Chrome version 73 and later.
For administrators who manage Chrome devices for a business or school.
With managed guest sessions, multiple users can share the same device running Chrome OS without having to sign in to their Google Account. For example, use managed guest sessions to configure Chrome devices as loaner devices, shared computers.
With managed guest sessions, your users can have a full browsing experience and access multiple websites in windowed mode, not full-screen.
Before you begin
- Enroll the devices that you want to let users run managed guest sessions on. For details, see Enroll Chrome devices.
- Place devices that users will use to run managed guest sessions in an organizational unit. You can place a Chrome device in only one organizational unit at a time. You can then apply managed guest session settings to devices in that organizational unit.
- Managed guest session pods are prioritized over user pods on the sign-in screen. Make sure that the sign-in screen displays users’ names and pictures. For details, see Sign-in screen.
- You need Chromebook Enterprise devices or an upgrade, such as Chrome Enterprise Upgrade or Chrome Education Upgrade, for each standalone Chrome device that you want to run a managed guest session on. Managed guest session settings are not available for devices enrolled with Chrome Kiosk.
- Private apps and extensions that are limited to users in a domain can't be installed because managed guest sessions don't require users to sign in.
Set up managed guest sessions
From the Admin console Home page, go to DevicesChrome management.
- Click Managed guest session settings.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Next to Managed guest session, choose an option:
- To use managed guest sessions on Chrome devices, select Allow managed guest sessions.
- To automatically launch a managed guest session, select Auto-launch managed guest session.
- Enter the name that you want your users to see for the session. For example, Fremont High School Library or Solarmora shared computer.
- Configure the settings for managed guest sessions. For details, see Step 2 below.
- Click Save.
Settings that are unique to managed guest sessions are in the table below. Most settings that are available on the Managed guest session settings page are also available on the User & browsers settings page. The policies behave in a similar way, but they apply inside the guest session instead of when users are signed in. These policies are described in Set Chrome policies for users or browsers.
|Managed guest session||
Session name to appear on login screen
The name that you want your users to see for the session.
The settings below are only available for managed guest sessions that automatically launch on Chrome devices
Enter the number of seconds to wait before automatically launching the managed guest session.
Enable device health monitoring
Select Enable device health monitoring to allow the health status of a kiosk to be reported. Then, you can check if a device is online and working properly. For information, see Monitor kiosk health.
Enable device system log upload
Important: Before using this setting, you must inform the users of managed kiosk devices that their activity might be monitored and data might be inadvertently captured and shared. Without notification to your users, you are in violation of the terms of your agreement with Google.
Select Enable device system log upload to automatically capture system logs for kiosk devices. Logs are captured every 12 hours and uploaded to your Admin console. Logs are stored for up to 60 days.
At any one time, 7 logs are available to download:
For information, see Monitor kiosk health.
Screen rotation (clockwise)
To configure screen rotation for your kiosk devices, select your desired screen orientation. For example, to rotate the screen for a portrait layout, select 90 Degrees. This policy can be overridden by manually configuring the device to a different screen orientation.
|Maximum user session length||Sign the user out of the session after a specified amount of time, between one and 1,440 minutes. For unlimited sessions, do not enter a value.|
|Custom terms of service||You can upload a custom Terms of Service agreement, .txt or .text file, that users must accept.|
Action on idle
Select what you want the device to do after the idle time expires. Choose whether devices go to sleep, exit session, shut down, or do nothing.
Idle time in minutes
To specify the amount of idle time, enter a value in minutes. To use the system default, which varies by device, leave the box empty.
Action on lid close
Choose whether you want devices to go to sleep, exit session, shut down, or do nothing when users close the device lid.
|Browser launch on startup||Specifies whether Chrome Browser should automatically launch when users start their Chrome devices.|
Specify the order of recommended languages on the Chrome device's sign-in screen.
The language and keyboard layout will go back to their previous values when the managed guest session ends.
How to set up managed guest sessions
Learn how to create OUs, apply an initial managed guest session policy, and move enrolled devices to the OU to receive the policy.
How users browse in managed guest sessions
On the sign-in screen, users see the session display name that you set in Step 1 above. To use a managed guest session, users:
- Click the managed guest session pod.
- The domain name of the organization that manages the session
- A message that the admin might have access to all activity during the session, including passwords and communications
- Click Next.
- If there is a custom Terms of Service agreement, click Accept to start the session.
- Start browsing the web.
The session is valid until the user signs out, reaches the maximum session time, or reaches the specified amount of idle time for the device. When the managed guest session ends, the user is automatically signed out and all local user data is wiped from the device.
When to use managed guest sessions
To only allow students a specified amount of time, you can set the exam or assessment time for however long you want. You can lock down internet access to prevent students from looking up answers online or taking screenshots. Read about using Chromebooks for student assessments.
You can specify the length of the session. You can also configure the device to print to local and network printers using Common UNIX Printing System (CUPS). For details, see Manage local and network printers.
Similar to library mode, you can set the length of time for the user session. You can also set up device-based policies on the device.
You can configure the device so that it doesn’t have a session timer. People can browse on the device at a kiosk or sales floor for an unlimited amount of time. You can also automatically launch a managed guest session on the device. Read about kiosk settings.
"Your organization manages this device and has access to all user activity, including webpages visited, passwords, and email."
Users will see this message when they sign in to a managed guest session if their device has any of the following advanced settings:
- Non-allowlisted extension. For more information, Which extensions are allowlisted?
- Root or MitM certificate. For details about how to set up a root certificate authority in your Admin console, see Set up an HTTPS certificate authority.
- Proxy used to initiate secure connections.
- Website-sharing or system-security policies:
"Your organization manages this device and may be able to monitor your activity."
Users will see this message if auto-launch is not enabled and the device doesn't have any of the advanced settings listed above.
The following extensions are allowlisted: