Set Chrome policies for users or browsers

Controls how long user sessions last. The remaining session time is shown on a countdown timer in the user's system tray. After the specified time, users are automatically signed out and the session ends.

Enter a value between 1 and 1440 minutes (24 hours). For unlimited sessions, do not enter a value.

You can upload a custom Terms of Service agreement, .txt or .text file, that users must accept before they can sign in to start a session.

Replaces the default avatar with a custom avatar. You can upload images in JPG format (.jpg or .jpeg files) that are no larger than 512 KB. Other file types are not supported.

Replaces the default wallpaper with a custom wallpaper. You can upload images in JPG format (.jpg or .jpeg files) that are no larger than 16 MB. Other file types are not supported.

Specifies the Chrome browser theme color and users can’t change it. Enter the color into the text field in #RRGGBB hexadecimal format.

Left blank, users can change their browser theme color.

Turns on or off QR Code Generator in Chrome.

Specifies whether users can sign in to Chrome browser and sync browser information to their Google Account.

Choose one of these options:

• Disable browser sign-in—Users can’t sign in to Chrome browser or sync browser information to their Google Account.
• Enable browser sign-in—Users can sign in to Chrome browser and sync browser information to their Google Account. Chrome browser automatically signs in users when they sign in to a Google service, such as Gmail.
• Force users to sign-in to use the browser—Forces users to sign in to Chrome browser before they can use it. To prevent secondary users from signing in, use the Separate profile for managed Google Identity setting.

Specifies a regular expression that determines which Google Accounts can be set as browser primary accounts in Chrome browser. For example, the value .*@example\.com restricts sign in to accounts in the example.com domain.

If users try to set a browser primary account with a username that doesn't match your specified pattern, an error is displayed.

Left blank, users can set any Google Account as a browser primary account in Chrome browser.

By default, Enable signin interception is selected. The signin interception dialog is displayed when a Google Account is added on the web, and the user would benefit from moving this account to another new or existing profile.

Select Show the display password button on the login and lock screen to let users make their password visible on ChromeOS devices. Users can click the Show password icon at the end of the password field to reveal the currently typed password. If you select Do not show the display password button on the login and lock screen, users don't see the icon.

Lets users choose a Google Photos image as wallpaper on their ChromeOS devices.

For details, see Change background wallpaper and screen saver.

Controls whether the introduction screen for in-session AI features is displayed during the sign-in flow.

By default, Use the default Chrome behavior is selected—The AI introduction screen is skipped for enterprise-managed users and displayed for unmanaged users.

Only takes effect if the device is being enrolled into the domain for the first time or if the device was previously deprovisioned

Selecting Keep Chrome device in current location means that when you enroll the Chrome OS device, it stays in the top-level organizational unit for your domain and pulls device settings from there.

Selecting Place Chrome device in user organization means that when you enroll the Chrome OS device, the device is placed in the organizational unit that the enrolling user is in. The settings you've applied for that user's organizational unit are applied to the device.

Place Chrome device in user organization is a useful setting if you need to manually enroll many devices. The device settings unique to the user's organizational unit are automatically added to the device, instead of requiring an additional step of manually moving each device into a specific organizational unit after enrollment.

Controls whether users can add an asset ID and location for a device when they enroll it.

• Do not allow for users in this organization—Users don't have the option to enter the asset ID and location.
• Users in this organization can provide asset ID and location during enrollment—Users can enter the asset ID and location of the device.

If you choose to allow users to enter the asset ID and location, the Device information page is shown with pre-existing data for the fields. If no data exists, the fields are blank. Users can edit or enter the device details before they complete enrollment. The information that users enter populates the asset ID and location fields in the Admin console and at chrome://policy.

By default, users in this organizational unit are allowed to enroll a new or re-enroll a deprovisioned device. Enrolling a new device or re-enrolling a deprovisioned device consumes an upgrade. Users can also re-enroll a device that was wiped or factory reset. Re-enrolling a device that was wiped or factory reset doesn't consume a new upgrade because the device is still managed.

Selecting Only allow users in this organization to re-enroll existing devices (cannot enroll new or deprovisioned devices) allows users to only re-enroll devices that were wiped or factory reset, but not deprovisioned. They can’t enroll new or re-enroll deprovisioned devices (anytime an upgrade would be consumed).

Selecting Do not allow users in this organization to enroll new or re-enroll existing devices prevents users from enrolling or re-enrolling any device, which includes re-enrolling through forced re-enrollment.

By default, Allow users to end processes with the Chrome task manager is selected.

If you select Block users from ending processes with the Chrome task manager, users can still open the task manager, but can’t use it to end a process because the End process button is dimmed.

Turns on site isolation for managed Chrome browser users on ChromeOS devices. Isolate websites and origins that you specify.

• Enable site isolation for all websites and any origins below, but allow users to opt out—Every site runs in a dedicated rendering process and all sites are isolated from each other but the user can choose to change this behavior.  (Default setting if you don't specify anything).
• Require site isolation for all websites, as well as any origins below—Every site runs in a dedicated rendering process. All sites are isolated from each other.

You can also enter a list of origins, separated by commas, to isolate them from their respective websites. For example, you could enter https://login.example.com to isolate it from the rest of the https://example.com website.

For details, see Protect your data with site isolation.

Controls how long Chrome keeps browser data, such as history, cookies, and passwords. This setting is useful for users that work with sensitive data.

Warning: Setting this policy can impact and permanently remove local personal data. We recommend testing your settings before deploying to prevent the accidental deletion of personal data. Sync is disabled for the respective data types if the SyncDisabled or the BrowserSignin policies are not disabled.

Chrome deletes expired data 15 seconds after the browser starts, and then every hour while the browser is running. Browser data that is older than the length of time that you specify is automatically deleted. The minimum value that you can specify is 1 hour. Left blank, Chrome never automatically deletes certain types of browsing data.

The browser data types that you can delete are:

• Browsing history
• Download history
• Cookies and other site data
• Cached images and files
• Passwords and other sign-in data
• Autofill form data
• Site settings
• Data cache for hosted apps

Configures the required domain name for remote access clients and prevents users from changing the setting. Only clients from the specified domain can connect to the host device. Left blank, the host allows connections from authorized users from any domain.

Specifies the host domain names that are imposed on remote access hosts, and users can't change them. Hosts can be shared only using accounts that are registered on one of the specified domain names. Left blank, hosts can be shared using any user account.

You can enable the use of Session Traversal Utilities for NAT (STUN) and Relay (TURN) servers when remote clients are trying to establish a connection to the user’s device.

If you select Enable firewall traversal, remote clients can discover and connect to the user’s device even if they are separated by a firewall. The use of relay servers is enabled by default but you can choose to disable them. Relay servers allow a connection to other peers and transfer data without the need for a direct connection when a firewall is in place. To restrict the UDP port range used by the remote access host in the user’s device, in the UDP port range field, enter the range from minimum to maximum. Left blank, any port can be used.

If you select Disable firewall traversal and outgoing UDP connections are filtered by the firewall, the user’s device only allows connections with client machines within the local network.

Select Show sign-out button in tray to show the sign-out button explicitly in the shelf. This setting is useful for users who might need to quickly sign out of a ChromeOS device.

Select Enable Kerberos to use Kerberos tickets on ChromeOS devices to enable single sign-on (SSO) for internal resources that support Kerberos authentication. Internal resources might include websites, file shares, certificates, and so on. For details, go to Configure Kerberos single sign-on for ChromeOS devices.

Specifies whether users can allow Chrome to remember Kerberos passwords, so that they don’t have to enter them again. By default, Allow users to remember Kerberos passwords is selected. Chrome automatically fetches Kerberos tickets unless additional authentication, such as 2-Factor Authentication is required.

Choose Do not allow users to remember Kerberos passwords to never let Chrome remember passwords and remove all previously stored passwords. Users have to enter their password every time they need to authenticate with the Kerberos system.

Determines whether users can add Kerberos accounts. By default, Allow users to add Kerberos accounts is selected. Users have full control over the accounts that they add. So, they can modify or remove them.

Selecting Do not allow users to add Kerberos accounts allows you to add accounts only using policy.

Specifies how ChromeOS connects to the internet.

If you leave the setting at its default Allow user to configure, a direct connection is the default configuration for ChromeOS devices and users can change the proxy configuration in their Chrome settings. If you choose any of the other Proxy mode options, users can't change the configuration.

• Never use a proxy—ChromeOS devices always establish a direct connection to the internet without passing through a proxy server.
• Always auto detect the proxy—Instructs ChromeOS devices to determine which proxy server to connect to using the Web Proxy Autodiscovery Protocol (WPAD).
• Always use the proxy specified below—Sets a specific proxy server for handling requests from users. You'll need to enter the URL of the proxy server in the Proxy server URL field that appears. Format the Proxy Server URL as IP address:port, such as 192.168.1.1:3128.
  If there are any URLs that should bypass the proxy server that handles other user requests, enter them in the URLs which bypass the proxy, one per line field. If you include multiple URLs, separate them by putting one URL per line.
• Always use the proxy auto-config specified below—Inserts the URL of the .pac file that should be used for network connections for the Proxy Server Auto Configuration File URL.

How ChromeOS handles bad proxies

PROXY (foo) is how one names a proxy server in Proxy autoconfiguration scripts. If your first proxy doesn’t work, Chrome will try the second, marking the first as a bad proxy.

Currently, when applying a proxy list resolved through PAC, Chrome can rearrange the proxy choices based on the past availability of the proxy. For instance, when applying "PROXY foo1; PROXY foo2;" Chrome might start by trying foo2 if foo1 timed out the last time it was tried (within the past 5 minutes).

If foo2 succeeds, then Chrome will mark foo1 as a bad proxy and redo the priority of the proxy list by putting foo2 first for every other subsequent request.

For ChromeOS devices, the management URLs require a direct path to the internet. Filtering through proxy can cause unexpected functionality.

Android apps running on ChromeOS

If you have enabled Android Apps on supported ChromeOS devices, a subset of proxy settings is made available to Android apps, which they might voluntarily choose to honor. Typically, apps using Android System WebView or the in-built network stack will do so). If you choose:

• Never use a proxy server—Android apps are informed that no proxy is configured.
• Use system proxy settings or fixed server proxy—Android apps are provided with the http proxy server address and port.
• Auto detect proxy server—The script URL "http://wpad/wpad.dat" is provided to Android apps. No other part of the proxy autodetection protocol is used.
• .pac proxy script—The script URL is provided to Android apps.

Specifies whether ChromeOS can bypass a configured proxy server for captive portal authentication. For example, captive portal pages such as landing or sign-in pages where users are prompted to accept terms or sign in before Chrome detects a successful internet connection.

A configured proxy server can be set:

• In the Admin console using the Proxy mode setting
• By users on their ChromeOS device in chrome://settings
• By apps or extensions that are allowed to set or modify a proxy

When you set this policy to Ignore policies for captive portal pages, Chrome opens captive portal pages in a new window and ignores all settings and restrictions that are configured for the current user. When you set it to Keep policies for captive portal pages, Chrome opens captive portal pages in a new browser tab and applies the current user’s policies and restrictions.

Specifies which HTTP authentication schemes are supported. When a server or proxy accepts multiple authentication schemes, the supported authentication scheme with the highest security is selected. You can override the default behavior by disabling specific authentication schemes.

• Basic—Most insecure method with authentication handled without any encryption.
• Digest—A challenge-response scheme that is more secure than basic authentication.
• NTLM—(NT LAN Manager) A more advanced challenge-response scheme that is more secure than digest.
• Negotiate—The most secure option. We recommend this option if available. Otherwise, we recommend NTLM.

By default, Chrome browser allows Basic authentication challenges over non-secure HTTP connections. If you select HTTPS is required to use Basic authentication scheme, Chrome browser allows Basic authentication challenges over HTTPS only.

Note: If Basic is not specified under Supported authentication schemes, this setting is ignored.

By default, NTLMv2 authentication is turned on. Unless you have backward compatibility issues, we do not recommend turning off this setting. Selecting Disable NTLMv2 authentication reduces the security of authentication.

Selecting Enable SSL record splitting allows SSL record splitting in Chrome. Record splitting is a workaround for a weakness in SSL 3.0 and TLS 1.0 but can cause compatibility issues with some HTTPS servers and proxies.

Specifies the minimum version of Transport Layer Security (TLS) allowed for your users.

Specifies whether users can bypass SSL warnings and proceed to the page.

Allows you to enter the list of domain names where a user can bypass SSL warnings. Users can bypass SSL warnings only on origin domains that are on this list.

Enter a list of URL values, one per line. For example:

For details, see Enterprise policy URL pattern format.

Note: If SSL error override is enabled, this policy is ignored.

Allows you to specify a UDP port range to use for WebRTC connections from the user. The port range is 1024–65535 and the maximum should be greater than or equal to the minimum.

Allows you to add URLs for Web Real-Time Communication Interactive Connectivity Establishment (WebRTC ICE) candidates for local IPs.

Google services call the Chrome API to collect the WebRTC events for customers who have opted in. WebRTC transports data over User Datagram Protocol (UDP).

You must put each URL in a new line. The wildcard character * is allowed.

Patterns you add to this list are matched against the security origin of the requesting URL. If a match is found, the local IP addresses are shown in WebRTC ICE candidates. Otherwise, local IP addresses are concealed with mDNS hostnames.

Allows the Quick UDP Internet Connections (QUIC) protocol to be used in Chrome. QUIC is a transport protocol that reduces latency compared to Transmission Control Protocol (TCP). For details, see Chromium.

Controls the default mode of the remote Domain Name System (DNS) resolution via the HTTPS protocol for each query. DNS-over-HTTPS (DoH) helps to improve safety and privacy while users are browsing the web. For example, attackers are prevented from observing what sites you visit or sending you to phishing websites.

Choose an option:

• Disable DNS-over-HTTPS—Chrome never sends DoH queries to DNS servers.
• Enable DNS-over-HTTPS with insecure fallback—If a DNS server that supports DoH is available, Chrome first sends a DNS-over-HTTPS query. If an error is received or a server that supports DoH isn’t available, Chrome just sends a DNS query to the server instead.
• Enable DNS-over-HTTPS without insecure fallback—Chrome sends DoH queries only to DNS servers.

If you enable DoH, you can add a list of the URI templates of DoH resolvers that you want to make available to your users.

The default setting is Enable DNS-over-HTTPS with insecure fallback. However, sometimes it reverts to Disable DNS-over-HTTPS and users can’t change it. This happens if Chrome detects parental controls or enterprise policies. Chrome detects enterprise policies if:

• You manage Chrome browser on domain-joined computers.
• You have set at least one active policy for Chrome browser.

Specifies whether the built-in DNS client is used in Chrome browser.

The built-in DNS client is enabled by default on macOS, Android and ChromeOS and users can change the setting.

This policy has no effect on DNS-over-HTTPS. To change the DNS-over-HTTPS behavior, see the DNS-over-HTTPS setting.

Cross-Origin Resource Sharing (CORS) lets users access other domains’ resources while protecting your organization from unexpected cross-origin network access.

For Chrome browser and ChromeOS devices with version 79 and later, the new CORS implementation, Out-Of-Renderer CORS, carries out CORS inspections on network requests, including Chrome extensions. Out-Of-Renderer CORS is more strict and secure than previous CORS implementations. For example, modified request HTTP headers that were previously ignored by the CORS protocol are inspected by the Out-Of-Renderer CORS protocol.

Specifies whether Chrome browser can use the legacy CORS protocol, which is less secure and strict than Out-Of-Renderer CORS.

Cross-Origin Resource Sharing (CORS) lets users access other domains’ resources while protecting your organization from unexpected cross-origin network access.

For Chrome browser and devices ChromeOS with version 79 and later, the new CORS implementation, Out-Of-Renderer CORS, carries out CORS inspections on network requests, including Chrome extensions. Out-Of-Renderer CORS is more strict and secure than previous CORS implementations. For example, modified request HTTP headers that were previously ignored by the CORS protocol are inspected by the Out-Of-Renderer CORS protocol.

To make Chrome extensions and specific HTTP headers exempt from CORS inspection, select Enable mitigations.

Specifies the Android VPN app that handles Android and ChromeOS user traffic as soon as users start their devices. For security reasons, virtual private networks (VPNs) don’t apply to system traffic, such as OS and policy updates. If the VPN connection fails, all user traffic is blocked until the VPN connection is re-established. Choose from the list of Android VPN apps that are automatically installed on users’ devices.

Select Do not allow user to disconnect from a VPN manually to prevent users from manually disconnecting from the VPN.

For details, read Set up virtual private networks (Android VPN app).

Specifies which servers are allowed for Integrated Windows Authentication (IWA). When Chrome gets an authentication challenge from a proxy or from a server that is part of this allowed list, integrated authentication is then turned on.

You must separate multiple server names with commas. Wildcards * and , are allowed.

Left blank, Chrome tries to detect if a server is on the intranet. If it is, Chrome will respond to IWA requests. If Chrome detects that a server is on the internet, IWA requests from it are ignored.

Specifies which servers Chrome can delegate to for Integrated Windows Authentication (IWA).

You must separate multiple server names with commas. Wildcards * and , are allowed.

Left blank, Chrome doesn't delegate user credentials, even if a server is detected as on the intranet.

Specifies whether to respect Key Distribution Center (KDC) policy to delegate Kerberos tickets.

Specifies the source of the name used to generate the Kerberos service principal name (SPN).

Specifies whether the generated Kerberos service principal name (SPN) includes a non-standard port.

Specifies whether third-party sub-content on a page is allowed to pop up an HTTP basic authentication dialog box.

Specifies whether websites that are not cross-origin isolated can use SharedArrayBuffers. Chrome version 91 and later requires cross-origin isolation when using SharedArrayBuffers for Web Compatibility reasons.

For details, see SharedArrayBuffer updates.

Specifies the Chrome default referrer policy. A referrer policy controls how much referrer information is included with network requests.

If you select Use Chrome’s default referrer policy, the strict-origin-when-cross-origin policy is used. This policy:

• sends the origin, path, and querystring when performing a same-origin request
• only sends the origin when the protocol security level stays the same while performing a cross-origin request, HTTPS to HTTPS
• sends no header to less secure destinations, HTTPS to HTTP

If you select Set Chrome’s default referrer policy to the legacy referrer policy, the legacy no-referrer-when-downgrade policy is used for network requests. This policy:

• sends the origin, path, and querystring of the URL as a referrer when the protocol security level stays the same, HTTP to HTTP or HTTPS to HTTPS, or improves HTTP to HTTPS
• sends no header to less secure destinations, HTTPS to HTTP

Specifies whether the Chrome browser can actively make requests that include information about the user's browser and environment. Servers can then enable analytics and customize the response. By default, Allow User-Agent client hints is selected.

These granular request headers might break some websites that restrict the characters included in some requests.

By default, Accept web contents served as Signed HTTP Exchanges is selected to safely make content portable or available for redistribution by other parties, while keeping the content’s integrity and attribution.

Configures a single global per profile cache with HTTP server authentication credentials.

• (Default) HTTP authentication credentials are scoped to top-level sites—For version 80 and later, Chrome scopes HTTP server authentication credentials by top-level site. If two sites use resources from the same authenticating domain, credentials need to be provided independently in the context of both sites and cached proxy credentials are reused across sites.
• HTTP authentication credentials entered in the context of one site will automatically be used in the context of another—This can leave sites open to some types of cross-site attacks. It also allows users to be tracked across sites, even without cookies, by adding entries to the HTTP authentication cache using credentials embedded in URLs.

This policy is intended to give organizations depending on the legacy behavior a chance to update their sign-in procedures, and will be removed in the future.

Specifies whether Chrome always performs revocation checks for successfully validated server certificates signed by locally installed CA certificates. If Chrome can't get any revocation status information, it treats these certificates as revoked.

The default is Use existing online revocation-checking settings.

Some proxy servers can't handle a high number of concurrent connections per client. Specify the maximum number of concurrent connections to the proxy server. The value should be lower than 100 but higher than 6. Some web apps are known to consume many connections with hanging GETs. The default value is 32. Setting a value below 32 might cause the browser network to freeze if there are too many web apps already open with hanging connections.

Specifies which GSSAPI (Generic Security Service Application Program Interface) library Chrome should use for HTTP authentication. Set the policy to either a library name or a full path such as GSSAPILibraryName or libgssapi_krb5.so.2. Left blank, Chrome uses a default library name.

Specifies a list of hostnames that bypass the HTTP Strict Transport Security (HSTS) policy check. The HSTS policy forces web browsers to interact with websites only via secure HTTPS connections and never HTTP connections.

Only enter single-label hostnames; one per line. Hostnames must be canonicalized, any IDNs must be converted to their A-label format, and all ASCII letters must be lowercase. This policy only applies to the hostnames specified, and not to subdomains of those hostnames.

Specifies the type of accounts that are provided by the Android authentication app which supports HTTP Negotiate authentication. Authentication apps generate security codes for signing into sites that require a high level of security. For example, Kerberos authentication. This information should be provided by the supplier of the authentication app. For details, see The Chromium Projects.

By default, Perform DNS interception checks is selected. DNS interception checks perform a check on the browser to see if it is behind a proxy that redirects unknown host names.

This policy is temporary and will be removed in a future version of Chrome.

Allows legacy TLS (Transport Layer Security) and Datagram Transport Layer Security (DTLS) downgrades in Web Real-Time Communications (WebRTC).

By default, Disable WebRTC peer connections downgrading to obsolete versions of the TLS/DTLS (DTLS 1.0, TLS 1.0 and TLS 1.1) protocols is selected. So, these TLS/DTLS versions are disabled.

Turn on or off WPAD (Web Proxy Auto-Discovery) optimization in Chrome.

WPAD allows a client, such as Chrome browser, to automatically locate and interface with cache services in a network. Information can then be delivered more quickly to the user.

The default is Enable Web Proxy Auto-Discovery (WPAD) optimization. If you select Disable Web Proxy Auto-Discovery (WPAD) optimization, Chrome must wait longer for DNS-based WPAD servers.

Users cannot change the WPAD optimization setting.

Specifies whether usernames and passwords are used to authenticate to a managed proxy secured with NTLM authentication.

If you choose Use login credentials for network authentication to a managed proxy case, and authentication fails, users are prompted to enter their username and password.

Permits bypassing the list of restricted ports built into Google Chrome by selecting one or more ports that outgoing connections are permitted on.

Ports are restricted to prevent Google Chrome being used as a vector to exploit network vulnerabilities. Setting this policy can expose your network to attacks. This policy is intended as a temporary workaround for errors with code ERR_UNSAFE_PORT when migrating a service running on a blocked port to a standard port such as port 80 or 443.

If you do not not set this policy, all restricted ports are blocked. If there are both valid and invalid values selected, the valid ones values are applied.

This policy overrides the --explicitly-allowed-ports command-line option.

Specifies if Chrome follows the default rollout process for Combined Elliptic-Curve and Post-Quantum 2 (CECPQ2), a post-quantum key-agreement algorithm in Transport Layer Security (TLS).

CECPQ2 helps evaluate the performance of post quantum key-exchange algorithms on users' devices.

CECPQ2 results in larger TLS messages which, in very rare cases, can trigger bugs in some networking hardware. You can disable CECPQ2 while networking issues are being resolved.

Google plans to gradually reduce, in a phased manner, the granularity of available information in the User-Agent header field. Use this setting to help with website testing and compatibility. You can turn on or off reduction for all origins. Or, you can let reduction be controlled via field trials and origin trials.

For details about User-Agent Reduction and its timeline, read the Chromium blog.

When ChromeOS or Chrome browser’s major version contains a 3-digit User Agent string, instead of 2 digits, some apps and websites might stop working. For Chrome version 100 or later, forcing Chrome to keep 99 as the major version in the User-Agent string might prevent User-Agent issues.

Choose an option:

• Default to browser settings for User-Agent string—(Default) Users can choose whether to freeze the major version in the User-Agent string.
• Do not freeze the major version—Chrome never freezes the major version in the User-Agent string.
• Freeze the major version as 99—Sets the Chrome major version to 99 in the User-Agent string, and forces the actual major version number to the minor version position.
  So, instead of Chrome reporting User Agent string, <major_version>.<minor_version>.<build_number>.<patch_number>, it reports 99.<major_version>.<build_number>.<patch_number>, where the minor version is omitted.
  Example, Chrome version 100.0.1234.56 reports as 99.100.1234.56.

Allows users to back up content, data, and settings from Android apps to their Google Account. When users sign in to another ChromeOS device, they can restore their Android app data.

Specifies whether Android apps on ChromeOS devices are allowed to use Google location services to search the device location and send anonymous location data to Google during initial setup. After initial setup, users can turn on or off location services.

Choose one of the options:

• Disable location services during initial setup for Android apps on ChromeOS—This is the default. Android apps cannot use location services during initial setup.
• Allow the user to decide whether to use location services for Android apps on ChromeOS during initial setup—Users are prompted to allow Android apps to use location services during initial setup.

Note: The Google location services setting has no effect if Geolocation is set to Do not allow sites to detect users’ geolocation. Read about the Geolocation setting

Deprecated. Chrome version 75 and earlier.

By default, users can add a secondary account (for example, their personal Gmail account) to get access to more Android apps than just the ones you explicitly approved for managed Google Play. To stop users from adding a second Google Account, check the Google account box.

By default, ChromeOS Certificate Authority (CA) certificates are not synchronized to Android apps. To make them available to Android apps, select Enable usage of ChromeOS CA certificates in Android apps.

By default, ChromeOS lets Android apps use Android’s built-in sharing system to share text and files to supported web apps. Metadata for installed web apps is sent to Google to generate and install a shim Android app on the ChromeOS device. To prevent this, select Disable Android to Web Apps sharing.

Controls the default behavior for opening links—either using an Android app or Chrome browser. By default, Open links in Android apps by default is selected.

Regardless of the default behavior that you select, users can still change their preferred supported link behavior on their ChromeOS devices at SettingsAppsManage your apps.

Note: For consumers, links open in Chrome browser by default.

Example

A managed user has installed the Google Maps Android app from the Google Play Store on their ChromeOS device. While using Google Docs, they open a link that starts with https://www.google.com/maps/—By default, the URL opens using the Google Maps Android app. To change the default behavior, select Open links in Chrome browser by default.

Specifies whether the Home button appears on the toolbar. This policy corresponds to the user setting Show Home button in their Chrome Settings. 

Controls what users see when they click the Home button on the toolbar. You can select Allow user to configure (default), Homepage is always the new tab page, or Homepage is always the URL set below.

To set a URL, enter the URL in the Homepage URL field.

Specifies a URL for the new tab page and users can't change it. Left blank, the browser’s default page is used.

By default, Show content suggestions on the New Tab page is selected. So, Chrome displays automatically generated content suggestions on the New Tab page, based on user browsing history, interests, or location.

By default, users can customize the background on the New Tab page.

Selecting Do not allow users to customize the background on the New Tab page prevents users from customizing the New Tab page background. Existing custom backgrounds are permanently removed, even if you later revert to Allow users to customize the background on the New Tab page.

If you are a Microsoft Windows administrator, turning this setting on only works for machines running Windows 7. For later versions, see Make Chrome default browser (Windows 10).

Specifies the default browser checks in Chrome.

• Allow the user to decide (default)—Users can select Chrome browser as the default browser. If it is not the default browser, users can choose whether notifications are shown asking them to select Chrome browser as the default browser.
• Attempt to register Chrome as the default browser during startup if it is not already—Chrome browser always checks if it's the default browser on device startup and, if possible, automatically registers itself.
• Prevent Chrome from checking if it is the default browser during startup if it is not already and turn off user controls to make it the default browser—Chrome browser never checks if it's the default browser and prevents users from making it the default browser.

Specifies whether the profile picker is enabled, disabled or forced on browser startup. Choose an option:

• Allow the user to decide—The profile picker is shown at startup by default, but users can disable it.
• Do not show profile picker at browser startup—The profile picker is never shown, and users cannot change the setting.
• Always show profile picker at browser startup—The profile picker is always shown, even if there is only one profile available.

By default, the profile picker is not shown where:

• the browser starts in guest or incognito mode
• a profile directory or URLs are specified by command line
• an app is explicitly requested to open
• the browser was launched by a native notification
• there is only one profile available
• or where the ForceBrowserSignin policy is set to true

Lets users import autofill form data from the default browser to Chrome browser on first run. Choose an option:

• Enable imports of autofill data—Automatically imports autofill form data. Users can reimport later.
• Disable imports of autofill data—Autofill form data isn't imported on first run, and users can't manually import it.
• Allow the user to decide—Users can choose whether to manually import autofill form data.

Lets users import bookmarks from the default browser to Chrome browser on first run. Choose an option:

• Enable imports of bookmarks—Automatically imports bookmarks. Users can reimport later.
• Disable imports of bookmarks—Bookmarks aren't imported on first run, and users can't manually import them.
• Allow the user to decide—Users can choose whether to manually import bookmarks.

Lets users import browsing history from the default browser to Chrome browser on first run. Choose an option:

• Enable imports of browsing history—Automatically imports browsing history. Users can reimport later.
• Disable imports of browsing history—Browsing history isn't imported on first run, and users can't manually import it.
• Allow the user to decide—Users can choose whether to manually import browsing history.

Lets users import homepage settings from the default browser to Chrome browser on first run. Choose an option:

• Enable imports of homepage—Automatically imports homepage settings. Users can reimport later.
• Disable imports of homepage—Homepage settings aren't imported on first run, and users can't import manually them.
• Allow the user to decide—Users can choose whether to manually import homepage settings.

Lets users import saved passwords from the default browser to Chrome browser on first run. Choose an option:

• Enable imports of saved passwords—Automatically imports saved passwords. Users can reimport later.
• Disable imports of saved passwords—Saved passwords aren't imported on first run, and users can't manually import them.
• Allow the user to decide—Users can choose whether to manually import saved passwords.

Lets users import search engine settings from the default browser to Chrome browser on first run. Choose an option:

• Enable imports of search engines—Automatically imports search engine settings. Users can reimport later.
• Disable imports of search engines—Search engines settings aren't imported on first run, and users can't manually import them.
• Allow the user to decide—Users can choose whether to manually import search engine settings.

SafeSearch for Google Search queries

Turns on or off SafeSearch, which filters explicit content, including pornography, in user search results.

For K-12 EDU domains, the default is Always use Safe Search for Google Web Search queries. Users must use SafeSearch.

For all other domains, the default is Do not enforce Safe Search for Google Web Search queries.

For more details, see Lock SafeSearch for devices & networks you manage.

Restricted Mode for YouTube

Before you set restrictions on YouTube, we recommend updating to the latest stable version of Chrome.

• Do not enforce Restricted Mode on YouTube (default).

• Enforce at least Moderate Restricted Mode on YouTube—Forces users to use Restricted mode. The mode algorithmically limits which videos are viewable based on their content.

• Enforce Strict Restricted Mode for YouTube—Forces users to use Strict Restricted mode to further limit available videos.

For details on restriction levels, see Manage your organization's YouTube settings.

Controls whether users in your organization can take screenshots on ChromeOS devices. The policy applies to screenshots taken by any means, including the keyboard shortcut and apps and extensions that use the Chrome API to capture screenshots.

If you enable Android apps on supported ChromeOS devices in your organization, screenshot policies also apply to those devices.

Controls whether specific websites are allowed to prompt users to live stream a tab, window, or their entire screen.

If you set the policy to Do not allow sites to prompt the user to share a video stream of their screen, sites that match the URL patterns that you specify in this setting are allowed to prompt users to share.

URLs that you specify in the lists below are matched against the origin of the requesting URL. Paths in the URL pattern are ignored. For details on valid URL patterns, see Enterprise policy URL pattern format.

Allow tab video capture (same site only) by these sites

Specifies sites that can prompt users to live stream a tab with their same origin. Sites that match the URL pattern that you specify in this field are ignored in the three subsequent fields.

Allow tab video capture by these sites

Specifies sites that can prompt users to live stream a tab. Sites that match the URL pattern that you specify in this field are ignored in the two subsequent fields. Similarly, this policy is ignored on sites that match the URL pattern in the field above.

Allow tab and window video capture by these sites

Specifies sites that can prompt users to live stream a window and tab. Sites that match the URL pattern that you specify in this field are ignored in the next field. Similarly, this policy is ignored on sites that match the URL pattern in the two fields above.

Allow tab, window, and desktop video capture by these sites

Specifies sites that can prompt users to live stream an entire screen, window, or tab. This policy is ignored on sites that match the URL patterns in the three fields above.

Controls whether websites are allowed to prompt users to live stream a tab, window, or their entire screen.

• Allow sites to prompt the user to share a video stream of their screen—This is the default. Webpages can use screenshare APIs, such as getDisplayMedia() and the Desktop Capture extension API, to prompt users to share.
• Do not allow sites to prompt the user to share a video stream of their screen—Screenshare APIs fail with an error. However, if a particular site matches one of the URLs that you specify in Screen video capture allowed by sites, webpages are allowed to prompt users to share. See Screen video capture allowed by sites.

Specifies whether users can share the current webpage using Chrome browser’s sharing hub. Users can access the sharing hub by clicking Share  in the address bar or More  at the top right of their browser window. If you choose Disable desktop sharing hub, users no longer see the sharing icon in the sharing hub.

Allows you to specify a list of URL patterns (as a JSON string) for which sites Chrome automatically selects for client certificates. If set, Chrome skips the client certificate selection prompt for matching sites if a valid client certificate is installed. If this policy is not set, auto-selection won’t be done for websites that request certificates.

The ISSUER/CN parameter specifies the common name of the certification authority that client certificates must have as their issuer to be autoselected.

How to format the JSON string:

{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}

Example JSON string:

{"pattern": "https://[*.]ext.example.com", "filter": {}}
{"pattern": "https://[*.]corp.example.com", "filter": {}}
{"pattern": "https://[*.]intranet.usercontent.com", "filter": {}}

Specifies URLs and domains for which no prompt is shown when the device requests attestation certificates from security keys.

Controls whether Chrome browser allows webpages to use the Web-based Graphics Library (WebGL) API and plugins. WebGL is a software library that enables JavaScript to allow it to generate interactive 3D graphics.

Default cookie setting

Sets whether websites are allowed to store browsing information, such as your site preferences or profile information.

This setting corresponds to a user’s cookie options in Chrome Settings. You can allow the user to configure the option. Or, you can specify that cookies are always allowed, never allowed, or kept only for the duration of a user's session.

Allow cookies for URL patterns

Allows you to specify a list of URL patterns of sites that are allowed to set cookies. For example, you can put URLs in the following formats on separate lines:

• "http://www.example.com"
• "[*.]example.edu"

If this policy is not set, what you specify under Default cookie setting is the global default or a user can set their own configuration.

Block cookies for URL patterns

Allows you to specify a list of URL patterns of sites that are not allowed to set cookies. For example, you can put URLs in the following formats on separate lines:

• "http://www.example.com"
• "[*.]example.edu"

If this policy is not set, what you specify under Default cookie setting is the global default or a user can set their own configuration.

Allow session-only Cookies for URL patterns

Allows you to specify a list of URL patterns of sites that are allowed to set session-only cookies. You can put URLs in the following formats on separate lines:

• "http://www.example.com"
•  "[*.]example.edu"

The cookies after these sessions are deleted. If this policy is not set, what you specify under Default cookie setting is the global default, or a user can set their own configuration.

Allows or blocks third-party cookies. By default, users are allowed to decide.

Developers use the SameSite setting to prevent browsers from sending cookies with cross-site requests.

For Chrome browser version 80 and later, the SameSite setting is more strict than previous implementations. Cookies are protected from external access unless developers use the SameSite=None; Secure setting to allow cross-site access over HTTPS connections only.

You can temporarily revert Chrome browser to the legacy behavior, which is less secure. That way, users can continue to use services that developers have not yet updated, such as single sign-on and internal applications.

Choose an option:

• Revert to legacy SameSite behavior for cookies on all sites—Cookies with the setting configured as SameSite=None do not require the Secure attribute. Cookies that don't specify a SameSite attribute are treated as if they are set to SameSite=None. So, third-party cookies can continue to track users across sites.
• Use SameSite-by-default behavior for cookies on all sites—For cookies that don't specify a SameSite attribute, how Chrome browser treats cookies depends on the default behavior specified in Chrome browser.

To see how Chrome browser treats cookies that don't specify a SameSite attribute:

1. On a managed computer, open Chrome browser.
2. In the address bar at the top, type chrome://flags.
3. Press Enter.
4. For #same-site-by-default-cookies, read the description and check to see if the flag is turned on or off.

Developers use the SameSite setting to prevent browsers from sending cookies with cross-site requests.

For Chrome browser version 80 and later, the SameSite setting is more strict than previous implementations. Cookies are protected from external access unless developers use the SameSite=None; Secure setting to allow cross-site access over HTTPS connections only.

You can specify the domains that you want Chrome browser to temporarily revert to the legacy behavior, which is less secure. Don’t specify schemes or ports. Cookies with the setting configured as SameSite=None no longer require the Secure attribute. Cookies that don't specify a SameSite attribute are treated as if they are set to SameSite=None. As a result, third-party cookies can continue to track users across specific sites.

If no domains are listed, the Default legacy SameSite cookie behavior setting specifies how cookies are treated. Otherwise, how Chrome browser treats cookies might vary, depending on the default behavior specified in Chrome browser.

Specifies whether websites are allowed to display images. For Show images on these sites and Block images on these sites, put one URL pattern on each line.

Specifies whether websites are allowed to run JavaScript. If you select Do not allow any site to run JavaScript, some sites might not work properly.

Suspends JavaScript timers for tabs opened in the background and not used for 5 minutes or more. For these tabs, timers only execute their code once a minute. This can decrease CPU load and battery power consumption.

The default is Allow throttling of background javascript timers to be controlled by Chrome’s logic and configurable by users. The policy is controlled by its own internal logic and can be manually configured by users.

If you select Force throttling of background javascript timers or Force no throttling of background javascript timers, the policy is force enabled or force disabled and users cannot override the option.

The policy is applied per webpage, with the most recently set option applied when a webpage is loaded. The user must perform a full restart for the policy setting to be applied to all loaded tabs. It is harmless for webpages to run with different values of this policy.

You can specify whether Google Chrome allows sites to run the v8 JavaScript engine with the Just In Time (JIT) compiler enabled. JIT compilation is a way of executing computer code using compilation during, not before, the execution of a program.

Choose an option:

• Allow sites to run JavaScript JIT (default)—Web content might render more slowly and parts of JavaScript, including WebAssembly, might be disabled. 
• Do not allow sites to run JavaScript JIT—Web content might be rendered in a more secure way.

You can also add specific URLs that you want to allow or block from running JavaScript JIT.  For information on valid URL patterns, see Enterprise policy URL pattern format.

Specifies whether websites are allowed to display desktop notifications.

You can allow or block notifications or ask the user each time a website wants to show desktop notifications.

Note: With Chrome version 64 and later, JavaScript alerts are no longer allowed to interrupt users. Apps that previously used alerts, such as Google Calendar, can send notifications instead. To allow this, in the Allow these sites to show notifications box, add calendar.google.com.

Specifies a list of URL patterns of pages that are allowed to automatically play video content with sound, without user consent. If you change this setting while users are running Chrome, it only applies to newly opened tabs.

For information about valid url patterns, see Enterprise policy URL pattern format.

You can register a list of protocol handlers that are included with any protocol handlers the user registers, so both sets available for use. 

A protocol handler is an application that can handle particular types of links. For example, mailto: links are handled by a mail client protocol handler. When the user clicks a mailto: link, the browser opens the application selected as the handler for the mailto: protocol.

For example, to set up a mail client protocol handler:

1. Under Configure default protocol handlers for your users, click .
2. In the URL field, enter the URL pattern of the application that handles the protocol scheme. The pattern must include a %s placeholder that the handled URL replaces. URLs must also have an HTTPS scheme, for example, https://example.com.
3. From the Protocol list, select mailto. 
4. Click Save.

Note: The Custom Protocol field is only used if you select the web+ protocol.

Users cannot remove a protocol handler that you add using this setting. However, by installing a new default handler themselves, they can then select that protocol handler as the default.

In 2021, Chrome ended support for the Adobe Flash Player plugin.

Visit the Chrome blog to learn more.

Sets whether websites are allowed to run outdated plugins such as Adobe Flash Player on their Chrome browser or ChromeOS device. Plugins are used by websites to enable certain types of web content that Chrome browser can't process.

Specifies how PDF files are opened in Google Chrome.

Chrome downloads PDF files and lets users open them with the system default application—The internal PDF viewer is turned off in Google Chrome, and PDF files are downloaded for users to open with the default application.

Chrome opens PDF files, unless the PDF plugin is turned off—Chrome opens all PDF files unless users have turned off the PDF plugin.

Auto open file types

Specifies a list of file types that automatically open after download. If Safe Browsing is turned on, files are still checked and only open after they pass. Left blank, only file types that users allow can automatically open.

Don’t include the leading separator. For example, just type txt for .txt files.

For Microsoft Windows, machines need to be joined to a Microsoft Active Directory domain, running on Windows 10 Pro, or enrolled in Chrome Enterprise Core.

For macOS, machines need to be managed using MDM or joined to a domain with MCX.

Auto open URLs

Specifies a list of URL patterns of pages that are allowed to automatically open the file types that you specify in Auto open file types.

This setting has no effect on file types that users choose to automatically open.

If you specify one or more URL patterns, Chrome automatically opens files that match both the URL pattern and file type. Chrome also continues to automatically open file types that users allow.

Left blank, Chrome automatically opens file types that you specify in Auto Open file types, no matter what URL they downloaded from.

For URL syntax, see URL blocklist filter format.

Sets whether websites are allowed to show pop-ups. If the browser blocks pop-ups for a site, users see and can click Blocked on the address bar to see the pop-ups that have been blocked.

In Chrome browser version 91 or later, Chrome prevents iframes from triggering prompts (window.alert, window.confirm, window.prompt) if the iframe is a different origin from the top-level page. So, embedded content can’t spoof users into believing that a message is coming from the website they're visiting, or from Chrome browser.

Select Allow JavaScript dialogs triggered from a different origin subframe to revert to the previous behavior.

Specifies whether websites are allowed to show pop-ups while the website is unloading.

A web page unloads when:

• The user clicks a link to leave the page
• The user types a new URL in the address bar
• The user clicks the forward or back buttons
• The browser window is closed
• The page is reloaded

If the browser blocks pop-ups for a site, users see and can click Blocked on the address bar to see the pop-ups that have been blocked.

Blocked URLs

Prevents Chrome browser users from accessing specific URLs.

To configure this setting, enter up to 1,000 URLs on separate lines.

Blocked URL exceptions

Specifies exceptions to the list of blocked URL.

To configure the setting, enter up to 1,000 URLs on separate lines.

Examples

Using blocked URL lists with Android apps

If you enable Android apps on supported ChromeOS devices in your organization, the blocked URLs list and blocked URL exceptions are not honored by apps that use Android System WebView. To enforce a blocklist on these apps, define the blocked URLs in a text file (see below). Then, apply the blocklist to the Android apps. For details, see Apply managed configurations to an Android app.

The following example shows how to define a blocked URL:

{ "com.android.browser:URLBlocklist": "[\"www.solamora.com\"]" }

For apps that don’t use Android System WebView, consult the app documentation for information on how to restrict access in a similar way.

Lets you configure whether users can sync with Google Drive on their ChromeOS device. You can enable or disable Drive syncing or let users choose.

This setting has no effect on the Google Drive Android app on ChromeOS. To completely disable any syncing to Google Drive, configure this policy and do not allow the Google Drive Android app to be installed on supported ChromeOS devices. For details, see Deploy Android apps to managed users on ChromeOS devices.

Lets you configure whether or not users can sync with Google Drive over a cellular connection on their ChromeOS device. This policy has no effect on the Google Drive Android app on ChromeOS.

Allow users to cast from Chrome

Decide if users can use a Chromecast device to cast from a Chrome tab.

Restrict Google Cast to connect to Cast devices only on RFC1918/RFC4193 private addresses

You can specify how Google Cast connects to Cast devices based on their IP addresses.

Choose from one of the following options:

• Enable restrictions, unless the CastAllowAllIPs feature is turned on—Allows Google Cast to connect only to devices on private IP addresses, unless the CastAllowAllIPs feature on devices is turned on.
• Disable restrictions (allow all IP addresses)—Allows Google Cast to connect to devices on all IP addresses, not just RFC1918/RFC4193 private addresses.
• Enable restrictions—Allows Google Cast to only connect to devices on private IP addresses.

If you don't let users cast, you can't configure this policy.

Show Cast icon in the toolbar

Specify whether Cast appears on the browser toolbar in Chrome. If you select Always show the Cast icon in the toolbar, it always appears on the toolbar or overflow menu and users can't remove it.

If you don't let users cast, you can't configure this policy. The Cast icon doesn't appear on the toolbar.

Supported on Chrome version 80 to 83 inclusive

Specifies how Chrome browser and ChromeOS devices treat insecure HTTP audio, video, and image mixed content.

By default, Chrome uses strict treatment for mixed content. On HTTPS sites:

• Audio and video are automatically upgraded from HTTP to HTTPS.
• There is no fallback if audio or video is not available over HTTPS.
• Chrome shows a warning in the URL bar for pages that contain images.

Select Do not use strict treatment for mixed content to prevent Chrome from automatically upgrading audio and video to HTTPS and show no warning for images.

For Chrome browser and ChromeOS devices, Google has started to automatically block mixed content. So, in future https:// pages will only load secure https:// resources, not http:// resources. For details about the roll-out plan, see this Chromium blog.

Selecting Allow users to add exceptions to allow blockable mixed content lets users specify certain pages that can run active mixed content. Otherwise, users can’t load active mixed content, such as scripts and iframes. Chrome does not automatically upgrade optionally-blockable mixed content from HTTP to HTTPS on sites users add as exceptions.

To run pages with active mixed content, tell users to:

1. On your computer, open Chrome.
2. At the top right, click More Settings.
3. Under Privacy and security, click Site settings.
4. Scroll to Insecure content.
5. For Allow, click Add.
6. Add URLs of the pages that you want to allow.

Note: URLs that you specify in the Allow insecure content on these sites and Block insecure content on these sites settings take precedence over this setting.

Specifies a list of pages that can display active mixed content, such as scripts and iframes. Also, Chrome does not automatically upgrade optionally-blockable, or passive, mixed content from HTTP to HTTPS. Passive mixed content includes images, audio, and video.

For information on valid URL patterns, see Enterprise policy URL pattern format.

Specifies a list of pages that cannot display active mixed content, such as scripts and iframes. Also, Chrome automatically upgrades optionally-blockable, or passive, mixed content from HTTP to HTTPS. Chrome does not load passive mixed content that fails to load over https://. Passive mixed content includes images, audio, and video

For information on valid URL patterns, see Enterprise policy URL pattern format.

Controls whether and how websites can make requests to more-private network endpoints.

• Allow the user to decide (default)—Requests to more-private network endpoints follow the Private Network Access web specification. The requesting website must be secure and the user must opt into receiving the request. Exact behavior depends on the user's personal configuration for several feature flags which can be set by field trials or on the command-line, including  BlockInsecurePrivateNetworkRequests, PrivateNetworkAccessSendPreflights and PrivateNetworkAccessRespectPreflightResults.
• Websites are allowed to make requests to any network endpoint in an insecure manner—This is subject to other cross-origin checks.

For information on valid URL patterns, see Enterprise policy URL pattern format.

Secure websites

A website is considered secure when it meets certain minimum standards of authentication and confidentiality defined in the Secure Contexts specification. For more detail, see Secure contexts. If it does not meet the standards outlined, it is considered insecure.

Private network endpoints

A network endpoint is considered more private than another if:

• Its IP address is localhost and the other is not.
• Its IP address is private and the other is public.

Controls how Chrome treats insecure forms, forms that submit over HTTP, that are embedded in secure HTTPS websites.

By default, Show warnings and disable autofill on insecure forms is selected. So, users see a full page warning when an insecure form is submitted. In addition, users see a warning bubble next to the form fields when they’re focused and autofill is turned off for those forms.

Selecting Do not show warnings or disable autofill on insecure forms prevents warnings from being shown for insecure forms and users can use autofill.

This policy will be removed after Chrome 84.

Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were deprecated in 2018. They are disabled by default in Chrome version 80 and later. For Chrome browser and ChromeOS devices with version 80 to 84 inclusive, select Re-enable Web Components v0 API to temporarily re-enable the APIs for all sites.

This policy was removed in Chrome 99.

Specifies whether pages can send synchronous XMLHttpRequest (XHR) requests during page dismissal. For example, when users close tabs, quit the browser, type a new entry in the address bar, and so on.

Chrome browser detects window occlusion when a browser window is covered by another window. If that happens, Chrome browser does not paint pixels on the covered page. Showing blank white pages helps to reduce CPU and power consumption.

Select Disable detection of window occlusion to prevent Chrome browser on Microsoft Windows devices from showing blank pages when they’re covered.

This policy will be removed after Chrome 84

Starting in Chrome version 83, we are refreshing standard form control elements, such as <select>, <button>, and <input type=date>. This will help to improve accessibility and platform uniformity.

For Chrome browser and ChromeOS devices with version 83 and 84, select Use legacy (pre-M81) form control element for all sites to temporarily revert to legacy form control elements. Otherwise, updated form control elements are used as they are launched in Chrome versions 83 and 84.

Specifies whether users can follow links that scroll to a text fragment on a webpage.

If you enable this setting, hyperlinks and address bar URL navigations can target specific text within a webpage. When the webpage is fully loaded it then scrolls to that text.

You can specify whether URL-keyed anonymized data collection is performed for user and browser sessions or managed guest sessions.

User and browser sessions

For Chrome browser and ChromeOS devices, URL-keyed anonymized data collection sends Google the URL of each site the user visits to make searching and browsing better.

If this policy is not set, it is active by default, but the user can change it.

Managed guest sessions

If you turn the setting on for managed guest sessions, URL-keyed metrics are collected for force-installed apps. If this policy is not set it is active by default, and the user cannot change it.

Specifies whether page load metadata and machine learning models that enhance the browsing experience are fetched. If you disable this setting some features might not work appropriately.

AppCache is a deprecated web feature allowing websites to save data offline. Removed from Chrome in version 89 and AppCache fully deprecated at that time. Learn more about AppCache deprecation.

Specifies whether websites can request access to bluetooth devices via the Web Bluetooth API.

The default is Allow the user to decide, where websites request access to nearby Bluetooth devices and the user can decide to allow or block this access.

Controls whether or not the Always open box is shown on external protocol launch confirmation prompts. If the user clicks a link with a protocol, a dialog is displayed asking if they want to use an app instead. When the policy is enabled, a box is displayed in the dialog.

If the user checks the box, future prompts asking to use the app for similar requests are skipped. If the policy is disabled, the box does not appear and users can't skip the confirmation prompts.

When enabled the Back-Forward cache feature stores the exact state of a webpage. When navigating away from a page, its current state might be preserved in the back-forward cache. When a browser’s back button is clicked, the page might load from cache and restore the page, allowing for quick navigation back and forth.

This feature might cause issues for some websites that do not expect this caching. Specifically, some websites depend on the "unload" event being dispatched when the browser navigates away from the page. The "unload" event will not be dispatched if the page enters the back-forward cache.

If this policy is set to enabled or is not set, the feature will be enabled.

By default, the PDF viewer can annotate PDFs on ChromeOS devices.

This setting is temporary and will be removed in a future version of Chrome. 

Cross-origin WebAssembly module sharing will be removed after Chrome 95. You can use this setting to re-enable cross-origin WebAssembly module sharing, providing a longer transition period in the deprecation process. 

The default is to prevent cross-origin WebAssembly module sharing and sites can only send WebAssembly modules to windows and workers in the same origin.

You can enable or disable printing. When printing is disabled, a user won’t be able to print from the Chrome menu, extensions, JavaScript applications, and so on.

This policy has no effect on Android apps running on ChromeOS.

Specifies whether available privet printers appear in the print preview dialog.

Settings also available for Managed guest session devices.

Default printer selection

To use the default system printer as the default printer for Chrome, select Use default print behavior.

To define a default printer for users, select Define the default printer. When a user prints, the ChromeOS device tries to find a printer that matches the printer type and ID or name you specify. It then selects it as the default printer.

This policy has no effect on Android apps running on ChromeOS.

Printer Types

Select the type of printer to search for and use as the default printer. To search for all types, select Cloud & Local.

Printer Matching

Select if you want to search for printers by name or ID.

Default Printer

Specify a regular expression that matches the name or ID of the printer that you want to use as the default printer. The expression is case-sensitive. Printing defaults to the first printer that matches the name. For example:

• To match a printer named Solarmora Lobby, enter Solarmora Lobby.
• To match a printer in solarmora-lobby-1 or solarmora-lobby-2, enter solarmora-lobby-.$.
• To match a printer in solarmora-lobby-guest or solarmora-partner-guest, enter solarmora-.*-guest.

This policy has no effect on Android apps running on ChromeOS.

Lets you push a list of bookmarks for the convenience of users on Chrome on all platforms, including mobile devices. On Chrome devices and Chrome browser, the bookmarks appear in a folder on the bookmark bar. The user cannot modify the contents of this folder but can choose to hide it from the bookmark bar. For details, see Manage bookmarks.

Note: You can add managed bookmarks up to a maximum size of 500KB.

Determines whether users see a bookmark bar. Allow the user to decide is the default setting.

Specifies the position of the row of apps, also called the shelf, on users’ ChromeOS devices.

Specifies whether the row of apps, also called the shelf, automatically hides on users’ ChromeOS devices.

If you select Always auto-hide the shelf, users need to move the pointer to the side of the screen where the shelf is positioned to see their apps, bookmarks, and so on.

If you select Allow the user to decide, users can right-click the shelf and check or uncheck Autohide shelf.

Allows users to add, edit, or remove items from their Chrome bookmarks bar.

Specifies whether users can see the apps shortcut in their bookmark bar.

Specifies whether users are asked where they want to save each file before they download it. Choose an option:

• Allow the user to decide—Lets users choose whether they want to specify a location for each download. To adjust download settings, users open Chrome and go to MoreSettingsAdvancedDownloads.
• Do not ask the user (downloads start immediately)—Downloads files to the default download location without asking users where to save them. To set the default download location, configure the Download location setting.
• Ask the user where to save the file before downloading—Lets users choose a specific location for each download.

Specifies whether the new download bubble UI is displayed in Google Chrome.

The download bubble is enabled by default and if you disable it, the old download shelf UI is displayed.

Determines whether users can use spell check. Choose one of the options:

• Allow the user to decide—This is the default. Users can turn on or off spell check in the language settings.
• Disable spell check—Turns off spell check from all sources, and users can't turn it on. The Spell check service, Enforced spellcheck languages, and Disabled spellcheck languages settings have no effect.
• Enable spell check—Turns on spell check and users can’t turn it off. On Microsoft Windows, ChromeOS, and Linux devices, users can still turn on or off spell check for individual languages.

If you select Enable spell check, you can turn on or off spell check for specific languages. For Enforced spellcheck languages and Disabled spellcheck languages, select the languages that you want to use or block from the list available.

To prevent users from turning off spell check for every language, use the Enforced spellcheck languages setting to turn on the spellcheck languages that you want.

Note: The Enforced spellcheck languages and Disabled spellcheck languages settings are available in the Admin console only if you select Enable spell check.

Select Enable the spell checking web service to always let Chrome use a Google web service to resolve spelling errors in text that users type.

By default, Allow the user to decide is selected. Users can turn on or off Enhanced spell check.

If the Spell check setting is set to Disable spell check, the Spell check service setting has no effect.

Specifies what language Google Chrome uses. 

The default is Use the language specified by user or system and the fallback locale is en-US.

Specifies the preferred languages that Chrome browser uses. Select the languages that you want from the list available. Then, order the list in descending order of preference.

Users can view the list of languages in chrome://settings/languages under Order languages based on your preference. The preferred languages that you specify always appear at the top of the list and users can’t remove or reorder them. However, they can add and reorder their own preferred languages underneath. Users also have full control over the browser's UI language as well as translation and spell check settings, unless enforced by other policies.

If you don’t specify any preferred languages, users can change the entire list of preferred languages.

Specifies the keyboard languages that users can choose on Chrome OS devices. Select the languages that you want from the list available. Then, order the Selected languages list in descending order of preference.

• If users have already chosen a keyboard language that you don’t allow, their ChromeOS device’s keyboard language switches to the hardware keyboard layout, if allowed, or the first language in the list that you specify.
• If you don’t specify any languages, users can choose the keyboard language that they want, without restrictions.

After you configure the allowed keyboard languages, you can force all allowed keyboard languages to be enabled in a user session. Under the list of languages, select Automatically install selected keyboard languages. When selected, no other keyboard languages can be enabled in the user sessions.

For details about how users can change their device’s keyboard language, go to Choose keyboard language & special characters.

Lets you configure whether Chrome uses Google Translate, which offers content translation for web pages in languages not specified on a user's ChromeOS device. You can allow Chrome to always offer translation, never offer translation, or let users choose.

Controls whether Chrome browser shows suggestions for a page when it is unable to connect to a web address. The user sees suggestions to navigate to other parts of the website or to search for the page.

Corresponds to the user option Use a web service to help resolve navigation errors in their Chrome settings. You can allow the user to configure the option, or you can specify that it is always on or always off.

Developer tools availability

Controls whether the Developer tools option appears on the Tools menu. Developer tools allow web developers and programmers access into the internals of the browser and their web applications. For more information about the tools, see the Developer Tools Overview.

The default for Enterprise customers is to Allow use of built-in developer tools except for force-installed extensions and component extensions. This setting means all keyboard shortcuts, menu entries, and context menu entries that open the Developer tools or JavaScript console are enabled in general, but are disabled within extensions that are force-installed using enterprise policy.

The default for unmanaged users is Always allow use of built-in developer tools. To disable developer tools in all contexts, select Never allow use of built-in developer tools.

If you have enabled Android apps on supported ChromeOS devices in your organization, this setting will also control access to Android Developer Options. If set to Never allow use of built-in developer tools, users can’t access Developer Options. If set to any other value or unset, users can access Developer Options by tapping 7 times on the build number in the Android settings app.

Extensions page developer mode

Controls whether users can use developer tools on the extensions page, chrome://extensions.

By default, Use 'developer tools availability' selection is selected. As long as Developer tools availability is not set to Never allow use of built-in developer tools, users can use developer tools on the extensions page.

If you select Allow use of developer tools on extensions page or Do not allow the use of developer mode on extensions page, the Developer tools availability setting no longer controls developer tools on the extensions page.

Controls whether websites are allowed to check if users have payment methods saved.

Lets you turn on or off emoji suggestions as users type on their ChromeOS devices.

When DNS prefetching is enabled, Chrome looks up the IP addresses of all links on a displayed webpage so that links the user clicks load faster.

You can allow the user to configure the option, or you can specify that it is always enabled or disabled.

Allows you to decide whether Chrome predicts network actions. You might want Chrome to use a prediction service so it loads pages faster or helps complete searches and URLs that users enter in the address bar.

As an administrator, you can disable or require network prediction. Or, if you select Allow the user to decide, the setting is on for Chrome. Users can then change their own prediction service settings.

By default, users can add profiles in Chrome Browser to keep Chrome info separate, including bookmarks, history, passwords, and other settings. Profiles are ideal for users who share a computer. Or, to keep different accounts, such as work and personal, separate. Select Disable adding new profiles to prevent users from adding new profiles in Chrome Browser.

Before using this setting, review Let multiple users sign in at the same time.

In the case of Android apps running on ChromeOS, even if you choose Unrestricted user access (allow any user to be added to any other user's session), only the primary user can use Android apps. If you choose Managed user must be the primary user (secondary users are allowed), Android apps can be used in the primary user as long as the device supports Android apps and you have enabled them in your organization.

After signing in to their device, allows users to switch between accounts in their browser window and Google Play.

Note: If you allowlist Android apps, users can’t switch to secondary accounts in Google Play.

1. Choose an option:
   • To allow users to sign in to any Google Account within the browser, select Allow users to sign-in to any secondary Google Accounts. For details, see Types of Google Accounts.
   • To block users from signing in or out of Google Accounts within the browser, select Block users from signing in to or out of secondary Google Accounts.
   • To allow users to access Google services using an account only from a list of specified Google Workspace domains, select Allow users to only sign in to the Google Workspace domains set below.
2. If you allow users to sign in only to specific Google Workspace domains:
   1. Make sure you list all of your organization’s domains. If you don’t, your users might not have access to Google services. To see a list of your domains, click organization’s domains under the domain list.
   2. To include consumer Google Accounts, such as @gmail.com and @googlemail.com, enter consumer_accounts in the list. You can also allow access to certain accounts and block access to others. For details, see Blocking access to consumer accounts.
3. If you allow users to sign in only to specific Google Workspace domains or block users from signing in or out in the browser, you should also:
   1. Set a sign-in restriction so that only users in your organization can sign in to ChromeOS devices. For details, see Sign-in Restriction.
   2. Turn off guest browsing on devices. For details, see Guest mode.
   3. Prevent users from browsing in Incognito mode. See Incognito Mode.

Controls whether to allow users to sign in to Chrome Browser as a guest. If you select Allow guest browser logins (default), users can start guest browser sessions and all windows are in incognito mode. When users exit Guest mode, their browsing activity is deleted from the device.

When you have this setting enabled you can also Allow guest browser logins and profile logins (default). Users can sign in as a guest and use new and existing profiles. To enforce guest sessions and prevent profile logins, select Only allow guest browser logins.

If you select Prevent guest browser logins, Chrome Browser does not allow guest profiles to be started.

Setting also available for managed guest sessions and kiosk apps

To let users span a window across multiple monitors or TVs, you can select Make Unified Desktop mode available to user. By default, this feature is turned off. Users can disable unified desktop and still use 2 external displays, but individual windows are in one display or the other, even if the desktop is extended across both.​

• Up to 2 external displays are supported.
• Unified desktop is intended to work across monitors of the same resolution.
• When enabled, unified desktop is the default mode when a user connects a monitor to their device.

To allow web applications to generate and collect WebRTC event logs for your users, select Allow WebRTC Event Log Collection. The logs can help Google identify and resolve issues with audio and video meetings. They contain diagnostic information, such as the time and size of sent and received RTP packets, feedback about congestion on the network, and metadata about time and quality of audio and video frames. The logs have no video or audio content from the meetings.

To collect logs for Google Meet customers, you must enable both this setting and the Client logs upload policy in the Google Admin console.

By default, Quick Answers settings are turned on. Quick Answers has permission to access selected content and send the info to the Google server to get definition, translation, or unit conversion results. On their ChromeOS devices, users can right-click or long press their text selection to show related information.

If you use the Admin console to turn off Quick Answer features, users can’t change or override them.

Specifies which system features are disabled on ChromeOS devices. We recommend that you use this setting to block camera, OS settings, and browser settings instead of using the URL blocking setting or blocking apps and extensions by ID.

When users try to open a feature that you’ve disabled, they’ll see a message letting them know that it has been blocked by their administrator.

Controls whether users can play the dinosaur game on Chrome Browser or ChromeOS devices when devices are offline. Choose one of the options:

• Allow users to play the dinosaur game when the device is offline on Chrome Browser, but not on enrolled ChromeOS devices—When devices are offline, users can’t play the dinosaur game on enrolled ChromeOS devices, but they can play it on Chrome Browser.
• Allow users to play the dinosaur game when the device is offline—Users can play the dinosaur game when devices are offline.
• Do not allow users to play the dinosaur game when the device is offline—Users can’t play the dinosaur game when devices are offline.

When the search box is empty, controls whether the launcher on Chrome devices recommends apps that were previously installed on other devices.

When users open the launcher on their ChromeOS device and start to type in the search box, Google Chrome suggests content, including webpage URLs and apps.

Specifies whether users can see the webpage's full URL in the address bar.

For some users, the webpage's full URL is not shown in the address bar. Instead, they see the default URL, which only shows the domain. This helps to protect users from some common phishing strategies.

Specifies whether signed-in users can copy and paste text between Chrome desktops and Android devices when Chrome sync is enabled. The shared clipboard feature is enabled by default.

Specifies whether, with appropriate permissions, users, apps, and extensions can use fullscreen mode. The default is to allow the use of fullscreen mode.

Specifies whether the fullscreen alert displays when the device returns from sleep or dark screen.

By default, an alert displays to remind the users to exit fullscreen before entering their password. Select Disable fullscreen alert when waking the device to switch off this alert.

Controls the availability of Google Lens integration in the Gallery app on ChromeOS devices.

By default, Enable Lens integration is selected—In the Gallery app, users can use Google Lens to search the content that they select.

Supported on Chrome version 93 to 102 inclusive.

Chrome 93 and later has a new address bar icon for secure connections. By default, Use default icons for secure connections is selected. Select Use the lock icon for secure connections to continue using the existing lock icon for secure connections.

Controls the visibility of the middle slot announcement on the new tab page.

Specifies whether a warning dialog is displayed when the user is attempting to quit their browser.

Specifies whether the browser can filter URL parameters.

The default allows the browser to filter URL parameters. This means the filter might remove some parameters when a user selects Open Link in Incognito Window from the context menu.

Sets the storage location for screen captures, including screenshots and screen recordings, on ChromeOS devices and specifies whether users are allowed to change it.

Set local Downloads folder as default, but allow user to change—This is the default. Screen captures download to the user's local directory, and users are allowed to change it.

Set Google Drive as default, but allow user to change/Set Onedrive as default, but allow user to change—Screen captures save to OneDrive or Google Drive, and users are allowed to change it.

Force Google Drive/Force OneDrive—Screen captures save to OneDrive or Google Drive, and users are not allowed to change it.

Controls whether users can store data locally on their ChromeOS devices.

By default, Allow users to store and read local data is selected. Users can store and access data on their local directories.

If you select Do not allow users to store and read local data, users cannot store or access data on local directories. Before you do this, make sure that users have another way to store their data, such as cloud storage access. In addition, existing local files are read-only unless you control migration of local files to the cloud—So, you'll need to choose how existing data on devices will be handled:

• Migrate existing local files to Google Drive—Recommended for Google Drive. Existing local files are moved to Google Drive and local folders are hidden.
• Migrate existing local files to OneDrive—Recommended for Microsoft OneDrive. Existing local files are moved to Microsoft OneDrive and local folders are hidden. 
• Keep existing local files in read-only mode—Existing local files remain in read-only mode.

Note: This setting controls local storage access for web apps and the ChromeOS Files app. Android apps and Linux virtual machines are not affected by this setting.

Allows information from Google apps and services to appear on users’ Chrome OS devices.

By default, Allow integrations is selected. The contextual integrations that you select in Configuration, such as Tasks and Calendar, appear on users’ devices.

Information is shown only for Google apps and services that are turned on and URLs that are not blocked. For example, to use the Calendar contextual integration, ensure that Google Calendar Integration is set to Enable Google Calendar Integration—Read about the Google Calendar Integration setting.

Selecting Disable integrations turns off contextual integrations for all Google apps and services.

Shows or hides the UI toggle to exclude a display from mirror mode.

On ChromeOS devices, mirror mode turns all displays into one display. The Exclude Display in Mirror Mode toggle allows users to exclude one display from mirroring and instead appear as an extended display.

By default, Do not allow users to exclude displays from mirror mode is selected—Users don’t see the Exclude Display in Mirror Mode toggle on their ChromeOS devices. If you select Allow users to exclude displays from mirror mode, users see the Exclude Display in Mirror Mode toggle and they can turn it on or off.

Note: This policy only affects the UI. ChromeOS keeps the current setting when the UI is hidden.

Users can set up their SMS Messages to be synced between their phones and ChromeOS devices.

Note: If this policy is allowed, users must explicitly opt into this feature by completing a setup flow. Once the setup flow is complete, users will be able to send and receive SMS messages on their devices.

Specifies whether users can send phone numbers from ChromeOS devices to an Android device when the user is signed in.

The default is Allow users to send phone numbers from Chrome to their phone.

Specifies whether users can interact with their Android phone on a ChromeOS device.

The default is Do not allow Phone Hub to be enabled and users are not allowed to opt into Phone Hub.

If you select Allow Phone Hub to be enabled, users are allowed to opt into Phone Hub and 2 additional options are displayed:

• Allow Phone Hub notifications to be enabled—Specifies whether users who have already opted in to Phone Hub can send or receive their phone's notifications on ChromeOS.
• Allow Phone Hub task continuation to be enabled—Specifies whether users who have already opted in to Phone Hub can continue tasks such as viewing their phone's webpages on ChromeOS.

Specifies the maximum amount of time that browser shutdown is delayed to let Chrome process keepalive requests. Enter a value between 0 and 5 seconds. Left blank, the default value of 0 seconds is used and Chrome immediately shuts down.

For details on keepalive requests, see Fetch standard documentation.

You can enable the adaptive charging model to hold the charging process and extend the battery life of devices.

When you plug your device into a charger, the adaptive charging model automatically adjusts the amount of power that is sent to your device based on how much power it needs. This means that your device does not overcharge, potentially damaging the battery.

When the adaptive charging model does hold the charging process, the battery is kept at a certain level, for example 80%. It will then charge the device to 100% when the user needs it.

Action on lid close

Select if you want a user's device to go to sleep, sign them out, shut down, or do nothing, when they close the device lid. The default for user sessions is Sleep and the default for managed guest sessions is Logout.

AC/Battery idle action

The delay values you can add are the same for both AC and battery power.

Select if you want a user's device to go to sleep, sign them out, shut down, or do nothing, when they idle when connected to AC power or battery power. The default is Sleep.

For all the fields in which you enter a delay, the following applies:

• Specify the delay in seconds.
• The value entered must be set to a value greater than 0 to trigger the specified action.
• Enter 0 to never carry out the specified action on idle.
• Leave the box empty to use the system default, which varies by device.
• Screen dim delay value ≤ screen off delay value ≤ screen lock delay value ≤ idle delay value (excluding delays that are 0 or unset).
• Idle warning delay value ≤ idle delay value.
• If idle delay value = 0 this is a special case when no other action is taken.

Enter a value in the following fields;

• AC/Battery idle delay in seconds—Specify the amount of idle time in seconds before the user’s device carries out the action that you have selected.
• AC/Battery idle warning delay in seconds—Specify the amount of idle time in seconds before the user’s device displays a warning that it is about to carry out the action that you have selected. The warning is only displayed if the idle action you selected is Logout or Shutdown. If you have selected Sleep or Do nothing, enter 0 or leave empty.
• AC/Battery screen dim delay in seconds—Specify the amount of idle time in seconds before the screen dims on the user’s device.
• AC/Battery screen off delay in seconds—Specify the amount of idle time in seconds before the screen turns off on the user’s device.
• AC/Battery screen lock delay in seconds—Specify the amount of idle time in seconds before the screen locks on the user’s device.

Lock screen on sleep or lid close

Select to lock a user’s screen when the device goes to sleep or the lid is closed, or let the user decide. If you select Allow user to configure, users configure the option in their device settings.

If devices are docked and using an external monitor, they do not lock when the lid is closed. In this case, the device only locks if the external monitor is removed and the lid is still closed.

Considerations

• Some extensions such as Imprivata can override the power management settings, unless the Screen wake locks or Allow wake locks settings are turned off. For more details, see Wake locks.
• Currently, you cannot change the screen dim and screen off delays on the lock screen. Existing screen dim and screen off delays are only for dimming or turning off the screen during a user session or managed guest session.
• The screen lock settings might not work on devices in dev mode.
• You can use the AC/Battery screen lock delay in seconds setting to lock the screen before the idle action. You can use the Lock screen on sleep or lid close setting to control whether the screen is locked on lid close or when the device goes to sleep on idle delay. If the lock screen action is turned off using one of these settings, the screen might still be locked depending on the value of the other setting.
• If the AllowScreenLock policy is turned on, the device could sign out the user instead of locking the screen. For details, see the Lock screen setting in Set Chrome policies for users or browsers.
• To lock the screen when the device goes idle, set the idle action to Do nothing and enter equal screen lock and idle delay values.

Controls whether screen dim delay on ChromeOS devices can be extended.

By default, Enable smart dim model is selected. If the smart dim model extends the time until screens dim, the time it takes for users’ screens to turn off, lock, or go to sleep automatically adjusts to keep the same amount of time between them and the screen dim delay originally set.

If you choose Disable smart dim model, the smart dim model doesn’t influence screen dimming. You can set Scale percent for screen dim delay on user activity and Scale percent for screen dim delay when presenting, where the scale factor must be at least 100%.

• Scale percent for screen dim delay on user activity—Percentage by which to increase the screen dim delay if the user becomes active while the screen dims or soon after it turns off.
• Scale percent for screen dim delay when presenting—Percentage by which to increase the screen dim delay if the user is presenting using their ChromeOS device.

Controls whether audio activity on ChromeOS devices affects power management.

By default, Disallow idle action when audio is playing is selected. Users are not considered idle while audio is playing—This prevents idle timeout from being reached and the idle action from being taken. Despite audio activity, screens still dim, turn off, and lock after their configured timeouts.

Controls whether video activity on ChromeOS devices affects power management.

By default, Disallow idle action when video is playing is selected. Users are not considered idle while video is playing—This prevents idle timeout from being reached and the idle action from being taken. Despite video activity, screens still dim, turn off, and lock after their configured timeouts.

Specifies when to start power management delays and session length limits—Either at the start of the session or after initial user activity. By default, Start power management delays and session length limits at session start is selected.

Allows you to enable or disable a prediction service for users to help complete the web addresses or search terms. You can specify that it’s always enabled or disabled or you can let the user configure it in their Chrome settings.

Specifies the name of the default search provider. If you select Lock the Omnibox Search Provider settings to the values below, you can customize the following options:

Omnibox search provider name

Enter a name to use for the address bar. If you don't provide one, Chrome uses the host name from the Omnibox search provider search URL.

Omnibox search provider keyword

Specifies the keyword used as the shortcut to trigger the search.

Omnibox search provider search URL

Specifies the URL of the search engine.

The URL must contain the string '{searchTerms}', which is replaced at query time by the terms the user is searching for, for example, "http://search.my.company/search?q={searchTerms}".

To use Google as your search engine, enter:

{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}

Omnibox search provider suggest URL

Specifies the URL of the search engine used to provide search suggestions.

The URL should contain the string '{searchTerms}', which is replaced at query time by the text the user has entered so far.

To use Google as the search engine that provides search suggestions, enter:

{google:baseURL}complete/search?output=chrome&q={searchTerms}

Omnibox search provider instant URL

Specifies the URL of the search engine used to provide instant results.

The URL should contain the string '{searchTerms}', which is replaced at query time by the text the user has entered so far.

Omnibox search provider icon URL

Specifies the icon URL of the search provider. You need to access your search provider site at least once so that the icon file is retrieved and cached before you enable Lock the Omnibox Search Provider settings to the values below.

Omnibox search provider encodings

Specifies the character encodings supported by the search provider.

Encodings are code page names like UTF-8, GB2312, and ISO-8859-1. They are tried in the order provided. The default is UTF-8.

Provides a list of sites that users can quickly search using predefined shortcuts in their address bar. For example, you can create predefined shortcuts to your organization’s company intranet, most used tools, and so on. Users trigger a search by typing @shortcut, or just shortcut, followed by Space bar or Tab key in their address bar.

Enter details for the shortcuts you want to configure:

• Site or page—The name that is shown to the user in their address bar.
  For example, enter Workspace.
• Shortcut—The keyword that the user enters to trigger the search. The shortcut can include plain words and characters, but cannot include spaces or start with the @ symbol. Shortcuts must be unique.
  For example, enter ws. Then, users type ws in their address bar to trigger the search.
• URL—The URL on which to search. Enter the web address for the search engine's results page, and use {searchTerms} in place of the query.
  For example, enter https://drive.google.com/corp/drive/search?q={searchTerms}
• Featured—When selected as Featured, the shortcut appears as a recommendation when users type @ in their address bar. Up to three entries can be selected as Featured.

Controls whether users in your organization can use ChromeOS devices to mount external drives, including USB flash drives, external hard drives, optical storage, Secure Digital (SD) cards, and other memory cards. If you disallow external storage and a user attempts to mount an external drive, Chrome notifies the user that the policy is in effect.

If you choose to Allow external storage devices (read-only), users can read files from external devices but cannot write to them. Formatting of devices is also disallowed.

This policy does not affect Google Drive or internal storage, such as files saved in the Download folder.

You can specify if sites can or cannot ask users to grant them access to connected USB devices or you can allow the user to make the decision. You can also add a list of URLs that can or cannot request access from the user to a connected USB device.

In the Can web sites ask for access to connected USB devices section, select one of the following:

• Allow the user to decide if sites can ask (default)—Lets websites ask for access, but users can change this setting.
• Allow sites to ask the user for access—Lets websites ask the user for access to connected USB devices.
• Do not allow any site to request access—Denies access to connected USB devices.

In the Allow these sites to ask for USB access field, enter all URLs that are allowed to request access to connected USB devices from the user.

In the Block these sites from asking for USB access field, enter all URLs that are not allowed access to connected USB devices.

If the URL is not blocked, the option set in the Can web sites ask for access to connected USB devices section or the users' personal settings take precedence, in that order.

Do not enter the same URL in both the Allow these sites to ask for USB access and Block these sites from asking for USB access. If a URL matches with both, neither policy takes precedence.

For details on valid URL patterns, see Enterprise policy URL pattern format.

Controls whether users in your organization can let websites access audio input from the built-in microphone on a ChromeOS device.

When a user connects an external audio input device, the audio on the ChromeOS device unmutes immediately.

If you have enabled Android apps on supported ChromeOS devices in your organization and have this setting disabled, the microphone input is disabled for all Android apps without exceptions.

Allows URLs to be granted access to audio capture devices without prompt.

Patterns in this list will be matched against the security origin of the requesting URL. If a match is found, access to audio capture devices will be granted without prompting the user for confirmation.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format

Controls whether users in your organization can play sound on their ChromeOS devices. The policy applies to all audio outputs on ChromeOS devices, including built-in speakers, headphone jacks, and external devices attached to HDMI and USB ports.

If you disable audio, the ChromeOS device still shows its audio controls but users can't change them. Also, a mute icon appears.

This setting has no effect on the Google Drive Android app on ChromeOS.

Controls the priority of the Chrome browser audio process.

This setting lets admins run audio with higher priority to address certain performance issues with audio capture, and will be removed in the future.

Specifies whether URLs can access any type of video input, not just the built-in camera.

By default, Enable camera input for websites and apps is selected. For URLs other than the ones you specify in Video input allowed URLs, users are prompted for video capture access.

If you select Disable camera input for websites and apps, video capture access is available only to URLs that you specify in Video input allowed URLs.

This policy also affects Android apps on supported ChromeOS devices. For example, if you’ve enabled Android apps on supported ChromeOS devices in your organization, you can prevent Android apps from accessing the built-in camera.

Allows URLs to be granted access to video capture devices without prompt.

Patterns in this list will be matched against the security origin of the requesting URL. If a match is found, access to video capture devices will be granted without prompting the user for confirmation.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format

Note: To allow access to a video capture device, you can also add the application’s ID. For example, hmbjbjdpkobdjplfobhljndfdfdipjhg gives access to Zoom^® Meetings^®.

Specifies whether hardware acceleration is enabled for the graphics processing unit (GPU) unless a certain GPU feature is added to a blocklist.

Hardware acceleration uses your device’s GPU to perform graphics-intensive tasks, like playing videos or games, while your central processing unit (CPU) runs all other processes.

Determines the behavior of the top row of keys on the keyboard. If this setting is unset or set to media keys, the keyboard's top row of keys will act as media keys. If the policy is set for function keys, then the keys will act as function keys (such as F1, F2). In both scenarios, users can change the behavior. Also, users can turn a media key to a function key (and vice versa) by holding down the search key.

You can specify if sites can or cannot ask users to grant them access to a serial port or you can allow the user to make the decision. You can also add a list of URLs that can or cannot request access from the user to a serial port.

In the Control use of the Web Serial API section, select one of the following:

• Allow the user to decide (default)—Lets websites ask for access, but users can change this setting.
• Allow sites to ask the user to grant access to serial ports via the Web Serial API—Lets websites ask the user for access to serial ports.
• Do not allow any site to request access to serial ports via the Web Serial API—Denies access to serial ports.

In the Allow the Web Serial API on these sites field, enter all URLs that are allowed to request access to serial ports from the user.

In the Block the Web Serial API on these sites field, enter all URLs that are not allowed access to serial ports.

If the URL is not blocked, the option set in the Control use of the Web Serial API section or the users' personal settings take precedence, in that order.

Do not enter the same URL in both the Allow the Web Serial API on these sites and Block the Web Serial API on these sites. If a URL matches with both, neither policy takes precedence.

For details on valid URL patterns, see Enterprise policy URL pattern format.

Only for ChromeOS devices with an integrated electronic privacy screen.

Specifies whether the privacy screen is always turned on or off. You can enable or disable the privacy screen, or let users choose.

Specifies whether sites can or cannot ask users to grant them read access to files or directories in the host operating system's file system using the File System API. You can add a list of URLs that can or cannot request read access from the user.

Select one of the following:

• Allow the user to decide (default)—Lets websites ask for access, but users can change this setting. This access applies for sites that don't match a URL defined in the Allow file system read access on these sites or the Block read access on these sites fields.
• Allow sites to ask the user to grant read access to files and directories—Lets websites ask the user for read access to files and directories. 
• Do not allow sites to request read access to files and directories—Denies read access to files and directories.

In the Allow file system read access on these sites field, enter all URLs that are allowed to request read access to files and directories from the user. Put each URL on it’s own line. 

In the Block read access on these sites field, enter all URLs that are not allowed access to files and directories. Put each URL on it’s own line. 

If a URL isn't explicitly allowed or blocked, the option you selected from the File system read access drop-down or the users' personal settings take precedence, in that order.

Do not enter the same URL in both the Allow file system read access on these sites and Block read access on these sites. If a URL matches with both, neither policy takes precedence.

For details on valid URL patterns, see Enterprise policy URL pattern format.

Allows extensions installed by enterprise policy to use the Enterprise Hardware Platform API. This API handles requests from extensions for the manufacturer and model of the hardware platform where the browser is running. This policy also impacts component extensions built into Chrome.

Specifies whether users see a notification each time ChromeOS detects that a USB device was inserted. By default, Show notifications when USB devices are detected is selected.

When users insert USB devices that can be shared with active virtual machines on their device, they’ll see a USB device detected notification that prompts them to connect to the virtual machine. For example, they might get prompted to connect to Android apps, Linux, Managed Development Environment, or Parallels Desktop. If you select Do not show notifications when USB devices are detected, users are no longer prompted to connect so they can’t access USB devices from the virtual machines.

Not currently available for Google Workspace for Education domains

Gives EMM partners programmatic access to manage user policies for Chrome and ChromeOS devices. Partners can use this access feature to integrate Google Admin console functionality into their EMM console.

When partner access is turned on, your EMM partner can manage individual user policies that determine your users' experience on Chrome and ChromeOS devices. Therefore EMM partners no longer have to manage user policies by Admin console organizational unit structure. Instead, they can use the structure configured in their EMM console. You can’t simultaneously set the same policy for the same user using partner access and the Admin console. User-level policies configured using partner access controls take precedence over organizational unit policies set in the Admin console. To enforce policies on users by organizational unit, you must select Disable Chrome management—partner access.

You can also use your EMM console to set device policies. 

Specifies whether Google Safe Browsing is turned on for users. Safe Browsing in Chrome helps protect users from websites that may contain malware or phishing content.

If you select Safe Browsing is active in the enhanced mode, it provides better security, but requires sharing more browsing information with Google.

By default, Allow user to decide is selected and users can turn on or off Safe Browsing. If you choose to activate Safe Browsing, users cannot change or override that setting in Google Chrome.

If you select Allow users to override this setting, users can change the setting on their own device. This is not available if you select Allow user to decide.

Specifies whether extended reporting is turned on and sends some system information and page content to Google to help detect dangerous apps and sites.

Specifies URLs that Safe Browsing should trust. Safe Browsing will not check for phishing, malware, unwanted software, or password reuse for listed URLs. Safe Browsing's download protection service does not check downloads hosted on these domains.

Prevents users from downloading dangerous files, such as malware or infected files. You can prevent users from downloading all files or those flagged by Google Safe Browsing. If users try downloading files flagged by Safe Browsing, they are shown a security warning. 

For more details, see Prevent users from downloading harmful files.

Choose an option:

• No special restrictions—All downloads are allowed. Users still receive warnings about sites identified as dangerous by Safe Browsing. But, they can bypass the warning and download the file.
• Block malicious downloads—All downloads are allowed, except for those assessed, with high confidence, to be malware. Unlike with dangerous downloads, this does not take into account file type, but does take into account the host.
• Block malicious downloads and dangerous file types—All downloads are allowed, except those marked with Safe Browsing warnings of dangerous downloads.
• Block malicious downloads, uncommon or unwanted downloads and dangerous file types—All downloads are allowed, except those marked with Safe Browsing warnings of potentially dangerous downloads. Users cannot bypass the warnings and download the file.
• Block all downloads—No downloads are allowed.

Specifies whether users can bypass Safe Browsing warnings and access deceptive or dangerous sites or download potentially harmful files.

Specifies whether you can prevent users from reusing their password on dangerous websites or on websites that aren’t allowlisted by your organization. Preventing password reuse across multiple websites can protect your organization from compromised accounts.

Specify the domains that are exceptions to the URLs that appear on the Safe Browsing list. Allowlisted domains are not checked for:

• Password reuse
• Phishing and deceptive social engineering sites
• Sites that host malware or unwanted software
• Harmful downloads

Specify the URLs of webpages where users usually enter their password to sign in to their account. If a sign-in process is split across 2 pages, add the URL of the webpage where users enter their password. When users enter their password, a non-reversible hash is stored locally and used to detect password reuse. Make sure that the change password URL that you specify follows these guidelines.

Turns on or off the SafeSites URL filter. This filter uses the Google Safe Search API to classify URLs as pornographic or not.

Choose an option:

• Filter top level sites (but not embedded iframes) for adult content—For K-12 EDU domains, this is the default. Pornographic sites are not displayed for users.
• Do not filter sites for adult content—For all other domains, this is the default.

Chrome is introducing a new "safety tip" for sites with URLs that look very similar to those of other sites. This UI warns users about sites that might be spoofing other sites.

These warnings are typically shown on sites that Google Chrome believes might be trying to spoof another site the user is familiar with. This policy prevents the display of the lookalike URL warnings on the sites listed.

For example, a URL like "https://foo.example.com/bar" may have warnings suppressed if this list includes either "foo.example.com" or "example.com".

Allows or blocks ads from being displayed on sites that contain intrusive ads.

The default is Allow ads on all sites.

You can allow Admin console admins to enable Enterprise Connectors for Chrome. 

Defines the default setting for Chrome’s generative AI features. This setting does not override settings for individual generative AI features that you set using your Google Admin console. For example, if you select Do not allow GenAI features, you can still turn on generative AI settings, such as Help me write, Create themes with AI and Tab organizer.

For details about defining your organization’s defaults for Chrome and ChromeOS generative AI features, go to Define generative AI defaults.

Specifies whether users can use Chrome’s DevTools generative artificial intelligence (AI) features to get additional debugging information. Chrome sends data such as error messages, stack traces, code snippets, and network requests to a Google-owned server that runs a generative AI model. Response body or authentication, as well as cookie headers in network requests are not included in the data sent to the server.

For details about what data is collected and the default values for this feature, go to Chrome DevTools AI.

Controls how Chrome browser downloads the foundational GenAI model and uses it locally for inference.

By default, Download model automatically is selected. The model is automatically downloaded and used for inference.

To prevent Chrome browser from downloading the model, select Do not download model. Alternatively, you can use the Component updates setting to prevent model downloading. Read about the Component updates setting.

Specifies whether users can search their browsing history based on page contents, and not just the page title and URL.

For details about what data is collected and the default values for this feature, go to Search your history in Chrome with AI.

Specifies whether users can use the tab compare feature to compare and summarize product information across their open browser tabs. For example, when users open multiple tabs about a type of product—such as product specifications, features, price, and ratings—tab compare presents them with an AI-generated overview of the product, all in one place.

For details about what data is collected and the default values for this feature, go to Tab compare.

Specifies whether Chrome browser components, such as Widevine DRM (for encrypted media), automatically update.

This policy does not apply to all components. For a full list of exempted components, see ComponentUpdatesEnabled.

Controls how users are notified to relaunch Chrome browser or restart their ChromeOS device to get the latest update. Choose one of the options:

• No relaunch notification—Activates a minimal default level of notifications. Chrome browser indicates to users that a relaunch is needed via subtle changes to its menu. In ChromeOS, a notification in the system tray prompts the user to relaunch.
• Show notification recommending relaunch—Users see a recurring message that they should relaunch Chrome browser or restart their ChromeOS device. Users can close the notification and keep using the old version of Chrome browser or ChromeOS until they choose to relaunch Chrome browser or restart their ChromeOS device.
• Force relaunch after a period—Users can close the notification but will see a recurring message that they need to relaunch Chrome browser or restart their ChromeOS device within a certain amount of time.

Time period (hours)

If you show notifications to users, you can set the time period, between 1 and 168 hours, over which users are repeatedly notified to relaunch Chrome browser or restart their ChromeOS device. To use the system default, 168 hours (7 days), leave the field unset.

Initial quiet period (hours)

For ChromeOS devices, you can specify an initial quiet period, during which users aren't notified to restart their ChromeOS devices. After the initial quiet period, users see the first notification that they need to restart their ChromeOS devices to apply updates. By default, ChromeOS devices only show notifications for the last 3 days of the notification time period that you specify, not the entire duration.

For ChromeOS devices, setting the Auto reboot after updates device setting to Allow auto-reboots automatically restarts devices when updates are applied. This minimizes the amount of notifications that users see. For details about configuring automatic updates on ChromeOS devices, read Auto-update settings.

Relaunch window start time

Caution: Setting a relaunch window might delay software updates.

Specifies the time of day, in 24-hour format (hh:mm), that you want to defer the end of the relaunch notification period that you set in Time period (hours). Use in conjunction with Force relaunch after a period and Relaunch window duration (minutes) to specify a time window when Chrome browser automatically relaunches and ChromeOS devices restart to apply updates.

Left blank, for ChromeOS devices the default start time is 02:00 in the user’s timezone, and Chrome browser never defers the end of the relaunch notification period.

Relaunch window duration (minutes)

Caution: Setting a relaunch window might delay software updates.

Specifies the length of time, in minutes, of the window when Chrome browser relaunches and ChromeOS devices restart to apply updates. Use in conjunction with Force relaunch after a period and Relaunch window start time.

Left blank, the Relaunch window duration (minutes) for ChromeOS devices is 120 minutes. By default, Chrome browser never defers the end of the relaunch notification period.

Specifies a daily time period when automatic checks for Chrome browser updates do not occur. Enter:

• Start time—Time of day, in 24-hour format (hh:mm), that you want to begin suppressing checks for browser updates each day.
• Duration (minutes)— Length of time, in minutes, that you want to suppress browser update checks for.

Specifies the number of hours between automatic checks for Chrome browser updates. Enter 0 to disable all auto-update checks (not recommended).

Select Attempt to provide cache-friendly download URLs to get the Google Update server to attempt to provide cache-friendly URLs for update payloads in its responses. This helps to reduce bandwidth and improve response times.

Specifies whether devices automatically update to new versions of Chrome browser as they are released.

To make sure that users are protected by the latest security updates, we strongly recommend that you select Allow updates. By running earlier versions of Chrome browser, you will expose your users to known security issues.

To temporarily roll back to the 3 latest major versions of Chrome browser specify the Target version prefix override and select Rollback to target version.

Choose when to roll out Chrome browser updates to users by placing them on a release channel:

• Stable channel—(Recommended) Fully tested by the Chrome test team and should be used by most of your users.
• Beta channel—Users can get a 4–6 week preview of what’s coming to the Stable version of Chrome.
• Dev Channel—Developers can get a 9–12 week preview of what’s coming to the Stable version of Chrome.
• Extended stable channel—Get feature updates less frequently than the Stable channel, but still receive security fixes.

For information to help you decide which channel to have your users on, go to Chrome browser release channels.

For details about how to manage Chrome browser updates, see Manage Chrome updates (Chrome Enterprise Core).

Specifies the number of user data snapshots retained by Chrome browser in case of an emergency rollback.

After every major version update of Chrome browser, user data snapshots of specific parts of the user's browsing data are created. These can be used if an emergency version rollback of the Chrome browser update is required.

If Chrome browser is rolled back to a version retained by the user, the data in the snapshot is restored, such as bookmarks and autofill data.

If the policy is set to a specific value, only that number of snapshots are saved. For example, if it is set to 6, only the last 6 snapshots are saved and all others saved before those are deleted.

If the policy is set to 0, no snapshots are taken. If the policy is not set, the default value of 3 snapshots are saved.

Specifies whether users can open some URLs in an alternative browser, such as Microsoft Internet Explorer.

Specifies the length of time, in seconds, that it takes to open the alternative browser. During this time, users see an interstitial page that lets them know they're switching to another browser. By default, URLs immediately open in the alternative browser, without showing the interstitial page.

Controls how Chrome browser interprets sitelist or greylist policies that you set. This setting affects:

• Legacy Browser Support site list—BrowserSwitcherExternalSitelistUrl
• Use Internet Explorer site list—BrowserSwitcherUseIeSitelist
• URL to list of websites to open in either browser—BrowserSwitcherExternalGreylistUrl
• Websites to open in alternative browser—BrowserSwitcherUrlList
• Websites to open in either browser—BrowserSwitcherUrlGreylist

By default, Default is selected. Rules that don't contain a slash, /, look for a substring anywhere in the URL's hostname. Matching the path component of a URL is case-sensitive.

Select Enterprise mode IE/Edge compatible to make URL matching more strict. Rules that don't contain a slash, /, only match at the end of the hostname. They must also be at a domain name boundary. Matching the path component of a URL is case-insensitive.

Example

For rules example1.com and example2.com/abc:

• http://example1.com/, http://subdomain.example1.com/, and http://example2.com/abc match regardless of parsing mode.
• http://notexample1.com/, http://example1.com.invalid.com/, http://example1.comabc/ match only if Default is selected.
• http://example2.com/ABC matches only if in Enterprise mode IE/Edge compatible is selected.

Allows you to use your Internet Explorer site list to control whether URLs open in Chrome browser or Internet Explorer.

Specifies the URL of the XML file that contains the list of website URLs that open in an alternative browser. You can review this sample XML file.

Specifies the URL of the XML file that contains the list of website URLs that do not trigger a browser switch.

Specifies a list of website URLs that open in an alternative browser.

Specifies a list of website URLs that do not trigger a browser switch.

By default, only the URL is passed as a parameter to the alternative browser. You can specify parameters to be passed to the alternative browser’s executable. Parameters that you specify are used when the alternative browser is invoked. You can use the special placeholder ${url} to specify where the URL should appear in the command line.

You don't have to specify the placeholder if it's the only argument or if it should be appended to the end of the command line.

Lets you specify the program that's used as an alternative browser. For example, for Windows computers, the default alternative browser is Internet Explorer.

You can specify a file location or use one of these variables:

• ${chrome}—Chrome browser
• ${firefox}— Mozilla Firefox
• ${ie}—Internet Explorer
• ${opera}—Opera
• ${safari}—Apple Safari

Specifies the parameters to be passed to Chrome browser's executable when returning from the alternative browser. By default, only the URL is passed as a parameter to Chrome browser. Parameters that you specify are used when Chrome browser is invoked. You can use the special placeholder ${url} to specify where the URL should appear in the command line.

You don't have to specify the placeholder if it's the only argument or if it should be appended to the end of the command line.

Specifies the executable of Chrome browser to be launched when returning from the alternative browser.

You can specify a file location or use the variable ${chrome}, which is the default installation location for Chrome browser.

Specifies whether to close Chrome browser after the last tab in the window switches to the alternative browser.

Chrome browser tabs automatically close after switching to the alternative browser. If you specify Close Chrome completely and the last tab is open in the window before switching, Chrome browser closes completely.

Specifies whether users can access the command line (CLI) to manage virtual machines (VMs).

If the policy is enabled, the user can use virtual machine management CLI.

Allows you to control whether users can use virtual machines to support Linux apps. The setting is applied to starting new Linux containers, not to those already running.

On managed devices, the default is Block usage for virtual machines needed to support Linux apps for users and users can't use virtual machines to support Linux apps.

However, on unmanaged devices, the default is Allow usage for virtual machines needed to support Linux apps for users.

If you do not want users to have access, regardless of the device they are using, you must explicitly select Block usage for virtual machines needed to support Linux apps for users.

If you select Allow usage for virtual machines needed to support Linux apps for users, affiliated users can use Linux virtual machines.

To enable it for unaffiliated users, select Allow usage for virtual machines needed to support Linux apps for unaffiliated users in the Devices page. For details, see Linux virtual machines for unaffiliated users (BETA).

Note: This feature is no longer in Beta for consumer ChromeOS devices. It remains in Beta for managed devices and users

Allows you to control whether users can backup and restore all installed apps, data, and settings for Linux virtual machines.

The option for restoration and backup is enabled by default.

Note: This feature is no longer in Beta for consumer ChromeOS devices. It remains in Beta for managed devices and users.

Specifies whether users are allowed to configure port forwarding into virtual machine (VM) containers.

If you select Do not allow users to enable and configure port forwarding into the VM container, port forwarding is disabled.

Allows you to control the use of Android apps from untrusted sources for individual users. It does not apply to Google Play.

The default is to prevent the user from using Android apps from untrusted sources.

If the user's device is managed, the user is blocked from installing apps from untrusted sources unless both the device and user policy are set to allow the use of Android apps from untrusted sources.

If the user's device is not managed, the user can only install apps from untrusted sources if they are the device owner, first to sign into the device, and the user policy is set to allow the use of Android apps from untrusted sources.

Specifies whether SSH outgoing client connections in the Terminal System App are allowed on all devices, allowed on all devices except enrolled ChromeOS devices, or not allowed on any devices.

The default is to enable it for unmanaged ChromeOS devices.

Controls whether users can use Parallels Desktop for Chromebook to access the Microsoft Windows applications and files, including Microsoft Office.

When you select Allow users to use Parallels desktop, you must accept the end-user license agreement.

Each Parallels Desktop user needs a Parallels Desktop for ChromeOS license. For details about getting licenses and setting up Parallels, go to Set up Parallels Desktop for ChromeOS.

Specifies the URL for the Microsoft Windows image and the SHA-256 hash of the Windows image file that users download to their Chromebooks before using Parallels Desktop.

Each Parallels Desktop user needs a Parallels Desktop for ChromeOS license. For details about getting licenses and setting up Parallels, go to Set up Parallels Desktop for ChromeOS.

Specifies the required disk space in gigabytes for running Parallels Desktop. The default value is 20GB.

If you set a required free disk space value and the user device detects that the remaining space is smaller than that value, it cannot run Parallels. Therefore, we recommend you check the size of your uncompressed virtual machine (VM) image as well as how much additional data or applications you expect to install before deciding on a required disk space value.

Each Parallels Desktop user needs a Parallels Desktop for ChromeOS license. For details about getting licenses and setting up Parallels, go to Set up Parallels Desktop for ChromeOS.

To allow Parallels to generate and collect event logs from your users, select Enable sharing diagnostics data to Parallels. For details on the information collected in the logs, see Parallels Customer Experience Program.

Each Parallels Desktop user needs a Parallels Desktop for ChromeOS license. For details about getting licenses and setting up Parallels, go to Set up Parallels Desktop for ChromeOS.

Specifies the order of precedence, from highest to lowest, that Chrome policies are applied for users and browsers. For details, see Understand Chrome policy management.

Specifies whether Chrome browser sends usage statistics and crash-related data to Google. You can allow the user to configure the option, or you can specify that it is always on or always off.

Usage statistics contain information, such as preferences, button clicks, and memory usage. If users have Make searches and browsing better turned on, they might include webpage URLs or personal information.

Crash reports contain system information at the time of the crash and might contain webpage URLs or personal information, depending on what was happening when the crash report was triggered.

To learn more about what info we collect from these reports and what we do with it, read Chrome's privacy policy.

Allows you to set a limit on how much memory a single Chrome browser session can use before browser tabs start closing automatically to save memory. If the policy is set, the browser will start to close tabs in order to save memory once the limitation is exceeded. However, if the policy is not set, the browser will only attempt to save memory once it has detected that the amount of physical memory on its machine is low.

Specifies the directory used by Chrome to store cached files on the disk.

If you enter a variable in the Disk cache directory field, Chrome uses that directory even if the user has defined the disk cache dir parameter. If the policy is left unset, the default cache directory is used and the user can override this by defining the disk cache dir parameter.

For a list of supported variables, see Supported directory variables.

Specifies the Chrome storage limit for cached files on the disk.

If you set the policy to a specified size, Chrome uses that cache size even if the user has defined the disk cache size parameter. Values below a few megabytes are rounded up.

If you leave it unset, Chrome uses the default cache size and users can change it.

Specifies whether background apps continue running when Chrome Browser is closed.

If the policy is enabled, when Chrome Browser is closed background apps and the current browsing session remain active, including any session cookies. The user can close it at any time using the icon displayed in the system tray.

Allow the user to decide—Background mode is initially disabled and can be controlled by the user in the browser settings.

Disable background mode—Background mode is disabled and cannot be controlled by the user in the browser settings.

Enable background mode—Background mode is enabled and cannot be controlled by the user in the browser settings.

Controls whether Google Chrome can occasionally send queries to a Google server to retrieve an accurate timestamp. By default, queries are allowed.

Specifies the maximum delay in milliseconds between receiving a policy invalidation and fetching the new policy from the device management service.

Valid values range from 1,000 (1 second) to 300,000 (5 minutes). If you enter a value below 1 second, the value 1 second is used. If you enter a value above 5 minutes, the value 5 minutes is used.

If you leave the policy unset, the default value of 10 seconds is used.

Specifies whether Wi-Fi network configurations can be synced across Chrome OS devices and a connected Android phone.

If you select the default Do not allow Wi-Fi network configurations to be synced across Google Chrome OS devices and a connected Android phone, users are not allowed to sync Wi-Fi network configurations.

If you select Allow Wi-Fi network configurations to be synced across Google Chrome OS devices and a connected Android phone, users can sync Wi-Fi network configurations between their Chrome OS devices and a connected Android phone. However, users must first explicitly opt-in to this feature by completing a setup flow.

Specifies whether the user is prompted to select a client certificate when more than one certificate matches.

If you choose to prompt the user and have entered a list of URL patterns in the Client certificates setting, whenever the auto-selection policy matches multiple certificates the user is asked to select the client certificate.

If you left the Client certificates setting empty, the user might only be prompted when no certificate matches the auto-selection.

For more details, see Client certificates.

Specifies whether user-level Chrome policies that you set in your Admin console are enforced when users sign in to Chrome with their Google Account on any device. To configure the setting, click Edit.By default, Apply all user policies when users sign into Chrome, and provide a managed Chrome experience is selected.

For backward compatibility, you can let users sign into Chrome as unmanaged users—select Do not apply any policies when users sign into Chrome. Allow users to access Chrome as an unmanaged user. Then, when users sign in to Chrome, they no longer receive user-level policies that you set in the Admin console, including apps and extensions.

Turning Chrome management off and on again might cause some users to experience changes to their account. Before you turn it on again, inform your users. While Chrome management was turned off, users might have signed in as unmanaged users. When the setting is turned back on again, Android apps might be removed or users might no longer be able to sign in multiple people at the same time on ChromeOS devices.

You don't need to turn on Chrome management to apply policies if you manage ChromeOS devices using your Admin console. User-level policies apply to those ChromeOS devices, even if you turn off this setting.

For information about how to set up Chrome browser user-level management, see Manage user profiles on Chrome browser.