Set Chrome policies for one app

This page is for IT administrators who manage Chrome Browsers or Chrome OS devices for a business or school.

As a Chrome Enterprise admin, you can use your Admin console to set policies for a specific Chrome app, extension, or supported Android app. For example, you might force-install an app and pin it to users' Chrome taskbar.  

Access App Management settings

These steps require access to the Admin console, such as with G Suite.

Set policies for an app (main steps)

Before you begin: To make settings for a specific group of users, put their accounts in an organizational unit.​

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device managementand thenChrome management.

    If you don't see Device management on the Home page, click More controls at the bottom.

  3. Click App Management.
  4. On the left, use the App Type filter to display Chrome Apps or Android Apps.
  5. On the left, use the Type filter to display:
    • Approved or configured Android apps
    • Domain, business, or configured Chrome apps
    • Business extensions
  6. Click the title, not the icon, of the app you want to manage.
  7. Click the category of settings you want to configure:
    • User settings—Configure the app for users who sign in with a managed Google Account on any device.

      Important: To apply User settings for managed Chrome Browsers on Windows, Mac, or Linux computers, you need to turn on Chrome Management.

    • Public session settings—Configure the app for users who sign in to a public session on a managed Chrome OS device.
    • Kiosk settings—Deploy the app as a kiosk app if the app is kiosk-enabled in the app’s manifest file.
  8. On the left, select the organization containing the users you want to apply the settings for.
    For all users, select the top-level organization. Otherwise, select a child organization. Learn more
  9. Set the app and extension policies you want to change. Learn about each setting.

    Initially, an organization inherits the settings of its parent. If you're changing a setting for a child organization:

    • To override an inherited value, click Override. You can then change the setting.
    • To return an overridden setting to the value of its parent, click Inherit.
  10. Click Save.
View and search for apps

From your Admin console, you can list all apps and extensions you've set policies for. You can also search for more apps in the Chrome Web store that you want to configure.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device managementand thenChrome management.

    If you don't see Device management on the Home page, click More controls at the bottom.

  3. Click App Management.
  4. At the left in the Search field, enter any search text for finding a specific app.

    The Admin console searches the Chrome Web Store and all of your configured apps. For each result. see details about the app, such as whether it’s blocked, installed, recommended in the Chrome Web Store, or is a kiosk app.

Install custom policies for an app

For some apps and extensions, you can upload a config file to install custom policies for that app. For example, a digital signage kiosk app might have a schedule of events that’s contained in a config file. A config file for a call center kiosk app would contain the VoIP server IP address and port number.

Before you begin: To see if an app supports a config file and, if so, what custom policies it lets you set, see its documentation.

  1. Follow steps above to set policies for one app or extension.
  2. Locate the app you want to install custom policies for.
  3. After selecting the organizational unit you want to configure, click the button to upload a config file.

    If you don't see the Configure option, the app cannot be customized.

  4. Upload the config file with the new policies you want to install.

Kiosk settings

Learn about each setting

Settings apply when users sign in to a managed Google Account on a Chrome Browser or Chrome OS device.

Available settings depend on whether you're updating a User, Public session, or Kiosk setting.  

User, Public session, and Kiosk settings

Allow access to client certificates and keys

Applies to User settings, Public session settings, and Kiosk settings.

Allows the app to read and use client certificates.

Exception: Even if you have enabled Android Apps on supported Chrome devices in your organization, this policy cannot be used to grant Android apps access to client certificates and keys.

Configure

Applies to User settings, Public session settings, and Kiosk settings.

Uploads a configuration file to install customized policies and settings supported by the app. The Configure setting is only available if the app supports a configuration file.

For details, see:

User and Public session settings

Allow installation

Applies to User settings and Public session settings.

Lets users install the app.

Block extensions by permission

Applies to User settings and Public session settings.

You can use this setting in two ways:

Block installing types of apps

Prevent users from running apps or extensions that request certain permissions that your organization doesn’t allow. Select whether to allow or block apps that request specific permissions. Then check the permissions to allow or block.

For details, see Prevent users from running apps based on permissions.  

Prevent apps from altering company webpages

Control whether an app or extension can alter web pages you specify.

For detailed steps, see Prevent Chrome extensions from altering webpages.

  • Blocked URLs—URLs to pages that you want to prevent this app from altering.
  • Allowed URLs—URLs to pages that you want to allow this app to alter. Access is allowed even if the pages are also defined in Blocked URLs.

URL syntax

The format of host patterns is [http|https|ftp|*]://[subdomain|*].[hostname|*].[eTLD|*], where

  • [http|https|ftp|*], [hostname|*], and [eTLD|*] are required, and
  • [subdomain|*] is optional.
Valid host patterns Matches Doesn't match
 *://*.example.* http://example.com
https://test.example.co.uk
https://example.google.com
http://example.google.co.uk
http://example.* http://example.com http://example.ly https://example.com
http://test.example.com
http://example.com http://example.com https://example.com
http://test.example.co.uk
http://*.example.com http://example.com
http://test.example.com
http://t.t.example.com
https://example.com
https://test.example.com
http://example.co.* http://example.co.com
http://example.co.co.uk
http://example.co.uk
http://*.test.example.com http://t.test.example.com
http://test.example.com
http://not.example.com
*://* All Urls  

 

Invalid host patterns

  • http://t.*.example.com
  • http*://example.com
  • http://*example.com
  • http://example.com/
  • http://example.com/*
Pin to taskbar

Applies to User settings and Public session settings.

(Chrome OS only) Pins the app to the taskbar.

Force installation

Applies to User settings and Public session settings.

Installs the app automatically and prevents users from removing it.

For details, see Automatically install apps and extensions.

User settings only

Add to Chrome Web Store collection

Applies to User settings.

Recommends the app to your users in the Chrome Web Store.

Allow access to challenge enterprise keys

Applies to User settings

Allows a force-installed app to call the chrome.enterprise.platformKeys.challengeUserKey and challengeMachineKey APIs. For details, see the Developer Guide for Verified Access.

Kiosk settings only

Allow app to manage power

Applies to Kiosk settings.

Lets the app call the power APIs to modify the default Chrome device behavior.

Device settings page

Applies to Kiosk settings.

Configures a kiosk app to launch automatically on the Device settings page. You can deploy multiple kiosk apps to a device but you can only choose one to launch automatically when the device starts.

To configure an app as a single-app kiosk:

  1. Click the device settings page link.
  2. Go to Kiosk Settings.
  3. For Auto-Launch Kiosk App, choose the kiosk app you want to launch automatically.
Disable virtual keyboard

Applies to Kiosk settings.

Disables the virtual keyboard for an app. When disabled, the virtual keyboard never pops up, even on devices with touch screens or with touch enabled.

Enable unified desktop (beta)

Applies to Kiosk settings.

Lets users span an app across multiple monitors or TVs that have the same resolution. Up to 2 external displays are supported. When enabled, unified desktop is the default mode when a user connects a monitor to their device. When disabled, users can still use 2 external displays, but individual windows will be in one display or the other, even if the desktop is extended across both.

Install automatically

Applies to Kiosk settings.

Installs the app automatically on kiosk devices.

Maintenance window

Applies to Kiosk settings.

Specifies the start and end time (local time) of a maintenance window for the kiosk app. At the start time, the kiosk app is automatically stopped and maintenance activities, such as pending app updates, are performed on the app. At the end time, the app is automatically started again.

Plugins

Applies to Kiosk settings.

Sets whether websites are allowed to run plug-ins. Plug-ins are used by websites to enable certain types of web content (such as Adobe® Flash®) that Chrome can't inherently process. By default, plug-ins run automatically on kiosks.

For more, see Managing Flash on Chrome.

Treat top-row keys as function keys

Applies to Kiosk settings.

Determines the default behavior of the top row of keys on the keyboard. When you turn on this setting, the keys act as function keys, such as F1 and F2. When you turn it off, they act as media keys, such as Play and Pause. Users can turn a function key into a media key (and vice versa) by holding down the Search key on the Chromebook keyboard.

Related topics

Was this article helpful?
How can we improve it?