For managed Chromebooks and other devices running Chrome OS.
By default, users can sign in to multiple Google Accounts at the same time on a device running Chrome OS. Users can switch between accounts without signing out and in again. As a Chrome administrator, you can control whether multiple users can sign in on a device. For example, you can specify that the first user must sign in to a managed Google Account. Or, you can allow only one user to sign in at a time.
- The first user to sign in is the primary user. Subsequent users are secondary users.The data in each user account is kept separate.
- Device-level settings that you set using the Google Admin console apply to all users on a device, even if they sign in as a guest or with a personal Google Account.
- Most user-level policies are individually applied to each account on a device. However, if a primary user signs in to a managed Google Account, the following user policies that you set also apply to secondary accounts on the device:
- Admin Console—Screenshot, External Storage Devices, and Online Revocation Checks. For information about these settings, see Set Chrome policies for users or browsers.
- Chromium policies that are not applied individually to each account. In the Chromium policy list, search for policies with Per Profile: No. See the Policy List.
- If you set up TLS (or SSL) inspection on devices running Chrome OS, multiple users cannot sign in at the same time.
- On a device running Chrome OS, the primary user’s password unlocks the screen. To prevent unmanaged users from unlocking a screen and accessing primary and secondary accounts, only let users with a managed Google Account be primary users.
- Secondary users on a device might be able to access your network, even if they don’t have a managed Google Account. For example, apps and extensions that you do not allow users in your organization to install can be installed in secondary accounts. Those apps and extensions might access your network. To prevent unmanaged access to your network, do not let users sign in to more than one account at a time.
Let multiple users sign in to a device
From the Admin console Home page, go to DevicesChrome.
- Click User & browser settings.
- On the left, select the organizational unit where you want to configure policies.
For all users, select the top-level organizational unit. Initially, an organizational unit inherits the settings of its parent.
- Go to User ExperienceMultiple Sign-in Access.
- Choose an option:
- To let multiple users sign in at the same time but specify that the primary user must sign in to a managed Google Account, select Managed user must be the primary user (secondary users are allowed).
- To let multiple users sign in and allow the primary user to sign in to an unmanaged account, such as their personal Google Account, select Unrestricted user access (allow any user to be added to any other user’s session).
- To prevent managed users from signing in to more than one account at a time, select Block multiple sign-in access for users in this organization.
- At the bottom, click Save.