Managed guest session devices
This article has general information about setting up managed guest sessions on Chrome devices. To find out how to use a Chromebook for student assessments, see Use Chromebooks for student assessments.
With managed guest sessions, multiple users can share the same Chrome device without the need to sign in. For example, use managed guest sessions to configure Chrome devices for use as loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in.
With managed guest sessions, your users can have a full browsing experience and access multiple websites in a windowed mode (not full-screen).
How are they different from public sessions?
Managed guest sessions have more features than public sessions and allow admins greater control and visibility into user activities.
|Legacy public sessions||Managed guest sessions|
|Available on all devices.||Available only on devices running Chrome version 73 or above.|
|Supports a limited set of Chrome policies.||Supports all Chrome policies.|
|Supports a limited set of Chrome apps and extensions.||Supports all Chrome apps and extensions.|
|Doesn't support network certificates.||Supports network certificates.|
Before you start
- Enroll the device you want to use as a managed guest session in your domain. Once successfully enrolled, the device appears in the Admin console's list of Chrome devices. Read about enrolling devices.
- Make sure that Always show user names and photos is enabled in the Admin console.
- You need Chromebook Enterprise devices or an upgrade, such as Chrome Enterprise Upgrade or Chrome Education Upgrade, for each standalone Chrome device you want to run in managed guest session mode.
Set up managed guest sessions
From the Admin console Home page, go to DevicesChrome management.
If you don't see Devices on the Home page, click More controls at the bottom.
- Click Managed guest session settings.
- Select the organizational unit unit you want the settings to apply to.
- Configure the settings on the page and include a Session Display Name that you would like to appear on the device’s home screen, such as the name of your organization.
- Click Save changes.
- Go to Device management Chrome management Device settings.
- Select the organization you want to configure and under Kiosk Settings Managed guest sessions, select Allow managed guest session.
This attaches the managed guest session settings to the devices in the organization you select.
- Click Save changes.
Settings typically take effect within minutes, but they might take up to an hour to propagate to the devices.
- Move the desired Chrome devices into the organization that has the managed guest session settings applied.
The Chrome devices must be enrolled in the domain for management before they appear under Chrome devices in the Admin console.
- Managed guest session pods are prioritized over user pods on the sign-in screen.
- You can only associate settings from one organization per device for setting up managed guest sessions.
- Managed guest session settings only apply to the Chrome devices you specify.
- Managed guest session settings are not available for devices enrolled with a Chrome Kiosk License.
Settings unique to managed guest sessions are listed in this table. Other settings are described in Set Chrome user policies.
To quickly find a setting in the Admin console, use the Search settings box at the top of the screen.
In addition to the settings above, you can also configure most of the user and device settings offered by Chrome management with managed guest sessions. Read about managing user & browser settings and managing device settings.
Popular settings include:
- Set up a home page
- Define a proxy
- Configure network certificates
- Cloud Print
- Configure SafeSearch to filter objectionable content
- Custom wallpaper to personalize the desktop background
- Blacklist or whitelist access to different sites
- Preinstall specific apps to the device
- Configure a user’s length of session
- Allow Incognito Mode, Screenshots, Access to External storage, Allow Audio I/O and Video Input, among others.
How to use managed guest sessions
On the sign-in screen, the user sees the Session Display Name that you can set in the Admin console.
- The user clicks a managed guest session pod.
It expands to show:
- the domain name of the organization that manages the session
- a message that the admin may have access to all activity, including passwords and communications
- The user clicks Next .
Their session begins. Or if you uploaded a Terms of Service agreement in the Admin console, it will appear.
- The user clicks Accept to start the session.
They can start browsing the web.
The session is valid until a user signs out. Or it's idle for a period that you specify and is automatically signed out. When the user ends the managed guest session, all local user data is wiped from the device.
You can set the length of time for the exam for however long you want to give students to take the test. You can lock down internet access to prevent students from looking up answers online, and prevent them from taking screenshots. Read about Using Chromebooks for Student Assessments.
You can specify the period of use for the device for any length. You can also configure the device to print with Cloud Print.
Similar to library mode, you can set the length of time for the user session. You can also set up device-based policies on the device.
Unlike for library use, you can configure the device so that it doesn’t have a session timer. People can browse on the device at a kiosk or sales floor for an unlimited amount of time. You can also automatically launch a managed guest session on the device. Read about Auto-launch managed guest sessions settings.
"The device administrator has access to all activity, including passwords and communications."
Users will see this message when they sign in to a managed guest session if their device has any of the following advanced settings:
- Non-whitelisted extension. For more information, Which extensions are whitelisted?
- Root or MitM certificate.
- Proxy used to initiate secure connections.
- Website-sharing or system-security policies.
"The device administrator may be able to monitor your activity."
Users will see this message if auto-launch is not enabled and the device doesn't have any of the advanced settings listed above.
The following extensions are whitelisted: