DNS interception means every single DNS request for any single-word host is resolvable even if no actual host exists.
If your network environment resolves every DNS request for a single-word host, you should allow DNS interception checks. That way, the infobar isn’t shown after each single-word search.
By default, Use default browser behavior is selected. For Chrome version 88 or later, DNS interception checks and intranet redirect suggestions are enabled by default. However, they will be disabled by default in a future release.
While you can use the DNS interception checks enabled setting to disable DNS interception checks, the Intranet Redirection Behavior setting is more flexible because it lets you separately control intranet redirection infobars.
This policy is temporary and will be removed in a future version of Chrome.
Allows legacy TLS (Transport Layer Security) and Datagram Transport Layer Security (DTLS) downgrades in Web Real-Time Communications (WebRTC).
By default, Disable WebRTC peer connections downgrading to obsolete versions of the TLS/DTLS (DTLS 1.0, TLS 1.0 and TLS 1.1) protocols is selected. So, these TLS/DTLS versions are disabled.
Turn on or off WPAD (Web Proxy Auto-Discovery) optimization in Chrome.
WPAD allows a client, such as Chrome browser, to automatically locate and interface with cache services in a network. Information can then be delivered more quickly to the user.
The default is Enable Web Proxy Auto-Discovery (WPAD) optimization. If you select Disable Web Proxy Auto-Discovery (WPAD) optimization, Chrome must wait longer for DNS-based WPAD servers.
Users cannot change the WPAD optimization setting.
Specifies whether usernames and passwords are used to authenticate to a managed proxy secured with NTLM authentication.
If you choose Use login credentials for network authentication to a managed proxy case, and authentication fails, users are prompted to enter their username and password.
Permits bypassing the list of restricted ports built into Google Chrome by selecting one or more ports that outgoing connections are permitted on.
Ports are restricted to prevent Google Chrome being used as a vector to exploit network vulnerabilities. Setting this policy can expose your network to attacks. This policy is intended as a temporary workaround for errors with code ERR_UNSAFE_PORT when migrating a service running on a blocked port to a standard port such as port 80 or 443.
If you do not set this policy, all restricted ports are blocked. If both valid and invalid values are selected, the valid values are applied.
This policy overrides the --explicitly-allowed-ports command-line option.
Specifies if Chrome follows the default rollout process for Combined Elliptic-Curve and Post-Quantum 2 (CECPQ2), a post-quantum key-agreement algorithm in Transport Layer Security (TLS).
CECPQ2 helps evaluate the performance of post quantum key-exchange algorithms on users' devices.
CECPQ2 results in larger TLS messages which, in very rare cases, can trigger bugs in some networking hardware. You can disable CECPQ2 while networking issues are being resolved.
Controls whether Chrome is allowed to query additional DNS record types when making insecure DNS requests.
This setting has no effect on DNS queries made via Secure DNS, which can always query additional DNS types.
Choose one of the options:
- Allow additional DNS query types—This is the default. Additional DNS record types can be queried, including HTTPS (DNS type 65), A (DNS type 1), and AAAA (DNS type 28).
- Prevent additional DNS query types—DNS is queried only for A (DNS type 1) and AAAA (DNS type 28).
This policy is temporary and will be removed in a future version of Chrome. Then, Chrome will always be able to query additional DNS types.
Specifies whether the network service process runs sandboxed.
By default, Default network service sandbox configuration is selected. The default configuration for the network sandbox might vary, depending on Chrome release, currently running field trials, and platform.
Organizations that use third-party software that interferes with the network service sandbox can select Disable the network sandbox to run the network service process unsandboxed.
Cross-Origin Resource Sharing (CORS) is a web standard protocol that lets users access other domains’ resources while protecting your organization from unexpected cross-origin network access.
A CORS non-wildcard request header is an HTTP request header that is not covered by the wildcard symbol (*) in the Access-Control-Allow-Headers header. Authorization is the only CORS non-wildcard request header.
If you select Support CORS non-wildcard request headers, when scripts make a cross-origin network request via fetch() and XMLHttpRequest with a script-added Authorization header, the header must be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response. This means that the wildcard symbol (*) doesn't cover the Authorization header.
If you select Do not support CORS non-wildcard request headers, Chrome allows the wildcard symbol (*) in the Access-Control-Allow-Headers header in the CORS preflight response to cover the Authorization header.
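The two preflight checks this page describes, the request-method case rule from the Access-Control-Allow-Methods example above and the Authorization wildcard rule from this setting, as one added example that is not Chrome's own code. The header values and request shapes in the tests are constructed.

```javascript
// Added example (not Chrome's own code): the two CORS preflight checks described
// on this page, as a defender-side model of what the browser enforces.

// Methods that are uppercased when matching; any other method keeps its case.
const NORMALIZED_METHODS = new Set(["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"]);

function normalizeMethod(method) {
  const upper = method.toUpperCase();
  return NORMALIZED_METHODS.has(upper) ? upper : method;
}

// Split a comma-separated header list into trimmed tokens.
function headerList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Access-Control-Allow-Methods check: byte-for-byte after normalization, so
// 'Foo' vs "FOO" fails while 'get' vs "GET" passes.
// A "*" entry only counts for requests made without credentials.
function methodAllowed(method, allowMethods, credentials = false) {
  const allowed = headerList(allowMethods);
  if (allowed.includes("*") && !credentials) return true;
  return allowed.includes(normalizeMethod(method));
}

// Access-Control-Allow-Headers check (header names are case-insensitive).
// With non-wildcard request header support on, "*" does not cover Authorization.
function headersAllowed(requestHeaders, allowHeaders, supportNonWildcard = true, credentials = false) {
  const allowed = headerList(allowHeaders).map((h) => h.toLowerCase());
  const wildcard = allowed.includes("*") && !credentials;
  return requestHeaders.every((h) => {
    const name = h.toLowerCase();
    if (allowed.includes(name)) return true; // listed explicitly
    if (!wildcard) return false;
    return !(supportNonWildcard && name === "authorization");
  });
}

// Both checks together for one preflight response (header names lowercased).
function preflightPasses(request, response, supportNonWildcard = true) {
  return methodAllowed(request.method, response["access-control-allow-methods"], request.credentials)
    && headersAllowed(request.headers, response["access-control-allow-headers"], supportNonWildcard, request.credentials);
}
```

For a server operator the consequence of the default is simple: a preflight response that relies on "Access-Control-Allow-Headers: *" must list Authorization explicitly for cross-origin callers that send a bearer token.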
Google plans to gradually reduce, in a phased manner, the granularity of available information in the User-Agent header field. Use this setting to help with website testing and compatibility. You can turn on or off reduction for all origins. Or, you can let reduction be controlled via field trials and origin trials.
For details about User-Agent Reduction and its timeline, read the Chromium blog.
When ChromeOS or Chrome browser’s major version contains a 3-digit User Agent string, instead of 2 digits, some apps and websites might stop working. For Chrome version 100 or later, forcing Chrome to keep 99 as the major version in the User-Agent string might prevent User-Agent issues.
Choose an option:
- Default to browser settings for User-Agent string—(Default) Users can choose whether to freeze the major version in the User-Agent string.
- Do not freeze the major version—Chrome never freezes the major version in the User-Agent string.
- Freeze the major version as 99—Sets the Chrome major version to 99 in the User-Agent string, and forces the actual major version number to the minor version position.
So, instead of Chrome reporting User Agent string, <major_version>.<minor_version>.<build_number>.<patch_number>, it reports 99.<major_version>.<build_number>.<patch_number>, where the minor version is omitted.
For example, Chrome version 100.0.1234.56 reports as 99.100.1234.56.
System Domain Name Server (DNS) resolution cannot run while sandboxed on Android and Linux platforms. For this reason, system DNS resolution is moving out of the network service and into the unsandboxed browser process. You can use this policy to control how the system DNS resolution (getaddrinfo()) is run for the network service.
Choose one of the following:
- Run system DNS resolution in, out of, or partially in and partially out of the network process—The system DNS resolution runs in the network service, outside the network service, or partially inside and partially outside, depending on system configuration and feature flags.
- Run system DNS resolution in the network process—The system DNS resolution runs in the network process, not the browser process. This might force the network service sandbox to be disabled, degrading the security of Google Chrome.
- Run system DNS resolution in or out of the network process—The system DNS resolution possibly runs outside of the network process, depending on system configuration and feature flags.
Specifies a list of URLs or URL patterns that are not upgraded to HTTPS and do not show an error if HttpsOnlyMode is turned on.
You can use this setting to maintain access to servers that do not support HTTPS, without needing to turn off the Automatic HTTPS upgrades or the Allow HTTPS-Only Mode to be enabled settings.
For the list of URLs, the following applies:
- Hostnames must be canonicalized.
- Any IDNs must be converted to their A-label format.
- All ASCII letters must be lowercase.
Blanket host wildcards, such as * or [*] are not allowed. HttpsOnlyMode and HTTPS Upgrades must be turned off using their specific policies.
For details on valid URL patterns, see Enterprise policy URL pattern format.
Google Chrome upgrades some navigations from HTTP to HTTPS, when possible. Automatic HTTPS upgrades are allowed by default but you can choose to not allow them.
You can also use the Allowed HTTP URLs setting to exclude specific hostnames or hostname patterns from being automatically upgraded to HTTPS.
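A matcher for the URL pattern format shared by the Allowed HTTP URLs list here and the SSL-warning bypass list earlier on this page (https://www.example.com, [*.]example.edu), as an added example that is not Chrome's own code. It covers the subset shown on this page (optional scheme, optional "[*.]" subdomain wildcard, hostname, optional port and path prefix) and enforces the rules given for this list: lowercase canonical hostnames, A-label IDNs, and no blanket host wildcards. The patterns and URLs in the tests are constructed values.

```javascript
// Added example (not Chrome's own code): matcher for the subset of the
// enterprise policy URL pattern format shown on this page.

function parseUrlPattern(pattern) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\[\*\.\])?([^\/:]+)(?::(\d+))?(\/.*)?$/i.exec(pattern.trim());
  if (!m) throw new Error(`invalid pattern: ${pattern}`);
  const host = m[3];
  // Blanket wildcards would exempt every host; the page rejects them for this list.
  if (host === "*" || host === "[*]") throw new Error("blanket host wildcards are not allowed");
  // Canonical form: ASCII only (IDNs as A-labels) and lowercase letters.
  if (/[^\x00-\x7f]/.test(host)) throw new Error("IDNs must be given in A-label form");
  if (host !== host.toLowerCase()) throw new Error("hostnames must be lowercase");
  return {
    scheme: m[1] ? m[1].toLowerCase() : null, // null: any scheme
    subdomains: Boolean(m[2]),                 // "[*.]" present
    host,
    port: m[4] ? Number(m[4]) : null,          // null: any port
    path: m[5] || null,                        // matched as a prefix
  };
}

const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

function urlMatchesPattern(url, pattern) {
  const p = parseUrlPattern(pattern);
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  if (p.scheme && u.protocol !== p.scheme + ":") return false;
  if (p.subdomains) {
    // "[*.]example.edu" covers example.edu and every subdomain of it.
    if (host !== p.host && !host.endsWith("." + p.host)) return false;
  } else if (host !== p.host) {
    return false; // a plain hostname does not cover its subdomains
  }
  if (p.port !== null) {
    const actual = u.port ? Number(u.port) : DEFAULT_PORTS[u.protocol];
    if (actual !== p.port) return false;
  }
  if (p.path !== null && !u.pathname.startsWith(p.path)) return false;
  return true;
}

// True when any entry of the list (one pattern per line) matches the URL.
function urlInList(url, listText) {
  return listText.split(/\r?\n/).map((s) => s.trim()).filter(Boolean)
    .some((pattern) => urlMatchesPattern(url, pattern));
}
```

Running the matcher over the list before it is pushed out catches the two mistakes the page warns about, a blanket wildcard and an uppercase or non-ASCII hostname, and shows which hosts an entry such as [*.]example.edu really exempts.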
Android apps
Control Android backup and restore service
Allows users to back up content, data, and settings from Android apps to their Google Account. When users sign in to another ChromeOS device, they can restore their Android app data.
Specifies whether Android apps on ChromeOS devices are allowed to use Google location services to search the device location and send anonymous location data to Google during initial setup. After initial setup, users can turn on or off location services.
Choose one of the options:
- Disable location services during initial setup for Android apps on ChromeOS—This is the default. Android apps cannot use location services during initial setup.
- Allow the user to decide whether to use location services for Android apps on ChromeOS during initial setup—Users are prompted to allow Android apps to use location services during initial setup.
Note: The Google location services setting has no effect if Geolocation is set to Do not allow sites to detect users’ geolocation. Read about the Geolocation setting
Deprecated. Chrome version 75 and earlier.
By default, users can add a secondary account (for example, their personal Gmail account) to get access to more Android apps than just the ones you explicitly approved for managed Google Play. To stop users from adding a second Google Account, check the Google account box.
By default, ChromeOS Certificate Authority (CA) certificates are not synchronized to Android apps. To make them available to Android apps, select Enable usage of ChromeOS CA certificates in Android apps.
By default, ChromeOS lets Android apps use Android’s built-in sharing system to share text and files to supported web apps. Metadata for installed web apps is sent to Google to generate and install a shim Android app on the ChromeOS device. To prevent this, select Disable Android to Web Apps sharing.
This policy only applies to ARM devices migrating to ARCVM.
You can specify the action to take when a user's ARC data directory was created with virtio-fs. Unless virtio-fs data is migrated to virtio-blk, Android apps might run slower on ARCVM.
ARCVM is a new system to launch Android apps on ChromeOS.
Choose one of the following:
- Do not allow users to manually update Android apps—(Default) Users are not prompted to go through the migration flow.
- Allow users to manually update Android apps—At sign-in, users are prompted to go through the data migration flow. This can take up to 10 minutes. Users are required to update within 30 days before the update is enforced. If not updated, users might experience performance issues when running their Android application.
Startup
Home button
Specifies whether the Home button appears on the toolbar. This policy corresponds to the user setting Show Home button in their Chrome Settings.
Controls what users see when they click the Home button on the toolbar. You can select Allow user to configure (default), Homepage is always the new tab page, or Homepage is always the URL set below.
To set a URL, enter the URL in the Homepage URL field.
Specifies a URL for the new tab page and users can't change it. Left blank, the browser’s default page is used.
By default, Show content suggestions on the New Tab page is selected. So, Chrome displays automatically generated content suggestions on the New Tab page, based on user browsing history, interests, or location.
By default, users can customize the background on the New Tab page.
Selecting Do not allow users to customize the background on the New Tab page prevents users from customizing the New Tab page background. Existing custom backgrounds are permanently removed, even if you later revert to Allow users to customize the background on the New Tab page.
Specifies whether the Google Lens button is shown in the search box on the new tab page if supported.
Specifies what pages to load when users start their ChromeOS devices.
You can select from the following options:
- Allow the user to decide—Default. Users can set any of the options below in Google Chrome. For details, see Set your homepage and startup page.
- Open New Tab page—Opens the new tab page set by the New tab page policy. If this policy is not set, the browser’s default page is used. Users cannot change this.
- Restore the last session—Opens all tabs and windows that were loaded before the device restarted. Users cannot change this.
- Open a list of URLs—You can add the page URLs that load on restart. The pages you list here appear on additional tabs, and users cannot add more URLs to their device. If you do not add any page URLs, users can add URLs to the list themselves. For details, see Set your homepage and startup page.
- Open a list of URLs and restore the last session—Opens all tabs and windows that were loaded before the device restarted and the list of URLs you add. The URLs are opened in a separate browser window.
Note: For this setting to be properly applied, you must make sure that the Restore apps on startup setting for ChromeOS is set to Only restore Chrome browser. If the Restore all apps and app windows option is selected, this setting only applies when a user launches a new session for the first time on a new device or if sessions are ephemeral. For details, see Set app and extension policies.
If you are a Microsoft Windows administrator, turning this setting on only works for machines running Windows 7. For later versions, see Make Chrome default browser (Windows 10).
Specifies the default browser checks in Chrome.
- Allow the user to decide (default)—Users can select Chrome browser as the default browser. If it is not the default browser, users can choose whether notifications are shown asking them to select Chrome browser as the default browser.
- Attempt to register Chrome as the default browser during startup if it is not already—Chrome browser always checks if it's the default browser on device startup and, if possible, automatically registers itself.
- Prevent Chrome from checking if it is the default browser during startup if it is not already and turn off user controls to make it the default browser—Chrome browser never checks if it's the default browser and prevents users from making it the default browser.
Specifies whether the profile picker is enabled, disabled or forced on browser startup. Choose an option:
- Allow the user to decide—The profile picker is shown at startup by default, but users can disable it.
- Do not show profile picker at browser startup—The profile picker is never shown, and users cannot change the setting.
- Always show profile picker at browser startup—The profile picker is always shown, even if there is only one profile available.
By default, the profile picker is not shown where:
- the browser starts in guest or incognito mode
- a profile directory or URLs are specified by command line
- an app is explicitly requested to open
- the browser was launched by a native notification
- there is only one profile available
- or where the ForceBrowserSignin policy is set to true
Import settings
Import autofill data
Lets users import autofill form data from the default browser to Chrome browser on first run. Choose an option:
- Enable imports of autofill data—Automatically imports autofill form data. Users can reimport later.
- Disable imports of autofill data—Autofill form data isn't imported on first run, and users can't manually import it.
- Allow the user to decide—Users can choose whether to manually import autofill form data.
Lets users import bookmarks from the default browser to Chrome browser on first run. Choose an option:
- Enable imports of bookmarks—Automatically imports bookmarks. Users can reimport later.
- Disable imports of bookmarks—Bookmarks aren't imported on first run, and users can't manually import them.
- Allow the user to decide—Users can choose whether to manually import bookmarks.
Lets users import browsing history from the default browser to Chrome browser on first run. Choose an option:
- Enable imports of browsing history—Automatically imports browsing history. Users can reimport later.
- Disable imports of browsing history—Browsing history isn't imported on first run, and users can't manually import it.
- Allow the user to decide—Users can choose whether to manually import browsing history.
Lets users import homepage settings from the default browser to Chrome browser on first run. Choose an option:
- Enable imports of homepage—Automatically imports homepage settings. Users can reimport later.
- Disable imports of homepage—Homepage settings aren't imported on first run, and users can't manually import them.
- Allow the user to decide—Users can choose whether to manually import homepage settings.
Lets users import saved passwords from the default browser to Chrome browser on first run. Choose an option:
- Enable imports of saved passwords—Automatically imports saved passwords. Users can reimport later.
- Disable imports of saved passwords—Saved passwords aren't imported on first run, and users can't manually import them.
- Allow the user to decide—Users can choose whether to manually import saved passwords.
Lets users import search engine settings from the default browser to Chrome browser on first run. Choose an option:
- Enable imports of search engines—Automatically imports search engine settings. Users can reimport later.
- Disable imports of search engines—Search engine settings aren't imported on first run, and users can't manually import them.
- Allow the user to decide—Users can choose whether to manually import search engine settings.
Content
SafeSearch and Restricted Mode
SafeSearch for Google Search queries
Turns on or off SafeSearch, which filters explicit content, including pornography, in user search results.
For K-12 EDU domains, the default is Always use Safe Search for Google Web Search queries. Users must use SafeSearch.
For all other domains, the default is Do not enforce Safe Search for Google Web Search queries.
For more details, see Lock SafeSearch for devices & networks you manage.
Restricted Mode for YouTube
Before you set restrictions on YouTube, we recommend updating to the latest stable version of Chrome.
- Do not enforce Restricted Mode on YouTube (default).
- Enforce at least Moderate Restricted Mode on YouTube—Forces users to use Restricted mode. The mode algorithmically limits which videos are viewable based on their content.
- Enforce Strict Restricted Mode for YouTube—Forces users to use Strict Restricted mode to further limit available videos.
For details on restriction levels, see Manage your organization's YouTube settings.
Controls whether users in your organization can take screenshots on ChromeOS devices. The policy applies to screenshots taken by any means, including the keyboard shortcut and apps and extensions that use the Chrome API to capture screenshots.
If you enable Android apps on supported ChromeOS devices in your organization, screenshot policies also apply to those devices.
You can allow Chrome Enterprise users to create and view screencasts. They can then upload them to Google Drive.
For more details on Screencast, see Use Screencast to record and share on your ChromeOS devices.
Controls whether specific websites are allowed to prompt users to live stream a tab, window, or their entire screen.
If you set the policy to Do not allow sites to prompt the user to share a video stream of their screen, sites that match the URL patterns that you specify in this setting are allowed to prompt users to share.
URLs that you specify in the lists below are matched against the origin of the requesting URL. Paths in the URL pattern are ignored. For details on valid URL patterns, see Enterprise policy URL pattern format.
Allow tab video capture (same site only) by these sites
Specifies sites that can prompt users to live stream a tab of the same origin. Sites that match the URL pattern that you specify in this field are ignored in the three subsequent fields.
Allow tab video capture by these sites
Specifies sites that can prompt users to live stream a tab. Sites that match the URL pattern that you specify in this field are ignored in the two subsequent fields. Similarly, this policy is ignored on sites that match the URL pattern in the field above.
Allow tab and window video capture by these sites
Specifies sites that can prompt users to live stream a window and tab. Sites that match the URL pattern that you specify in this field are ignored in the next field. Similarly, this policy is ignored on sites that match the URL pattern in the two fields above.
Allow tab, window, and desktop video capture by these sites
Specifies sites that can prompt users to live stream an entire screen, window, or tab. This policy is ignored on sites that match the URL patterns in the three fields above.
Controls whether websites are allowed to prompt users to live stream a tab, window, or their entire screen.
- Allow sites to prompt the user to share a video stream of their screen—This is the default. Webpages can use screenshare APIs, such as getDisplayMedia() and the Desktop Capture extension API, to prompt users to share.
- Do not allow sites to prompt the user to share a video stream of their screen—Screenshare APIs fail with an error. However, if a particular site matches one of the URLs that you specify in Screen video capture allowed by sites, webpages are allowed to prompt users to share. See Screen video capture allowed by sites.
This policy is implemented due to a new behavior. If you have PPAPI applications that do not work as expected, this policy allows you to use the old implementation.
Specifies whether Pepper can use shared images for video decoding.
When you select Allow new implementation, the browser decides which implementation is used. When you select Force old implementation, the browser uses the old implementation until the policy expires.
Note: Only newly-started renderer processes reflect changes to this policy while the browser is running.
Specifies whether users can share the current webpage using Chrome browser’s sharing hub. Users can access the sharing hub by clicking Share in the address bar or More at the top right of their browser window. If you choose Disable desktop sharing hub, users no longer see the sharing icon in the sharing hub.
Allows you to specify a list of URL patterns (as a JSON string) for which sites Chrome automatically selects for client certificates. If set, Chrome skips the client certificate selection prompt for matching sites if a valid client certificate is installed. If this policy is not set, auto-selection won’t be done for websites that request certificates.
The ISSUER/CN parameter specifies the common name of the certification authority that client certificates must have as their issuer to be autoselected.
How to format the JSON string:
{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}
Example JSON string:
{"pattern": "https://[*.]ext.example.com", "filter": {}}
{"pattern": "https://[*.]corp.example.com", "filter": {}}
{"pattern": "https://[*.]intranet.usercontent.com", "filter": {}}
Specifies URLs and domains for which no prompt is shown when the device requests attestation certificates from security keys.
Controls whether Chrome browser allows webpages to use the Web-based Graphics Library (WebGL) API and plugins. WebGL is a JavaScript API that lets webpages render interactive 3D graphics.
Default cookie setting
Sets whether websites are allowed to store browsing information, such as your site preferences or profile information.
This setting corresponds to a user’s cookie options in Chrome Settings. You can allow the user to configure the option. Or, you can specify that cookies are always allowed, never allowed, or kept only for the duration of a user's session.
Allow cookies for URL patterns
Allows you to specify a list of URL patterns of sites that are allowed to set cookies. For example, you can put URLs in the following formats on separate lines:
- "http://www.example.com"
- "[*.]example.edu"
If this policy is not set, what you specify under Default cookie setting is the global default or a user can set their own configuration.
Block cookies for URL patterns
Allows you to specify a list of URL patterns of sites that are not allowed to set cookies. For example, you can put URLs in the following formats on separate lines:
- "http://www.example.com"
- "[*.]example.edu"
If this policy is not set, what you specify under Default cookie setting is the global default or a user can set their own configuration.
Allow session-only Cookies for URL patterns
Allows you to specify a list of URL patterns of sites that are allowed to set session-only cookies. You can put URLs in the following formats on separate lines:
- "http://www.example.com"
- "[*.]example.edu"
These cookies are deleted when the session ends. If this policy is not set, what you specify under Default cookie setting is the global default, or a user can set their own configuration.
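The cookie lists above and the client certificate auto-selection JSON earlier in this section both take URL patterns in the same form, with "[*.]" meaning "this host and every subdomain". The following is an added example, not Chrome's own matching code: a simplified matcher for that pattern syntax (scheme, host, optional port; paths ignored, as the page states for these settings), used once to decide which cookie list a site falls under and once to decide whether Chrome would pick a client certificate silently. The issuer CN "Example Corp Issuing CA", the installed certificate list, and the assumption that an explicit list entry beats the default with the more restrictive list consulted first are all constructed for this example.

```python
"""Content-settings URL pattern matching for the cookie lists and the
client-certificate auto-selection JSON. Added example, not Chrome's code.

Assumption (simplified): a pattern is [scheme://][[*.]]host[:port][/path];
"[*.]" matches the host and every subdomain, and the path is ignored.
"""
import json
from urllib.parse import urlsplit


def parse_pattern(pattern: str) -> dict:
    """Split a content-settings pattern into scheme, host, subdomain flag, port."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:                      # no scheme given: matches any scheme
        scheme, rest = None, pattern
    rest = rest.split("/", 1)[0]     # drop any path: paths are ignored here
    subdomains = rest.startswith("[*.]")
    if subdomains:
        rest = rest[4:]
    host, _, port = rest.partition(":")
    return {"scheme": scheme, "host": host.lower(), "subdomains": subdomains,
            "port": int(port) if port else None}


def pattern_matches(pattern: str, url: str) -> bool:
    """True if the URL's origin (scheme, host, port) is covered by the pattern."""
    p = parse_pattern(pattern)
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if p["scheme"] and u.scheme != p["scheme"]:
        return False
    if p["port"] and u.port != p["port"]:
        return False
    if host == p["host"]:
        return True
    return p["subdomains"] and host.endswith("." + p["host"])


def cookie_rule(url, default, allow, block, session_only):
    """Return "allow", "block" or "session_only" for the site at url.
    Assumed simplification: an explicit list entry beats the default, and
    the more restrictive list is consulted first."""
    for rule, patterns in (("block", block), ("session_only", session_only),
                           ("allow", allow)):
        if any(pattern_matches(pat, url) for pat in patterns):
            return rule
    return default


# The page's three example entries plus one constructed entry with an issuer filter.
AUTO_SELECT = [
    '{"pattern": "https://[*.]ext.example.com", "filter": {}}',
    '{"pattern": "https://[*.]corp.example.com", "filter": {}}',
    '{"pattern": "https://[*.]intranet.usercontent.com", "filter": {}}',
    # constructed: only certificates issued by this CA are auto-selected here
    '{"pattern": "https://www.example.com", '
    '"filter": {"ISSUER": {"CN": "Example Corp Issuing CA"}}}',
]

# Constructed sample of client certificates installed in the user's store.
INSTALLED_CERTS = [
    {"subject_cn": "vendor-laptop-17", "issuer_cn": "Vendor Device CA"},
    {"subject_cn": "alice", "issuer_cn": "Example Corp Issuing CA"},
]


def auto_select_certificate(url, installed_certs, entries):
    """Return the certificate that would be chosen without a prompt, or None
    (the user is prompted). An empty filter accepts any installed certificate."""
    for line in entries:
        entry = json.loads(line)
        if not pattern_matches(entry["pattern"], url):
            continue
        wanted_cn = entry.get("filter", {}).get("ISSUER", {}).get("CN")
        for cert in installed_certs:
            if wanted_cn is None or cert["issuer_cn"] == wanted_cn:
                return cert
    return None
```

Two points the code makes visible: a pattern with an explicit scheme ("http://www.example.com") does not cover the HTTPS origin of the same host, and an empty filter hands the first installed certificate to any matching site, so an ISSUER/CN filter is what keeps a vendor-issued certificate from being sent to an internal host.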
Allows or blocks third-party cookies. By default, users are allowed to decide.
Specifies how Chrome handles cookies set via JavaScript that contain these control characters: NULL, carriage return, and line feed.
By default, Block truncated cookies is selected. If these characters are present, the entire cookie string is ignored.
If you select Allow truncated cookies, cookie strings that contain these characters are truncated but still set.
Specifies whether Chrome supports First-Party Sets (FPS) related integrations for users.
Using FPS, organizations can declare relationships between sites. That way browsers can allow limited third-party cookie access for specific purposes.
Developers use the SameSite setting to prevent browsers from sending cookies with cross-site requests.
For Chrome browser version 80 and later, the SameSite setting is more strict than previous implementations. Cookies are protected from external access unless developers use the SameSite=None; Secure setting to allow cross-site access over HTTPS connections only.
You can temporarily revert Chrome browser to the legacy behavior, which is less secure. That way, users can continue to use services that developers have not yet updated, such as single sign-on and internal applications.
Choose an option:
- Revert to legacy SameSite behavior for cookies on all sites—Cookies with the setting configured as SameSite=None do not require the Secure attribute. Cookies that don't specify a SameSite attribute are treated as if they are set to SameSite=None. So, third-party cookies can continue to track users across sites.
- Use SameSite-by-default behavior for cookies on all sites—For cookies that don't specify a SameSite attribute, how Chrome browser treats cookies depends on the default behavior specified in Chrome browser.
To see how Chrome browser treats cookies that don't specify a SameSite attribute:
- On a managed computer, open Chrome browser.
- In the address bar at the top, type chrome://flags.
- Press Enter.
- For #same-site-by-default-cookies, read the description and check to see if the flag is turned on or off.
Developers use the SameSite setting to prevent browsers from sending cookies with cross-site requests.
For Chrome browser version 80 and later, the SameSite setting is more strict than previous implementations. Cookies are protected from external access unless developers use the SameSite=None; Secure setting to allow cross-site access over HTTPS connections only.
You can specify the domains that you want Chrome browser to temporarily revert to the legacy behavior, which is less secure. Don’t specify schemes or ports. Cookies with the setting configured as SameSite=None no longer require the Secure attribute. Cookies that don't specify a SameSite attribute are treated as if they are set to SameSite=None. As a result, third-party cookies can continue to track users across specific sites.
If no domains are listed, the Default legacy SameSite cookie behavior setting specifies how cookies are treated. Otherwise, how Chrome browser treats cookies might vary, depending on the default behavior specified in Chrome browser.
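To see what the two legacy settings above actually change, here is an added example (not Chrome's code, and a simplified model) that parses a Set-Cookie header and reports whether the cookie would be attached to a cross-site request under SameSite-by-default behavior, under the all-sites legacy reversion, and under a per-domain legacy list. The cookie host "sso.example.com" and the headers are constructed; the 2-minute "Lax+POST" allowance that Chrome applies to freshly set cookies is deliberately not modeled.

```python
"""SameSite-by-default versus legacy cookie handling. Added example, not
Chrome's code; a simplified model of the behavior described on the page.
"""


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def host_in_legacy_list(host: str, legacy_domains) -> bool:
    """Domain-list semantics (no scheme, no port): a listed domain covers
    itself and its subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d)
               for d in (x.lower() for x in legacy_domains))


def effective_same_site(cookie: dict, legacy: bool) -> str:
    """Return "None", "Lax", "Strict", or "rejected" (cookie is not stored)."""
    declared = cookie["attrs"].get("samesite")
    secure = "secure" in cookie["attrs"]
    if declared is None or declared.capitalize() not in ("None", "Lax", "Strict"):
        # Unspecified (or unrecognized) attribute: legacy treats it as None,
        # SameSite-by-default treats it as Lax.
        return "None" if legacy else "Lax"
    declared = declared.capitalize()
    if declared == "None" and not secure and not legacy:
        return "rejected"          # SameSite=None requires Secure under the new behavior
    return declared


def sent_cross_site(header: str, cookie_host: str, *, legacy_domains=(),
                    default_legacy: bool = False,
                    top_level_navigation: bool = False) -> bool:
    """Would the cookie set by `header` on `cookie_host` be attached to a
    cross-site request? Lax cookies ride along only on top-level navigations."""
    cookie = parse_set_cookie(header)
    legacy = default_legacy or host_in_legacy_list(cookie_host, legacy_domains)
    mode = effective_same_site(cookie, legacy)
    if mode in ("rejected", "Strict"):
        return False
    if mode == "None":
        return True
    return top_level_navigation    # Lax
```

The case that breaks an un-updated single sign-on flow is the first one: a cookie with no SameSite attribute is no longer sent on a cross-site subresource request, and listing the SSO domain in the legacy list is what restores the old behavior for that host only.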
Specifies whether websites are allowed to display images. For Show images on these sites and Block images on these sites, put one URL pattern on each line.
Specifies whether websites are allowed to run JavaScript. If you select Do not allow any site to run JavaScript, some sites might not work properly.
Suspends JavaScript timers for tabs opened in the background and not used for 5 minutes or more. For these tabs, timers only execute their code once a minute. This can decrease CPU load and battery power consumption.
The default is Allow throttling of background javascript timers to be controlled by Chrome’s logic and configurable by users. The policy is controlled by its own internal logic and can be manually configured by users.
If you select Force throttling of background javascript timers or Force no throttling of background javascript timers, the policy is force enabled or force disabled and users cannot override the option.
The policy is applied per webpage, with the most recently set option applied when a webpage is loaded. The user must perform a full restart for the policy setting to be applied to all loaded tabs. It is harmless for webpages to run with different values of this policy.
This policy is temporary and is planned to be removed in Chrome version 107.
Specifies the JavaScript setTimeout() clamping behavior.
setTimeout(…, 0) is commonly used to break down long JavaScript tasks, letting other internal tasks run and preventing the browser from hanging.
- JavaScript setTimeout() will not be clamped as aggressively—setTimeouts and setIntervals with an interval smaller than 4ms are not clamped as aggressively. This improves performance in the short term, but websites abusing the API will still eventually have their setTimeouts clamped.
- JavaScript setTimeout() will be clamped after a normal nesting threshold—setTimeouts and setIntervals with an interval smaller than 4ms are clamped. This can change the order of tasks on a web page and lead to unexpected behavior on sites that are dependent on a certain ordering. It could also affect sites that use a lot of setTimeout() with a timeout of 0ms by, for example, increasing CPU load.
You can specify whether Google Chrome allows sites to run the V8 JavaScript engine with the Just In Time (JIT) compiler enabled. JIT compilation is a way of executing computer code using compilation during, not before, the execution of a program.
Choose an option:
- Allow sites to run JavaScript JIT (default)—Web content might render more slowly and parts of JavaScript, including WebAssembly, might be disabled.
- Do not allow sites to run JavaScript JIT—Web content might be rendered in a more secure way.
You can also add specific URLs that you want to allow or block from running JavaScript JIT. For information on valid URL patterns, see Enterprise policy URL pattern format.
You can specify if sites can or cannot ask users to grant them access to the clipboard or you can allow the user to make the decision. You can also add a list of URLs that can or cannot request access from the user to the clipboard.
Select one of the following:
- Allow the user to decide (default)—Lets websites ask for access, but users can change this setting.
- Allow sites to ask the user to grant the clipboard site permission—Lets websites ask the user for access to the clipboard.
- Do not allow any site to use the clipboard site permission—Denies access to the clipboard for all sites.
In the Allow these sites to access the clipboard field, enter all URLs that are allowed to request access to the clipboard from the user.
In the Block these sites from accessing the clipboard field, enter all URLs that are not allowed access to the clipboard.
If the URL is not blocked, the option you have selected or the users' personal settings take precedence, in that order.
Do not enter the same URL in both URL fields. If a URL matches with both, neither policy takes precedence.
For details on valid URL patterns, see Enterprise policy URL pattern format.
Specifies whether websites are allowed to display desktop notifications.
You can allow or block notifications or ask the user each time a website wants to show desktop notifications.
Note: With Chrome version 64 and later, JavaScript alerts are no longer allowed to interrupt users. Apps that previously used alerts, such as Google Calendar, can send notifications instead. To allow this, in the Allow these sites to show notifications box, add calendar.google.com.
Specifies a list of URL patterns of pages that are allowed to automatically play video content with sound, without user consent. If you change this setting while users are running Chrome, it only applies to newly opened tabs.
For information about valid URL patterns, see Enterprise policy URL pattern format.
You can register a list of protocol handlers that are included with any protocol handlers the user registers, so both sets are available for use.
A protocol handler is an application that can handle particular types of links. For example, mailto: links are handled by a mail client protocol handler. When the user clicks a mailto: link, the browser opens the application selected as the handler for the mailto: protocol.
For example, to set up a mail client protocol handler:
- Under Configure default protocol handlers for your users, click .
- In the URL field, enter the URL pattern of the application that handles the protocol scheme. The pattern must include a %s placeholder that the handled URL replaces. URLs must also have an HTTPS scheme, for example, https://example.com.
- From the Protocol list, select mailto.
- Click Save.
Note: The Custom Protocol field is only used if you select the web+ protocol.
Users cannot remove a protocol handler that you add using this setting. However, by installing a new default handler themselves, they can then select that protocol handler as the default.
In 2021, Chrome ended support for the Adobe Flash Player plugin.
Visit the Chrome blog to learn more.
Sets whether websites are allowed to run outdated plugins such as Adobe Flash Player on their Chrome browser or ChromeOS device. Plugins are used by websites to enable certain types of web content that Chrome browser can't process.
Specifies how PDF files are opened in Google Chrome.
- Chrome downloads PDF files and lets users open them with the system default application—The internal PDF viewer is turned off in Google Chrome, and PDF files are downloaded for users to open with the default application.
- Chrome opens PDF files, unless the PDF plugin is turned off—Chrome opens all PDF files unless users have turned off the PDF plugin.
Auto open file types
Specifies a list of file types that automatically open after download. If Safe Browsing is turned on, files are still checked and only open after they pass. Left blank, only file types that users allow can automatically open.
Don’t include the leading separator. For example, just type txt for .txt files.
For Microsoft Windows, machines need to be joined to a Microsoft Active Directory domain, running on Windows 10 Pro, or enrolled in Chrome Enterprise Core.
For macOS, machines need to be managed using MDM or joined to a domain with MCX.
Auto open URLs
Specifies a list of URL patterns of pages that are allowed to automatically open the file types that you specify in Auto open file types.
This setting has no effect on file types that users choose to automatically open.
If you specify one or more URL patterns, Chrome automatically opens files that match both the URL pattern and file type. Chrome also continues to automatically open file types that users allow.
Left blank, Chrome automatically opens file types that you specify in Auto Open file types, no matter what URL they downloaded from.
For URL syntax, see URL blocklist filter format.
Sets whether websites are allowed to show pop-ups. If the browser blocks pop-ups for a site, users see and can click Blocked on the address bar to see the pop-ups that have been blocked.
In Chrome browser version 91 or later, Chrome prevents iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. So, embedded content can’t spoof users into believing that a message is coming from the website they're visiting, or from Chrome browser.
Select Allow JavaScript dialogs triggered from a different origin subframe to revert to the previous behavior.
This temporary policy will be removed after Google Chrome version 117.
Chrome blocks navigations to external protocols inside a sandboxed iframe. If you need more time to update your internal website that’s affected by this restriction, select Allow navigation to external protocols inside a sandboxed iframe.
By default, Do not allow navigation to external protocols inside a sandboxed iframe is selected.
For details, see Chrome Platform Status documentation.
Specifies whether websites are allowed to show pop-ups while the website is unloading.
A web page unloads when:
- The user clicks a link to leave the page
- The user types a new URL in the address bar
- The user clicks the forward or back buttons
- The browser window is closed
- The page is reloaded
If the browser blocks pop-ups for a site, users see and can click Blocked on the address bar to see the pop-ups that have been blocked.
Blocked URLs
Prevents Chrome browser users from accessing specific URLs.
To configure this setting, enter up to 1,000 URLs on separate lines.
Blocked URL exceptions
Specifies exceptions to the list of blocked URLs.
To configure the setting, enter up to 1,000 URLs on separate lines.
URL syntax
Each URL must have a valid hostname (such as google.com), an IP address, or an asterisk (*) in place of the host. The asterisk functions like a wildcard, representing all hostnames and IP addresses.
URLs can also include:
- The URL scheme (http or https) followed by ://
- A valid port value from 1 to 65,535
- The path to the resource
- Query parameters
Notes:
- To disable subdomain matching, put an extra period before the host.
- You cannot use user:pass fields, such as http://user:pass@example.com/pub/bigfile.iso. Instead, enter http://example.com/pub/bigfile.iso.
- When both blocked URLs and blocked URLs exception filters apply (with the same path length), the exception filter takes precedence.
- If an extra period precedes the host, the policy filters exact host matches only.
- You cannot use a wildcard at the end of a URL, such as https://www.google.com/* and https://google.com/*.
- The policy searches wildcards (*) last.
- The optional query is a set of key-value and key-only tokens delimited by '&'.
- The key-value tokens are separated by '='.
- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching.
Examples
Blocked URLs entry | Result |
---|---|
example.com | Blocks all requests to example.com, www.example.com, and sub.www.example.com |
http://example.com | Blocks all HTTP requests to example.com and any of its subdomains, but allows HTTPS requests |
https://* | Blocks all HTTPS requests to any domain |
mail.example.com | Blocks requests to mail.example.com but not to www.example.com or example.com |
.example.com | Blocks example.com but not its subdomains, like example.com/docs |
.www.example.com | Blocks www.example.com but not its subdomains |
* | Blocks all requests to URLs except for those listed as a blocked URL exception. This includes any URL scheme, such as http://google.com, https://gmail.com, and chrome://policy. |
*:8080 | Blocks all requests to port 8080 |
*/html/crosh.html | Blocks Chrome Secure Shell (Also known as Crosh Shell) |
chrome://settings chrome://os-settings | Blocks all requests to chrome://os-settings |
example.com/stuff | Blocks all requests to example.com/stuff and its subdomains |
192.168.1.2 | Blocks requests to 192.168.1.2 |
youtube.com/watch?v=V1 | Blocks youtube video with id V1 |
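The rules and the table above are easiest to check against a working matcher. The following is an added example, not Chrome's URL blocklist implementation: a simplified model that parses an entry as [scheme://][.]host[:port][/path][?query], applies subdomain matching unless the entry starts with a period, treats the path as a prefix, matches query tokens with optional "*" prefixes, and resolves a conflict between the Blocked URLs list and the Blocked URL exceptions list by specificity (named host before the * wildcard, then longer path, then more query tokens), with ties going to the exception, as the notes state. The specificity ordering is an assumption chosen to reproduce the documented examples; Chrome's real tie-breaking considers further fields.

```python
"""URL blocklist matching under the syntax rules above. Added example, not
Chrome's code; a simplified model of the documented behavior.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Filter:
    scheme: Optional[str]
    host: str            # "*" matches any host
    exact_host: bool     # leading "." in the entry: no subdomain matching
    port: Optional[int]
    path: Optional[str]
    query: Optional[str]


def parse_entry(entry: str) -> Filter:
    """Parse [scheme://][.]host[:port][/path][?query] into a Filter."""
    scheme, sep, rest = entry.partition("://")
    if not sep:
        scheme, rest = None, entry
    rest, _, query = rest.partition("?")
    rest, sep, path = rest.partition("/")
    path = "/" + path if sep else None
    exact_host = rest.startswith(".")
    host, _, port = rest.lstrip(".").partition(":")
    return Filter(scheme, host.lower(), exact_host, int(port) if port else None,
                  path, query or None)


def query_matches(filter_query: str, url_query: str) -> bool:
    """Every filter token must appear in the URL query, in any order;
    a token ending in '*' is a prefix match."""
    url_tokens = url_query.split("&") if url_query else []
    for token in filter_query.split("&"):
        if token.endswith("*"):
            if not any(t.startswith(token[:-1]) for t in url_tokens):
                return False
        elif token not in url_tokens:
            return False
    return True


def filter_matches(f: Filter, url: str) -> bool:
    """True if the URL falls under the filter."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if f.scheme and u.scheme != f.scheme:
        return False
    if f.port and u.port != f.port:
        return False
    if f.host != "*" and host != f.host:
        if f.exact_host or not host.endswith("." + f.host):
            return False
    if f.path and not u.path.startswith(f.path):
        return False
    if f.query and not query_matches(f.query, u.query):
        return False
    return True


def specificity(f: Filter) -> tuple:
    """Higher wins: a named host beats the * wildcard (searched last), then a
    longer path, then more query tokens. Assumed ordering for this example."""
    host_rank = 0 if f.host == "*" else (2 if f.exact_host else 1)
    query_tokens = len(f.query.split("&")) if f.query else 0
    return (host_rank, len(f.path or ""), query_tokens)


def is_blocked(url: str, blocked: list, exceptions: list) -> bool:
    """Apply the Blocked URLs and Blocked URL exceptions lists to one URL."""
    def best(entries):
        return max((specificity(f) for f in map(parse_entry, entries)
                    if filter_matches(f, url)), default=None)
    block, allow = best(blocked), best(exceptions)
    if block is None:
        return False
    return allow is None or block > allow     # equal specificity: exception wins
```

Running the table's entries through `is_blocked` reproduces each stated result, and the last two checks in the test show the exception rule in practice: "example.com/docs" as an exception punches a hole in an "example.com" block, while an exception identical to the blocked entry wins the tie.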
Using blocked URL lists with Android apps
If you enable Android apps on supported ChromeOS devices in your organization, the blocked URLs list and blocked URL exceptions are not honored by apps that use Android System WebView. To enforce a blocklist on these apps, define the blocked URLs in a text file (see below). Then, apply the blocklist to the Android apps. For details, see Apply managed configurations to an Android app.
The following example shows how to define a blocked URL:
{ "com.android.browser:URLBlocklist": "[\"www.solamora.com\"]" }
For apps that don’t use Android System WebView, consult the app documentation for information on how to restrict access in a similar way.
Lets you configure whether users can sync with Google Drive on their ChromeOS device. You can enable or disable Drive syncing or let users choose.
This setting has no effect on the Google Drive Android app on ChromeOS. To completely disable any syncing to Google Drive, configure this policy and do not allow the Google Drive Android app to be installed on supported ChromeOS devices. For details, see Deploy Android apps to managed users on ChromeOS devices.
Lets you configure whether or not users can sync with Google Drive over a cellular connection on their ChromeOS device. This policy has no effect on the Google Drive Android app on ChromeOS.
Google ChromeOS file sync automatically makes Google Drive files in a user's My Drive available offline on Chromebook Plus devices. This is subject to the space available in the user's drive.
When the user turns ChromeOS file sync on, all new files are made available offline automatically. If space later runs out, new files are no longer made available offline automatically. However, the user can still manually make items available offline.
When you select the default Show the ChromeOS file sync feature, file sync is shown in the Files app and Settings. The user can turn file sync on or off.
When you select Do not show the ChromeOS file sync feature, file sync is turned off if it was previously turned on by the user. The feature is hidden from the Files app and Settings and the user can’t turn it back on. Existing files that were made available offline by the user remain available offline. The user can still manually make items available offline.
Allow users to cast from Chrome
Decide if users can use a Chromecast device to cast from a Chrome tab.
Restrict Google Cast to connect to Cast devices only on RFC1918/RFC4193 private addresses
You can specify how Google Cast connects to Cast devices based on their IP addresses.
Choose from one of the following options:
- Enable restrictions, unless the CastAllowAllIPs feature is turned on—Allows Google Cast to connect only to devices on private IP addresses, unless the CastAllowAllIPs feature on devices is turned on.
- Disable restrictions (allow all IP addresses)—Allows Google Cast to connect to devices on all IP addresses, not just RFC1918/RFC4193 private addresses.
- Enable restrictions—Allows Google Cast to only connect to devices on private IP addresses.
If you don't let users cast, you can't configure this policy.
Show Cast icon in the toolbar
Specify whether Cast appears on the browser toolbar in Chrome. If you select Always show the Cast icon in the toolbar, it always appears on the toolbar or overflow menu and users can't remove it.
If you don't let users cast, you can't configure this policy. The Cast icon doesn't appear on the toolbar.
Specifies whether a user has the option, within the Google Cast menu, to cast to cast devices set up for cast moderator, using either the access code or QR code displayed on the cast device's screen.
Before you enable cast moderator, you need to allow users to cast using the Cast setting. For details, see Cast.
To use this policy, you must first select Allow users to cast in the Cast setting.
Choose one of the following:
- Enable cast moderator—Users have the option to select cast devices by using an access code or by scanning a QR code. The Cast moderator device duration field is displayed.
- From the Cast moderator device duration list, you can select how long a cast moderator device stays in the user’s cast menu after connecting with a code. For this period of time, users can cast to the same device without having to re-enter a code. After this period expires, the cast moderator device no longer appears in the user's cast menu and the user must enter a new code to connect.
Note: If you are enabling cast moderator for staff organizational units, we recommend setting the Cast moderator device duration to a longer period of time. This means teachers will not need to enter a code as often. We recommend you use the default Remove immediately for students or users that you require to use a code every time they connect.
- Disable cast moderator (Default)—Users are not given the option to select cast devices by using an access code or by scanning a QR code.
For more details, see Set up Google cast moderator.
Supported on Chrome version 80 to 83 inclusive
Specifies how Chrome browser and ChromeOS devices treat insecure HTTP audio, video, and image mixed content.
By default, Chrome uses strict treatment for mixed content. On HTTPS sites:
- Audio and video are automatically upgraded from HTTP to HTTPS.
- There is no fallback if audio or video is not available over HTTPS.
- Chrome shows a warning in the URL bar for pages that contain images.
Select Do not use strict treatment for mixed content to prevent Chrome from automatically upgrading audio and video to HTTPS and to show no warning for images.
For Chrome browser and ChromeOS devices, Google has started to automatically block mixed content. So, in future, https:// pages will load only secure https:// resources, not http:// resources. For details about the roll-out plan, see this Chromium blog.
Selecting Allow users to add exceptions to allow blockable mixed content lets users specify certain pages that can run active mixed content. Otherwise, users can’t load active mixed content, such as scripts and iframes. Chrome does not automatically upgrade optionally-blockable mixed content from HTTP to HTTPS on sites users add as exceptions.
To run pages with active mixed content, tell users to:
- On your computer, open Chrome.
- At the top right, click More > Settings.
- Under Privacy and security, click Site settings.
- Scroll to Insecure content.
- For Allow, click Add.
- Add URLs of the pages that you want to allow.
Note: URLs that you specify in the Allow insecure content on these sites and Block insecure content on these sites settings take precedence over this setting.
Specifies a list of pages that can display active mixed content, such as scripts and iframes. Also, Chrome does not automatically upgrade optionally-blockable, or passive, mixed content from HTTP to HTTPS. Passive mixed content includes images, audio, and video.
For information on valid URL patterns, see Enterprise policy URL pattern format.
Specifies a list of pages that cannot display active mixed content, such as scripts and iframes. Also, Chrome automatically upgrades optionally-blockable, or passive, mixed content from HTTP to HTTPS. Chrome does not load passive mixed content that fails to load over https://. Passive mixed content includes images, audio, and video.
For information on valid URL patterns, see Enterprise policy URL pattern format.
Controls whether and how websites can make requests to more-private network endpoints.
- Allow the user to decide (default)—Requests to more-private network endpoints follow the Private Network Access web specification. The requesting website must be secure and the user must opt into receiving the request. Exact behavior depends on the user's personal configuration for several feature flags which can be set by field trials or on the command-line, including BlockInsecurePrivateNetworkRequests, PrivateNetworkAccessSendPreflights and PrivateNetworkAccessRespectPreflightResults.
- Websites are allowed to make requests to any network endpoint in an insecure manner—This is subject to other cross-origin checks.
For information on valid URL patterns, see Enterprise policy URL pattern format.
Secure websites
A website is considered secure when it meets certain minimum standards of authentication and confidentiality defined in the Secure Contexts specification. For more detail, see Secure contexts. If it does not meet the standards outlined, it is considered insecure.
Private network endpoints
A network endpoint is considered more private than another if:
- Its IP address is localhost and the other is not.
- Its IP address is private and the other is public.
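As an added example (not Chrome's code), the Python below classifies endpoint addresses into the local, private, and public address spaces that the Private Network Access rules above refer to, using the RFC 1918 and RFC 4193 ranges named in the Cast restriction setting, and applies both the "more private" comparison and the Cast IP restriction; it assumes IP literals or "localhost" as input (no DNS lookups), and the sample addresses are constructed.

```python
"""Address-space classification for the two settings above.

Added example, not Chrome's code. It uses the RFC 1918 IPv4 ranges and the
RFC 4193 IPv6 unique-local range named in the Cast restriction setting, and
the local < private < public ordering from the Private Network Access rules.
"""
import ipaddress
from urllib.parse import urlsplit

# RFC 1918 private IPv4 ranges and the RFC 4193 unique-local IPv6 range.
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Ordering used by the "more private" rule: a lower rank is more private.
RANK = {"local": 0, "private": 1, "public": 2}


def address_space(host):
    """Return 'local', 'private' or 'public' for an IP literal or 'localhost'.

    Assumption: no DNS is performed, so other hostnames must be resolved
    to an address before calling this helper.
    """
    if host == "localhost":
        return "local"
    addr = ipaddress.ip_address(host.strip("[]"))
    if addr.is_loopback:
        return "local"
    if any(addr in net for net in PRIVATE_NETWORKS):
        return "private"
    return "public"


def is_more_private(target, initiator):
    """True when a request from initiator to target enters a more private
    address space, which is the case Private Network Access gates."""
    return RANK[address_space(target)] < RANK[address_space(initiator)]


def private_network_request(initiator_origin, target_host):
    """Outcome under 'Allow the user to decide' as described above: requests
    that do not enter a more private space pass; otherwise the initiator
    must be secure (https, or itself local) and the user must opt in."""
    parts = urlsplit(initiator_origin)
    if not is_more_private(target_host, parts.hostname):
        return "allowed"
    secure = parts.scheme == "https" or address_space(parts.hostname) == "local"
    return "requires-opt-in" if secure else "blocked"


def cast_target_allowed(device_ip, restrict_to_private=True):
    """Model of the Cast restriction: with restrictions enabled, Google Cast
    may connect only to devices on RFC 1918 / RFC 4193 addresses."""
    if not restrict_to_private:
        return True
    return address_space(device_ip) == "private"


if __name__ == "__main__":
    # Constructed sample endpoints (documentation ranges, not real hosts).
    for initiator, target in [("https://203.0.113.5", "192.168.1.2"),
                              ("http://203.0.113.5", "192.168.1.2"),
                              ("https://192.168.1.2", "127.0.0.1"),
                              ("https://203.0.113.5", "198.51.100.7")]:
        print(f"{initiator} -> {target}: {private_network_request(initiator, target)}")
    for ip in ("192.168.1.20", "fd12::1", "203.0.113.5"):
        print(f"cast to {ip}: {'allowed' if cast_target_allowed(ip) else 'refused'}")
```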
Controls how Chrome treats insecure forms (forms that submit over HTTP) that are embedded in secure HTTPS websites.
By default, Show warnings and disable autofill on insecure forms is selected. So, users see a full page warning when an insecure form is submitted. In addition, users see a warning bubble next to the form fields when they’re focused and autofill is turned off for those forms.
Selecting Do not show warnings or disable autofill on insecure forms prevents warnings from being shown for insecure forms and users can use autofill.
Non-standard API window.webkitStorageInfo is deprecated and is planned for removal.
You can use this setting to re-enable the window.webkitStorageInfo API to make it available.
This policy will be removed after Chrome 84.
Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were deprecated in 2018. They are disabled by default in Chrome version 80 and later. For Chrome browser and ChromeOS devices with version 80 to 84 inclusive, select Re-enable Web Components v0 API to temporarily re-enable the APIs for all sites.
Starting in Chrome version 109, the non-standard API Event.path will be removed to improve web compatibility.
You can use this setting to re-enable the API until Chrome version 115. By default, the Event.path API is available before Chrome version 109 and unavailable in Chrome version 109 and later.
This policy will be removed after Chrome 115.
Starting in Chrome version 106, CryptoToken will be removed.
You can choose whether to load the CryptoToken component extension at startup. This setting is a temporary workaround for sites broken by chrome.runtime being undefined due to the removal of CryptoToken. Websites cannot depend on chrome.runtime being defined unconditionally.
If you select Enable the CryptoToken component extension until Chrome 105, the built-in CryptoToken component extension is loaded at startup until Chrome 105.
If you select Enable the CryptoToken component extension until Chrome 107, the built-in CryptoToken component extension will continue to be loaded at startup in Chrome 106 and 107.
This policy was removed in Chrome 99.
Specifies whether pages can send synchronous XMLHttpRequest (XHR) requests during page dismissal, for example when users close tabs, quit the browser, or type a new entry in the address bar.
Chrome browser detects window occlusion when a browser window is covered by another window. If that happens, Chrome browser does not paint pixels on the covered page. Showing blank white pages helps to reduce CPU and power consumption.
Select Disable detection of window occlusion to prevent Chrome browser on Microsoft Windows devices from showing blank pages when they’re covered.
Controls the availability of network file sharing for ChromeOS devices.
If you select the default Allow network file shares, you can also set the options below.
NetBIOS discovery
Specifies whether the Network file shares feature will use the NetBIOS name query request protocol to discover shares on the network.
If this policy is not set, NetBIOS discovery will be allowed for enterprise-managed users but will not be allowed for non-managed users.
NTLM authentication protocol
Specifies whether the Network file shares feature will use NTLM as an authentication protocol for SMB mounts.
If this policy is not set, NTLM authentication will be available for enterprise-managed users but will not be available for non-managed users.
Preconfigured network file shares
You can add a list of preconfigured network file shares that are shared by default to the users’ ChromeOS devices.
For each preconfigured network file share, you must specify the following:
- URL—The URL of the file or resource that you want to share. For example, smb://server/share, \\shared\resource.
- Mode—Determines the way the file is going to be shared. Options for the URL are drop down or pre mount.
  - drop down—The shared URL will be added to the share discovery drop down. When a file is shared as a drop down, the file is added as an option in the drop down menu under File share URL -> Add file share -> File Manager -> Add new service -> SMB file share.
  - pre mount—Indicates that the shared URL will be mounted. When a file is shared as pre mount, it shows up on the left side of the file manager.
This policy will be removed after Chrome 84.
Starting in Chrome version 83, we are refreshing standard form control elements, such as <select>, <button>, and <input type=date>. This will help to improve accessibility and platform uniformity.
For Chrome browser and ChromeOS devices with version 83 and 84, select Use legacy (pre-M81) form control element for all sites to temporarily revert to legacy form control elements. Otherwise, updated form control elements are used as they are launched in Chrome versions 83 and 84.
Specifies whether users can follow links that scroll to a text fragment on a webpage.
If you enable this setting, hyperlinks and address bar URL navigations can target specific text within a webpage. When the webpage is fully loaded it then scrolls to that text.
You can specify whether URL-keyed anonymized data collection is performed for user and browser sessions or managed guest sessions.
User and browser sessions
For Chrome browser and ChromeOS devices, URL-keyed anonymized data collection sends Google the URL of each site the user visits to make searching and browsing better.
If this policy is not set, it is active by default, but the user can change it.
Managed guest sessions
If you turn the setting on for managed guest sessions, URL-keyed metrics are collected for force-installed apps. If this policy is not set it is active by default, and the user cannot change it.
Specifies whether page load metadata and machine learning models that enhance the browsing experience are fetched. If you disable this setting some features might not work appropriately.
AppCache is a deprecated web feature allowing websites to save data offline. AppCache was removed from Chrome in version 89 and fully deprecated at that time. Learn more about AppCache deprecation.
Specifies whether websites can request access to Bluetooth devices via the Web Bluetooth API.
The default is Allow the user to decide, where websites request access to nearby Bluetooth devices and the user can decide to allow or block this access.
Controls whether or not the Always open box is shown on external protocol launch confirmation prompts. If the user clicks a link with a protocol, a dialog is displayed asking if they want to use an app instead. When the policy is enabled, a box is displayed in the dialog.
If the user checks the box, future prompts asking to use the app for similar requests are skipped. If the policy is disabled, the box does not appear and users can't skip the confirmation prompts.
When enabled the Back-Forward cache feature stores the exact state of a webpage. When navigating away from a page, its current state might be preserved in the back-forward cache. When a browser’s back button is clicked, the page might load from cache and restore the page, allowing for quick navigation back and forth.
This feature might cause issues for some websites that do not expect this caching. Specifically, some websites depend on the "unload" event being dispatched when the browser navigates away from the page. The "unload" event will not be dispatched if the page enters the back-forward cache.
If this policy is set to enabled or is not set, the feature will be enabled.
By default, the PDF viewer can annotate PDFs on ChromeOS devices.
Specifies if users can move files to Trash in the Files app. This feature is only available on supported filesystems.
Choose one of these options:
- Allow files to be sent to the Trash bin in the Files app (default)—Users can move files from My files > Downloads to the available Trash bin.
- Do not allow files to be sent to the Trash bin in the Files app—Users can't move files to the Trash bin but can still access files that they previously deleted. These files are displayed as hidden files in the .Trash directory under My files > Downloads.
Specifies whether users can turn on Always use secure connections. Connections to sites that use HTTPS are more secure than those that don’t. When users turn on Always use secure connections, Chrome attempts to load all sites over HTTPS and displays a warning before they visit a site that doesn’t support it.
Choose an option:
- Allow users to enable HTTPS-Only Mode—This is the default. Users can turn on Always use secure connections.
- Do not allow users to enable HTTPS-Only Mode—Users can’t turn on Always use secure connections.
- Force enable HTTPS-Only Mode—Supported on Chrome version 112 and later. Always use secure connections is turned on and users can’t turn it off.
You can use the HTTP Allowlist setting to prevent this policy from upgrading specific hostnames or hostname patterns from HTTP to HTTPS. For details, see HTTP Allowlist.
This setting is temporary and will be removed in a future version of Chrome.
Cross-origin WebAssembly module sharing will be removed after Chrome 95. You can use this setting to re-enable cross-origin WebAssembly module sharing, providing a longer transition period in the deprecation process.
The default is to prevent cross-origin WebAssembly module sharing and sites can only send WebAssembly modules to windows and workers in the same origin.
Native Client is deprecated in Chrome. If you have tools that rely on Native Client, this policy allows you to keep using your legacy code.
You can choose to allow the Native Client to run even if it is disabled by default or you can choose to use the default behavior.
Controls the availability of the shopping list feature for your users.
If you select Enable the shopping list feature, your users can track the price of the product displayed on the current page. The tracked product is shown in the bookmarks side panel.
Specifies whether users can see their events when they click on the date in the calendar.
Selecting Enable Google Calendar Integration lets users open their calendar through Quick Settings:
- Sign in to Chromebook using a managed Google Account.
- Open Quick Settings—At the bottom right, select the time.
- Open the calendar—Click the date.
- Navigate calendar—Select the up and down arrows.
- Check Google Calendar events—Select a date that has a dot underneath it.
When users sign in to their managed Chromebook, next to the date at the bottom right of their screen, users see the managed device icon, letting them know that their admin manages the calendar.
If you want to use this policy, file a bug on crbug.com explaining your use case and CC {blundell, vasilyt}@chromium.org.
The PPB_VideoDecoder(Dev) API was introduced for Adobe Flash. Flash is no longer supported in Chrome and we are removing this API in ChromeOS version 111. If you need more time to migrate legacy applications, you can use this policy to temporarily allow the browser to support the deprecated API.
You can choose to either force the browser to support the PPB_VideoDecoder(Dev) API or allow the browser to decide.
This policy is temporary and will be removed in a future version of Chrome.
By default, Chrome autoupgrades audio, video, and image mixed content (HTTP content in HTTPS sites) by rewriting the URL to HTTPS. If the content is not available over HTTPS, there is no fallback to HTTP.
To block autoupgrading and allow blockable mixed content to load, select Disable mixed content autoupgrading.
You can allow or block users from turning on third-party storage partitioning. Third-party storage partitioning partitions storage and communications APIs in third-party contexts and prevents some types of side-channel cross-site tracking.
For more details, see Storage Partitioning.
You can also set a list of URL patterns that specify top-level origins, the URL in the tab's address bar, that block third-party storage partitioning. Patterns in this list are treated as origins, not URLs, so you do not have to specify a path.
For detailed information on valid URL patterns, see Enterprise policy URL pattern format.
On macOS 13.5 or later, Google Chrome might direct passkey or WebAuthn creation requests directly to iCloud Keychain. If iCloud Keychain syncing is not turned on yet, users are prompted to sign in with iCloud or enable iCloud Keychain syncing.
Choose one of the following:
- Use the default Chrome setting—The default depends on factors such as whether iCloud Drive is enabled, and whether the user has recently used or created a credential in their Google Chrome profile.
- Default to creating passkeys in iCloud Keychain when possible—iCloud Keychain is set as the default whenever the WebAuthn request is compatible with that choice.
- Default to creating passkeys in other stores (such as the Google Chrome profile)—iCloud Keychain is not used by default and the previous behavior, of creating the credential in the Google Chrome profile, might be used instead. Users can still select iCloud Keychain as an option, and might still see iCloud Keychain credentials when signing in.
This policy is temporary and will be removed in the future.
You can specify whether zstd is used in the Accept-Encoding request header, and support for decompressing zstd-compressed web content. Zstandard (zstd) is a fast compression algorithm, providing high compression ratios.
If you select Allow zstd-compressed web content, Google Chrome accepts web contents compressed with zstd.
By default, Allow to use previous responses as compression dictionaries for future requests is selected. So, Chrome uses external dictionaries such as Brotli (sbr) and Zstandard (zst-d) to compress HTTP content, helping websites to load faster. The Accept-Encoding header is used for negotiating dictionary-specific content encoding.
Control whether the deprecated :--foo syntax for CSS custom state is allowed on Chrome browser.
By default, the deprecated syntax is no longer supported on Chrome browser.
When turned on, this setting allows you to extend the timeline for using :--foo syntax on Chrome browser. To avoid breakages, you might want to continue using :--foo instead of :state(foo) syntax temporarily. For example, a CSS button element with a custom state property set using :--foo syntax might not work, or it might work but display differently in another browser that expects custom state values in :state(foo) syntax. To safeguard interoperability between browsers, you can start using the new syntax :state(foo) to replace all instances of the deprecated :--foo syntax.
Note: The deprecation of :--foo syntax might cause some CSS elements of Chrome browser-only websites to stop working as intended if they are still using this syntax.
Printing
Printing
You can enable or disable printing. When printing is disabled, a user won’t be able to print from the Chrome menu, extensions, JavaScript applications, and so on.
This policy has no effect on Android apps running on ChromeOS.
By default, Allow using print preview is selected. To prevent users from using built-in print preview, select Always use the system print dialog instead of print preview.
Specifies whether available privet printers appear in the print preview dialog.
Settings also available for Managed guest session devices.
Default printer selection
To use the default system printer as the default printer for Chrome, select Use default print behavior.
To define a default printer for users, select Define the default printer. When a user prints, the ChromeOS device tries to find a printer that matches the printer type and ID or name you specify. It then selects it as the default printer.
This policy has no effect on Android apps running on ChromeOS.
Printer Types
Select the type of printer to search for and use as the default printer. To search for all types, select Cloud & Local.
Printer Matching
Select if you want to search for printers by name or ID.
Default Printer
Specify a regular expression that matches the name or ID of the printer that you want to use as the default printer. The expression is case-sensitive. Printing defaults to the first printer that matches the name. For example:
- To match a printer named Solarmora Lobby, enter Solarmora Lobby.
- To match a printer in solarmora-lobby-1 or solarmora-lobby-2, enter solarmora-lobby-.$.
- To match a printer in solarmora-lobby-guest or solarmora-partner-guest, enter solarmora-.*-guest.
This policy has no effect on Android apps running on ChromeOS.
Lets you allow or block your users from adding native printers to their ChromeOS devices.
The default is to Allow users to add new printers. To block your users from adding printers, select Do not allow users to add new printers.
For information about setting up native printing, see Manage local and network printers.
Specifies whether to print in color or black and white by default. Users can choose whether to print in color or black and white on individual print jobs.
Forces users to print in color or black and white. To let users choose whether to print in color or black and white, select Do not restrict color printing mode.
Specifies whether users can print on both sides of the paper. If you choose two-sided printing, select whether to bind pages along their long or short edge. Users can only print double-sided on printers with built-in duplex capability. Users can choose whether to print on one or both sides on individual print jobs.
Forces users to print in simplex or duplex mode on printers with built-in duplex capability. To let users choose whether to print on one or both sides on individual print jobs, select Do not restrict duplex printing mode.
Specifies whether to print background graphics by default. Users can choose whether to print background graphics on individual print jobs.
Lets you force or prevent users from printing background graphics. To let users choose whether to print background graphics on individual print jobs, select Allow the user to decide.
Specifies how long the metadata for completed print jobs is stored on ChromeOS devices. Enter a value in days.
- To use the system default, which is 90 days, leave the field unset.
- To store print job metadata indefinitely, enter -1.
- To prevent print job metadata from being stored, enter 0.
Lets users delete their print job history using the print management app or by deleting their browser history.
For printers with built-in PIN-printing capability
Forces users to print with or without a PIN. To let users choose whether to print using a PIN, select Do not restrict PIN printing mode.
Note: Applies to printers configured for driverless printing that support the job-password attribute or compatible PPD-based printers.
For printers with built-in PIN-printing capability
Determines the default setting for PIN printing. If you choose With PIN, users can enter a code when they’re sending print jobs. Then, they need to enter the same code on the printer keypad to release the print job.
Note: Applies to printers configured for driverless printing that support the job-password attribute or compatible PPD-based printers.
Specifies the maximum number of sheets users can print in a single print job.
If the policy is not set, no limitations are applied and users can print any number of sheets.
Overrides the default page size set by the printer or the last used page size set by the user.
Select the required page size from the Page size list. If you select Custom, enter the required height and width in micrometers.
If you enter incompatible values for the custom page size or the selected page size is unavailable on the printer chosen by the user, the policy is ignored.
Lets you force or prevent users from printing headers and footers. The default is the user can decide whether to print headers and footers.
You can disable certain printer types or destinations from being available for printing.
Printer destinations include:
- Zeroconf-based (mDNS + DNS-SD) protocol
- Extension-based—Also known as print provider destinations, and include any destination that belongs to a Google Chrome extension.
- Save as PDF
- Local printer—Also known as native printing destinations, and include destinations available to the local machine and shared network printers.
- Save to Google Drive
Selecting all printer types effectively disables printing, as there are no available destinations to send a document for printing.
If you do not select any printer type, users can print to all printer types.
When printing to a non-PostScript printer, some print jobs need to be rasterized to print correctly. By default, Google Chrome does full page rasterization, if necessary.
Select Fast to avoid rasterization when possible. Reducing the amount of rasterization can help to reduce print job sizes and increase printing speed.
Specifies whether Chrome browser uses the most recently used printer or the system default printer as the default choice for print preview. By default, Use the most recently used printer as the default choice in Print Preview is selected.
When users print to a PostScript printer, different PostScript generation methods can affect printing performance.
By default, when generating PostScript, Chrome browser always renders text using Type 3 fonts. To increase printing speed for some PostScript printers, select Type 42. Then, Chrome browser renders text using Type 42 fonts, if possible.
Specifies whether users can print PDF documents as images on Microsoft Windows and macOS.
If you select Allow users to print PDF documents as images, users can choose to rasterize the print job to an image for certain printers, achieving clearer image output.
This policy will be removed in the future, after the out-of-process print drivers feature has fully rolled out.
Controls if Google Chrome interacts with printer drivers from a separate service process.
If you turn on the setting, Google Chrome uses a separate service process for platform printing tasks—which include checking for available printers, getting printer driver settings, and submitting documents for printing to local printers. Using a separate service process for such tasks helps improve stability and reduce frozen user interface (UI) behavior in Print Preview.
If you turn off the policy, Google Chrome uses the browser process for platform printing tasks instead.
User Experience
Managed bookmarks
Lets you push a list of bookmarks for the convenience of users on Chrome on all platforms, including mobile devices. On Chrome devices and Chrome browser, the bookmarks appear in a folder on the bookmark bar. The user cannot modify the contents of this folder but can choose to hide it from the bookmark bar. For details, see Manage bookmarks.
Note: You can add managed bookmarks up to a maximum size of 500KB.
Determines whether users see a bookmark bar. Allow the user to decide is the default setting.
Specifies the position of the row of apps, also called the shelf, on users’ ChromeOS devices.
Specifies whether the row of apps, also called the shelf, automatically hides on users’ ChromeOS devices.
If you select Always auto-hide the shelf, users need to move the pointer to the side of the screen where the shelf is positioned to see their apps, bookmarks, and so on.
If you select Allow the user to decide, users can right-click the shelf and check or uncheck Autohide shelf.
Allows users to add, edit, or remove items from their Chrome bookmarks bar.
Specifies whether users can see the apps shortcut in their bookmark bar.
Controls shortcut behavior on ChromeOS devices.
Choose an option:
- Do not override system shortcuts—This is the default. All ChromeOS shortcuts work as expected.
- Override some system shortcuts—A predetermined list of Launcher key shortcuts never work.
- Override some system shortcuts while in fullscreen—A predetermined list of Launcher key shortcuts don’t work while an app is in fullscreen mode.
Sets the default download location on ChromeOS devices and specifies whether a user is allowed to modify that location.
This policy applies to downloaded files only. If the user selects the Save option (ctrl+S), the pop-up is displayed with the local Downloads folder selected.
If the user has already explicitly chosen a download location before you select Set Google Drive as default, but allow user to change or Set local Downloads folder as default, but allow user to change, the user's original choice is respected. If the user has not already chosen a download location before you select one of these two policies, the default is set but the user can change it later.
If you select Force Google Drive (regardless of prior user choice), Google Drive is forced to be the download folder and a user is not allowed to change it. However, the user can still move files between local folders and Google Drive using the Files app. For Chrome version 90 and later, this setting has no effect on screenshots taken on ChromeOS. Screenshots download to the default ChromeOS downloads folder, and do not adhere to the Force Google Drive option.
This setting has no effect on Android apps running on ChromeOS. Android apps usually download to a download folder mapped to the ChromeOS downloads folder, however they may download to other locations as well.
Specifies whether users are asked where they want to save each file before they download it. Choose an option:
- Allow the user to decide—Lets users choose whether they want to specify a location for each download. To adjust download settings, users open Chrome and go to More > Settings > Advanced > Downloads.
- Do not ask the user (downloads start immediately)—Downloads files to the default download location without asking users where to save them. To set the default download location, configure the Download location setting.
- Ask the user where to save the file before downloading—Lets users choose a specific location for each download.
Specifies whether the new download bubble UI is displayed in Google Chrome.
The download bubble is enabled by default and if you disable it, the old download shelf UI is displayed.
Determines whether users can use spell check. Choose one of the options:
- Allow the user to decide—This is the default. Users can turn on or off spell check in the language settings.
- Disable spell check—Turns off spell check from all sources, and users can't turn it on. The Spell check service, Enforced spellcheck languages, and Disabled spellcheck languages settings have no effect.
- Enable spell check—Turns on spell check and users can’t turn it off. On Microsoft Windows, ChromeOS, and Linux devices, users can still turn on or off spell check for individual languages.
If you select Enable spell check, you can turn on or off spell check for specific languages. For Enforced spellcheck languages and Disabled spellcheck languages, select the languages that you want to use or block from the list available.
To prevent users from turning off spell check for every language, use the Enforced spellcheck languages setting to turn on the spellcheck languages that you want.
Note: The Enforced spellcheck languages and Disabled spellcheck languages settings are available in the Admin console only if you select Enable spell check.
Select Enable the spell checking web service to always let Chrome use a Google web service to resolve spelling errors in text that users type.
By default, Allow the user to decide is selected. Users can turn on or off Enhanced spell check.
If the Spell check setting is set to Disable spell check, the Spell check service setting has no effect.
Specifies what language Google Chrome uses.
The default is Use the language specified by user or system and the fallback locale is en-US.
Specifies the preferred languages that Chrome browser uses. Select the languages that you want from the list available. Then, order the list in descending order of preference.
Users can view the list of languages in chrome://settings/languages under Order languages based on your preference. The preferred languages that you specify always appear at the top of the list and users can’t remove or reorder them. However, they can add and reorder their own preferred languages underneath. Users also have full control over the browser's UI language as well as translation and spell check settings, unless enforced by other policies.
If you don’t specify any preferred languages, users can change the entire list of preferred languages.
Specifies the languages that users can choose as their preferred language on ChromeOS devices. Select the languages that you want from the list available. Then, order the Selected languages list in descending order of preference.
The first language in the Selected languages list is the default language for new users.
If users have already chosen a language that you don’t allow, their ChromeOS device’s language switches to one that you allow the next time they sign in.
If you don’t specify any languages, users can choose the language that they want, without restrictions.
For details about how users can change their device’s language, go to Manage your Chromebook's languages.
Specifies the keyboard languages that users can choose on Chrome OS devices. Select the languages that you want from the list available. Then, order the Selected languages list in descending order of preference.
If users have already chosen a keyboard language that you don’t allow, their ChromeOS device’s keyboard language switches to the hardware keyboard layout, if allowed, or the first language in the list that you specify.
If you don’t specify any languages, users can choose the keyboard language that they want, without restrictions.
For details about how users can change their device’s keyboard language, go to Choose keyboard language & special characters.
Lets you configure whether Chrome uses Google Translate, which offers content translation for web pages in languages not specified on a user's ChromeOS device. You can allow Chrome to always offer translation, never offer translation, or let users choose.
Controls whether Chrome browser shows suggestions for a page when it is unable to connect to a web address. The user sees suggestions to navigate to other parts of the website or to search for the page.
Corresponds to the user option Use a web service to help resolve navigation errors in their Chrome settings. You can allow the user to configure the option, or you can specify that it is always on or always off.
Developer tools availability
Controls whether the Developer tools option appears on the Tools menu. Developer tools allow web developers and programmers access into the internals of the browser and their web applications. For more information about the tools, see the Developer Tools Overview.
The default for Enterprise customers is to Allow use of built-in developer tools except for force-installed extensions and component extensions. This setting means all keyboard shortcuts, menu entries, and context menu entries that open the Developer tools or JavaScript console are enabled in general, but are disabled within extensions that are force-installed using enterprise policy.
The default for unmanaged users is Always allow use of built-in developer tools. To disable developer tools in all contexts, select Never allow use of built-in developer tools.
If you have enabled Android apps on supported ChromeOS devices in your organization, this setting will also control access to Android Developer Options. If set to Never allow use of built-in developer tools, users can’t access Developer Options. If set to any other value or unset, users can access Developer Options by tapping 7 times on the build number in the Android settings app.
Extensions page developer mode
Controls whether users can use developer tools on the extensions page, chrome://extensions.
By default, Use 'developer tools availability' selection is selected. As long as Developer tools availability is not set to Never allow use of built-in developer tools, users can use developer tools on the extensions page.
If you select Allow use of developer tools on extensions page or Do not allow the use of developer mode on extensions page, the Developer tools availability setting no longer controls developer tools on the extensions page.
Specifies whether the user can use the autofill feature to simplify the completion of their address online. The first time a user enters their address, Chrome automatically saves the entered information.
You can turn the autofill feature off or allow the user to configure the option.
If you select Never Autofill address forms, autofill never suggests or fills address information or saves any additional address information users submit when browsing the web.
Specifies whether the user can use the autofill feature to simplify the completion of their credit card details online. The first time a user enters their credit card details, Chrome automatically saves the entered information.
You can turn the autofill feature off or allow the user to configure the option.
If you select Never Autofill credit card forms, autofill never suggests or fills credit card information or saves any additional credit card information users submit when browsing the web.
Controls whether websites are allowed to check if users have payment methods saved.
Specifies whether the virtual keyboard resizes the layout viewport by default.
Note: This setting only affects the default resizing behavior. If a page requests a specific behavior using a tag or the Virtual Keyboard API, that behavior takes precedence.
Specifies if users can access the predictive writing feature on their physical keyboard. By default, the predictive writing feature is turned on. To turn off predictive writing on your physical keyboard, select Disable physical keyboard predictive writing.
Specifies if users can access the autocorrect feature on their physical keyboard. By default, the autocorrect feature is turned on. To turn off autocorrect on your physical keyboard, select Disable physical keyboard autocorrect.
Lets you turn on or off emoji suggestions as users type on their ChromeOS devices.
When DNS prefetching is enabled, Chrome looks up the IP addresses of all links on a displayed webpage so that links the user clicks load faster.
You can allow the user to configure the option, or you can specify that it is always enabled or disabled.
Allows you to decide whether Chrome predicts network actions. You might want Chrome to use a prediction service so it loads pages faster or helps complete searches and URLs that users enter in the address bar.
As an administrator, you can disable or require network prediction. Or, if you select Allow the user to decide, the setting is on for Chrome. Users can then change their own prediction service settings.
By default, users can add profiles in Chrome Browser to keep Chrome info separate, including bookmarks, history, passwords, and other settings. Profiles are ideal for users who share a computer, or for keeping different accounts, such as work and personal, separate. Select Disable adding new profiles to prevent users from adding new profiles in Chrome Browser.
Before using this setting, review Let multiple users sign in at the same time.
In the case of Android apps running on ChromeOS, even if you choose Unrestricted user access (allow any user to be added to any other user's session), only the primary user can use Android apps. If you choose Managed user must be the primary user (secondary users are allowed), Android apps can be used in the primary user as long as the device supports Android apps and you have enabled them in your organization.
After signing in to their device, allows users to switch between accounts in their browser window and Google Play.
Note: If you allowlist Android apps, users can’t switch to secondary accounts in Google Play.
Choose an option:
- To allow users to sign in to any Google Account within the browser, select Allow users to sign-in to any secondary Google Accounts. For details, see Types of Google Accounts.
- To block users from signing in or out of Google Accounts within the browser, select Block users from signing in to or out of secondary Google Accounts.
- To allow users to access Google services using an account only from a list of specified Google Workspace domains, select Allow users to only sign in to the Google Workspace domains set below.
If you allow users to sign in only to specific Google Workspace domains:
- Make sure you list all of your organization’s domains. If you don’t, your users might not have access to Google services. To see a list of your domains, click organization’s domains under the domain list.
- To include consumer Google Accounts, such as @gmail.com and @googlemail.com, enter consumer_accounts in the list. You can also allow access to certain accounts and block access to others. For details, see Blocking access to consumer accounts.
If you allow users to sign in only to specific Google Workspace domains or block users from signing in or out in the browser, you should also:
- Set a sign-in restriction so that only users in your organization can sign in to ChromeOS devices. For details, see Sign-in Restriction.
- Turn off guest browsing on devices. For details, see Guest mode.
- Prevent users from browsing in Incognito mode. See Incognito Mode.
Allows you to manage which Google Accounts are visible in Chrome. Accounts that match the pattern that you specify are visible in Chrome. Otherwise, they’re hidden. Left blank, all Google Accounts on the device are visible in Chrome.
Enter the list of patterns, one per line. For example:
*@example.com
user@solarmora.com
Use the wildcard character, *, to match zero or more arbitrary characters. The escape character is \. So, to match actual * or \ characters, put \ in front of them.
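The following matcher, added here as an example and not Google's code, implements the pattern syntax just described (unescaped * matches zero or more characters, \ escapes the next character) so you can check which accounts a list of patterns would leave visible before you push it. It assumes that a backslash before any character other than * or \ also yields that character literally, and that comparison is exact (the page does not specify case handling); the sample patterns are the two from the text above.

```python
import re
from typing import Iterable, List, Tuple

# A token is either ("wild",) for an unescaped '*' or ("lit", ch) for one literal character.
Token = Tuple[str, ...]


def tokenize(pattern: str) -> List[Token]:
    """Split one account-visibility pattern into wildcard and literal tokens."""
    tokens: List[Token] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            # Escape: the next character is taken literally ('\*' -> '*', '\\' -> '\').
            # Assumption: a trailing lone backslash is itself a literal backslash.
            i += 1
            tokens.append(("lit", pattern[i] if i < len(pattern) else "\\"))
        elif ch == "*":
            tokens.append(("wild",))
        else:
            tokens.append(("lit", ch))
        i += 1
    return tokens


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a pattern into an anchored regex: '*' -> '.*', literals escaped."""
    parts = [".*" if tok[0] == "wild" else re.escape(tok[1]) for tok in tokenize(pattern)]
    # Anchored at both ends, so '*@example.com' does not match 'a@example.com.other.test'.
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def matches_everything(pattern: str) -> bool:
    """True if the pattern is only unescaped wildcards, i.e. equivalent to leaving the list blank."""
    tokens = tokenize(pattern)
    return bool(tokens) and all(tok[0] == "wild" for tok in tokens)


def account_visible(email: str, patterns: Iterable[str]) -> bool:
    """Apply the setting: blank list -> every account visible; otherwise any pattern must match."""
    active = [p.strip() for p in patterns if p.strip()]
    if not active:
        return True
    return any(pattern_to_regex(p).match(email) for p in active)


def audit_patterns(patterns: Iterable[str]) -> List[str]:
    """Return the patterns that make every account visible, which defeats the restriction."""
    return [p.strip() for p in patterns if p.strip() and matches_everything(p.strip())]


if __name__ == "__main__":
    # Constructed sample: the two patterns from the setting text plus a few test accounts.
    sample_patterns = ["*@example.com", "user@solarmora.com"]
    for addr in ["alice@example.com", "user@solarmora.com", "bob@solarmora.com"]:
        print(addr, "visible" if account_visible(addr, sample_patterns) else "hidden")
    print("overly broad patterns:", audit_patterns(["*", "*@example.com"]))
```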
Controls whether to allow users to sign in to Chrome Browser as a guest. If you select Allow guest browser logins (default), users can start guest browser sessions and all windows are in incognito mode. When users exit Guest mode, their browsing activity is deleted from the device.
When you have this setting enabled you can also Allow guest browser logins and profile logins (default). Users can sign in as a guest and use new and existing profiles. To enforce guest sessions and prevent profile logins, select Only allow guest browser logins.
If you select Prevent guest browser logins, Chrome Browser does not allow guest profiles to be started.
Setting also available for managed guest sessions and kiosk apps
To let users span a window across multiple monitors or TVs, you can select Make Unified Desktop mode available to user. By default, this feature is turned off. Users can disable unified desktop and still use 2 external displays, but individual windows are in one display or the other, even if the desktop is extended across both.
- Up to 2 external displays are supported.
- Unified desktop is intended to work across monitors of the same resolution.
- When enabled, unified desktop is the default mode when a user connects a monitor to their device.
To allow web applications to generate and collect WebRTC event logs for your users, select Allow WebRTC Event Log Collection. The logs can help Google identify and resolve issues with audio and video meetings. They contain diagnostic information, such as the time and size of sent and received RTP packets, feedback about congestion on the network, and metadata about time and quality of audio and video frames. The logs have no video or audio content from the meetings.
To collect logs for Google Meet customers, you must enable both this setting and the Client logs upload policy in the Google Admin console.
To allow web applications to generate and collect WebRTC text logs for your users, select Allow WebRTC text logs collection from Google Services. The logs can help Google identify and resolve issues with audio and video meetings. They contain diagnostic information, such as the textual metadata describing incoming and outgoing WebRTC streams, WebRTC specific log entries, and additional system information. The logs have no video or audio content from the meetings.
To collect logs for Google Meet customers, you must enable both this setting and the Client logs upload policy in the Google Admin console.
Specifies whether users can use Google Assistant on the web.
Select Allow using Google Assistant on the web to allow faster checkout and password changes. However, Google Assistant will then only run if users consent to using it.
By default, Allow the user to decide is selected. Users can turn on or off Google Assistant.
By default, Quick Answers settings are turned on. Quick Answers has permission to access selected content and send the info to the Google server to get definition, translation, or unit conversion results. On their ChromeOS devices, users can right-click or long press their text selection to show related information.
If you use the Admin console to turn off Quick Answer features, users can’t change or override them.
Specifies which system features are disabled on ChromeOS devices. We recommend that you use this setting to block camera, OS settings, and browser settings instead of using the URL blocking setting or blocking apps and extensions by ID.
When users try to open a feature that you’ve disabled, they’ll see a message letting them know that it has been blocked by their administrator.
Controls whether users can play the dinosaur game on Chrome Browser or ChromeOS devices when devices are offline. Choose one of the options:
- Allow users to play the dinosaur game when the device is offline on Chrome Browser, but not on enrolled ChromeOS devices—When devices are offline, users can’t play the dinosaur game on enrolled ChromeOS devices, but they can play it on Chrome Browser.
- Allow users to play the dinosaur game when the device is offline—Users can play the dinosaur game when devices are offline.
- Do not allow users to play the dinosaur game when the device is offline—Users can’t play the dinosaur game when devices are offline.
You can let users run Steam on ChromeOS.
Steam uses Borealis, a Linux container that lets users play Steam games on their ChromeOS devices by hosting Steam with all the required packages, latest drivers, and dependencies.
For managed ChromeOS devices, the default is Do not allow Steam on ChromeOS. However, for unmanaged users, Steam is available by default.
If you choose to turn on Steam for users, it is only available if no other policy or setting disables it.
When the search box is empty, controls whether the launcher on Chrome devices recommends apps that were previously installed on other devices.
When users open the launcher on their ChromeOS device and start to type in the search box, Google Chrome suggests content, including webpage URLs and apps.
Specifies whether users can see the webpage's full URL in the address bar.
For some users, the webpage's full URL is not shown in the address bar. Instead, they see the default URL, which only shows the domain. This helps to protect users from some common phishing strategies.
Specifies whether signed-in users can copy and paste text between Chrome desktops and Android devices when Chrome sync is enabled. The shared clipboard feature is enabled by default.
Specifies whether, with appropriate permissions, users, apps, and extensions can use fullscreen mode. The default is to allow the use of fullscreen mode.
Specifies whether the fullscreen alert displays when the device returns from sleep or dark screen.
By default, an alert displays to remind the users to exit fullscreen before entering their password. Select Disable fullscreen alert when waking the device to switch off this alert.
Lists the URLs that are allowed to remain in fullscreen mode without showing a notification after ChromeOS devices are unlocked. For URL syntax, see URL blocklist filter format. Left blank, no URLs are allowed to continue in fullscreen mode without a notification.
Specifies whether Chrome Browser shows full-tab product information that helps users to sign in to Chrome, choose Chrome as their default browser, or learn about product features.
You can specify if cards are displayed on the New Tab Page when card content is available. Cards remind users about recent searches and are based on their browsing behavior.
The default is Allow the user to decide and the user can decide whether cards are visible or not.
Specifies whether Chrome always maximizes the first window when users first run Chrome.
Specifies whether Chrome browser can use native messaging hosts installed at the user level. Default is Allow usage of Native Messaging hosts installed at the user level. Regardless of the option that you choose, hosts installed at the system level are allowed.
Specifies exceptions to the hosts that you list in the Native Messaging blocked hosts setting. Enter the list of native messaging hosts that are not blocked, one per line.
For example, you can:
- Allow all native messaging hosts—This is the default. Leave Native Messaging blocked hosts and Native Messaging allowed hosts blank.
- Block all native messaging hosts—For Native Messaging blocked hosts, enter deny list value of * and leave Native Messaging allowed hosts blank.
- Only allow the native messaging hosts that you specify—For Native Messaging blocked hosts, enter deny list value of *. And, for Native Messaging allowed hosts, enter the domains that you want to allow.
Read about Native Messaging blocked hosts.
Specifies which native messaging hosts are blocked, unless they're explicitly allowed in the Native Messaging allowed hosts setting.
For example, you can:
- Allow all native messaging hosts—This is the default. Leave Native Messaging blocked hosts and Native Messaging allowed hosts blank.
- Block all native messaging hosts—For Native Messaging blocked hosts, enter deny list value of * and leave Native Messaging allowed hosts blank.
- Only allow the native messaging hosts that you specify—For Native Messaging blocked hosts, enter deny list value of *. And, for Native Messaging allowed hosts, enter the domains that you want to allow.
Read about Native Messaging allowed hosts.
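To check how the Native Messaging user level hosts, blocked hosts and allowed hosts settings combine for a given host, here is an added evaluator (example code, not Google's). It assumes the evaluation order "explicit allow overrides the blocklist, then the user-level restriction applies", that * in the blocklist means every host as the setting text states, and it validates host names against the rules Chrome's native messaging host manifest documentation gives (lowercase letters, digits, underscores and dots, with no leading, trailing or doubled dots).

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Host name rule from Chrome's native messaging host manifest documentation.
_HOST_NAME = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)*$")


def valid_host_name(name: str) -> bool:
    """True if the name could be a valid native messaging host name."""
    return bool(_HOST_NAME.match(name))


@dataclass
class NativeMessagingPolicy:
    """The three Admin console settings discussed above, as one object."""
    blocked_hosts: List[str] = field(default_factory=list)   # Native Messaging blocked hosts
    allowed_hosts: List[str] = field(default_factory=list)   # Native Messaging allowed hosts
    allow_user_level_hosts: bool = True                       # Native Messaging user level hosts (default)


def host_allowed(policy: NativeMessagingPolicy, host: str,
                 installed_at_user_level: bool) -> Tuple[bool, str]:
    """Decide whether Chrome would let an extension talk to this host; returns (allowed, reason)."""
    if not valid_host_name(host):
        return False, "invalid native messaging host name"
    if host in policy.allowed_hosts:
        pass  # explicitly allowed: the blocklist (including '*') does not apply
    elif "*" in policy.blocked_hosts or host in policy.blocked_hosts:
        return False, "blocked by Native Messaging blocked hosts"
    # Assumption: the user-level restriction is evaluated after the lists.
    if installed_at_user_level and not policy.allow_user_level_hosts:
        return False, "user-level hosts not allowed; system-level installation required"
    return True, "allowed"


def describe_mode(policy: NativeMessagingPolicy) -> str:
    """Name the configuration, using the three cases the setting text lists plus the mixed case."""
    if not policy.blocked_hosts and not policy.allowed_hosts:
        return "allow all native messaging hosts"
    if "*" in policy.blocked_hosts and not policy.allowed_hosts:
        return "block all native messaging hosts"
    if "*" in policy.blocked_hosts:
        return "only allow the native messaging hosts listed"
    return "block only the listed hosts"


def audit_policy(policy: NativeMessagingPolicy) -> List[str]:
    """Flag entries that cannot have the intended effect."""
    findings = []
    for name in policy.allowed_hosts:
        if name == "*":
            findings.append("'*' in the allowed list re-opens every host; list specific hosts instead")
        elif not valid_host_name(name):
            findings.append(f"allowed entry {name!r} is not a valid host name and will never match")
    for name in policy.blocked_hosts:
        if name != "*" and not valid_host_name(name):
            findings.append(f"blocked entry {name!r} is not a valid host name and will never match")
    return findings


if __name__ == "__main__":
    # Constructed sample: block everything except one hypothetical host.
    policy = NativeMessagingPolicy(blocked_hosts=["*"], allowed_hosts=["com.example.host"])
    print(describe_mode(policy))
    for name in ["com.example.host", "com.other.host"]:
        print(name, host_allowed(policy, name, installed_at_user_level=False))
    print(audit_policy(NativeMessagingPolicy(blocked_hosts=["*"], allowed_hosts=["Com.Example"])))
```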
By default the browser will show media recommendations that are personalized to the user. These recommendations are based on the user’s behavior such as sites that have been frequently visited or web searches. Disabling this policy will result in these recommendations being hidden from the user.
Allows users to open dialog boxes in Chrome that contain files that can be opened and selected. If this policy is disabled, whenever a user performs an action that produces a file selection dialog box such as importing bookmarks, uploading files, and saving links, a message appears instead and file selection dialog boxes are blocked.
Specifies if users can send feedback to Google using Menu > Help > Report an Issue or key combination.
The default is Allow user feedback.
You can enable or disable the Touch to Search feature for users.
Touch to search lets users perform searches by pressing and holding on a word or phrase until an overlay is displayed at the bottom of the screen. They can tap on the overlay to complete a search and display the search results.
The default is Allow users to use touch to search and they can then turn it on or off.
Specifies whether users can access experimental browser features through an icon in the toolbar.
Note: chrome://flags and any other means of turning off and on browser features still behaves as expected, whether this policy is enabled or disabled.
Specifies whether users can use Google Lens on Android devices to learn more about images.
For details about how users can search the web with images, see Search the web on Chrome.
You can allow users to view and use the Google Lens region search menu item in the context menu.
If you select Disable Google Lens region search, users will not see it in the context menu even when Google Lens region search is supported.
Controls the availability of Google Lens integration in the Gallery app on ChromeOS devices.
By default, Enable Lens integration is selected—In the Gallery app, users can use Google Lens to search the content that they select.
Supported on Chrome version 93 to 102 inclusive.
Chrome 93 and later has a new address bar icon for secure connections. By default, Use default icons for secure connections is selected. Select Use the lock icon for secure connections to continue using the existing lock icon for secure connections.
Controls the visibility of the middle slot announcement on the new tab page.
Specifies whether a warning dialog is displayed when the user is attempting to quit their browser.
Specifies whether the browser can filter URL parameters.
The default allows the browser to filter URL parameters. This means the filter might remove some parameters when a user selects Open Link in Incognito Window from the context menu.
Specifies the UI theme recommended to users on their ChromeOS devices; light theme, dark theme, or auto mode.
Auto mode automatically switches between dark and light themes on sunrise and sunset. Users can change the theme in system settings.
You can specify whether Google Chrome asks for consent from managed users to share device signals on unmanaged devices to gain access. Device signals can include OS information, registry, or file presence.
The default is Ask for consent to share signals on unmanaged devices.
Allow or block automatic full-screen display on sites that you specify, without prompting users for permission.
Users can allow Isolated Web Apps, but the automatic fullscreen setting overrides users' personal settings. Admins can use this setting to allow or block additional URLs.
Note: Sites not specified in this setting, or in the users’ configuration, prompt the user to allow or block full-screen display.
For more information about this setting, see Automatic Fullscreen Content Setting.
For details on valid URL patterns, see Enterprise policy URL pattern format. The use of wildcard characters (*) is allowed.
Allows information from Google apps and services to appear on users’ Chrome OS devices.
By default, Allow integrations is selected. The contextual integrations that you select in Configuration, such as Tasks and Calendar, appear on users’ devices.
Information is shown only for Google apps and services that are turned on and URLs that are not blocked. For example, to use the Calendar contextual integration, ensure that Google Calendar Integration is set to Enable Google Calendar Integration—Read about the Google Calendar Integration setting.
Selecting Disable integrations turns off contextual integrations for all Google apps and services.
Control the default keyboard-focusable scroller behavior.
When a pointing device, trackpad, or touchscreen is not a user's optimal way to navigate a webpage, they can use the keyboard to navigate across the page and access focusable elements, such as text, buttons, icons and so on.
Previously, a scroller element could only be keyboard-focusable if the tabindex was explicitly set to 0 or higher. When you turn on this setting, scrollers are keyboard-focusable, click-focusable, and programmatically-focusable by default. By making scrollers focusable by default, users who can't (or don't want to) use a mouse can use the keyboard tab and arrow keys to focus content.
Note: This behavior only works for scrollers without keyboard-focusable children, such as buttons. If the scroller already contains a button, then the tab key focus skips the scroller and focuses on the button directly.
If you turn off this setting, scroll controls are not focusable by default.
You can control the sounds played in Focus Mode on a ChromeOS device. You can allow all sounds, no sounds, or reduce user distraction by allowing users to listen to a limited set of music to help them focus.
By default, all sounds play in Focus Mode.
Connected devices
Smart Lock
Allows your users to unlock their ChromeOS device without a password using their nearby Android phone. For details, go to Unlock your Chromebook with your Android phone.
Users can instantly tether from their Google phone to share its mobile data with their device.
Users can set up their SMS Messages to be synced between their phones and ChromeOS devices.
Note: If this policy is allowed, users must explicitly opt into this feature by completing a setup flow. Once the setup flow is complete, users will be able to send and receive SMS messages on their devices.
Specifies whether users can send phone numbers from ChromeOS devices to an Android device when the user is signed in.
The default is Allow users to send phone numbers from Chrome to their phone.
Specifies whether users can turn on Nearby Share to share files with Android and ChromeOS devices that are nearby. By default, Prevent users from enabling nearby share is selected.
For details about how users turn on and use Nearby Share on their ChromeOS devices, go to Share files with devices near you.
Specifies whether users can interact with their Android phone on a ChromeOS device.
The default is Do not allow Phone Hub to be enabled and users are not allowed to opt into Phone Hub.
If you select Allow Phone Hub to be enabled, users are allowed to opt into Phone Hub and 2 additional options are displayed:
- Allow Phone Hub notifications to be enabled—Specifies whether users who have already opted in to Phone Hub can send or receive their phone's notifications on ChromeOS.
- Allow Phone Hub task continuation to be enabled—Specifies whether users who have already opted in to Phone Hub can continue tasks such as viewing their phone's webpages on ChromeOS.
You can prevent users from streaming apps by, for example, clicking on a Phone Hub notification.
The default is to allow users to stream apps.
Accessibility
Note: By default, the accessibility settings are turned off until the user turns them on in the Chromebook accessibility settings or by using keyboard shortcuts. We strongly advise using caution before disabling any of the accessibility features, as this can cause problems for users with disabilities or particular needs. If a policy is left unset, users can access the feature anytime. However, if you set a policy, users can’t change or override it.
Spoken feedback
The ChromeVox screen reader helps users with visual impairments. When turned on, their Chromebook will read aloud text that is on the screen. For users who are hearing impaired, this feature will allow the text to be shown on a connected braille display.
For details, see Use the built-in screen reader and Use a braille device with your Chromebook.
Users can hear specific text on a page read aloud, including specific words, selections of text, or sections of the screen. View word-by-word highlighting as words are read aloud for a better audio and visual experience.
For details, see Hear text read aloud.
High contrast mode changes the font and background color scheme to make pages easier to read. On ChromeOS devices, users can turn on high contrast mode in the accessibility settings or by pressing Search + Ctrl + h or Launcher + Ctrl + h.
Lets the user zoom in their screen up to 20x the default size. You can turn off the screen magnifier or choose which type of screen magnifier your users can use.
For details, see Zoom in or magnify your Chromebook screen.
Users can type shortcut key combinations in sequence, instead of pressing multiple keys at once. For example, instead of pressing the Ctrl and V keys at the same time, sticky keys lets users first press Ctrl and then press V after.
For details, see Use keyboard shortcuts one key at a time.
Users can input characters without the need for physical keys. An on-screen keyboard is typically used on devices with a touchscreen interface, but it’s also accessible using a touchpad, mouse, or connected joystick.
For details, see Use the on-screen keyboard.
For more information on how the virtual keyboard policies work, see Virtual keyboard policies.
Lets users input characters, when devices are in tablet mode, without the need for physical keys. An on-screen keyboard is typically used on devices with a touchscreen interface, but it’s also accessible using a touchpad, mouse, or connected joystick.
For details, see Use the on-screen keyboard.
Note: When you set this policy, users cannot change it.
If you enable either the Accessibility on-screen keyboard setting or the user enables the Enable on-screen keyboard ChromeOS setting on their device, this setting has no effect.
If you disable either the Accessibility on-screen keyboard setting or the user disables the Enable on-screen keyboard ChromeOS setting on their device, the option you select for this setting is applied.
If you select Enable touch on-screen keyboard in both tablet and laptop modes, the on-screen keyboard will always be displayed even when a physical keyboard is present.
The on-screen keyboard could change to a compact layout depending on the input method.
For more information on how the virtual keyboard policies work, see Virtual keyboard policies.
Users can type long documents and emails using their voice instead of a keyboard.
For details, see Type text with your voice.
Lets users highlight objects on the screen as they navigate through them using the keyboard. Users can more easily see where they are on a page while filling forms or selecting an option.
While editing text, this feature highlights the area that surrounds the caret, also known as the cursor.
The mouse cursor will automatically click or scroll where it hovers. This can be helpful for users who find clicking the mouse or touchpad difficult.
For details, see Automatically click objects on your Chromebook.
Increases the size of the mouse cursor so that it's more visible on the screen.
Creates a colored focus ring around the mouse cursor for better visibility on the screen.
Changes the order of the primary mouse button and touchpad from left to right. By default, the left mouse button is primary, but it can be changed anytime.
Changes the audio outputs on Chrome devices so that the same volume plays through the left and right built-in speakers and headphones. This setting can be useful for users who have better hearing in one ear than the other.
Specifies whether accessibility keyboard shortcuts are turned on or off. By default, keyboard shortcuts are available for your users. To turn them off, select Disable accessibility shortcuts.
For more information, see Turn on Chromebook accessibility features.
Shows or hides accessibility options in the system tray menu. To give users quick access to accessibility features, select Show accessibility options in the system tray menu.
For details, see Turn on Chromebook accessibility features.
Lets users who use a screen reader or other similar assistive technology in Chrome get descriptions of unlabeled images on the web, such as images that don’t have alt text. Chrome sends images to Google to create the descriptions. No cookies or other user data is sent, and Google does not save or log any image content.
For details, see Get image descriptions on Chrome.
Control whether web pages read text out loud by using content distillation and text-to-speech synthesis.
The default is Always allow read aloud.
This policy is temporary and is planned to be removed in Chrome version 137.
Specifies whether accessibility tools can use Chrome's UI Automation provider. While we gradually roll out Chrome's UI Automation accessibility framework provider to users, you can use this setting to control its deployment in your organization.
Accessibility and other tools that use the UI Automation accessibility framework might require updates to work properly with Chrome’s UI Automation provider. Select Disable the UI Automation provider to temporarily stop using Chrome’s UI Automation provider, and continue to only use Microsoft’s compatibility shim. This gives you time to work with third-party providers to update tools and fix incompatibilities that might be caused by the switching to Chrome’s UI Automation provider.
Selecting Enable the UI Automation provider allows you to opt in early to use Chrome's UI Automation provider and ensure that third-party accessibility tools with the newer UI Automation accessibility framework continue to work as expected. Tools can also use Chrome’s Microsoft Active Accessibility provider.
By default, Use the default Chrome setting is selected. Chrome’s UI Automation provider is set via the variations framework.
Power and shutdown
Battery Saver Mode
Specifies whether battery saver mode for devices is turned on or off. Turn on the setting to ensure that the frame rate is throttled to lower power consumption.
If you select End user can control this setting, users can turn on or off battery saver mode in chrome://settings/performance.
Note: The Enable when the device is on battery power option has been deprecated. In Chrome version 121 and after, this option turns on battery saver mode when the device is on battery power and battery level is low.
Specifies whether wake locks are allowed for power management. Wake locks force the PowerManager to keep the screen on or have the CPU still running in standby mode. For example, wake locks are useful if you want to make sure that the Wi-Fi connection keeps running at full performance. Extensions can request wake locks through the power management extension API and ARC apps.
By default, Allow wake locks is selected. In addition, you can configure Screen wake locks. To prevent devices from dimming or locking the screen when an application needs to keep running, select Allow screen wake locks for power management.
If you select Do not allow wake locks, wake lock requests are ignored.
Specifies the maximum amount of time that browser shutdown is delayed to let Chrome process keepalive requests. Enter a value between 0 and 5 seconds. Left blank, the default value of 0 seconds is used and Chrome immediately shuts down.
For details on keepalive requests, see Fetch standard documentation.
You can enable the adaptive charging model to hold the charging process and extend the battery life of devices.
When you plug your device into a charger, the adaptive charging model automatically adjusts the amount of power that is sent to your device based on how much power it needs. This means that your device does not overcharge, potentially damaging the battery.
When the adaptive charging model does hold the charging process, the battery is kept at a certain level, for example 80%. It will then charge the device to 100% when the user needs it.
Action on lid close
Select if you want a user's device to go to sleep, sign them out, shut down, or do nothing, when they close the device lid. The default for user sessions is Sleep and the default for managed guest sessions is Logout.
AC/Battery idle action
The delay values you can add are the same for both AC and battery power.
Select if you want a user's device to go to sleep, sign them out, shut down, or do nothing, when they idle when connected to AC power or battery power. The default is Sleep.
For all the fields in which you enter a delay, the following applies:
- Specify the delay in seconds.
- The value entered must be set to a value greater than 0 to trigger the specified action.
- Enter 0 to never carry out the specified action on idle.
- Leave the box empty to use the system default, which varies by device.
- Screen dim delay value ≤ screen off delay value ≤ screen lock delay value ≤ idle delay value (excluding delays that are 0 or unset).
- Idle warning delay value ≤ idle delay value.
- If idle delay value = 0 this is a special case when no other action is taken.
Enter a value in the following fields:
- AC/Battery idle delay in seconds—Specify the amount of idle time in seconds before the user’s device carries out the action that you have selected.
- AC/Battery idle warning delay in seconds—Specify the amount of idle time in seconds before the user’s device displays a warning that it is about to carry out the action that you have selected. The warning is only displayed if the idle action you selected is Logout or Shutdown. If you have selected Sleep or Do nothing, enter 0 or leave empty.
- AC/Battery screen dim delay in seconds—Specify the amount of idle time in seconds before the screen dims on the user’s device.
- AC/Battery screen off delay in seconds—Specify the amount of idle time in seconds before the screen turns off on the user’s device.
- AC/Battery screen lock delay in seconds—Specify the amount of idle time in seconds before the screen locks on the user’s device.
Lock screen on sleep or lid close
Select to lock a user’s screen when the device goes to sleep or the lid is closed, or let the user decide. If you select Allow user to configure, users configure the option in their device settings.
If devices are docked and using an external monitor, they do not lock when the lid is closed. In this case, the device only locks if the external monitor is removed and the lid is still closed.
Considerations
- Some extensions such as Imprivata can override the power management settings, unless the Screen wake locks or Allow wake locks settings are turned off. For more details, see Wake locks.
- Currently, you cannot change the screen dim and screen off delays on the lock screen. Existing screen dim and screen off delays are only for dimming or turning off the screen during a user session or managed guest session.
- The screen lock settings might not work on devices in dev mode.
- You can use the AC/Battery screen lock delay in seconds setting to lock the screen before the idle action. You can use the Lock screen on sleep or lid close setting to control whether the screen is locked on lid close or when the device goes to sleep on idle delay. If the lock screen action is turned off using one of these settings, the screen might still be locked depending on the value of the other setting.
- If the AllowScreenLock policy is turned on, the device could sign out the user instead of locking the screen. For details, see the Lock screen setting in Set Chrome policies for users or browsers.
- To lock the screen when the device goes idle, set the idle action to Do nothing and enter equal screen lock and idle delay values.
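The delay rules listed under AC/Battery idle action and the lock-on-idle recipe in the considerations above, as an added example that is not Google's code: a small validator you can run over a delay profile before pushing it to devices. The field names are this example's own keys, not Admin console identifiers.

```python
from typing import Dict, List, Optional

# Keys are this example's own names for the five delay fields, not Admin console identifiers.
DELAY_FIELDS = ("screen_dim", "screen_off", "screen_lock", "idle_warning", "idle")
# The ordering the page requires among delays that are neither 0 nor blank.
ORDERED_CHAIN = ("screen_dim", "screen_off", "screen_lock", "idle")
IDLE_ACTIONS = ("Sleep", "Logout", "Shutdown", "Do nothing")


def _active(delays: Dict[str, Optional[int]], name: str) -> Optional[int]:
    """Value that takes part in the ordering checks: None when the field is 0 or blank."""
    value = delays.get(name)
    return value if isinstance(value, int) and value > 0 else None


def validate_delays(delays: Dict[str, Optional[int]], idle_action: str) -> List[str]:
    """Return the list of rule violations; an empty list means the profile is consistent.

    delays maps a field name to seconds, 0 (never) or None (blank = system default).
    """
    problems: List[str] = []
    if idle_action not in IDLE_ACTIONS:
        problems.append(f"unknown idle action {idle_action!r}")

    # Every entered value must be a whole number of seconds, 0 or greater.
    for name in DELAY_FIELDS:
        value = delays.get(name)
        if value is not None and (isinstance(value, bool) or not isinstance(value, int) or value < 0):
            problems.append(f"{name}: must be a whole number of seconds >= 0, got {value!r}")

    # dim <= off <= lock <= idle, skipping delays that are 0 or unset.
    chain = [(n, _active(delays, n)) for n in ORDERED_CHAIN if _active(delays, n) is not None]
    for (left, lv), (right, rv) in zip(chain, chain[1:]):
        if lv > rv:
            problems.append(f"{left} ({lv}s) must not exceed {right} ({rv}s)")

    # Warning delay <= idle delay.
    warn, idle = _active(delays, "idle_warning"), _active(delays, "idle")
    if warn is not None and idle is not None and warn > idle:
        problems.append(f"idle_warning ({warn}s) must not exceed idle ({idle}s)")

    # The warning is only shown for Logout/Shutdown; for Sleep/Do nothing enter 0 or leave blank.
    if idle_action in ("Sleep", "Do nothing") and warn is not None:
        problems.append(f"idle_warning is not shown for idle action {idle_action!r}; enter 0 or leave it blank")
    return problems


def effective_idle_action(delays: Dict[str, Optional[int]], idle_action: str) -> str:
    """Idle delay 0 is the special case in which the idle action is never taken."""
    return "Do nothing" if delays.get("idle") == 0 else idle_action


def locks_on_idle(delays: Dict[str, Optional[int]], idle_action: str) -> bool:
    """The page's recipe for locking (rather than sleeping) on idle: action 'Do nothing'
    with equal, non-zero screen lock and idle delays."""
    lock, idle = _active(delays, "screen_lock"), _active(delays, "idle")
    return idle_action == "Do nothing" and lock is not None and lock == idle


if __name__ == "__main__":
    # Constructed sample profile: dim at 5 min, off at 10, lock at 15, warn at 25, log out at 30.
    profile = {"screen_dim": 300, "screen_off": 600, "screen_lock": 900, "idle_warning": 1500, "idle": 1800}
    print(validate_delays(profile, "Logout") or "profile is consistent")
```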
Controls whether screen dim delay on ChromeOS devices can be extended.
By default, Enable smart dim model is selected. If the smart dim model extends the time until screens dim, the time it takes for users’ screens to turn off, lock, or go to sleep automatically adjusts to keep the same amount of time between them and the screen dim delay originally set.
If you choose Disable smart dim model, the smart dim model doesn’t influence screen dimming. You can set Scale percent for screen dim delay on user activity and Scale percent for screen dim delay when presenting, where the scale factor must be at least 100%.
- Scale percent for screen dim delay on user activity—Percentage by which to increase the screen dim delay if the user becomes active while the screen dims or soon after it turns off.
- Scale percent for screen dim delay when presenting—Percentage by which to increase the screen dim delay if the user is presenting using their ChromeOS device.
Controls whether audio activity on ChromeOS devices affects power management.
By default, Disallow idle action when audio is playing is selected. Users are not considered idle while audio is playing. This prevents the idle timeout from being reached and the idle action from being taken. Despite audio activity, screens still dim, turn off, and lock after their configured timeouts.
Controls whether video activity on ChromeOS devices affects power management.
By default, Disallow idle action when video is playing is selected. Users are not considered idle while video is playing. This prevents the idle timeout from being reached and the idle action from being taken. Despite video activity, screens still dim, turn off, and lock after their configured timeouts.
Specifies when to start power management delays and session length limits—Either at the start of the session or after initial user activity. By default, Start power management delays and session length limits at session start is selected.
You can select what actions the browser performs when idle for a specified period of time.
Warning: Setting this policy can impact and permanently remove local personal data. We recommend testing your settings before deploying to prevent the accidental deletion of personal data. Sync is disabled for the respective data types if the SyncDisabled or the BrowserSignin policies are not disabled.
In the Browser idle timeout (minutes) field, enter the length of time without user input before the browser performs the actions you have selected. The minimum length of time you can enter is 1 minute.
If you leave the Browser idle timeout (minutes) field empty or do not select any actions, no action is performed by the browser.
User input is defined by Operating System APIs, and includes things like moving the mouse or typing on the keyboard.
Omnibox search provider
Search suggest
Allows you to enable or disable a prediction service for users to help complete the web addresses or search terms. You can specify that it’s always enabled or disabled or you can let the user configure it in their Chrome settings.
Specifies the name of the default search provider. If you select Lock the Omnibox Search Provider settings to the values below, you can customize the following options:
Omnibox search provider name
Enter a name to use for the address bar. If you don't provide one, Chrome uses the host name from the Omnibox search provider search URL.
Omnibox search provider keyword
Specifies the keyword used as the shortcut to trigger the search.
Omnibox search provider search URL
Specifies the URL of the search engine.
The URL must contain the string '{searchTerms}', which is replaced at query time by the terms the user is searching for, for example, "http://search.my.company/search?q={searchTerms}".
To use Google as your search engine, enter:
{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}
Omnibox search provider suggest URL
Specifies the URL of the search engine used to provide search suggestions.
The URL should contain the string '{searchTerms}', which is replaced at query time by the text the user has entered so far.
To use Google as the search engine that provides search suggestions, enter:
{google:baseURL}complete/search?output=chrome&q={searchTerms}
Omnibox search provider instant URL
Specifies the URL of the search engine used to provide instant results.
The URL should contain the string '{searchTerms}', which is replaced at query time by the text the user has entered so far.
Omnibox search provider icon URL
Specifies the icon URL of the search provider. You need to access your search provider site at least once so that the icon file is retrieved and cached before you enable Lock the Omnibox Search Provider settings to the values below.
Omnibox search provider encodings
Specifies the character encodings supported by the search provider.
Encodings are code page names like UTF-8, GB2312, and ISO-8859-1. They are tried in the order provided. The default is UTF-8.
Provides a list of sites that users can quickly search using predefined shortcuts in their address bar. For example, you can create predefined shortcuts to your organization’s company intranet, most used tools, and so on. Users trigger a search by typing @shortcut, or just shortcut, followed by Space bar or Tab key in their address bar.
Enter details for the shortcuts you want to configure:
- Site or page—The name that is shown to the user in their address bar. For example, enter Workspace.
- Shortcut—The keyword that the user enters to trigger the search. The shortcut can include plain words and characters, but cannot include spaces or start with the @ symbol. Shortcuts must be unique. For example, enter ws. Then, users type ws in their address bar to trigger the search.
- URL—The URL on which to search. Enter the web address for the search engine's results page, and use {searchTerms} in place of the query. For example, enter https://drive.google.com/corp/drive/search?q={searchTerms}
- Featured—When selected as Featured, the shortcut appears as a recommendation when users type @ in their address bar. Up to three entries can be selected as Featured.
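The shortcut rules above, as an added example that is not Google's code: a checker for the fields' constraints (no spaces, no leading @, unique keywords, {searchTerms} present, at most three Featured) plus a resolver that turns a typed "@ws quarterly report" line into the results URL. The Shortcut class and the wiki.example.com addresses are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import quote

MAX_FEATURED = 3  # the page allows up to three Featured entries


@dataclass
class Shortcut:
    site: str        # "Site or page": the name shown in the address bar
    keyword: str     # "Shortcut": what the user types
    url: str         # results URL containing {searchTerms}
    featured: bool = False


def validate_shortcuts(shortcuts: List[Shortcut]) -> List[str]:
    """Return rule violations as messages; an empty list means the list is acceptable."""
    problems: List[str] = []
    seen = set()
    for s in shortcuts:
        if not s.keyword or re.search(r"\s", s.keyword):
            problems.append(f"{s.site}: shortcut must be non-empty and contain no spaces")
        if s.keyword.startswith("@"):
            problems.append(f"{s.site}: shortcut must not start with @")
        if s.keyword in seen:
            problems.append(f"{s.site}: duplicate shortcut {s.keyword!r}")
        seen.add(s.keyword)
        if "{searchTerms}" not in s.url:
            problems.append(f"{s.site}: URL must contain {{searchTerms}}")
    if sum(s.featured for s in shortcuts) > MAX_FEATURED:
        problems.append(f"at most {MAX_FEATURED} shortcuts can be Featured")
    return problems


def resolve_typed_input(shortcuts: List[Shortcut], typed: str) -> Optional[str]:
    """Turn '@ws quarterly report' or 'ws quarterly report' into the results URL.

    Returns None until the user has followed the keyword with Space or Tab, or if
    the keyword matches no configured shortcut.
    """
    parts = re.split(r"[ \t]", typed, maxsplit=1)
    if len(parts) < 2:
        return None
    keyword, terms = parts
    if keyword.startswith("@"):
        keyword = keyword[1:]
    for s in shortcuts:
        if s.keyword == keyword:
            # Query terms are percent-encoded before substitution into the template.
            return s.url.replace("{searchTerms}", quote(terms.strip()))
    return None


if __name__ == "__main__":
    # Constructed sample configuration using the page's Workspace example.
    shortcuts = [Shortcut("Workspace", "ws", "https://drive.google.com/corp/drive/search?q={searchTerms}", True)]
    print(validate_shortcuts(shortcuts) or "shortcuts are valid")
    print(resolve_typed_input(shortcuts, "@ws quarterly report"))
```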
Specifies whether users can view their most recent Google Search results in a side panel and a webpage at the same time. Learn how to Open search results in Side panel.
If you select Disable showing the most recent Google Search results in a Browser side panel, users don’t see the icon.
Hardware
External storage devices
Controls whether users in your organization can use ChromeOS devices to mount external drives, including USB flash drives, external hard drives, optical storage, Secure Digital (SD) cards, and other memory cards. If you disallow external storage and a user attempts to mount an external drive, Chrome notifies the user that the policy is in effect.
If you choose to Allow external storage devices (read-only), users can read files from external devices but cannot write to them. Formatting of devices is also disallowed.
This policy does not affect Google Drive or internal storage, such as files saved in the Download folder.
You can specify if sites can or cannot ask users to grant them access to connected USB devices or you can allow the user to make the decision. You can also add a list of URLs that can or cannot request access from the user to a connected USB device.
In the Can web sites ask for access to connected USB devices section, select one of the following:
- Allow the user to decide if sites can ask (default)—Lets websites ask for access, but users can change this setting.
- Allow sites to ask the user for access—Lets websites ask the user for access to connected USB devices.
- Do not allow any site to request access—Denies access to connected USB devices.
In the Allow these sites to ask for USB access field, enter all URLs that are allowed to request access to connected USB devices from the user.
In the Block these sites from asking for USB access field, enter all URLs that are not allowed access to connected USB devices.
If the URL is not blocked, the option set in the Can web sites ask for access to connected USB devices section or the users' personal settings take precedence, in that order.
Do not enter the same URL in both the Allow these sites to ask for USB access and Block these sites from asking for USB access. If a URL matches with both, neither policy takes precedence.
For details on valid URL patterns, see Enterprise policy URL pattern format.
You can specify a list of sites that can connect to USB devices with specific vendor and product IDs. Access to these devices is automatically allowed for the corresponding web applications on the client side.
In the WebUSB API allowed devices section, do the following:
- Next to No USB devices were configured yet, click .
- Enter the URL patterns that specify the sites that are automatically granted permission to access a USB device.
- For each URL under VID-PID, enter the corresponding vendor and product IDs.
- Click Save.
URLs that you specify in the lists are matched against the origin of the requesting URL. Paths in the URL pattern are ignored. For details on valid URL patterns, see Enterprise policy URL pattern format.
Considerations
- All devices and URLs must be valid or the policy is ignored.
- Each item in the VID-PID field can have a vendor ID and product ID. If you do not add a vendor ID, the policy matches any device. If you do not add a product ID, the policy matches any device with the given vendor ID.
- Any policy with a product ID but no vendor ID is invalid.
- This policy overrides the WebUSB API setting and the user's preferences.
- This policy only affects access to USB devices through the WebUSB API. To grant access to USB devices through the Web Serial API see the SerialAllowUsbDevicesForUrls policy.
Lists the website URLs that can automatically connect to HID devices with specific vendor and product IDs.
The URLs that you list are matched against the origin of the requesting URL. Paths in the URL pattern are ignored. For details on valid URL patterns, go to Enterprise policy URL pattern format.
For each URL, enter the vendor identifier (VID) and product identifier (PID) of the devices you want to allow access to as a colon separated hexadecimal pair (VID:PID). Put each device on a separate line.
Considerations
- For each item in the list, the URL and device IDs must be valid. Otherwise, the item is ignored.
- For each device, you can enter a vendor ID and product ID.
- If you do not add a vendor ID, the policy matches any device.
- If you do not add a product ID, the policy matches any device with the given vendor ID.
- Any policy with a product ID but no vendor ID is invalid.
- This policy takes precedence over DefaultWebHidGuardSetting and WebHidBlockedForUrls as well as the user’s preference.
Controls whether users in your organization can let websites access audio input from the built-in microphone on a ChromeOS device.
When a user connects an external audio input device, the audio on the ChromeOS device unmutes immediately.
If you have enabled Android apps on supported ChromeOS devices in your organization and have this setting disabled, the microphone input is disabled for all Android apps without exceptions.
Allows URLs to be granted access to audio capture devices without prompt.
Patterns in this list will be matched against the security origin of the requesting URL. If a match is found, access to audio capture devices will be granted without prompting the user for confirmation.
For detailed information on valid URL patterns, see Enterprise policy URL pattern format.
Controls whether users in your organization can play sound on their ChromeOS devices. The policy applies to all audio outputs on ChromeOS devices, including built-in speakers, headphone jacks, and external devices attached to HDMI and USB ports.
If you disable audio, the ChromeOS device still shows its audio controls but users can't change them. Also, a mute icon appears.
This setting has no effect on the Google Drive Android app on ChromeOS.
Controls the priority of the Chrome browser audio process.
This setting lets admins run audio with higher priority to address certain performance issues with audio capture, and will be removed in the future.
Specifies whether URLs can access any type of video input, not just the built-in camera.
By default, Enable camera input for websites and apps is selected. For URLs other than the ones you specify in Video input allowed URLs, users are prompted for video capture access.
If you select Disable camera input for websites and apps, video capture access is available only to URLs that you specify in Video input allowed URLs.
This policy also affects Android apps on supported ChromeOS devices. For example, if you’ve enabled Android apps on supported ChromeOS devices in your organization, you can prevent Android apps from accessing the built-in camera.
Allows URLs to be granted access to video capture devices without prompt.
Patterns in this list will be matched against the security origin of the requesting URL. If a match is found, access to video capture devices will be granted without prompting the user for confirmation.
For detailed information on valid URL patterns, see Enterprise policy URL pattern format.
Note: To allow access to a video capture device, you can also add the application’s ID. For example, hmbjbjdpkobdjplfobhljndfdfdipjhg gives access to Zoom® Meetings®.
Specifies whether hardware acceleration is enabled for the graphics processing unit (GPU) unless a certain GPU feature is added to a blocklist.
Hardware acceleration uses your device’s GPU to perform graphics-intensive tasks, like playing videos or games, while your central processing unit (CPU) runs all other processes.
Determines the behavior of the top row of keys on the keyboard. If this setting is unset or set to media keys, the keyboard's top row of keys will act as media keys. If the policy is set for function keys, then the keys will act as function keys (such as F1, F2). In both scenarios, users can change the behavior. Also, users can turn a media key to a function key (and vice versa) by holding down the search key.
You can specify if sites can or cannot ask users to grant them access to a serial port or you can allow the user to make the decision. You can also add a list of URLs that can or cannot request access from the user to a serial port.
In the Control use of the Web Serial API section, select one of the following:
- Allow the user to decide (default)—Lets websites ask for access, but users can change this setting.
- Allow sites to ask the user to grant access to serial ports via the Web Serial API—Lets websites ask the user for access to serial ports.
- Do not allow any site to request access to serial ports via the Web Serial API—Denies access to serial ports.
In the Allow the Web Serial API on these sites field, enter all URLs that are allowed to request access to serial ports from the user.
In the Block the Web Serial API on these sites field, enter all URLs that are not allowed access to serial ports.
If the URL is not blocked, the option set in the Control use of the Web Serial API section or the users' personal settings take precedence, in that order.
Do not enter the same URL in both the Allow the Web Serial API on these sites and Block the Web Serial API on these sites. If a URL matches with both, neither policy takes precedence.
For details on valid URL patterns, see Enterprise policy URL pattern format.
You can specify a list of sites that can connect to serial devices with specific vendor and product IDs. Access to these devices is automatically allowed for the corresponding web apps on the client side.
In the Web Serial API allowed devices section, do the following:
- Next to No serial devices were configured yet, click .
- Enter the URL patterns that specify the sites that are automatically granted permission to access a serial device.
- For each URL under VID-PID, enter the corresponding vendor and product IDs.
- Click Save.
URLs that you specify in the lists are matched against the origin of the requesting URL. Paths in the URL pattern are ignored. For details on valid URL patterns, see Enterprise policy URL pattern format.
Considerations
- All devices and URLs must be valid or the policy is ignored.
- Each item in the VID-PID field can have a vendor ID and product ID. If you do not add a vendor ID, the policy matches any device. If you do not add a product ID, the policy matches any device with the given vendor ID.
- Any policy with a product ID but no vendor ID is invalid.
- This policy overrides the Web Serial API setting and the user's preferences.
- This policy only affects access to serial devices through the Web Serial API. To grant access to serial devices through the WebUSB API see the WebUsbAllowDevicesForUrls policy.
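The matching rules that the WebUSB API allowed devices, WebHID allowed devices and Web Serial API allowed devices considerations share, as one added example that is not Chrome's code: patterns are compared with the requesting origin (paths ignored), a missing vendor ID matches any device, a vendor ID alone matches every product of that vendor, and a product ID without a vendor ID is invalid. It assumes the VID:PID hex text format the WebHID section describes for all three lists, supports full-origin patterns only (not the complete Enterprise policy URL pattern format), and the origins and IDs in the sample are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

VidPid = Tuple[Optional[int], Optional[int]]  # (vendor ID, product ID), either may be unset


def parse_vid_pid(text: str) -> VidPid:
    """Parse 'VID:PID' (hex) into ints. 'VID' alone or 'VID:' leaves the PID unset and an
    empty string matches any device. ':PID' is rejected, as the page requires."""
    text = text.strip().lower()
    if not text:
        return (None, None)
    vid_s, _, pid_s = text.partition(":")
    if not vid_s:
        raise ValueError(f"product ID without vendor ID: {text!r}")
    vid = int(vid_s, 16)
    pid = int(pid_s, 16) if pid_s else None
    for v in (vid, pid):
        if v is not None and not 0 <= v <= 0xFFFF:
            raise ValueError(f"ID outside the 16-bit range: {text!r}")
    return (vid, pid)


def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased; the path is dropped because patterns match origins only."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"expected scheme://host[:port], got {url!r}")
    return f"{parts.scheme}://{parts.netloc}".lower()


@dataclass
class AllowEntry:
    origin: str
    devices: List[VidPid] = field(default_factory=list)


def load_entries(raw: List[Tuple[str, List[str]]], ignore_policy_on_error: bool) -> List[AllowEntry]:
    """Build entries from (url pattern, [VID:PID lines]).

    ignore_policy_on_error=True mirrors the WebUSB/Web Serial wording (any invalid
    item discards the whole policy); False mirrors WebHID (only the bad item is dropped).
    """
    entries: List[AllowEntry] = []
    for url, lines in raw:
        try:
            entries.append(AllowEntry(origin_of(url), [parse_vid_pid(line) for line in lines]))
        except ValueError:
            if ignore_policy_on_error:
                return []  # the whole policy is ignored
            # WebHID behaviour: skip this item and keep the rest
    return entries


def device_matches(rule: VidPid, vid: int, pid: int) -> bool:
    """No VID: any device. VID only: any product of that vendor. Both: exact match."""
    rule_vid, rule_pid = rule
    if rule_vid is None:
        return True
    if rule_vid != vid:
        return False
    return rule_pid is None or rule_pid == pid


def is_auto_granted(entries: List[AllowEntry], requesting_url: str, vid: int, pid: int) -> bool:
    """True when the requesting origin has an entry whose device list covers (vid, pid)."""
    origin = origin_of(requesting_url)
    return any(e.origin == origin and any(device_matches(d, vid, pid) for d in e.devices)
               for e in entries)


if __name__ == "__main__":
    # Constructed sample list: one exact device and one whole vendor for the intranet origin.
    sample = [("https://intranet.example.com/tools", ["046d:c52b", "0bda"])]
    entries = load_entries(sample, ignore_policy_on_error=True)
    print(is_auto_granted(entries, "https://intranet.example.com/other/page", 0x046D, 0xC52B))
```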
Only for ChromeOS devices with an integrated electronic privacy screen.
Specifies whether the privacy screen is always turned on or off. You can enable or disable the privacy screen, or let users choose.
Specifies whether sites can or cannot ask users to grant them read access to files or directories in the host operating system's file system using the File System API. You can add a list of URLs that can or cannot request read access from the user.
Select one of the following:
- Allow the user to decide (default)—Lets websites ask for access, but users can change this setting. This access applies for sites that don't match a URL defined in the Allow file system read access on these sites or the Block read access on these sites fields.
- Allow sites to ask the user to grant read access to files and directories—Lets websites ask the user for read access to files and directories.
- Do not allow sites to request read access to files and directories—Denies read access to files and directories.
In the Allow file system read access on these sites field, enter all URLs that are allowed to request read access to files and directories from the user. Put each URL on its own line.
In the Block read access on these sites field, enter all URLs that are not allowed access to files and directories. Put each URL on its own line.
If a URL isn't explicitly allowed or blocked, the option you selected from the File system read access drop-down or the users' personal settings take precedence, in that order.
Do not enter the same URL in both the Allow file system read access on these sites and Block read access on these sites. If a URL matches with both, neither policy takes precedence.
For details on valid URL patterns, see Enterprise policy URL pattern format.
Specifies whether sites can or cannot ask users to grant them write access to files or directories in the host operating system's file system using the File System API. You can add a list of URLs that can or cannot request write access from the user.
Select one of the following:
- Allow the user to decide (default)—Lets websites ask for access, but users can change this setting. This access applies for sites that don't match a URL defined in the Allow write access to files and directories on these sites or the Block write access to files and directories on these sites fields.
- Allow sites to ask the user to grant write access to files and directories—Lets websites ask the user for write access to files and directories.
- Do not allow sites to request write access to files and directories—Denies write access to files and directories.
In the Allow file system write access on these sites field, enter all URLs that are allowed to request write access to files and directories from the user. Put each URL on its own line.
In the Block write access on these sites field, enter all URLs that are not allowed access to files and directories. Put each URL on its own line.
If a URL isn't explicitly allowed or blocked, the option you selected from the File system write access drop-down or the users' personal settings take precedence, in that order.
Do not enter the same URL in both the Allow file system write access on these sites and Block write access on these sites. If a URL matches with both, neither policy takes precedence.
For details on valid URL patterns, see Enterprise policy URL pattern format.
Starting in Chrome version 108, all FileSystemSyncAccessHandle methods will be invoked synchronously.
Until Chrome version 110, you can specify that FileSystemSyncAccessHandle methods are invoked asynchronously by selecting Re-enable the deprecated async interface for FileSystemSyncAccessHandle.
When a file system entry is handled synchronously, the file reads and writes allow for higher performance for critical methods. Asynchronous operations can have higher overhead.
You can specify whether websites can access and use sensors such as motion and light sensors.
In the Default access section, select one of the following:
- Allow the user to decide if a site may access sensors (default)—Lets websites ask for access, but users can change this setting. This access applies for sites that don't match a URL defined in the Allow access to sensors on these sites or the Block access to sensors on these sites fields.
- Allow sites to access sensors—Allows access to sensors for all sites.
- Do not allow any site to access sensors—Denies access to sensors for all sites.
In the Allow access to sensors on these sites field, enter URLs that are always allowed access to sensors. Put each URL on its own line.
In the Block access to sensors on these sites field, enter URLs that are never allowed access to sensors. Put each URL on its own line.
If the URL isn't explicitly allowed or blocked, the option set in the Default access section or the users' personal settings take precedence, in that order.
Do not enter the same URL in both the Allow access to sensors on these sites and Block access to sensors on these sites. If a URL matches with both, the Block access to sensors on these sites applies and access to motion or light sensors is blocked.
For details on valid URL patterns, see Enterprise policy URL pattern format.
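The file system write access lists and the sensors lists above both use the same URL pattern format and the same allow/block/default resolution, and they differ only in what happens when a URL matches both lists. The following is an added example, not code from this page or from Chrome, that shows one way to evaluate such lists. It assumes patterns of the shape [scheme://][*.]host[:port][/path], that "*" matches everything, that a bare host matches only that host, that a path matches as a prefix, and that a scheme-less pattern matches any scheme; IPv6 literals and the tie-break between patterns of different specificity are not modelled. Node's built-in URL class parses the URL.

```javascript
// Added example: matcher for the enterprise policy URL pattern format and the
// allow/block/default resolution described for the file system write access
// and sensors settings. Not Chrome's implementation; see the assumptions above.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ftp:': '21', 'ws:': '80', 'wss:': '443' };

// Split a pattern into scheme, host, subdomain flag, port and path.
function parsePattern(pattern) {
  if (pattern === '*') return { any: true };
  let rest = pattern.trim();
  let scheme = null;
  const m = rest.match(/^([a-z][a-z0-9+.-]*|\*):\/\//i);
  if (m) {
    scheme = m[1] === '*' ? null : m[1].toLowerCase(); // "*://" means any scheme
    rest = rest.slice(m[0].length);
  }
  let subdomains = false;
  if (rest.startsWith('[*.]')) { subdomains = true; rest = rest.slice(4); }
  let path = null;
  const slash = rest.indexOf('/');
  if (slash !== -1) { path = rest.slice(slash); rest = rest.slice(0, slash); }
  let port = null;
  const colon = rest.lastIndexOf(':');
  if (colon !== -1 && /^\d+$/.test(rest.slice(colon + 1))) {
    port = rest.slice(colon + 1);
    rest = rest.slice(0, colon);
  }
  return { any: false, scheme, host: rest.toLowerCase(), subdomains, port, path };
}

// True when the URL matches the pattern.
function matches(pattern, urlString) {
  const p = parsePattern(pattern);
  if (p.any) return true;
  const u = new URL(urlString);
  if (p.scheme !== null && u.protocol !== p.scheme + ':') return false;
  const host = u.hostname.toLowerCase();
  if (host !== p.host && !(p.subdomains && host.endsWith('.' + p.host))) return false;
  // An omitted port in the URL means the scheme's default port.
  if (p.port !== null && (u.port || DEFAULT_PORTS[u.protocol] || '') !== p.port) return false;
  if (p.path !== null && !u.pathname.startsWith(p.path)) return false;
  return true;
}

// Resolve one URL against the two lists and the default.
// onConflict: what happens when a URL is in both lists. The page states that
// for sensors the block list wins ('block'), while for file system write access
// neither list wins ('neither') and the default (or user choice) applies.
function decide(urlString, { allow = [], block = [], onConflict = 'neither', fallback = 'ask' } = {}) {
  const allowed = allow.some((p) => matches(p, urlString));
  const blocked = block.some((p) => matches(p, urlString));
  if (allowed && blocked) return onConflict === 'block' ? 'block' : fallback;
  if (allowed) return 'allow';
  if (blocked) return 'block';
  return fallback;
}

// Constructed sample lists, not taken from any real deployment.
const sensorLists = { allow: ['[*.]example.com'], block: ['dev.example.com'], onConflict: 'block', fallback: 'ask' };
console.log(decide('https://dev.example.com/', sensorLists));
```

The same input with onConflict set to 'neither' falls through to the default, which is the behaviour the page describes for the file system write lists; keeping the conflict rule explicit in the call site is what makes the two settings' differing semantics visible when you audit a configuration.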
Allows extensions installed by enterprise policy to use the Enterprise Hardware Platform API. This API handles requests from extensions for the manufacturer and model of the hardware platform where the browser is running. This policy also impacts component extensions built into Chrome.
Specifies whether users see a notification each time ChromeOS detects that a USB device was inserted. By default, Show notifications when USB devices are detected is selected.
When users insert USB devices that can be shared with active virtual machines on their device, they’ll see a USB device detected notification that prompts them to connect to the virtual machine. For example, they might get prompted to connect to Android apps, Linux, Managed Development Environment, or Parallels Desktop. If you select Do not show notifications when USB devices are detected, users are no longer prompted to connect so they can’t access USB devices from the virtual machines.
Legacy site compatibility
Disabled element MouseEvents
This policy is temporary and implemented due to a vital fix. If you have sites that rely on the previous broken behavior, this policy gives you time to update them.
You can turn on or off the new behavior for MouseEvents dispatching on disabled form controls. MouseEvents are events that occur when the user interacts with a pointing device such as a mouse.
If you select Dispatch most MouseEvents from disabled control elements, all MouseEvents are dispatched on disabled form control elements, except for click, mouseup, and mousedown. The new events include mousemove, mouseenter, and mouseleave.
The event path of click, mouseup, and mousedown is also truncated when they are dispatched on the children of disabled form controls. They are not dispatched on the disabled form control or any of its ancestors.
Available until Chrome version 120
This policy is temporary and implemented due to a vital fix. If you have sites that rely on the previous broken behavior, this policy gives you time to update them.
You can select the new or legacy behavior for HTMLElement.offsetParent.
See here for polyfill code you can use to provide the modern functionality required on older browsers that do not natively support it.
This policy is temporary and will be removed in Chrome version 117. If you have sites that rely on the previous broken behavior, this policy gives you time to update them.
Chrome behavior is changing so that users can no longer proceed to sites that present invalid SSL certificates. They are shown an error page without the option to proceed unsafely.
If you select Allow proceeding to unsafe sites, you can allow users to continue to proceed to unsafe sites and have time to prepare for the new Chrome behavior.
If you select the default Use default navigation protections, the change to Chrome is automatically implemented as it is rolled out through the Chrome release process.
Available to preview the behavior of a future release where this check is turned on by default. This policy will remain temporarily available for administrators that need more time to update their system.
You can specify whether RSA key usage for server certificates issued by local trust anchors is checked.
The X.509 key usage extension declares how the key in a certificate is used and ensures certificates are not used in an unintended way. This protects against cross-protocol attacks on HTTPS and other protocols. HTTPS clients must check that server certificates match the connection's TLS parameters.
Choose one of the following options:
- Use the default setting for RSA key usage checking
- Enable RSA key usage checking—Chrome performs the check. This helps prevent attacks that manipulate the browser into interpreting a key in ways that the certificate owner did not intend.
- Disable RSA key usage checking—Chrome skips the check in HTTPS connections that both negotiate TLS 1.2 and use an RSA certificate that chains to a local trust anchor. Examples of local trust anchors include policy-provided or user-installed root certificates. In all other cases, the check is performed independent of this policy's setting.
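As an added example that is not Chrome's code, the following decodes an X.509 KeyUsage extension value and applies the check this setting controls, including the narrow case in which Disable RSA key usage checking skips it. The bit positions follow RFC 5280 section 4.2.1.3. The mapping from TLS key exchange to required bit (keyEncipherment for RSA key transport in TLS 1.2, digitalSignature when the RSA key signs, as with ECDHE_RSA or any TLS 1.3 handshake) is standard TLS behaviour and is stated here by the example, not by the page. The hex values are constructed inputs, and the connection descriptor passed to connectionAllowed is a simplification of what a TLS stack would have at hand.

```javascript
// Added example: decode a DER-encoded KeyUsage BIT STRING and decide whether a
// server certificate's key usage fits the negotiated TLS key exchange.
// Not Chrome's implementation; bit names and order are from RFC 5280 4.2.1.3.
const KEY_USAGE_BITS = [
  'digitalSignature', 'nonRepudiation', 'keyEncipherment', 'dataEncipherment',
  'keyAgreement', 'keyCertSign', 'cRLSign', 'encipherOnly', 'decipherOnly',
];

// Parse the extension value: tag 0x03, short-form length, unused-bit count, bits.
function parseKeyUsage(hex) {
  const bytes = Buffer.from(hex.replace(/\s+/g, ''), 'hex');
  if (bytes[0] !== 0x03) throw new Error('not a BIT STRING');
  const len = bytes[1];
  if ((len & 0x80) || len < 1 || bytes.length !== 2 + len) throw new Error('bad length');
  const unused = bytes[2];
  if (unused > 7) throw new Error('bad unused-bit count');
  const usages = new Set();
  const totalBits = (len - 1) * 8 - unused;
  for (let i = 0; i < totalBits && i < KEY_USAGE_BITS.length; i++) {
    const byte = bytes[3 + (i >> 3)];
    if (byte & (0x80 >> (i & 7))) usages.add(KEY_USAGE_BITS[i]); // bit 0 is the MSB
  }
  return usages;
}

// keyExchange: 'rsa' (RSA key transport, TLS 1.2 only) or 'signature'
// (the certificate key signs, as with ECDHE_RSA in TLS 1.2 or all of TLS 1.3).
function requiredKeyUsage(keyExchange) {
  return keyExchange === 'rsa' ? 'keyEncipherment' : 'digitalSignature';
}

// A certificate without a KeyUsage extension places no restriction.
function keyUsageAllows(keyUsageHex, keyExchange) {
  if (keyUsageHex === null) return true;
  return parseKeyUsage(keyUsageHex).has(requiredKeyUsage(keyExchange));
}

// policy: 'enabled' or 'disabled'. Per the setting text, 'disabled' only skips
// the check for TLS 1.2 + RSA certificate + chain to a local trust anchor.
function connectionAllowed({ tlsVersion, certKeyType, keyExchange, chainsToLocalAnchor, keyUsageHex, policy }) {
  const kex = tlsVersion === '1.3' ? 'signature' : keyExchange; // no RSA key transport in 1.3
  const inScope = tlsVersion === '1.2' && certKeyType === 'RSA' && chainsToLocalAnchor;
  if (policy === 'disabled' && inScope) return true;
  return keyUsageAllows(keyUsageHex, kex);
}

// Constructed inputs: a typical leaf (digitalSignature + keyEncipherment),
// a signature-only leaf, and a CA certificate (keyCertSign + cRLSign).
const LEAF_BOTH = '03 02 05 a0';
const LEAF_SIG_ONLY = '03 02 07 80';
const CA_ONLY = '03 02 01 06';
console.log([...parseKeyUsage(LEAF_BOTH)], [...parseKeyUsage(LEAF_SIG_ONLY)], [...parseKeyUsage(CA_ONLY)]);
console.log(connectionAllowed({ tlsVersion: '1.2', certKeyType: 'RSA', keyExchange: 'rsa',
  chainsToLocalAnchor: true, keyUsageHex: LEAF_SIG_ONLY, policy: 'enabled' }));
```

The signature-only certificate is the case that matters for this setting: with an RSA key-transport cipher suite and the check enabled, the handshake is refused; with the check disabled and a locally installed root, it is accepted. The same certificate under TLS 1.3 passes regardless, because the key only ever signs there.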
Temporarily turn back on deprecated and retired mutation events. Mutation events, such as DOMNodeInserted and DOMSubtreeModified, are legacy DOM events that fire when the document tree is modified; they have been superseded by MutationObserver.
By default, mutation events cannot be triggered after their retirement date. Use this setting to temporarily turn back on mutation events, even when turned off by default for regular web users.
Manage the availability of deprecated prefixed video-specific full-screen APIs from JavaScript.
Choose one option:
- Use the default Chrome setting—Applies the default PrefixedVideoFullscreen API deprecation timelines and determines if the API is available for websites.
- Disable prefixed video fullscreen APIs—Prevents prefixed video-specific full-screen APIs, such as Video.webkitEnterFullscreen(), from being used in JavaScript. Only standard full-screen APIs, such as Element.requestFullscreen(), can be used.
- Enable prefixed video fullscreen APIs—Allows prefixed video-specific full-screen APIs, such as Video.webkitEnterFullscreen(), to be used in JavaScript.
This policy is temporary and will be removed in a future version of Chrome.
Specifies whether Chrome uses standard or legacy CSS zoom.
By default Standard CSS zoom is selected. Choosing Legacy CSS zoom enables the pre-standardized CSS zoom behavior. This provides time to migrate to the newly-adopted CSS zoom specification.
User verification
Verified Mode
By default, Skip boot mode check for Verified Access is selected, allowing user sessions on devices in Dev mode to work. If you select Require verified mode boot for Verified Access, user sessions on devices in Dev mode always fail the Verified Access check.
Service accounts which are allowed to receive user data
List email addresses of the service accounts that gain full access to the Google Verified Access API. These are the service accounts created in the Google API Console.
Service accounts which can verify users but do not receive user data
List email addresses of the service accounts that gain limited access to the Google Verified Access API. These are the service accounts created in the Google API Console.
For Verified Access instructions:
Chrome management—partner access
Allow EMM partners access to device management
Not currently available for Google Workspace for Education domains
Gives EMM partners programmatic access to manage user policies for Chrome and ChromeOS devices. Partners can use this access feature to integrate Google Admin console functionality into their EMM console.
When partner access is turned on, your EMM partner can manage individual user policies that determine your users' experience on Chrome and ChromeOS devices. EMM partners therefore don't have to follow the Admin console organizational unit structure to manage user policies; they can use the structure configured in their EMM console instead. You can't set the same policy for the same user through both partner access and the Admin console at the same time: user-level policies configured through partner access take precedence over organizational unit policies set in the Admin console. To enforce policies on users by organizational unit, you must select Disable Chrome management—partner access.
You can also use your EMM console to set device policies.
Browser reporting
Managed browser reporting
Turns on or off managed browser cloud reporting for organizations using Chrome Enterprise Core. For details about how to sign up and manage Chrome browser from the Admin console, go to Set up Chrome Enterprise Core.
Select Enable managed browser cloud reporting to get a detailed view of Chrome browsers and extensions used in your organization. To find out what information gets uploaded from users' devices, go to Turn on Chrome browser reporting.
Note: This setting always applies for ChromeOS, regardless of whether your organization signs up for Chrome Enterprise Core. For additional usage details of installed apps on ChromeOS devices, turn on the App usage reporting policy.
Turns on or off managed Chrome profiles reporting for the Managed profiles list and details pages in the Google Admin console. A managed Chrome profile is created for a user when they sign in to Chrome with their managed Google Account using Google Workspace or Cloud Identity.
To view the reporting information in the Managed profiles list and details pages you must be subscribed to Chrome Enterprise Core.
The Cloud profile reporting information includes profile-level information, browser-level information, and limited device information. For more details, see View Chrome browser profile details.
Note: To view managed profile reporting for managed Google Accounts, you don’t have to turn on Managed browser reporting and the browser doesn’t need to be enrolled in the browser list. Only the user must be managed using Cloud Identity (Google Workspace), and the Managed profile reporting setting must be turned on.
Sets the frequency, in hours, of Chrome status report uploads. Enter a value between 3 and 24 hours. The default is 24—the report is sent once a day.
Specifies which security events you want Chrome to report. Event types include malware transfer, unsafe site visits, and password reuse.
For details about how to configure reporting and let Chrome report events using your configured providers and configurations, go to Manage Chrome Enterprise reporting connectors.
Specifies whether visits to sites that use legacy web technologies are reported, based on the site's URL. You can use your Google Admin console to see details about the allowlisted sites that are using legacy web platform APIs and features.
Considerations
When you have turned on legacy technology reporting, the reporting data is automatically sent to the Admin console. However, the data is not displayed in a report until at least 5 browsers are active in the organizational unit. It can take a few minutes for data to show up in reports.
In the Configuration field, add any URLs that you want to allow for the legacy technology report.
- Supports a max of 100 URLs, including all paths and sub-domains with a max of 256 characters per URL.
- IP addresses are supported.
- Wildcard, schema, port, and query are not supported.
Note: For better results, we recommend that you use detailed URL paths.
The URLs you add to the Configuration field are used to generate reports and are uploaded to the Admin console. Unmatched URLs are ignored.
For Google Chrome, this policy is only applied when the machine is enrolled with Chrome Enterprise Core. For details, see Enroll cloud-managed Chrome browsers.
For more information about legacy technologies, see Chrome Platform Status.
Installed App Reporting
App usage reporting
You can turn on and off detailed installed app reporting for specified app types on ChromeOS devices. This provides reports of app usage telemetry data for affiliated users.
You can view the reports using the Chrome Management Telemetry API. For details, see Use Chrome Management Telemetry API to monitor devices.
Note: This setting provides additional information to that captured by the Managed browser reporting setting. It has no effect on Android logs for ChromeOS devices supporting Android apps.
Chrome Safe Browsing
Safe Browsing Protection
Specifies whether Google Safe Browsing is turned on for users. Safe Browsing in Chrome helps protect users from websites that may contain malware or phishing content.
If you select Safe Browsing is active in the enhanced mode, it provides better security, but requires sharing more browsing information with Google.
By default, Allow user to decide is selected and users can turn on or off Safe Browsing. If you choose to activate Safe Browsing, users cannot change or override that setting in Google Chrome.
If you select Allow users to override this setting, users can change the setting on their own device. This is not available if you select Allow user to decide.
Specifies whether extended reporting is turned on and sends some system information and page content to Google to help detect dangerous apps and sites.
Specifies URLs that Safe Browsing should trust. Safe Browsing will not check for phishing, malware, unwanted software, or password reuse for listed URLs. Safe Browsing's download protection service does not check downloads hosted on these domains.
Available only on instances that are joined to a Microsoft Active Directory domain, running on Windows 10 Pro, or enrolled in Chrome Enterprise Core.
By default, Perform Safe Browsing checks on all downloaded files is selected. So, Chrome sends all downloaded files to be analyzed by Safe Browsing, even when they’re from a trusted source.
Selecting Skip Safe Browsing checks for files downloaded from trusted sources means that downloaded files from a trusted source aren’t sent to be analyzed by Safe Browsing.
Restrictions apply to downloads triggered from webpage content and the download link menu option. Restrictions don't apply to saving or downloading the currently displayed page, or to saving as PDF from the printing options.
Prevents users from downloading dangerous files, such as malware or infected files. You can prevent users from downloading all files or those flagged by Google Safe Browsing. If users try downloading files flagged by Safe Browsing, they are shown a security warning.
For more details, see Prevent users from downloading harmful files.
Choose an option:
- No special restrictions—All downloads are allowed. Users still receive warnings about sites identified as dangerous by Safe Browsing. But, they can bypass the warning and download the file.
- Block malicious downloads—All downloads are allowed, except for those assessed, with high confidence, to be malware. Unlike with dangerous downloads, this does not take into account file type, but does take into account the host.
- Block malicious downloads and dangerous file types—All downloads are allowed, except those marked with Safe Browsing warnings of dangerous downloads.
- Block malicious downloads, uncommon or unwanted downloads and dangerous file types—All downloads are allowed, except those marked with Safe Browsing warnings of potentially dangerous downloads. Users cannot bypass the warnings and download the file.
- Block all downloads—No downloads are allowed.
Specifies whether users can bypass Safe Browsing warnings and access deceptive or dangerous sites or download potentially harmful files.
Specifies whether to prevent users from reusing their password on dangerous websites or on websites that aren't allowlisted by your organization. Preventing password reuse across multiple websites can protect your organization from compromised accounts.
Specify the domains that are exceptions to the URLs that appear on the Safe Browsing list. Allowlisted domains are not checked for:
- Password reuse
- Phishing and deceptive social engineering sites
- Sites that host malware or unwanted software
- Harmful downloads
Specify the URLs of webpages where users usually enter their password to sign in to their account. If a sign-in process is split across 2 pages, add the URL of the webpage where users enter their password. When users enter their password, a non-reversible hash is stored locally and used to detect password reuse. Make sure that the change password URL that you specify follows these guidelines.
Turns on or off the SafeSites URL filter. This filter uses the Google Safe Search API to classify URLs as pornographic or not.
Choose an option:
- Filter top level sites (but not embedded iframes) for adult content—For K-12 EDU domains, this is the default. Pornographic sites are not displayed for users.
- Do not filter sites for adult content—For all other domains, this is the default.
Chrome is introducing a new "safety tip" for sites with URLs that look very similar to those of other sites. This UI warns users about sites that might be spoofing other sites.
These warnings are typically shown on sites that Google Chrome believes might be trying to spoof another site the user is familiar with. This policy prevents the display of the lookalike URL warnings on the sites listed.
For example, a URL like "https://foo.example.com/bar" may have warnings suppressed if this list includes either "foo.example.com" or "example.com".
Allows or blocks ads from being displayed on sites that contain intrusive ads.
The default is Allow ads on all sites.
Specifies whether sites with abusive experiences can open new windows or tabs. By default, Prevent sites with abusive experiences from opening new windows or tabs is selected.
You can specify whether Google Chrome sends suspicious downloads from Safe Browsing-enabled users to Google to scan for malware.
This policy does not impact any download content analysis configured by Chrome Enterprise Connectors.
Chrome Enterprise connectors
Allow enterprise connectors
You can allow Admin console admins to enable Enterprise Connectors for Chrome.
You can choose cloud service APIs for a set of content analysis connectors that are used by Chrome to send the full contents and metadata of files attached to web content for analysis.
For more details, see Manage the Chrome Enterprise Data Loss Prevention connectors.
You can choose cloud service APIs for a set of content analysis connectors that are used by Chrome to send the full contents and metadata of downloaded files for analysis.
For more details, see Manage the Chrome Enterprise Data Loss Prevention connectors.
You can choose cloud service APIs for a set of content analysis connectors that are used by Chrome to send the full contents and metadata of transferred files for analysis.
For more details, see Manage the Chrome Enterprise Data Loss Prevention connectors.
You can choose cloud service APIs for a set of content analysis connectors that are used by Chrome to send the full contents and metadata of clipboard contents pasted on the web for analysis.
For more details, see Manage the Chrome Enterprise Data Loss Prevention connectors.
You can choose cloud service APIs for a set of content analysis connectors that are used by Chrome to send the full contents and metadata of printed pages for analysis.
For more details, see Manage the Chrome Enterprise Data Loss Prevention connectors.
Generative AI
Generative AI policy defaults
Defines the default setting for Chrome’s generative AI features. This setting does not override settings for individual generative AI features that you set using your Google Admin console. For example, if you select Do not allow GenAI features, you can still turn on generative AI settings, such as Help me write, Create themes with AI and Tab organizer.
For details about defining your organization’s defaults for Chrome and ChromeOS generative AI features, go to Define generative AI defaults.
Specifies whether users can use Help me write to get writing suggestions when they write or refine existing text in open text fields on the web.
For details about what data is collected and the default values for this feature, go to Help me write.
Specifies whether users can create their own theme for Chrome through Generative AI. For example, users can choose a subject, style, mood, and color based on their preferences.
For details about what data is collected and the default values for this feature, go to Create themes.
Specifies whether users can let Chrome suggest and automatically create tab groups through Generative AI to help them stay organized.
For details about what data is collected and the default values for this feature, go to Tab group suggestions.
Specifies whether users can use Chrome’s DevTools generative artificial intelligence (AI) features to get additional debugging information. Chrome sends data such as error messages, stack traces, code snippets, and network requests to a Google-owned server that runs a generative AI model. Response bodies, and the authentication and cookie headers of network requests, are not included in the data sent to the server.
For details about what data is collected and the default values for this feature, go to Chrome DevTools AI.
Controls how Chrome browser downloads the foundational GenAI model and uses it locally for inference.
By default, Download model automatically is selected. The model is automatically downloaded and used for inference.
To prevent Chrome browser from downloading the model, select Do not download model. Alternatively, you can use the Component updates setting to prevent model downloading. Read about the Component updates setting.
Specifies whether users can search their browsing history based on page contents, and not just the page title and URL.
For details about what data is collected and the default values for this feature, go to Search your history in Chrome with AI.
Specifies whether users can use the tab compare feature to compare and summarize product information across their open browser tabs. For example, when users open multiple tabs about a type of product—such as product specifications, features, price, and ratings—tab compare presents them with an AI-generated overview of the product, all in one place.
For details about what data is collected and the default values for this feature, go to Tab compare.
Chrome updates
Component updates
Specifies whether Chrome browser components, such as Widevine DRM (for encrypted media), automatically update.
This policy does not apply to all components. For a full list of exempted components, see ComponentUpdatesEnabled.
Controls how users are notified to relaunch Chrome browser or restart their ChromeOS device to get the latest update. Choose one of the options:
- No relaunch notification—Activates a minimal default level of notifications. Chrome browser indicates to users that a relaunch is needed via subtle changes to its menu. In ChromeOS, a notification in the system tray prompts the user to relaunch.
- Show notification recommending relaunch—Users see a recurring message that they should relaunch Chrome browser or restart their ChromeOS device. Users can close the notification and keep using the old version of Chrome browser or ChromeOS until they choose to relaunch Chrome browser or restart their ChromeOS device.
- Force relaunch after a period—Users can close the notification but will see a recurring message that they need to relaunch Chrome browser or restart their ChromeOS device within a certain amount of time.
Time period (hours)
If you show notifications to users, you can set the time period, between 1 and 168 hours, over which users are repeatedly notified to relaunch Chrome browser or restart their ChromeOS device. To use the system default, 168 hours (7 days), leave the field unset.
Initial quiet period (hours)
For ChromeOS devices, you can specify an initial quiet period, during which users aren't notified to restart their ChromeOS devices. After the initial quiet period, users see the first notification that they need to restart their ChromeOS devices to apply updates. By default, ChromeOS devices only show notifications for the last 3 days of the notification time period that you specify, not the entire duration.
For ChromeOS devices, setting the Auto reboot after updates device setting to Allow auto-reboots automatically restarts devices when updates are applied. This minimizes the amount of notifications that users see. For details about configuring automatic updates on ChromeOS devices, read Auto-update settings.
Relaunch window start time
Caution: Setting a relaunch window might delay software updates.
Specifies the time of day, in 24-hour format (hh:mm), that you want to defer the end of the relaunch notification period that you set in Time period (hours). Use in conjunction with Force relaunch after a period and Relaunch window duration (minutes) to specify a time window when Chrome browser automatically relaunches and ChromeOS devices restart to apply updates.
Left blank, for ChromeOS devices the default start time is 02:00 in the user’s timezone, and Chrome browser never defers the end of the relaunch notification period.
Relaunch window duration (minutes)
Caution: Setting a relaunch window might delay software updates.
Specifies the length of time, in minutes, of the window when Chrome browser relaunches and ChromeOS devices restart to apply updates. Use in conjunction with Force relaunch after a period and Relaunch window start time.
Left blank, the Relaunch window duration (minutes) for ChromeOS devices is 120 minutes. By default, Chrome browser never defers the end of the relaunch notification period.
Specifies a daily time period when automatic checks for Chrome browser updates do not occur. Enter:
- Start time—Time of day, in 24-hour format (hh:mm), that you want to begin suppressing checks for browser updates each day.
- Duration (minutes)— Length of time, in minutes, that you want to suppress browser update checks for.
Specifies the number of hours between automatic checks for Chrome browser updates. Enter 0 to disable all auto-update checks (not recommended).
Select Attempt to provide cache-friendly download URLs to get the Google Update server to attempt to provide cache-friendly URLs for update payloads in its responses. This helps to reduce bandwidth and improve response times.
Specifies whether devices automatically update to new versions of Chrome browser as they are released.
To make sure that users are protected by the latest security updates, we strongly recommend that you select Allow updates. By running earlier versions of Chrome browser, you will expose your users to known security issues.
To temporarily roll back to one of the 3 most recent major versions of Chrome browser, specify the Target version prefix override and select Rollback to target version.
Choose when to roll out Chrome browser updates to users by placing them on a release channel:
- Stable channel—(Recommended) Fully tested by the Chrome test team and should be used by most of your users.
- Beta channel—Users can get a 4–6 week preview of what’s coming to the Stable version of Chrome.
- Dev Channel—Developers can get a 9–12 week preview of what’s coming to the Stable version of Chrome.
- Extended stable channel—Get feature updates less frequently than the Stable channel, but still receive security fixes.
For information to help you decide which channel to have your users on, go to Chrome browser release channels.
For details about how to manage Chrome browser updates, see Manage Chrome updates (Chrome Enterprise Core).
Specifies the number of user data snapshots retained by Chrome browser in case of an emergency rollback.
After every major version update of Chrome browser, user data snapshots of specific parts of the user's browsing data are created. These can be used if an emergency version rollback of the Chrome browser update is required.
If Chrome browser is rolled back to a version retained by the user, the data in the snapshot is restored, such as bookmarks and autofill data.
If the policy is set to a specific value, only that number of snapshots are saved. For example, if it is set to 6, only the last 6 snapshots are saved and all others saved before those are deleted.
If the policy is set to 0, no snapshots are taken. If the policy is not set, the default value of 3 snapshots are saved.
Chrome variations
Variations
Using variations, Google can offer modifications to Chrome without shipping a new browser version, by selectively turning on or off existing features.
By default, Enable Chrome variations is selected. Selecting Enable variations for critical fixes only allows only variations considered critical security or stability fixes to be applied to Chrome.
Note: We do not recommend selecting Disable variations. This can potentially prevent Chrome developers from providing critical security fixes in a timely manner.
Legacy Browser Support
Legacy Browser Support
Specifies whether users can open some URLs in an alternative browser, such as Microsoft Internet Explorer.
Specifies the delay, in seconds, before the alternative browser opens. During this time, users see an interstitial page that lets them know they're switching to another browser. By default, URLs immediately open in the alternative browser, without showing the interstitial page.
Controls how Chrome browser interprets sitelist or greylist policies that you set. This setting affects:
- Legacy Browser Support site list—BrowserSwitcherExternalSitelistUrl
- Use Internet Explorer site list—BrowserSwitcherUseIeSitelist
- URL to list of websites to open in either browser—BrowserSwitcherExternalGreylistUrl
- Websites to open in alternative browser—BrowserSwitcherUrlList
- Websites to open in either browser—BrowserSwitcherUrlGreylist
By default, Default is selected. Rules that don't contain a slash, /, look for a substring anywhere in the URL's hostname. Matching the path component of a URL is case-sensitive.
Select Enterprise mode IE/Edge compatible to make URL matching more strict. Rules that don't contain a slash, /, only match at the end of the hostname. They must also be at a domain name boundary. Matching the path component of a URL is case-insensitive.
Example
For rules example1.com and example2.com/abc:
- http://example1.com/, http://subdomain.example1.com/, and http://example2.com/abc match regardless of parsing mode.
- http://notexample1.com/, http://example1.com.invalid.com/, http://example1.comabc/ match only if Default is selected.
- http://example2.com/ABC matches only if Enterprise mode IE/Edge compatible is selected.
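The example above can be checked mechanically. The following is an added example, not Chrome's sitelist implementation: it applies the two parsing modes to the rules example1.com and example2.com/abc and reproduces every outcome listed. The handling of a rule that contains a slash (the host part is matched according to the selected mode, then the path must be a prefix of the URL's path) is an assumption of this example; wildcard and negated rules are not modelled, and Node's built-in URL class parses the URL.

```javascript
// Added example: the Default and "Enterprise mode IE/Edge compatible" parsing
// modes for Legacy Browser Support sitelist rules. Not Chrome's code.
// mode: 'default' or 'ie'.

// Host-only rule (no slash) against a URL's hostname.
function hostMatches(ruleHost, host, mode) {
  ruleHost = ruleHost.toLowerCase();
  host = host.toLowerCase();
  if (mode === 'default') return host.includes(ruleHost); // substring anywhere
  // IE/Edge compatible: the rule must end the hostname and start on a label boundary.
  if (!host.endsWith(ruleHost)) return false;
  const prefix = host.slice(0, host.length - ruleHost.length);
  return prefix === '' || prefix.endsWith('.');
}

// One rule against one URL.
function ruleMatches(rule, urlString, mode) {
  const u = new URL(urlString);
  const slash = rule.indexOf('/');
  if (slash === -1) return hostMatches(rule, u.hostname, mode);
  // Assumption: rule with a path = host part (per mode) + path prefix.
  const ruleHost = rule.slice(0, slash);
  const rulePath = rule.slice(slash);
  if (!hostMatches(ruleHost, u.hostname, mode)) return false;
  // Default mode compares the path case-sensitively; IE mode does not.
  return mode === 'default'
    ? u.pathname.startsWith(rulePath)
    : u.pathname.toLowerCase().startsWith(rulePath.toLowerCase());
}

// True when any rule in the list matches, i.e. the URL would switch browsers.
function shouldSwitch(rules, urlString, mode) {
  return rules.some((r) => ruleMatches(r, urlString, mode));
}

// Evaluate a set of URLs under both modes, for side-by-side review.
function compareModes(rules, urls) {
  return urls.map((url) => ({
    url,
    default: shouldSwitch(rules, url, 'default'),
    ieCompatible: shouldSwitch(rules, url, 'ie'),
  }));
}

// The rules and URLs from the example above.
const RULES = ['example1.com', 'example2.com/abc'];
const URLS = [
  'http://example1.com/', 'http://subdomain.example1.com/', 'http://example2.com/abc',
  'http://notexample1.com/', 'http://example1.com.invalid.com/', 'http://example1.comabc/',
  'http://example2.com/ABC',
];
console.table(compareModes(RULES, URLS));
```

The three URLs that match only in Default mode are the ones to watch when a sitelist is meant to be restrictive: under Default parsing, a rule like example1.com also sends example1.com.invalid.com to the alternative browser, which is why the stricter mode exists.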
Allows you to use your Internet Explorer site list to control whether URLs open in Chrome browser or Internet Explorer.
Specifies the URL of the XML file that contains the list of website URLs that open in an alternative browser. You can review this sample XML file.
Specifies the URL of the XML file that contains the list of website URLs that do not trigger a browser switch.
Specifies a list of website URLs that open in an alternative browser.
Specifies a list of website URLs that do not trigger a browser switch.
By default, only the URL is passed as a parameter to the alternative browser. You can specify parameters to be passed to the alternative browser’s executable. Parameters that you specify are used when the alternative browser is invoked. You can use the special placeholder ${url} to specify where the URL should appear in the command line.
You don't have to specify the placeholder if it's the only argument or if it should be appended to the end of the command line.
Lets you specify the program that's used as an alternative browser. For example, for Windows computers, the default alternative browser is Internet Explorer.
You can specify a file location or use one of these variables:
- ${chrome}—Chrome browser
- ${firefox}—Mozilla Firefox
- ${ie}—Internet Explorer
- ${opera}—Opera
- ${safari}—Apple Safari
Specifies the parameters to be passed to Chrome browser's executable when returning from the alternative browser. By default, only the URL is passed as a parameter to Chrome browser. Parameters that you specify are used when Chrome browser is invoked. You can use the special placeholder ${url} to specify where the URL should appear in the command line.
You don't have to specify the placeholder if it's the only argument or if it should be appended to the end of the command line.
Specifies the executable of Chrome browser to be launched when returning from the alternative browser.
You can specify a file location or use the variable ${chrome}, which is the default installation location for Chrome browser.
Specifies whether to close Chrome browser after the last tab in the window switches to the alternative browser.
Chrome browser tabs automatically close after switching to the alternative browser. If you specify Close Chrome completely and the last tab is open in the window before switching, Chrome browser closes completely.
Virtual machines (VMs) and developers
Command line access
Specifies whether users can access the command line (CLI) to manage virtual machines (VMs).
If the policy is enabled, the user can use virtual machine management CLI.
Allows you to control whether users can use virtual machines to support Linux apps. The setting is applied to starting new Linux containers, not to those already running.
On managed devices, the default is Block usage for virtual machines needed to support Linux apps for users and users can't use virtual machines to support Linux apps.
However, on unmanaged devices, the default is Allow usage for virtual machines needed to support Linux apps for users.
If you do not want users to have access, regardless of the device they are using, you must explicitly select Block usage for virtual machines needed to support Linux apps for users.
If you select Allow usage for virtual machines needed to support Linux apps for users, affiliated users can use Linux virtual machines.
To enable it for unaffiliated users, select Allow usage for virtual machines needed to support Linux apps for unaffiliated users in the Devices page. For details, see Linux virtual machines for unaffiliated users (BETA).
Note: This feature is no longer in Beta for consumer ChromeOS devices. It remains in Beta for managed devices and users.
Allows you to control whether users can backup and restore all installed apps, data, and settings for Linux virtual machines.
The option for restoration and backup is enabled by default.
Note: This feature is no longer in Beta for consumer ChromeOS devices. It remains in Beta for managed devices and users.
Specifies whether users are allowed to configure port forwarding into virtual machine (VM) containers.
If you select Do not allow users to enable and configure port forwarding into the VM container, port forwarding is disabled.
Allows you to control the use of Android apps from untrusted sources for individual users. It does not apply to Google Play.
The default is to prevent the user from using Android apps from untrusted sources.
If the user's device is managed, the user is blocked from installing apps from untrusted sources unless both the device and user policy are set to allow the use of Android apps from untrusted sources.
If the user's device is not managed, the user can only install apps from untrusted sources if they are the device owner, first to sign into the device, and the user policy is set to allow the use of Android apps from untrusted sources.
Specifies whether SSH outgoing client connections in the Terminal System App are allowed on all devices, allowed on all devices except enrolled ChromeOS devices, or not allowed on any devices.
The default is to enable it for unmanaged ChromeOS devices.
Parallels Desktop
Parallels Desktop
Controls whether users can use Parallels Desktop for Chromebook to access Microsoft Windows applications and files, including Microsoft Office.
When you select Allow users to use Parallels desktop, you must accept the end-user license agreement.
Each Parallels Desktop user needs a Parallels Desktop for ChromeOS license. For details about getting licenses and setting up Parallels, go to Set up Parallels Desktop for ChromeOS.
Specifies the URL for the Microsoft Windows image and the SHA-256 hash of the Windows image file that users download to their Chromebooks before using Parallels Desktop.
Each Parallels Desktop user needs a Parallels Desktop for ChromeOS license. For details about getting licenses and setting up Parallels, go to Set up Parallels Desktop for ChromeOS.
Specifies the required disk space in gigabytes for running Parallels Desktop. The default value is 20GB.
If you set a required free disk space value and the user device detects that the remaining space is smaller than that value, it cannot run Parallels. Therefore, we recommend you check the size of your uncompressed virtual machine (VM) image as well as how much additional data or applications you expect to install before deciding on a required disk space value.
Each Parallels Desktop user needs a Parallels Desktop for ChromeOS license. For details about getting licenses and setting up Parallels, go to Set up Parallels Desktop for ChromeOS.
To allow Parallels to generate and collect event logs from your users, select Enable sharing diagnostics data to Parallels. For details on the information collected in the logs, see Parallels Customer Experience Program.
Each Parallels Desktop user needs a Parallels Desktop for ChromeOS license. For details about getting licenses and setting up Parallels, go to Set up Parallels Desktop for ChromeOS.
Setting sources
Policy precedence
Specifies the order of precedence, from highest to lowest, that Chrome policies are applied for users and browsers. For details, see Understand Chrome policy management.
You can enter a list of on-device policies that can then be merged when they come from different sources. Merging is only supported for list and dictionary type policies.
For more information, see Understand Chrome policy management.
Enter the policies to merge, one per line, or use the wildcard character * to allow the merging of all supported policies.
If a policy is on the list and there is conflict between sources with the same scope and level, the values merge into a new policy. If there is conflict between sources with different scopes or levels, the policy with the highest priority applies.
If a policy is not on the list and there's conflict between sources, scopes, or levels, the policy with the highest priority applies.
You can verify the final value of these policies by checking chrome://policy on your end-users’ Chrome browser.
Specifies whether policies associated with a Google Workspace account can be merged into machine-level policies.
The default is Do not merge user cloud policies with machine policies and prevents user-level cloud policies from being merged with policies from any other sources.
This setting only applies if the Chrome browser and profile are managed through the Google Admin console by the same organization. Policies applied to Chrome profiles can be merged.
You must add the user cloud policies that you want to merge to the policy mergelist. If they are not added there, this setting is ignored.
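The following Python script is an added illustration of the merge rules described above, not code from Chrome or the Admin console. It models a policy that several sources set: sources are ordered by an assumed default precedence (platform machine, cloud machine, platform user, cloud user), a policy on the mergelist merges only with sources at the winning source's scope and level, scalar policies never merge even when listed, and the option to merge user cloud policies with machine policies lets the cloud user value join a machine-level merge. The policy names and values are constructed sample data.

```python
"""Model of how one policy name set by several sources resolves.

Added example, not Chrome's implementation. PRECEDENCE is the assumed
default order (highest first); policy values are constructed.
"""
from typing import Any

# (source name, scope, level), highest precedence first (assumed default order).
PRECEDENCE = [
    ("platform_machine", "machine", "mandatory"),
    ("cloud_machine", "machine", "mandatory"),
    ("platform_user", "user", "mandatory"),
    ("cloud_user", "user", "mandatory"),
]


def resolve(policy: str, values: dict, mergelist: set,
            merge_user_cloud: bool = False) -> Any:
    """values: source name -> value that source sets for `policy`.
    mergelist: policy names allowed to merge, or {"*"} for all of them.
    merge_user_cloud: the "merge user cloud policies with machine
    policies" option; it only has an effect for listed policies."""
    present = [(s, sc, lv) for s, sc, lv in PRECEDENCE if s in values]
    if not present:
        return None  # no source sets this policy
    winner, w_scope, w_level = present[0]
    if not ("*" in mergelist or policy in mergelist):
        return values[winner]  # not listed: highest priority wins outright
    # Only sources sharing the winner's scope and level take part in a merge.
    group = [s for s, sc, lv in present if (sc, lv) == (w_scope, w_level)]
    if merge_user_cloud and w_scope == "machine" and "cloud_user" in values:
        group.append("cloud_user")  # user cloud value joins the machine merge
    group_values = [values[s] for s in group]
    if len(group_values) == 1:
        return group_values[0]
    if all(isinstance(v, list) for v in group_values):
        merged: list = []
        for v in group_values:  # higher precedence first; drop duplicates
            for item in v:
                if item not in merged:
                    merged.append(item)
        return merged
    if all(isinstance(v, dict) for v in group_values):
        merged_dict: dict = {}
        for v in reversed(group_values):  # lower precedence first, higher overwrites
            merged_dict.update(v)
        return merged_dict
    return values[winner]  # scalars (and mixed types) never merge


def demo() -> dict:
    """Constructed sources for one list-type policy, resolved three ways."""
    blocklist = {
        "platform_machine": ["ext-a"],
        "cloud_machine": ["ext-b", "ext-a"],
        "cloud_user": ["ext-c"],
    }
    return {
        "unlisted": resolve("ExtensionInstallBlocklist", blocklist, set()),
        "listed": resolve("ExtensionInstallBlocklist", blocklist,
                          {"ExtensionInstallBlocklist"}),
        "listed_with_user_cloud": resolve("ExtensionInstallBlocklist", blocklist,
                                          {"*"}, merge_user_cloud=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The cloud user value is dropped in the plain "listed" case because it comes from a different scope than the winning machine-level sources; it only appears in the result once the user cloud merge option is on and the policy is listed, which is the behaviour the two settings above describe. Compare the script's result with chrome://policy on a test machine before relying on it.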
Other settings
Metrics reporting
Specifies whether Chrome browser sends usage statistics and crash-related data to Google. You can allow the user to configure the option, or you can specify that it is always on or always off.
Usage statistics contain information, such as preferences, button clicks, and memory usage. If users have Make searches and browsing better turned on, they might include webpage URLs or personal information.
Crash reports contain system information at the time of the crash and might contain webpage URLs or personal information, depending on what was happening when the crash report was triggered.
To learn more about what info we collect from these reports and what we do with it, read Chrome's privacy policy.
Allows you to set a limit on how much memory a single Chrome browser session can use before browser tabs start closing automatically to save memory. If the policy is set, the browser starts to close tabs to save memory once the limit is exceeded. If the policy is not set, the browser only attempts to save memory once it detects that the amount of physical memory on the machine is low.
Specifies whether high efficiency mode is always turned on or off. Select Enable high efficiency mode to ensure tabs are discarded in the background after a few hours to reclaim memory.
By default, Allow the user to decide is selected. Users can turn on or off high efficiency mode in chrome://settings/performance.
Specifies a list of pages that will never be discarded by the browser, including memory pressure and high efficiency mode discarding.
A discarded page is unloaded and its resources fully reclaimed. The associated tab remains in the tab strip, but making it visible triggers a full reload.
For information on valid URL patterns, see Enterprise policy URL pattern format.
Specifies the directory used by Chrome to store cached files on the disk.
If you enter a variable in the Disk cache directory field, Chrome uses that directory even if the user has defined the disk cache dir parameter. If the policy is left unset, the default cache directory is used and the user can override this by defining the disk cache dir parameter.
For a list of supported variables, see Supported directory variables.
Specifies the Chrome storage limit for cached files on the disk.
If you set the policy to a specified size, Chrome uses that cache size even if the user has defined the disk cache size parameter. Values below a few megabytes are rounded up.
If you leave it unset, Chrome uses the default cache size and users can change it.
Specifies whether background apps continue running when Chrome Browser is closed.
If the policy is enabled, when Chrome Browser is closed, background apps and the current browsing session remain active, including any session cookies. The user can close it at any time using the icon displayed in the system tray.
Allow the user to decide—Background mode is initially disabled and can be controlled by the user in the browser settings.
Disable background mode—Background mode is disabled and cannot be controlled by the user in the browser settings.
Enable background mode—Background mode is enabled and cannot be controlled by the user in the browser settings.
Controls whether Google Chrome can occasionally send queries to a Google server to retrieve an accurate timestamp. By default, queries are allowed.
Specifies the maximum delay in milliseconds between receiving a policy invalidation and fetching the new policy from the device management service.
Valid values range from 1,000 (1 second) to 300,000 (5 minutes). If you enter a value below 1 second, the value 1 second is used. If you enter a value above 5 minutes, the value 5 minutes is used.
If you leave the policy unset, the default value of 10 seconds is used.
Specifies whether websites that users visit are allowed to create immersive augmented reality (AR) sessions using the WebXR Device API.
By default, Allow creating WebXR immersive-ar sessions is selected. So, users can enter AR experiences.
Selecting Prevent creating WebXR immersive-ar sessions forces the WebXR Device API to reject requests to create new immersive-ar sessions. Current immersive-ar sessions continue to run.
Specifies if Chrome information such as passwords, history, and settings, is synced to the cloud. The default is to allow Chrome sync.
You can select the browsing data types that are deleted when the user closes all browser windows. This setting does not take precedence over the Clear browser history setting.
Warning: Choosing to delete some data types can impact and permanently remove local personal data. We recommend testing your settings before deploying to prevent the accidental deletion of personal data. Sync is disabled in the browser for the browsing data types you select if the SyncDisabled or the BrowserSignin policies are not disabled.
If Google Chrome does not close properly, for example, if the browser or the OS crashes, the browsing data is cleared the next time the user profile is loaded.
Specifies whether users can synchronize their Chrome information—such as passwords, history, and bookmarks—on multiple devices. Choose an option:
- Allow Chrome Sync—This is the default. Chrome sync is turned on for users. Chrome information is automatically synced to users’ Google Accounts.
- Allow Roaming Profiles—Users create a single Chrome profile that contains their Chrome information. They reuse their Chrome profile on each computer they need for work or school. For Roaming profile directory, enter the directory that Chrome browser should use to store the roaming copy of Chrome profiles.
- Disallow Sync—Users can only access Chrome information that's stored locally on devices.
If you select Allow Chrome Sync or Allow Roaming Profiles, choose which types of Chrome information, if any, are excluded from synchronization.
For information about roaming profiles, go to Use Chrome browser with Roaming User Profiles.
If you select Allow Chrome Sync, when a user’s authentication expires, they automatically see Paused at the top right of their browser toolbar. In addition, you can use Re-authentication prompt to open a new browser tab where managed users sign in again.
This policy can only be set at the top-level organization unit.
You can invalidate or delete device tokens when you delete browsers from the Admin console.
When a device is enrolled in Chrome Enterprise Core, a unique device token is added to the device. This device token is used to identify the browsers in the Admin console during policy refresh and report sync operations.
If you select Invalidate token (default), the device token remains on the device when a browser is deleted from the Managed browsers list and it is marked as invalid. The device cannot be re-enrolled in Chrome Enterprise Core and it remains unmanaged until the device token is manually deleted and a valid enrollment token is placed on the device.
If you select Delete token, the device token is deleted from the device when a browser is deleted from the Managed browsers list. If the device has a valid enrollment token deployed, it can be re-enrolled in Chrome Enterprise Core the next time the browser restarts.
For more information on where the device token is stored, see Enroll cloud-managed Chrome browsers.
Specifies whether Wi-Fi network configurations can be synced across Chrome OS devices and a connected Android phone.
If you select the default Do not allow Wi-Fi network configurations to be synced across Google Chrome OS devices and a connected Android phone, users are not allowed to sync Wi-Fi network configurations.
If you select Allow Wi-Fi network configurations to be synced across Google Chrome OS devices and a connected Android phone, users can sync Wi-Fi network configurations between their Chrome OS devices and a connected Android phone. However, users must first explicitly opt-in to this feature by completing a setup flow.
Determines how long a browser can be inactive for before it’s deleted from the Google Admin console. Any enrolled browsers that have been inactive for longer than the value set by this policy will be deleted.
The original default value of the policy is 540 days (18 months). The minimum value is 28 days, while the maximum is 730 days.
Important: If you lower the set policy value, it might have a global impact on any currently enrolled browsers. All impacted browsers will be considered inactive and, therefore, be irreversibly deleted. To ensure the deleted browsers re-enroll automatically next time they restart, set the Device Token Management policy value to Delete token before lowering the value of this policy. The enrollment tokens on these browsers need to still be valid at the time of the restart.
For more information, see Stop managing or delete Chrome browsers.
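Before lowering the inactivity period, it helps to know which enrolled browsers would cross the new threshold. The Python script below is an added example, not a Google tool or an Admin console API: it validates a proposed value against the range stated above, lists the browsers that would be considered inactive at a given value, and flags the Device Token Management precondition for automatic re-enrollment. The browser records and dates are constructed sample data; in practice you would feed it the last-activity dates exported from the Managed browsers list.

```python
"""Pre-check for lowering the browser inactivity period.

Added example, not a Google tool or API. Browser records are constructed;
the limits (28 to 730 days, default 540) are the ones stated in the setting.
"""
from datetime import date, timedelta

MIN_DAYS, MAX_DAYS, DEFAULT_DAYS = 28, 730, 540

# Constructed sample: (browser name, last activity date)
SAMPLE_BROWSERS = [
    ("laptop-01", date(2024, 5, 20)),
    ("kiosk-07", date(2023, 9, 1)),
    ("lab-03", date(2022, 1, 15)),
]
TODAY = date(2024, 6, 1)  # fixed so the output is reproducible


def validate_period(days: int) -> int:
    """Reject values outside the range the setting accepts."""
    if not MIN_DAYS <= days <= MAX_DAYS:
        raise ValueError(f"inactivity period must be {MIN_DAYS}-{MAX_DAYS} days, got {days}")
    return days


def browsers_to_be_deleted(browsers, period_days, today=TODAY):
    """Names of browsers inactive for longer than period_days as of `today`."""
    cutoff = today - timedelta(days=validate_period(period_days))
    return sorted(name for name, last_seen in browsers if last_seen < cutoff)


def change_plan(current_days, proposed_days, token_policy,
                browsers=SAMPLE_BROWSERS, today=TODAY):
    """Summarise the impact of moving from current_days to proposed_days.

    token_policy is the current Device Token Management choice
    ("Invalidate token" or "Delete token")."""
    already = set(browsers_to_be_deleted(browsers, current_days, today))
    after = set(browsers_to_be_deleted(browsers, proposed_days, today))
    newly = sorted(after - already)
    warnings = []
    if proposed_days < current_days and newly and token_policy != "Delete token":
        warnings.append("Set Device Token Management to 'Delete token' before lowering "
                        "the period, or the deleted browsers cannot re-enroll automatically.")
    return {"newly_deleted": newly, "warnings": warnings}


if __name__ == "__main__":
    print(change_plan(DEFAULT_DAYS, 180, "Invalidate token"))
```

Because deletion is irreversible, run the check with the real export first; the `newly_deleted` list is the set of browsers whose enrollment tokens must still be valid at their next restart if you want them back.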
Controls whether Fast Pair is enabled or disabled on a user's account.
Fast Pair is a Bluetooth pairing feature that links paired peripherals with a Google Account. Other ChromeOS and Android devices signed in with the same Google Account can then pair automatically with that user's device.
The setting default is disabled for enterprise users and enabled for non-managed users.
Specifies whether the user is prompted to select a client certificate when more than one certificate matches.
If you choose to prompt the user and have entered a list of URL patterns in the Client certificates setting, whenever the auto-selection policy matches multiple certificates the user is asked to select the client certificate.
If you left the Client certificates setting empty, the user might only be prompted when no certificate matches the auto-selection.
For more details, see Client certificates.
For Chrome version 106 and later, persistent quota is no longer supported.
Web applications can query the system for the size of the storage space currently used and available for applications. Google Chrome maintains separation between temporary and persistent storage and allows Web apps to request more storage space, if needed.
You can use this setting to re-enable persistent quota for webkitRequestFileSystem until Chrome version 107. With it enabled, webkitRequestFileSystem with the persistent type operates with persistent quota.
If you select the default setting Disable persistent quota, webkitRequestFileSystem with persistent type will operate with temporary quota.
You can choose to not report domain reliability related data to Google. The default is to upload reports on any network errors that occur when connecting to sites if the Chrome User Metrics policy allows it.
Controls whether Google Chrome data is included in backups of iOS devices.
By default, the setting is turned on. If you turn off this setting, Google Chrome data—including cookies and website local storage—is excluded from iCloud and local backups on iOS devices.
Data controls
Data controls reporting
You can allow real-time reporting of data leak prevention events triggered by data controls. Reporting is disabled by default; if you select Enable reporting of data control events, reporting is switched on.
For more details on how to turn on data controls, see Set ChromeOS data controls.
Applies only to managed users and browsers with a Chrome Enterprise Premium license.
Controls whether or not users in your organization can copy content from certain sources.
You can specify the URLs you want to block, allow, or warn users from copying from certain sources. For information on valid URL patterns, see Enterprise policy URL pattern format.
Allow copying from the following content sources, except when pasting to certain destinations
Specify the source URLs that users can copy from, except when pasting that content to certain destinations. For example, you can allow users to copy content from the organization’s intranet or knowledge base, but they can only paste that content into internal communication channels and not on external ones like social media.
- Content sources—Specify the source URLs that users can copy from. You must fill in this field for the setting to take effect.
- Show a warning when pasting to the following destinations—Specify the destination URLs that display a warning when users attempt to paste content to these destinations. Users can choose to paste the content or not after the warning is displayed.
- Block pasting to the following destinations—Specify the destination URLs users can’t copy and paste content to.
- Block pasting to—Check the relevant boxes to block the pasting of content to other Chrome profiles, an Incognito window, or non-Chrome applications.
Block copying from the following content sources, except when pasting to certain destinations
Specify the source URLs that users can’t copy from, except when pasting that content to certain destinations. For example, you can block users from copying web content on websites that contain sensitive data and pasting this into other websites or external applications like a text file or another browser.
- Content sources—Specify the source URLs that users can’t copy from. You must fill in this field for the setting to take effect.
- Show a warning when pasting to the following destinations—Specify the destination URLs that display a warning when users attempt to paste content copied from these sources. Users can choose to paste the content or not after the warning is displayed.
- Allow pasting to the following destinations—Specify the destination URLs users can copy and paste content to.
Applies only to managed users and browsers with a Chrome Enterprise Premium license.
Controls whether or not users in your organization can paste content to specific destinations.
You can specify what URLs you want to block, allow, or warn users from pasting to specific destinations. For information on valid URL patterns, see Enterprise policy URL pattern format.
Allow pasting content to the following destinations, except when copied from certain sources
Specify the destination URLs where content can be pasted, except when copied from certain sources. For example, you can allow pasting of content into the organization’s code repository only if the content comes from specific web-based work apps and not from open-source repositories, competitors' websites, non-Chrome applications such as a Notes app, or a non-Chrome browser.
- Paste destinations—Specify the destination URLs where users can paste content to. You must fill in this field for the setting to take effect.
- Show a warning when pasting content copied from the following sources—Specify the source URLs that display a warning when users attempt to paste content copied from these sources. Users can choose to paste the content or not after the warning is displayed.
- Block pasting content copied from the following sources—Specify the source URLs users can’t copy and paste content from.
- Block pasting content from—Check the relevant boxes to block the pasting of content from other Chrome profiles, an Incognito window, or non-Chrome applications.
Block pasting content to the following destinations, except when copied from certain sources
Specify the destination URLs where content can’t be pasted, except when copied from certain sources. For example, you can block pasting content into the organization’s Customer Relationship Management (CRM) platform, unless that content is being copied from within the CRM.
- Paste destinations—Specify the destination URLs where users can’t paste content to. You must fill in this field for the setting to take effect.
- Show a warning when pasting content copied from the following sources—Specify the source URLs that display a warning when users attempt to paste content copied from these sources. Users can choose to paste the content or not after the warning is displayed.
- Allow pasting content copied from the following sources—Specify the source URLs users can copy and paste content from.
Screenshot prevention is available on Windows and Mac devices, while screen share prevention is supported on Windows only. This setting is not available on Linux devices.
Applies only to managed users and browsers with a Chrome Enterprise Premium license.
Controls whether or not users in your organization can take screenshots and share screens on certain websites on their devices. The policy applies to screenshots taken by any means, including the keyboard shortcut and apps and extensions that use the Chrome API to capture.
You can specify a list of URL patterns that are exceptions to your chosen screenshot behavior. For information on valid URL patterns, see Enterprise policy URL pattern format.
- Enable screenshot prevention, except for these URLs—Specify the URLs of the websites where you want to allow screenshots and screen sharing. Users can’t take screenshots and screen share on all websites, except for the ones you specified.
- Disable screenshot prevention, except for these URLs—Specify the URLs of the websites where you want to prevent screenshots and screen sharing. Users can take screenshots and screen share on all websites, except for the ones you specified.
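The copy rules, the paste rules and the screenshot exceptions above all hinge on the same two questions: which side of the operation the rule is keyed on, and whether the other side matches a warn list or an exception list. The Python script below is an added example, not Chrome's enforcement code, that evaluates those rules on constructed input. `url_matches` implements only a simplified subset of the Enterprise policy URL pattern format ([scheme://][.]host[:port][/path], with a bare host matching its subdomains and a leading dot meaning the exact host), and the precedence between a warn list and an exception list is an assumption (an explicit block wins over a warning in "allow, except" rules; an explicit allow wins over a warning in "block, except" rules). All hostnames are constructed.

```python
"""Evaluator for the data controls copy/paste rules and screenshot exceptions.

Added example, not Chrome's enforcement code. url_matches is a simplified
subset of the Enterprise policy URL pattern format; warn/exception precedence
is an assumption. Hostnames are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def url_matches(pattern, url):
    """Subset of [scheme://][.]host[:port][/path]: a bare host also matches its
    subdomains, a leading '.' means the exact host, path is a prefix match."""
    if url is None:
        return False
    if pattern == "*":
        return True
    u = urlsplit(url)
    scheme, rest = pattern.split("://", 1) if "://" in pattern else (None, pattern)
    hostport, _, path = rest.partition("/")
    exact = hostport.startswith(".")
    host, _, port = hostport.lstrip(".").partition(":")
    uhost, host = (u.hostname or "").lower(), host.lower()
    host_ok = uhost == host or (not exact and uhost.endswith("." + host))
    return (host_ok
            and (scheme is None or scheme == u.scheme)
            and (not port or str(u.port or "") == port)
            and (not path or u.path.startswith("/" + path)))


@dataclass
class DataControlRule:
    kind: str        # "copy": keyed on the source URL; "paste": keyed on the destination URL
    mode: str        # "allow" or "block": the default verdict once the keyed URL matches
    keyed: list      # content sources (copy) or paste destinations (paste); required field
    warn: list = field(default_factory=list)         # counterpart URLs that show a warning
    exceptions: list = field(default_factory=list)   # counterpart URLs that flip the verdict
    blocked_kinds: set = field(default_factory=set)  # "allow" mode checkboxes: other_profile, incognito, non_chrome


def evaluate(rule, source_url, dest_url, counterpart_kind="web"):
    """Return "allow", "warn" or "block" for one copy/paste operation.
    counterpart_kind names the non-keyed side when it is not a web page."""
    keyed_url, other_url = (source_url, dest_url) if rule.kind == "copy" else (dest_url, source_url)
    if not rule.keyed or not any(url_matches(p, keyed_url) for p in rule.keyed):
        return "allow"  # required field empty, or no match: the rule has no effect
    if counterpart_kind != "web":
        if rule.mode == "allow":
            return "block" if counterpart_kind in rule.blocked_kinds else "allow"
        return "block"  # "block, except" rules have no carve-out for non-web counterparts
    hit_exception = any(url_matches(p, other_url) for p in rule.exceptions)
    hit_warn = any(url_matches(p, other_url) for p in rule.warn)
    if rule.mode == "allow":
        return "block" if hit_exception else "warn" if hit_warn else "allow"
    return "allow" if hit_exception else "warn" if hit_warn else "block"


def screenshot_allowed(mode, exception_patterns, url):
    """mode "prevent": blocked everywhere except the listed URLs;
    mode "permit": allowed everywhere except the listed URLs."""
    listed = any(url_matches(p, url) for p in exception_patterns)
    return listed if mode == "prevent" else not listed


# Constructed rules mirroring the intranet and CRM examples in the text.
INTRANET_COPY = DataControlRule(
    kind="copy", mode="allow", keyed=["wiki.corp.example"],
    warn=["docs.google.com"], exceptions=["twitter.com", "linkedin.com"],
    blocked_kinds={"non_chrome", "incognito"})
CRM_PASTE = DataControlRule(
    kind="paste", mode="block", keyed=["crm.corp.example"],
    exceptions=["crm.corp.example"])

if __name__ == "__main__":
    print(evaluate(INTRANET_COPY, "https://wiki.corp.example/page", "https://twitter.com/compose"))
    print(evaluate(CRM_PASTE, "https://mail.example/inbox", "https://crm.corp.example/deal/4"))
```

Notice that an empty required field makes the rule a no-op rather than a blanket block, which matches the "you must fill in this field" note above, and that the "block, except" variant treats non-Chrome applications, Incognito and other profiles as blocked because it offers no checkbox to exempt them.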
Chrome management for signed-in users
Chrome management for signed-in users
Specifies whether user-level Chrome policies that you set in your Admin console are enforced when users sign in to Chrome with their Google Account on any device. To configure the setting, click Edit. By default, Apply all user policies when users sign into Chrome, and provide a managed Chrome experience is selected.
For backward compatibility, you can let users sign into Chrome as unmanaged users—select Do not apply any policies when users sign into Chrome. Allow users to access Chrome as an unmanaged user. Then, when users sign in to Chrome, they no longer receive user-level policies that you set in the Admin console, including apps and extensions.
Turning Chrome management off and on again might cause some users to experience changes to their account. Before you turn it on again, inform your users. While Chrome management was turned off, users might have signed in as unmanaged users. When the setting is turned back on again, Android apps might be removed or users might no longer be able to sign in multiple people at the same time on ChromeOS devices.
You don't need to turn on Chrome management to apply policies if you manage ChromeOS devices using your Admin console. User-level policies apply to those ChromeOS devices, even if you turn off this setting.
For information about how to set up Chrome browser user-level management, see Manage user profiles on Chrome browser.