Chrome Enterprise release notes

Chrome Browser updates

• Chrome will warn about mixed content forms
  Web forms that load using HTTPS but submit their content using HTTP (unsecured) pose potential risk to user privacy. Chrome 85 and above shows a warning on such forms, letting the user know that the form is insecure. Chrome 88 will show an interstitial warning when the form is submitted, which stops any data transmission, so the user will be able to choose whether to proceed or cancel the submission. This was previously rolled out in Chrome 87 but was rolled back due to the way it interacted with redirects. It is being rolled out again in Chrome 88, but will only show warnings for forms that either submit directly to an http:// URL, or when a redirect to an http:// happens and the form data is exposed across the redirect. For example, 307 or 308 code redirects for POST method forms.
  
  
  
  
  
  You will be able to control this behavior using the InsecureFormsWarningsEnabled enterprise policy. To test this behavior before the rollout, use the Mixed Forms Interstitial Chrome flag.
   
• Improved resource consumption for background tabs
  To save on CPU load and prolong battery life, Chrome will limit the power consumption of background tabs. Specifically, Chrome will allow the timers in the background tabs to only run once per minute. Network event handlers are not affected, which allows sites like Gmail or Slack^® to continue delivering timely notifications in the background. Some users saw this feature in Chrome 87. It's now available to all users in Chrome 88.
  
  You will be able to control this behavior using the IntensiveWakeUpThrottlingEnabled policy.
   
• Insecure downloads are blocked from secure pages, with changes through Chrome 88
  In Chrome 88 on Windows^®, Mac^®, and Linux^®, downloads from insecure sources will no longer be allowed when started from secure pages. This change has been rolled out gradually, with different file types affected in different releases:

• Executables—Users were warned in Chrome 84, and files were blocked in Chrome 85.
• Archives—Users were warned in the Chrome developer console in Chrome 85, and files were blocked in Chrome 86.
• Other non-safe types, for example, PDFs—Users were warned in the Chrome developer console in Chrome 86, and files were blocked in Chrome 87.
• Other files—Users were warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.
  
  Warnings on Android will lag behind desktop warnings by one release. For example, executables showed a warning starting in Chrome 85.
  
  The existing InsecureContentAllowedForUrls policy can be used to allow specific URLs to download insecure files. You can read more details in our blog post.

• The new tab page allows users to complete previously started workflows
  The Chrome new tab page will show cards to help users return to searches and workflows that were already in progress, like searching for recipes or price comparisons. Users are able to control and remove these cards.
  
  These cards appeared for some users in Chrome 87, and are now included in Chrome 88. You can control these cards using the NTPCardsVisible policy. 
   
• Chrome introduces profiles for separating users or accounts
  Some users will be given the option to create a new Chrome profile and move their account over when they sign in to a profile where another account is already signed in. This allows different users to keep bookmarks, history, and settings separate. If a user signs in with an account that is already signed in to another profile, they’re offered to switch. Some users who have multiple profiles set up will see a profile picker on startup.
  
  You can control whether Chrome offers to create or switch profiles with the SigninInterceptionEnabled enterprise policy. In Chrome 89, you'll also be able to control the startup behavior for the profile picker with the ProfilePickerOnStartupAvailability enterprise policy.

  
  A wider release to more users is planned for a later release

• Certain features are available to users who have signed in without having to enable Chrome Sync 
  Some users who have signed into Chrome might be able to access and save payment methods and passwords stored in their Google Account without Chrome Sync being enabled.
  
  On Chrome on Android, you can control a user's access to payment methods using the AutofillCreditCardEnabled enterprise policy. You can control access to passwords on Chrome on desktop by either setting the SyncDisabled enterprise policy to disabled, or by including "passwords" in SyncTypesListDisabled.
   
• DTLS 1.0 has been removed
  DTLS 1.0, a protocol used in WebRTC for interactive audio and video, has been removed by default. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. You can test if any of your applications will be impacted by using the following command line flag when launching Chrome:
  
  --force-fieldtrials=WebRTC-LegacyTlsProtocols/Disabled/ 
  
  If your enterprise needs additional time to adjust, the WebRtcAllowLegacyTLSProtocols enterprise policy will be made available to temporarily extend the removal.
   
• Chrome supports manifest v3
  Chrome 88 supports extensions written in the new Manifest V3 format. Manifest V3 is a new platform that makes extensions more secure, performant, and privacy-respecting by default. There is no breaking change at this time; extensions using Manifest v2 will continue to function normally in Chrome 88.
   
• Chrome is launching an origin trial for detecting idle state
  An early origin trial allows websites to request the ability to query if users are idle, allowing messaging apps to direct notifications to the best device.
   

• Single words are no longer being treated as intranet locations by default

  By default, Chrome improves user privacy and reduces load on DNS servers by avoiding DNS lookups for single keywords entered into the address bar. This change may interfere with enterprises that use single-word domains in their intranet. For example, a user typing "helpdesk" will no longer be directed to "https://helpdesk/".

  You can control the behavior of Chrome using the IntranetRedirectBehavior enterprise policy, including preserving the existing behavior (value 3: Allow DNS interception checks and did-you-mean "http://intranetsite/" infobars.).

• Chrome introduces a new permission chip UI
  Permission requests can feel disruptive and intrusive when they lack context – which often happens when prompts appear as soon as a page loads or without prior priming. This leads to a common reaction where end users dismiss the prompt in order to avoid making a decision.
  
  Chrome now shows a less intrusive permissions chip in the address bar. Since the prompt doesn't intrude in the content area, users who don't want to grant the permission no longer need to actively dismiss the prompt. Users who wish to grant permission can click on the chip to bring up the permission prompt.
  
  
  
  
  This change will be rolled out gradually throughout Chrome 88.
   
• The Legacy Browser Support extension has been removed from the Chrome Web Store
  Legacy Browser Support (LBS) is built into Chrome, and the old extension is no longer needed. The Chrome team unpublished LBS from the Chrome Web Store in Chrome 85, and it is disabled in Chrome 88. Legacy Browser Support will still be supported, please migrate away from the extension and towards using Chrome's built-in policies, documented here. The old policies set through the extension will no longer function, and you won't be able to force install the extension once it's been disabled.
   
• Factor in scheme when determining if a request is cross-site (Schemeful Same-Site)
  Chrome 88 modifies the definition of same-site for cookies such that requests on the same registrable domain but across schemes will be considered cross-site instead of same-site. For example, http://site.example and https://site.example will be considered cross-site to each other which will restrict cookies using SameSite. For additional information please see the Schemeful Same-Site explainer. We recommend testing critical sites using the testing instructions.
  
  You may revert to the previous, legacy behavior, by using the LegacySameSiteCookieBehaviorEnabledForDomainList and LegacySameSiteCookieBehaviorEnabled policies. These policies will be available at least until Chrome 93, with the domain list planned to be available longer. For more details, including availability, please see Cookie Legacy SameSite Policies.
   
• Chrome 88 on Mac does not support OS X 10.10 (Yosemite)
  Chrome 88 does not support OS X 10.10 (OS X Yosemite). Chrome on Mac requires OS X 10.11 or later.
   
• Popup on page unload policy is no longer supported on Chrome 88
  The AllowPopupsDuringPageUnload enterprise policies have been removed in Chrome 88, as previously communicated. For any apps that rely on the legacy web platform behavior, be sure to update them immediately.
   
• Chrome treats an empty string as an unset policy on Android for some policies in Chrome 88
  To integrate better with mobile management UEMs, Chrome on Android will not set list or dictionary policies from empty strings.
   

• The BasicAuthOverHttpEnabled policy allows you to disable authentication over HTTP
  You can set the new BasicAuthOverHttpEnabled policy to disabled to disallow non-secure HTTP requests from using the Basic authentication scheme. If you do, only secure HTTPS will be allowed.

• The Chrome Cleanup Tool can reset Chrome shortcuts
  When users run the Chrome Cleanup Tool, it will modify command line flags within Chrome shortcuts. This helps users restore Chrome to a safe state if malware has inserted malicious command line flags into the shortcut.
  
  You can control the Chrome Cleanup Tool using the ChromeCleanupEnabled policy, which will prevent this behavior.
   
• Notifications will be suspended while presenting
  While Chrome is sharing a screen, web-notifications from Chrome will not show their content by default. They will be presented to the user after the screen sharing session ends or by manually revealing them via a notification action. Note that sharing a single window or tab does not affect the delivery of notifications from Chrome.
   
• The microphone is visible beside the address bar for some users on Android
  The microphone button is visible in the top UI bar of Chrome for some users on Android. Users can to ask the Google Assistant to read the current page, or translate it to another language.
  
  When users interact with the microphone button, the URL of the current page is shared with Google. You can control this feature using the AudioCaptureAllowed policy.
   
• Cloud Print is no longer supported
  The Google Cloud Print service is no longer supported on any Operating Systems.
  
  Chrome OS admins can select a print solution provider or migrate to the Chrome OS local and network printer solution. Admins of Windows^®, Mac_^®, and Linux_^® operating systems can use the respective OS print workflow or engage with a print solution provider. Learn more about Cloud Print migration. 
   
• Save to Drive is no longer supported
  Saving to Google Drive is no longer available from the Chrome print dialog on Mac^®, Windows^®, Linux^® devices. Users can instead install the Save to Drive Chrome extension which has been updated to include this feature or print locally to PDF then upload the file to Google Drive through drive.google.com and select New > File upload. You can also set up automatic syncing between local files and Google Drive with Backup and Sync or Drive File Stream. More details on printing from Chrome are available here. 
   

• FTP support has been removed
  Chrome 88 has removed support for FTP URLs. The legacy FTP implementation in Chrome no longer supports encrypted connections (FTPS), or proxies. Usage of FTP is very low, and more capable FTP clients are available on all affected platforms.
  
  More information is available here.

Chrome OS updates

• WebAuthn using Fingerprint & PIN
  Tired of typing long passwords? Chrome OS now lets you sign in to supported websites without having to type your passwords for that website, if you have set up a PIN or fingerprint on your Chromebook. This feature, called Web Authentication, makes use of established protocols to make authentication into website simpler and more secure. Your Chromebook PIN/fingerprint are never shared with the websites requesting verification from your Chromebook and you don't have to worry about malicious attackers phishing for your passwords to websites.  If your organization has U2F enabled, the Webauthn feature will not work; U2F will be supported in a future release.
   
• Autocorrect UI improvements
  For users with autocorrect enabled, we have improved the user interface with visual indications that autocorrects have happened, as well as new ways to undo them.
   
• Magnifier Focus Following and Keyboard Support
  Chrome OS Magnifier can now be panned using the keyboard. Use Ctrl + Alt and the arrow key to pan the viewport.
  
  
  
   
• Text app Screen Reader mode
  Text app now has a screen reader mode to support Chromevox users.
   
• Improved switching between virtual desks
  Switching between virtual desks with the keyboard and touchpad is now faster and more responsive. You can double or triple tap the <Search> + [ or <Search> + ] shortcut to move between multiple desks.
   
• Reverse Scrolling + Touchpad gesture consistency
  Touchpad gestures are now more consistent with your preference for Reverse Scrolling.
   
• Chrome OS Camera now saves to a new location
  Photos and videos captured with the Chrome OS Camera app will now get saved to a new Camera folder under My files. Any previously captured photos/videos will remain in your Downloads folder.

Admin console updates

• API for remote commands
  The Admin SDK Directory API now supports issuing remote commands to devices, including wipe users, remote powerwash, remote reboot (kiosk only), screenshot (kiosk only), and set volume (kiosk only). See the developer documentation for details.
   
• Filter Chrome devices by version
  The Chrome device list now supports filtering by Chrome version.  Now you can quickly check which devices are up to date or out of date.
   
• Bookmark Management improvements
  Admin Console has a new and improved bookmarks manager.  Enterprise admins can more easily create, delete, and move around hundreds or even thousands of bookmarks.  Details on the feature are described in the help center article.
   
• New summary report for Chrome versions
  Admin Console has a new version report that shows the number of managed browsers and devices on each Chrome version.  Details on the feature are described in the help center article.
   
• Group-based policy for printer management
  Group-based management is now available for printers. From the printers page, select a group, and then configure which printers are available to users in that group.
   
• Kerberos credential manager
  As an admin, you can now enable Kerberos tickets on Chrome devices to enable single sign-on (SSO) for internal resources that support Kerberos authentication. Internal resources might include websites, file shares, certificates, and so on. Details on the feature are described in the help center article.

Additional policies in the Admin console

Many new policies are available in the Admin console, including:

Policy name	Pages	Category/Field
AbusiveExperienceInterventionEnforce	User & Browser Settings Managed Guest Session Settings	Chrome Safe Browsing / Abusive Experience Intervention
AccessibilityImageLabelsEnabled	User & Browser Settings Managed Guest Session Settings	Accessibility / Image descriptions
AdsSettingForIntrusiveAdsSites	User & Browser Settings Managed Guest Session Settings	Chrome Safe Browsing / Sites with intrusive ads
AdvancedProtectionAllowed	User & Browser Settings	Security / Advanced Protection program
AuthAndroidNegotiateAccountType	User & Browser Settings	Network / Account type for HTTP Negotiate authentication / Account type
AutoOpenAllowedForURLs	User & Browser Settings Managed Guest Session Settings	Content / Auto open downloaded files / Auto open URLs
AutoOpenFileTypes	User & Browser Settings Managed Guest Session Settings	Content / Auto open downloaded files / Auto open files types
BackForwardCacheEnabled	User & Browser Settings	Content / Back-forward cache
BrowserNetworkTimeQueriesEnabled	User & Browser Settings	Other settings / Google time service
CACertificateManagementAllowed	User & Browser Settings	Security / User management of installed CA certificates
ClientCertificateManagementAllowed	User & Browser Settings	Security / User management of installed client certificates.
CommandLineFlagSecurity WarningsEnabled	User & Browser Settings	Security / Command-line flags
ContextualSearchEnabled	User & Browser Settings	User experience / Touch to search
DefaultFileSystemReadGuardSetting	User & Browser Settings Managed Guest Session Settings	Hardware / File system read access
DefaultFileSystemWriteGuardSetting	User & Browser Settings Managed Guest Session Settings	Hardware / File system write access
DefaultSerialGuardSetting	User & Browser Settings Managed Guest Session Settings	Hardware / Serial Port API / Control use of the Serial Port API
DefaultWebUsbGuardSetting	User & Browser Settings Managed Guest Session Settings	Hardware / WebUSB API / Can web sites ask for access to connected USB devices
DeviceAllowRedeemChromeOs RegistrationOffers	Device Settings	Other settings / Redeem offers through Chrome OS registration
DeviceQuirksDownloadEnabled	Device Settings	Other settings / Hardware profiles
DeviceShowLowDiskSpaceNotification	Device Settings	Other settings / Low disk space notification
DeviceWebBasedAttestation AllowedUrls	Device Settings	Sign-in settings / Single sign-on verified access / Whitelist of IdP redirect URLs
DNSInterceptionChecksEnabled	User & Browser Settings Managed Guest Session Settings	Network / DNS interception checks enabled
ExtensionCacheSize	Device Settings	Other settings / Apps and extensions cache size / Cache size in bytes
ExternalProtocolDialogShow AlwaysOpenCheckbox	User & Browser Settings	Content / Show "Always open" checkbox in external protocol dialog
FileSystemReadAskForUrls	User & Browser Settings Managed Guest Session Settings	Hardware / File system read access / Allow file system read access on these sites
FileSystemReadBlockedForUrls	User & Browser Settings Managed Guest Session Settings	Hardware / File system read access / Block read access on these sites
FileSystemWriteAskForUrls	User & Browser Settings Managed Guest Session Settings	Hardware / File system write access / Allow write access to files and directories on these sites
FileSystemWriteBlockedForUrls	User & Browser Settings Managed Guest Session Settings	Hardware / File system write access / Block write access to files and directories on these sites
GloballyScopeHTTPAuthCacheEnabled	User & Browser Settings Managed Guest Session Settings	Network / Globally scoped HTTP authentication cache
GSSAPILibraryName	User & Browser Settings	Network / GSSAPI library name / Library name or full path
HSTSPolicyBypassList	User & Browser Settings Managed Guest Session Settings	Network / HSTS policy bypass list / List of hostnames that will bypass the HSTS policy check
InsecureFormsWarningsEnabled	User & Browser Settings Managed Guest Session Settings	Content / Insecure forms
KerberosAccounts	User & Browser Settings	Kerberos / Kerberos tickets
KerberosEnabled	User & Browser Settings	Kerberos / Kerberos tickets
LookalikeWarningAllowlistDomains	User & Browser Settings Managed Guest Session Settings	Chrome Safe Browsing / Suppress lookalike domain warnings on domains / Allowlisted Domains
MaxConnectionsPerProxy	User & Browser Settings	Network / Max connections per proxy / Maximum number of concurrent connections to the proxy server
MaxInvalidationFetchDelay	User & Browser Settings Managed Guest Session Settings	Other settings / Policy fetch delay / Maximum fetch delay after a policy invalidation
NativeMessagingAllowlist	User & Browser Settings	User experience / Native Messaging allowed hosts / Native Messaging hosts not subject to the blocklist
NativeMessagingBlocklist	User & Browser Settings	User experience / Native Messaging blocked hosts / Prohibited Native Messaging hosts
NativeMessagingUserLevelHosts	User & Browser Settings	User experience / Native Messaging user-level hosts
NtlmV2Enabled	User & Browser Settings	Network / NTLMv2 authentication
OverrideSecurityRestrictions OnInsecureOrigin	User & Browser Settings Managed Guest Session Settings	Security / Override insecure origin restrictions / Origin or hostname patterns to ignore insecure origins security restrictions
PaymentMethodQueryEnabled	User & Browser Settings Managed Guest Session Settings	User experience / Payment methods
PrinterTypeDenyList	User & Browser Settings Managed Guest Session Settings	Printing / Blocked printer types
PrintRasterizationMode	User & Browser Settings	Printing / Print rasterization mode
RequireOnlineRevocationChecks ForLocalAnchors	User & Browser Settings Managed Guest Session Settings	Network / Require online OCSP/CRL checks for local trust anchors
SafeBrowsingForTrusted SourcesEnabled	User & Browser Settings	Chrome Safe Browsing / Safe Browsing for trusted sources
ShowAppsShortcutInBookmarkBar	User & Browser Settings	User experience / Apps shortcut in the bookmark bar
SignedHTTPExchangeEnabled	User & Browser Settings Managed Guest Session Settings	Network / Signed HTTP Exchange (SXG) support
SpellcheckEnabled	User & Browser Settings Managed Guest Session Settings	User experience / Spell check
SuppressUnsupportedOSWarning	User & Browser Settings Managed Guest Session Settings	Security / Unsupported system warning
UserFeedbackAllowed	User & Browser Settings Managed Guest Session Settings	User experience / Allow user feedback
WebRtcLocalIpsAllowedUrls	User & Browser Settings	Network / WebRTC ICE candidate URLs for local IPs / URLs for which local IPs are exposed in WebRTC ICE candidates.
WebUsbAskForUrls	User & Browser Settings Managed Guest Session Settings	Hardware / WebUSB API / Allow these sites to ask for USB access
WebUsbBlockedForUrls	User & Browser Settings Managed Guest Session Settings	Hardware / WebUSB API / Block these sites from asking for USB access
WPADQuickCheckEnabled	User & Browser Settings Managed Guest Session Settings	Network / WPAD optimization

New and updated policies (Chrome Browser and Chrome OS)

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• Facilitated version pinning for self-hosted extensions & apps in Chrome 89

  To increase the stability in high-reliability environments, Chrome 89 facilitates the pinning of extensions and apps to a specific version. Administrators will be able to self-host the extension or app of their choice, and instruct Chrome to use the update URL from the extension forcelist instead of the extension manifest. This will be via a new boolean parameter in ExtensionSettings policy. As a result, extensions & apps will not be updated via the updateURL that was originally configured in their manifest, and will stay on one specific version.

• Users will be able to search open tabs in Chrome 89
  Users will be able to search for open tabs across windows, as shown in this screenshot:
  
  

• Chrome 89 will introduce privacy-preserving APIs to replace some of the functionality of third-party cookies
  An interest-based targeting API will be introduced as an origin trial. This API allows working with cohorts—groups of users with similar interests. Users cannot be individually identified.
  
  An event-level conversion API will continue in origin-trial stage for Chrome 89 This API enables the correlation of an ad click on a website with a subsequent conversion on an advertiser site, such as a sale, a sign-up, and so on. Users cannot be individually identified.
  
  See the chromium privacy sandbox page for details on these APIs and the privacy sandbox.
   
• Some permission requests will be less intrusive in Chrome 89
  Permission requests that the user is unlikely to allow will be automatically blocked. A less intrusive UI will allow the user to manage permissions for each site.
  
  

• Chrome 89 will require SSE3 for Chrome on x86
  Chrome 89 and above will require x86 processors with SSE3 support. This change does not impact devices with non-x86 (ARM) processors. Chrome will not install and run on x86 processors that do not support SSE3. SSE3 was introduced on Intel CPUs in 2003, and on AMD CPUs in 2005.
   
• Chrome 89 will prefer https to http when not specified in the address bar
  When a user types an address into the address bar without specifying the protocol, Chrome will attempt to navigate using https first, then fallback to http if https is not available. For example, if the user navigates to google.com, Chrome will first attempt to navigate to https://google.com, then fallback to http://google.com if required.
  
  This change is planned for Windows, Mac, Linux, and Android in Chrome 89, and in Chrome 90 for iOS.
   
• Chrome 89 will introduce the Serial API
  The Serial API provides a way for websites to read and write from a serial device through script. You can read an explainer on the Serial API here.
  
  You will be able to control access to the Serial API using the DefaultSerialGuardSetting policy. You can also use the SerialAskForUrls and SerialBlockedForUrls policies to control serial device access on a site-by-site basis.

• Insecure public pages will no longer allowed to make requests to private or local URLs in Chrome 91
  Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You will be able to control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
   
• Chrome will maintain its own default root store as early as Chrome 92
  In order to improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own certificate authority, you should not have to manage multiple root stores. We do not anticipate any changes to be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.
   
• The address bar might show the domain rather than the full URL as early as Chrome 90
  To protect your users from some common phishing strategies, Chrome will test showing only the domain in the address bar for some users. This change makes it more difficult for malicious actors to trick users with misleading URLs. For example, https://example.com/secure-google-sign-in/ will appear only as example.com to the user.
  
  Although this change is designed to keep your users’ credentials safe, you can revert to the old behavior through the ShowFullUrlsInAddressBar policy.
  
  This change has been enabled for some users, with a potential full rollout in a later release.
   
• The SSLVersionMin policy will not allow TLS 1.0 or TLS 1.1 in Chrome 91
  The SSLVersionMin enterprise policy allows you to bypass Chrome's interstitial warnings for legacy versions of TLS. This will be possible until Chrome 91 (May 2021), then the policy will no longer allow TLS 1.0 or TLS 1.1 to be set as the minimum.
  
  We previously communicated that this would happen as early as January 2021, but the deadline has since been extended.
   
• SyncXHR policy will no longer be supported on Chrome 93
  The AllowSyncXHRInPageDismissal enterprise policy will be removed in Chrome 93. For any apps that rely on the legacy web platform behavior, be sure to update them before Chrome 93. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications.

Important: Adobe will no longer update and distribute Flash Player after December 31, 2020. Therefore, after this date, all versions of Chrome will stop supporting Flash content. Pinning to or keeping an earlier version of Chrome through any other mechanism, will not prevent this change.

You can read more about Adobe's plans to discontinue Flash player and your options in Adobe's blog post. Adobe is working with HARMAN, their exclusive licensing/distribution partner, to provide support for Flash Player in legacy browsers.

Chrome Browser updates

• Google Cloud Print will no longer be supported after December 31, 2020
  As of January 1, 2021 Google Cloud Print will no longer be supported on Chrome. You can continue to use the Windows^®, Mac^®, and Linux^® operating system print solutions or engage with a print solution provider. Chrome OS admins can select a print solution provider or migrate to the Chrome OS local and network printer solution. Learn more about Cloud Print migration.

• Saving to Google Drive will no longer be available from the print dialog after December 31, 2020

  Mac^®, Windows^®, Linux^® devices and Chrome Browser will no longer be able to save directly to Google Drive from the print dialog, starting on January 1, 2021. Users can instead print locally to PDF then upload the file to Google Drive through drive.google.com and select NewFile upload. You can also set up automatic syncing between local files and Google Drive with Backup and Sync or Drive File Stream. More details on printing from Chrome are available here.

  Chrome OS has a new way of saving to Google Drive. See the Chrome OS section below for more information.

• Legacy Browser Support might be affected by IE + Edge redirection

  Starting in November, Microsoft Edge^® might enable automatic redirection from Internet Explorer to Microsoft Edge^® for specific URLs. If you're using Legacy Browser Support, this might interfere with your existing setup. You can disable the redirection by setting the Microsoft Edge^® policy RedirectSitesFromInternetExplorerRedirectMode to 0.

• Improved resource consumption for background tabs

  To save on CPU load and prolong battery life, Chrome limits the power consumption of background tabs. Specifically, Chrome allows the timers in the background tabs to only run once per minute. Network event handlers are not affected, which allows sites like Gmail or Slack^® to continue delivering timely notifications in the background. Some users will see this feature in Chrome 87, with a wider release planned for Chrome 88.

  You will be able to control this behavior using the IntensiveWakeUpThrottlingEnabled policy.

• Updated PDF viewer

  Chrome has updated PDF viewer to include toolbar updates, table of contents, thumbnails, two-up view, and the ability to view annotations.

• Users can sign into the browser when they sign into Google web services

  When users sign into a Google web service while using an Android device, Chrome offers for them to sign in with the Google account already signed in on the device. Signing into Chrome doesn’t turn on sync; that’s a separate, optional step.

  This simplifies Android sign-in, makes the feature more consistent with Chrome on desktop, and provides signed-in users access to features without sync enabled. For example, click-to-call.

  You can control this feature with the BrowserSignin enterprise policy.

• Certain features are available to users who have signed in without having to enable Chrome Sync

  Users who have signed into Chrome might be able to access and save payment methods and passwords stored in their Google Account without Chrome Sync being enabled.

  You can control users' access to payment methods on Chrome on Android using the AutofillCreditCardEnabled enterprise policy. You can control access to passwords on Chrome on desktop by either setting the SyncDisabled enterprise policy to disabled, or by including "passwords" in SyncTypesListDisabled.

• Enhanced Safe Browsing

  Users will be prompted to consider enabling Enhanced Safe Browsing in Chrome, which provides better protection against phishing attacks. These prompts will show up on security warning interstitials and the new tab page, but only if you are not setting either of the SafeBrowsingProtectionLevel or SafeBrowsingEnabled policies. If one of these policies is set, your users can't change the setting and will not see any prompts to do so.

• The new tab page allows users to complete previously started workflows

  The Chrome new tab page will show cards to help users return to searches and workflows that were already in progress, like searching for recipes or price comparisons. Users are able to control and remove these cards.

  They appear for some users in Chrome 87, but a wider rollout, by way of policy, is planned for a later release.

• Chrome warns about mixed content forms

  Web forms that load using HTTPS but submit their content using HTTP (unsecured) pose potential risk to user privacy. Chrome 85 shows a warning on such forms, letting the user know that the form is insecure. Chrome 87 shows an interstitial warning when the form is submitted, which stops any data transmission, so the user will be able to choose whether to proceed or cancel the submission. This was previously planned for Chrome 86 but the rollout was delayed and is now available in Chrome 87.

  

  
  You will be able to control this behavior using the InsecureFormsWarningsEnabled enterprise policy.

• Insecure downloads are blocked from secure pages, with changes through Chrome 88

  By Chrome 88, downloads from insecure sources will no longer be allowed when started from secure pages. This change will be rolled out gradually, with different file types affected in different releases:
  
   

• Executables—Users were warned in Chrome 84, and files will be blocked in Chrome 85.
• Archives —Users will be warned in the Chrome developer console in Chrome 85, and files will be blocked in Chrome 86.
• Other non-safe types (For example, PDFs)—Users will be warned in the Chrome developer console in Chrome 86, and files will be blocked in Chrome 87.
• Other files—Users will be warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.
  
  Warnings on Android will lag behind computer warnings by one release. For example, executables showed a warning starting in Chrome 85.
  
  The existing InsecureContentAllowedForUrls policy can be used to allow specific URLs to download insecure files. You can read more details in our blog post.

• Introducing more inclusive policy names

  Chrome is moving to more inclusive policy names. The terms "whitelist" and "blacklist" have been replaced with "allowlist" and "blocklist". If you're already using the existing policies, they will continue to work, though you will see warnings in chrome://policy stating that they're deprecated.

  The following policies have been deprecated, and equivalent policies are now available in Chrome 87 and 88. The deprecated policies will continue to work, and there is not yet any removal date planned. Future plans to remove the policies will be published in the enterprise release notes once confirmed.

  Deprecated Policy Name	New Policy Name	Version
  DeviceNativePrintersBlacklist	DevicePrintersBlocklist	87
  DeviceNativePrintersWhitelist	DevicePrintersAllowlist	87
  DeviceNativePrintersAccessMode	DevicePrintersAccessMode	87
  DeviceNativePrinters	DevicePrinters	87
  UsbDetachableWhitelist	UsbDetachableAllowlist	87
  QuickUnlockModeWhitelist	QuickUnlockModeAllowlist	87
  AttestationExtensionWhitelist	AttestationExtensionAllowlist	87
  DeviceUserWhitelist	DeviceUserAllowlist	87
  PrintingAPIExtensionsWhitelist	PrintingAPIExtensionsAllowlist	87
  AllowNativeNotifications	AllowSystemNotifications	88

   

• Chrome Actions allow the user to accomplish tasks directly from the address bar

  Some Chrome users will be able take actions directly from the address bar, like clearing browsing data, using a button that appears among auto-complete suggestions. A wider rollout is planned for a later release.

• Chrome will support remote commands from Chrome Browser Cloud Management in the future

  Admins using Chrome Browser Cloud Management will soon be able to issue remote commands to enrolled Chrome Browsers, for example remotely clearing cache and cookies. Although the functionality will come to the Admin console in the future, support for this set of features will be added in Chrome 87.

• The CORB/CORS allowlist has been removed

  Chrome has removed the CORB/CORS allowlist in Chrome 87. Please test Chrome extensions that your business depends on to make sure they work with the new behavior.

  Please test Chrome 87.0.4266.0 or later versions of Chrome and run through critical workflows using your extension. Watch for fetches or XHRs that are initiated by content scripts and blocked by CORB or CORS. Some typical error messages are shown below:

  • Cross-Origin Read Blocking (CORB) blocked cross-origin response <URL> with MIME type <type>. See https://www.chromestatus.com/feature/5629709824032768 for more details.

  • Access to fetch at 'https://another-site.com/' from origin 'https://example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
    
    If the extension's content scripts create requests that don’t work when Chrome is launched with the chrome://flags listed above, then make sure you keep the extension updated so that it continues to work in Chrome 87 and above. In particular, the extensions must be updated to initiate cross-origin fetches from the extension background page (instead of from a content script).
    
    For more details see: https://www.chromium.org/Home/chromium-security/extension-content-script-fetches

• The Chrome Web Store displays more privacy-focused information for extension

  The Chrome Web Store provides more information to users about how an extension uses their data, including authentication information, personally identifiable information, and user activity.

  Developers are required to provide privacy disclosures regarding their data collection and usage. This is mandatory for every update and publishing of extensions.

Chrome OS updates

• Devices have a new way of saving to Google Drive

  The Save to Drive feature has been expanded upon, users can now rename the file or save the file to a specified Google Drive folder location.

• Switch Access

  For users with motor impairments who are unable to use a traditional mouse or keyboard, Switch Access lets you interact with your Chrome OS Device using one or more switches. Switch Access works by scanning the items on your screen until you make a selection. Ablenet, one of the top producers of switch devices, is now in our Works with Chromebooks program, as well.

• Tab Search

  Tab Search lets users search through their open tabs across all windows. This feature is currently available in Chrome OS 87 and will be available for Mac^® and Windows^® in Chrome OS 88.

• Bluetooth battery levels

  Users can now view their connected Bluetooth peripheral battery levels in Settings and Quick Settings.
  
   

• Coexistence of Multiple sign-in access and policy-provided custom trust anchors for TLS

  Starting in Chrome OS 87, the coexistence of Multiple sign-in access and policy-provided custom trust anchors for TLS is no longer blocked. If trust anchors are configured, they will be applied to the primary user account. As a result, users can switch faster between accounts in managed environments that require trust roots.

• Language settings improvement for multilingual users

  Language settings can get extremely confusing if you are bilingual or multilingual. In Chrome OS 87, we have updated the user experience to address the needs of multilingual users.   

• More interactive Alt+Tab

  When using Alt+Tab to switch between windows, you can now select a window with your mouse, touch screen, or stylus.

• Renaming Virtual Desks & Launcher folders

  In Chrome OS 87, you will see visual improvements for the Virtual Desk renaming component. The visual improvements will also apply to folders in the Launcher as they use the same component.

• Zero-touch enrollment

  Admins can configure devices to automatically enroll during the device setup process without requiring a user to invoke enterprise enrollment. More details can be found here.

Admin console updates

• Website icons and titles now display in the Admin console and Kiosk devices

  In the Admin console, web apps that have been added under Apps & extensions now display the website's icon and title. In Kiosk devices, the website icons and titles are also displayed in the list of Kiosk web apps.
  
  

• Restrict access to VPN (openVPN and L2TP)

  Admins can now add VPN to the list of Restricted Network Interfaces in the Admin console. This prevents users from connecting to OS-supported VPN options (openVPN and L2TP). Any third-party VPNs will need to be blocked through application management policies.

• Additional policies in the Admin console

  Many new policies are available in the Admin console, including:

  Policy control	Admin console location	Description
  Emoji suggestions	User & browser settingsUser experienceEmoji suggestions	This policy enables Google Chrome to suggest emojis when users type text with their virtual or physical keyboards.
  URLs in the address bar	User & browser settingsUser experienceURLs in the address bar	This feature enables display of the full URL in the address bar.
  Audio sandbox	User & browser settingsSecurityAudio sandbox	This policy controls the audio process sandbox.
  Browser guest mode	User & browser settingsUser experienceBrowser guest mode	This policy controls guest logins.
  PIN auto-submit	User & browser settingsSecurityPIN auto-submit	The PIN auto-submit feature changes how PINs are entered in Chrome OS. Instead of showing the same textfield that is used for password input, this feature shows a special UI that clearly shows to the user how many digits are necessary for their PIN. As a consequence, the user's PIN length will be stored outside the user encrypted data. Only supports PINs that are between 6 and 12 digits long.
  Variations	Device SettingsDevice update settingsVariations	Configuring this policy allows to specify which variations are allowed to be applied on an enterprise-managed Google Chrome OS device.
  Single sign-on verified access	Device SettingsSign-in settingsSingle sign-on verified access	This policy configures which URLs will be granted access to use remote attestation of device identity during the SAML flow on the sign-in screen.

• New and updated policies (Chrome Browser and Chrome OS)

  Policy	Description
  MediaRecommendationsEnabled	Enable Media Recommendations
  WebRtcAllowLegacyTLSProtocols	Allow legacy TLS/DTLS downgrade in WebRTC

Coming soon

Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• Single words will not be treated as intranet locations by default in Chrome 88

  By default, Chrome will improve user privacy and reduce load on DNS servers by avoiding DNS lookups for single keywords entered into the address bar. This change might interfere with enterprises that use single-word domains in their intranet. That is, a user typing "helpdesk" will no longer be directed to "https://helpdesk/".
  
  You will be able to control the behavior of Chrome using the IntranetRedirectBehavior enterprise policy, including preserving the existing behavior (which will perform a search immediately and then ask the user if they're trying to reach the intranet site).

• Chrome will introduce a new permission chip UI in Chrome 88

  Permission requests can feel disruptive and intrusive when they lack context – which often happens when prompts appear as soon as a page loads or without prior priming. This leads to a common reaction where end users dismiss the prompt in order to avoid making a decision.

  Chrome will begin showing a less intrusive permissions chip in the address bar. Since the prompt doesn't intrude in the content area, users who don't want to grant the permission no longer need to actively dismiss the prompt. Users who wish to grant permission can click on the chip to bring up the permission prompt.

  This change will be rolled out gradually throughout Chrome 88.

• Factor in scheme when determining if a request is cross-site (Schemeful Same-Site) in Chrome 88

  Chrome 88 will modify the definition of same-site for cookies such that requests on the same registrable domain but across schemes will be considered cross-site instead of same-site. For example, http://site.example and https://site.example will be considered cross-site to each other which will restrict cookies using Same-Site. For additional information please see the Schemeful Same-Site explainer. We recommend testing critical sites using the testing instructions.

  You may revert to the previous legacy behavior by using the LegacySameSiteCookieBehaviorEnabledForDomainList and LegacySameSiteCookieBehaviorEnabled policies. These policies will be available at least until Chrome 93. For more details, including availability, please see Cookie Legacy SameSite Policies.

• Chrome 88 on Mac^® will not support OS X 10.10 (Yosemite)

  Chrome 88 will not support OS X 10.10 (OS X Yosemite). Chrome on Mac^® will require OS X 10.11 or later.

• Popup on page unload policy will no longer be supported on Chrome 88

  The AllowPopupsDuringPageUnload enterprise policies will be removed in Chrome 88, as previously communicated. For any apps that rely on the legacy web platform behavior, be sure to update them before Chrome 88.

• The Legacy Browser Support extension will be removed from the Chrome Web Store in Chrome 88

  Legacy Browser Support (LBS) is built into Chrome, and the old extension is no longer needed. The Chrome team unpublished LBS from the Chrome Web Store in Chrome 85, and it will be disabled in Chrome 88. Legacy Browser Support will still be supported, please migrate away from the extension and towards using Chrome's built-in policies, documented here.  The old policies set through the extension will no longer function, and you won't be able to force install the extension once it's been disabled.

• Chrome will treat an empty string as an unset policy on Android for some policies in Chrome 88

  To integrate better with mobile management UEMs, Chrome on Android will not set list or dictionary policies from empty strings.

• Users will be able to search open tabs in Chrome 88

  Users will be able to search for open tabs across windows, as shown in this screenshot:
  
  

• The address bar will show the domain rather than the full URL in Chrome 88

  To protect your users from some common phishing strategies, Chrome will show only the domain in the address bar. This change makes it more difficult for malicious actors to trick users with misleading URLs. For example, https://example.com/secure-google-sign-in/ will appear only as example.com to the user.
  
  Although this change is designed to keep your users’ credentials safe, you can revert to the old behavior through the ShowFullUrlsInAddressBar policy.
  
  This change has been enabled for some users, with a full rollout planned for an upcoming release.

• DTLS 1.0 will be removed in Chrome 88

  DTLS 1.0, a protocol used in WebRTC for interactive audio and video, will be removed by default. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. You can test if any of your applications will be impacted using the following command line flag when launching Chrome:

  --force-fieldtrials=WebRTC-LegacyTlsProtocols/Disabled/ 

  If your enterprise needs additional time to adjust, the WebRtcAllowLegacyTLSProtocols enterprise policy will be made available to temporarily extend the removal.

• Chrome 88 will launch an origin trial for detecting idle state

  An early origin trial will allow websites to request the ability to query if users are idle, allowing messaging apps to direct notifications to the best device.

• Chrome 89 will require SSE3 for Chrome on x86

  Chrome 89 and above will require x86 processors with SSE3 support. This change does not impact devices with non-x86 (ARM) processors. Chrome will not install and run on x86 processors that do not support SSE3. SSE3 was introduced on Intel CPUs in 2003, and on AMD CPUs in 2005.

• Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 89

  Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You will be able to control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.

• The SSLVersionMin policy will not allow TLS 1.0 or TLS 1.1 in Chrome 91

  The SSLVersionMin enterprise policy allows you to bypass Chrome's interstitial warnings for legacy versions of TLS. This will be possible until Chrome 91 (May 2021), then the policy will no longer allow TLS 1.0 or TLS 1.1 to be set as the minimum.

  We previously communicated that this would happen as early as January 2021, but the deadline has since been extended.

• Chrome will maintain its own default root store as early as Chrome 90

  In order to improve user security, and provide a consistent experience across different platforms, Chrome intends to maintain its own default root store. If you are an enterprise admin managing your own certificate authority, you should not have to manage multiple root stores. We do not anticipate any changes to be required for how enterprises currently manage their fleet and trusted enterprise CAs, such as through group policy, macOS Keychain Access, or system management tools like Puppet.

• SyncXHR policy will no longer be supported on Chrome 93

  The AllowSyncXHRInPageDismissal enterprise policy will be removed in Chrome 93. For any apps that rely on the legacy web platform behavior, be sure to update them before Chrome 93. This change was previously planned for Chrome 88, but delayed to provide more time for enterprises to update legacy applications.

Upcoming Admin console changes

• New Version Report and Update Controls

  There will be a new Version Report and Update Controls available in the Admin console. These features give increased visibility into the Chrome versions deployed in your enterprise and allows you to more granularly control how managed Chrome browsers update. If you would like to sign up to be a Trusted Tester for these features, enter your test domain and a contact email into this form.

Important: Adobe will no longer update and distribute Flash Player after December 31, 2020. Therefore, after this date, all versions of Chrome will stop supporting Flash content. You can read more about Adobe's plans to discontinue Flash player and your options in Adobe's blog post. Adobe is working with HARMAN, their exclusive licensing/distribution partner, to provide support for Flash Player in legacy browsers.

Chrome Browser updates

• Insecure downloads will be blocked from secure pages in Chrome 84 through Chrome 88 
  By Chrome 88, downloads from insecure sources will no longer be allowed when started from secure pages. This change will be rolled out gradually, with different file types affected in different releases:

   

• Executables—Users were warned in Chrome 84, and files will be blocked in Chrome 85.
• Archives —Users will be warned in the Chrome developer console in Chrome 85, and files will be blocked in Chrome 86.
• Other non-safe types (For example, PDFs)—Users will be warned in the Chrome developer console in Chrome 86, and files will be blocked in Chrome 87.
• Other files—Users will be warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.

• Other files—Users will be warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.

Warnings on Android will lag behind computer warnings by one release. For example, executables will show a warning starting in Chrome 85.

The existing InsecureContentAllowedForUrls policy can be used to allow specific URLs to download insecure files. You can read more details in our blog post.

• New lookalikes policy and request flow

  Chrome is introducing a new "safety tip" for sites with URLs that look very similar to those of other sites. This UI, as well as the existing lookalike interstitial warning, uses client-side heuristics to warn users about sites that might be spoofing other sites (For example, goog0le.com spoofing google.com):

  

  
  Chrome is adding the LookalikeWarningAllowlistDomains enterprise policy to give you control of this behavior. This policy suppresses both the full-page interstitial warning and the smaller "safety tip" in the domains indicated.
  
  In addition, if you think a site is triggering a warning incorrectly, you can file a request here.

• Improved resource consumption when a window is not visible

  To save on CPU and power consumption, Chrome detects when a window is covered by another window and will suspend work painting pixels. A previous version of this feature had incompatibility issues with some virtualization software, resulting in Chrome rendering blank white pages. Known bugs have been fixed, but if you experience any issues, you will be able to disable this feature using the NativeWindowOcclusionEnabled policy.

  Some users have already seen this change since Chrome 85, however this feature is fully rolled out in Chrome 86.

• User-Agent Client Hints is fully rolled out in Chrome 86

  As part of an ongoing effort to reduce the ability of bad actors to track users, Chrome plans to reduce the granularity of information that is part of the user agent string and expose that information through User-Agent Client Hints. In Chrome 84, we introduced User-Agent Client Hints for some users. This is an additional change only, and should not have any negative effect when interacting with any standards-compliant server.

  However, some servers may not be able to accept all characters in the User-Agent Client Hints headers as part of the broader Structured Headers  emerging standard. If the addition of this header causes problems with servers that can't be fixed quickly, you will be able to use the UserAgentClientHintsEnabled policy to disable the added headers.

  This is a temporary policy that will be removed in Chrome 88.

• Chrome warns about mixed content forms

  Web forms that load via HTTPS but submit their content via HTTP (unsecured) pose a potential risk to users' privacy. Chrome 85 showed a warning on such forms, telling the user that the form is insecure. Chrome 86 shows an interstitial warning when the form is submitted, which stops any data transmission, and the user is able to choose whether to proceed or cancel the submission.

     You are able to control this behavior using the InsecureFormsWarningsEnabled enterprise policy.

• The address bar shows the domain rather than the full URL for some users

  To protect your users from some common phishing strategies, Chrome shows only the domain in the address bar. This change makes it more difficult for malicious actors to trick users with misleading URLs. For example, https://example.com/secure-google-sign-in/ will appear only as example.com to the user.

  Although this change is designed to keep your users’ credentials safe, you are now able to revert to the old behavior through the ShowFullUrlsInAddressBar policy.

  This change is initially only rolled out to some users, however a full rollout is planned for a later release.

• Chrome has a new way to show you it’s time to update your browser

  To make it more clear that Chrome should be restarted to apply an update, users will see a new UI, with the word "Update," replacing the colored arrow that users see today.

• Chrome extensions are not able to inject Flash content settings

  Extensions will not be able to inject content settings for Flash. If you're using an extension to control Flash behavior in Chrome, you should instead use PluginsAllowedForUrls. Otherwise, users will see the default Flash behavior, which will require them to allow Flash to run on each site.

• The Chrome Browser Cloud Management - Reporting Companion extension no longer functions

  The Chrome Browser Cloud Management - Reporting Companion extension ID, oempjldejiginopiohodkdoklcjklbaa is no longer necessary, as its functionality has been integrated into Chrome browser. If you are manually force-installing this extension, you can safely stop doing so. Please ensure that you've set "Enable managed browser cloud reporting" in the admin console instead.

• The TLS13HardeningForLocalAnchorsEnabled enterprise policy no longer functions

  As documented in the policy description, support for the TLS13HardeningForLocalAnchorsEnabled enterprise policy will be removed in Chrome 86. As a result, the security feature will be enabled for all users, protecting your environment from certain TLS downgrade attacks. 

  The policy was introduced as a temporary measure to mitigate implementation flaws with some TLS-intercepting proxies. If you had previously set this policy to take advantage of the migration period, please ensure your TLS-intercepting policies are up to date and compliant. You can test Chrome by ensuring it works without this policy set.

• More inclusive policy names are introduced

  Chrome is moving to more inclusive policy names. The terms "whitelist" and "blacklist" have been replaced with "allowlist" and "blocklist". If you're already using the existing policies, they will continue to work, though you will see warnings in chrome://policy stating that they're deprecated.

  The following policies will be deprecated (but will still work), and equivalent policies will be introduced for each:

  Deprecated Policy Name	New Policy Name	Version
  NativeMessagingBlacklist	NativeMessagingBlocklist	86
  NativeMessagingWhitelist	NativeMessagingAllowlist	86
  AuthNegotiateDelegateWhitelist	AuthNegotiateDelegateAllowlist	86
  AuthServerWhitelist	AuthServerAllowlist	86
  SpellcheckLanguageBlacklist	SpellcheckLanguageBlocklist	86
  AutoplayWhitelist	AutoplayAllowlist	86
  SafeBrowsingWhitelistDomains	SafeBrowsingAllowlistDomains	86
  ExternalPrintServersWhitelist	ExternalPrintServersAllowlist	86
  NoteTakingAppsLockScreenWhitelist	NoteTakingAppsLockScreenAllowlist	86
  PerAppTimeLimitsWhitelist	PerAppTimeLimitsAllowlist	86
  URLWhitelist	URLAllowlist	86
  URLBlacklist	URLBlocklist	86
  ExtensionInstallWhitelist	ExtensionInstallAllowlist	86
  ExtensionInstallBlacklist	ExtensionInstallBlocklist	86
  UserNativePrintersAllowed	UserPrintersAllowed	86
  NativePrinters	Printers	86
  NativePrintersBulkConfiguration	PrintersBulkConfiguration	86
  NativePrintersBulkAccessMode	PrintersBulkAccessMode	86
  NativePrintersBulkBlacklist	PrintersBulkBlocklist	86
  NativePrintersBulkWhitelist	PrintersBulkAllowlist	86
  DeviceNativePrintersBlacklist	DevicePrintersBlocklist	87
  DeviceNativePrintersWhitelist	DevicePrintersAllowlist	87
  DeviceNativePrintersAccessMode	DevicePrintersAccessMode	87
  DeviceNativePrinters	DevicePrinters	87
  UsbDetachableWhitelist	UsbDetachableAllowlist	87
  QuickUnlockModeWhitelist	QuickUnlockModeAllowlist	87
  AttestationExtensionWhitelist	AttestationExtensionAllowlist	87
  DeviceUserWhitelist	DeviceUserAllowlist	87

Chrome OS updates

• Family Link and school account support for Android apps

  Enables Family Link users to sign in to Android apps like Google Classroom using a school account to do schoolwork under parent supervision.

• Smartcard support on the login screen

  As an admin, you can enable users to sign in using smart cards on the managed Chrome devices in your organization. The solution builds upon SAML SSO identity providers (IdP) that supports smart cards. Learn more.

• Guide Parents to Set Up Devices for Children during OOBE/Add Person flow

  Simplifies device setup for families that want to create parental controls for their kids on Chromebooks.

• Redesigned Update Screen during OOBE

  The update page during OOBE has been redesigned to include time/battery estimates and a progress tracker so users don't have to sit in front of the computer while it updates. We have also included educational cards on the screen; users who choose to wait in front of the computer or choose to check in during the update will learn more about the unique values that Chrome OS offers.   

• Option to view password/PIN on start screen and lock screen

  Have a long password that you often type incorrectly? Need to refer to a password manager on your phone to log into your Chromebook? This is now easier as the login screen has a new button to let you review your password/PIN. Simply click the eye-shaped icon to show password/PIN in clear text, review or compare with your password manager, and then submit. For security, we will turn the clear text into ***** after 5 seconds of inactivity and clear the entire input after 30 seconds of inactivity.

• Display Identification on multi-monitor setups

  Managing multiple displays on Chrome OS has never been easier. We improved the ability for users to quickly identify which tab in the Display settings corresponds to a user's external display, and we've made it easier to align displays via a first-of-its-kind alignment overlay. These options are available for anyone using 2 or more displays.    

• Autocorrect UI improvements

  For users with autocorrect enabled, we have improved the user interface with visual indicators which let you know that autocorrects have happened, as well as a new visual way to undo them.

• Linux upgrade flow to Debian 10

  If you have been using Linux (Beta) with Debian 9, you will now see an option to upgrade to Debian 10. You can start the upgrade at any time by going to Linux settings.

• Virtual machine USB support beyond Android devices

  You can now use more types of devices with Linux (Beta), including Arduino and EdgeTPU. Attach a device to your Chromebook and share it through Linux settings.

Admin console updates

• Website icons and names on the Apps & extensions configuration page

  Websites will now display their name and icon in addition to the URL in the Admin console.  Admins can search by either name or URL to find websites.  This change does not affect how website shortcuts display on the Chrome OS shelf.

• Flash deprecation warnings

  Flash Player will no longer be supported after December 2020 (roadmap). The Admin console no longer allows the configuration of Flash using wildcards. There are also additional reminders about the upcoming deprecation.

• Always-on VPN for Android

  Always-on VPN allows you to specify an Android VPN app that handles Android and Chrome OS user traffic as soon as users start their devices. For security reasons, virtual private networks (VPNs) don’t apply to system traffic such as OS and policy updates. If the VPN connection fails, all user traffic is blocked until the VPN connection is re-established.

• Remotely factory reset a managed device

  You can now perform a full remote factory reset for managed devices, which can be useful for deprovisioning a device for RMA, clearing data on a disabled device that has been misplaced or stolen, and clearing data for troubleshooting purposes.  

  Note: After a device has been factory reset, it must go through the initial setup again.  For a lighter touch reset, you can clear a user’s profile instead.

• Device-level system log export

  This feature extends existing kiosk functionality to any managed device, allowing you to remotely capture device-level system log files. Once the LogUploadEnabled policy is enabled, you can manually request and download logs directly from the device details page, and fetch them through the Chrome Directory API.

• Additional policies in the Admin console

  Many new policies are available in the Admin console, including:

  Policy control	Admin console location	Description
  Metrics reporting	User & browser settingsOther settingsMetrics reporting	Controls anonymous reporting of usage and crash-related data about Google Chrome to Google.
  External extensions	Apps & extensionsAdditional application settingsExternal extensions	Controls installation of external extensions
  Chrome Cleanup	User & browser settingsSecurityChrome Cleanup	Controls whether Chrome Cleanup periodically scans the system for unwanted software on browsers enrolled with Chrome Browser Cloud Management on Windows.
  Disabled system features	User & browser settingsUser experienceDisabled system features	Controls whether users can access the camera, OS settings, and browser settings on Chrome OS devices
  Privacy screen on sign-in screen	Device settingsSign-in settingsPrivacy screen on sign-in screen	Controls whether the privacy screen is enabled on devices supporting an electronic privacy screen
  Disk cache size	User & browser settingsOther settingsDisk cache size	Controls the cache size used by Chrome browser
  PDF files	User & browser settingsContentPDF files	Controls whether PDF files open in Chrome or using the system default application
  Suggested content	User & browser settingsUser experienceSuggested content	Enables suggestions for new content to explore on Chrome OS. Includes apps, webpages, and more.  This policy is disabled by default for managed users
  Default browser check	User & browser settingsStartupDefault browser check	Controls whether Chrome checks if it is the default browser at startup
  Background mode	User & browser settingsOther settingsBackground mode	Controls whether Chrome keeps running when the last browser window is closed, allowing background apps to remain active
  Third party code	User & browser settingsSecurityThird party code	Controls whether third party software will be allowed to inject executable code into Chrome's processes on Windows
  Relaunch notification	User & browser settingsChrome updatesRelaunch notification	Controls the notifications shown to users reminding them to update Chrome

• New and updated policies (Chrome Browser and Chrome OS)

  Policy	Description
  AuthNegotiateDelegateAllowlist	Kerberos delegation server allowlist. Replaces AuthNegotiateDelegateWhitelist
  AuthServerAllowlist	Authentication server allowlist. Replaces AuthServerWhitelist
  AutoplayAllowlist	Allow media autoplay on a whitelist of URL patterns. Replaces AutoplayWhitelist
  CloudPrintWarningsSuppressed	Suppress Google Cloud Print deprecation messages
  DefaultFileSystemReadGuardSetting	Control use of the File System API for reading
  DefaultFileSystemWriteGuardSetting	Do not allow any site to request write access to files and directories. See File System API for details
  DefaultSerialGuardSetting	Control use of the Serial API
  EnterpriseRealTimeUrlCheckMode	Check Safe Browsing status of URLs in real time
  ExtensionInstallAllowlist	Configure extension installation allow list. Replaces ExtensionInstallWhitelist
  ExtensionInstallBlocklist	Configure extension installation blocklist. Replaces ExtensionInstallBlacklist
  FileSystemReadAskForUrls	Allow read access via the File System API on these sites
  FileSystemReadBlockedForUrls	Block read access via the File System API on these sites
  FileSystemWriteAskForUrls	Allow write access to files and directories on these sites. See File System API for details
  FileSystemWriteBlockedForUrls	Block write access to files and directories on these sites. See File System API for details
  InsecureFormsWarningsEnabled	Enable warnings for insecure forms
  LookalikeWarningAllowlistDomains	Suppress lookalike domain warnings on domains
  SafeBrowsingAllowlistDomains	Configure the list of domains on which Safe Browsing will not trigger warnings
  SerialAskForUrls	Allow the Serial API on these sites
  SerialBlockedForUrls	Block the Serial API on these sites
  ShowFullUrlsInAddressBar	Show Full URLs
  SpellcheckLanguageBlocklist	Force disable spellcheck languages. Replaces SpellcheckLanguageBlacklist
  URLBlocklist	Block access to a list of URLs. Replaces URLBlacklist

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• ITP will block third party cookies in Chrome on iOS14

  All Chrome versions on iOS14 will be subject to the new ITP (Intelligent Tracking Prevention) restriction in WebKit, which blocks third party cookies. Apple has provided more information on the changes here: 

  • Third Party Cookie Blocking
  • Tracking prevention

• Single words will not be treated as intranet locations by default in Chrome 87 

  By default, Chrome will improve user privacy by avoiding DNS lookups for single keywords entered into the address bar. This change to default behavior may interfere with enterprises that use single-word domains in their intranet. That is, a user typing "helpdesk" will no longer be directed to "https://helpdesk/".

  You will be able to control the behavior of Chrome using the IntranetRedirectBehavior enterprise policy, including preserving the existing behavior (which will perform a search immediately and then ask the user if they're trying to reach the intranet site).

• Improved resource consumption for background tabs in Chrome 87

  To save on CPU and power consumption, Chrome will throttle the amount of CPU that background tabs can use. With this change, Chrome will only allow background tabs to wake up once per minute and to only use 1% CPU time.

  You will be able to control this behavior using the IntensiveWakeUpThrottlingEnabled policy.

• DTLS 1.0 will be removed in Chrome 87

  DTLS 1.0, a protocol used in WebRTC for interactive audio and video, will be removed by default. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. You can test if any of your applications will be impacted using the following command line flag when launching Chrome:

  --force-fieldtrials=WebRTC-LegacyTlsProtocols/Disabled/ 

  If your enterprise needs additional time to adjust, the WebRtcAllowLegacyTLSProtocols enterprise policy will be made available to temporarily extend the removal.

• New PDF UI in Chrome 87

  Chrome will have an updated PDF viewer, including toolbar updates, table of contents, thumbnails, two-up view, and annotations.

• The CORB/CORS allowlist will be removed in Chrome 87

  Chrome will remove the CORB/CORS allowlist in Chrome 87. Please test Chrome extensions that your business depends on to make sure they work with the new behavior.

  Please test Chrome 87.0.4266.0 or later and run through critical workflows with your extension. Watch for fetches or XHRs that are initiated by content scripts and blocked by CORB or CORS. Typical error messages are shown below:

  • Cross-Origin Read Blocking (CORB) blocked cross-origin response <URL> with MIME type <type>. See https://www.chromestatus.com/feature/5629709824032768 for more details.

  • Access to fetch at 'https://another.example.com/' from origin 'https://example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

If the extension's content scripts create requests that don’t work when Chrome is launched with the chrome://flags listed above, then make sure you keep the extension updated so that it continues to work in Chrome 87 and above. In particular, the extensions must be updated to initiate cross-origin fetches from the extension background page (instead of from a content script).

For more details please see: https://www.chromium.org/Home/chromium-security/extension-content-script-fetches

• Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 88

  Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You will be able to control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.

• Chrome will introduce a new permission chip UI in Chrome 88

  Permission requests can feel disruptive and intrusive when they lack context – which often happens when prompts appear as soon as a page loads or without prior priming. This leads to a common reaction where end users dismiss the prompt in order to avoid making a decision.

  Chrome is experimenting with a permissions chip in the address bar next to the lock, which is less intrusive overall. Since the prompt doesn't intrude in the content area, users who don't want to grant the permission no longer need to actively dismiss the prompt. Users who wish to grant permission can click on the chip to bring up the permission prompt.

• Factor in scheme when determining if a request is cross-site (Schemeful Same-Site) in Chrome 88

  Chrome 88 will modify the definition of same-site for cookies such that requests on the same registrable domain but across schemes will be considered cross-site instead of same-site. For example, http://site.example and https://site.example will be considered cross-site to each other. We recommend testing critical sites using the testing instructions.

  You may revert to the previous, legacy behavior, by using the LegacySameSiteCookieBehaviorEnabledForDomainList and LegacySameSiteCookieBehaviorEnabled policies. For more detail please see Cookie Legacy SameSite Policies.

• Chrome 88 on Mac will not support OS X 10.10 (Yosemite)

  Chrome 88 will not support OS X 10.10 (OS X Yosemite). Chrome on Mac will require OS X 10.11 or later.

• SyncXHR and Popup on page unload policies will no longer be supported on Chrome 88

  The AllowPopupsDuringPageUnload and AllowSyncXHRInPageDismissal enterprise policies will be removed in Chrome 88, as previously communicated. For any apps that rely on the legacy web platform behavior, be sure to update them before Chrome 88.

• The Legacy Browser Support extension will be removed from the Chrome Web Store in Chrome 88

  Legacy Browser Support (LBS) is built into Chrome, and the old extension is no longer needed. The Chrome team unpublished LBS from the Chrome Web Store in Chrome 85, and it will be disabled in Chrome 88. Legacy Browser Support will still be supported, please migrate away from the extension and towards using Chrome's built-in policies, documented here.  The old policies set through the extension will no longer function, and you won't be able to force install the extension once it's been disabled.

• Chrome 89 will require SSE3 for Chrome on x86

  Chrome 89 and above will require x86 processors with SSE3 support. This change does not impact devices with non-x86 (ARM) processors. Chrome will not install and run on x86 processors that do not support SSE3. SSE3 was introduced on Intel CPUs in 2003, and on AMD CPUs in 2005.

• The SSLVersionMin policy will not allow TLS 1.0 or TLS 1.1 in Chrome 91

  The SSLVersionMin enterprise policy allows you to bypass Chrome's interstitial warnings for legacy versions of TLS. This will be possible until Chrome 91 (May 2021), then the policy will no longer allow TLS 1.0 or TLS 1.1 to be set as the minimum.

  We previously communicated that this would happen as early as January 2021, but the deadline has since been extended.

Upcoming Admin console changes

• New Version Report and Update Controls

  There will be a new Version Report and Update Controls available in the Admin console. These features give increased visibility into the Chrome versions deployed in your enterprise and allows you to more granularly control how managed Chrome browsers update. If you would like to sign up to be a Trusted Tester for these features please enter your test domain and a contact email into this form.

Important: Adobe will no longer update and distribute Flash Player after December 31, 2020. Therefore, after this date, all versions of Chrome will stop supporting Flash content. You can read more about Adobe's plans to discontinue Flash player and your options in Adobe's blog post. Adobe is working with HARMAN, their exclusive licensing/distribution partner, to provide support for Flash Player in legacy browsers.

Chrome Browser updates

• User-Agent Client Hints will be introduced in Chrome 85 
  As part of an ongoing effort to reduce bad actors’ ability to track users, Chrome plans to reduce the granularity of information that is part of the user agent string and expose that information through User-Agent Client Hints. In Chrome 84, we introduced User-Agent Client Hints for some users. This is an additive change only, and should not have any negative effect when interacting with any standards-compliant server.

  However, some servers may not be able to accept all characters in the User-Agent Client Hints headers, part of the broader Structured Headers emerging standard. If the addition of this header causes problems with servers that cannot be fixed quickly, you will be able to use the UserAgentClientHintsEnabled policy to disable the added headers. This is a temporary policy that will be removed in Chrome 88.

  A full rollout of this change is planned in Chrome 85.

• The default referrer policy will change in Chrome 85 
  The HTTP referrer header provides the full URL of the initiating document alongside many navigation and subresource requests. In practice, it can reveal users’ browsing habits or identities. Chrome will improve user privacy and security by switching to strict-origin-when-cross-origin as the default policy, instead of no-referrer-when-downgrade. Web developers may specify a referrer policy on their documents if they need a different policy.

  The expected long-term fix is to update all web apps to preferably not depend on the full URL for the referrer, and where unavoidable, specify a referrer policy when they require something other than strict-origin-when-cross-origin. However, to help with the transition, enterprises will be able to use the ForceLegacyDefaultReferrerPolicy enterprise policy to revert to the old default behavior until Chrome 88. 
  
  See more info and best practices.

• Chrome 64-bit on Windows will be installed in "Program Files" instead of "Program Files (x86)" 

  New installations of 64-bit Chrome will be installed in "%ProgramFiles%" on Windows instead of "%ProgramFiles(x86)%". Existing installations won't be impacted.

• Improvements to user productivity in Chrome 85

  Chrome will be making several improvements to user productivity, including collapsible tab groups, tab previews, saving inputs in PDFs, and QR code sharing. You can read more about these improvements on the Keyword.

• Compiler optimization performance improvements in Chrome 85

  Chrome will use an improved compiler optimization technique called PGO (Profile-guided optimization) on Mac and Windows. Enterprises aren't expected to notice any changes, except how software interacts with Chrome in unexpected or unsupported ways. For example, code injection may not function as expected with this version of Chrome.

• Insecure downloads will be blocked from secure pages in Chrome 84 through Chrome 88

  By Chrome 88, downloads from insecure sources will no longer be allowed when started from secure pages. This change will be rolled out gradually, with different file types affected in different releases:

• Executables—Users were warned in Chrome 84, and files will be blocked in Chrome 85.
• Archives —Users will be warned in the Chrome developer console in Chrome 85, and files will be blocked in Chrome 86.
• Other non-safe types (For example, PDFs)—Users will be warned in the Chrome developer console in Chrome 86, and files will be blocked in Chrome 87.
• Other files—Users will be warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.

Warnings on Android will lag behind Desktop warnings by one release. For example, executables will show a warning starting in Chrome 85.

The existing InsecureContentAllowedForUrls policy can be used to allow specific page URLs to download insecure files. You can read more details in our blog post.

• Wildcards are no longer supported in PluginsAllowedForUrls in Chrome 85

  In preparation for the Flash deprecation later this year, Chrome will be removing the ability for enterprises to define entries with wildcards in hostnames (For example, “https://*” or “https://[*.]mysite.foo”) for the PluginsAllowedForUrls policy. If you're using hostname wildcards, you will need to explicitly specify which hostnames still require Flash. For example, “https://[*.]mysite.foo” would need to be updated to match explicit entries like “https://flash.mysite.foo”. This change is intended to help determine which sites still require updating, with time to make an adjustment before support for Flash is removed completely in December, 2020.

• The Legacy Browser Support extension will be removed from the Chrome Web Store in Chrome 85

  Legacy Browser Support (LBS) is now built into Chrome, and the old extension is no longer needed. The Chrome team is planning to unpublish LBS from the Chrome Web Store in Chrome 85, and it will be removed from browsers in Chrome 86. To continue using Legacy Browser Support, ensure that you're using Chrome's built-in policies, documented here.  The old policies set through the extension will no longer take effect when the extension is removed. 

  The Beta version of the extension (Extension ID ebojbgfomggiamdflnhekjfkmdbeblpb) will be removed in Chrome 85.

• Cross-origin fetches will be disallowed from content scripts in Chrome Extensions in Chrome 85

  As part of an effort to improve Chrome Extension security, cross-origin fetches are being disallowed from content scripts in Chrome Extensions. Cross-Origin Read Blocking (CORB) has already applied to content scripts since M73. We plan to also enable CORS for content script requests starting in M85. We expect most extensions to be unaffected by the CORS change, but there is a chance that some requests initiated from content scripts may start to fail.

  Please test Chrome Extensions that your business depends on to make sure they work with the new behavior when Chrome is launched with the following cmdline flags (in 81.0.4035.0 or later):

  --enable-features=OutOfBlinkCors,CorbAllowlistAlsoAppliesToOorCors

  During the test, watch for fetches or XHRs that are initiated by content scripts and blocked by CORS. If extensions you depend on are affected, open a bug to add the affected extensions to a temporary allowlist which will exempt them from the change (the allowlist will be deprecated and removed in Chrome 87). The changes only affect fetches or XHRs for content types that are not blocked by CORB (such as images, JavaScript, and CSS) and only if the server does not approve the CORS request with an Access-Control-Allow-Origin response header.

• Improved resource consumption when a window is not visible in Chrome 85

  To save on CPU and power consumption, Chrome will detect when a window is covered by other windows and will suspend work painting pixels. A previous version of this feature had incompatibility issues with some virtualization software. Known bugs have been fixed, but if you experience any issues, you will be able to disable this feature using the NativeWindowOcclusionEnabled policy.

  Some users will see the change in Chrome 85, with a full rollout planned for Chrome 86.

• The SafeBrowsingExtendedReportingOptInAllowed policy is no longer available in Chrome 85

  The support of SafeBrowsingExtendedReportingOptInAllowed policy has been removed in Chrome 85. Please use SafeBrowsingExtendedReportingEnabled policy instead. You can find the migration instructions on the deprecated policy page.

• Introduction of AutoLaunchProtocolsFromOrigins policy in Chrome 85

  The new AutoLaunchProtocolsFromOrigins policy allows you to specify combinations of external protocols and origins that should be launched automatically, without requiring user confirmation.

• Chrome on MacOS has additional protections for sensitive enterprise policies in Chrome 85

  Macs that are not managed by a UEM/EMM/MDM (or legacy MCX) will ignore sensitive enterprise policies that may be set by malware. This check already happens for sensitive policies on Windows, and will apply to the same set of policies on MacOS.

• Cross-Origin Resource Setting (CORS) enterprise policies are no longer available

  The CorsMitigationList and Cors​Legacy​Mode​Enabled policies have been removed in Chrome 84, as previously communicated.

• The ForceNetworkInProcess policy is now deprecated

  Chrome 73 introduced a change to move network activity into a separate process. We were aware of known incompatibilities with some third-party software that were injected into Chrome's process, so the ForceNetworkInProcess policy was provided as a temporary stop-gap to revert to the old behavior. The transition period for this change ended in Chrome 84, and the policy is no longer available.

• Certificates issued on or after September 01, 2020 must have a lifetime of 398 days or less in Chrome 85

  As part of our ongoing commitment to ensuring user security, Google is reducing the maximum allowed lifetimes of TLS certificates. More details here.

• Chrome 85 uses the Windows-native spell checker for some users

  For Windows users that have the corresponding language packs installed on their system, Chrome will use the Windows-native spell checker. Users without the corresponding language pack will default to the Chrome spell checker.

  Some users will see this change in Chrome 85, with a full rollout planned in Chrome 86.

• The Chrome Web Store tells users if an extension has been blocked by their admin in Chrome 85

  If you block an extension by policy, the Chrome Web Store extension listing will now show “Blocked by Admin” to the user.

• Chrome-on-iOS enterprise policies in Chrome 85

  Chrome supports a limited set of policies on iOS, configurable with unified endpoint management systems.

Chrome OS updates

• Separating Display Resolution and Refresh Rate for external monitors

  The "Displays" page in Settings has been updated to allow independent configuration of the resolution and the refresh rate for external monitors. This setting will be split automatically and users do not need to take any action.

• Sync Wi-Fi settings between devices

  To help users avoid repeatedly joining the same set of networks and typing in the same difficult-to-remember passwords on each of their Chrome OS devices, Wi-Fi Sync helps keep known networks in sync between a user's devices. This can be controlled using the SyncTypesListDisabled policy.

• Option for improved visuals for Select to Speak

  Select to speak lets users drag a box around a given area of text to have text in that area spoken aloud. We’ve now added the option to turn on screen shading behind the selected region of the screen. This screen shading will reduce distraction and help to enhance the user's focus on the core content being spoken aloud.

• Improved gesture support for handwriting keyboard

  When entering text using the handwriting keyboard, you can now use familiar gestures to edit your handwriting. Drawing a strikethrough will delete text, and a caret will give you space to insert text.

• Improved Print management UI

  Users can now manage their ongoing print jobs and view what has been completed.

• PIN printing for Hewlett-Packard^®, Ricoh^®, and Sharp^® printers

  Extended PIN printing is now available for all supported Hewlett-Packard^®, Ricoh^®, and Sharp^® printers that require a PIN to release the print job to a printer.

Admin console updates

• Updated Admin consoleDevices hub page

  The Devices hub in the Admin console is refreshed with a new look and feel, faster load times, and a brand new navigation structure on the left side of the page.

• View apps & extensions that are configured across all organizational units

  The apps & extensions page in the Admin console now supports “Include all organizational units.” Selecting this view will display all apps configured across all modes (User & browser, Devices, and Managed guest session) and all organizational units.

• Expanded ability to block system features

  Admins can now block system features at a granular level directly, without URL blocking. The Camera app, Chrome browser settings and Chrome OS settings are all configurable through policy.

• Connected devices policies for Android phones + Chrome OS devices

  User settingsConnected devices is a suite of features that allows Android phones and Chrome devices to work together seamlessly. Education organizations can enable Smart Lock and Click to Call. In addition, Enterprise organizations can enable Instant Tethering and Messages.

• Multi-select devices for clearing user profiles

  From the ChromeDevices list, admins can now multi-select devices to clear user profiles from all devices at the same time.

• Additional policies now available in the Admin console

  Many additional new policies are available in the Admin console, including:

  • PrintingMaxSheetsAllowed

    User settingsPrintingMaximum sheets - Set a maximum number of pages for a single print job.

  • PrintingMaxSheetsAllowed and PrintingPaperSizeDefault

    User settingsPrintingDefault printing page size - Set a default paper page size for print jobs. 

  • AppCacheForceEnabled

    User settingsContentAppCache - Allow websites to use the deprecated AppCache browser feature.

  • HardwareAccelerationModeEnabled

    User settingsHardwareGPU - Enable or disable GPU hardware acceleration

  • ScrollToTextFragmentEnabled

    User settingsContentScroll to text fragment - Allow sites to scroll directly to a text fragment via URL

  • HideWebStoreIcon

    Apps & extensionsAdditional settingsChrome Web Store app icon - Hide the Chrome Web Store app and footer link from the New Tab Page and Google Chrome OS app launcher.

New and updated policies (Chrome Browser and Chrome OS)

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• ITP will block third party cookies in Chrome on iOS14

  All Chrome versions on iOS14 will be subject to the new ITP (Intelligent Tracking Prevention) restriction in WebKit, which blocks third party cookies. Apple has provided more information on the changes here: 

  • Third Party Cookie Blocking
  • Tracking prevention

• Single words will not be treated as intranet locations by default in Chrome 87 

  By default, Chrome will improve user privacy by avoiding DNS lookups for single keywords entered into the address bar. However, this change to default behavior may interfere with enterprises that use single-word domains in their intranet. That is, a user typing "helpdesk" will no longer be directed to "https://helpdesk/".

  You will be able to control the behavior of Chrome via policy, including preserving the existing behavior (which will perform a search immediately and then ask the user if they're trying to reach the intranet site).

• Chrome will warn about mixed content forms in Chrome 86

  Web forms that load via HTTPS but submit their content via HTTP (unsecured) pose a potential risk to users' privacy. Chrome 85 showed a warning on such forms, telling the user that the form is insecure. Chrome will show an interstitial warning when the form is submitted, which will stop any data transmission, and the user will be able to choose to proceed or cancel the submission.

  You will be able to control this behavior using the InsecureFormsWarningsEnabled enterprise policy.

• The address bar will show the domain rather than the full URL for some users in Chrome 86

  To protect your users from some common phishing strategies, Chrome will begin showing only the domain in the address bar in Chrome 86. This change makes it more difficult for malicious actors to trick users with misleading URLs. For example, https://example.com/secure-google-sign-in/ will appear only as example.com to the user.

  Although this change is designed to keep your users' credentials safe, you will be able to revert to the old behavior through the ShowFullUrls policy. This change will initially only roll out to some users, with a full rollout planned for a later release.

• Improved resource consumption for background tabs in Chrome 86

  To save on CPU and power consumption, Chrome will throttle the amount of CPU that background tabs can use. With this change, Chrome will only allow background tabs to wake up once per minute and to only use 1% CPU time.

  You will be able to control this behavior using the IntensiveWakeUpThrottlingEnabled policy.

• Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 86

  Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. A policy will be provided to turn off this mechanism, and another one to allow specific pages to make requests to more private IP Address Spaces.

• Chrome 86 will have a new way of indicating it should be updated

  To make it more clear that Chrome should be restarted to apply an update, users will see a new UI, with the word "Update."

      ​​​​​ ​

• Chrome extensions will not be able to inject Flash content settings in Chrome 86

  Extensions will not be able to inject content settings for Flash. Admins should instead use policies to control Flash behavior on Chrome. See PluginsAllowedForUrls.

• The Chrome Cloud Management - Reporting Companion extension will cease functionality in Chrome 86

  The Chrome Cloud Management - Reporting Companion extension (ID oempjldejiginopiohodkdoklcjklbaa) is no longer necessary, as its functionality has been integrated into Chrome browser. If you are manually force-installing this extension, you can safely stop doing so. Please ensure that you've set "Enable managed browser cloud reporting" in the admin console instead.

  The extension will no longer function in Chrome 86.

• The TLS13HardeningForLocalAnchorsEnabled enterprise policy will no longer function in Chrome 86

  As documented in the policy description, support for the TLS13HardeningForLocalAnchorsEnabled enterprise policy will be removed in Chrome 86. As a result, the security feature will be enabled for all users, protecting your environment from certain TLS downgrade attacks.

  The policy was introduced as a temporary measure to mitigate implementation flaws with some TLS-intercepting proxies. If you had previously set this policy to take advantage of the migration period, please ensure your TLS-intercepting policies are up to date and compliant. You can test Chrome by ensuring it works without this policy set.

• More inclusive policy names will be introduced in Chrome 86 and 87

  Chrome will be moving to more inclusive policy names. The terms "whitelist" and "blacklist" will be replaced with "allowlist" and "blocklist". The following policies will be deprecated, and equivalent policies will be introduced for each: 

If you're already using the existing policies, they will continue to work, though you will see warnings in chrome://policy stating that they're deprecated.

• DTLS 1.0 will be removed in Chrome 87

  DTLS 1.0, a protocol used in WebRTC for interactive audio and video, will be removed by default. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. You can test if any of your applications will be impacted using the following command line flag when launching Chrome:

  --force-fieldtrials=WebRTC-LegacyTlsProtocols/Disabled/

  If your enterprise needs additional time to adjust, a policy will be made available to temporarily extend the removal.

• Chrome will introduce a new permission chip UI in Chrome 87

  Permission requests can feel disruptive and intrusive when they lack context – which often happens when prompts appear as soon as a page loads or without prior priming. This leads to a common reaction where end users dismiss the prompt in order to avoid making a decision.

  Chrome is experimenting with a permissions chip in the address bar next to the lock, which is less intrusive overall. Since the prompt doesn't intrude in the content area, users who don't want to grant the permission no longer need to actively dismiss the prompt. Users who wish to grant permission can click on the chip to bring up the permission prompt.

• New PDF UI in Chrome 87

  Chrome will have an updated PDF viewer, including toolbar updates, table of contents, thumbnails, two-up view, and annotations viewing.

• Factor in scheme when determining if a request is cross-site (Schemeful Same-Site) in Chrome 88

  Chrome 88 will modify the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. For example, http://site.example and https://site.example will be considered cross-site to each other.

  For enterprises that need extra time to adjust to these changes, policies will be made available.

Upcoming Admin console changes

• New Version Report and Update Controls

  There will be a new Version Report and Update Controls available in the Admin console. These features give increased visibility into the Chrome versions deployed in your enterprise and allows you to more granularly control how managed Chrome browsers update. If you would like to sign up to be a Trusted Tester for these features please enter your test domain and a contact email into this form.

Important: Adobe will no longer update and distribute Flash Player after December 31, 2020, therefore Chrome will no longer support Flash content. You can read more about Adobe's plans to discontinue Flash player in Adobe's blog post. Adobe is working with HARMAN, their exclusive licensing/distribution partner, to provide support for Flash Player in legacy browsers.

Chrome is designed to meet the needs of Chrome Enterprise customers, including integration with legacy web content. Companies that need to use a legacy browser to run Flash content after December 31, 2020 can get set up with HARMAN and Legacy Browser Support.

Chrome Browser updates

• Updates to cookies with SameSite

  Starting on July 14, cookies that don’t specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context must explicitly request SameSite=None. Cookies with SameSite=None must also be marked Secure and delivered over HTTPS. To reduce disruption, the updates will be enabled gradually, so different users will see it at different times. We recommend that you test critical sites using the instructions for testing.

  You will be able to revert to the legacy cookie behavior using policies until Chrome 91. You can specify domains accessing cookies that require legacy semantics using LegacySameSiteCookieBehaviorEnabledForDomainList or control the global default with LegacySameSiteCookieBehaviorEnabled. For more details, visit Cookie Legacy SameSite Policies.

  This change started with Chrome 80, but was temporarily on hold in light of the COVID-19 pandemic. It’s being set in motion again, and will take effect in Chrome 80 and more recent versions of Chrome.

• Insecure downloads will be blocked from secure pages in Chrome 84 through Chrome 88

  By Chrome 88, downloads from insecure sources will no longer be allowed when started from secure pages. This change will be rolled out gradually, with different file types affected in different releases:     

• Executables—Users will be warned in Chrome 84, and files will be blocked in Chrome 85.
• Archives —Users will be warned in the Chrome developer console in Chrome 85, and files will be blocked in Chrome 86.
• Other non-safe types (e.g. pdfs)—Users will be warned in the Chrome developer console in Chrome 86, and files will be blocked in Chrome 87.
• Other files—Users will be warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.

Warnings on Android will lag behind Desktop warnings by one release. For example, executables will show a warning starting in Chrome 85.

The existing InsecureContentAllowedForUrls policy can be used to allow specific page URLs to download insecure files. You can read more details in our blog post.

• Improved resource consumption when window is not visible

  To save on CPU and power consumption, Chrome will detect when a window is covered by other windows and will suspend work painting pixels. A previous version of this feature had an incompatibility with some virtualization software. Known bugs have been fixed, but if you experience any issues, you will be able to disable this feature using the NativeWindowOcclusionEnabled policy.

  Some users will see this feature in Chrome 84, with a full release planned in Chrome 85.

• Chrome remembers user preferences when launching external protocols

  As requested by IT admins, users are able to select "always allow for this site" when opening an external protocol in Chrome 84. The approval is scoped to the current origin, and is only available for secure origins.

• The URLAllowlist policy only allows external protocols for domain joined devices

  A recent release of Chrome changed the behavior of the URLAllowlist policy which lets you allow external protocols such as “callto:” or “ms-calendar”. To improve security on Windows^®, this policy only allows external protocols for devices joined to an Active Directory domain.

• Deprecation of TLS 1.0 and TLS 1.1

  The Chrome team announced in October 2019, plans for the deprecation of legacy TLS versions (TLS 1.0 and 1.1). In Chrome 84, we will mark sites that do not support TLS 1.2 and above with a full-page warning telling users that the connection is not fully secure. 

  If users have sites affected by these changes and need to opt out, you can use the SSLVersionMin policy to turn off the security indicator and warning. To allow TLS 1.0 and later without additional warnings, set the policy to tls1. The SSLVersionMin policy will work until January 2021. More details are available in our blog post.

• Improvements to Chrome downgrades

  When a managed Chrome browser updates to the next version, it will retain a snapshot of User Data. This is useful for admins when Sync is turned off and they need to rollback to a previous version of Chrome. The number of snapshots can be controlled using the UserDataSnapshotRetentionLimit policy and Chrome can function as it did before by setting UserDataSnapshotRetentionLimit to 0. For more details, visit Downgrade your Chrome version.

• Stronger consent for the search and new tab page

  Chrome will protect against extensions that attempt to change the user's preferences without their consent. After an extension changes the default search engine or the new tab page, Chrome will confirm the change with the user, and allow them to keep the change or revert back to the old settings.

  As an admin, you can control your employees' default search provider directly using the Default Search Provider and NewTabPageLocation policies. They will not trigger a confirmation dialog.

• User-Agent Client Hints

  As part of an ongoing effort to reduce bad actors’ ability to track users, Chrome plans to reduce the granularity of information that is part of the user agent string and expose that information through User-Agent Client Hints. In Chrome 84, we are introducing User-Agent Client Hints for some users. This is an additive change only, and should not have any negative effect when interacting with any standards-compliant server.

  However, some servers may not be able to accept all characters in the User-Agent Client Hints headers, part of the broader Structured Headers emerging standard. If the addition of this header causes problems with servers that cannot be fixed quickly, you will be able to use the UserAgentClientHintsEnabled policy to disable the added headers. Although, this is a temporary policy that will be removed in Chrome 88.

  You can test your environment by enabling the "experimental web platform features" flag in Chrome. A wider rollout of this change is planned in Chrome 85.

• Cross-Origin Resource Sharing (CORS) enterprise policies will no longer take effect

  The CorsMitigationList and Cors​Legacy​Mode​Enabled policies have been removed in Chrome 84, as previously communicated.

• The ForceNetworkInProcess policy is now deprecated

  Chrome 73 introduced a change to move network activity into a separate process. We were aware of known incompatibilities with some third-party software that were injected into Chrome's process, so the ForceNetworkInProcess policy was provided as a temporary stop-gap to revert to the old behavior. The transition period for this change ends in Chrome 84, and the policy is no longer available.

Chrome OS updates

• Camera app supports MP4 (H.264)

  Videos captured in the Chrome OS Camera app will now save as MP4 (H.264) videos. This makes it easier to use your recorded videos in other apps.

• Window management improvements for multiple monitors and split screen

  When in Overview mode you can now drag a window to the left or right edge to quickly set up a split screen. If you use multiple monitors, you can drag windows to other displays while in Overview mode.

• Adding search functionality to the ChromeVox menu

  For screen reader users, the ChromeVox menu is a one-stop-shop for learning about ChromeVox and accessing key information and commands. When ChromeVox is turned on, press Search + Period at any time to open the menu and explore options such as jump commands, speech options, and much more. As of Chrome 84, it's now possible to search within the ChromeVox menu to find what you are looking for even faster! Simply open the menu and your mouse cursor will automatically be placed in the Search field. You can either search for a given item, or use the arrow keys to navigate the menu options.

• Sheet Limit Policy for Native Printing

  Many organizations would like to limit the amount of paper used when printing. With the PrintingMaxSheetsAllowed policy, admins can limit the number of sheets used in a single print job for their managed devices users. For example, placing a limit on printing excessively large documents such as an entire digital textbook, ebook, or accidental print requests, prevents ink and paper waste.

• Chrome OS login/lock screen enterprise disclosure

  On the login screen, Chrome OS now shows an enterprise badge on managed profiles. This allows users to see at first glance whether their profile is managed or not.

• Crostini mic permission

  You can now give Crostini access to your microphone through Settings. If you're developing an Android app, you can test the microphone feature using the Android emulator.

Admin console updates

• Update controls are available for managed browsers

  In the Admin console, admins can now configure additional update policies for Chrome browsers that are managed by Chrome Browser Cloud Management. For example, you might want to allow or disable updates, pin a specific version of Chrome, roll back to a previous version of Chrome, set relaunch notifications, or control when Chrome checks for updates. The configuration details are further described in this help center article.

• Network file shares policy

  Admins can now configure network file shares for users under Chrome managementUser settingsNetwork file shares. These policies include configuration of SMB settings for NetBIOS discovery, NTLM authentication, and preconfiguring file shares so users can see them within the Files app on Chrome OS.

• Readable data in the devices export

  Timestamps in the device list’s CSV export file are now in a “human-readable” format. This format helps to make the timestamps easy for users to read. Previously, these columns contained the same value as reported through the Directory API.

• Domain-restricted apps & extensions from the Chrome Web Store

  In the Google Admin console, admins can now add domain-restricted apps & extensions from the Chrome Web Store. These apps are available under Chrome managementAppsAdd from Chrome Web StoreView private apps.

• Device screen resolution

  Admins can now configure the screen resolution and UI scaling for displays.  These settings are available under Chrome managementDevice settingsScreen settings.

• Dinosaur game policy

  When Chrome cannot connect to the internet it displays a “Dinosaur game” for users to play.  This game is disabled by default for domain-enrolled Chrome OS devices, but admins can enable it under Chrome managementUser settingsDinosaur game.

• Ignore proxy on captive portals policy

  Chrome OS can open captive portal authentication pages in a separate window that ignores all policies for the current user, including proxy settings. This policy only takes effect if a proxy is configured through policy in chrome://settings or by extensions. This policy is available under Chrome managementUser settingsIgnore proxy on captive portals.

• Display system info on the sign-in screen

  Your users can view system information such as serial numbers and OS versions on the sign-in screen by pressing Alt+V. Admins can allow or not allow access to this feature under Chrome managementDevice settingsSystem info on sign-in screen.

• Device accessibility policies

  In addition to the launch of advanced accessibility controls for users, a similar set of controls for the login screen allows admins to enable accessibility features remotely or restrict them when necessary. For example, restricting dictation features in hospitals or blocking certain features in classrooms to prevent disruption. See the full list of features below:

  • Spoken feedback
  • Select to speak
  • High contrast
  • Screen magnifier
  • Sticky keys
  • Virtual keyboard
  • Dictation
  • Keyboard focus highlighting
  • Caret highlight
  • Auto-click enabled
  • Large cursor
  • Cursor highlight
  • Primary mouse button
  • Mono audio
  • Accessibility shortcuts

New and updated policies (Chrome Browser and Chrome OS)

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• Wildcards no longer supported in PluginsAllowedForUrls in Chrome 85

  In preparation for the Flash deprecation later this year, Chrome will be removing the ability for enterprises to define entries with wildcards in hostnames (e.g., “https://*” or “https://[*.]mysite.foo”) for the PluginsAllowedForUrls policy. If you're using hostname wildcards, you will need to explicitly specify which hostnames still require Flash. For example, “https://[*.]mysite.foo” would need to be updated to match explicit entries like “https://flash.mysite.foo”. This change is intended to help determine which sites still require updating, with time to make an adjustment before support for Flash is removed completely in December, 2020.

• Compiler optimization performance improvements in Chrome 85

  Chrome will use an improved compiler optimization technique on Mac and Windows in Chrome 85. Enterprises aren't expected to notice any changes, but software interacting with Chrome in unexpected or unsupported ways such as, code injection, may not function as expected with Chrome 85.

  To ensure compatibility, you can test your environment with the Chrome 85 beta channel, starting July 23, 2020.

• The Legacy Browser Support extension will be removed from the Chrome Web Store in Chrome 85

  Legacy Browser Support (LBS) is now built into Chrome, and the old extension is no longer needed. The Chrome team is planning to unpublish LBS from the Chrome Web Store in Chrome 85, and it will be removed from browsers in Chrome 86. To continue using Legacy Browser Support, ensure you're using Chrome's built-in policies, documented here.  The old policies set through the extension will no longer take effect when the extension is removed. If you run into issues using the built-in LBS policies please file a new issue report at http://crbug.com/new.

• Cross-origin fetches will be disallowed from content scripts in Chrome Extensions in Chrome 85

  As part of an effort to improve Chrome Extension security, cross-origin fetches are being disallowed from content scripts in Chrome Extensions. Cross-Origin Read Blocking (CORB) has already applied to content scripts since M73. We plan to also enable CORS for content script requests starting in M85. We expect most extensions to be unaffected by the CORS change, but there is a chance that some requests initiated from content scripts may start to fail.

  Please test Chrome Extensions that your business depends on, to make sure they work with the new behavior when Chrome is launched with the following cmdline flags (in 81.0.4035.0 or later):

  --enable-features=OutOfBlinkCors,CorbAllowlistAlsoAppliesToOorCors

  During the test, watch for fetches or XHRs that are initiated by content scripts and blocked by CORS.  If extensions you depend on are affected, then please open bugs to add the affected extensions to a temporary allowlist to exempt them from the change. The changes only affect  fetches or XHRs for content types not blocked by CORB (such as images, JavaScript, and CSS), and only if the server does not approve the CORS request with an Access-Control-Allow-Origin response header.

• Improved resource consumption for background tabs in Chrome 85

  To save on CPU and power consumption, Chrome will throttle the amount of CPU that background tabs can use. With this change, Chrome will only allow background tabs to wake up once per minute and to only use 1% CPU time.

  You will be able to control this behavior using the IntensiveWakeUpThrottlingEnabled policy.

• Introduction of AutoLaunchProtocolsFromOrigins policy in Chrome 85

  The new AutoLaunchProtocolsFromOrigins policy will allow you to specify combinations of external protocols and origins that should be launched automatically, without requiring user confirmation.

• The SafeBrowsingExtendedReportingOptInAllowed policy will no longer take effect in Chrome 85

  The support of SafeBrowsingExtendedReportingOptInAllowed policy will be removed in Chrome 85. Please use SafeBrowsingExtendedReportingEnabled policy instead. You can find the migration instructions on the deprecated policy page.

• Chrome on MacOS will have additional protection for sensitive enterprise policies in Chrome 85

  Macs that are not managed by a UEM/EMM/MDM (or legacy MCX) will ignore sensitive enterprise policies that may be set by malware. This check already happens for sensitive policies on Windows, and will apply to the same set of policies on MacOS.

• Single words will not be treated as intranet locations by default in Chrome 86

  By default, Chrome 86 will improve user privacy by avoiding DNS lookups for single keywords entered into the address bar, which could theoretically be read by a malicious actor. However, this change to default behavior will likely interfere with enterprises that use single-word domains in their intranet. That is, a user typing "helpdesk" will no longer be directed to "https://helpdesk/".

  You will be able to control the behavior of Chrome via policy. In addition to preserving the existing behavior (which will perform a search immediately and then ask the user if they're trying to reach the intranet site), you can also set the intranet site as Chrome's first action.

• Chrome will warn about mixed content forms in Chrome 86

  Web forms that load via HTTPS but submit their content via HTTP (unsecured) pose a potential risk to users' privacy. Chrome 85 will show a warning on such forms, telling the user that the form is insecure. Chrome will show an interstitial warning when the form is submitted, which will stop any data transmission, and the user will be able to choose to proceed or cancel the submission.

  You will be able to control this behavior using the DisableMixedFormsWarning enterprise policy.

• The address bar will show the registrable domain rather than the full URL for some users in Chrome 86

  To protect your users from some common phishing strategies, Chrome will begin showing only the registrable domain in the address bar in Chrome 86. This change makes it more difficult for malicious actors to trick users with misleading URLs. For example, https://google-secure.example.com/secure-google-sign-in/ will appear only as example.com to the user.

  Although this change is designed to keep your users' credentials safe, you will be able to revert to the old behavior through the ShowFullUrls policy. This change will initially only roll out to some users, with a full rollout planned for a later release.

• DTLS 1.0 will be removed in Chrome 86

  DTLS 1.0, a protocol used in WebRTC for interactive audio and video, will be removed by default. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. You can test if any of your applications will be impacted using the following command line flag when launching Chrome:

  --force-fieldtrials=WebRTC-LegacyTlsProtocols/Disabled/ 

  If your enterprise needs additional time to adjust, a policy will be made available to temporarily extend the removal.

• Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 86

  Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. A policy will be provided to turn off this mechanism, and another one to allow specific pages to make requests to more private IP Address Spaces.

• Chrome extensions will not be able to inject Flash content settings in Chrome 86

  Extensions will not be able to inject content settings for Flash. Admins should instead use policies to control Flash behavior on Chrome. See PluginsAllowedForUrls.   

• More inclusive policy names will be introduced in Chrome 86

  Chrome will be moving to more inclusive policy names in Chrome 86. The terms "whitelist" and "blacklist" will be replaced with "allowlist" and "blocklist". The following policies will be deprecated, and equivalent policies will be introduced for each: 

If you're already using the existing policies, they will continue to work, though you will see warnings in chrome://policy stating that they're deprecated.

• Factor in scheme when determining if a request is cross-site (Schemeful Same-Site) in Chrome 88

  Chrome 88 will modify the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. For example, http://site.example and https://site.example will be considered cross-site to each other.

  For enterprises that need extra time to adjust to these changes, policies will be made available.

• The Chrome Browser Cloud Management reporting extension will cease functionality in Chrome 86

  The Chrome Browser Cloud Management reporting extension is no longer necessary, as its functionality has been integrated into Chrome browser. If you are manually force-installing this extension, you can safely stop doing so. Please ensure that you've set "Enable managed browser cloud reporting" in the admin console instead.

  The extension will no longer function in Chrome 86.

Upcoming Admin console changes

• New Version Report and Update Controls

  There will be a new Version Report and Update Controls available in the Admin console. These features give increased visibility into the Chrome versions deployed in your enterprise and allows you to more granularly control how managed Chrome browsers update. If you would like to sign up to be a Trusted Tester for these features please enter your test domain and a contact email into this form.