View and configure apps and extensions

For administrators who manage Chrome policies from the Google Admin console.

As a Chrome Enterprise admin, you can use your Admin console to set policies for a specific web app, Chrome app or extension, or supported Android app. For example, you might force-install an app and pin it to users' Chrome taskbar.

Before you begin

  • To make settings for a specific group of users or enrolled Chrome browsers, put the user accounts or browsers in a group or organizational unit. Only user accounts can be added to groups. For details, see Groups and Add an organizational unit.
  • To apply settings for Chrome browser users on Windows, Mac, or Linux computers, turn on Chrome management for the organizational unit that they belong to.
  • If you allowlist Android apps, users can’t switch to secondary accounts in Google Play.
  • Even if Chrome Web Store or Google Play are turned off, apps and extensions that you set to Force-install or Force-install + pin to ChromeOS taskbar automatically download. To let users manually download apps or extensions, you need to turn on Chrome Web Store or Google Play. For details about how to turn services on or off for users, go to Additional Google services.
  • There is a limit of 500 for the total number of apps times the number of groups.

Note: If a user belongs to both a group and an organizational unit where app and extension policies are set, the policies set for groups take precedence over those set for organizational units. This does not affect the policy precedence as set by the CloudPolicyOverridesPlatformPolicy and CloudUserPolicyOverridesCloudMachinePolicy policies. For details, see Understand Chrome policy management. You might also need to consider if a user belongs to a security group. For details, see Control access to sensitive data with security groups.

Make app management settings

Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, or Linux. For details, see Understand when settings apply.

Open all   |   Close all

Set policies for an app (main steps)
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenChromeand thenApps & extensions. The Overview page opens by default.

    If you signed up for Chrome Browser Cloud Management, go to Menu and then Chrome browserand thenApps & extensions.

  3. At the top, click the type of app or extension you want to configure:
    • Users & browsers—Configure the app for users who sign in with a managed Google Account on any device, and for enrolled browsers. You can also configure the app for a specific organizational unit or group.
    • Kiosks—Deploy the app to a managed ChromeOS device as a kiosk app if the app is kiosk-enabled in the app’s manifest file. For information about turning ChromeOS devices into single-purpose devices, see Create and deploy Chrome kiosk apps.
    • Managed guest sessions—Configure the app for users who sign in to a managed guest session on a managed ChromeOS device.
  4. Find and click the app you want to manage. See View apps below.
  5. In the panel that opens on the right, set the app and extension policies you want to change. Learn about each setting.
  6. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit (or Unset for a group).

View apps

From your Admin console, you can list all apps and extensions you've set policies for in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenChromeand thenApps & extensions. The Overview page opens by default.

    If you signed up for Chrome Browser Cloud Management, go to Menu and then Chrome browserand thenApps & extensions.

  3. At the top, click the type of app or extension you want to view:
    • Users & browsers
    • Kiosks
    • Managed guest sessions
  4. On the left, choose your search:
    • Users—search for apps for a specific user
    • Groups—Search for apps within a specific group
    • Organizational units—Search for apps within a specific organizational unit
  5. At the top, click Search or add a filter and search by:
    • Full-text—Enter the app or extension name or ID.
    • Title—Enter the app or extension name.
    • ID—Enter the app or extension ID.
    • Type—Choose whether to display Android, Chrome, or web apps.
    • Installation policy—Choose whether to display apps, depending on their installation policy.
  6. Click Apply.
Add apps

You can search for apps to add and configure in the Chrome Web Store or Google Play. Or, to install a progressive web app for users or create a shortcut to a website, you can add the app by URL.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenChromeand thenApps & extensions. The Overview page opens by default.

    If you signed up for Chrome Browser Cloud Management, go to Menu and then Chrome browserand thenApps & extensions.

  3. Click the type of app or extension you want to add:
    • Users & browsers
    • Kiosks
    • Managed guest sessions
  4. To add a Chrome Web Store app that costs money, click Add Add question and choose Add Chrome app or extension by ID.
    Note: This option is not available for Google Workspace for Education Fundamentals customers.
  5. To add a free app, click Add Add question and choose an option:
    • Add from Chrome Web Store
    • Add from Google Play
    • Add Chrome app or extension by ID
    • Add by URL (available for Users & browsers only)
  6. If you're adding an app from the Chrome Web Store or Google Play, find the app and click Select. If prompted, accept the app permissions on behalf of your organization.
  7. If you're adding by ID, enter the ID and click Save. If the extension is outside of the Chrome Web Store, enter the ID, select From a custom URL, enter the URL, and click Save.
  8. If you're adding by URL:
    1. Enter the URL of the progressive web app (PWA) or website shortcut.
    2. Choose how you want to open the app:
      • Open in a browser tab—For website shortcuts.
      • Open in a separate window—For website shortcuts or PWAs.
      • Open as a progressive web app (PWA) only—For PWAs. Available only for Users & browsers.
    3. If you choose Open as a progressive web app (PWA) only, the unique value for the PWA Manifest ID is automatically added. However, if the ID is not found, you’ll need to manually add it—Go to Chrome for Developers documentation.
    4. Click Save. Or, you might click Override for an organizational unit.

      To later restore the inherited value, click Inherit (or Unset for a group).

Remove apps
You can remove apps that you no longer want on user devices. The next time users sign in to their ChromeOS device, the app and its associated user data are removed.

Get app or extension ID

To remove a specific app or extension, including ones that are pre-installed on devices, first you need to identify it. Every app and extension has its own unique identification (ID) that doesn’t change across versions. Each ID is 32 characters long.

To find the app or extension ID that you want to remove:

  1. On a managed ChromeOS device, browse to chrome://system.
  2. On the left, find extensions.
  3. Click Expand.
  4. In the list, find the app or extension that you want to remove and take note of its ID.

Remove an app and its associated user data

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenChromeand thenApps & extensions. The Overview page opens by default.

    If you signed up for Chrome Browser Cloud Management, go to Menu and then Chrome browserand thenApps & extensions.

  3. At the top, click Users & browsers.
  4. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how

    Group settings override organizational units. Learn more

  5. Find and click the app that you want to remove.
  6. Under Installation policy, choose Block.
  7. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit (or Unset for a group).

About the Apps & extensions page

On the Apps & extensions page, you can see the following details for each of your apps and extensions.

Field Description

App

The app or extension name and ID. The ID format depends on app or extension type:

  • Android—The Android app's unique app ID that looks like a Java package name, such as com.example.myapp. The ID uniquely identifies the app in the Admin console, on users' devices, and in Google Play.
  • Chrome—For apps that are hosted in the Chrome Web Store, the unique ID is 32 characters long. For self-hosted apps, the name and ID are the same. The app ID uniquely identifies the app in the Admin console, on users' devices, and in Chrome Web Store.
  • Web—The web app's URL.

Installation policy

Displays how the app or extension is installed for users. For example, Allow install or Force install.

For details, see Learn about installation policies below.

Version pinning

Users & browsers—For ChromeOS devices with version 89 or later
Managed guest sessions—For ChromeOS devices with version 98 or later

Indicates whether the app or extension is pinned to a specific version. Apps and extensions that are pinned to an outdated version have a warning symbol that lets you know that a newer version is available.

For details, see Pin Chrome app or extension updates.

Learn about installation policies

Available installation policies depend on whether you're updating an app or extension for users and browsers, kiosks, or managed guest sessions.

Installation policy What it does Applies to
Force install

Installs the app automatically and prevents users
from removing it.

Users & browsers

Managed guest sessions

Force install + pin to ChromeOS taskbar Installs the app automatically and prevents users
from removing it. On ChromeOS device, pins
the app to the taskbar.

Users & browsers

Managed guest sessions

Allow install Lets users install the app.

Users & browsers

Block Prevents users from installing the app. Removes the app
from users that have the app installed

Users & browsers

Installed Installs the app automatically and prevents users
from removing it.
Kiosks
Not Installed Uninstalls the app automatically.

Kiosks

Managed guest sessions

Deploy apps and extensions

For a step by step guide, watch this how-to demo video

How to deploy applications for ChromeOS

Learn about app and extension settings

Available settings depend on whether you're updating an app or extension for users and browsers, kiosks or managed guest sessions.

Users & browsers

Extension is mandatory for Incognito

Configure a list of extension IDs that are mandatory for browsing in Incognito mode. When opening an Incognito session, managed users are asked to allow certain extensions to run in Incognito mode before they can browse.

Note: Check the IncognitoModeAvailability policy to ensure that Incognito mode is turned on. If Incognito mode is turned off, then this MandatoryExtensionsForIncognitoNavigation policy has no effect.

Launch on login

Controls whether the PWA automatically launches when a user signs in to their ChromeOS device.

  • Allow user to launch manually—Users can configure the app to automatically launch when they sign in.
  • Force launch and allow closing—App automatically launches when the user signs in. Users, task manager, and web APIs can close the app.
  • Force launch and prevent closing—App automatically launches when the user signs in. Users and web APIs can’t close the app.

Users & browsers and Managed Guest Sessions settings

Include in Chrome Web Store collection
Recommends the app to your users in the Chrome Web Store.
Permissions and URL access

Prevents users from running apps or extensions that request certain permissions that your organization doesn’t allow. For details, see Prevent users from running apps based on permissions.

Control whether apps or extensions in general can alter web pages you specify. For details, see Prevent Chrome extensions from altering webpages.

Allow enterprise challenge

Allows a force-installed app to call the chrome.enterprise.platformKeys.challengeUserKey and challengeMachineKey APIs. For details, see the Verified Access API Developer Guide.

Deployment settings

Specifies the version that self-hosted Chrome apps and extensions are pinned to. For details, see Pin self-hosted apps.

Users & browsers, Kiosks, and Managed Guest Sessions settings

Policy for extensions

For some apps and extensions, you can install custom policies. For example, a digital signage kiosk app might have a schedule of events that’s contained in a JavaScript Object Notation (JSON) file.

Before you install custom policies, check the app or extension’s documentation to see what custom policies you can set, if any. Then, enter the JSON data in the text field. We recommend that you use the JSON validation tool of your choice to pre-check your configuration.

Policy for web applications

For some web apps and PWAs (Progressive Web Applications), you can pass managed configuration policies using JSON. For example, a video conferencing web app might utilize specific settings for your entire organization and these settings can be configured for all users with JSON.

Before you install custom policies, check the app or extension’s documentation to see what custom policies you can set, if any. Then, enter the JSON data in the text field. We recommend that you use the JSON validation tool of your choice to pre-check your configuration.

Kiosk settings

Allow App to Manage Power
Lets the app call the power APIs to modify the default ChromeOS device behavior.
Use Unified Desktop
Lets users span an app across multiple monitors or TVs that have the same resolution. Up to 2 external displays are supported. When enabled, unified desktop is the default mode when a user connects a monitor to their device. When disabled, users can still use 2 external displays, but individual windows will be in one display or the other, even if the desktop is extended across both.
Allow On-screen Keyboard
Allows the on-screen keyboard for an app. When turned off, the on-screen keyboard never pops up, even on devices with touch screens or with touch enabled.
Enable Plug-ins
Sets whether websites are allowed to run plug-ins. Plug-ins are used by websites to enable certain types of web content that Chrome can't inherently process. By default, plugins run automatically on kiosks.
Set Keyboard Top Row as FN Keys
Determines the default behavior of the top row of keys on the keyboard. When you turn on this setting, the keys act as function keys, such as F1 and F2. When you turn it off, they act as media keys, such as Play and Pause. Users can turn a function key into a media key (and vice versa) by holding down the Search key on the Chromebook keyboard.
Allow multiple windows on any screen

Lets the web app open multiple fullscreen browser windows across monitors that are connected to the device.

When Allow multiple windows on any screen is turned off, web apps can open only 1 browser window.

Maintenance window
Specifies the start and end time (in local time) of a maintenance window for the kiosk app. At the start time, the kiosk app automatically stops. Then, maintenance activities, such as pending app updates, are performed on the app. At the end time, the app automatically starts again.

Auto-Launch Kiosk App Settings

Enable Health Monitoring
Select Enable Health Monitoring to allow the health status of the kiosk to be reported. After doing this, you can check if a device is online and working properly.
Enable System Log Upload

Select Enable System Log Upload to automatically capture system logs for kiosk devices. Logs are captured every 12 hours and uploaded to your Admin console, where they’re stored for a maximum of 60 days. At any one time, 7 logs are available to download—1 for each day for the past 5 days, 1 for 30 days ago, and 1 for 45 days ago.

For more information, see Monitor kiosk health.

Note: Before you enable logs to be uploaded, you must inform the users of managed kiosk devices that their activity may be monitored and data may be inadvertently captured and shared. Without notification to your users, you are in violation of the terms of your agreement with Google.

Screen Rotation (Clockwise)
To configure screen rotation for your kiosk devices, select your desired screen orientation. For example, to rotate the screen for a portrait layout, select 90 Degrees. This policy can be overridden by manually configuring the device to a different screen orientation.

Related topics

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu