To enable your employees to work from their personal laptop or a shared device that they trust, you can force the Chrome profile to be ephemeral by policy to reduce the the chances of any browsing information being left behind on their device.
How does it work?
Ephemeral mode is supported on Google Chrome on Windows, Mac and Linux. Here's how it works:
- When a user signs in to Google Chrome with their corporate account a new profile is created for that session and stored on disk.
- If ephemeral mode is set for the user or device, the profile is deleted immediately after the last browser window associated with the profile is closed.
- The ephemeral session will end when the user logs out of Chrome or exits the browser.
What does the user have access to in ephemeral mode?
During the ephemeral session the user has access to the full extents of a browser session including:
- Signing in for Chrome Sync
- Cloud print
- Cloud policy
- Password storage
- Auto-fill and other data normally present in the user profile.
- Any corporate assets that are enabled in ephemeral mode, which may include corporate webmail, documents and intranet pages
If Google Chrome Sync is enabled, any changes that the user makes to the browser's settings or to their Chrome data (such as bookmarks, history, apps etc.) during an ephemeral session will be saved for future sessions. The settings are saved in the user's Google account in the cloud. If Google Chrome Sync is not enabled, any changes are lost when the user exits the browser.
Note: We strongly recommend that you enable this policy in combination with Chrome Sync being enabled.
Setting up ephemeral mode
If you set up ephemeral mode via GPO, each Chrome profile will be ephemeral regardless of the user that signs in. The user needs to sign in to receive the productivity benefits of Chrome Sync, such as access to corporate bookmarks.
How does it differ to Incognito mode?
Incognito mode enables a user to browse the web without saving certain information. Here's how it differs to ephemeral mode:
- Entering Incognito mode is a user choice, while ephemeral mode is a policy that is enforced by the administrator.
- In Incognito mode the user cannot sign in and have the benefits of Chrome Sync, such as corporate bookmarks and will lose all data after a session. In Ephemeral mode (if used with sync as recommended) the employee can sign in and start where they left off.
- Apps and Extensions are not available in Incognito mode, but they are in Ephemeral mode.
Ephemeral mode gives the employee productivity benefits, while reducing the risk of leaving data behind.
When ephemeral mode is set at the user level in the Google Admin console, it relies on the user to sign in to Chrome for sync benefits and for the policy to take effect. The policy should only be used on devices that the user trusts and that are compliant with other corporate policies.
The deletion of the profile is dependent on the user manually closing every window associated with the profile or by signing out. There are also more granular policies that control whether Chrome retains certain types of data or not.