Applies to managed Chrome browsers and ChromeOS devices.
As a Chrome Enterprise admin you can block and allow URLs so that users can only visit certain websites. Restricting users’ internet access can increase productivity and protect your organization from viruses and malicious content found on some websites.
When to block and allow URLs
Use the blocklist and allowlist for basic URL management. If you need stronger filtering, use a content-filtering web-proxy server or extension.
Use the URL blocklist and allowlist to:
- Allow access to all URLs except the ones you block—Use the blocklist to prevent users from visiting certain websites, while allowing them access to the rest of the web.
- Block access to all URLs except the ones you allow—Use the blocklist to block access to all URLs. Then, use the allowlist to allow access to a limited list of URLs.
- Define exceptions to very restrictive blocklists—Use the blocklist to block access to all URLs. Then, use the allowlist to let users access certain schemes, subdomains of other domains, ports, or specific paths.
- Allow Chrome browser to open apps—Allow specific external protocol handlers so that Chrome browser can automatically open certain apps.
Sometimes, the blocklist and allowlist does not work as expected. For example, if you block an entire website and allow a specific webpage URL for that site, users might be able to access other content on that website.
When SAML or OpenID Connect single sign-on is used for user authentication, or when configuring network connections with Captive Portals outside of user sessions, you can block or allow URLs on user sign-in and lock screens using the DeviceAuthenticationURLBlocklist and DeviceAuthenticationURLAllowlist policies.
For more details, see Blocked URLs on the sign-in / lock screens and Blocked URL exceptions on the sign-in / lock screens.
URL blocking exceptions
It is best practice to not block some URLs, like:
- chrome://settings
- chrome://os-settings
- chrome-untrusted://
To block Chrome URLs, we recommend that you use Block sensitive internal Chrome URLs in the Google Admin console instead of adding the URLs manually to the blocked URLs list. This is a faster and safer way of blocking user access to sensitive internal URLs. Adding URLs manually might cause unexpected issues on the device. To view the full list of blocked Chrome URLs, see Block sensitive internal Chrome URLs.
To block system features like camera, OS setttings, and browser settings, we recommend that you use Disabled system features in the Admin console instead of using the URL blocking setting or blocking apps and extensions by ID. This blocks all the settings, not just the URL part.
If you have a specific page you want to block, you should isolate what exactly in the page that you want to block from users. You can then alert Chrome or ChromeOS support about what policies you want implemented. Developers can then add a policy for the specific functionality that should be blocked instead.
Step 1: Review policies
| Policy |
Description |
|
URLBlocklist
|
Prevent users from accessing a list of blocked URLs. Users can access all URLs except those that you block.
Unset: Users can access all website URLs without restriction.
|
|
URLAllowlist
|
Use it with URLBlocklist to allow users to access specific URLs as exceptions to the URL blocklist. The allowlist takes precedence over the blocklist. To work, you need at least one entry in the blocklist.
Unset: There are no exceptions to the URL blocklist.
|
Step 2: Specify URLs Chrome users can visit
Click below for the steps, based on how you want to manage these policies.
Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, Linux, or Android. For details, see Understand when settings apply.
-
Sign in with an
administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
-
-
(Optional) To apply the setting only to some users and enrolled browsers, at the side, select an
organizational unit (often used for departments) or configuration
group (advanced).
Show me how
Group settings override organizational units. Learn more
- Go to Content.
- Click URL Blocking and enter URLs as needed:
You can block and allow up to 1,000 URLs.
-
Click
Save. Or, you might click
Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).
- Blocked URLs is not recognized by apps that use Android System WebView. To enforce a blocklist on these apps, define the blocked URLs in a text file and apply the blocklist to the Android apps on an app-by-app basis. For apps that don’t use Android System WebView, see the app documentation for information on how to restrict access in a similar way.
- Blocked URL exceptions is usually recognized by Android apps that use Android System WebView. However, other apps might not respect the blocklist. You can allow the apps that use Android System WebView and omit the ones that don’t. For information on allowing Android apps, see Allow the installation of approved apps.
Applies to Windows users who sign in to a managed account on Chrome browser.
Using Group Policy
In your Microsoft Windows Group Policy Editor (Computer or User Configuration folder):
- Go to Policies
Administrative TemplatesGoogleGoogle Chrome.
- Enable Block access to a list of URLs.
Tip: If you don't see this policy, download the latest policy template.
- Add the URLs that you want to block.
Leaving this policy Not configured uses the Unset behavior described above.
- Enable Allows access to a list of URLs.
- Add the URLs that you want users to access.
Leaving this policy Not configured uses the Unset behavior described above.
- Deploy the update to your users.
You can block and allow up to 1,000 URLs. For URL syntax, see Allow or block websites—URL filter format.
Applies to Mac users who sign in to a managed account on Chrome browser.
In your Chrome policy configuration profile (.plist file):
- Add or update the following keys.
- Add the URLs that you want to block to the URLBlocklist key.
- Add the URLs that you want users to access to the URLAllowlist key.
- Deploy the changes to your users.
You can block and allow up to 1,000 URLs. For URL syntax, see Allow or block websites—URL filter format.
The example shows how to block all URLs except mail.example.com, wikipedia.org, and google.com.
<key>URLBlocklist</key>
<dict>
<array>
<string>*</string>
</array>
</dict>
<key>URLAllowlist</key>
<dict>
<array>
<string>mail.example.com</string>
<string>wikipedia.org</string>
<string>google.com</string>
</array>
</dict>
Applies to Linux users who sign in to a managed account on Chrome browser.
Using your preferred JSON file editor:
- Go to your /etc/opt/chrome/policies/managed folder.
- Create or update a JSON file and enter URLs as needed:
- In URLBlocklist, add the URLs that you want to block.
- In URLAllowlist, add the URLs that you want users to access.
- Deploy the update to your users.
You can block and allow up to 1,000 URLs. For URL syntax, see Allow or block websites—URL filter format.
The example shows how to block all URLs except mail.example.com, wikipedia.org, and google.com.
First, create a file that contains the blocked URLs.
{
"URLBlocklist": ["*"]
}
Then, create a file that contains the allowed URLs.
{
"URLAllowlist": ["mail.example.com", "wikipedia.org", "google.com"]
}
Applies to Android users who sign in to Chrome browser using a managed account.
If you've signed up for Chrome Enterprise Core, use your Admin console to manage Chrome browser on Android devices. Follow the steps in Admin console above.
Otherwise, we recommend that you ask your Mobile Device Management (MDM) vendor to configure URL blocking policies for Chrome on Android.
Read Set up Chrome Enterprise Core
Applies to iPhone and iPad users who sign in to Chrome browser using a managed account.
If you've signed up for Chrome Enterprise Core, use your Admin console to manage Chrome browser on iPhones and iPads. Follow the steps in Admin console above.
Otherwise, we recommend that you ask your Mobile Device Management (MDM) vendor to configure URL blocking policies for Chrome on iOS and iPadOS.
Read Set up Chrome Enterprise Core
Step 3: Verify policies are applied
After you apply any Chrome policies, users need to restart Chrome browser for the settings to take effect. You can check users’ devices to make sure the policy was applied correctly.
- On a managed device, go to chrome://policy.
- Click Reload policies.
- For URLBlocklist and URLAllowlist, make sure Status is set to OK.
- For URLBlocklist and URLAllowlist, click Show value and make sure that the value fields are the same as what you set in the policy.
Administrative Templates