Restrict networks and network interfaces

For administrators who manage ChromeOS devices for a business or school.

As an admin, you can use the Google Admin console to configure device policies to restrict network connectivity. For example, you can restrict devices enrolled in an organizational unit to connect only to Ethernet. Or, you can prevent employees from connecting to a Wi-Fi hotspot running off their personal phones.

If your organization has both a production network and a guest network, you might want to block managed devices from accessing the guest network while still allowing users to use their personal devices at home. In that case, you can block access to certain Wi-Fi SSIDs.

Restrict network connectivity

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices and on the left, click Networks.

    Requires having the Shared device settings administrator privilege.

  3. Click General Settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. (Optional) To automatically connect to managed networks only, do the following:
    Note: This only applies to Wi-Fi or Ethernet on Chrome devices.
    1. Click Auto-connect.
    2. Check the Restrict users to only auto-connect to managed networks box.
    3. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
  6. (Optional) To allow users to connect only to the Wi-Fi networks configured for the selected organizational unit, do the following:
    1. Click Wi-Fi networks.
    2. Check the Restrict users to connecting only to the Wi-Fi networks configured for this organizational unit (Chrome version 49 or later) box.
    3. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
  7. (Optional) To allow users to connect only to the cellular networks configured for the selected organizational unit, do the following:
    1. Click Cellular networks.
    2. Check the Restrict users to only connect to the cellular networks configured for this organizational unit (Chrome version 100 or later) box.
    3. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
  8. (Optional) To select the network interfaces that your users can connect to:
    1. Click Allowed network interfaces.
    2. Check the network interface boxes that you want to allow. Choose one or more of the following options: Wi-Fi, Ethernet, Cellular, WiMax, VPN.
      Note: The VPN checkbox applies only to integrated Chrome OS VPNs. For VPN app solutions, use app restriction policies to allow or block VPN access.
    3. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
  9. (Optional) To block users from connecting to specific Wi-Fi networks:
    1. Click Blocked Wi-Fi networks.
    2. Enter the list of SSIDs that you want to block.
    3. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Considerations

  • The policies are applied device-wide to managed and unmanaged users. Policies that you set are also applied to managed guest sessions and kiosks.
  • The policies will have some implications on your Chromebook deployment as outlined below.

Policy misconfiguration

If you misconfigure policies, devices might not be able to connect to the web and receive policy updates. For example, if you restrict devices to connect only to a specific set of Wi-Fi configurations, and then switch the SSID of your network hardware, your users won’t be able to connect to the new SSID. You won’t be able to push new network policies to them because their devices are no longer connected to the web.

To minimize deployment issues, network restrictions are only applied to devices after users sign in. The sign-in screen does not enforce the restrictions that you set. So, if you misconfigure the policy, users can sign out, connect to a network from the sign-in screen, and then sign back in to their session while connected to a valid network that allows them to download the amended policy.

We recommend that you configure a valid device-wide network that devices can automatically connect to on the sign-in screen. That way, if there’s a deployment error, users can sign out of their accounts and their devices will automatically connect to that network. 
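
The SSID-switch lockout described above can be checked for before a rollout by comparing the planned settings with the SSIDs that the network hardware actually broadcasts. The following is an added example, not Google's code or an Admin console API: the OuPlan model, its field names and the sample SSIDs are hypothetical, and only Wi-Fi and Ethernet are modeled.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class OuPlan:
    """Planned network restrictions for one organizational unit (hypothetical model)."""
    name: str
    managed_ssids: set = field(default_factory=set)   # Wi-Fi networks configured for the OU
    blocked_ssids: set = field(default_factory=set)   # blocked Wi-Fi networks list
    allowed_interfaces: set = field(default_factory=lambda: {"Wi-Fi", "Ethernet"})
    restrict_to_managed_wifi: bool = False
    signin_ssid: Optional[str] = None                 # device-wide network for the sign-in screen

def lockout_findings(plan, broadcast_ssids, ethernet_on_site=False):
    """Return reasons signed-in devices in this OU could lose connectivity and policy updates."""
    findings = []
    for ssid in sorted(plan.managed_ssids & plan.blocked_ssids):
        findings.append(f"{plan.name}: '{ssid}' is both configured and blocked")
    reachable = "Ethernet" in plan.allowed_interfaces and ethernet_on_site
    if "Wi-Fi" in plan.allowed_interfaces:
        # Networks a signed-in user could still join under the planned restrictions.
        candidates = broadcast_ssids - plan.blocked_ssids
        if plan.restrict_to_managed_wifi:
            candidates &= plan.managed_ssids
        if candidates:
            reachable = True
        elif plan.restrict_to_managed_wifi:
            findings.append(f"{plan.name}: no configured, unblocked SSID is being broadcast")
    if not reachable:
        findings.append(f"{plan.name}: no allowed interface has a usable network after sign-in")
    # The sign-in screen is the recovery path, so it needs a network that is on the air.
    if plan.signin_ssid not in broadcast_ssids:
        findings.append(f"{plan.name}: no live sign-in screen network for recovery")
    return findings

# Constructed sample: the access points were renamed from CorpNet to CorpNet-5G.
ON_AIR = {"CorpNet-5G", "Guest"}
stale = OuPlan("Pilot", managed_ssids={"CorpNet"}, blocked_ssids={"Guest"},
               restrict_to_managed_wifi=True)
fixed = OuPlan("Pilot", managed_ssids={"CorpNet-5G"}, blocked_ssids={"Guest"},
               restrict_to_managed_wifi=True, signin_ssid="CorpNet-5G")

if __name__ == "__main__":
    for plan in (stale, fixed):
        print(plan.name, lockout_findings(plan, ON_AIR) or "ok")
```

Run it against the smallest pilot organizational unit first, so that a finding affects only a few devices.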

Staged deployment

We recommend that you roll out these settings in a staged approach per organizational unit. That way, if policies are misconfigured, only a small number of users are affected.

Personal usage of corporate device

These policies are applied device-wide. Users might not be able to use their corporate devices at home as they might not comply with policy restrictions outside the workplace. For example, users will not have the same Wi-Fi configurations at home as at work. Or they might not have an Ethernet connection available if they want to use the device to work from a coffee shop.

Corporate usage of personal device

If network restrictions are applied to your managed accounts, users might not be able to use their personal devices at work. Policies apply to devices and not to users, so users can still sign in with their managed accounts to their personal devices. But the network restrictions that you set are not applied to the device.

Moving devices with eSIM profiles

When moving devices to another organizational unit, be aware of the following:

  • To retain existing eSIMs on devices in the new organizational unit, first make sure that a cellular network configuration with the same SM-DP+ URL exists in the new organizational unit.
  • To clear existing eSIMs from devices, before you move them, use Reset eSIM to permanently remove eSIM profiles from devices. For details, see View Chrome OS device details.
  • Moving devices to an organizational unit without matching network configurations causes managed eSIMs on devices to become unmanaged. No policy settings are applied to the network.