Set Chrome policies for one app

For administrators who manage Chrome policies from the Google Admin console.

As a Chrome Enterprise admin, you can use your Admin console to set policies for a specific Chrome app, extension, or supported Android app. For example, you might force-install an app and pin it to users' Chrome taskbar.  

Make App Management settings

Can apply for signed-in users on any device, or enrolled browsers on Windows, Mac, or Linux. Learn more

Tip: To force-install or block an extension for enrolled browsers, it's easier to use the Browser Extensions list.

Set policies for an app (main steps)

Before you begin: To make settings for a specific group of users or enrolled Chrome Browsers, put the user accounts or browsers in an organizational unit.​

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Device managementand thenChrome management.

    If you don't see Device management on the Home page, click More controls at the bottom.

  3. Click App Management.
  4. On the left, use the App Type filter to display Chrome Apps or Android Apps.
  5. On the left, use the Type filter to display:
    • Approved or configured Android apps
    • Domain, business, or configured Chrome apps
    • Business extensions
  6. Click the title, not the icon, of the app you want to manage.
  7. Click one of the following:
    • User settings—Configure the app at the user level—when users sign in with a managed Google Account on any device. For user-level settings to work on Windows, Mac, or Linux computers, you need to turn on Chrome Browser Management.

      Some of these settings can also apply for enrolled Chrome Browsers on Windows, Mac, or Linux computers. But you might find it easier to manage apps and extensions for enrolled browsers from the Browser Extensions list.

    • Public session settings—Configure the app for users who sign in to a public session on a managed Chrome OS device.
    • Kiosk settings—Deploy the app as a kiosk app if the app is kiosk-enabled in the app’s manifest file.
  8. Under Orgs, select the organizational unit containing the user accounts or enrolled browsers you want to apply the settings for.
    For all users or browsers, select the top-level organizational unit. Otherwise, select a child. Learn more
  9. Set the app and extension policies you want to change. Learn about each setting.

    Initially, an organizational unit inherits the settings of its parent. If you're changing a setting for a child:

    • To override an inherited value, click Override. You can then change the setting.
    • To return an overridden setting to the value of its parent, click Inherit.
  10. Click Save.
View and search for apps

From your Admin console, you can list all apps and extensions you've set policies for. You can also search for more apps in the Chrome Web store that you want to configure.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Device managementand thenChrome management.

    If you don't see Device management on the Home page, click More controls at the bottom.

  3. Click App Management.
  4. At the left in the Search field, enter any search text for finding a specific app.

    The Admin console searches the Chrome Web Store and all of your configured apps. For each result. see details about the app, such as whether it’s blocked, installed, recommended in the Chrome Web Store, or is a kiosk app.

Install custom policies for an app

For some apps and extensions, you can upload a config file to install custom policies for that app. For example, a digital signage kiosk app might have a schedule of events that’s contained in a config file. A config file for a call center kiosk app would contain the VoIP server IP address and port number.

Before you begin: To see if an app supports a config file and, if so, what custom policies it lets you set, see its documentation.

  1. Follow steps above to set policies for one app or extension.
  2. Locate the app you want to install custom policies for.
  3. After selecting the organizational unit you want to configure, click the button to upload a config file.

    If you don't see the Configure option, the app cannot be customized.

  4. Upload the config file with the new policies you want to install.

Kiosk settings

Learn about each setting

Available settings depend on whether you're updating a User, Public session, or Kiosk settingLearn more above

User, Public session, and Kiosk settings

Allow access to client certificates and keys

Applies to User settings, Public session settings, and Kiosk settings.

Allows the app to read and use client certificates.

Exception: Even if you have enabled Android Apps on supported Chrome devices in your organization, this policy cannot be used to grant Android apps access to client certificates and keys.


Applies to User settings, Public session settings, and Kiosk settings.

Uploads a configuration file to install customized policies and settings supported by the app. The Configure setting is only available if the app supports a configuration file.

For details, see:

User and Public session settings

Allow installation

Applies to User settings and Public session settings.

Lets users install the app.

Pin to taskbar

Applies to User settings and Public session settings.

(Chrome OS only) Pins the app to the taskbar.

Force installation

Applies to User settings and Public session settings.

Installs the app automatically and prevents users from removing it.

For details, see Automatically install apps and extensions.

User settings only

Block extensions by permission

Applies to User settings.

You can use this setting in two ways:

Block installing types of apps

Prevent users from running apps or extensions that request certain permissions that your organization doesn’t allow. Select whether to allow or block apps that request specific permissions. Then check the permissions to allow or block.

For details, see Prevent users from running apps based on permissions.  

Prevent apps from altering company webpages

Control whether an app or extension can alter web pages you specify.

For detailed steps, see Prevent Chrome extensions from altering webpages.

  • Blocked URLs—URLs to pages that you want to prevent this app from altering.
  • Allowed URLs—URLs to pages that you want to allow this app to alter. Access is allowed even if the pages are also defined in Blocked URLs.

URL syntax

The format of host patterns is [http|https|ftp|*]://[subdomain|*].[hostname|*].[eTLD|*], where

  • [http|https|ftp|*], [hostname|*], and [eTLD|*] are required, and
  • [subdomain|*] is optional.
Valid host patterns Matches Doesn't match
*://* All Urls  


Invalid host patterns

  • http://t.*
  • http*://
  • http://*
Add to Chrome Web Store collection

Applies to User settings.

Recommends the app to your users in the Chrome Web Store.

Allow access to challenge enterprise keys

Applies to User settings

Allows a force-installed app to call the chrome.enterprise.platformKeys.challengeUserKey and challengeMachineKey APIs. For details, see the Developer Guide for Verified Access.

Kiosk settings only

Allow app to manage power

Applies to Kiosk settings.

Lets the app call the power APIs to modify the default Chrome device behavior.

Device settings page

Applies to Kiosk settings.

Configures a kiosk app to launch automatically on the Device settings page. You can deploy multiple kiosk apps to a device but you can only choose one to launch automatically when the device starts.

To configure an app as a single-app kiosk:

  1. Click the device settings page link.
  2. Go to Kiosk Settings.
  3. For Auto-Launch Kiosk App, choose the kiosk app you want to launch automatically.
Disable virtual keyboard

Applies to Kiosk settings.

Disables the virtual keyboard for an app. When disabled, the virtual keyboard never pops up, even on devices with touch screens or with touch enabled.

Enable unified desktop (beta)

Applies to Kiosk settings.

Lets users span an app across multiple monitors or TVs that have the same resolution. Up to 2 external displays are supported. When enabled, unified desktop is the default mode when a user connects a monitor to their device. When disabled, users can still use 2 external displays, but individual windows will be in one display or the other, even if the desktop is extended across both.

Install automatically

Applies to Kiosk settings.

Installs the app automatically on kiosk devices.

Maintenance window

Applies to Kiosk settings.

Specifies the start and end time (local time) of a maintenance window for the kiosk app. At the start time, the kiosk app is automatically stopped and maintenance activities, such as pending app updates, are performed on the app. At the end time, the app is automatically started again.


Applies to Kiosk settings.

Sets whether websites are allowed to run plug-ins. Plug-ins are used by websites to enable certain types of web content (such as Adobe® Flash®) that Chrome can't inherently process. By default, plug-ins run automatically on kiosks.

For more, see Managing Flash on Chrome.

Treat top-row keys as function keys

Applies to Kiosk settings.

Determines the default behavior of the top row of keys on the keyboard. When you turn on this setting, the keys act as function keys, such as F1 and F2. When you turn it off, they act as media keys, such as Play and Pause. Users can turn a function key into a media key (and vice versa) by holding down the Search key on the Chromebook keyboard.

Related topics

Was this helpful?
How can we improve it?