Manage multiple sign-in access
Starting with Chrome version 37, a user who has set up several profiles on their Chrome device can choose to sign in to multiple profiles and switch between them quickly without having to sign out and sign in again. The first user to sign in is the primary user, and all subsequent users that are added are called secondary users. The data in each user profile is kept separate, and the user needs to switch between profiles to access data in each.
Device settings that you have configured for Chrome devices (such as restricting the users who can sign in to the device), are not affected by this new feature, and they will continue to apply. However, settings that are not device-wide may be enforced differently depending whether or not the user is the primary or secondary user.
Special note to administrators for Chrome 37
In Chrome 37, the default setting for unmanaged accounts (e.g. Gmail) is to allow any user to use Multiple Sign-in. In order to give IT admins more time to evaluate and specify how they want this feature to work on their domain, the default behavior on managed accounts is that this feature is disabled. For Chrome 38+, Managed user must be the primary user (secondary users are allowed) is the default setting.
How to control Multiple Sign-in Access
In the Google Admin console, go to Device Management > Chrome > User Settings > Multiple Sign-in Access. From here, you can choose one of the following settings for organizational units in your domain:
- Managed user must be the primary user (secondary users are allowed):
This setting does not apply to managed Chrome devices in Chrome 37 (where this feature is disabled by default for managed accounts). This setting is the default with Chrome versions 38 and higher.
- Unrestricted user access (allow any user to be added to any other user’s session): If you select this, it will apply immediately in Chrome versions 37 and higher.
- Block multiple sign-in access for users in this organization: If you select this, it will apply immediately in Chrome versions 37 and higher.
Please review the following considerations in making the appropriate choice for your organization.
Considerations for deployment
For most user settings, the policies set for each profile will be respected within that profile. However the following settings require special consideration:
TLS or SSL inspection
If you set up TLS or SSL inspection, Multiple Sign-in Access will be disabled for users in your organization regardless of choice in the above policy setting.
If the Restrict sign-in device policy has been set for your organization, like all other device policies, this will continue to apply. Users restricted from signing in by the policy will not be able to sign in to the Chrome device as primary or secondary accounts.
Unlocking the screen
- If you have not set the policy Block multiple sign-in access for users in this organization, the primary user’s password can unlock the screen, and that user will have access to the primary as well as secondary accounts without entering a password.
- If you want users to be able to use Multiple Sign in but want to make sure that passwords to non-managed accounts are not used to unlock the screen, then please select Managed user must be the primary user.
Managed user is the primary user (by user choice or Admin console policy)
- If the primary account belongs to your organization and the following policies are set for the primary account, they will also apply to secondary accounts:
- If you have a policy-defined network but allow secondary accounts to join, then those secondary accounts can also have access to your network. Some apps and extensions blocked by your organization may be allowed in those secondary accounts, which could have access to your network in this scenario.
If either of these scenarios is a concern for your organization, set the above policy to Block multiple sign-in access for users in this organization.