Chrome Enterprise release notes

Chrome Browser updates

• All privately-hosted extensions must be packaged with CRX3 format in Chrome 76. 

  This change was originally planned for Chrome 75 but it’s now scheduled for Chrome 76 to allow more time for customer transition. It was originally announced in the Chrome 68 release notes.
  
  CRX2 uses SHA1 to secure updates to a Chrome extension. Breaking SHA1 is technically possible, which allows attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.
  
  Starting with Chrome 76, all force-installed extensions will need to be packaged in the CRX3 format. For details on temporarily enabling CRX2, see ExtensionAllowInsecureUpdates. For the CRX2 deprecation timeline, see Chromium.
  
  Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions or third-party extensions hosted outside of the Chrome Web Store that are packaged in CRX2 format, the extensions will stop updating in Chrome 76 and new installations of the extension will fail. 

• Roll back to Chrome 72 or later on Windows

  Chrome 75 on Microsoft^® Windows^® will allow administrators to roll back to Chrome 72 or a later version.

  To make sure that users are protected by the latest security updates, we recommend that users are on the latest version of Chrome Browser. Running earlier versions of Chrome Browser exposes your users to known security issues. Before using this policy, see Roll back Chrome Browser to a previous version for important information about preserving user data.

• Use policy to remove extensions (rather than just disable)

  Starting in Chrome 75, extensions can now be removed by modifying the installation_mode setting in the Extension Settings policy and setting the "removed" flag. For details, see Chromium. 

• PacHttpsUrlStrippingEnabled policy removed

  As we announced in the Chrome 74 release notes, the PacHttpsUrlStrippingEnabled policy has now been removed. If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change, especially if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.

  PAC HTTPS URL stripping removes privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution, reducing the chance that sensitive information is unnecessarily exposed. For example, https://www.example.com/account?user=234 would be stripped to https://www.example.com/. This behavior will now be enforced in Chrome 75.

• EnableSymantecLegacyInfrastructure policy removed

  As we announced in the Chrome 74 release notes, the EnableSymantecLegacyInfrastructure policy has now been removed. The policy was used as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. The workaround allowed time to migrate any internal certificates that are not used on the public internet.

  Certificates issued from the Legacy PKI Infrastructure should have been replaced with certificates issued by public or enterprise-trusted Certificate Authorities (CAs). 

• SSLVersionMax policy removed

  As we announced in Chrome 74 release notes, the SSLVersionMax policy has now been removed. This policy was used as a short-term workaround while TLS 1.3 was rolled out to allow time for middleware vendors to update their TLS implementations.

• Policy to control Signed HTTP Exchange

  You can use Signed HTTP Exchange to safely make content portable or available for redistribution by other parties, while keeping the content’s integrity and attribution. Portable content has many benefits, such as enabling faster content delivery, facilitating content sharing between users, and simpler offline experiences

  Starting in Chrome 75, you can enable or disable Signed HTTP Exchange using the SignedHTTPExchangeEnabled policy.

• CompanyName and LegalCopyright fields updated

  Chrome 75 changes the CompanyName and LegalCopyright fields in the version resource of Windows binaries (for example chrome.exe and chrome.dll). "Google Inc." is now  "Google LLC" and "Copyright 2018 Google Inc. All rights reserved." is now "Copyright 2019 Google LLC. All rights reserved."

• Control precedence between Chrome Browser Cloud Management and platform policies

  You can use CloudPolicyOverridesPlatformPolicy to control how policies from Chrome Browser Cloud Management interact with policies set at the platform level (for example, through the Group Policy Management Editor). This policy can be useful if you’re transitioning from managing browsers through Group Policy Object (GPO) to Chrome Browser Cloud Management.
  
  When set to false (default), the order of precedence is Machine platform > Machine cloud > User platform > User cloud.
  
  With the policy set to true, the order of precedence is Machine cloud > Machine platform > User platform > User cloud.
  
  The policy can only be set as a machine platform policy. For more details, see Chromium. 

• Merge list policies from multiple sources

  You can now merge policies that take a list of values that are set from multiple sources, including the cloud and by platform and Microsoft^® Active Directory^®. Before, if multiple lists from different sources conflicted, only one list was applied. For details, see PolicyListMultipleSourceMergeList.

• Chrome Remote Desktop on the web now available 

  You can now use Chrome Remote Desktop on the web. In turn, the Chrome Remote Desktop app will not be supported after June 30, 2019. New and existing users can switch to the new version on the web.

  To set it up:

  1. Go to Chrome Remote Desktop.
  2. In the upper-right corner, click Remote Access.
  3. Click Remote Support to get support from a trusted friend or family member, or to give support to someone else.

  You can control whether users can access other computers from Chrome using Chrome Remote Desktop. For details, see Control use of Chrome Remote Desktop.

• Improved tab life cycle management

  Some users will start to see improved CPU and memory usage as Chrome 75 rolls out. The TabLifeCyclesEnabled policy reduces the CPU usage on browser tabs that haven’t been used for a long time. Set the policy to true or leave it unspecified to enable it. For details, see Chromium. 

• Users can check Chrome Browser and OS management

  In Chrome 75 we’re enhancing the visibility features for both browser and OS with transparency view, a new view which shows users the extent to which their device and account are managed by their administrators in enterprise environments. The new transparency view focuses on reporting functionality (“Which data is visible to my administrator?”) as well as force-installed extensions (“Which data may be accessed by force-installed extensions?”).

Chrome OS updates

• Linux on Chromebooks: 

  Support for VPN connections—Linux applications can now utilize VPN connections through an existing Android or Chrome OS VPN connection. All traffic from the Linux VM will automatically be routed through an existing (established) VPN connection.
  
  Support for Android devices over USB—Android devices connected over USB can now be accessed by Linux apps. Users must choose to share the USB device with Linux before they can access it.

• Add support for PIN code with native printers

  PIN code printing will be available which will allow users to enter a pin code when sending the print job, and release the print job for printing when they enter the pin code into the printer keypad.  This gives users more control over when a print job is printed so documents aren’t lying unattended at the printer. And because a user has to actively request their print job be released, it also reduces waste. 
  
  PIN printing will be enabled if the user’s Chrome device is managed, and the printer supports IPPS communication and the IPP attribute for “job-password”.
  

• Add support for Document Providers in Files app

  To expand support for third-party file providers on Chrome OS, when users install the app of a third-party file provider that implements the DocumentsProvider API, a root for the third-party file provider will appear in the side navigation of the Chrome Files app. For more details, see Documents Provider. 

• Extending protected content on secondary displays

  Digital rights management (DRM)-protected content can now be shown on an external display. 

• BLE advertising in Chrome apps flag removed

  The #enable-ble-advertising-in-apps flag (about://flags) will be removed in Chrome 75. If you or any developers use BLE Advertising APIs, you should debug the functionality in a kiosk session, rather than in a regular user session.

Admin console updates

• Force devices to automatically re-enroll after wiping (change to forced re-enrollment behavior)

  Starting in June 2019 (with an incremental rollout), you can automatically re-enroll devices if they’re wiped.  Previously, forced re-enrollment required a user to enter their username and password to complete re-enrollment A few weeks after the roll out is complete, automatic re-enrollment will be the default for new customers as well as existing customers who have not changed the default forced re-enrollment setting. To control the setting, see Force wiped Chrome devices to re-enroll.

New and updated policies (Chrome Browser and Chrome OS)

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Policy	Description
AlternativeBrowserParameters Chrome Browser only	Controls command-line parameters to launch to an alternative browser
AlternativeBrowserPath Chrome Browser only	Controls which command to use to open URLs in an alternative browser
CloudPolicyOverridesPlatformPolicy Chrome Browser only	Cloud policy that overrides Platform policy
PolicyListMultipleSourceMergeList	Allows merging list policies from different sources
SignedHTTPExchangeEnabled	Enables support for Signed HTTP Exchange (SXG)
SpellcheckLanguageBlacklist Windows, Linux, Chrome OS only	Disables unrecognized spellcheck languages

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• Flash blocked by default in Chrome 76

  As communicated in the Chromium Flash Roadmap, Adobe® Flash® will be blocked by default in Chrome 76. Users can manually switch back to ASK ("Ask first") before running Flash. This change won’t impact existing policy settings for Flash. You can still control Flash behavior using DefaultPluginsSetting, PluginsAllowedForUrls, and PluginsBlockedForUrls. For more details, see the Flash Roadmap.

• Site isolation enforced in Chrome 76

  In Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out if users encountered an issue. We’ve resolved the reported issues and starting with Chrome 76, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms. On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

• Drive integration in the address bar

  Soon, users will be able to search for Google Drive files that they have access to from the address bar. If you have G Suite Business, Enterprise, or Enterprise for Education, you can apply for the beta program.

  

• Removing --disable-infobars in Chrome 76

  Chrome 76 will no longer support the --disable-infobars flag, which was used to hide pop-up warnings from Chrome Browser. To support automated testing, kiosks, and automation, the CommandLineFlagSecurityWarningsEnabled policy will be added to allow you to disable some security warnings.

• Policy atomic groups introduced in Chrome 76 

  In order to ensure predictable behavior from policies that are tightly coupled with other policies, some policies will be regrouped in atomic policy groups. These groups will help ensure that all the applied policies from a single group come from the same source, which is the source with the highest priority. This change will help prevent unpredictable behavior when mixing multiple sources of policies.

• Merge policies with dictionary of values in Chrome 76

  In Chrome 76, you can merge policies that take a dictionary of values set from multiple sources, including the cloud and by platform and Active Directory. Without this policy, if different sources conflict, only one dictionary will have an effect. For details, see PolicyDictionaryMultipleSourceMergeList.

• Flag removal, starting with Chrome 76

  Many flags in chrome://flags will be removed in upcoming Chrome versions. You should not use flags to configure Chrome Browser because they are not supported. Instead, configure Chrome Browser for your enterprise or organization using policies.

• Improvements to version rollback

  A future version of Chrome will improve the rollback experience on Windows by preserving some user data during the rollback process.

Upcoming Chrome OS changes

• Print jobs to include user account and file name

  If the printer or print service support IPPS with IPP attributes for requesting-user-name and document-name, you will be able to have print jobs include the user account and file name to help with print tracking and follow-me printing. 

• New certificate verification engine and fallback enterprise policy

  Chrome 76 will start rolling out a new certificate verifier. For a few versions, we will provide an enterprise policy that will allow deployments to fall back on the legacy certificate verifier in case of certificate verification regressions or incompatibilities. We will provide more information about this feature in the Chrome 76 release notes.

• Adding print server support for CUPS

  We’re working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. You and your users will be able to configure connections to external print servers and print from the printers on these servers.

• Notifications on lock screen

  You will be able to set up a requirement for users to authenticate and give permission to show notifications on lock screen. A full password will be required, even if other authentication methods, such as PIN or fingerprint, are available.

• User account and file name in IPP Header

  If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about a print job that enables third-party printing features, such as secure printing and print-usage tracking.

• Linux apps USB devices
  From the Chrome Shell (crosh), you’ll be able to attach a USB device to Linux apps running on a Chromebook, so that Linux applications can access the Linux instance.

Upcoming Admin console changes

• Remove 20-printer limit for CUPS print management (device settings)

  The 20-printer maximum cap will be raised to allow for thousands of printers for each organizational unit in the Google Admin console. If you’re interested in testing this new feature, sign up for our Trusted Tester program.

• New default policies for printing (CUPS)

  There will be new controls for you to manage 2-sided and color printing.

• Managed guest session support for managed Google Play

  A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

• Device host name in DHCP requests
  You will be able to configure the device host name used during DHCP requests, including variable substitutions for ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, ${MACHINE_NAME}.

Chrome Browser updates

• Chrome Browser Cloud Management

  Chrome Browser has introduced support for management through the Google Admin console with Chrome Browser Cloud Management. Admins can use the Admin console to manage Chrome Browser across Windows^®, Mac^®, and Linux^®, without requiring users to sign in. Learn more about Chrome Browser Cloud Management.

  

• Dark mode for Windows in Chrome 74

  In Chrome 74, if the system theme is set to dark, Chrome on Windows will also use a dark theme on screen.

• Pop-ups will not be allowed on page unload

  Chrome 74 no longer allows pop-ups during page unload (see the removal notice). If you have any enterprise apps that still require pop-ups on page unload, you can enable the AllowPopupsDuringPageUnload policy to allow pop-ups on page unload until Chrome 82.

• Legacy Browser Support will no longer need an extension

  In Chrome 74, you can deploy Legacy Browser Support to automatically switch users between Chrome Browser and another browser. You can use policies to specify which URLs open in an alternative browser. For example, you can ensure that browser traffic to the public internet uses Chrome Browser, but visits to your organization’s intranet use Internet Explorer^®. You can turn on LBS and set policies to manage LBS in the Chrome Group Policy Template. Learn more about Legacy Browser Support Beta for Windows.

Chrome OS updates

• Annotations in PDF Viewer

  When viewing an Adobe PDF document in Chrome, you’ll be able to tap a button to annotate the PDF with pen and highlighter tools.

• New search feature in Chrome 74

  We’re adding a search feature so users can access recent queries and suggested apps without having to enter anything. Every time a user moves their cursor to or clicks the search box, but does not start entering text, they will get search suggestions. Users will also be able to remove recent queries that they no longer want to see and use suggested text to complete their query.

• External camera support for Google Camera app

  External USB cameras, such as webcams, USB microscopes, and document cameras, are now supported by the Google Camera app.

• Support for files and new folders in the “My files” root

  Users can save files locally and create new folders under the “My files” root outside of the default Downloads folder.

• ChromeVox developer log options

  As of version 74, we added a new section of ChromeVox developer options within the ChromeVox options page to give developers access to ChromeVox logs, which will help debugging. This allows developers to enable logs for speech, earcons, braille, and event streams.

• Linux apps on Chrome OS (Crostini) now support audio output

  Starting with Chrome 74, Linux apps on Chrome OS (Crostini) can now play audio.

Admin console updates

• Policy to enable native Active Directory integration

  You can now configure an existing domain to manage your Chrome devices with a Microsoft^® Active Directory^® server. If enabled, Chrome devices are domain joined to AD so you can see them in your domain controllers. You can also manage sessions and push policies to users and devices with GPO. You don’t need to synchronize usernames to Google servers. Users sign in to devices using their Active Directory credentials.

  To manage integrated devices, set the policy to enable Chrome Enterprise Active Directory integration in your Admin console. Visit Manage Chrome devices with Active Directory.

New and updated policies

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Policy	Description
AllowPopupsDuringPageUnload	Allows a page to show pop-ups during its unloading.
AuthNegotiateDelegateByKdcPolicy​ Chrome OS, Mac, and Linux only	Use key distribution center (KDC) policy to delegate credentials on machines using Active Directory Kerberos authentication. Controls whether approval by KDC policy is respected, to delegate Kerberos tickets.
BrowserSwitcherChromeParameters Windows only	Command-line parameters for switching from the alternative browser.
BrowserSwitcherChromePath Windows only	Path to Chrome for switching from the alternative browser.
BrowserSwitcherDelay​	Delay before launching alternative browser (milliseconds).
BrowserSwitcherEnabled​	Enable the Legacy Browser Support feature.
BrowserSwitcherExternalSitelistUrl​	URL of an XML file that contains URLs to load in an alternative browser.
BrowserSwitcherKeepLastChromeTab​	Keep last tab open in Chrome.
BrowserSwitcherUrlGreylist​	Websites that should never trigger a browser switch.
BrowserSwitcherUrlList​	Websites to open in alternative browser.
BrowserSwitcherUseIeSitelist Windows only	Use Internet Explorer's SiteList policy for Legacy Browser Support.
RemoteAccessHostAllowFileTransfer Browser only	Allow remote access users to transfer files to/from the host. Controls the ability of a user connected to a remote access host to transfer files between the client and the host. This doesn’t apply to remote assistance connections, which don’t support file transfer.
WebUsbAllowDevicesForUrls	Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.

Google Cloud Next recap

Chrome Enterprise product managers and customer engineers presented a number of talks at the Google Cloud Next conference in San Francisco the week of April 8, 2019. You can watch on YouTube recordings of the 18 Mobility & Devices Sessions.

The talks below should be specifically of interest to Chrome Enterprise IT admins:

Browser-focused talks

• What's New in Chrome Browser
• Manage Chrome Browser from the Cloud
• How Google IT Manages Enterprise Extensions

Chrome OS-focused talks

• Managing Chromebooks and Apps With Chrome Enterprise
• How Google IT Supports its Scaling Global Workforce with Chromebooks
• Changing End User Computing: Seven Facts You Should Know About Chrome Enterprise

New Chrome OS administrator credential

We're now offering a new Chrome OS administrator credential. The Chrome OS administrator exam is free and measures the ability to:

• Create, delete, and administer users for a domain
• Configure and manage organizational units
• Manage Chrome devices in the Google Admin console
• Configure and manage security and privacy settings

​For details, see Earn your Chrome OS administrator credential.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• Drive search results in the address bar

  Users will see Google Drive results when entering a search in the address bar, including PDFs, Google Sheets, Docs, and Slides.

  

• All extensions must be packaged with CRX3 format in Chrome 75

  CRX2 uses SHA1 to secure updates to the extension and breaking SHA1 is technically possible, allowing attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

  Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. And, new installations of the extension will fail. See ExtensionAllowInsecureUpdates.

• PacHttpsUrlStrippingEnabled policy will be removed in Chrome 75 

  If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution, reducing the chance that sensitive information is unnecessarily exposed. For example, https://www.example.com/account?user=234 would be stripped to https://www.example.com/.  If you set this policy to True or leave it on the default value, then there will be no change. If you set this policy to False, you will no longer be able to do so in Chrome 74.  

• EnableSymantecLegacyInfrastructure policy will be removed in Chrome 75

  EnableSymantecLegacyInfrastructure was used as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. This allows time for migrating any internal certificates not used on the public internet. This policy will be removed. Certificates issued from the Legacy PKI Infrastructure should have replacement certificates issued by public or enterprise-trusted CAs.

• Policy rollback to a previous version in Chrome 75

  Chrome 75 on Windows will include a policy that allows administrators to roll back to a previous version of Chrome. Note that only the latest release of Chrome is officially supported, so if an admin rolls back to an older version of Chrome, they do so at their own risk. This policy is meant as an emergency mechanism and should be used with caution. A future version of Chrome on Windows will improve the rollback experience by preserving user states during the rollback process.

  Read before using this policy: To make sure that users are protected by the latest security updates, we recommend that they use the latest version of Chrome Browser. If you roll back to an earlier version, you will expose your users to known security issues. Sometimes you might need to temporarily roll back to an earlier version of Chrome Browser on Windows computers. For example, your users might have problems after a Chrome Browser version update.

  Before you temporarily roll back users to a previous version of Chrome Browser, we recommend that you turn on Chrome sync or Roaming User Profiles for all users in your organization. If you don’t, previous versions of Chrome Browser will not use data that was synced from later versions. Use this policy at your own risk.

  Note: You can only roll back to Chrome Browser version 72 or later. Please provide feedback on this feature.

• SSLVersionMax policy will be removed in Chrome 75

  The SSLVersionMax policy, which can be used as a short-term workaround while TLS 1.3 is rolled out, will be removed in Chrome 75. This allows time for middleware vendors to update their TLS implementations.

• Site isolation enforced on desktop in Chrome 75

  Before shipping site isolation in Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out of site isolation if users encountered an issue. We’ve resolved the reported issues and starting with Chrome 75, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms. On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

• Blacklisted extensions can be removed (rather than just disabled) by policy in Chrome 75

  A new policy will be made available to specify that Chrome Browser shouldn’t just disable blacklisted extensions, but remove them completely.

• Policy to control signed HTTP exchange in Chrome 75

  Signed HTTP exchange enables publishers to safely make their content portable, or available for redistribution by other parties, while keeping the content’s integrity and attribution. Portable content has many benefits, such as enabling faster content delivery, facilitating content sharing between users, and simpler offline experiences. In Chrome 75, the SignedHTTPExchangeEnabled policy will control whether signed HTTP exchange is enabled or not.

• CompanyName and LegalCopyright fields will be updated in Chrome 75

  Chrome 75 will change the CompanyName and LegalCopyright fields in the version resource of Windows binaries (for example chrome.exe and chrome.dll) from "Google Inc." and "Copyright 2018 Google Inc. All rights reserved." to "Google LLC" and "Copyright 2019 Google LLC. All rights reserved."

• Flash will be blocked by default in Chrome 76

  As communicated in the Chromium Flash Roadmap, Flash is to be blocked by default in Chrome 76 (Stable release beginning end of July 2019). Users can still switch it back to ASK by default. This change won’t impact enterprises that already configure policy settings for Flash (DefaultPluginsSetting, PluginsAllowedForUrls, PluginsBlockedForUrls). Enterprises will still be able to control this policy. 

Upcoming Chrome OS changes

• New certificate verification engine and fallback enterprise policy

  Chrome 76 will start rolling out a new certificate verifier. For a few versions, we will provide an enterprise policy that will allow deployments to fall back on the legacy certificate verifier for the unlikely case of certificate verification regressions or incompatibilities. We will provide more information about this feature in the Chrome 76 release notes.

• Adding print server support for CUPS

  We’re working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. Users and administrators will be able to configure connections to external print servers and print from the printers on these servers.

• Notifications on lock screen 

  When looking for notifications, a message saying that notifications are hidden will show up. Next to it, a button will appear to enable notifications, which will require the user to authenticate and give permission to show notifications on lock screen. Full password will be required, even if other authentication methods, such as PIN or fingerprint, are available.

• User account and file name in IPP Header

  If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about the print job that enables third-party printing features, such as secure printing and print usage tracking, if supported.

• Linux apps USB devices

  From the Chrome Shell (crosh), you will be able to attach a USB device to Linux apps running on Chromebooks so that Linux applications can access the Linux instance.

• BLE advertising in Chrome apps flag being removed
  The #enable-ble-advertising-in-apps flag (about://flags) will be removed in Chrome 75. This feature is designed to work with Chrome apps operating within kiosk sessions. Any developers leveraging BLE Advertising APIs should debug functionality in kiosk session, rather than use a regular user session.

Upcoming Admin console changes

• Remove 20-printer limit for CUPS print management

  The 20-printer maximum cap will be raised to allow for thousands of printers for each organizational unit in the Admin console. If you’re interested in testing this out, join our trusted tester program.

• New default policies for printing (CUPS)

  Soon, there will be new controls for administrators to manage printing capabilities for their users for 2-sided and color printing. Admins will be able to set defaults or restrict these print options.

• Managed guest session support for managed Google Play

  A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome Browser updates

• Managed by your organization menu item

  Starting in Chrome 73, when one or more policies are set in Chrome Browser, some users will see a new item on the More  menu that indicates that Chrome is being managed. If a user clicks Managed by your organization, they are directed to details about Chrome Browser management.

  

• Changes to the Chrome sign-in flow

  In Chrome 73, we're rolling out the following changes to Chrome Browser settings:

  • When a user turns Chrome sync on, they now get additional features, including an enhanced spellchecker and extended reporting for safe browsing.

  • Sync and Google services—A new section that lists all of the settings related to data collected by Google in Chrome Browser. Many of these settings were previously in the Privacy section.

  • Make searches and browsing better—A new setting in the Sync and Google services section that allows users to control whether features in Chrome Browser can collect anonymous URLs.

    

• Chrome Browser binaries signed with new digital certificate

  Chrome Browser binaries and installer are now signed with a digital certificate issued to Google LLC (rather than Google Inc). There are no changes to the Certificate Authority (CA).

• Password Manager enterprise policy for Android now aligned to desktop

  The PasswordManagerEnabled policy controls whether the password manager offers to save passwords. On Android, this policy prevented users from viewing passwords that were already saved. Starting with Chrome 73, Chrome Browser on Android will behave like other platforms and allow the user to view their saved passwords.

• Progressive Web App support on Mac

  In Chrome 73, Progressive Web Apps (PWAs) can now be installed on Apple^® Mac^®. For details, see Desktop Progressive Web Apps.

• Dark mode for Mac

  In Chrome 73, if the system theme is set to dark, Chrome Browser on Mac computers will also use a dark theme. Support for Microsoft^® Windows^® is planned for a future release. 

• Accessibility improvements

  A number of improvements have been made to accessibility in Chrome Browser, including greater contrast and compatibility with screen readers. Some of the improvements include:

  • Improved contrast in pop-up boxes, the search box, and tabs (especially when a tab is not active).
  • More pop-up boxes correctly report titles to screen-reader software.
  • Tabs are now keyboard-accessible.
  • Fixes to the way pressing the F6 or Tab key moves through the order of the Chrome Browser toolbar, and other controls, including access to some new UI elements.
  • Screen reader now announces additional information, such as the page zoom level when it’s changed and the number of Find results.
  • Misleading screen-reader prompts are fixed to reflect current functionality. For example, the correct key combination is now reported when you want to zoom in on a page.
  • If a user draws around an element in the UI, there are now improvements in the contrast and appearance of focus rings.

• New policy to force networking code to run in the browser process

  The network code we use for Chrome Browser is being moved to a separate process. It’s an internal architectural change that wasn't expected to interact with other products. However, we're aware of one report of the move breaking a third-party product that used to inject code into Chrome Browser's process. If this move is causing any issues in your environment, you can temporarily use the ForceNetworkInProcess policy to force networking to run in the browser process. This is a temporary policy that will be removed in the future; there is currently no specific timeline, but we plan to provide 4 milestones notice before removal.

• Notice for web developers: Flexbox rendering

  Chrome Browser now follows the recommendation from the World Wide Web Consortium for the box model that’s optimized for a UI. Flex items now get the correct minimum size. If you’re a web developer, we recommend that you set the CSS on your webpages with flex items to min-height: auto. For details on the change, see Chromium and the Consortium specification.

• Notice for developers: Changes to cross-origin requests in extension content scripts

  Chrome 73 includes changes to the behavior of cross-origin requests from content scripts. These changes help site Isolation protect Chrome users even if a renderer is compromised, but these changes may break extensions that have not yet adapted to the new security model. For instructions on how to verify if a Chrome extension you’re using is affected or to request adding an extension to a temporary allowlist, see Chromium.org.

Chrome OS updates

• Managed guest sessions to replace public sessions

  In Chrome 73, public sessions are being replaced with managed guest sessions, which provide additional capabilities. Depending on the configuration of the organizational unit that has managed guest session devices, an existing public session device might have the capabilities automatically activated. If so, all certificates, policies, and extensions of the organization will be applied to the managed guest session of this device in the future and no manual changes are required. Learn more about how to manage guest session devices.

• eSpeak for Chrome OS

  You can set up text-to-speech in dozens of languages on devices running Chrome OS to enhance  accessibility. For details, see eSpeak NG.

• Pair Bluetooth braille displays with Chromebooks

  In addition to supporting USB-refreshable braille displays, you now have the ability to pair braille displays through Bluetooth^®. For details, see Use a braille device with your Chromebook.

• Camera app 5.3 update

  Users can now take photos and videos with a 3 or 10-second timer, line up shots with grid options, and use a mirror button that’s helpful when using external cameras, such as USB microscopes or document cameras.

Admin console updates

• Enable managed Chrome devices to run Linux apps

  Last year we announced that consumer users can run Linux apps, including Android Studio on these Chrome devices. With Chrome 73, we’re making this feature available on managed devices. Admins can now enable or disable the use of virtual machines that are required to use Linux apps on managed Chrome OS devices. The policy is disabled by default. Admins who want to enable this policy, see Virtual Machines in Set Chrome device policies. Users need to follow the steps in Set up Linux (Beta) on your Chromebook.

  

• New default policy for black & white printing (CUPS)

  There are new controls for administrators to manage black and white printing capabilities for their users. Controls for 2-sided and color printing are coming soon.  If you’re interested in getting early access to test printing features, please complete the trusted tester application.

  

New and updated policies

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Policy	Description
ExtensionAllowInsecureUpdates	Allows insecure algorithms in integrity checks on extension updates and installations. Starting in Chrome 77, this policy will be ignored and treated as disabled.
DeviceGpoCacheLifetime Chrome OS only	Specifies the lifetime (in hours) of the Group Policy Object (GPO) cache.
DeviceAuthDataCacheLifetime Chrome OS only	Specifies the lifetime (in hours) of the authentication data cache.
ForceNetworkInProcess Windows only	Forces networking code to run in the browser process. This policy is disabled by default. If enabled, it leaves users open to potential security issues when the networking process is sandboxed.
ReportDevicePowerStatus Chrome OS only	Reports hardware statistics and identifiers related to power.
ReportDeviceStorageStatus Chrome OS only	Reports hardware statistics and identifiers for storage devices.
ReportDeviceBoardStatus Chrome OS only	Reports hardware statistics for system on a chip (SoC) components.
CloudManagementEnrollmentToken Browser only	Enrollment token used for enrolling in cloud management. This replaces the MachineLevelUserCloudPolicyEnrollmentToken policy.
PluginVmLicenseKey Chrome OS only	Specifies a PluginVm license key for a device.
ParentAccessCodeConfig Chrome OS only	Specifies the configuration that’s used to generate and verify a parent access code.

New Chrome OS administrator credential

We are excited to announce the Chrome OS administrator credential. The Chrome OS administrator exam is free and measures the ability to:

• Create, delete, and administer users for a domain
• Configure and manage organizational units
• Manage Chrome devices in the Google Admin console
• Configure and manage security and privacy settings

​For details, see Earn your Chrome OS administrator credential.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

• Flash blocked by default in Chrome 76

  As communicated in the Chromium Flash Roadmap, Adobe^® Flash^® is planned to be blocked by default in Chrome 76 (stable release beginning end of July 2019). Users will still be able to switch it back to Ask to use Flash by default. This change will not impact enterprises who already configure policy settings for Flash (DefaultPluginsSetting, PluginsAllowedForUrls, PluginsBlockedForUrls). Enterprises will still be able to control this policy as before. 

• Drive search results in the address bar

  Users will see Google Drive results when entering a search in the address bar, including PDFs, Google Sheets, Docs, and Slides.

  

• Dark mode for Windows in Chrome 74

  In Chrome 74, if the system theme is set to dark, Chrome Browser on Windows computers will also use a dark theme in the UI. 

• Use a policy to roll back to a previous version of Chrome Browser

  We are working on a policy to roll back a Chrome Browser version while retaining account and profile data. The new policy will allow administrators to roll back in conjunction with the existing TargetVersionPrefix ADMX policy. You can send feedback on this feature in the Chromium bug tracker.

  Read before using this policy: To make sure that users are protected by the latest security updates, we recommend that they use the latest version of Chrome Browser. If you roll back to an earlier version, you will expose your users to known security issues. Sometimes you might need to temporarily roll back to an earlier version of Chrome Browser on Windows computers. For example, your users might have problems after a Chrome Browser version update.

  Before you temporarily roll back users to a previous version of Chrome Browser, we recommend that you turn on Chrome sync or Roaming User Profiles for all users in your organization. If you don’t, previous versions of Chrome Browser will not use data that was synced from later versions. Use this policy at your own risk.

  Note: You can only roll back to Chrome Browser version 72 or later 

• Deprecated policies will remain in the ADMX templates

  The ADM and ADMX templates will be modified to keep deprecated and unsupported policies in the output. They will be placed in a dedicated folder and have the same description. The update will make it easier to delete policies after they’re deprecated. Learn more about Deprecated Chrome policies.

• PacHttpsUrlStrippingEnabled policy will be removed in Chrome 74 

  If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution, reducing the chance that sensitive information is unnecessarily exposed. For example, https://www.example.com/account?user=234 would be stripped to https://www.example.com/.  If you set this policy to True or leave it on the default value, then there will be no change. If you set this policy to False, you will no longer be able to do so in Chrome 74.  

• EnableSymantecLegacyInfrastructure policy removed in Chrome 74

  The EnableSymantecLegacyInfrastructure policy can be used as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. This allows time for migrating any internal certificates not used on the public internet. This policy will be removed in Chrome 74. Certificates issued from the Legacy PKI Infrastructure should have replacement certificates issued by public or enterprise-trusted Certificate Authorities (CAs). See Migrate from Symantec certificates.

• SSLVersionMax policy will be removed in Chrome 75

  The SSLVersionMax policy, which can be used as a short-term workaround while TLS 1.3 is rolled out, will be removed in Chrome 75. This allows time for middleware vendors to update their TLS implementations.

• All extensions must be packaged with CRX3 format in Chrome 75

  CRX2 uses SHA1 to secure updates to the extension and breaking SHA1 is technically possible, allowing attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

  Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. And, new installations of the extension will fail. See ExtensionAllowInsecureUpdates.

• Site isolation enforced on desktop in Chrome 75

  Before shipping site isolation in Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out of site isolation if users encountered an issue. We’ve resolved the reported issues and starting with Chrome 75, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms. On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

• ThirdPartyBlockingEnabled deprecation

  In the Chrome Enterprise 68 release notes published in July 2018, we announced that the ThirdPartyBlockingEnabled policy will be deprecated in approximately one year (Chrome 77). This announcement was intended as a general deprecation date at some point in the future, but due to feedback and in order to give the ecosystem more time to adapt to the change, the deprecation is currently not targeted for Chrome 77. When a date is set for deprecation, we will announce it in the release notes. We plan to provide 4 notices before removal.

• TLS 1.3 downgrade hardening

  Chrome Browser enabled TLS 1.3 in Chrome 70. However, due to bugs in some enterprise TLS proxies, a hardening mechanism was temporarily disabled. A future version of Chrome Browser will re-enable this measure. To test networks in Chrome 73:

  1. Set chrome://flags/#enforce-tls13-downgrade Enabled.
  2. Visit a TLS-1.3-enabled server, such as https://mail.google.com. 
  3. If the connection fails with ERR_TLS13_DOWNGRADE_DETECTED, some proxy on the network has the hardening mechanism temporarily disabled.

  You should upgrade affected proxies to fixed versions or contact vendors if no fix is available. The following list contains the minimum firmware versions for affected products that we're aware of:

  Palo Alto Networks:

  • PAN-OS 8.1 must be upgraded to 8.1.4 or later.
  • PAN-OS 8.0 must be upgraded to 8.0.14 or later.
  • PAN-OS 7.1 must be upgraded to 7.1.21 or later.

  Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):

  • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later.
  • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later.
  • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later.
• Legacy browser support planned to be incorporated into Chrome 75

  Legacy browser support functionality is being incorporated into Chrome Browser, and the separate extension will no longer be needed. We will keep the extension in the Chrome Web Store for the foreseeable future so customers on older versions of Chrome Browser can continue to use legacy browser support. If you’re interested in getting early access to test legacy browser support integration, please complete this interest form.

• Pop-ups will not be allowed on page unload

  In Chrome 74, we will no longer allow pop-ups during page unload. See the removal notice. We’ve been notified that this might break some enterprise apps so a temporary policy will be made available to allow pop-ups on page unload when Chrome 74 launches. This temporary policy is planned to be removed in Chrome 76. 

Upcoming Chrome OS changes

• New search feature in Chrome 74

  We’re adding a search feature so users can access recent queries and suggested apps without having to enter anything. Every time a user moves their cursor to or clicks the search box, but does not start entering text, they will get search suggestions. Users will also be able to remove recent queries that they no longer want to see and use suggested text to complete their query.

• Adding print server support for CUPS

  We are working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. Users and administrators will be able to configure connections to external print servers and print from the printers on these servers.

• Notifications on lock screen 

  Coming soon, when looking for notifications, a message saying that notifications are hidden will show up. Next to the message, users can click a button to enable notifications. Users must authenticate and give permission to show notifications on lock screen. A full password will be required, even if other authentication methods, such as PIN or fingerprint are available.

• User account and file name in IPP Header

  If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about the print job that enables third-party printing features, such as secure printing and print usage tracking, if supported.

• Annotations in PDF viewer

  When viewing a PDF on a device running Chrome OS, you will be able to tap a button to annotate the PDF with pen and highlighter tools.

• Linux apps USB devices

  From the Chrome Shell (crosh), you will be able to attach a USB device to Linux apps running on Chromebooks so that Linux applications can access the Linux instance.

• External camera support for the Camera app
  External USB cameras will be supported by the Camera app. 

Upcoming Admin console changes

• Remove 20-printer limit for CUPS print management

  Soon, the 20 printer maximum cap will be raised to allow for several thousand printers for each organizational unit in the Google Admin console. If you’re interested in testing the new feature, please join our trusted tester program.

• New default policies for printing (CUPS)

  Soon, there will be new controls for administrators to manage printing capabilities for their users for duplex printing. Admins will be able to set defaults or restrict whether users can or cannot use duplex printing. 

• Managed guest session support for managed Google Play

  A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome Browser updates

• New search result types

  In Chrome 72, you’ll get 2 new types of search results when you search from the address bar. You’ll get results based on entities—people, things, places, and so on. These results will contain the search text, an image of the entity you’re searching for, and a short description.

  

  You’ll also get suggestions to complete the end of a search string. For example, if you search for “widget sale best prac…”, you’ll get a suggestion for “practice” as a completion to your search.

  

• Cleanup tool quarantines—instead of deleting—files it detects as malicious

  If you use the Chrome Cleanup tool on Microsoft^® Windows^® computers, files detected as malicious will now be quarantined rather than deleted. This update will help lessen the risk of safe files being mistakenly deleted. Learn more about removing unwanted programs and the Chrome Cleanup tool policy.

• Save payment information to a Google Account

  In Chrome 72, users who are signed in to their managed Google Account will now see an option to save their payment information to their Google Account. As an administrator, you can turn off this feature (Sync Service setting) in the Google Admin console or by using the AutofillCreditCardEnabled policy.

• Support for Windows 10 U2F and web authentication APIs

  If you use the most recent version of Windows 10, you’ll have added support for Universal 2nd Factor (U2F) and WebAuthn—standards that enable web authentication through security keys instead of passwords. U2F and WebAuthn are only supported on the most recent versions of Windows 10: either current Insider Preview builds or the forthcoming 19H1 release (“Redstone 6”). Integration with these APIs enables Windows Hello support through WebAuthn and support for NFC tokens. USB and Bluetooth Low Energy (BLE) devices should continue to work, although Windows UI will now be displayed. Any organizations that depend on U2F or WebAuthn, and are using sufficiently recent Windows builds, should verify that this feature works correctly before rolling it out.

• EnableSha1ForLocalAnchors policy

  Enterprises that needed time to migrate following the 2014 announcement to sunset SHA-1 were able to configure an enterprise policy to enable support for SHA-1 for locally installed, privately trusted Certificate Authorities. This support has now been removed in Chrome 72. Enterprises that rely on server certificates that use the SHA-1 algorithm in the certificate chain will find that Chrome 72 will refuse to connect, presenting an untrusted certificate error. These certificates should be replaced with SHA-2 certificates to avoid any disruption.

• New welcome experience (Windows)

  When you start Chrome Browser for the first time on Windows, you’ll see a new welcome page, unless you’re on a device that’s joined to a Microsoft^® Active Directory^® domain.

• Changes to sign-in behavior with Chrome 72

  In Chrome 72, a small percentage of users will now see the following changes to the Chrome sign-in behavior. A wider roll-out of these features will happen in Chrome 73:

  • When a user turns Chrome sync on, they now get additional features, including “Enhanced spell check” and “Safe browsing extended reporting.”
  • The Chrome settings page includes a new section—Sync and Google services—which lists all of the settings related to data collected by Google in Chrome Browser. Many of these settings were previously under “Privacy”.
  • A new setting, “Make searches and browsing better” will appear under “Sync and Google services” on the settings page. This allows users to control whether features within Chrome can collect anonymized URLs.

Chrome OS updates

• USB connections on locked devices

  Chrome 72 will offer initial support to ignore some types of USB connections on locked devices that are running Chrome OS including printers, scanners, and storage devices. USBGuard is on by default beginning with Chrome 72. If issues are detected, admins can disable this feature through chrome://flags.

• Android app shortcuts in launcher search

  Users can now search for app shortcuts in the launcher search. For example, users can search for Compose and be taken to the exact related app, such as a new blank message in Gmail.

• New drawing app for Chromebooks

  Chromebook users now have the Canvas app for drawing.

• ChromeVox screen reader update

  ChromeVox users with low vision can now opt to have the screen reader read anything under their mouse cursor. This feature can be enabled through the setting “Speak text under the mouse” in the ChromeVox options page.

  

• Android 9.0 support coming to certain Chrome devices

  Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. We’ll include more information in future release notes when it comes available.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

• Drive search results in the address bar

  Users will see Google Drive results when entering a search in the address bar, including Google Sheets, Docs, Slides, and PDFs.

  

• Roll back Chrome Browser version with policy

  Many enterprise customers have asked Google to provide a version rollback mechanism. We are working on a policy to roll back Chrome Browser while retaining account and profile information. This will allow administrators to enable a rollback in conjunction with the existing TargetVersionPrefix ADMX policy. If the Chrome version updater cannot rollback the browser, the chrome://policy page will contain an error message and the existing release will continue to function. Only the latest release of Chrome is officially supported, so if an admin rolls back to an older version they do so at their own risk. You can provide feedback to the engineering team on this feature on Chromium.

• Deprecated policies will remain in the ADMX templates

  Deprecated policies will be placed in a dedicated folder in the ADMX templates and have the same description. This change will make it easier for administrators to delete policies after they’re deprecated. Learn more about Deprecated Chrome policies.

• Changes to the sign-in behavior with Chrome 73

  The updates described above in Changes to the sign-in behavior with Chrome 72 will be rolled out for all users in Chrome 73.

• PacHttpsUrlStrippingEnabled policy will be removed in Chrome 74

  The PacHttpsUrlStrippingEnabled policy will be removed in Chrome 74. If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution. For example, https://www.example.com/account?user=234 will be stripped to https://www.example.com/. If you set this policy to True or leave it on its default value, then there will be no change. However, in Chrome 74, you will no longer be able to set it to False.

• EnableSymantecLegacyInfrastructure policy will be removed in Chrome 74

  The EnableSymantecLegacyInfrastructure policy will be removed in Chrome 74. This policy is intended as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. This allows time for migrating any internal certificates not used on the public Internet. This policy will be removed in Chrome 74. Certificates issued from Legacy PKI Infrastructure should have replacement certificates issued by public or Enterprise-trusted Certificate Authorities (CAs). See Migrate from Symantec certificates.

• SSLVersionMax policy will be removed in Chrome 75

  The SSLVersionMax policy was a short-term work-around while TLS 1.3 is rolled out. This allows time for middleware vendors to update their TLS implementations. The policy will be removed in Chrome 75.

• All extensions must be packaged with CRX3 format by Chrome 75

  Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.This change has been made because CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is technically possible. So, an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

  If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. New installations of the extension will fail.

• Site isolation will be enforced on Chrome 75 (Desktop)

  Before shipping Site Isolation in Chrome 67, we introduced enterprise policies that enterprises could use to opt in to Site Isolation early or opt out of Site Isolation if they encountered an issue. We’ve resolved the reported issues and starting with Chrome 75, we will remove the ability to opt out of Site Isolation using the SitePerProcess or IsolateOrigins policies on desktop. We tentatively plan to move Chrome 75 to the stable channel in June 2019.

  Notes:

  • This change only applies to desktop platforms. On Android, SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable Site Isolation.
  • If you run into any issues with the SitePerProcess or IsolateOrigins policies, file a bug in Chromium.

Upcoming Chrome OS changes

• External camera support for Camera app

  External USB cameras will be supported by the Google Camera app.

• Users can allow notifications on lock screen

  When looking for notifications, a message saying that notifications are hidden will show up. Next to it is a button to enable notifications, which will require the user to authenticate and give permission to show notifications on lock screen. A full password will be required, even if other authentication methods, such as a PIN or fingerprint, are available.

• Always-on VPN for managed Google Play

  Currently, Admins can install Android VPN apps on Chromebooks, however, users have to start the VPN app manually. Soon, admins will be able to set an Android VPN app to start a connection when a device is turned on and direct all user traffic (Chrome OS and Android) through that connection.

• User account / Filename in IPP Headers

  If enabled by policy, all print jobs can include the requesting user account and file name printed in the IPP header. This new feature will provide additional information about print jobs that enable third-party printing features, such as secure printing and print-usage tracking.

• Annotations in PDF Viewer

  When viewing a PDF in Chrome, you will be able to tap a button to add notes to the PDF with a pen and highlighter tools.

• Linux container support for USB devices

  From the Chrome Shell (crosh), you will be able to attach a USB device to Linux running on Chrome devices (Crostini) so that Linux applications can access the Linux instance.

Upcoming Admin console changes

• Native printing (CUPS) improvements
  • Printing limit lifted—The 20 printer maximum cap will be raised to allow for several thousand printers for each organizational unit in the Google Admin console.
  • Set default for 2-sided and black and white printing—Controls are coming for administrators to manage printing capabilities for their users around 2-sided printing and black and white printing. Admins will be able to set defaults or restrict these print options with CUPS (native printing).

• Managed guest session support for managed Google Play

  A setting in the Google Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome Browser updates

• Change to using PAC scripts to configure proxy settings in Chrome

  If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. This is especially so if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.

  The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution. For example, https://www.example.com/account?user=234 will be stripped to https://www.example.com/.

  This policy will change the default value from False to True to improve security. If you already set this policy to True, there’s no impact. If you set it to False, there’s no immediate impact. If you haven’t set this policy and are relying on the default, test this change to see how your PAC scripts operate.

  This policy will be removed in a future release when PAC stripping becomes the default for Chrome.

• Deprecate trust in remaining Legacy Symantec PKI Infrastructure

  This change is present in all release channels: Canary, Dev, Beta, and Stable. Users observing the distrust in Chrome 70 should experience the exact same behavior in Chrome 71 and later. For a small percentage of users, Chrome 71 will be the first time they experience the distrust, which could result in more problems involving related errors.

  Find instructions on how to determine whether a site is affected and any corrective action needed, as well as a description of past changes.

Chrome OS updates

• Fingerprint and PIN enrollment in Chrome device Out of Box Experience (OOBE)

  For tablets that support fingerprint and/or PIN, users can enroll a fingerprint or set up a PIN while signing in to the device for the first time.

• Connect to your Android phone

  Users can connect with their Android phone using a single setup flow to enable Smart Lock, instant tethering, and Android Messages PWA. Android Messages PWA gives users the ability to see, reply to, and start text messages.

• Android Messages for Chrome OS

  Users can text from their Chrome OS by connecting with their Android phone. 

• Print multiple pages per sheet on native (CUPS) printing

  Native printers using CUPS now support rendering multiple pages of content onto a single sheet of paper. Previously only available for Cloud Print printers, this is now available for all printing destinations.

Admin console updates

• Managing site isolation policies

  Site isolation policies on the desktop get updated to reflect that they’re on by default. (They include controls to turn off site isolation or add specific site rules.) New policies are added to the Admin console for Chrome on Android. For more, see Protect your data with site isolation.

New and updated policies

Policy	Description
AllowWakeLocks Chrome OS only	Specifies whether wake locks are allowed. Wake locks can be requested by extensions through the power management extension API and by ARC apps.
NetworkFileSharesPreconfiguredShares Chrome OS only	List of preconfigured network file shares.
NTLMShareAuthenticationEnabled Chrome OS only	Network File Share feature. This policy controls enabling NTLM as an authentication protocol for SMB mounts.
SmartLockSigninAllowed Chrome OS only	Allow Smart Lock Sign-in to be used.
VpnConfigAllowed Chrome OS only	Allow the user to manage VPN connections.
WebUsbAllowDevicesForUrls All operating systems	Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.

Deprecations

• EnableSha1ForLocalAnchors policy

  Enterprises that needed time to migrate following the 2014 announcement to sunset SHA-1 were able to configure an Enterprise policy to enable support for SHA-1 for locally installed, privately trusted Certificate Authorities. Support would be removed in January 2019 at the latest, which corresponds to Chrome 72. Enterprises that rely on server certificates that use the SHA-1 algorithm in the certificate chain will find that Chrome 72 will refuse to connect, presenting an untrusted certificate error. These certificates should be replaced with SHA-2 certificates to avoid any disruption.

• SupervisedUserCreationEnabled policy (deprecated in Chrome 70)

  Read about consumer supervised users.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

• The Chrome Cleanup Tool will quarantine—instead of deleting—files it detects as malicious

  The Chrome Cleanup Tool helps users remove unwanted software on their computers. The removal process includes deleting malicious files in the system. However, to lessen the risk of safe files being erroneously deleted, files will be moved into quarantine instead of getting deleted permanently. For more, learn about removing unwanted programs and the Chrome Cleanup Tool policy.

• PacHttpsUrlStrippingEnabled policy (scheduled to be deprecated in Chrome 74) 

  See the above note on Change to using PAC scripts to configure proxy settings in Chrome.

• SSLVersionMax policy (scheduled to be deprecated in Chrome 75)

  SSLVersionMax can be used as a short-term workaround while TLS 1.3 is rolled out. This allows time for middleware vendors to update their TLS implementations. The policy will be removed in Chrome 75.

• Third-party code injection

  The Chrome 70 release notes stated that in Chrome 71, third-party code blocking will be enabled by default for everyone, including domain-enrolled users. However, due to an issue with anti-virus file scanning, we're delaying this change until we have a solution that better covers customers' needs.

• All extensions must be packaged with CRX3 format by Chrome 75

  Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.

  If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. New installations of the extension will fail.

  Why is this change happening?

  CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is technically possible. So, an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

Upcoming Chrome OS features

• Always-on VPN for managed Google Play

  Admins can install Android VPN apps on Chromebooks. However, users have to start the VPN app manually.

  Soon, admins can set an Android VPN app to start a connection when a device is turned on and direct all user traffic (Chrome OS and Android) through that connection. If the connection fails, all user traffic is blocked until the VPN connection is re-established. VPNs in Chrome OS don’t apply to any system traffic, such as OS and policy updates to prevent security exploits.

• Android 9.0 support coming to certain Chrome devices

  Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. Dates and affected devices haven’t been announced. We’ll include more information in future release notes when it comes available.

Upcoming Admin console features

• Native printer-management improvements

  The 20 printer maximum cap will be raised to allow for several thousand printers for each organizational unit in the Google Admin console.

• Managed guest session support for managed Google Play

  A setting in the Google Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

We're accepting sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy	Description
BrowserSignin	Controls the sign-in behavior of Chrome Browser.
DeviceLocalAccountManagedSessionEnabled Chrome OS only	Allows managed session behavior on a device configured for public sessions.
NetBiosShareDiscoveryEnabled Chrome OS only	Controls Network File Share discovery through NetBIOS.
NetworkFileSharesAllowed Chrome OS only	Controls whether the Network File Share feature for Chrome OS is allowed for a user.
PowerSmartDimEnabled Chrome OS only	Specifies whether a smart dim model is allowed to extend the time until the screen is dimmed
PrintHeaderFooter	Specifies whether users can print headers and footers.
ReportMachineIDData Desktop only	Controls whether to report information that can be used to identify machines. Learn more about reporting on Chrome.
ReportPolicyData Desktop only	Controls whether to report policy data and the time of a policy fetch. Learn more about reporting on Chrome.
ReportUserIDData Desktop only	Controls whether to report information that can be used to identify users. Learn more about reporting on Chrome.
ReportVersionData Desktop only	Controls whether to report Chrome OS version information. Learn more about reporting on Chrome.
WebRtcEventLogCollectionAllowed	Specifies whether to allow or block Chrome OS from collecting WebRTC event logs from Google services.

Chrome Browser updates

• Sign-in policy change

  Starting in Chrome 70, the BrowserSignin policy will control the Allow Chrome sign-in setting for your users on Chrome Browser. It allows you to specify if the user can sign in with their account and use account-related services, such as Chrome Sync.

  If the policy is set to "Disable browser sign-in", then the user cannot sign in to the browser and use account-based services. In this case, account-bound features, such as Chrome Sync, cannot be used and will be unavailable.

  If the policy is set to "Enable browser sign-in", then the user can sign in to the browser, but they’re not forced to do so. The user can’t disable signing in to the browser. To control the availability of Chrome Sync, use the SyncDisabled policy.

  If the policy is set to “Force browser sign-in”, then the user has to sign in to Chrome before using the browser. The default value of BrowserGuestModeEnabled will be set to false. Existing profiles that are not signed in will be locked and inaccessible after enabling this policy. 

  If this policy is not set, then the user can decide if they want to enable the browser sign-in option and use it as they see fit.

• Cookie behavior change

  With Chrome 70, when a user clears cookies in Chrome Browser, Google’s authentication cookies will be deleted along with all other cookies, except for the cookie used for the Chrome Sync account. Users are automatically signed out of all accounts not being used for Chrome Sync. Users will still be signed in to any account used for Chrome Sync so they can delete their browsing data from other devices as well.

• Reduce Chrome crashes caused by third-party software

  Third parties can inject code that disrupts the stability of Chrome Browser. In Chrome 66, we introduced on-screen warnings that alerted users when a third party injects code.

  Here’s the warning users see on their computers if the ThirdPartyBlockingEnabled policy is enabled:

  

  The following blocking feature was previously scheduled for M68 and M69, but is now launching in Chrome 70.

  In Chrome 70, third-party code is now blocked by default for consumer users of Chrome. However, there is a different default behavior for enterprises. If you (the admin) do not block third-party code, third-party code will not be blocked for domain-enrolled enterprise users in Chrome 70.

  In Chrome 71, third-party code blocking will be enabled by default for everyone, including domain-enrolled users.

  To prepare for this change, if you still use software that injects code into browser processes, you can temporarily enable access using the new ThirdPartyBlockingEnabled policy.

  To test Chrome’s third-party software warning and blocking features on Windows, see these instructions, which will walk you through how to use the diagnostic tool at chrome://conflicts.

• Deprecate trust in remaining legacy Symantec PKI infrastructure

  Following previous announcements, Chrome 70 marks the final stage of distrusting the Symantec legacy PKI certificates.

  Beginning with Chrome 70:

  • All certificates, regardless of issuance date, issued from the Symantec legacy PKI are distrusted in the Canary and Dev release channels.
  • Trust in the Symantec legacy PKI has begun phasing out for the Beta and Stable release channels.
  • Temporary periods of distrust, increasing in length, will identify any outstanding breakages caused by sites that have not replaced their TLS certificates. Complete and final distrust can occur regardless of Chrome release dates. You are strongly encouraged to replace affected certificates as soon as possible to avoid site breakage.

  What you need to do:

  • Determine if your site is affected and replace your TLS certificate with one unaffected by the change. To find out if your site is affected, see the instructions in our blog post on the deprecation.
  • Enterprises with a critical dependency on Symantec TLS certificates can configure temporary trust in the Symantec legacy PKI. This policy is a temporary measure and will expire January 01, 2019. For details, see the EnableSymantecLegacyInfrastructure policy.

• Update to TLS 1.3

  We shipped draft 23 of TLS 1.3 in Chrome 65. In Chrome 70, we are now updating to the final revision. For details, see TLS 1.3 and Chromium.org. We will not be shipping anti-downgrade protections in Chrome 70 due to bugs in several middlebox vendor’s TLS implementations. Administrators of Cisco^® Firepower^® devices can update to Firepower version 6.2.3.4 to avoid incompatibilities with a future Chrome version. If needed, admins can use the SSLVersionMax policy to control TLS 1.3.

• New UI support for WebAuthn

  Chrome 70 comes with a new UI for WebAuthn and FIDO authenticators. Developers no longer have to implement these user authentication flows themselves. In Chrome 70, when a user invokes WebAuthn, Chrome will guide the user through their FIDO-compatible authenticator, such as a security key.

• Form autofill policy changes

  The AutoFillEnabled policy is deprecated. It’s being replaced with 2 more granular policies, which control autofilling address and credit card information into forms online. For Chrome devices running Chrome 70 and later, you need to update the AutofillAddressEnabled and AutofillCreditCardEnabled policies (details below).

  Autofill policies

  The AutofillAddressEnabled and AutofillCreditCardEnabled policies allow users to enter address and credit card information in web forms using previously stored information or information from their Google Account.

  If AutofillAddressEnabled is disabled, address information is not suggested or filled in. Additional address information that’s entered in web forms by the user will not be saved.

  If AutofillCreditCardEnabled is disabled, credit card information is not suggested or filled in. Additional credit card information that’s entered in web forms by the user will not be saved.

  If either the AutofillAddressEnabled or AutofillCreditCardEnabled setting is enabled or has no value, the user will be able to control autofill for addresses or credit card information, respectively.

Chrome OS updates

• Native SMB file share support

  SMB file shares (Windows file shares) are now supported natively on Chrome OS. Remote paths can be mounted as a root in the Files app. Supported authentication methods include Kerberos, Microsoft^® Active Directory^®, and NTLM version 2. To initiate an SMB file share:

  1. Open a Chrome Browser window and at the top right, click  Settings.
  2. Next to Network file shares, click Add File Share.
  3. Enter the required information and click Add.
  4. Open the Files app and browse the shared folder.
• 
• Camera app updates

  The Camera app has a refreshed UI. Photos and videos taken with the Camera app are now stored in the Downloads folder in the Files app.

• Enable key remapping for external keyboards

  Users can now remap the Search, Command, and Windows keys on external keyboards in the keyboard settings. If an Apple^® keyboard is attached to a Chromebook, the external keyboard setting defaults to the Control key. Other external keyboards default to the Search or Launcher key.

• Floating virtual keyboard

  For touch-enabled Chrome devices, you can use a floating keyboard to enter text with one finger. You can use this keyboard on a touchscreen, similar to how you use a smartphone keyboard.

• Restriction policy for native CUPS printing

  Admins can restrict users to color or black-and-white printing with CUPS printing. Users will not be able to manually change the setting on the device. Details are coming in Manage local and network printers.

Admin console updates

• Manage sign-ins in Chrome Browser and Chrome OS

  In the Google Admin console, you can restrict which domains users can use to access Google products, such as Gmail. The setting applies in Chrome Browser and on Chrome OS devices. For example, you might want to prevent employees from signing in to their personal Gmail accounts on a corporate-owned Chromebook. The setting combines the AllowedDomainsForApps and SecondaryGoogleAccountSigninAllowed policy.

• Support for certificate transparency enforcement exceptions

  A collection of 3 new user policies have been added to allow enterprises to provide exceptions to certificate transparency requirements. The policies can be found in the Admin console under Device management  Chrome management  User settings  Security.

  These settings are from the Chrome policies:

  • CertificateTransparencyEnforcementDisabledForCas
  • CertificateTransparencyEnforcementDisabledForLegacyCas
  • CertificateTransparencyEnforcementDisabledForUrls

• Improved developer tools policy

  You can use the new DeveloperToolsAvailability policy to allow developer tools except for force-installed extensions. This behavior is the new default and is useful for organizations that want to allow the general use of developer tools, but prevent tampering with force-installed extensions. For details, see the DeveloperToolsAvailability policy.

• Auto-updates over LTE policy control

  You can use the DeviceUpdateAllowedConnectionTypes policy to control which connection types a device can receive automatic updates over. There is now an option to enable automatic updates over all connection types, including LTE, as opposed to only WiFi and Ethernet. For details, see the DeviceUpdateAllowedConnectionTypes policy. This feature will be rolled out over the coming weeks in the Admin console under Device management  Chrome management  Device settings  Device Update Settings  Auto Update Settings.

• Lock screen control

  After a defined idle time, you can now set a lock screen on users’ devices running Chrome OS. This setting is in the Google Admin console under Device management  Chrome management  User settings  Security  Idle Settings.

Deprecations

• AutoFillEnabled policy deprecation

  The AutoFillEnabled policy is deprecated in Chrome 70. It’s being replaced with 2 more granular policies, which control autofilling address and credit card information into forms online. For Chrome devices running Chrome 70 and later, you need to update the AutofillAddressEnabled and AutofillCreditCardEnabled instead (see Form autofill policy changes above).

• UnsafelyTreatInsecureOriginAsSecure policy deprecation

  The UnsafelyTreatInsecureOriginAsSecure policy was deprecated in Chrome 69. Use OverrideSecurityRestrictionsOnInsecureOrigin instead.

• Gmail Offline app discontinued

  In December 2018, the Gmail Offline app will be removed from the Chrome Web Store. You can now get offline functionality in Gmail. For details, see Use Gmail offline.

• CRX2 deprecation

  Starting with Chrome 70, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in the Chrome Web Store have been automatically converted.

  Starting with Chrome 75, this restriction will also apply to force-installed extensions. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.

  If your organization is force-installing privately hosted extensions packaged in CRX2 format and you do not repackage them, they will stop updating in Chrome 75. New installations of the extension will fail.

  Why is this change happening?

  CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is computationally feasible, so an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm without this risk.

Coming soon

Note: The items listed below are experimental or planned updates. They may be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

• Change to using PAC scripts to configure proxy settings in Chrome Browser

  If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change, especially if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.

  The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of HTTPS URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution.

  In Chrome OS version 71, this policy will change the default value from FALSE to TRUE to improve security. If you already set this policy to TRUE, there will be no impact. If you set it to FALSE, there will be no immediate impact. If you have not set this policy and are relying on the default, you should test this change to see how your PAC scripts operate.

  Note: This policy will be removed in a future release when PAC stripping becomes the default for Chrome OS.

• CRX2 deprecation

  For details on what’s happening with CRX2-packaged extensions in Chrome 75, see CRX2 deprecation (above).

Upcoming Chrome OS features

• Android 9.0 Pie

  Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. Dates and affected devices have not yet been announced. We will include more information in future release notes when it comes available.

• Always-on VPN for managed Google Play

  Admins can already install Android VPN apps on Chromebooks. However, users have to start the VPN app manually. Soon, admins can set a VPN app to start a connection when a device is turned on and direct all traffic through that connection. If the connection fails, all traffic is blocked until the VPN connection is reestablished.

Upcoming Admin console features

• Native printer-management improvements

  Soon, you can add more than 20 printers for each organizational unit in the Google Admin console.

• Managed guest session support for managed Google Play

  Soon, there will be a setting in the Google Admin console that allows Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

We're accepting sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy	Description
AllowedUILocales Chrome OS only	Configures the allowed UI locales in a user session. This policy replaces the AllowedLocales policy.
OverrideSecurityRestrictionsOnInsecureOrigin	Specifies a list of origins (URLs) for which security restrictions on insecure origins will not apply. This policy replaces UnsafelyTreatInsecureOriginAsSecure. The policy now applies to Chrome OS and Android.
PasswordProtectionChangePasswordURL	Configures the change password URL.
PasswordProtectionLoginURLs	Configures the list of enterprise sign-in URLs where the password protection service should capture password fingerprints for reuse detection.
PasswordProtectionWarningTrigger	Configures the password protection warning trigger.
UsageTimeLimit Chrome OS only	Configure the time limit for a user session or device usage per day.

Chrome Browser updates

• Password Alert policy

  Password Alert has been a popular extension with enterprises for the past few years to protect Google Accounts. With the release of Chrome 69, we’re adding password alert as a policy for Chrome Browser to allow you to specify both Google and non-Google Accounts. If your users sign in to websites that aren’t whitelisted by your organization or are flagged as suspicious, they’ll get a warning that prompts them to reset their password. Preventing password reuse across multiple websites can protect your organization from compromised accounts.

• Reduce Chrome crashes caused by third-party software

  Third parties can sometimes inject code that disrupts the stability of Chrome Browser. In Chrome 66, we introduced on-screen warnings that alerted users when a third-party injects code. In Chrome 69, third-party code is now blocked by default. If you still use software that injects code into browser processes, you can temporarily enable access using the new ThirdPartyBlockingEnabled policy.

  Here is the warning users will see on their computers when this policy is enabled:

  

  Please note that this blocking feature was previously scheduled for M68, but is now scheduled for M69.

• On-premise reporting

  You can use a new reporting tool for Chrome Browser that provides insight into the browser, its resource consumption, and policy compliance. You can use Chrome Reporting Extension and a companion application on user machines to enable reporting. Use policies to specify what to monitor. Browser data is stored in a local file on disk in JSON format, which you can integrate with on-premise reporting and analytic tools, such as Spunk^® or Sumo Logic^®. For details, see Track Chrome Browser usage and events.

• Browser interface changes

  Chrome Browser will have a new design across all operating systems. Highlights include Microsoft^® Windows 10^® notification-center integration, touchpad gesture navigation on Windows, and autofill updates.

• Flash deprecation

  Last year, Adobe announced it will stop updating and distributing Adobe Flash™ at the end of 2020. Starting with Chrome 69, every time users restart Chrome Browser, they will have to grant permission for sites to use Flash. This update won’t impact your enterprise settings. You can continue to use the DefaultPluginsSetting, PluginsAllowedForUrls, and PluginsBlockedForUrls policies to configure Flash behavior. Only user-configured settings will be impacted. For details, see the Flash roadmap on Chromium.org. Flash will not be supported after December 2020.

• Update to Legacy Browser Support extension

  The Legacy Browser Support extension for Chrome has been updated to version 5.4. You can now specify more precise rules in URL lists to make managing multiple sites hosted on the same domain simpler. The update also improves support for automatically generated Microsoft^® Internet Explorer^® site lists. If you deploy the native Legacy Browser Support companion MSI manually, make sure to get the newest extension version to avoid mismatches with the extension version.

• Improvements to Chrome management with Intune

  Policies that are only available on Microsoft^® Windows^® instances that are joined to a Microsoft^® Active Directory^® domain can now be configured with Intune. These policies can even be managed on Windows instances not joined to a domain. Managing Chrome policies with Intune is supported on the Windows 10 Pro and Enterprise editions. For details, see Manage Chrome Browser with Microsoft Intune.

Chrome OS updates

• Linux (Beta) for Chromebooks

  Important:

  Linux (Beta) for Chromebooks allows developers to use editors and command-line tools by adding support for Linux on a Chrome device. After developers complete the set up, they’ll see a terminal in the Chrome launcher. Developers can use the terminal to install apps or packages, and the apps will be securely sandboxed inside a virtual machine.

  To try this out on an unmanaged device:

  • This feature is currently only supported on unenrolled Chrome devices and not available for managed Chrome devices.
  • This feature is only available on the latest Chrome devices. See Chromium.org for a list of Chrome device boards that support VMs.
  1. Go to Settings  Linux (Beta).
  2. Click Turn on.
     Note: If you don’t see Linux (Beta) in your Chrome OS settings, either you’re using a managed Chromebook, or you haven’t yet updated to Chrome OS 69 or later.
  3. Click Install in the window that appears to Set up Linux (Beta) on your Chromebook.

Linux can take several minutes to install. Once installation is complete, a terminal window will appear.

• Voice dictation from anywhere

  Voice-to-type functionality has been available on Chromebooks for some time through the on-screen accessibility keyboard or the virtual keyboard’s microphone icon. However, many of our users have asked to make dictation a standalone feature that's separate from the accessibility keyboard. Chrome 69 now offers dictation as a separate accessibility feature. With dictation enabled, a small button will appear at the bottom of the desktop. Also, when input focus is in a text-edit area, users can click a button to start dictating or press Search+D and use their voice to input text.

  

• Global text-to-speech settings

  In Chrome 69, we’re launching a new global text-to-speech settings page that’s available in your accessibility settings. Users can set a system-wide synthesized voice, language, pitch, and rate. We’re also working on making this setting smoother for any users who have non-default voice settings in the ChromeVox screen reader options page or the Select-to-speak options page.

• Files app improvements

  Native support for Drive in the Files app is targeted for Chrome 69. We’re also working on making managed Google Play on Chrome OS files available as read/write with the Files app. And, we’ll be making updates to improve the organization of local versus cloud file storage.

• Night Light support on Chromebooks

  To reduce eye strain and improve sleep, users can manage the color of their device displays throughout the day using Night Light. Users can use a preset sunrise and sunset schedule and suggested tint. Or, they customize their daily schedule and color temperature from a spectrum of colors.

• Visual updates for enterprise device enrollment

  The device-enrollment flow will be updated to match the visual styling of the rest of the Chrome OS out-of-box experience (OOBE). Functionality will not be affected. If you automate the out-of-box experience using USB devices, you should update your automation steps as appropriate.

Admin console updates

• Support for enterprise mobility management (EMM) coexistence for Android

  Previously, domains that had a third-party enterprise mobility management (EMM) provider bound to their domain could not manage Android apps on Chromebooks from the Google Admin console. Also, some users saw an empty Google Play store if their company was using an EMM to install Android apps outside of Google Play. With this change, administrators will be able to assign separate sets of Android apps for their Chrome and Android users from their respective consoles. The steps to manage apps remain the same. For details, see Use Android apps on Chrome devices.

• Android app installation improvements

  The most commonly used Android apps on a Chromebook will see performance improvements now that force-installed apps on Chromebooks can be kept as cached local copies. This improvement reduces the time it takes to install apps and network-traffic usage.

Deprecations

• SigninAllowed policy deprecation

  The SigninAllowed policy has been deprecated since Chrome 40. It will be removed from Chrome completely in Chrome 71. If you’re still using this policy, you need to transition to supported alternatives. For example, you can use the SyncDisabled policy to control the availability of the Chrome Sync feature.

• CRX2 deprecation

  Starting with Chrome 70, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in the Chrome Web Store have been automatically converted, but privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. Starting with Chrome 75, this restriction will also apply to force-installed extensions.

Upcoming Chrome Browser features (targeted for M70 and later)

• Redirect protection

  We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

  

Upcoming Chrome OS features (targeted for M70 and later)

• Enable key remapping for external keyboards

  This feature will allow users to remap the Search, Command, and Windows keys on external keyboards through keyboard settings. If an Apple^® keyboard is attached to a Chromebook, the external keyboard setting defaults to the Control key. Other external keyboards default to the Search or Launcher key.

Upcoming Admin console features

• Native printer-management improvements

  Soon, you can add more than 20 printers for each organizational unit in the Google Admin console.

• Manage sign-ins within Chrome Browser and on Chrome OS

  A new setting coming to the Google Admin console will allow you to restrict which domains users can use to access Google products like Gmail or G Suite. This applies for users that are browsing in the Chrome browser and on a Chrome OS device. A common way this setting could be used is to prevent students from signing in to their personal Gmail accounts on a school-owned Chromebook.

  Note: This Admin console setting combines these policies:

  • AllowedDomainsForApps
  • SecondaryGoogleAccountSigninAllowed

• Public-session support for managed Google Play on Chrome OS

  Soon, there will be a setting in the Google Admin console that allows Android apps to run in public sessions. Currently, Android apps can only run in a signed-in session.

Starting with Chrome 67, release notes are listed in a new format. They're no longer exclusive to Chrome Browser, but also includes a changelog of Chrome OS releases and Admin console features coming soon.

We're also now taking sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy	Description
ArcBackupRestoreServiceEnabled Chrome OS only	Controls Android backup and restore service
ArcGoogleLocationServicesEnabled Chrome OS only	Controls Android Google location services
ChromeCleanupEnabled Windows only	Enables Chrome Browser Cleanup on Windows
ChromeCleanupReportingEnabled Windows only	Controls how Chrome Browser Cleanup reports data to Google
DeveloperToolsAvailability	Controls where Developer Tools can be used
IsolateOriginsAndroid Android only	Enables Site Isolation on Chrome Browser for specified origins on Android devices
SafeBrowsingWhitelistDomains	For configuring the list of domains which will not trigger Safe Browsing warnings
SitePerProcessAndroid Android only	Enables Site Isolation for every site
WebUsbAskForUrls	Allows WebUSB on these sites
WebUsbBlockedForUrls	Blocks WebUSB on these sites

Chrome Browser updates

• Unencrypted sites to show “not secure” indicator

  For the past several years, we’ve advocated that sites adopt HTTPS encryption for greater security. Within the last year, we’ve also helped users by marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

  Chrome offers a policy to control this warning on your domain.

  

• Chrome Canary on Mac policy list update

  Chrome Canary on Mac reads the same policy file (com.google.chrome.plist) as the Dev, Beta, and Stable channels of Chrome. We’re deprecating the separate policy file com.google.chrome.canary.plist.

• Block a locally installed, hardcoded CA for Mitel VoIP products

  In M68, we plan to blacklist a hardcoded Certificate Authority (CA) and shared private key that’s installed with certain Mitel® VoIP products. The products contain both the public and private key for the Mitel IP Communications Platform (ICP) CA, which can be installed and trusted for a wide range of certificate purposes, including website SSL and TLS certificates. We’ve observed evidence of this CA being used to maliciously issue Man-in-the-Middle (MITM) certificates, including www.google.com. While this CA is not publicly trusted as a part of the web PKI, it warrants protecting Chrome users by blocking trust in it. For more details, see Mitel's security advisory.

• Certificate transparency

  M68 requires that all new publicly trusted certificates issued after April 30, 2018 have several Certificate Transparency logs. This update does not affect existing certificates or certificates from locally trusted CAs, such as Enterprise CAs or those used with antivirus or security products. For more information, see Certificate Transparency.

Chrome OS updates

• PIN sign-in support

  Users can now sign in to their device using a numeric PIN. Previously, users could only use a PIN to unlock their device after first signing in with a password. Policy to control this feature in the Admin console will arrive in a future release. When the policy is added, it will allow an admin to enable or disable their end users from setting a PIN for the Chrome device. Once enabled, the user has to set the PIN themselves. The PIN only works on that device and it won’t sync to other devices.

• Video capture service

  Video capture from internal and external cameras in Chrome (including on Chrome OS and Chromebox for meetings devices) has traditionally been run as part of the main Chrome Browser process. With the rollout of the video capture service, this functionality is now a separate process to enable isolation in services. There are no user-facing changes in functionality.

• 802.11v and 802.11r Fast BSS Transition support added

  These changes allow Chrome OS customers to more quickly connect to a network. Specifically, the 802.11r Fast BSS Transition enables a faster handoff for devices roaming in areas with many access points (APs). For enterprise users with 802.11r-enabled APs, the time-to-associate with APs while mobile is improved. 802.11v enables clients to be topology aware. This can allow clients to transition to APs, which increase throughput and QoS.

• Accessibility improvements

  Chrome OS M68 comes with a number of accessibility improvements.To enable the ChromeVox screen reader:

  1. Press and hold the 2 side volume buttons for 5 seconds. After a few seconds of holding these 2 buttons, an audio tone will play.
  2. Continue holding. The screen reader will start speaking. 

  Additionally, we’re launching new shortcuts to toggle accessibility features:

  • Select Ctrl + Search + M to enable/disable the full screen magnifier.
  • And select Ctrl + Search + D to enable/disable the new docked magnifier. 

  We’re adding new functionality to our Select to Speak feature, which allows users to select certain parts of the screen to be spoken aloud through a synthesized voice. With M63, we launched this feature by pressing the Search key, then clicking an item or dragging a box around content to have that content read aloud.

  With M67, we introduced the ability to highlight specific text, then press Search + D to have only that text spoken aloud.

  With M68, it’s now possible to use the Select to Speak feature with a touch screen, mouse, or stylus (in addition to or instead of the keyboard and touchpad). This adds a button in the status area that a user can click or touch, then select an area to be spoken aloud.

• Introduction of display size and refresh rates to display settings

  As of M68, we are rolling out a new display-zoom setting for primary display and adding resolution, along with refresh rates for external displays.

  • While disconnected from external display, users will be able to manipulate the size of objects on the screen.
  • When connected to external display, we are adding an option to set resolution, which determines sharpness of text and images.

  The goal of these changes is to give users more control over UI scale and look.

Admin console updates

• Automatic re-enrollment (Forced re-enrollment enhancement)

  A new feature allows a managed Chrome OS device that is wiped or recovered to automatically re-enroll after it connects to a network. With the previous Forced re-enrollment feature, a user had to enter their username and password to complete the re-enrollment step. But this new feature allows an admin to remove that requirement and automatically complete re-enrollment. This feature will be rolled out incrementally starting in July, 2018 and will become the default for new customers, as well as for existing customers who have not changed the default Forced re-enrollment setting.

  Admins can still require users to enter their credentials to re-enroll wiped or recovered devices and make use of enrollment permissions to prevent specific users from re-enrolling through that process.

• Device off-hours feature

  Admins can set up schedules to customize when sign-in restrictions and guest-mode policies are needed. For instance, schools can allow guardians and family members to sign in to Chrome devices with their personal accounts after school hours on managed devices.

• Native printer-management improvements

  A new policy to block users from manually adding printers is targeted for this release. With this policy, users will be limited to using printers assigned by their admin.

Upcoming Chrome Browser features (targeted for M69 and later)

• CRX2 deprecation (M69)

  Starting in M69, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in Chrome Web Store have been automatically converted, but privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. Starting in M75, this restriction will also apply to force-installed extensions.

• Reduce Chrome crashes caused by third-party software (M69)

  In M66, Chrome began showing a warning to users after a crash that displays third-party software that is injecting code into Chrome, guiding them to update or remove that software. In M69, Chrome will begin blocking third-party software from injecting code into Chrome processes.

  Please note that this blocking feature was previously scheduled for M68, but is now scheduled for M69.

  You can enable or disable third-party software blocking with the ThirdPartyBlockingEnabled policy. The policy will be deprecated in approximately one year (Chrome 77).

  

• Redirect protection

  We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

  

Upcoming Chrome OS features (targeted for M68 and later)

• Voice dictation from anywhere (M69)

  Voice to type has been available on Chromebooks for some time through the on-screen accessibility keyboard or the virtual keyboard’s microphone icon. However, a number of users have requested the ability to use dictation as a standalone feature, separate from needing to pull up the accessibility keyboard. Soon, we will launch dictation as a separate accessibility feature. With this enabled, a small button will appear in the status area. When focus is in an edit field, users can either click the button to start dictating or press the keyboard command Search + D, then use their voice to input text. 

• Enable key remapping for external keyboards (M69)

  The new feature allows users to remap Search/Command/Windows keys on external keyboards through keyboard settings. If an Apple® keyboard is attached to Chromebook, the external keyboard setting defaults to Control. Other external keyboards default to Search/Launcher. 

• Files app improvements (M69)

  Native support for Drive in Files app is currently targeted for M69. The team is also working toward making ARC++ files available as read/write with the Files app and will be updating the UI to improve the organization of local vs. cloud file storage.

• Policy to show PIN pad on sign-in and lock screen for TouchView devices

  The Policy to show PIN feature will allow admins to show the PIN pad on the sign-in screen. This is intended to make sign-in easier on tablets in domains where the administrator has made all user passwords only digits.

• Visual updates for enterprise device enrollment flow

  The device enrollment flow will be updated to match the visual styling of the rest of the Chrome OS out-of-box experience (OOBE). These are only style changes and will not affect functionality. Customers who automate OOBE using USB devices should update their automation steps as appropriate.

• Night Light support on Chromebooks

  To reduce eye strain and improve sleep, Night Light on Chromebooks lets users manage the color of their device displays throughout the day. Users can use a preset sunrise/sunset schedule and suggested tint. Or, they customize their daily schedule and color temperature from a spectrum of colors.

Upcoming Admin console features

• Native printer-management improvements

  A change is coming to the Admin console to remove the 20-printer limit for each organizational unit.

• Sign-in Within the Browser policy

  Admins can restrict users who sign in to Chrome OS from adding additional Google Accounts in the browser.

• Public session support for managed Google Play on Chrome OS

  A setting is coming to the Admin console that will allow you to run Android apps in public sessions. Currently, Android apps can only run in a signed-in session.

Starting with Chrome 67, release notes are listed in a new format. They're no longer exclusive to Chrome Browser, but also include Chrome OS releases and Admin console features coming soon.

We're also now taking sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy	Description
ArcAppInstallEventLoggingEnabled	Logs events for Android app installs (Chrome OS)
AutoplayWhitelist	Allows media autoplay on a whitelist of URL patterns
CertificateTransparencyEnforcementDisabledForCas	Disables Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes
CertificateTransparencyEnforcementDisabledForLegacyCas	Disables Certificate Transparency enforcement for a list of Legacy Certificate Authorities
DefaultWebUsbGuardSetting	Controls use of the WebUSB API
DeviceRollbackAllowedMilestones	Specifies the number of milestone rollbacks allowed (Chrome OS)
DeviceRollbackToTargetVersion	Specifies a rollback to a target version (Chrome OS)
MediaRouterCastAllowAllIPs	Allows Google Cast to connect to Cast-ready devices on all IP addresses
RelaunchNotificationPeriod	Sets the period for update relaunch notifications
SafeBrowsingExtendedReportingEnabled	Enables extended reporting for Safe Browsing (added in M66)
TabUnderAllowed	Allows sites to simultaneously navigate and open notifications

Chrome Browser updates

• SAML SSO interstitial

  Doesn’t impact users who sign in to G Suite services directly, those who use G Suite or Cloud Identity as their identity provider, or devices running Chrome OS.

  If your users use SAML to sign in to G Suite services, they’ll need to complete an extra step to confirm their identity when using the Chrome Browser. After signing in on a SAML provider’s website, they’ll be brought to a new screen on accounts.google.com to confirm their identity. This screen provides an extra layer of security and helps prevent users from unknowingly signing in to a malicious account.

  To minimize disruption, this screen will only be shown once per account per device. We’re working on ways to make the feature smarter in the future, meaning users in your organization should see the screen less and less over time.

  If you don’t want your users to confirm their identity on this interstitial page, you can set the X-GoogApps-AllowedDomains header and identify specific domains where the extra confirmation isn’t needed. We assume that if the user is signing in with an account that is in this list of domains, then the account is trusted by the user. You can set the header using the AllowedDomainsForApps group policy.

  For more details, see the G Suite Updates blog.

• Site Isolation

  You can turn on site isolation to create an additional security boundary between websites. When you enable site isolation, content for each open website in Chrome Browser is always rendered in a dedicated process, isolated from other sites. Adding site isolation creates an additional security boundary between websites.

  Chrome continues to roll out Site Isolation to a larger percentage of the stable population in M67. For details, see Manage Site Isolation.

Chrome OS updates

• Desktop Progressive Web Apps (PWAs)

  Desktop PWAs are now supported on devices running Chrome OS starting with M67. Work is underway to include support for Microsoft^® Windows^® and Apple^® Mac^®. For more information, see our developer site.

• Detachable-base swap detection

  Detachable-base swap detection helps prevent hackers from accessing sensitive data. When a keyboard base that has not been used before is attached to a detachable tablet, such as an HP Chromebook X2, the user gets notified. The detection helps prevent hackers from replacing the base with a different one that looks the same but has been modified.

• Block symlink traversal

  This feature improves verified boot security by preventing symlink traversal attacks, even after restart. This is a defensive measure to prevent attacks against Chromebooks from persisting through restart.

  This feature has no observable changes for most users. Developers and power users who use developer mode might run into issues, but these can be resolved by disabling this restriction. Learn more about restricting symlink traversal.

Admin console updates

• EAP-TLS device-level support

  Admins can now configure EAP-TLS network support at a device level. These network settings apply to users across the device, including users in a public session and kiosk mode. Learn more about adding a network configuration.

• Managed Google Play on Chrome OS policy update

  With this release, the Android user policies Backup & Restore and Google Location Services are disabled by default for the Chrome Enterprise and Chrome Education services. Admins can only turn off these features or let the users configure them. Admins cannot force these on for their users. The policies allow users to easily restore their data and help improve location accuracy on their Android apps.

• Admins can block apps from installation
  Currently not available for the Chrome Education service

  As an administrator, you can specify a blacklist of Android apps for users who have enabled All Access mode for Android on their organization’s domain. If a blacklisted app has already been downloaded onto a user’s device, it will be uninstalled.

• Android app installation reporting

  In a new section in the Google Admin console, you and other admins can troubleshoot Android app installations on devices running Chrome OS. You can now see the status of force-install (and uninstall) operations and filter the reports by organizational unit, user, or status. You can also see which devices the status applies to.

• Android app bulk purchasing on Education service

  As an administrator of the Chrome Education service, you can now bulk purchase one-time payment and perpetual-access apps from the managed Google Play store and provision them by user and organizational unit in the Admin console. In the Admin console, you can force-install, allow install, and pin apps to the taskbar. You can use a credit card and Google Play gift cards. In-app and subscription purchasing is not currently supported.

Upcoming Chrome Browser features (targeted for M68 and later)

• Unencrypted sites to show “not secure” indicator (M68)

  For the past several years, we’ve advocated that sites adopt HTTPS encryption for greater security. Within the last year, we’ve also helped users by marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

  Chrome will offer a policy to control this warning on a per-domain basis.

  

• Canary release channel on Mac update (M68)

  This change unifies the policy list for all Chrome OS release channels on Mac devices to include the Canary channel, which is consistent with how other platforms operate.

• Reduce Chrome crashes caused by third-party software (M68)

  In M66, Chrome began showing a warning to users after a crash that will display third-party software that is injecting code into Chrome, guiding them to update or remove that software. In M68, Chrome 68 will begin blocking third-party software from injecting code into Chrome processes.

  You can enable or disable third-party software blocking with the ThirdPartyBlockingEnabled policy.

  

• Block a locally-installed hardcoded CA for Mitel VoIP products (M68)

  In M68, we intend to blacklist a hardcoded Certificate Authority (CA) and shared private key that’s installed with certain Mitel^® VoIP products. The products contain both the public and private key for the Mitel IP Communications Platform (ICP) CA, which can be installed and trusted for a wide range of certificate purposes, including website SSL and TLS certificates. We’ve observed evidence of this CA being used to maliciously issue Man-in-the-Middle (MITM) certificates, including www.google.com. While this CA is not publicly-trusted as a part of the web PKI, it warrants protecting Chrome users by blocking trust in it. For more details, see Mitel's security advisory.

• Certificate transparency (M68)

  M68 will require that all new publicly-trusted certificates issued after April 30, 2018 have several Certificate Transparency logs. This update does not affect existing certificates or certificates from locally-trusted CAs, such as Enterprise CAs or those used with antivirus or security products. For more information, see Certificate Transparency.

• Redirect protection

  We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

  

Upcoming Chrome OS features (targeted for M68 and later)

• PIN sign-in support (M68)

  Users will now be able to sign in to their device using a numeric PIN. Previously, users could only use a PIN to unlock their device after first signing in with a password.

• Video capture service (M68)

  Video capture from internal and external camera devices in Chrome (including on Chrome OS and Chromebox for meetings devices) has traditionally been run as part of the main Chrome Browser process. With the rollout of the video capture service, this functionality is now a separate process to help enable better isolation. There are no user-facing changes in functionality.

Upcoming Admin console features

• Automatic re-enrollment (Forced re-enrollment enhancement) (M68)

  A new feature allows a Chrome OS device that is wiped or recovered to automatically re-enroll once it connects to a network. In the past, a user had to sign in to complete the re-enrollment step. But with the new feature, user credentials are no longer required to complete re-enrollment.

  Admins can still require users to sign in to re-enroll wiped or recovered devices.

• Native printer management improvements

  There will be 2 new improvements for native printer management:

  • A new policy for user and device settings to remove the 20-printer limit per organizational unit.
  • A new policy to block users from manually adding printers is targeted for M68.

• Sign-in Within the Browser policy

  Admins can restrict users who are signed in to the Chrome Browser from adding additional Google Accounts in the browser.

• Device off-hours feature

  Admins can set up schedules to customize when sign-in restrictions and guest-mode policies are needed. For instance, schools can allow guardians and family members to sign in to Chrome OS devices with their personal accounts after school hours on managed devices.

• Public session support for managed Google Play on Chrome OS

  You will soon be able to run Android apps in public sessions. Currently, Android apps can only run in a signed-in session.

Security updates

• Continuation of distrust of Symantec Certificates 

  Following our announcement to gradually phase out trust in Symantec's PKI, Chrome continues to remove trust in Symantec-issued certificates issued before June 1, 2016.

  The Google Security Blog published a guide for impacted site operators. The EnableSymantecLegacyInfrastructure enterprise policy allows administrators to temporarily remove Chrome's distrust of the Symantec PKI. The policy expires after Chrome 73 (targeted for release January 2019), giving enterprise admins 3 releases after Chrome's full distrust to migrate off of Symantec certificates.
  
  For details, see Migrate from Symantec certificates.

• Site Isolation Trial

  Chrome 66 includes a trial of Site Isolation for a small percentage of users, to prepare for a broader upcoming launch. Site Isolation improves Chrome's security and helps mitigate the risks posed by the Spectre security vulnerability.

  If you observe any issues with functionality or performance in the trial, it can be disabled by policy.  To diagnose whether an issue is caused by Site Isolation, test by going to chrome://flags#site-isolation-trial-opt-out and follow these instructions to opt out. If any of your users experience issues, you can disable the trial for your whole organization by setting the SitePerProcess policy to false, instead of leaving it unspecified.

  If you experience any issues during the Site Isolation trial, please report them here.

Enterprise features

• Chrome relaunch policy: RelaunchNotificationPeriod (M67)

  This feature allows admins to set the time period over which Chrome relaunch notifications are shown to apply a pending update. Over the period based on the setting of the RelaunchNotification policy, the user is repeatedly notified of the need for an update. If RelaunchNotificationPeriod isn't set, the default period of one week applies.

• Click to open PDF 

  For downloading embedded PDF content with an embed or iframe when Chrome's default PDF viewer is disabled (via settings or Enterprise policy) or not present (as on mobile), an Open button appears on the PDF placeholder.

• Force sign-in policy: Support for Mac

  The ForceBrowserSignin policy is supported on Mac.

Chrome policies

Changes in this release:

Policy	Notes
AutoplayAllowed	This policy allows you to control whether videos with audio content can autoplay (without user consent) in Chrome.
EnableCommonNameFallbackForLocalAnchors	This policy has been deprecated.
EnableSymantecLegacyInfrastructure	When this setting is enabled, Chrome allows certificates issued by Symantec Corporation's Legacy PKI operations to be trusted if they otherwise successfully validate and chain to a recognized CA certificate.
ForceBrowserSignin	Force users to sign in to the profile before using Chrome. Added support for Mac.
RelaunchNotification	Notify users to relaunch Chrome to apply a pending update.
SafeBrowsingExtendedReportingEnabled	This setting enables Chrome's Safe Browsing Extended Reporting and prevents users from changing it.
SSLVersionMin	If this policy isn't configured, Chrome uses the default minimum version of TLS 1.0.

 

UI changes

• Changes to autoplay 

  Chrome is changing the policy for when sites can autoplay media with sound. Admins will be able to use the AutoplayAllowed policy to control whether Chrome defaults to allowing media to autoplay. For details, see the Autoplay Policy Changes.

• Reducing Chrome crashes caused by third-party software

  Chrome will begin showing a warning to users after a crash that displays third-party software injecting code into Chrome. It guides them to update or remove that software.

  

Deprecations

• Enable CommonName fallback for local anchors policy

  The EnableCommonNameFallbackForLocalAnchors policy was offered to give admins more time to update their local certificates. It removes the ability to allow certificates on sites using a certificate issued by local trust anchors that are missing the subjectAlternativeName extension.
  
  As of Chrome M66, we will be deprecating this policy. If a user running Chrome 66 tries to access a site where the certificate isn't allowed, they will see a warning indicating they can't trust the certificate.

 

Corrections

• Previously listed as launching with Chrome 66, SafeBrowsingWhitelistDomains will now launch in Chrome 67. This policy allows you to configure the list of domains Safe Browsing trusts. Safe Browsing won't check for dangerous resources (for example, phishing, malware, or unwanted software) for URLs that match these domains.

 

↑ back to top

Security updates

• Support for TLS 1.3

  This release comes with the latest version of the Transport Layer Security (TLS) protocol (TLS 1.3 draft 23) turned on. Users of Cisco Firepower devices configured to perform TLS man-in-the-middle interception in Decrypt-Resign/SSL Decryption Enabled mode should see Cisco's documentation.

Chrome policies

Changes in this release:

Policy	Notes
AlwaysAuthorizePlugins	This policy was deprecated.
AbusiveExperience InterventionEnforce	Prevent pages with abusive experiences from opening new windows or tabs.
AdsSettingForIntrusive AdsSites	Set whether ads should be blocked on sites with intrusive ads.
DeviceLoginScreenAutoSelect CertificateForUrls	Automatically select client certificates for these sites on the sign-in screen (available on Chrome OS).
DisablePluginFinder	This policy was deprecated.
RestrictAccountsToPatterns	Restrict accounts that are visible in Chrome (available on Android.)
SecondaryGoogleAccountSign inAllowed	Allow multiple sign-in access within the browser (available on Chrome OS).
SecurityKeyPermitAttestation	URLs/domains are automatically permitted direct Security Key attestation.
SpellcheckEnabled	If this policy is on, the user is allowed to use spellcheck.
SpellcheckLanguage	This policy force enables spellcheck languages.
ThirdPartyBlockingEnabled	This policy enables third-party software injection blocking (available on Windows).
UnsafelyTreatInsecureOriginA sSecure	This policy specifies a list of origins (URLs) to be treated as secure context. Learn more about secure contexts.
WebDriverOverrides IncompatiblePolicies	This policy allows users of the WebDriver feature to override policies that can interfere with its operation.

Developer changes

• Ignore <a download> for cross-origin URLs

  To avoid user-mediated information leakage, Chrome starts to ignore the presence of the download attribute on anchor elements with cross-origin attributes. See more details on Chromium.org.

Deprecations

• Mac OS X 10.9 Support 

  Chrome won't support Mac OS X 10.9. Chrome on Mac OS X 10.9 does not autoupdate. If you have Mac OS X 10.9, upgrade to a newer Mac OS.

 

↑ back to top

Security updates

The Chrome Releases Blog lists all the latest Chrome security changes. Chrome 64 also mitigates against speculative side-channel attacks.

• Site isolation improvements  

  With M64, we fixed known issues and made improvements with site isolation.

Enterprise features

• Forced sign-in  

  This feature allows admins to force a user to sign in with their Google account before using Chrome. It ensures Chrome can only be used when under management by cloud-based policies configured in the Admin console. See Force users to sign in to Chrome.

UI changes

• Site muting 

  You can mute/unmute sites by interacting with the tab options or by clicking Lock  to the left of the URL (desktop only). The Sound settings page (for the desktop, chrome://settings/content/sound) lets you add exceptions for individual sites, as well as turn on/off audio for all sites. If you mute a site through this feature, all open tabs for that site are muted.

 

• Stronger pop-up blocker 

  One out of every 5 user feedback reports submitted on Chrome for desktop mention some type of unwanted content. Examples include links to third-party websites disguised as play buttons or transparent overlays on websites that capture all clicks and open new tabs or windows. In this release, Chrome's pop-up blocker now prevents sites with these types of abusive experiences from opening new tabs or windows. Site owners can use the Abusive Experiences Report in Google Search Console to see if any of these abusive experiences have been found on their site and improve their user experience.

• Change to JavaScript dialogs 

  We are changing the way Chrome handles JavaScript dialogs window.alert(), window.confirm(), window.prompt() to improve user experience and better align with other modern browser's behaviors. Background tabs are no longer brought to the foreground when a dialog is triggered. Instead, the tab header shows a small visual indicator.

  Sites can still show browser notifications if permitted by the user or admin. Users can allow browser notifications by interacting with the pop-up permission prompt or changing site permissions. Admins can use the NotificationsAllowedForUrls policy through GPO or the Admin console to list site URLs they want to allow to display notifications to users (for example, calendar.google.com).

Developer changes

• Resize Observer 

  Traditionally, responsive web applications have used CSS media queries or window.onresize to build responsive components that adapt content to different viewport sizes. However, both of these are global signals and require the overall viewport to change in order for the site to respond accordingly. Chrome now supports the Resize Observer API to give web applications finer control to observe changes to sizes of elements on a page.

This code snippet uses the Resize Observer API to observe changes to an element:

const ro = new ResizeObserver((entries) => { for (const entry of entries) { const cr = entry.contentRect; console.log('Element:', entry.target); console.log(`Element size: ${cr.width}px × ${cr.height}px`); console.log(`Element padding: ${cr.top}px / ${cr.left}px`); } }) // Observe one or multiple elements ro.observe(someElement);

• import.meta 

  Developers writing JavaScript modules often want access to host-specific metadata about the current module. To make this easier, Chrome now supports the import.meta property within modules that exposes the module URL via import.meta.url. Library authors might want to access the URL of the module being bundled into the library to more easily resolve resources relative to the module file as opposed to the current HTML document. In the future, Chrome plans to add more properties to import.meta.

Deprecations

• SharedArrayBuffer (M63)

  In line with other browsers, starting on January 5, 2018, Chrome disabled SharedArrayBuffer on Chrome 63. To help reduce the efficacy of speculative side-channel attacks, Chrome will modify the behavior of other APIs, such as performance.now. This is intended as a temporary measure until other mitigations are in place.

• Enable CommonName fallback for local anchors policy (M66)

  Chrome offered the EnableCommonNameFallbackForLocalAnchors policy to give IT admins more time to update their local certificates. As of Chrome 66, targeted for Stable Channel on April 2018, we will start deprecating this policy, which removes the ability to allow certificates on sites using a certificate issued by local trust anchors that is missing the subjectAlternativeName extension. If an end-user running Chrome 66 attempts to access a site where the certificate isn't allowed, they will see a warning that the certificate cannot be trusted.

 

↑ back to top

Security updates

See the latest Chrome security improvements in the Chrome Releases Blog.

• Enabling TLS 1.3 

  TLS 1.3 is enabled starting in Chrome 63. At this time, the only Google service with TLS 1.3 enabled is Gmail, but this expands to the broader web in 2018. End users should not be impacted by this change. If you are aware of any systems that don't work with TLS 1.3, post your feedback in the admin forum. As you prepare for wider use of TLS 1.3, you can configure this policy for network software or hardware in your enterprise that will not transit TLS 1.3 connections. See more information on Chromium.org.

• Support for NTLMv2 authentication protocol 

  Chrome 63 also includes support for NTLMv2 authentication protocol on Mac, Android, Linux, and Chrome OS. We are expanding on a previous release that supported NTLMv2 for Windows. With versions prior to Chrome 63, this must be manually enabled via chrome://flags. In 2018, we set NTLMv2 as the default NTLM protocol. For enterprises that need to extend support for NTLMv1, a new policy is available to allow you to force the older NTLMv1 protocol as needed.

• Site isolation 

  Site isolation is available in Chrome 63. With site isolation enabled, Chrome renders content for each open website in a separate process, isolated from other websites. This can mean even stronger security boundaries between websites than Chrome's existing sandboxing technology. Read more at Manage site isolation.

UI changes

• Material design bookmarks

  Chrome's Bookmarks Manager has now been refreshed with new Material Design UI. Take a look by visiting chrome://bookmarks.

  

Deprecations

 

↑ back to top

Security updates

• Warning for untrusted Symantec certificates

  Chrome 62 introduces a console warning for sites using certificates from Symantec or Symantec brands that may not be trusted in future versions of Chrome. For more information, see this blog post.

Enterprise features

• Change to update-check URL

  We are changing our main update-check URL host on Chrome for desktop from tools.google.com to update.googleapis.com. You might need to update your enterprise's firewall whitelist to the our new update-check URL to ensure that Chrome continues to update. Learn more.

• Manage extensions by permission

  The permission-based management of extensions is a new enterprise-focused set of controls implemented via Chrome policy and used to prevent extensions that request undesirable permissions from running. Example: Set or modify a proxy (proxy), Capture audio/video of the desktop (desktopCapture), etc. Learn more.

UI changes

• Chrome Cleanup tool 

  On Chrome for Windows, the Chrome Cleanup feature alerts users when it detects unwanted software. It offers a quick way to remove the software and return Chrome to its default settings. We recently completed a full redesign of Chrome Cleanup. The new interface is simpler, has a native Chrome interface, and makes it easier to see what software will be removed.

  

• Edit username when saving passwords

  You can now edit your username when prompted to store a password for a website you visit. When you see the pop-up to save a password (or click the key icon in the address bar after signing in to a page), simply click Edit  and make any edits needed.

  

• Introducing Site settings page

  Starting M62, you will see a new Site settings button. The Site settings page provides per-origin permissions, rather than per-permission exceptions.

  

Deprecations

 

↑ back to top

Security updates

To learn about the latest Chrome security changes, see the Chrome Releases Blog.

• Final removal of trust in WoSign and StartCom certificates

  Chrome 61 or later won't trust website authentication certificates issued by WoSign or StartCom. This is the culmination of a multi-release distrust process.

Enterprise features

• Side-by-side Chrome channels on Windows

  Chrome supports multiple release channels with varying degrees of stability and support. Most users browse with the Stable channel of Chrome. In addition to Stable, Google also ships early-access Chrome channels (Dev, Beta) to get early feedback on features and changes, directly from users and developers. Early-access channels allow developers and admins to try cutting-edge features and validate that business critical applications continue to function as Chrome changes.
  
  Currently, you can't install and run Dev or Beta Chrome on the same computer as the Stable version of Chrome. Starting M61, users can install and run Dev, Beta, and Stable versions concurrently on the same Windows computer. For more details, see the blog post.

UI changes

• Material Design for New Tab Page (NTP)

  We applied a modernized Material Design look to the Desktop NTP. The search bar has been updated to a lighter drop-shadow style that is consistent with Google Web Search. Most visited sites has also been updated to use the same lighter style and refined hover, focus, and active states.

  

• New messaging for installing extensions that modify New Tab Page (NTP)

  Extensions can modify the main site shown on a new tab, called the new tab page (NTP). Users often install extensions that modify NTP but aren't fully aware of how their experience will change. Starting in M61, there is a new permission warning shown at extension install time, which will indicate that the extension can change the default NTP to a custom site. The goal of these changes is to improve user awareness about extensions that will change their Chrome defaults, once installed.

Deprecations

To see all of the changes that are in Chrome 61, visit the commit log.

 

↑ back to top

Security updates

Learn more about the latest Chrome security updates in the Chrome Releases Blog.

Enterprise features

• Chrome Enterprise Bundle (May 23, 2017)

  Google announced the release of the Chrome Enterprise Bundle, as well as Chrome Browser support for new platforms: Citrix Xenapp, Terminal Services, and Windows Server platforms. See the announcement.

Deprecations

To see all of the changes in Chrome 60, visit the commit log.

 

↑ back to top

Enterprise features

• Chrome Enterprise Bundle (May 23, 2017)

  Google announced the release of the Chrome Enterprise Bundle as well as Chrome Browser support for new platforms: Citrix Xenapp, Terminal Services, Windows Server platforms. See the announcement.

UI changes

• Material Design comes to Chrome settings

  Chrome Settings has updated to Material Design with a new look with the same ease of use and functionality.
  
  Notable changes:

  • Larger and more prominent search bar
  • New menu icon  to the top left of Settings that gives you an easy way to jump to specific sections, like People, Appearance, and Search Engine
  • Combined and simplified Sign In and People sections
  • Streamlined Content Settings section
  • Search section renamed Search Engine
  • Privacy section renamed Privacy and Security
  • Proxy settings moved under the System section
  • Font sizes and page zoom settings moved to the Appearance section
  • HTTPS/SSL Manage Certificates settings moved under Privacy and Security section

To see all of the changes in Chrome 59, visit the commit log.

 

↑ back to top

UI changes

• Material Design coming soon to the Chrome settings page (59)

  For those already on Chrome's Dev or Canary channels, the Chrome settings (chrome://settings) page has updated to Material Design. The updated design is planned to launch in Chrome 59.

• New desktop welcome page (Windows 10)

  We redesigned Chrome's first-run experience in M58. On Windows 10 platforms, we display a welcome page, which explains how to set Chrome as the default browser or pin it to the Windows taskbar. For Windows 7 and Windows 8 platforms, we display a Material Design page that promotes the Sign in to Chrome feature. This page launched to Mac and Linux during the Chrome 57 release.

Deprecations

• Changes to website certificate handling

  After many years of the practice being discouraged, Chrome 58 removes support for the commonName field in website certificates. Only the subjectAltName extension will be used when matching certificates to host names. The EnableCommonNameFallbackForLocalAnchors policy can be used to re-enable old behavior for locally installed roots. Organizations are strongly encouraged to migrate to modern certificate standards and not rely on the continued presence of this policy.

  Chrome 56 stopped trusting certificates issued by WoSign and StartCom after October 21, 2016 in response to various incidents, and included a whitelist of certificates that would continue to work. Chrome 58 continues reducing the size of that whitelist.

  As a reminder, since Chrome 56, the use of SHA-1 website certificates is no longer supported unless configured via policy: EnableSha1ForLocalAnchors. This policy can be used to re-enable old behavior for locally installed roots, which gives organizations more time to move away from SHA-1 certificates. Chrome strongly encourages organizations to migrate to modern certificate standards and not rely on the continued presence of this policy, because it will be removed in January 2019.

To see all of the changes that are in Chrome 58, visit the commit log.

 

↑ back to top

Security updates

• Form Not Secure warning UI (M56)

  To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. As part of a long-term plan to mark all HTTP sites as non-secure, beginning in January 2017 (Chrome 56), we mark HTTP pages that collect passwords or credit cards as non-secure. Read about Moving toward a more secure web.

• Chrome chip and icon

  Chrome security chip and icon for Chrome internal pages (Settings, History, Downloads...) indicate and verify that page is a secure internal Chrome page.

  

• Extension name chips

  Chrome will begin showing the extension name if the page URL is a chrome-extension:// URL. The extension name is displayed in the same style as security indicator URL-bar strings, but without any animations.

Enterprise features

• Windows roaming profiles support

  We are launching initial support for roaming profiles on Windows. It enables users to have a Chrome Sync experience anywhere they sign in to Windows with their domain accounts if roaming profiles are enabled without the need to sign in to Chrome. For more information, see Using Chrome on roaming user profile.

• Legacy Browser Support: Update 4.7

  Bug fixes and performance improvements from 4.6:

  • Improved window management in Chrome, including proper handling of pop-up windows triggering browsing transition.

  • Fixed issues with link corruption when navigating to an already open Internet Explorer window.

• Migrating capable 32-bit Chrome users to 64-bit Chrome

  To improve stability, performance, and security, users who are currently on the 32-bit version of Chrome and 64-bit Windows with 4 GB or more memory will be automatically migrated to 64-bit Chrome during the Chrome 57 rollout. The 32-bit Chrome will still be available via the Chrome download page.

UI changes

• Revamp first-run and onboarding experience

  We redesigned Chrome's first-run experience in 57. On non-Windows 10 platforms, we display a Material Design page which promotes the Sign in to Chrome feature. For Windows 10, this feature will be launched in the Chrome 58 release.

  

• Requiring explicit user action to enable sideloaded extensions on Mac

  In some instances, Chrome extensions can be bundled with Mac software and added during the software download and installation process.
  
  Extensions that are bundled with Mac applications will be added to Chrome in a disabled state. The user will be prompted to either enable the extension or remove it from Chrome.

  

Deprecations

• chrome://plugins

  The Chrome plugins page was used to allow management of plugin settings within Chrome. But as the web has evolved, there have been fewer plugins to manage over time. In this update, the team moved the controls for the remaining components to a more standard and discoverable location: Chrome's content settings, which can be easily accessed at chrome://settings/content.
  
  A list of where common settings went:

  • Chrome PDF viewer options moved under Privacy  Content settings  PDF documents.
  • Adobe Flash Player options moved under Privacy  Content settings  Flash.
  • Widevine Content Decryption Module (which enables Widevine licenses for playback of HTML audio/video content) can be adjusted under Privacy  Content settings  Protected Content.

• Deprecating insecure certificate types

  Since 56, Chrome has not trusted server certificates that use the insecure SHA-1 hash algorithm if they chain to publicly trusted roots. In Chrome 57, that is also true for enterprise or locally installed roots, unless the EnableSha1ForLocalAnchors policy has been set.
  
  Note that a collision attack has now been demonstrated against SHA-1. This policy should only be enabled after consulting your security team. Read more about setting Chrome policies for devices and SHA-1 Certificates in Chrome.

  Chrome 58 won't consider a certificate's common name when performing trust evaluation and will rely on subject alternative name only, unless the EnableCommonNameFallbackForLocalAnchors policy is set. Turn this policy on only after consulting your security team.

• Distrusting WoSign and StartCom certificates

  Chrome 57 continues to reduce the number of whitelisted sites that can use WoSign or StartCom issued certificates, as Google discontinues trust for these certificates. Learn more in this blog post and on Chromium.org.

To see all of the changes in Chrome 57, visit the commit log.

 

↑ back to top