Chrome version 61 and later.
For administrators who manage Chrome browser or Chrome OS devices for a business or school.
As a Chrome administrator, you can use the DownloadRestrictions policy to prevent users from downloading dangerous files, such as malware or infected files. You can prevent users from downloading all files or those that Google Safe Browsing identifies as dangerous. If users try downloading dangerous files, they get a security warning that they can’t bypass.
Step 1: Review the policy
Policy: DownloadRestrictions
There are many types of download warnings within Chrome that can generally be categorized as follows:
- Malicious, as flagged by the Safe Browsing server.
- Uncommon or unwanted, as flagged by the Safe Browsing server.
- A dangerous file type. For example, all SWF downloads and many EXE downloads.
For more details on these categories, see Google Chrome blocks downloads.
Setting the DownloadRestrictions policy blocks different subsets of these, depending on it's value:
- 0—Default. No special restrictions.
- 1—Blocks malicious files flagged by the Safe Browsing server and blocks all dangerous file types.
Note: We only recommend setting this policy for organization units, browsers, or users that do not regularly incorrectly identify an entity, such as a file or a process, as malicious. - 2—Blocks the following files:
- Malicious files flagged by the Safe Browsing server.
- Uncommon or unwanted files flagged by the Safe Browsing server.
- All dangerous file types.
Note: We only recommend setting this policy for organization units, browsers, or users that do not regularly incorrectly identify an entity, such as a file or a process, as malicious.
- 3—Blocks all downloads. Not recommended, except for special use cases.
- 4—Recommended. Blocks malicious files flagged by the Safe Browsing server but does not block dangerous file type.
Unset: Defaults to No restrictions, as described above.
What the policy restricts
These restrictions apply to downloads that are triggered on webpages when users click a download link on the page or right-click a file and choose Save link as.
What the policy does not restrict
The restrictions do not apply when users save a webpage by clicking File Save page as, or Print
Save as PDF.
For more details, see What is Safe Browsing?
Step 2: Set the policy
Click below for steps, based on how you want to manage these policies.
Admin console-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
From the Admin console Home page, go to Devices
Chrome.
- Click Settings
Users & browsers.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Scroll to Chrome Safe Browsing.
- For Download restrictions, choose an option:
- No special restrictions
- Block all malicious downloads
- Block dangerous downloads
- Block potentially dangerous downloads
- Block all downloads
- Click Save.
Using Group Policy
- Go to Policies
Administrative Templates
Google
Google Chrome.
- Enable Allow Download Restrictions.
- Set an option:
- No special restrictions
- Block all malicious downloads
- Block dangerous downloads
- Block potentially dangerous downloads
- Block all downloads
- Deploy the policy to your users.
In your Chrome configuration profile, add or update the following key and then deploy the change to your users.
Set the DownloadRestrictions key to <integer>value</integer>, where <value> is 0, 1, 2, 3, or 4.
Example code:
<key>DownloadRestrictions</key>
<dict>
<integer>1</integer>
</dict>
In your preferred JSON file editor, add or update a JSON file and then deploy the change to your users.
- Go to your etc/opt/chrome/policies/managed folder.
- Set the DownloadRestrictions key to 0, 1, 2, 3, or 4.
Example code:
{
"DownloadRestrictions": "1"
}