Chrome app and extension permissions

This page is for IT administrators who manage Chrome Browsers or Chrome OS devices for a business or school.

As a Chrome Enterprise admin, you can control whether your Chrome users can install apps or extensions based on the information an app can access—also known as permissions. For example, you might want to prevent users from installing apps that want permission to see a device location.

See the steps

Click your platform below for steps on how to allow or block apps, based on permissions.

Set permissions for: CHROME OS DEVICES WINDOWS MAC  LINUX

Review permissions

Here's the list of permissions you can allow or block.

Admin console permission API What it does
2-factor devices u2fDevices Allows app or extension to communicate with devices with 2-Factor Authentication that support  U2F.
Alarms alarms Schedules code to run periodically or at a specified time.
Audio capture audioCapture Allows app or extension to capture audio directly from the microphone.
Block web requests webRequestBlocking Allows app or extension to block specific web requests.
Captive portal authenticator networking.config Allows app or extension to support captive portal authentication.
Certificate provider certificateProvider Exposes certificates to Chrome so they can be used for Transport Layer Security (TLS) authentication.
Clipboard read clipboardRead Allows app or extension to read the contents of the clipboard at any time.
Context menus contextMenus Allows app or extension developers to add items to the context menu in Chrome. To open the context menu, users right-click a webpage.
CPU metadata system.cpu Allows app or extension to  query metadata about the system's CPU.
Desktop capture desktopCapture Allows app or extension to capture screen, window, or tab content.
Detect idle idle Allows app or extension to detect when the device's idle state changes.
Display metadata system.display Allows app or extension to query metadata about the system's display.
Document scan documentScan (Chrome OS only) Allows app or extension to get images from attached document scanners. 
Enterprise device attributes enterprise_deviceAttributes (Chrome OS only) Allows app or extension installed by a policy to query the device's unique ID.
Experimental APIs experimental Allows app or extension to use experimental APIs.
File browser handler fileBrowserHandler (Chrome OS only) Extends Chrome. For example, apps or extensions can allow users to upload files to a website.
File system fileSystem Allows app or extension to create, read, navigate, and write to the user's local file system at a user-selected location.
File system provider fileSystemProvider (Chrome OS only) Allows app or extension to create file systems that can be accessible from the file manager on a Chrome device.
Fullscreen apps app.window.fullscreen     Allows app to open in full screen.
Geo location geolocation Allows app or extension to get the user's current location.
Google Cloud Messaging gcm Allows app or extension to send and receive messages through the Google Cloud Messaging service.
HID hid Allows app or extension to interact with connected Human Interface Devices (HIDs). Apps can function as drivers for hardware devices.
Identity identity Allows app or extension to get OAuth 2.0 access tokens.
Media galleries mediaGalleries Allows app or extension to access media files from a user's device with the user's consent. Media files include audio, images, and video.
Memory metadata system.memory Allows app or extension to  query metadata about the system's physical memory.
Native messaging nativeMessaging Allows app or extension to exchange messages with native apps on user's devices. Native apps must be registered as a native messaging host.
Network metadata system.network Allows app or extension to query metadata about the system's network.
Notifications notifications Allows app or extension to create notifications and display them in the user's system tray.
Override fullscreen escape app.window.fullscreen.overrideEsc Sets app to always be in full screen, even if a user presses the Escape key.
Platform keys platformKeys (Chrome OS only) Allows app or extension to access Chrome-managed client certificates for authentication. For example, authenticating to VPN.
Power power Allows app or extension to override the operating system's power-management features.
Printers printerProvider Allows app or extension to control printers, submit print jobs, and query the status of a print job.
Serial serial Allows app or extension to read from and write to a device connected to a serial port.
Set proxy proxy Allows app or extension developer to set or modify a proxy for specific URLs.
Storage storage Allows app or extension to store, retrieve, and track changes to a user's data.
Storage metadata system.storage Allows app or extension to query metadata about the system's storage.
Sync file system syncFileSystem Allows app or extension to save and synchronize data in Google Drive. 
Text to speech tts Allows app or extension to play synthesized text-to-speech (TTS).
Unlimited storage unlimitedStorage Removes limit on how much data an extension or app can store on a user's computer.
USB usb Allows app or extension to communicate with USB devices so an app can function as a driver for hardware devices.
Video capture videoCapture Allows app or extension to capture video directly from a user's camera.
VPN provider vpnProvider (Chrome OS only) Allows app or extension to implement a VPN client.
Web requests webRequest Allows app or extension to observe and analyze web traffic. It also intercepts or modifies in-progress requests.
Was this article helpful?
How can we improve it?