Restrict networks and network interfaces

For administrators who manage Chrome devices for a business or school.

As an admin, you can use the Google Admin console to configure device policies to restrict network connectivity. For example, you can restrict devices enrolled in an organizational unit to connect only to Ethernet. Or, you can prevent employees from connecting to a Wi-Fi hotspot running off their personal phones.

Restrict network connectivity

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. On the left, click Networks.

    Requires having the Shared device settings administrator privilege.

  4. Click General Settings.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. (Optional) To automatically connect to managed networks only, do the following:
    1. Click Auto-connect.
    2. Check the Only allow managed networks to auto-connect box.
    3. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
    Note: This only applies to Wi-Fi or Ethernet on Chrome devices.
  7. (Optional) To allow users to connect only to the Wi-Fi networks configured for the selected organizational unit, do the following:
    1. Under Restrict Wi-Fi networks, click Edit.
    2. Check the Restrict users to connecting only to the Wi-Fi networks configured for this Organizational Unit (Chrome version 49 or later) box.
    3. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
  8. (Optional) To select the network interfaces that your users can connect to:
    1. Click Allowed network interfaces.
    2. Check the network interface boxes that you want to allow. Choose one or more of the following options: Wi-Fi, Ethernet, Cellular, WiMax, VPN.
      Note: The VPN checkbox applies only to integrated Chrome OS VPNs. For VPN app solutions, use app restriction policies to allow or block VPN access.
    3. Click Save.

Considerations

  • The policies are applied device-wide to managed and unmanaged users. Policies that you set are also applied to managed guest sessions and kiosks.
  • These policies have implications for your Chromebook deployment, as outlined below.

Policy misconfiguration

If you misconfigure policies, devices might not be able to connect to the web and receive policy updates. For example, if you restrict devices to connect only to a specific set of Wi-Fi configurations, and then switch the SSID of your network hardware, your users won’t be able to connect to the new SSID. You won’t be able to push new network policies to them because their devices are no longer connected to the web.

To minimize deployment issues, network restrictions are only applied to devices after users sign in. The sign-in screen does not enforce the restrictions that you set. So, if you misconfigure the policy, users can sign out, connect to a network from the sign-in screen, and then sign back in to their session while connected to a valid network that allows them to download the amended policy.

We recommend that you configure a valid device-wide network that devices can automatically connect to on the sign-in screen. That way, if there’s a deployment error, users can sign out of their accounts and their devices will automatically connect to that network. 

Staged deployment

We recommend that you roll out these settings in a staged approach per organizational unit. That way, if policies are misconfigured, only a small number of users are affected.
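
The misconfiguration and staged-deployment considerations above can be checked before a rollout. The following is an added example, not Google's code or an Admin console feature: a small lint that flags stale SSIDs, in-session lockout, a missing sign-in-screen recovery network, and an oversized first stage. The OuPlan structure, its field names, the finding codes, and the pilot_limit threshold are all assumptions made for illustration.

```python
# Added example: pre-flight lint for a planned network-restriction rollout.
# OuPlan, its fields and pilot_limit are hypothetical, not an Admin console export.
from dataclasses import dataclass, field

PHYSICAL = {"Ethernet", "Cellular", "WiMax"}   # non-Wi-Fi interfaces from the console list

@dataclass
class OuPlan:
    name: str
    device_count: int
    restrict_to_configured_wifi: bool          # the "Restrict Wi-Fi networks" box
    allowed_interfaces: set                    # boxes checked under "Allowed network interfaces"
    configured_ssids: set                      # Wi-Fi networks configured for this OU
    signin_screen_ssids: set = field(default_factory=set)  # device-wide auto-connect networks

def lint(plan, broadcast_ssids, pilot_limit=50):
    """Return sorted finding codes for one OU, given the SSIDs the site actually broadcasts."""
    findings = set()
    live = plan.configured_ssids & broadcast_ssids
    if plan.restrict_to_configured_wifi and plan.configured_ssids - broadcast_ssids:
        findings.add("STALE_SSID")             # configured, but the hardware no longer offers it
    wifi_usable = "Wi-Fi" in plan.allowed_interfaces and (
        not plan.restrict_to_configured_wifi or bool(live))
    if not wifi_usable and not (plan.allowed_interfaces & PHYSICAL):
        findings.add("SESSION_LOCKOUT")        # nothing to connect to once the user signs in
    if not (plan.signin_screen_ssids & broadcast_ssids):
        findings.add("NO_RECOVERY_NETWORK")    # sign-in screen cannot auto-connect to fetch a fix
    if plan.device_count > pilot_limit:
        findings.add("LARGE_FIRST_STAGE")      # a mistake here hits many devices at once
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample: the site renamed its SSID from Corp-Old to Corp-New.
    broadcast = {"Corp-New", "Corp-Onboard"}
    plans = [
        OuPlan("Pilot", 20, True, {"Wi-Fi"}, {"Corp-Old"}),
        OuPlan("Pilot-fixed", 20, True, {"Wi-Fi", "Ethernet"}, {"Corp-New"}, {"Corp-Onboard"}),
        OuPlan("Everyone", 4000, True, {"Wi-Fi", "Ethernet"}, {"Corp-Old", "Corp-New"}, {"Corp-Onboard"}),
    ]
    for p in plans:
        print(p.name, lint(p, broadcast) or "ok")
```
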

Personal usage of corporate device

These policies are applied device-wide. Users might not be able to use their corporate devices at home as they might not comply with policy restrictions outside the workplace. For example, users will not have the same Wi-Fi configurations at home as at work. Or they might not have an Ethernet connection available if they want to use the device to work from a coffee shop.

Corporate usage of personal device

If network restrictions are applied to your managed accounts, users might not be able to use their personal devices at work. Policies apply to devices and not to users, so users can still sign in with their managed accounts to their personal devices. But the network restrictions that you set are not applied to the device.
