Managed guest session devices

This article has general information about setting up managed guest sessions on Chrome devices. To find out how to use a Chromebook for student assessments, see Use Chromebooks for student assessments.

Chromebook icon updated Dec 2013

With managed guest sessions, multiple users can share the same Chrome device without the need to sign in. For example, use managed guest sessions to configure Chrome devices for use as loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in.

With managed guest sessions, your users can have a full browsing experience and access multiple websites in a windowed mode (not full-screen).
 

How are they different from public sessions?

Managed guest sessions have more features than public sessions and allow admins greater control and visibility into user activities. 

Legacy public sessions Managed guest sessions
Available on all devices. Available only on devices running Chrome version 73 or above.
Supports a limited set of Chrome policies. Supports all Chrome policies.
Supports a limited set of Chrome apps and extensions. Supports all Chrome apps and extensions.
Doesn't support network certificates. Supports network certificates.

 

Before you start

  • Enroll the device you want to use as a managed guest session in your domain. Once successfully enrolled, the device appears in the Admin console's list of Chrome devices. Read about enrolling devices.
  • Make sure that Always show user names and photos is enabled in the Admin console.
  • Purchase a Chrome Enterprise license for each device you want to run in managed guest session mode. Read about Chrome Enterprise licenses.

Set up managed guest sessions

Step 1: Configure your Chrome devices
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device managementand thenChrome management.

    If you don't see Device management on the Home page, click More controls at the bottom.

  3. Click Managed guest session settings.
  4. Select the organizational unit unit you want the settings to apply to.
  5. Configure the settings on the page and include a Session Display Name that you would like to appear on the device’s home screen, such as the name of your organization.
  6. Click Save changes.
  7. Go to Device management and then Chrome management and then Device settings.
  8. Select the organization you want to configure and under Kiosk Settings and then Managed guest sessions, select Allow managed guest session.
    This attaches the managed guest session settings to the devices in the organization you select.
  9. Click Save changes.
    Settings typically take effect within minutes, but they might take up to an hour to propagate to the devices.
  10. Move the desired Chrome devices into the organization that has the managed guest session settings applied.
    The Chrome devices must be enrolled in the domain for management before they appear under Chrome devices in the Admin console.

Notes:

  • Managed guest session pods are prioritized over user pods on the sign-in screen.
  • You can only associate settings from one organization per device for setting up managed guest sessions.
  • Managed guest session settings only apply to the Chrome devices you specify.
  • Managed guest session settings are not available for devices enrolled with a Chrome Kiosk License.
Step 2: Evaluate managed guest session settings

Settings unique to managed guest sessions are listed in this table. Other settings are described in Set Chrome user policies.

To quickly find a setting in the Admin console, use the Search settings box at the top of the screen.

Setting Description
Session Display Name Enter the name you want your users to see for the session. For example, Fremont High School Library or Solarmora shared computer.
Maximum User Session Length You can specify the device to sign the user out of his session after one to 1440 minutes. Leave empty for unlimited sessions.
Logout on Idle after You can specify the device to sign the user out of his session if the device is idle for one to 1440 minutes. Leave empty to never logout. User input is needed to start idle timeout countdown.
Custom Terms of Service Agreement You can upload a custom Terms of Service agreement that you would like users of your device to accept. This file needs to be a .txt or .text file.
Custom Avatar You can upload a custom avatar that will accompany a managed guest session. This file needs to be a JPEG (.jpg and .jpeg) and no larger than 512 KB.
Custom Wallpaper Replaces the default wallpaper with your own custom wallpaper. This file needs to be a JPEG (.jpg and .jpeg) and no larger than 16 MB.
Policy Refresh Rate You can specify between 30 to 1440 minutes as the interval for the Chrome devices to sync new policies from the Admin console.
Session Locale

Specify the order of recommended languages on the Chromebook's sign-in screen. More details:

  • If you do not specify any recommended languages—Chrome OS will keep the current language when starting a managed guest session by default. The user can change this default during sign-in.
  • If you specify only one language—Chrome OS will use this language when starting a managed guest session by default. The user can change this default during sign-in.
  • If you specify more than one language—Chrome OS will ask the user to choose a language during sign-in. The languages you choose will be presented at the top of the language list, in the order you choose. By default, Chrome will use the most popular keyboard layout for the chosen language. The user can change this during sign-in or afterwards, during the session.

The language and keyboard layout will go back to their previous values when the managed guest session ends.

Step 3: More settings for managed guest sessions

In addition to the settings above, you can also configure most of the user and device settings offered by Chrome management with managed guest sessions. Read about managing user settings and managing device settings.

Popular settings include:

  • Set up a home page
  • Define a proxy
  • Configure network certificates
  • Cloud Print
  • Configure SafeSearch to filter objectionable content
  • Custom wallpaper to personalize the desktop background
  • Blacklist or whitelist access to different sites
  • Preinstall specific apps to the device
  • Configure a user’s length of session
  • Allow Incognito Mode, Screenshots, Access to External storage, Allow Audio I/O and Video Input, among others.

How to use managed guest sessions

How users browse in a managed guest session

On the sign-in screen, the user sees the Session Display Name that you can set in the Admin console.

  1. The user clicks a managed guest session pod.
    It expands to show:
    1. the domain name of the organization that manages the session
    2. a message that the admin may have access to all activity, including passwords and communications
  2. The user clicks Next Next.
    Their session begins. Or if you uploaded a Terms of Service agreement in the Admin console, it will appear.
  3. The user clicks Accept to start the session.
    They can start browsing the web.

The session is valid until a user signs out. Or it's idle for a period that you specify and is automatically signed out. When the user ends the managed guest session, all local user data is wiped from the device.

Common scenarios

Assessments

You can set the length of time for the exam for however long you want to give students to take the test. You can lock down internet access to prevent students from looking up answers online, and prevent them from taking screenshots. Read about Using Chromebooks for Student Assessments.

Library use

You can specify the period of use for the device for any length. You can also configure the device to print with Cloud Print.

Business center/cybercafe

Similar to library mode, you can set the length of time for the user session. You can also set up device-based policies on the device.

Retail store

Unlike for library use, you can configure the device so that it doesn’t have a session timer. People can browse on the device at a kiosk or sales floor for an unlimited amount of time. You can also automatically launch a managed guest session on the device. Read about Auto-launch managed guest sessions settings.

FAQ

How do I print from a Chrome device with managed guest sessions?
You can set up printing with managed guest sessions with the Cloud Print setting in the Admin console under Chrome Management, then Device Settings.
How are managed guest sessions different from guest browsing?
Guest browsing is useful for quickly browsing the web. However, with guest browsing, you can’t preconfigure apps, limit the session length, enforce a variety of security policies, or manage sessions in a way most businesses and schools require. Managed guest session browsing allows you to enforce many user policies without requiring each user to sign in. Read about Guest browsing.
What devices can run managed guest sessions?
Managed guest sessions can be set up on any Chrome device that has the management console. If you’re having trouble, try updating the device to the latest version of Chrome OS. Read about managed Chrome devices. If you’re interested in purchasing devices or licenses, contact our sales team.
What security features are built into managed guest sessions?
Managed guest sessions are built with all of the security settings that you get with the Chrome Browser, including sandboxing, privacy settings, and the ability for an admin to customize the security policies. What’s unique about using managed guest sessions on Chrome devices is that all local user data is removed from the device when the user signs out. Read about Chrome Browser security settings.
What messages are shown to users?

Users might see a disclaimer message on their device when they sign in to a managed guest session, depending on whether their device has any of the following advanced settings:

  • a non-whitelisted extension
  • a root certificate or MitM certificate
  • a proxy that is used to initiate secure connections
  • website sharing policies
  • system security policies

If the device has any of the advanced settings above configured, users see this disclaimer: "The device administrator may be able to monitor your activity."

If the device has none of the advanced settings above configured, and auto-launch is not enabled, users see this disclaimer: "The device administrator may be able to monitor your activity."

If the device has none of the above configured, and auto-launch is enabled, users don't see a disclaimer.

Was this article helpful?
How can we improve it?