Chrome Enterprise release notes

Chrome Browser updates

• Drive integration in the address bar

  Rolling out in the coming weeks, users will be able to search for Google Drive files that they have access to from the address bar. Their input will search through both titles and document contents and the most relevant documents based on their history will appear.
  
  This behavior is on by default and can be controlled from the G Suite admin console or by individual users in their Chrome settings, under Sync and Google services. You can see more details in this G Suite announcement.
  

• HTTPS pages will only be able to load secure subresources, with changes from Chrome 79 to Chrome 81

  In Chrome 79, we’re introducing a new setting to unblock mixed content on specific sites. This setting will apply to mixed scripts, iframes, and other types of content that Chrome currently blocks by default. End users can switch this setting by clicking the lock icon on any https:// page and clicking Site Settings. 
  
  In Chrome 80, mixed audio and video resources will be auto-upgraded to https://, and Chrome will block them by default if they fail to load over https://. Users can unblock affected audio and video resources with the setting described above. Also in Chrome 80, mixed images will still be allowed to load, but they will cause Chrome to show a “Not Secure” chip in the omnibox.
  
  In Chrome 81, mixed images will be auto-upgraded to https://, and Chrome will block them by default if they fail to load over https://.
  
  The breaking changes coming in Chrome 80 and 81 will be controllable by enterprise policy.  Enterprise policies to control this feature will be StricterMixedContentTreatmentEnabled which disables autoupgrades for audio and video, and the warning for images, this one will be temporary and we'll remove it on Chrome 84. 
  
  InsecureContentAllowedForUrls/InsecureContentBlockedForUrls will control the setting described above. More information on these changes is available in the Chromium blog. Admins should begin ensuring that resources in pages under their control are fetched over HTTPS. Exceptions can be managed through policy. 

• Better password and phishing protections in Chrome

  For more details on how these work, see this blog post.

  • Users warned if credentials are leaked: Starting in Chrome 79, users will be notified if their credentials are part of a known data breach. The system can detect this without sending plain-text passwords to Google. Administrators will be able to enable or disable this feature for your users using the PasswordLeakDetectionEnabled policy. 

  • Realtime phishing detection: We'll also be offering enhanced protection against quick-changing sites, by inspecting page URLs with Safe Browsing's servers in real-time, resulting in a 30% increase in protections. We will initially be rolling out this protection for users who have already opted into the ‘Make searches and browsing better’ option in Chrome. Enterprises administrators can manage this setting directly using the UrlKeyedAnonymizedDataCollectionEnabled policy.

  • Expanding predictive phishing protection: With this latest release, we’re also expanding Chrome Safe Browsing’s predictive phishing protections to everyone signed in to Chrome, even if they have not enabled Sync. In addition, this feature will now work for all the passwords users have stored in Chrome’s password manager. This protection will not be enabled if users are not signed into Chrome and have not enabled Chrome Password Manager. Administrators can also choose to disable Chrome Safe Browsing using the SafeBrowsingEnabled policy. We discourage doing this as it will disable all built-in anti-abuse protections in Chrome.

• CORS implementation is more secure  

  Chrome is modifying its Cross-Origin Resource Sharing (CORS) implementation to be more secure. As a result, the following changes will be introduced incrementally, starting on January 6th, 2020. This gradual rollout will happen over the following several weeks:

  • Extensions’ webRequest API—Before this change, extensions that have the webRequest permission could modify any network request headers and they would be ignored by the CORS protocol. However, in Chrome 79, the CORS protocol inspects modified headers and will trigger a CORS preflight request to the destination servers when the modified request doesn’t meet the SimpleRequest requirement. If users are using a Chrome extension that’s affected by this change, the extension author will need to update the extension to specify ‘extraHeaders’ in opt_extraInfoSpec, or update the server-side logic to accept the CORS requests correctly. See the Extensions API document for more details.

  • Headers injected by Chrome—Before this change, headers injected by Chrome for a particular enterprise policy didn't trigger the CORS protocol. However, in Chrome 79, this will trigger a CORS preflight request. Server implementations might need to be updated to handle CORS preflight requests.

  If administrators need extra time to adapt to this CORS migration, there are two enterprise policies available. These are temporary policies which will only be available until Chrome 82.

  • CorsLegacyModeEnabled—Enable the old CORS implementation, which is compatible with Chrome 78 and earlier versions. Admins can use this policy to opt-out of this gradual rollout.

  • CorsMitigationList—sets the ‘extraHeaders’ in opt_extraInfoSpec internally so that any extension that is not ready for this CORS migration can work without modifications. Admins can also specify customized headers that should be ignored by CORS checks.

  The OOR-CORS Troubleshooting page will help investigate incompatibility issues and customize these policies.

• Trial of autoupgrade for DNS-over-HTTPS

  The DNS requests of some users will autoupgrade to their DNS provider’s DNS-over-HTTPS (DoH) service if available. During this trial, DoH will be disabled by default for managed devices running Chrome OS and for desktop Chrome Browser instances that are domain joined or have at least one active policy.
  
  You can disable DNS-over-HTTPS for your users with the DnsOverHttpsMode policy. Setting it to "off" will ensure your users are not affected by DoH.

• Click-to-call

  Users will now be able to click on a phone number in Chrome to send it to their Android phone. To send the number, users need to have Chrome Browser installed and be signed in on both devices with the same account. The number is end-to-end encrypted and Google can’t see the contents. You can control this behavior with the ClickToCallEnabled enterprise policy.

• Audio sandbox

  The audio service on Windows will be sandboxed in Chrome 79 for added security. We have seen incompatibilities with certain configurations of AppLocker in Chrome 77, although these have been fixed in Chrome 78. Other similar products might also have issues with the sandbox. If your users have issues with audio playing in Chrome 79, you can disable the audio sandbox using the AudioSandboxEnabled policy.

• New Chrome UI for legacy TLS versions in Chrome 79 and Chrome 81

  The Chrome team recently announced our updated plans around our deprecation and planned removal of legacy TLS versions (TLS 1.0 and 1.1). Starting in January 2020 in Chrome 79, we will mark sites that do not support TLS >=1.2 as "Not Secure" and no longer show the lock icon for them.
  
  In Chrome 81, we will start showing a full-page interstitial warning telling users that the connection is not fully secure. 
  
  If enterprise users have sites affected by these changes and need to opt out, admins can use the existing SSLVersionMin policy to disable the security indicator and interstitial warning on all affected sites. Admins should set it to "tls1" to allow TLS 1.0 and later without additional warnings. This policy will work until January 2021. More details are available in our blog post.

• New policy for controlling memory

  We’re introducing a new policy to give admins more control over Chrome's memory usage, which allows better management of shared virtual sessions. The TotalMemoryLimitMb policy configures the amount of memory that a single Chrome instance can use before starting to discard background tabs. When discarded, the memory used by the tab is freed, and the user will have to reload the tab when switching to it.

  If the policy is set, Chrome will begin to discard tabs to save memory once the user exceeds the limit. However, there is no guarantee that Chrome will always run under the limit—for example, the active tab is never discarded. Any value under 1,024 will be rounded up to 1,024. If this policy is not set, the browser will only attempt to save memory after it has detected that the amount of physical memory on its machine is low (available on Windows and Mac).

• On Linux, server certificate verification will use the built-in certificate verifier instead of NSS

  Chrome on Linux will perform verification of server certificates using the built-in certificate verifier instead of NSS, starting in Chrome 79. The built-in verifier will still use the NSS trust store, so we expect that users won’t see this change. However there are some cases where differences might occur:

  • Certificates with invalid encodings: The built-in verifier is stricter about enforcing spec compliance and might reject some certificates that NSS allowed. This should not affect any publicly trusted certificates, but might affect enterprises with internal PKIs.

  • Directly trusted end-entity (leaf) certificates: The built-in verifier does not support directly marking server certificates as trusted; certificates must be issued by a CA that is trusted.

  The verifier can be toggled using the BuiltinCertificateVerifierEnabled policy, allowing affected enterprises a chance to update their certificate infrastructure if they are affected by the transition. The policy will be supported through Chrome 82 on Linux to give enterprises sufficient time to update and test their infrastructure. Chrome OS switched to the built-in verifier in Chrome 77, and the policy will be supported on that platform through Chrome 80.

• Chrome Browser Cloud Management Reporting Companion is no longer required

  The functionality previously provided by the "Chrome Cloud Management - Reporting Companion" extension has been integrated directly into Chrome. If Admins are using Chrome Browser Cloud Management, some users will no longer see the extension on their fleet when reporting is enabled. It will be completely removed for all users in Chrome 80. No action is required from Admins or their users.

• Chrome Renderer Integrity protects users

  Chrome Renderer Integrity is on by default for users on Microsoft® Windows® 10 version 1511 and later. It prevents unsigned modules from loading in Chrome Browser’s renderer processes that deal with user content to prevent certain types of malicious attacks.

  Chrome 78 enabled this feature, but it was rolled back due to unforeseen incompatibilities with other software. Those issues have been addressed, and this will be rolled out again in Chrome 79. Affected software and mitigations are listed in this support thread.

  To help with any incompatibilities, you can temporarily disable Chrome Renderer Integrity using the RendererCodeIntegrityEnabled policy.

Chrome OS updates

• Continued improvements to Virtual Desks

  With Chrome 79, we are rolling out new improvements for virtual desktops, which are called Virtual Desks in Chrome OS. In Chrome 79, when a user opens a link, it will always open on their current desk. This will help users keep their workspaces separated.

• New Overview mode for tablets
  When in tablet mode, there's an updated Overview mode. It makes it easy to scroll through open windows, and works well on smaller screens. For split screen, just long press on a window to drag it to the left or right side to start split screen. The new Overview is available in tablet mode only on slates, convertibles, and detachables.

• Lock Screen Media Controls

  We are adding media controls to the Chrome OS lock screen. This will allow users to see what is playing and control playback while the device is locked.

• Unified App Management for end users in Settings

  Basic settings and permissions of apps in Chrome OS can now be managed from the new App Management feature, available in Settings. 

• Broader Crostini support for arbitrary ports on localhost

  Previously, web developers using Linux Beta (aka Crostini) could only access local servers in Chrome if they were running on a small number of whitelisted ports. This restriction has been lifted, and now it no longer matters what port the local server is using.

• Printing Metrics API

  New printingMetrics API is now available for forced installed extensions to see a managed user’s print history when printing to a native printer.

• SAML default on for Enterprise

  Currently, SAML SSO is deactivated for Chromebooks by default. This means that if you are using a SAML provider your users are able to access their accounts and their G Suite services on any device other than a Chromebook. From January 2020, we will activate SAML SSO for Chromebooks of new accounts, meaning your users will no longer be restricted to non-Chrome OS devices.

• Simplifying the Out of Box experience for Android apps

  Currently, Google Play is deactivated by default. When activated, the Managed mode, which allows you to restrict the apps that users can install, is selected by default. Starting on December 2, 2019, we activated Google Play by default in All Access Mode (for all managed accounts, except Education users). This means that enterprise users will be granted full access to the managed Google Play store; allowing them to search and install any app on their Chrome devices, including apps administrators haven’t approved. 

Admin Console updates

• New managed guest session settings page rolling out soon

  The new managed guest session settings page is rolling out and will be available for all customers soon. The new page features a redesigned search interface, more information about policy inheritance, and a few new policies. 
  

• Remote configuration of driverless printers
  Driverless printers are now supported from the Printer Management page in the Admin console. Administrators can now remotely assign printers that rely on auto discovery (using IPP to query the printer and set job attributes for the print job) to connect. Previously, only PPD based printers could be configured from the admin console.

• Initiate remote desktop connection for kiosk devices from Admin console
  IT admins can now remotely initiate a Chrome Remote Desktop connection into a kiosk device and take control of the device for support and troubleshooting from the Device Details page in the Admin console.

New and updated policies (Chrome Browser and Chrome OS)

Policy	Description
AudioSandboxEnabled Browser Only	Allow the audio sandbox to run. If third-party software is interfering with Chrome's audio, setting this policy to false may resolve the issue.
ClickToCallEnabled	Enable the Click to Call feature which allows users to send phone numbers from Chrome Desktops to an Android device when the user is Signed-in.
CorsLegacyModeEnabled	Use the legacy CORS implementation rather than new CORS
CorsMitigationList	Enable CORS check mitigations in the new CORS implementation
DefaultInsecureContentSetting	Control use of insecure content exceptions
ExternalProtocolDialogShowAlwaysOpenCheckbox Browser Only	Show an "Always open" checkbox in external protocol dialog
InsecureContentAllowedForUrls	Allow insecure content on these sites
InsecureContentBlockedForUrls	Block insecure content on these sites
LegacySameSiteCookieBehaviorEnabled	Default legacy SameSite cookie behavior setting
LegacySameSiteCookieBehaviorEnabledForDomainList	Revert to legacy SameSite behavior for cookies on these sites
SharedClipboardEnabled	Enable the Shared Clipboard Feature
TLS13HardeningForLocalAnchorsEnabled	Enable a TLS 1.3 security feature for local trust anchors
WebRtcLocalIpsAllowedUrls	URLs for which local IPs are exposed in WebRTC ICE candidates

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• SyncTypesListDisabled policy in Chrome 80

  Chrome users have the ability to granularly enable or disable each type of sync data. In Chrome 80, this control will also be an enterprise policy, so that admins can control the sync types across their organization.

• PaymentMethodQueryEnabled in Chrome 80

  We are working on an enterprise policy that allows you to set whether websites are allowed to check if your user has payment methods saved. If the setting is enabled or not set, then websites are allowed to check if the user has payment methods saved. If this policy is set to disabled, websites that use PaymentRequest.canMakePayment or PaymentRequest.hasEnrolledInstrument API will be informed that no payment methods are available.

• Tab freezing on desktop in Chrome 80

  Chrome 80 will introduce a new feature to save memory, CPU, and battery for Windows, Mac, Linux, and Chrome OS. Tabs that have been in the background for 5 minutes or more will be frozen, as long as Chrome detects that they are freezable (such as not playing audio). Frozen pages are not able to run any tasks. Web developers can opt their pages out of freezing with an origin trial. You will be able to disable this behavior with the TabFreezingEnabled policy.

• Pop-ups and synchronous XHR requests not allowed on page unload in Chrome 80

  Pop-ups and synchronous XHR requests won’t be allowed on page unload. This change will improve page load time and make code paths simpler and more reliable. If you encounter incompatibilities with legacy software, you will be able to revert to behavior matching Chrome 79 and earlier using the following policies, which will be available until Chrome 82:

  • Allow pop-ups on page unload: AllowPopupsDuringPageUnload

  • Allow synchronous XHRs on page unload: AllowSyncXHRInPageDismissal

• FTP support will be removed in Chrome 80

  FTP won’t be directly supported in Chrome Browser. Your users should use a native FTP client instead. To help with the transition, you will be able to use the FTPProtocolSupport policy to temporarily re-enable FTP until Chrome 82.

• Updates to cookies with SameSite in Chrome 80

  Starting in Chrome 80 on the Stable channel, cookies that don’t specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None. The attributes must also be marked Secure and delivered over HTTPS.
  
  This new behavior will also take effect in Chrome 79 on the Beta channel only. Because this change might be disruptive, we recommend you test critical sites on the Chrome 79 Beta channel, which will be available starting Oct. 31. See instructions for testing.
  
  You will be able to revert to the legacy cookie behavior using policies, starting in Chrome 79 in Beta. You can specify trusted domains using LegacySameSiteCookieBehaviorEnabledForDomainList or control the global default with LegacySameSiteCookieBehaviorEnabled. For more details, visit Cookie Legacy SameSite Policies.

• Tab groups will be introduced in Chrome 80

  Starting in Chrome 80, some users will be able to organize their tabs by grouping them on the tab strip. Each group can have a color and a name, to help your users keep track of their different tasks and workflows. A wider rollout is planned for Chrome 81.

• Web Components v0 removed in Chrome 80

  The Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were supported only by Chrome Browser. To ensure interoperability with other browsers, late last year, we announced that these v0 APIs were deprecated and will be removed in Chrome 80.  You can find more information in the Web Components update.
  
  If you need additional time to adjust to this removal, you will be able to use the WebComponentsV0Enabled policy to re-enable web components v0 for a limited time.

• Policy to block external extensions in Chrome 80

  In Chrome 80, you will be able to use the BlockExternalExtensions enterprise policy to stop external extensions from being installed on your fleet. It will not block kiosk apps, or extensions provided by recommended policies.

• TLS 1.3 hardening measure implemented in Chrome 81

  TLS 1.3 includes a hardening measure to strengthen the protocol’s protections against a downgrade to TLS 1.2 and earlier. This measure is backward compatible and doesn’t require that proxies support TLS 1.3. It only requires that proxies correctly implement TLS 1.2. However, last year, we had to partially disable this measure due to bugs in some noncompliant, TLS-terminating proxies.
  
  The following list contains the minimum firmware versions for affected products that we're aware of:
  
  Palo Alto Networks:

  • PAN-OS 8.1 must be upgraded to 8.1.4 or later.
  • PAN-OS 8.0 must be upgraded to 8.0.14 or later.
  • PAN-OS 7.1 must be upgraded to 7.1.21 or later.

  Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):

  • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later.
  • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later.
  • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later.

  Starting in Chrome 79, you will be able to opt in to the new measure to test it and confirm if your proxy is affected, using the TLS13HardeningForLocalAnchorsEnabled policy. If you encounter problems, you should upgrade affected proxies to fixed versions.

  Starting in Chrome 81, the new measure will become the default. However, you will be able to use the same policy to opt out if you need extra time to upgrade affected proxies. This proxy will be available until Chrome 86.

• Shared clipboard between computers and Android devices in Chrome 81
  Users will have the option to share their clipboard content between their computers and Android devices. To share, they need to have Chrome Browser installed, be signed in on both devices with the same account, and have Chrome sync enabled. 
  
  The text is end-to-end encrypted, and Google can’t see the contents. This feature will be controllable with the SharedClipboardEnabled policy.

Upcoming Chrome OS changes

• Adding print server support for CUPS

  We’re working on a feature to add support for Common UNIX Printing System (CUPS) printing from print servers on Chrome OS. You and your users will be able to configure connections to external print servers and print from the printers on servers using CUPS.

• Updates for USB devices with Linux

  From the Chrome shell (crosh), you’ll be able to attach a USB device to Linux apps running on a Chromebook so that Linux apps can access the Linux instance.

Upcoming Google Admin console changes

• Managed guest session support for managed Google Play

  A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

• Update blackout windows
  The DeviceAutoUpdateTimeRestrictions policy will be in the Admin console. This policy allows admins to set time blocks when automatic update checks are not to be performed.  This policy only affects devices configured to auto-launch a kiosk app.

Chrome Browser updates

• Drive integration in the address bar

  Rolling out in the coming weeks, users will be able to search for Google Drive files that they have access to from the address bar. Their input will search through both titles and document contents and the most relevant documents based on their history will appear.
  
  
  This behavior is on by default and can be controlled with the "Google Drive search suggestions" setting in the G Suite admin console.

• Flags are being cleaned up starting in Chrome 78

  Many flags in chrome://flags will be removed in upcoming Chrome versions, starting with Chrome 78. As a reminder, don’t use flags to configure Chrome Browser because they’re not supported. Instead, configure Chrome Browser for your enterprise or organization using policies.

• Shared clipboard between computers and Android devices

  A limited number of users might see the option to share their clipboard content between their computers and Android devices. To share, they need to have Chrome installed, sign in on both devices with the same account, and enable Chrome Sync.
  
  The text is end-to-end encrypted, and Google can’t see the contents.
  
  This functionality will be released to all users in a future version of Chrome. In the full release, admins will be able to control it with an enterprise policy.

• Forward a call from Chrome Browser to your Android device

  Users will now be able to highlight and right-click a phone number link in Chrome Browser and forward the call to their Android device.

• Chrome Renderer Integrity protects users

  Chrome Renderer Integrity is on by default for users on Microsoft® Windows® 10 version 1511 and later. It prevents unsigned modules from loading in Chrome Browser’s renderer processes that deal with user content to prevent certain types of malicious attacks.

  Note: There is a known incompatibility between Chrome Renderer Integrity and old versions of Symantec® Endpoint Protection® (14.0.3929.1200 and earlier). We recommend updating to the latest version of Symantec Endpoint Protection (14.2 or later). For a download of the latest version or more details, refer to the Symantec documentation. To help with any incompatibilities, you can temporarily disable Chrome Renderer Integrity using the RendererCodeIntegrityEnabled policy.

• Atomic policy groups introduced

  Some admins set policies from multiple sources, but need policies that are tightly coupled to all be set together. For example, you might want all of your extension management policies to be applied from the same source to ensure they're working together as planned.
  
  To achieve this, some policies have been regrouped based on atomic policy groups. You can enable atomic policy groups using PolicyAtomicGroupsEnabled. If you do, policies in a single group will all be forced to set their behavior from the same source—the one with the highest priority.
  
  You can see whether there are any conflicting policies from different sources at chrome://policy. If you have multiple policies in the same policy group from different sources, this feature will affect them. For more details, see Atomic Policy Groups and Understand Chrome policy management.

• ExtensionAllowInsecureUpdates policy is no longer supported

  From Chrome 78, the policy to allow extensions to update using the previous CRX2 packaging will no longer work. All extensions will need to be packaged in the new CRX3 format to ensure secure delivery of updates to your browsers and devices.

• Windows 8-specific welcome page removed

  We have removed the Windows 8-specific welcome page, along with support for the distribution.suppress_first_run_default_browser_prompt master_preferences setting. For more about master preferences, see Use master preferences for Chrome Browser.

• Legacy Browser Support is integrated; the extension is no longer required

  We have integrated Legacy Browser Support functionality directly into Chrome. As a result, you no longer need the Legacy Browser Support extension and no further updates will be provided for the extension. Admins can deploy the integrated version of the Legacy Browser support policy and manage it either through GPO or Chrome Browser Cloud Management’s User Settings.

• Update to Chrome 78

  On October 31, we communicated a known vulnerability in Chrome 78. This previous version of Chrome has now been updated to 78.0.3904.87, which resolves the issue. As always, you should ensure Chrome is updated and is running on an updated operating system.

Chrome OS updates

• Virtual Desks

  Virtual Desks will arrive on Chrome OS in Chrome 78. Users can now create up to 4 separate work spaces to help them focus on a single project or quickly switching between multiple sets of windows. Users can create their first desk by opening Overview  and tapping New Desk.

• Wake from sleep on USB attach for docking use cases
  
  Chromebook users in an office or home office environment often use some combination of peripherals along with a USB-C+Display docking station to work more productively.  This feature will make the transition from sleeping mode directly into a docked mode with external monitors smooth for the user, removing the requirement to wake by lid open.

• Crostini backup & restore

  Users of Linux apps on a Chromebook can now easily back up all of their apps and files. The backup can be saved to their Chromebook’s local storage, an external drive, or Google Drive. They can then restore that backup on the same machine to return to a previous state or on a different machine to bring their whole workspace with them.

• Crostini GPU support on by default

  Linux apps will now be able to use the GPU to provide a crisp, lower-latency experience.

• Crostini IME/VK warning

  Linux apps do not yet support certain input methods (IMEs) or the virtual keyboard when in tablet mode. This feature will display a message warning if users if they try to use a Linux app with an unsupported input method or the virtual keyboard.

• Files app Visual Signals UX update

  We have implemented visual improvements to the Files app progress center, moving the information from the lower left-hand corner to a feedback area in the main window of the app. If appropriate, Admins should update their internal support documentation to reflect the new UI.

• Update printer setting landing page UI

  The printer settings page has been updated to streamline the printer setup experience. Users can now view available printers on the landing page and save printers (compatible with IPP/IPPS) with one click.

• ChromeVox Dynamic Rich Text Output

  There is now an option in ChromeVox that supports the ability to announce text styling.  Users have the ability to enable and disable this feature through the ChromeVox Options page.

• Chrome OS and Chrome Browser settings split

  Settings on Chrome OS now have a more native OS settings experience housed in the Settings app (available through App Launcher or  in the Quick Settings menu), with Chrome Browser settings available through More in the top-right corner of the app (or at chrome://settings in the address bar). If you block Chrome Browser settings by URL (chrome://settings), you might also want to block the new URL for Chrome OS settings (chrome://os-settings).

• YouTube Picture in Picture on ARC++

  Picture in Picture (PiP) is now available with the YouTube Android app. This allows users to watch a video while doing other tasks, such as taking notes during a meeting.

New and updated policies (Chrome Browser and Chrome OS)

Policy	Description
PasswordLeakDetectionEnabled	Enable leak detection for entered credentials
PolicyAtomicGroupsEnabled	Enables the concept of policy atomic groups
RendererCodeIntegrityEnabled Windows Only	Enable Renderer Code Integrity
HSTSPolicyBypassList	List of names that will bypass the HSTS policy check
AllowSyncXHRInPageDismissal	Allows a page to perform synchronous XHR requests during page dismissal

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• Trial of autoupgrade for DNS-over-HTTPS in Chrome 79

  The DNS requests of some users will autoupgrade to their DNS provider’s DNS-over-HTTPS (DoH) service if available. During this trial, DoH will be disabled by default for managed devices running Chrome OS and for desktop Chrome Browser instances that are domain joined or have at least one active policy.
  
  You can disable DNS-over-HTTPS for your users with the DnsOverHttpsMode policy. Setting it to "off" will ensure your users are not affected by DoH.

• Users warned if credentials are leaked in Chrome 79

  We will notify users if their credentials are part of a known data breach. The system can detect this without sending plain-text passwords to Google. You will be able to enable or disable this feature using the PasswordLeakDetectionEnabled policy.

• New policy for controlling memory will be introduced in Chrome 79

  We’ll introduce a new policy to give admins more control over Chrome's memory usage. It configures the amount of memory that a single Chrome instance can use before starting to discard background tabs. When discarded, the memory used by the tab is freed, and the user will have to reload the tab when switching to it. If the policy is set, Chrome will begin to discard tabs to save memory once the user exceeds the limit. However, there is no guarantee that the browser is always running under the limit. (For example, the active tab is never discarded.) Any value under 2,048 will be rounded up to 2,048. If this policy is not set, the browser will only attempt to save memory after it has detected that the amount of physical memory on its machine is low (available on Windows and Mac).

• Tab freezing will be introduced in Chrome 79 on the desktop

  Chrome 79 will introduce a new feature to save memory, CPU, and battery for Windows, Mac, Linux, and Chrome OS. Tabs that have been in the background for 5 minutes or more will be frozen, as long as Chrome detects that they are freezable (such as not playing audio). Frozen pages are not able to run any tasks. Web developers can opt their pages out of freezing with an origin trial.
  
  You will be able to disable this behavior with the TabFreezingEnabled policy.

• New Chrome UI for legacy TLS versions in Chrome 79 and Chrome 81

  Chrome recently announced our updated plans around our deprecation and planned removal of legacy TLS versions (TLS 1.0 and 1.1). Starting on January 13, 2020 in Chrome 79, we will mark sites that use TLS 1.0 or 1.1 as "Not Secure" and no longer show the lock icon for them.
  
  In Chrome 81, we will start showing a full-page interstitial warning telling users that the connection is not fully secure.
  
  If enterprise users have sites affected by these changes and need to opt out, admins can use the existing SSLVersionMin policy to disable the security indicator and interstitial warning on all affected sites. Admins should set it to "tls1" to allow TLS 1.0 and later without additional warnings. This policy will work until January 2021.

• CORS implementation will be more secure in Chrome 79

  We will switch CORS implementation to be more secure and strict. As a result, the following behavior changes will be introduced:
  
  Behavior changes on Extensions’ webRequest API — Before this change, extensions that have the webRequest permission can modify any network request headers and they’re ignored by CORS protocol. But after Chrome 79, the CORS protocol inspects modified headers and will trigger CORS preflight request to the destination servers when the modified request doesn’t meet the SimpleRequest requirement. Response header modifications also couldn’t deceive the CORS checks. Additionally, webRequest API will stop seeing Origin header. Extensions can specify ‘extraHeaders’ in opt_extraInfoSpec to keep the original behaviors. If enterprise users are using a Chrome extension that’s affected by this change, one of the following changes will need to be made:

  • Ask the Extension author to upgrade the extension to specify ‘extraHeaders’ in opt_extraInfoSpec.

  • Update the server-side logic to accept the CORS requests correctly. See the Extensions API document for more details.

  Behavior changes for headers injected by Chrome — Before this change, headers injected by Chrome for a particular enterprise policy didn't trigger the CORS protocol. But after this change, it will start to be verified by the CORS protocol and will trigger CORS preflight requests. Server implementations might need to be updated to handle CORS preflight requests.

• Shared clipboard between computers and Android devices in Chrome 79

  Users will have the option to share their clipboard content between their computers and Android devices. To share, they need to have Chrome Browser installed, be signed in on both devices with the same account, and have Chrome sync enabled.
  
  The text is end-to-end encrypted, and Google can’t see the contents. This feature will be controllable with an enterprise policy.

• Audio sandbox in Chrome 79

  The audio service on Windows will be sandboxed in Chrome 79 for added security. We have seen incompatibilities with certain configurations of AppLocker in Chrome 77, although these have been fixed in Chrome 78. Other similar products might also have issues with the sandbox. If your users have issues with audio playing in Chrome 79, you can disable the audio sandbox with the AudioSandboxEnabled policy.

• HTTPS pages will only be able to load secure subresources, with changes from Chrome 79 to Chrome 81

  In Chrome 79, we’ll introduce a new setting to unblock mixed content on specific sites. This setting will apply to mixed scripts, iframes, and other types of content that Chrome currently blocks by default. Users can switch this setting by clicking on any https:// page and clicking Site Settings.

  In Chrome 80, mixed audio and video resources will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Users can unblock affected audio and video resources with the setting described above. Also in Chrome 80, mixed images will still be allowed to load, but they will cause Chrome to show a “Not Secure” chip in the omnibox.

  In Chrome 81, mixed images will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://.

  More information on these changes is available in the Chromium blog.

• On Linux, server certificate verification will use the built-in certificate verifier instead of NSS, starting in Chrome 79

  Chrome on Linux will perform verification of server certificates using the built-in certificate verifier instead of NSS, starting in Chrome 79.  The built-in verifier will still use the NSS trust store, so we expect that users won’t see this change change. However there are some cases where differences might occur:

  • Certificates with invalid encodings: The built-in verifier is stricter about enforcing spec compliance and might reject some certificates that NSS allowed. This should not affect any publicly trusted certificates, but might affect enterprises with internal PKIs.
  • Directly trusted end-entity (leaf) certificates: The built-in verifier does not support directly marking server certificates as trusted; certificates must be issued by a CA that is trusted.
  The verifier can be toggled using the BuiltinCertificateVerifierEnabled enterprise policy, allowing affected enterprises a chance to update their certificate infrastructure if they are affected by the transition. The policy will be supported through Chrome 82 on Linux to give enterprises sufficient time to update and test their infrastructure. Chrome OS switched to the built-in verifier in Chrome 77, and the policy will be supported on that platform through Chrome 80.
• Ambient authentication disabled by default in Incognito mode in Chrome 80

  Ambient authentication (NTLM/Kerberos) will be disabled by default in Incognito mode. You will be able to use a policy to revert to the old behavior and allow ambient authentication.

• Pop-ups and synchronous XHR requests not allowed on page unload in Chrome 80

  Note: These changes were originally planned for Chrome 78.
  
  Pop-ups and synchronous XHR requests won’t be allowed on page unload. This change will improve page load time and make code paths simpler and more reliable. If you encounter incompatibilities with legacy software, you will be able to revert to behavior matching Chrome 79 and earlier using the following policies, which will be available until Chrome 82:

  • Allow pop-ups on page unload: AllowPopupsDuringPageUnload
  • Allow synchronous XHRs on page unload: AllowSyncXHRInPageDismissal
     
• FTP support will be removed in Chrome 80

  FTP won’t be directly supported in Chrome Browser. Your users should use a native FTP client instead. To help with the transition, you will be able to use the FTPProtocolSupport policy to temporarily re-enable FTP until Chrome 82.

• TLS 1.3 hardening measure implemented in Chrome 81

  TLS 1.3 includes a hardening measure to strengthen the protocol’s protections against a downgrade to TLS 1.2 and earlier. This measure is backward-compatible and does not require that proxies support TLS 1.3. It only requires that proxies correctly implement TLS 1.2. However, last year, we had to partially disable this measure due to bugs in some non-compliant, TLS-terminating proxies.
  
  The following list contains the minimum firmware versions for affected products that we're aware of:
  
  Palo Alto Networks:

  • PAN-OS 8.1 must be upgraded to 8.1.4 or later
  • PAN-OS 8.0 must be upgraded to 8.0.14 or later
  • PAN-OS 7.1 must be upgraded to 7.1.21 or later
  
  Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):
  • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later
  • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later
  • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later
     

  Starting in Chrome 79, you will be able to opt in to the new measure to test it and confirm if your proxy is affected, using the TLS13HardeningForLocalAnchorsEnabled policy. If you encounter problems, you should upgrade affected proxies to fixed versions.

  Starting in Chrome 81, the new measure will become the default. However, you will be able to use the same policy to opt out if you need extra time to upgrade affected proxies. This proxy will be available until Chrome 86.

• Updates to cookies with SameSite in Chrome 80

  Starting in Chrome 80 on the Stable channel, cookies that don't specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None. The attributes must also be marked Secure and delivered over HTTPS.
  
  This new behavior will also take effect in Chrome 79 on the Beta channel only. Because this change might be disruptive, we recommend you test critical sites on the Chrome 79 Beta channel, which will be available starting Oct. 31. See instructions for testing.
  
  You will be able to revert to the legacy cookie behavior using policies, starting in Chrome 79 in Beta. You can specify trusted domains using LegacySameSiteCookieBehaviorEnabledForDomainList or control the global default with LegacySameSiteCookieBehaviorEnabled. For more details, visit Cookie Legacy SameSite Policies.

• Tab groups will be introduced in Chrome 80
  
  Users will be able to organize their tabs by grouping them on the tab strip. Groups can have colors and names. They’ll help your users keep track of their different tasks and workflows.

• Web Components v0 removed in Chrome 80

  The Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were supported only by Chrome Browser. To ensure interoperability with other browsers, late last year, we announced that these v0 APIs were deprecated and will be removed in Chrome 80. You can find more information in the Web Components update.

Upcoming Chrome OS changes

• Adding print server support for CUPS

  We’re working on a feature to add support for Common UNIX Printing System (CUPS) printing from print servers on Chrome OS. You and your users will be able to configure connections to external print servers and print from the printers on servers using CUPS.

• Updates for USB devices with Linux

  From the Chrome shell (crosh), you’ll be able to attach a USB device to Linux apps running on a Chromebook so that Linux apps can access the Linux instance.

Upcoming Google Admin console changes

• Managed guest session support for managed Google Play

  A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

  Device host name in DHCP requests

  You will be able to configure the device host name used during DHCP requests, including variable substitutions for ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, and ${MACHINE_NAME}.

Admin console updates

• Faster and simpler Admin console for Chrome Enterprise

  We’ve rolled out a major redesign of the Google Admin console for Chrome Enterprise administrators.  Expect to see improvements in page load times, a new unified app-management page for managing Android, Chrome, and web apps together, and many new policies. For details, see the Admin Insider blog.

• Prevent password reuse

  In the Admin console, you can now specify the URL where users are redirected to change their password if they reuse it on a non-whitelisted website or are a victim of phishing. If this policy is unset, users are directed to their Google Account sign-in page to change their password. For details, see Prevent password reuse and read more in our white paper.

• New default policies for printing (CUPS)

  New native print policies help you manage your users’ printing options more closely—set defaults and restrictions on duplex and color.

• Unified native printer management (CUPS)

  Use a new interface for managing thousands of native (CUPS-based) printers for users, devices, and managed guests. The 20-printer maximum cap has been raised to allow for thousands of printers for each organizational unit in the Google Admin console. Support has also been extended beyond user policy to include device and managed guest policy.

Chrome Browser updates

• Site isolation improvements

  Chrome Browser now protects cross-site data, such as cookies and HTTP resources, in attacker-controlled websites. Site isolation works even if an attacker finds a bug in an untrusted renderer process and tries to execute arbitrary code in it.
  
  Site isolation will also now be enabled on some Android devices to protect websites and data where mobile users enter passwords.

• Legacy Browser Support updates

  You can now define the URL of an XML file that will never trigger a browser switch using the BrowserSwitcherExternalGreylistUrl policy with Legacy Browser Support. You can also use the new chrome://browser-switch/internals page to verify that Legacy Browser Support rules are being followed. Please try it out and send feedback.

• The First Run Experience has been updated

  Chrome Browser now has a new flow to welcome users, get them set up with popular Google services, and set a default web browser. You can disable the new flow with the PromotionalTabsEnabled policy.

• Launch guest browsing by default

  You can now immediately launch Chrome Browser in guest browsing mode using the --guest command line flag or the new BrowserGuestModeEnforced policy. With guest browsing, browsing activity is not written to the disk and does not persist between browser sessions.

Chrome OS updates

• More secure built-in certificate verifier

  Updates to the certificate verifier now provide better isolation of trust settings between different contexts. Users with valid certificates should not have any issues. In rare instances, the legacy Network Security Services (NSS) implementation tolerated some classes of invalid certificates which are now no longer tolerated. You can issue new, valid certificates or contact Chrome Enterprise support for help. 

• User account and file name in IPP Header

  If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header over a secure IPPS connection. This added functionality will provide additional information about a print job that enables third-party printing features, such as secure printing and print-usage tracking. 

• Automatic shutdown after extended standby

  With Linux kernel 4.4 and later, devices will automatically go from standby to shutdown after 3 days to increase battery life. To find the kernel version, go to chrome://system and search for uname. The kernel version is the first set of digits. 

• HD copy-protected content support for ARC++ apps

  In Android apps, you can now play high-definition (HD) copy protected HDMI 1.4 content. This update is useful for externally connected displays, such as televisions. 

• Volume control based on orientation for convertibles

  On devices running Chrome OS, the volume button on the top or right will always increase the volume, whether the device is in laptop mode or tablet mode. 

• Chromebook accessibility enhancements with Automatic Clicks

  Automatic Clicks remove the need to physically click the touchpad or mouse. Instead, you can point to an  item and the Chromebook will click, right-click, left-click, or drag for you after a certain amount of time. With Chrome 77, you can now point to an item and the device will automatically scroll up, down, left, or right. For details, see Turn on Chromebook accessibility features. 

• Enhanced formatting support of external drives

  When formatting a FAT32, exFAT, or NTFS external drive, users will now be able to pick a file system and label for their drive. 

• Chrome OS file selector now the default for Android apps

  For a consistent user experience, Android apps now open the Chrome OS file selector. This change provides a consistent file-selection experience across apps. 

New and updated policies (Chrome Browser and Chrome OS)

Policy	Description
BrowserGuestModeEnforced	Enforces guest browsing mode when a user launches Chrome Browser
SafeBrowsingRealTimeLookupEnabled	Checks Safe Browsing reputation of visited URLs in real time
UserFeedbackAllowed	Allows users to send feedback to Google

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• G Suite add-ons and extensions moving to G Suite Marketplace

  In the coming weeks, all G Suite apps and extensions will be moved from the Chrome Web Store to the G Suite Marketplace. Developers need to migrate their unmigrated add-ons so that new users can install them. Existing users can continue to use unmigrated add-ons. However, if they uninstall Google Docs Editor add-ons or Google Drive apps, they will not be able to reinstall them. And, if an existing user creates a template with one of the add-ons, users who do not already have the add-on installed will not be able to use the add-on in the template. Have your developers review the background and what they need to do. To check whether an add-on has been migrated, search for it in the G Suite Marketplace. For details on the move to the G Suite Marketplace, see the Google Cloud blog.

• ExtensionAllowInsecureUpdates policy will stop working in Chrome 78

  The policy to allow extensions to update using the previous CRX2 packaging will stop working in Chrome 78, as previously communicated. In Chrome 78, all extensions must be repackaged into the new CRX3 format to ensure secure delivery of updates to your browsers and devices. 

• Trial of auto-upgrade for DoH in Chrome 78

  Starting in Chrome 78, the DNS requests of some users will auto-upgrade to their DNS provider’s DNS-over-HTTPS (DoH) service if available. DoH will be disabled by default for managed devices running Chrome OS and for desktop Chrome Browser instances that are domain joined or have at least one active policy. A new group policy, DnsOverHttpsMode, will also be available. Setting it to "off" will ensure users are not affected by DoH.

• Pop-ups and synchronous XHR requests not allowed on page unload in Chrome 78

  Starting in Chrome 78, pop-ups and synchronous XHR requests will not be allowed on page unload. This change will improve page load time and make code paths simpler and more reliable. While disruption is expected to be minimal, you will be able to revert to behavior matching Chrome 77 and below using the following policies, which will be available until Chrome 82:

  • Allow popups on page unload: AllowPopupsDuringPageUnload
  • Allow synchronous XHRs on page unload: AllowSyncXHRInPageDismissal

• Flags will be cleaned up starting in Chrome 78

  Many flags in chrome://flags will be removed in upcoming Chrome versions, starting with Chrome 78. As a reminder, flags should not be used to configure Chrome Browser because they’re not supported. Instead, configure Chrome Browser for your enterprise or organization using policies.

• Atomic policy groups introduced in Chrome 78

  To ensure predictable behavior from policies that are tightly coupled together, some policies will be regrouped based on atomic policy groups. If you enable atomic policy groups,  policies in a single group will all be forced to set their behavior from the same source—the one with the highest priority.
  
  If you set policies from multiple sources, such as the Admin console and the Group Policy Management Editor, you will be able to enable atomic policy groups in Chrome 78. You can also see if there are any conflicting policies at chrome://policy. If you have multiple policies in the same policy group from different sources, they will be affected by this change. For more details, see Atomic Policy Groups and Understand Chrome policy management.

• Users warned if credentials are leaked in Chrome 78

  Beginning in Chrome 78, users will be notified if their credentials are part of a known data breach. This detection occurs without plain-text passwords being sent to Google. You will be able to enable or disable this feature using the PasswordLeakDetectionEnabled policy.

• Chrome Renderer Integrity to protect users in Chrome 78

  In Chrome 78, Chrome Renderer Integrity will be enabled by default for users on Microsoft® Windows® 10 version 1511 and later. It prevents loading of unsigned modules in Chrome Browser’s renderer processes that deal with user content to prevent certain types of malicious attacks.
  
  Note: There is a known incompatibility between Chrome Renderer Integrity and old versions of Symantec® Endpoint Protection® (14.0.3929.1200 and below). We recommend updating to the latest version of Symantec Endpoint Protection (14.2 or above). For a download of the latest version or more details, refer to the Symantec documentation. To help with any incompatibilities, you can temporarily disable Chrome Renderer Integrity.

• Send a call from Chrome Browser to your Android device in Chrome 78

  In Chrome 78, users will be able to highlight and right-click a phone number link in Chrome Browser and send the call to their Android device.

• Windows 8-specific welcome page removed in Chrome 78

  The Windows 8-specific welcome page will be removed in Chrome 78. Support for the distribution.suppress_first_run_default_browser_prompt master_preferences setting will be removed as well. For more about master preferences, see Use master preferences for Chrome Browser.

• Ambient authentication disabled by default in Incognito mode in Chrome 79

  Starting in Chrome 79, ambient authentication (NTLM/Kerberos) will be disabled by default in Incognito mode. You will be able to use a policy to revert to the old behavior and allow ambient authentication.

• FTP support removed in Chrome 80

  Beginning in Chrome 80,  FTP will not be directly supported in Chrome Browser. Your users should use a native FTP client instead. To help with the transition, you will be able to use the FTPProtocolSupport policy to temporarily re-enable FTP until Chrome 82.

• TLS 1.3 hardening measure implemented in Chrome 80

  TLS 1.3 includes a hardening measure to strengthen the protocol’s protections against a downgrade to TLS 1.2 and earlier. This measure is backward-compatible and does not require that proxies support TLS 1.3. It only requires that proxies correctly implement TLS 1.2. However, last year, we had to partially disable this measure due to bugs in some non-compliant, TLS-terminating proxies.
  
  Starting in Chrome 78, you will be able to opt in to the new measure to test it and confirm if your proxy is affected. The following list contains the minimum firmware versions for affected products that we're aware of:
  
  Palo Alto Networks:

  • PAN-OS 8.1 must be upgraded to 8.1.4 or later
  • PAN-OS 8.0 must be upgraded to 8.0.14 or later
  • PAN-OS 7.1 must be upgraded to 7.1.21 or later
  
  Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):
   
  • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later
  • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later
  • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later

  
  You should upgrade affected proxies to fixed versions.

  Starting in Chrome 80, the new measure will become the default. However, you  can use a policy to opt out if you need extra time to upgrade affected proxies.

• Updates to cookies with SameSite in Chrome 80

  Starting in Chrome 80, cookies that do not specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None. The attributes must also be marked Secure and delivered over HTTPS. We will provide policies if you need to configure Chrome Browser to temporarily revert to legacy SameSite behavior.

• Web Components v0 removed in Chrome 80

  The Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were supported only by Chrome Browser. To ensure interoperability with other browsers, late last year, we announced that these v0 APIs were deprecated and will be removed in Chrome 80. You can find more information in the Web Components update.

• Drive integration in the address bar

  In the future, users will be able to search for Google Drive files that they have access to from the address bar. If you have G Suite Business, Enterprise, or Enterprise for Education, you can apply for the beta program. For more details and to apply, see Search Google Drive files in Chrome URL bar BETA.

 

Upcoming Chrome OS changes

• Chrome OS and Chrome Browser settings split in Chrome 78

  Starting in Chrome 78, Chrome OS settings will be in a new window and use a new URL that’s separate from Chrome Browser settings. If you block Chrome Browser settings by URL (chrome://settings), you might also want to block the new URL for Chrome OS settings, which is chrome://os-settings.

• Adding print server support for CUPS

  We’re working on a feature to add support for Common UNIX Printing System (CUPS) printing from print servers on Chrome OS. You and your users will be able to configure connections to external print servers and print from the printers on servers using CUPS.

• Updates for USB devices with Linux

  From the Chrome shell (crosh), you’ll be able to attach a USB device to Linux apps running on a Chromebook so that Linux apps can access the Linux instance.

Upcoming Google Admin console changes

• Managed guest session support for managed Google Play

  A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

• Device host name in DHCP requests

  You will be able to configure the device host name used during DHCP requests, including variable substitutions for ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, and ${MACHINE_NAME}.​

Chrome Browser updates

• Flash blocked by default in Chrome 76

  As communicated in the Chromium Flash Roadmap, Adobe^® Flash^® will be blocked by default in Chrome 76. Administrators can manually switch back to ASK ("Dialog to Ask first before running Flash") before running Flash. This change won’t impact existing policy settings for Flash. IT admins can still control Flash behavior using DefaultPluginsSetting, PluginsAllowedForUrls, and PluginsBlockedForUrls. For more details, see the Flash Roadmap.

• All privately hosted extensions must be packaged with CRX3 format in Chrome 76.

  This change was originally planned for Chrome 75, but we delayed it to Chrome 76 to allow more time for customer transition. It was originally announced in the Chrome 68 release notes.
  
  CRX2 uses SHA1 to secure updates to a Chrome extension. Breaking SHA1 is technically possible, which allows attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.
  
  Starting with Chrome 76, all force-installed extensions will need to be packaged in the CRX3 format. For details on temporarily enabling CRX2, see ExtensionAllowInsecureUpdates. This policy is only meant to provide extra time to repackage extensions, and will stop working in Chrome 78. For the CRX2 deprecation timeline, see Chromium.
  
  Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions or third-party extensions hosted outside of the Chrome Web Store that are packaged in CRX2 format, the extensions will stop updating in Chrome 76 and new installations of the extension will fail. 

• A new page for documenting enterprise policies is available

  Chrome's policies are now listed on a new Chrome Enterprise policy list. This documentation allows you to filter by platform and Chrome version to see which policies are available for your fleet.
  
  
   

• A new layout engine is being used

  LayoutNG is a new layout engine with several improvements such as:

  • Improved performance isolation
  • Better support for scripts other than Latin
  • Many issues around floats and margins fixed
  • Numerous web-compatibility issues fixed

  Although the impact to the user should be minimal, LayoutNG changes some behavior in very subtle ways, fixes hundreds of tests, and improves compatibility with other browsers. Despite our best efforts, it is likely that this will cause some sites and applications to render or behave slightly differently.

  If you suspect that WNG caused a website to break, please file a bug report, and we'll investigate.

• Site isolation enforced in Chrome 76

  In Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out if users encountered an issue. We’ve resolved the reported issues. Starting with Chrome 76, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms (including Chrome OS). On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

• --disable-infobars is no longer supported

  Chrome will no longer support the --disable-infobars flag, which was used to hide pop-up warnings from Chrome Browser. To support automated testing, kiosks, and automation, the CommandLineFlagSecurityWarningsEnabled policy was added to allow you to disable some security warnings.

• Policies with a dictionary value type can be merged 

  In Chrome 76, you can merge policies that take a dictionary of values set from multiple sources, including the cloud and by platform and Active Directory. Without this policy, if different sources conflict, only the dictionary from the highest priority source will have an effect. For details, see PolicyDictionaryMultipleSourceMergeList.

• Legacy Browser Support has been improved
  A new page at chrome://browser-switch/internals makes it easier to debug and troubleshoot Legacy Browser Support. We also fixed a bug where LBS wouldn't switch during the first minute of a browser session (when using XML site lists).

• New version of the On-Prem Chrome Reporting Extension
  Version 2.0 of the Chrome Reporting Extension will soon ship in the Chrome Web Store. Download the corresponding native component MSI.
  
  If you have user browsing data reporting turned on, you will start seeing a new piece of data for each visited site: "legacy_technologies." It’s an array of strings that will initially contain one value, "Flash." This means this site requires Adobe Flash and might soon stop working correctly (see paragraph above). Future releases will list other obsolete web technologies such as Java Applets, Silverlight, and more.
  
  The output file has changed from a single file called chrome_reporting_log.json to a daily rotated file with file name in the format chrome_reporting_log_YYYY_MM_DD.json. This will make it simpler to manage the disk usage of the application and clear obsolete data.

• “https” scheme and “www” subdomain will be hidden

  To make URLs easier to read and understand, and to remove distractions from the registrable domain, we will hide URL components that are irrelevant to most Chrome users. We will hide the “https” scheme and the special-case subdomain “www” in Chrome omnibox on Chrome desktop and Chrome-on-Android. After the site loads, the full URL can still be revealed by clicking twice in the URL bar (desktop) or tapping once (mobile).

  The Chrome team has also worked to build a Chrome extension to help power users recognize suspicious sites and report them to Safe Browsing. Power users can use this extension to display the full URL with no scheme or subdomain hiding, and report suspicious sites to Safe Browsing.

Chrome OS updates

• Enhancements to automatic clicks accessibility feature

  Chromebooks have had a feature called Automatic clicks in accessibility settings for years, which has given users with motor and dexterity challenges the ability to hover over an item and have Chrome OS click it (without pressing the touchpad or mouse). In Chrome OS version 76, we have expanded this feature to not only be able to click, but also right-click, double-click, and click and drag by simply hovering. 

• Built-in FIDO security key is now supported

  In this release, most latest-generation Chromebooks will gain support for built-in FIDO security keys backed by the Titan M chip. This feature is disabled by default, but an admin can enable the built-in security key by changing the Chrome OS policy called DeviceSecondFactorAuthentication to U2F.

• Account consistency between the Chrome content area and the ARC++ container

  We are rolling out a single sign-on experience for Chrome and Android applications on Chrome OS over several weeks, beginning August 21, 2019, to simplify user management of Google Accounts on Chrome OS. We added a new section to Settings: "Google Accounts."
  
  From here, a user can manage all signed-in Google Accounts. This includes reauthenticating or removing some secondary accounts and adding others. Attempts to add secondary accounts from Chrome or ARC++ will be redirected to this unified flow. Users that previously had a secondary account signed in to Chrome or ARC++ will need to reauthenticate following the update, which will add their account to Account Manager.

Admin console updates

• Updates to the Chrome device list and device details
  • Search and filter devices and organizational units directly from the device list.
  • Customize your preferred view with auto-update expiration date, Chrome OS version, and device model.
  • Long-running tasks such as screenshot, log capture, and reboot will now complete in the background, so you don’t need to wait for them

New and updated policies (Chrome Browser and Chrome OS)

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Policy	Description
BrowserSwitcherExternalGreylistUrl Browser only Chrome 77+	URL of an XML file that contains URLs that should never trigger a browser switch
CommandLineFlagSecurityWarningsEnabled Browser only	Enable security warnings for command-line flags
PolicyDictionaryMultipleSourceMergeList	Allows the selected policies to be merged when they come from different sources, with the same scopes and level

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• Flags will be cleaned up from chrome://flags, starting in Chrome 77

  Many flags in chrome://flags will be removed in upcoming Chrome versions, starting with Chrome 77. You shouldn’t use flags to configure Chrome Browser because they’re not supported. Instead, configure Chrome Browser for your enterprise or organization using policies.

• Atomic policy groups will be introduced in Chrome 77

  To ensure predictable behavior from policies that are tightly coupled together, some policies will be regrouped based on atomic policy groups. These groups ensure that all applied policies from a single group come from the same source—the one with the highest priority—to prevent unpredictable behavior when mixing policies from multiple sources. The order of precedence for Chrome Policies is documented here. 

  This may be a breaking change if you set GPOs from multiple sources (e.g. the Admin Console and via Windows Group Policy). You can check if any GPOs are in conflict by visiting chrome://policy in Chrome browser. If you have multiple policies in the same policy group from different sources, update your policies to ensure that all policies in a given policy group come from the same source.

• The First Run Experience will be updated in Chrome 77

  Chrome 77 will no longer show the single page welcome. It will instead have a new flow to welcome users, get them set up with popular Google services, and set a default web browser. The same policy that was used to disable the previous First Run Experience can be used to disable the new flow: PromotionalTabsEnabled. 

• It will be possible to make guest browsing the default in Chrome 77

  You will be able to set Chrome to launch immediately into guest mode by using a --guest command line flag or a new policy called BrowserGuestModeEnforced. In this mode, your users won't see or change any other Chrome profile. When they exit guest browsing, their browsing activity is deleted from the computer.

• Merge policies with dictionary of values in Chrome 76

  In Chrome 76, you can merge policies that take a dictionary of values set from multiple sources, including the cloud and by platform and Microsoft^® Active Directory^®. Without this policy, if different sources conflict, only one dictionary will have an effect. For details, see PolicyDictionaryMultipleSourceMergeList.

• Experiment for DNS-over-HTTPS (DoH) in Chrome 78

  Starting in Chrome 78, the DNS requests of some users will autoupgrade to DNS-over-HTTPS if they are using a DNS provider that supports it. This is part of ongoing work to bring secure DNS options to Chrome. Individual users can opt out by disabling this experiment at chrome://flags. Admins can opt out their enterprise from this experiment by policy. Instructions will be provided in a future Chromium blog post and release notes.

• Pop-ups and synchronous XHR requests will not be allowed in Chrome 78

  Starting in Chrome 78, pop-ups and synchronous XHR requests will not be allowed on page unload to improve page load time and make code paths simpler and more reliable. Admins will be able to revert to the old behavior using enterprise policies, which will be available until Chrome 82.

• Ambient authentication will be disabled by default in Incognito sessions in Chrome 79
  Starting in Chrome 79, ambient authentication (NTLM/Kerberos) will be disabled by default in Incognito sessions. Admins will be able to revert to the old behavior, allowing ambient authentication using an enterprise policy.

• Cookies with SameSite by default, and Secure SameSite=None cookies in Chrome 80
  Starting in Chrome 80, cookies that do not specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None. They must also be marked Secure and delivered over HTTPS. Policies will be made available for enterprises that need to configure Chrome to temporarily revert to legacy SameSite behavior.

• Drive integration in the address bar

  Soon, users will be able to search for Google Drive files that they have access to from the address bar. If you have G Suite Business, Enterprise, or Enterprise for Education, you can apply for the beta program.

  

 

• Extension User Data Policy Updated
  As part of Project Strobe, Google is updating its User Data Policy, and these changes go into effect starting October 15, 2019. For more information, see the blog post.

  • We’re requiring extensions to only request access to the least amount of data. While this has previously been encouraged for developers, now we’re making this a requirement for all extensions.
  • We’re requiring more extensions to post privacy policies, including extensions that handle personal communications and user-provided content. Our policies have previously required any extension that handles personal and sensitive user data to post a privacy policy and handle that data securely. Now, we’re expanding this category to include extensions that handle user-provided content and personal communications. Of course, extensions must continue to be transparent in how they handle user data, disclosing the collection, use and sharing of that data.

Upcoming Chrome OS changes

• New certificate verification engine and fallback enterprise policy

  Chrome 76 will start rolling out a new certificate verifier. For a few versions, we will provide an enterprise policy that will allow deployments to fall back on the legacy certificate verifier in case of certificate verification regressions or incompatibilities. We will provide more information about this feature in the Chrome 76 release notes.

• Adding print server support for CUPS

  We’re working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. You and your users will be able to configure connections to external print servers and print from the printers on these servers.

• User account and file name in IPP Header in Chrome 77

  If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about a print job that enables third-party printing features, such as secure printing and print-usage tracking.

• Linux apps USB devices

  From the Chrome Shell (crosh), you’ll be able to attach a USB device to Linux applications running on a Chromebook, so that Linux apps can access the Linux instance.

Upcoming Admin console changes

• Remove 20-printer limit for CUPS print management (device settings)

  The 20-printer maximum cap will be raised to allow for thousands of printers for each organizational unit in the Google Admin console. If you’re interested in testing this new feature, sign up for our Trusted Tester program.

• New default policies for printing (CUPS)

  There will be new controls for you to manage 2-sided and color printing.

• Managed guest session support for managed Google Play

  A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

• Device host name in DHCP requests
  You will be able to configure the device host name used during DHCP requests, including variable substitutions for ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, ${MACHINE_NAME}.

Chrome Browser updates

• All privately-hosted extensions must be packaged with CRX3 format in Chrome 76. 

  This change was originally planned for Chrome 75 but it’s now scheduled for Chrome 76 to allow more time for customer transition. It was originally announced in the Chrome 68 release notes.
  
  CRX2 uses SHA1 to secure updates to a Chrome extension. Breaking SHA1 is technically possible, which allows attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.
  
  Starting with Chrome 76, all force-installed extensions will need to be packaged in the CRX3 format. For details on temporarily enabling CRX2, see ExtensionAllowInsecureUpdates. For the CRX2 deprecation timeline, see Chromium.
  
  Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions or third-party extensions hosted outside of the Chrome Web Store that are packaged in CRX2 format, the extensions will stop updating in Chrome 76 and new installations of the extension will fail. 

• Roll back to Chrome 72 or later on Windows

  Chrome 75 on Microsoft^® Windows^® will allow administrators to roll back to Chrome 72 or a later version.

  To make sure that users are protected by the latest security updates, we recommend that users are on the latest version of Chrome Browser. Running earlier versions of Chrome Browser exposes your users to known security issues. Before using this policy, see Roll back Chrome Browser to a previous version for important information about preserving user data.

• Use policy to remove extensions (rather than just disable)

  Starting in Chrome 75, extensions can now be removed by modifying the installation_mode setting in the Extension Settings policy and setting the "removed" flag. For details, see Chromium. 

• PacHttpsUrlStrippingEnabled policy removed

  As we announced in the Chrome 74 release notes, the PacHttpsUrlStrippingEnabled policy has now been removed. If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change, especially if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.

  PAC HTTPS URL stripping removes privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution, reducing the chance that sensitive information is unnecessarily exposed. For example, https://www.example.com/account?user=234 would be stripped to https://www.example.com/. This behavior will now be enforced in Chrome 75.

• EnableSymantecLegacyInfrastructure policy removed

  As we announced in the Chrome 74 release notes, the EnableSymantecLegacyInfrastructure policy has now been removed. The policy was used as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. The workaround allowed time to migrate any internal certificates that are not used on the public internet.

  Certificates issued from the Legacy PKI Infrastructure should have been replaced with certificates issued by public or enterprise-trusted Certificate Authorities (CAs). 

• SSLVersionMax policy removed

  As we announced in Chrome 74 release notes, the SSLVersionMax policy has now been removed. This policy was used as a short-term workaround while TLS 1.3 was rolled out to allow time for middleware vendors to update their TLS implementations.

• Policy to control Signed HTTP Exchange

  You can use Signed HTTP Exchange to safely make content portable or available for redistribution by other parties, while keeping the content’s integrity and attribution. Portable content has many benefits, such as enabling faster content delivery, facilitating content sharing between users, and simpler offline experiences

  Starting in Chrome 75, you can enable or disable Signed HTTP Exchange using the SignedHTTPExchangeEnabled policy.

• CompanyName and LegalCopyright fields updated

  Chrome 75 changes the CompanyName and LegalCopyright fields in the version resource of Windows binaries (for example chrome.exe and chrome.dll). "Google Inc." is now  "Google LLC" and "Copyright 2018 Google Inc. All rights reserved." is now "Copyright 2019 Google LLC. All rights reserved."

• Control precedence between Chrome Browser Cloud Management and platform policies

  You can use CloudPolicyOverridesPlatformPolicy to control how policies from Chrome Browser Cloud Management interact with policies set at the platform level (for example, through the Group Policy Management Editor). This policy can be useful if you’re transitioning from managing browsers through Group Policy Object (GPO) to Chrome Browser Cloud Management.
  
  When set to false (default), the order of precedence is Machine platform > Machine cloud > User platform > User cloud.
  
  With the policy set to true, the order of precedence is Machine cloud > Machine platform > User platform > User cloud.
  
  The policy can only be set as a machine platform policy. For more details, see Chromium. 

• Merge list policies from multiple sources

  You can now merge policies that take a list of values that are set from multiple sources, including the cloud and by platform and Microsoft^® Active Directory^®. Before, if multiple lists from different sources conflicted, only one list was applied. For details, see PolicyListMultipleSourceMergeList.

• Chrome Remote Desktop on the web now available 

  You can now use Chrome Remote Desktop on the web. In turn, the Chrome Remote Desktop app will not be supported after June 30, 2019. New and existing users can switch to the new version on the web.

  To set it up:

  1. Go to Chrome Remote Desktop.
  2. In the upper-right corner, click Remote Access.
  3. Click Remote Support to get support from a trusted friend or family member, or to give support to someone else.

  You can control whether users can access other computers from Chrome using Chrome Remote Desktop. For details, see Control use of Chrome Remote Desktop.

• Improved tab life cycle management

  Some users will start to see improved CPU and memory usage as Chrome 75 rolls out. The TabLifeCyclesEnabled policy reduces the CPU usage on browser tabs that haven’t been used for a long time. Set the policy to true or leave it unspecified to enable it. For details, see Chromium. 

• Users can check Chrome Browser and OS management

  In Chrome 75 we’re enhancing the visibility features for both browser and OS with transparency view, a new view which shows users the extent to which their device and account are managed by their administrators in enterprise environments. The new transparency view focuses on reporting functionality (“Which data is visible to my administrator?”) as well as force-installed extensions (“Which data may be accessed by force-installed extensions?”).

Chrome OS updates

• Linux on Chromebooks: 

  Support for VPN connections—Linux applications can now utilize VPN connections through an existing Android or Chrome OS VPN connection. All traffic from the Linux VM will automatically be routed through an existing (established) VPN connection.
  
  Support for Android devices over USB—Android devices connected over USB can now be accessed by Linux apps. Users must choose to share the USB device with Linux before they can access it.

• Add support for PIN code with native printers

  PIN code printing will be available which will allow users to enter a pin code when sending the print job, and release the print job for printing when they enter the pin code into the printer keypad.  This gives users more control over when a print job is printed so documents aren’t lying unattended at the printer. And because a user has to actively request their print job be released, it also reduces waste. 
  
  PIN printing will be enabled if the user’s Chrome device is managed, and the printer supports IPPS communication and the IPP attribute for “job-password”.
  

• Add support for Document Providers in Files app

  To expand support for third-party file providers on Chrome OS, when users install the app of a third-party file provider that implements the DocumentsProvider API, a root for the third-party file provider will appear in the side navigation of the Chrome Files app. For more details, see Documents Provider. 

• Extending protected content on secondary displays

  Digital rights management (DRM)-protected content can now be shown on an external display. 

• BLE advertising in Chrome apps flag removed

  The #enable-ble-advertising-in-apps flag (about://flags) will be removed in Chrome 75. If you or any developers use BLE Advertising APIs, you should debug the functionality in a kiosk session, rather than in a regular user session.

Admin console updates

• Force devices to automatically re-enroll after wiping (change to forced re-enrollment behavior)

  Starting in June 2019 (with an incremental rollout), you can automatically re-enroll devices if they’re wiped.  Previously, forced re-enrollment required a user to enter their username and password to complete re-enrollment A few weeks after the roll out is complete, automatic re-enrollment will be the default for new customers as well as existing customers who have not changed the default forced re-enrollment setting. To control the setting, see Force wiped Chrome devices to re-enroll.

New and updated policies (Chrome Browser and Chrome OS)

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Policy	Description
AlternativeBrowserParameters Chrome Browser only	Controls command-line parameters to launch to an alternative browser
AlternativeBrowserPath Chrome Browser only	Controls which command to use to open URLs in an alternative browser
CloudPolicyOverridesPlatformPolicy Chrome Browser only	Cloud policy that overrides Platform policy
PolicyListMultipleSourceMergeList	Allows merging list policies from different sources
SignedHTTPExchangeEnabled	Enables support for Signed HTTP Exchange (SXG)
SpellcheckLanguageBlacklist Windows, Linux, Chrome OS only	Disables unrecognized spellcheck languages

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• Flash blocked by default in Chrome 76

  As communicated in the Chromium Flash Roadmap, Adobe® Flash® will be blocked by default in Chrome 76. Users can manually switch back to ASK ("Ask first") before running Flash. This change won’t impact existing policy settings for Flash. You can still control Flash behavior using DefaultPluginsSetting, PluginsAllowedForUrls, and PluginsBlockedForUrls. For more details, see the Flash Roadmap.

• Site isolation enforced in Chrome 76

  In Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out if users encountered an issue. We’ve resolved the reported issues and starting with Chrome 76, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms. On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

• Drive integration in the address bar

  Soon, users will be able to search for Google Drive files that they have access to from the address bar. If you have G Suite Business, Enterprise, or Enterprise for Education, you can apply for the beta program.

  

• Removing --disable-infobars in Chrome 76

  Chrome 76 will no longer support the --disable-infobars flag, which was used to hide pop-up warnings from Chrome Browser. To support automated testing, kiosks, and automation, the CommandLineFlagSecurityWarningsEnabled policy will be added to allow you to disable some security warnings.

• Policy atomic groups introduced in Chrome 76 

  In order to ensure predictable behavior from policies that are tightly coupled with other policies, some policies will be regrouped in atomic policy groups. These groups will help ensure that all the applied policies from a single group come from the same source, which is the source with the highest priority. This change will help prevent unpredictable behavior when mixing multiple sources of policies.

• Merge policies with dictionary of values in Chrome 76

  In Chrome 76, you can merge policies that take a dictionary of values set from multiple sources, including the cloud and by platform and Active Directory. Without this policy, if different sources conflict, only one dictionary will have an effect. For details, see PolicyDictionaryMultipleSourceMergeList.

• Flag removal, starting with Chrome 76

  Many flags in chrome://flags will be removed in upcoming Chrome versions. You should not use flags to configure Chrome Browser because they are not supported. Instead, configure Chrome Browser for your enterprise or organization using policies.

• Improvements to version rollback

  A future version of Chrome will improve the rollback experience on Windows by preserving some user data during the rollback process.

Upcoming Chrome OS changes

• Print jobs to include user account and file name

  If the printer or print service support IPPS with IPP attributes for requesting-user-name and document-name, you will be able to have print jobs include the user account and file name to help with print tracking and follow-me printing. 

• New certificate verification engine and fallback enterprise policy

  Chrome 76 will start rolling out a new certificate verifier. For a few versions, we will provide an enterprise policy that will allow deployments to fall back on the legacy certificate verifier in case of certificate verification regressions or incompatibilities. We will provide more information about this feature in the Chrome 76 release notes.

• Adding print server support for CUPS

  We’re working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. You and your users will be able to configure connections to external print servers and print from the printers on these servers.

• Notifications on lock screen

  You will be able to set up a requirement for users to authenticate and give permission to show notifications on lock screen. A full password will be required, even if other authentication methods, such as PIN or fingerprint, are available.

• User account and file name in IPP Header

  If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about a print job that enables third-party printing features, such as secure printing and print-usage tracking.

• Linux apps USB devices
  From the Chrome Shell (crosh), you’ll be able to attach a USB device to Linux apps running on a Chromebook, so that Linux applications can access the Linux instance.

Upcoming Admin console changes

• Remove 20-printer limit for CUPS print management (device settings)

  The 20-printer maximum cap will be raised to allow for thousands of printers for each organizational unit in the Google Admin console. If you’re interested in testing this new feature, sign up for our Trusted Tester program.

• New default policies for printing (CUPS)

  There will be new controls for you to manage 2-sided and color printing.

• Managed guest session support for managed Google Play

  A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

• Device host name in DHCP requests
  You will be able to configure the device host name used during DHCP requests, including variable substitutions for ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, ${MACHINE_NAME}.

Chrome Browser updates

• Chrome Browser Cloud Management

  Chrome Browser has introduced support for management through the Google Admin console with Chrome Browser Cloud Management. Admins can use the Admin console to manage Chrome Browser across Windows^®, Mac^®, and Linux^®, without requiring users to sign in. Learn more about Chrome Browser Cloud Management.

  

• Dark mode for Windows in Chrome 74

  In Chrome 74, if the system theme is set to dark, Chrome on Windows will also use a dark theme on screen.

• Pop-ups will not be allowed on page unload

  Chrome 74 no longer allows pop-ups during page unload (see the removal notice). If you have any enterprise apps that still require pop-ups on page unload, you can enable the AllowPopupsDuringPageUnload policy to allow pop-ups on page unload until Chrome 82.

• Legacy Browser Support will no longer need an extension

  In Chrome 74, you can deploy Legacy Browser Support to automatically switch users between Chrome Browser and another browser. You can use policies to specify which URLs open in an alternative browser. For example, you can ensure that browser traffic to the public internet uses Chrome Browser, but visits to your organization’s intranet use Internet Explorer^®. You can turn on LBS and set policies to manage LBS in the Chrome Group Policy Template. Learn more about Legacy Browser Support Beta for Windows.

Chrome OS updates

• Annotations in PDF Viewer

  When viewing an Adobe PDF document in Chrome, you’ll be able to tap a button to annotate the PDF with pen and highlighter tools.

• New search feature in Chrome 74

  We’re adding a search feature so users can access recent queries and suggested apps without having to enter anything. Every time a user moves their cursor to or clicks the search box, but does not start entering text, they will get search suggestions. Users will also be able to remove recent queries that they no longer want to see and use suggested text to complete their query.

• External camera support for Google Camera app

  External USB cameras, such as webcams, USB microscopes, and document cameras, are now supported by the Google Camera app.

• Support for files and new folders in the “My files” root

  Users can save files locally and create new folders under the “My files” root outside of the default Downloads folder.

• ChromeVox developer log options

  As of version 74, we added a new section of ChromeVox developer options within the ChromeVox options page to give developers access to ChromeVox logs, which will help debugging. This allows developers to enable logs for speech, earcons, braille, and event streams.

• Linux apps on Chrome OS (Crostini) now support audio output

  Starting with Chrome 74, Linux apps on Chrome OS (Crostini) can now play audio.

Admin console updates

• Policy to enable native Active Directory integration

  You can now configure an existing domain to manage your Chrome devices with a Microsoft^® Active Directory^® server. If enabled, Chrome devices are domain joined to AD so you can see them in your domain controllers. You can also manage sessions and push policies to users and devices with GPO. You don’t need to synchronize usernames to Google servers. Users sign in to devices using their Active Directory credentials.

  To manage integrated devices, set the policy to enable Chrome Enterprise Active Directory integration in your Admin console. Visit Manage Chrome devices with Active Directory.

New and updated policies

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Policy	Description
AllowPopupsDuringPageUnload	Allows a page to show pop-ups during its unloading.
AuthNegotiateDelegateByKdcPolicy​ Chrome OS, Mac, and Linux only	Use key distribution center (KDC) policy to delegate credentials on machines using Active Directory Kerberos authentication. Controls whether approval by KDC policy is respected, to delegate Kerberos tickets.
BrowserSwitcherChromeParameters Windows only	Command-line parameters for switching from the alternative browser.
BrowserSwitcherChromePath Windows only	Path to Chrome for switching from the alternative browser.
BrowserSwitcherDelay​	Delay before launching alternative browser (milliseconds).
BrowserSwitcherEnabled​	Enable the Legacy Browser Support feature.
BrowserSwitcherExternalSitelistUrl​	URL of an XML file that contains URLs to load in an alternative browser.
BrowserSwitcherKeepLastChromeTab​	Keep last tab open in Chrome.
BrowserSwitcherUrlGreylist​	Websites that should never trigger a browser switch.
BrowserSwitcherUrlList​	Websites to open in alternative browser.
BrowserSwitcherUseIeSitelist Windows only	Use Internet Explorer's SiteList policy for Legacy Browser Support.
RemoteAccessHostAllowFileTransfer Browser only	Allow remote access users to transfer files to/from the host. Controls the ability of a user connected to a remote access host to transfer files between the client and the host. This doesn’t apply to remote assistance connections, which don’t support file transfer.
WebUsbAllowDevicesForUrls	Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.

Google Cloud Next recap

Chrome Enterprise product managers and customer engineers presented a number of talks at the Google Cloud Next conference in San Francisco the week of April 8, 2019. You can watch on YouTube recordings of the 18 Mobility & Devices Sessions.

The talks below should be specifically of interest to Chrome Enterprise IT admins:

Browser-focused talks

• What's New in Chrome Browser
• Manage Chrome Browser from the Cloud
• How Google IT Manages Enterprise Extensions

Chrome OS-focused talks

• Managing Chromebooks and Apps With Chrome Enterprise
• How Google IT Supports its Scaling Global Workforce with Chromebooks
• Changing End User Computing: Seven Facts You Should Know About Chrome Enterprise

New Chrome OS administrator credential

We're now offering a new Chrome OS administrator credential. The Chrome OS administrator exam is free and measures the ability to:

• Create, delete, and administer users for a domain
• Configure and manage organizational units
• Manage Chrome devices in the Google Admin console
• Configure and manage security and privacy settings

​For details, see Earn your Chrome OS administrator credential.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• Drive search results in the address bar

  Users will see Google Drive results when entering a search in the address bar, including PDFs, Google Sheets, Docs, and Slides.

  

• All extensions must be packaged with CRX3 format in Chrome 75

  CRX2 uses SHA1 to secure updates to the extension and breaking SHA1 is technically possible, allowing attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

  Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. And, new installations of the extension will fail. See ExtensionAllowInsecureUpdates.

• PacHttpsUrlStrippingEnabled policy will be removed in Chrome 75 

  If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution, reducing the chance that sensitive information is unnecessarily exposed. For example, https://www.example.com/account?user=234 would be stripped to https://www.example.com/.  If you set this policy to True or leave it on the default value, then there will be no change. If you set this policy to False, you will no longer be able to do so in Chrome 74.  

• EnableSymantecLegacyInfrastructure policy will be removed in Chrome 75

  EnableSymantecLegacyInfrastructure was used as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. This allows time for migrating any internal certificates not used on the public internet. This policy will be removed. Certificates issued from the Legacy PKI Infrastructure should have replacement certificates issued by public or enterprise-trusted CAs.

• Policy rollback to a previous version in Chrome 75

  Chrome 75 on Windows will include a policy that allows administrators to roll back to a previous version of Chrome. Note that only the latest release of Chrome is officially supported, so if an admin rolls back to an older version of Chrome, they do so at their own risk. This policy is meant as an emergency mechanism and should be used with caution. A future version of Chrome on Windows will improve the rollback experience by preserving user states during the rollback process.

  Read before using this policy: To make sure that users are protected by the latest security updates, we recommend that they use the latest version of Chrome Browser. If you roll back to an earlier version, you will expose your users to known security issues. Sometimes you might need to temporarily roll back to an earlier version of Chrome Browser on Windows computers. For example, your users might have problems after a Chrome Browser version update.

  Before you temporarily roll back users to a previous version of Chrome Browser, we recommend that you turn on Chrome sync or Roaming User Profiles for all users in your organization. If you don’t, previous versions of Chrome Browser will not use data that was synced from later versions. Use this policy at your own risk.

  Note: You can only roll back to Chrome Browser version 72 or later. Please provide feedback on this feature.

• SSLVersionMax policy will be removed in Chrome 75

  The SSLVersionMax policy, which can be used as a short-term workaround while TLS 1.3 is rolled out, will be removed in Chrome 75. This allows time for middleware vendors to update their TLS implementations.

• Site isolation enforced on desktop in Chrome 75

  Before shipping site isolation in Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out of site isolation if users encountered an issue. We’ve resolved the reported issues and starting with Chrome 75, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms. On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

• Blacklisted extensions can be removed (rather than just disabled) by policy in Chrome 75

  A new policy will be made available to specify that Chrome Browser shouldn’t just disable blacklisted extensions, but remove them completely.

• Policy to control signed HTTP exchange in Chrome 75

  Signed HTTP exchange enables publishers to safely make their content portable, or available for redistribution by other parties, while keeping the content’s integrity and attribution. Portable content has many benefits, such as enabling faster content delivery, facilitating content sharing between users, and simpler offline experiences. In Chrome 75, the SignedHTTPExchangeEnabled policy will control whether signed HTTP exchange is enabled or not.

• CompanyName and LegalCopyright fields will be updated in Chrome 75

  Chrome 75 will change the CompanyName and LegalCopyright fields in the version resource of Windows binaries (for example chrome.exe and chrome.dll) from "Google Inc." and "Copyright 2018 Google Inc. All rights reserved." to "Google LLC" and "Copyright 2019 Google LLC. All rights reserved."

• Flash will be blocked by default in Chrome 76

  As communicated in the Chromium Flash Roadmap, Flash is to be blocked by default in Chrome 76 (Stable release beginning end of July 2019). Users can still switch it back to ASK by default. This change won’t impact enterprises that already configure policy settings for Flash (DefaultPluginsSetting, PluginsAllowedForUrls, PluginsBlockedForUrls). Enterprises will still be able to control this policy. 

Upcoming Chrome OS changes

• New certificate verification engine and fallback enterprise policy

  Chrome 76 will start rolling out a new certificate verifier. For a few versions, we will provide an enterprise policy that will allow deployments to fall back on the legacy certificate verifier for the unlikely case of certificate verification regressions or incompatibilities. We will provide more information about this feature in the Chrome 76 release notes.

• Adding print server support for CUPS

  We’re working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. Users and administrators will be able to configure connections to external print servers and print from the printers on these servers.

• Notifications on lock screen 

  When looking for notifications, a message saying that notifications are hidden will show up. Next to it, a button will appear to enable notifications, which will require the user to authenticate and give permission to show notifications on lock screen. Full password will be required, even if other authentication methods, such as PIN or fingerprint, are available.

• User account and file name in IPP Header

  If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about the print job that enables third-party printing features, such as secure printing and print usage tracking, if supported.

• Linux apps USB devices

  From the Chrome Shell (crosh), you will be able to attach a USB device to Linux apps running on Chromebooks so that Linux applications can access the Linux instance.

• BLE advertising in Chrome apps flag being removed
  The #enable-ble-advertising-in-apps flag (about://flags) will be removed in Chrome 75. This feature is designed to work with Chrome apps operating within kiosk sessions. Any developers leveraging BLE Advertising APIs should debug functionality in kiosk session, rather than use a regular user session.

Upcoming Admin console changes

• Remove 20-printer limit for CUPS print management

  The 20-printer maximum cap will be raised to allow for thousands of printers for each organizational unit in the Admin console. If you’re interested in testing this out, join our trusted tester program.

• New default policies for printing (CUPS)

  Soon, there will be new controls for administrators to manage printing capabilities for their users for 2-sided and color printing. Admins will be able to set defaults or restrict these print options.

• Managed guest session support for managed Google Play

  A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome Browser updates

• Managed by your organization menu item

  Starting in Chrome 73, when one or more policies are set in Chrome Browser, some users will see a new item on the More  menu that indicates that Chrome is being managed. If a user clicks Managed by your organization, they are directed to details about Chrome Browser management.

  

• Changes to the Chrome sign-in flow

  In Chrome 73, we're rolling out the following changes to Chrome Browser settings:

  • When a user turns Chrome sync on, they now get additional features, including an enhanced spellchecker and extended reporting for safe browsing.

  • Sync and Google services—A new section that lists all of the settings related to data collected by Google in Chrome Browser. Many of these settings were previously in the Privacy section.

  • Make searches and browsing better—A new setting in the Sync and Google services section that allows users to control whether features in Chrome Browser can collect anonymous URLs.

    

• Chrome Browser binaries signed with new digital certificate

  Chrome Browser binaries and installer are now signed with a digital certificate issued to Google LLC (rather than Google Inc). There are no changes to the Certificate Authority (CA).

• Password Manager enterprise policy for Android now aligned to desktop

  The PasswordManagerEnabled policy controls whether the password manager offers to save passwords. On Android, this policy prevented users from viewing passwords that were already saved. Starting with Chrome 73, Chrome Browser on Android will behave like other platforms and allow the user to view their saved passwords.

• Progressive Web App support on Mac

  In Chrome 73, Progressive Web Apps (PWAs) can now be installed on Apple^® Mac^®. For details, see Desktop Progressive Web Apps.

• Dark mode for Mac

  In Chrome 73, if the system theme is set to dark, Chrome Browser on Mac computers will also use a dark theme. Support for Microsoft^® Windows^® is planned for a future release. 

• Accessibility improvements

  A number of improvements have been made to accessibility in Chrome Browser, including greater contrast and compatibility with screen readers. Some of the improvements include:

  • Improved contrast in pop-up boxes, the search box, and tabs (especially when a tab is not active).
  • More pop-up boxes correctly report titles to screen-reader software.
  • Tabs are now keyboard-accessible.
  • Fixes to the way pressing the F6 or Tab key moves through the order of the Chrome Browser toolbar, and other controls, including access to some new UI elements.
  • Screen reader now announces additional information, such as the page zoom level when it’s changed and the number of Find results.
  • Misleading screen-reader prompts are fixed to reflect current functionality. For example, the correct key combination is now reported when you want to zoom in on a page.
  • If a user draws around an element in the UI, there are now improvements in the contrast and appearance of focus rings.

• New policy to force networking code to run in the browser process

  The network code we use for Chrome Browser is being moved to a separate process. It’s an internal architectural change that wasn't expected to interact with other products. However, we're aware of one report of the move breaking a third-party product that used to inject code into Chrome Browser's process. If this move is causing any issues in your environment, you can temporarily use the ForceNetworkInProcess policy to force networking to run in the browser process. This is a temporary policy that will be removed in the future; there is currently no specific timeline, but we plan to provide 4 milestones notice before removal.

• Notice for web developers: Flexbox rendering

  Chrome Browser now follows the recommendation from the World Wide Web Consortium for the box model that’s optimized for a UI. Flex items now get the correct minimum size. If you’re a web developer, we recommend that you set the CSS on your webpages with flex items to min-height: auto. For details on the change, see Chromium and the Consortium specification.

• Notice for developers: Changes to cross-origin requests in extension content scripts

  Chrome 73 includes changes to the behavior of cross-origin requests from content scripts. These changes help site Isolation protect Chrome users even if a renderer is compromised, but these changes may break extensions that have not yet adapted to the new security model. For instructions on how to verify if a Chrome extension you’re using is affected or to request adding an extension to a temporary allowlist, see Chromium.org.

Chrome OS updates

• Managed guest sessions to replace public sessions

  In Chrome 73, public sessions are being replaced with managed guest sessions, which provide additional capabilities. Depending on the configuration of the organizational unit that has managed guest session devices, an existing public session device might have the capabilities automatically activated. If so, all certificates, policies, and extensions of the organization will be applied to the managed guest session of this device in the future and no manual changes are required. Learn more about how to manage guest session devices.

• eSpeak for Chrome OS

  You can set up text-to-speech in dozens of languages on devices running Chrome OS to enhance  accessibility. For details, see eSpeak NG.

• Pair Bluetooth braille displays with Chromebooks

  In addition to supporting USB-refreshable braille displays, you now have the ability to pair braille displays through Bluetooth^®. For details, see Use a braille device with your Chromebook.

• Camera app 5.3 update

  Users can now take photos and videos with a 3 or 10-second timer, line up shots with grid options, and use a mirror button that’s helpful when using external cameras, such as USB microscopes or document cameras.

Admin console updates

• Enable managed Chrome devices to run Linux apps

  Last year we announced that consumer users can run Linux apps, including Android Studio on these Chrome devices. With Chrome 73, we’re making this feature available on managed devices. Admins can now enable or disable the use of virtual machines that are required to use Linux apps on managed Chrome OS devices. The policy is disabled by default. Admins who want to enable this policy, see Virtual Machines in Set Chrome device policies. Users need to follow the steps in Set up Linux (Beta) on your Chromebook.

  

• New default policy for black & white printing (CUPS)

  There are new controls for administrators to manage black and white printing capabilities for their users. Controls for 2-sided and color printing are coming soon.  If you’re interested in getting early access to test printing features, please complete the trusted tester application.

  

New and updated policies

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Policy	Description
ExtensionAllowInsecureUpdates	Allows insecure algorithms in integrity checks on extension updates and installations. Starting in Chrome 77, this policy will be ignored and treated as disabled.
DeviceGpoCacheLifetime Chrome OS only	Specifies the lifetime (in hours) of the Group Policy Object (GPO) cache.
DeviceAuthDataCacheLifetime Chrome OS only	Specifies the lifetime (in hours) of the authentication data cache.
ForceNetworkInProcess Windows only	Forces networking code to run in the browser process. This policy is disabled by default. If enabled, it leaves users open to potential security issues when the networking process is sandboxed.
ReportDevicePowerStatus Chrome OS only	Reports hardware statistics and identifiers related to power.
ReportDeviceStorageStatus Chrome OS only	Reports hardware statistics and identifiers for storage devices.
ReportDeviceBoardStatus Chrome OS only	Reports hardware statistics for system on a chip (SoC) components.
CloudManagementEnrollmentToken Browser only	Enrollment token used for enrolling in cloud management. This replaces the MachineLevelUserCloudPolicyEnrollmentToken policy.
PluginVmLicenseKey Chrome OS only	Specifies a PluginVm license key for a device.
ParentAccessCodeConfig Chrome OS only	Specifies the configuration that’s used to generate and verify a parent access code.

New Chrome OS administrator credential

We are excited to announce the Chrome OS administrator credential. The Chrome OS administrator exam is free and measures the ability to:

• Create, delete, and administer users for a domain
• Configure and manage organizational units
• Manage Chrome devices in the Google Admin console
• Configure and manage security and privacy settings

​For details, see Earn your Chrome OS administrator credential.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

• Flash blocked by default in Chrome 76

  As communicated in the Chromium Flash Roadmap, Adobe^® Flash^® is planned to be blocked by default in Chrome 76 (stable release beginning end of July 2019). Users will still be able to switch it back to Ask to use Flash by default. This change will not impact enterprises who already configure policy settings for Flash (DefaultPluginsSetting, PluginsAllowedForUrls, PluginsBlockedForUrls). Enterprises will still be able to control this policy as before. 

• Drive search results in the address bar

  Users will see Google Drive results when entering a search in the address bar, including PDFs, Google Sheets, Docs, and Slides.

  

• Dark mode for Windows in Chrome 74

  In Chrome 74, if the system theme is set to dark, Chrome Browser on Windows computers will also use a dark theme in the UI. 

• Use a policy to roll back to a previous version of Chrome Browser

  We are working on a policy to roll back a Chrome Browser version while retaining account and profile data. The new policy will allow administrators to roll back in conjunction with the existing TargetVersionPrefix ADMX policy. You can send feedback on this feature in the Chromium bug tracker.

  Read before using this policy: To make sure that users are protected by the latest security updates, we recommend that they use the latest version of Chrome Browser. If you roll back to an earlier version, you will expose your users to known security issues. Sometimes you might need to temporarily roll back to an earlier version of Chrome Browser on Windows computers. For example, your users might have problems after a Chrome Browser version update.

  Before you temporarily roll back users to a previous version of Chrome Browser, we recommend that you turn on Chrome sync or Roaming User Profiles for all users in your organization. If you don’t, previous versions of Chrome Browser will not use data that was synced from later versions. Use this policy at your own risk.

  Note: You can only roll back to Chrome Browser version 72 or later 

• Deprecated policies will remain in the ADMX templates

  The ADM and ADMX templates will be modified to keep deprecated and unsupported policies in the output. They will be placed in a dedicated folder and have the same description. The update will make it easier to delete policies after they’re deprecated. Learn more about Deprecated Chrome policies.

• PacHttpsUrlStrippingEnabled policy will be removed in Chrome 74 

  If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution, reducing the chance that sensitive information is unnecessarily exposed. For example, https://www.example.com/account?user=234 would be stripped to https://www.example.com/.  If you set this policy to True or leave it on the default value, then there will be no change. If you set this policy to False, you will no longer be able to do so in Chrome 74.  

• EnableSymantecLegacyInfrastructure policy removed in Chrome 74

  The EnableSymantecLegacyInfrastructure policy can be used as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. This allows time for migrating any internal certificates not used on the public internet. This policy will be removed in Chrome 74. Certificates issued from the Legacy PKI Infrastructure should have replacement certificates issued by public or enterprise-trusted Certificate Authorities (CAs). See Migrate from Symantec certificates.

• SSLVersionMax policy will be removed in Chrome 75

  The SSLVersionMax policy, which can be used as a short-term workaround while TLS 1.3 is rolled out, will be removed in Chrome 75. This allows time for middleware vendors to update their TLS implementations.

• All extensions must be packaged with CRX3 format in Chrome 75

  CRX2 uses SHA1 to secure updates to the extension and breaking SHA1 is technically possible, allowing attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

  Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. And, new installations of the extension will fail. See ExtensionAllowInsecureUpdates.

• Site isolation enforced on desktop in Chrome 75

  Before shipping site isolation in Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out of site isolation if users encountered an issue. We’ve resolved the reported issues and starting with Chrome 75, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms. On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

• ThirdPartyBlockingEnabled deprecation

  In the Chrome Enterprise 68 release notes published in July 2018, we announced that the ThirdPartyBlockingEnabled policy will be deprecated in approximately one year (Chrome 77). This announcement was intended as a general deprecation date at some point in the future, but due to feedback and in order to give the ecosystem more time to adapt to the change, the deprecation is currently not targeted for Chrome 77. When a date is set for deprecation, we will announce it in the release notes. We plan to provide 4 notices before removal.

• TLS 1.3 downgrade hardening

  Chrome Browser enabled TLS 1.3 in Chrome 70. However, due to bugs in some enterprise TLS proxies, a hardening mechanism was temporarily disabled. A future version of Chrome Browser will re-enable this measure. To test networks in Chrome 73:

  1. Set chrome://flags/#enforce-tls13-downgrade Enabled.
  2. Visit a TLS-1.3-enabled server, such as https://mail.google.com. 
  3. If the connection fails with ERR_TLS13_DOWNGRADE_DETECTED, some proxy on the network has the hardening mechanism temporarily disabled.

  You should upgrade affected proxies to fixed versions or contact vendors if no fix is available. The following list contains the minimum firmware versions for affected products that we're aware of:

  Palo Alto Networks:

  • PAN-OS 8.1 must be upgraded to 8.1.4 or later.
  • PAN-OS 8.0 must be upgraded to 8.0.14 or later.
  • PAN-OS 7.1 must be upgraded to 7.1.21 or later.

  Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):

  • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later.
  • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later.
  • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later.
• Legacy browser support planned to be incorporated into Chrome 75

  Legacy browser support functionality is being incorporated into Chrome Browser, and the separate extension will no longer be needed. We will keep the extension in the Chrome Web Store for the foreseeable future so customers on older versions of Chrome Browser can continue to use legacy browser support. If you’re interested in getting early access to test legacy browser support integration, please complete this interest form.

• Pop-ups will not be allowed on page unload

  In Chrome 74, we will no longer allow pop-ups during page unload. See the removal notice. We’ve been notified that this might break some enterprise apps so a temporary policy will be made available to allow pop-ups on page unload when Chrome 74 launches. This temporary policy is planned to be removed in Chrome 76. 

Upcoming Chrome OS changes

• New search feature in Chrome 74

  We’re adding a search feature so users can access recent queries and suggested apps without having to enter anything. Every time a user moves their cursor to or clicks the search box, but does not start entering text, they will get search suggestions. Users will also be able to remove recent queries that they no longer want to see and use suggested text to complete their query.

• Adding print server support for CUPS

  We are working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. Users and administrators will be able to configure connections to external print servers and print from the printers on these servers.

• Notifications on lock screen 

  Coming soon, when looking for notifications, a message saying that notifications are hidden will show up. Next to the message, users can click a button to enable notifications. Users must authenticate and give permission to show notifications on lock screen. A full password will be required, even if other authentication methods, such as PIN or fingerprint are available.

• User account and file name in IPP Header

  If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about the print job that enables third-party printing features, such as secure printing and print usage tracking, if supported.

• Annotations in PDF viewer

  When viewing a PDF on a device running Chrome OS, you will be able to tap a button to annotate the PDF with pen and highlighter tools.

• Linux apps USB devices

  From the Chrome Shell (crosh), you will be able to attach a USB device to Linux apps running on Chromebooks so that Linux applications can access the Linux instance.

• External camera support for the Camera app
  External USB cameras will be supported by the Camera app. 

Upcoming Admin console changes

• Remove 20-printer limit for CUPS print management

  Soon, the 20 printer maximum cap will be raised to allow for several thousand printers for each organizational unit in the Google Admin console. If you’re interested in testing the new feature, please join our trusted tester program.

• New default policies for printing (CUPS)

  Soon, there will be new controls for administrators to manage printing capabilities for their users for duplex printing. Admins will be able to set defaults or restrict whether users can or cannot use duplex printing. 

• Managed guest session support for managed Google Play

  A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome Browser updates

• New search result types

  In Chrome 72, you’ll get 2 new types of search results when you search from the address bar. You’ll get results based on entities—people, things, places, and so on. These results will contain the search text, an image of the entity you’re searching for, and a short description.

  

  You’ll also get suggestions to complete the end of a search string. For example, if you search for “widget sale best prac…”, you’ll get a suggestion for “practice” as a completion to your search.

  

• Cleanup tool quarantines—instead of deleting—files it detects as malicious

  If you use the Chrome Cleanup tool on Microsoft^® Windows^® computers, files detected as malicious will now be quarantined rather than deleted. This update will help lessen the risk of safe files being mistakenly deleted. Learn more about removing unwanted programs and the Chrome Cleanup tool policy.

• Save payment information to a Google Account

  In Chrome 72, users who are signed in to their managed Google Account will now see an option to save their payment information to their Google Account. As an administrator, you can turn off this feature (Sync Service setting) in the Google Admin console or by using the AutofillCreditCardEnabled policy.

• Support for Windows 10 U2F and web authentication APIs

  If you use the most recent version of Windows 10, you’ll have added support for Universal 2nd Factor (U2F) and WebAuthn—standards that enable web authentication through security keys instead of passwords. U2F and WebAuthn are only supported on the most recent versions of Windows 10: either current Insider Preview builds or the forthcoming 19H1 release (“Redstone 6”). Integration with these APIs enables Windows Hello support through WebAuthn and support for NFC tokens. USB and Bluetooth Low Energy (BLE) devices should continue to work, although Windows UI will now be displayed. Any organizations that depend on U2F or WebAuthn, and are using sufficiently recent Windows builds, should verify that this feature works correctly before rolling it out.

• EnableSha1ForLocalAnchors policy

  Enterprises that needed time to migrate following the 2014 announcement to sunset SHA-1 were able to configure an enterprise policy to enable support for SHA-1 for locally installed, privately trusted Certificate Authorities. This support has now been removed in Chrome 72. Enterprises that rely on server certificates that use the SHA-1 algorithm in the certificate chain will find that Chrome 72 will refuse to connect, presenting an untrusted certificate error. These certificates should be replaced with SHA-2 certificates to avoid any disruption.

• New welcome experience (Windows)

  When you start Chrome Browser for the first time on Windows, you’ll see a new welcome page, unless you’re on a device that’s joined to a Microsoft^® Active Directory^® domain.

• Changes to sign-in behavior with Chrome 72

  In Chrome 72, a small percentage of users will now see the following changes to the Chrome sign-in behavior. A wider roll-out of these features will happen in Chrome 73:

  • When a user turns Chrome sync on, they now get additional features, including “Enhanced spell check” and “Safe browsing extended reporting.”
  • The Chrome settings page includes a new section—Sync and Google services—which lists all of the settings related to data collected by Google in Chrome Browser. Many of these settings were previously under “Privacy”.
  • A new setting, “Make searches and browsing better” will appear under “Sync and Google services” on the settings page. This allows users to control whether features within Chrome can collect anonymized URLs.

Chrome OS updates

• USB connections on locked devices

  Chrome 72 will offer initial support to ignore some types of USB connections on locked devices that are running Chrome OS including printers, scanners, and storage devices. USBGuard is on by default beginning with Chrome 72. If issues are detected, admins can disable this feature through chrome://flags.

• Android app shortcuts in launcher search

  Users can now search for app shortcuts in the launcher search. For example, users can search for Compose and be taken to the exact related app, such as a new blank message in Gmail.

• New drawing app for Chromebooks

  Chromebook users now have the Canvas app for drawing.

• ChromeVox screen reader update

  ChromeVox users with low vision can now opt to have the screen reader read anything under their mouse cursor. This feature can be enabled through the setting “Speak text under the mouse” in the ChromeVox options page.

  

• Android 9.0 support coming to certain Chrome devices

  Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. We’ll include more information in future release notes when it comes available.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

• Drive search results in the address bar

  Users will see Google Drive results when entering a search in the address bar, including Google Sheets, Docs, Slides, and PDFs.

  

• Roll back Chrome Browser version with policy

  Many enterprise customers have asked Google to provide a version rollback mechanism. We are working on a policy to roll back Chrome Browser while retaining account and profile information. This will allow administrators to enable a rollback in conjunction with the existing TargetVersionPrefix ADMX policy. If the Chrome version updater cannot rollback the browser, the chrome://policy page will contain an error message and the existing release will continue to function. Only the latest release of Chrome is officially supported, so if an admin rolls back to an older version they do so at their own risk. You can provide feedback to the engineering team on this feature on Chromium.

• Deprecated policies will remain in the ADMX templates

  Deprecated policies will be placed in a dedicated folder in the ADMX templates and have the same description. This change will make it easier for administrators to delete policies after they’re deprecated. Learn more about Deprecated Chrome policies.

• Changes to the sign-in behavior with Chrome 73

  The updates described above in Changes to the sign-in behavior with Chrome 72 will be rolled out for all users in Chrome 73.

• PacHttpsUrlStrippingEnabled policy will be removed in Chrome 74

  The PacHttpsUrlStrippingEnabled policy will be removed in Chrome 74. If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution. For example, https://www.example.com/account?user=234 will be stripped to https://www.example.com/. If you set this policy to True or leave it on its default value, then there will be no change. However, in Chrome 74, you will no longer be able to set it to False.

• EnableSymantecLegacyInfrastructure policy will be removed in Chrome 74

  The EnableSymantecLegacyInfrastructure policy will be removed in Chrome 74. This policy is intended as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. This allows time for migrating any internal certificates not used on the public Internet. This policy will be removed in Chrome 74. Certificates issued from Legacy PKI Infrastructure should have replacement certificates issued by public or Enterprise-trusted Certificate Authorities (CAs). See Migrate from Symantec certificates.

• SSLVersionMax policy will be removed in Chrome 75

  The SSLVersionMax policy was a short-term work-around while TLS 1.3 is rolled out. This allows time for middleware vendors to update their TLS implementations. The policy will be removed in Chrome 75.

• All extensions must be packaged with CRX3 format by Chrome 75

  Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.This change has been made because CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is technically possible. So, an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

  If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. New installations of the extension will fail.

• Site isolation will be enforced on Chrome 75 (Desktop)

  Before shipping Site Isolation in Chrome 67, we introduced enterprise policies that enterprises could use to opt in to Site Isolation early or opt out of Site Isolation if they encountered an issue. We’ve resolved the reported issues and starting with Chrome 75, we will remove the ability to opt out of Site Isolation using the SitePerProcess or IsolateOrigins policies on desktop. We tentatively plan to move Chrome 75 to the stable channel in June 2019.

  Notes:

  • This change only applies to desktop platforms. On Android, SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable Site Isolation.
  • If you run into any issues with the SitePerProcess or IsolateOrigins policies, file a bug in Chromium.

Upcoming Chrome OS changes

• External camera support for Camera app

  External USB cameras will be supported by the Google Camera app.

• Users can allow notifications on lock screen

  When looking for notifications, a message saying that notifications are hidden will show up. Next to it is a button to enable notifications, which will require the user to authenticate and give permission to show notifications on lock screen. A full password will be required, even if other authentication methods, such as a PIN or fingerprint, are available.

• Always-on VPN for managed Google Play

  Currently, Admins can install Android VPN apps on Chromebooks, however, users have to start the VPN app manually. Soon, admins will be able to set an Android VPN app to start a connection when a device is turned on and direct all user traffic (Chrome OS and Android) through that connection.

• User account / Filename in IPP Headers

  If enabled by policy, all print jobs can include the requesting user account and file name printed in the IPP header. This new feature will provide additional information about print jobs that enable third-party printing features, such as secure printing and print-usage tracking.

• Annotations in PDF Viewer

  When viewing a PDF in Chrome, you will be able to tap a button to add notes to the PDF with a pen and highlighter tools.

• Linux container support for USB devices

  From the Chrome Shell (crosh), you will be able to attach a USB device to Linux running on Chrome devices (Crostini) so that Linux applications can access the Linux instance.

Upcoming Admin console changes

• Native printing (CUPS) improvements
  • Printing limit lifted—The 20 printer maximum cap will be raised to allow for several thousand printers for each organizational unit in the Google Admin console.
  • Set default for 2-sided and black and white printing—Controls are coming for administrators to manage printing capabilities for their users around 2-sided printing and black and white printing. Admins will be able to set defaults or restrict these print options with CUPS (native printing).

• Managed guest session support for managed Google Play

  A setting in the Google Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome Browser updates

• Change to using PAC scripts to configure proxy settings in Chrome

  If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. This is especially so if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.

  The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution. For example, https://www.example.com/account?user=234 will be stripped to https://www.example.com/.

  This policy will change the default value from False to True to improve security. If you already set this policy to True, there’s no impact. If you set it to False, there’s no immediate impact. If you haven’t set this policy and are relying on the default, test this change to see how your PAC scripts operate.

  This policy will be removed in a future release when PAC stripping becomes the default for Chrome.

• Deprecate trust in remaining Legacy Symantec PKI Infrastructure

  This change is present in all release channels: Canary, Dev, Beta, and Stable. Users observing the distrust in Chrome 70 should experience the exact same behavior in Chrome 71 and later. For a small percentage of users, Chrome 71 will be the first time they experience the distrust, which could result in more problems involving related errors.

  Find instructions on how to determine whether a site is affected and any corrective action needed, as well as a description of past changes.

Chrome OS updates

• Fingerprint and PIN enrollment in Chrome device Out of Box Experience (OOBE)

  For tablets that support fingerprint and/or PIN, users can enroll a fingerprint or set up a PIN while signing in to the device for the first time.

• Connect to your Android phone

  Users can connect with their Android phone using a single setup flow to enable Smart Lock, instant tethering, and Android Messages PWA. Android Messages PWA gives users the ability to see, reply to, and start text messages.

• Android Messages for Chrome OS

  Users can text from their Chrome OS by connecting with their Android phone. 

• Print multiple pages per sheet on native (CUPS) printing

  Native printers using CUPS now support rendering multiple pages of content onto a single sheet of paper. Previously only available for Cloud Print printers, this is now available for all printing destinations.

Admin console updates

• Managing site isolation policies

  Site isolation policies on the desktop get updated to reflect that they’re on by default. (They include controls to turn off site isolation or add specific site rules.) New policies are added to the Admin console for Chrome on Android. For more, see Protect your data with site isolation.

New and updated policies

Policy	Description
AllowWakeLocks Chrome OS only	Specifies whether wake locks are allowed. Wake locks can be requested by extensions through the power management extension API and by ARC apps.
NetworkFileSharesPreconfiguredShares Chrome OS only	List of preconfigured network file shares.
NTLMShareAuthenticationEnabled Chrome OS only	Network File Share feature. This policy controls enabling NTLM as an authentication protocol for SMB mounts.
SmartLockSigninAllowed Chrome OS only	Allow Smart Lock Sign-in to be used.
VpnConfigAllowed Chrome OS only	Allow the user to manage VPN connections.
WebUsbAllowDevicesForUrls All operating systems	Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.

Deprecations

• EnableSha1ForLocalAnchors policy

  Enterprises that needed time to migrate following the 2014 announcement to sunset SHA-1 were able to configure an Enterprise policy to enable support for SHA-1 for locally installed, privately trusted Certificate Authorities. Support would be removed in January 2019 at the latest, which corresponds to Chrome 72. Enterprises that rely on server certificates that use the SHA-1 algorithm in the certificate chain will find that Chrome 72 will refuse to connect, presenting an untrusted certificate error. These certificates should be replaced with SHA-2 certificates to avoid any disruption.

• SupervisedUserCreationEnabled policy (deprecated in Chrome 70)

  Read about consumer supervised users.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

• The Chrome Cleanup Tool will quarantine—instead of deleting—files it detects as malicious

  The Chrome Cleanup Tool helps users remove unwanted software on their computers. The removal process includes deleting malicious files in the system. However, to lessen the risk of safe files being erroneously deleted, files will be moved into quarantine instead of getting deleted permanently. For more, learn about removing unwanted programs and the Chrome Cleanup Tool policy.

• PacHttpsUrlStrippingEnabled policy (scheduled to be deprecated in Chrome 74) 

  See the above note on Change to using PAC scripts to configure proxy settings in Chrome.

• SSLVersionMax policy (scheduled to be deprecated in Chrome 75)

  SSLVersionMax can be used as a short-term workaround while TLS 1.3 is rolled out. This allows time for middleware vendors to update their TLS implementations. The policy will be removed in Chrome 75.

• Third-party code injection

  The Chrome 70 release notes stated that in Chrome 71, third-party code blocking will be enabled by default for everyone, including domain-enrolled users. However, due to an issue with anti-virus file scanning, we're delaying this change until we have a solution that better covers customers' needs.

• All extensions must be packaged with CRX3 format by Chrome 75

  Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.

  If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. New installations of the extension will fail.

  Why is this change happening?

  CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is technically possible. So, an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

Upcoming Chrome OS features

• Always-on VPN for managed Google Play

  Admins can install Android VPN apps on Chromebooks. However, users have to start the VPN app manually.

  Soon, admins can set an Android VPN app to start a connection when a device is turned on and direct all user traffic (Chrome OS and Android) through that connection. If the connection fails, all user traffic is blocked until the VPN connection is re-established. VPNs in Chrome OS don’t apply to any system traffic, such as OS and policy updates to prevent security exploits.

• Android 9.0 support coming to certain Chrome devices

  Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. Dates and affected devices haven’t been announced. We’ll include more information in future release notes when it comes available.

Upcoming Admin console features

• Native printer-management improvements

  The 20 printer maximum cap will be raised to allow for several thousand printers for each organizational unit in the Google Admin console.

• Managed guest session support for managed Google Play

  A setting in the Google Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

We're accepting sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy	Description
BrowserSignin	Controls the sign-in behavior of Chrome Browser.
DeviceLocalAccountManagedSessionEnabled Chrome OS only	Allows managed session behavior on a device configured for public sessions.
NetBiosShareDiscoveryEnabled Chrome OS only	Controls Network File Share discovery through NetBIOS.
NetworkFileSharesAllowed Chrome OS only	Controls whether the Network File Share feature for Chrome OS is allowed for a user.
PowerSmartDimEnabled Chrome OS only	Specifies whether a smart dim model is allowed to extend the time until the screen is dimmed
PrintHeaderFooter	Specifies whether users can print headers and footers.
ReportMachineIDData Desktop only	Controls whether to report information that can be used to identify machines. Learn more about reporting on Chrome.
ReportPolicyData Desktop only	Controls whether to report policy data and the time of a policy fetch. Learn more about reporting on Chrome.
ReportUserIDData Desktop only	Controls whether to report information that can be used to identify users. Learn more about reporting on Chrome.
ReportVersionData Desktop only	Controls whether to report Chrome OS version information. Learn more about reporting on Chrome.
WebRtcEventLogCollectionAllowed	Specifies whether to allow or block Chrome OS from collecting WebRTC event logs from Google services.

Chrome Browser updates

• Sign-in policy change

  Starting in Chrome 70, the BrowserSignin policy will control the Allow Chrome sign-in setting for your users on Chrome Browser. It allows you to specify if the user can sign in with their account and use account-related services, such as Chrome Sync.

  If the policy is set to "Disable browser sign-in", then the user cannot sign in to the browser and use account-based services. In this case, account-bound features, such as Chrome Sync, cannot be used and will be unavailable.

  If the policy is set to "Enable browser sign-in", then the user can sign in to the browser, but they’re not forced to do so. The user can’t disable signing in to the browser. To control the availability of Chrome Sync, use the SyncDisabled policy.

  If the policy is set to “Force browser sign-in”, then the user has to sign in to Chrome before using the browser. The default value of BrowserGuestModeEnabled will be set to false. Existing profiles that are not signed in will be locked and inaccessible after enabling this policy. 

  If this policy is not set, then the user can decide if they want to enable the browser sign-in option and use it as they see fit.

• Cookie behavior change

  With Chrome 70, when a user clears cookies in Chrome Browser, Google’s authentication cookies will be deleted along with all other cookies, except for the cookie used for the Chrome Sync account. Users are automatically signed out of all accounts not being used for Chrome Sync. Users will still be signed in to any account used for Chrome Sync so they can delete their browsing data from other devices as well.

• Reduce Chrome crashes caused by third-party software

  Third parties can inject code that disrupts the stability of Chrome Browser. In Chrome 66, we introduced on-screen warnings that alerted users when a third party injects code.

  Here’s the warning users see on their computers if the ThirdPartyBlockingEnabled policy is enabled:

  

  The following blocking feature was previously scheduled for M68 and M69, but is now launching in Chrome 70.

  In Chrome 70, third-party code is now blocked by default for consumer users of Chrome. However, there is a different default behavior for enterprises. If you (the admin) do not block third-party code, third-party code will not be blocked for domain-enrolled enterprise users in Chrome 70.

  In Chrome 71, third-party code blocking will be enabled by default for everyone, including domain-enrolled users.

  To prepare for this change, if you still use software that injects code into browser processes, you can temporarily enable access using the new ThirdPartyBlockingEnabled policy.

  To test Chrome’s third-party software warning and blocking features on Windows, see these instructions, which will walk you through how to use the diagnostic tool at chrome://conflicts.

• Deprecate trust in remaining legacy Symantec PKI infrastructure

  Following previous announcements, Chrome 70 marks the final stage of distrusting the Symantec legacy PKI certificates.

  Beginning with Chrome 70:

  • All certificates, regardless of issuance date, issued from the Symantec legacy PKI are distrusted in the Canary and Dev release channels.
  • Trust in the Symantec legacy PKI has begun phasing out for the Beta and Stable release channels.
  • Temporary periods of distrust, increasing in length, will identify any outstanding breakages caused by sites that have not replaced their TLS certificates. Complete and final distrust can occur regardless of Chrome release dates. You are strongly encouraged to replace affected certificates as soon as possible to avoid site breakage.

  What you need to do:

  • Determine if your site is affected and replace your TLS certificate with one unaffected by the change. To find out if your site is affected, see the instructions in our blog post on the deprecation.
  • Enterprises with a critical dependency on Symantec TLS certificates can configure temporary trust in the Symantec legacy PKI. This policy is a temporary measure and will expire January 01, 2019. For details, see the EnableSymantecLegacyInfrastructure policy.

• Update to TLS 1.3

  We shipped draft 23 of TLS 1.3 in Chrome 65. In Chrome 70, we are now updating to the final revision. For details, see TLS 1.3 and Chromium.org. We will not be shipping anti-downgrade protections in Chrome 70 due to bugs in several middlebox vendor’s TLS implementations. Administrators of Cisco^® Firepower^® devices can update to Firepower version 6.2.3.4 to avoid incompatibilities with a future Chrome version. If needed, admins can use the SSLVersionMax policy to control TLS 1.3.

• New UI support for WebAuthn

  Chrome 70 comes with a new UI for WebAuthn and FIDO authenticators. Developers no longer have to implement these user authentication flows themselves. In Chrome 70, when a user invokes WebAuthn, Chrome will guide the user through their FIDO-compatible authenticator, such as a security key.

• Form autofill policy changes

  The AutoFillEnabled policy is deprecated. It’s being replaced with 2 more granular policies, which control autofilling address and credit card information into forms online. For Chrome devices running Chrome 70 and later, you need to update the AutofillAddressEnabled and AutofillCreditCardEnabled policies (details below).

  Autofill policies

  The AutofillAddressEnabled and AutofillCreditCardEnabled policies allow users to enter address and credit card information in web forms using previously stored information or information from their Google Account.

  If AutofillAddressEnabled is disabled, address information is not suggested or filled in. Additional address information that’s entered in web forms by the user will not be saved.

  If AutofillCreditCardEnabled is disabled, credit card information is not suggested or filled in. Additional credit card information that’s entered in web forms by the user will not be saved.

  If either the AutofillAddressEnabled or AutofillCreditCardEnabled setting is enabled or has no value, the user will be able to control autofill for addresses or credit card information, respectively.

Chrome OS updates

• Native SMB file share support

  SMB file shares (Windows file shares) are now supported natively on Chrome OS. Remote paths can be mounted as a root in the Files app. Supported authentication methods include Kerberos, Microsoft^® Active Directory^®, and NTLM version 2. To initiate an SMB file share:

  1. Open a Chrome Browser window and at the top right, click  Settings.
  2. Next to Network file shares, click Add File Share.
  3. Enter the required information and click Add.
  4. Open the Files app and browse the shared folder.
• 
• Camera app updates

  The Camera app has a refreshed UI. Photos and videos taken with the Camera app are now stored in the Downloads folder in the Files app.

• Enable key remapping for external keyboards

  Users can now remap the Search, Command, and Windows keys on external keyboards in the keyboard settings. If an Apple^® keyboard is attached to a Chromebook, the external keyboard setting defaults to the Control key. Other external keyboards default to the Search or Launcher key.

• Floating virtual keyboard

  For touch-enabled Chrome devices, you can use a floating keyboard to enter text with one finger. You can use this keyboard on a touchscreen, similar to how you use a smartphone keyboard.

• Restriction policy for native CUPS printing

  Admins can restrict users to color or black-and-white printing with CUPS printing. Users will not be able to manually change the setting on the device. Details are coming in Manage local and network printers.

Admin console updates

• Manage sign-ins in Chrome Browser and Chrome OS

  In the Google Admin console, you can restrict which domains users can use to access Google products, such as Gmail. The setting applies in Chrome Browser and on Chrome OS devices. For example, you might want to prevent employees from signing in to their personal Gmail accounts on a corporate-owned Chromebook. The setting combines the AllowedDomainsForApps and SecondaryGoogleAccountSigninAllowed policy.

• Support for certificate transparency enforcement exceptions

  A collection of 3 new user policies have been added to allow enterprises to provide exceptions to certificate transparency requirements. The policies can be found in the Admin console under Device management  Chrome management  User settings  Security.

  These settings are from the Chrome policies:

  • CertificateTransparencyEnforcementDisabledForCas
  • CertificateTransparencyEnforcementDisabledForLegacyCas
  • CertificateTransparencyEnforcementDisabledForUrls

• Improved developer tools policy

  You can use the new DeveloperToolsAvailability policy to allow developer tools except for force-installed extensions. This behavior is the new default and is useful for organizations that want to allow the general use of developer tools, but prevent tampering with force-installed extensions. For details, see the DeveloperToolsAvailability policy.

• Auto-updates over LTE policy control

  You can use the DeviceUpdateAllowedConnectionTypes policy to control which connection types a device can receive automatic updates over. There is now an option to enable automatic updates over all connection types, including LTE, as opposed to only WiFi and Ethernet. For details, see the DeviceUpdateAllowedConnectionTypes policy. This feature will be rolled out over the coming weeks in the Admin console under Device management  Chrome management  Device settings  Device Update Settings  Auto Update Settings.

• Lock screen control

  After a defined idle time, you can now set a lock screen on users’ devices running Chrome OS. This setting is in the Google Admin console under Device management  Chrome management  User settings  Security  Idle Settings.

Deprecations

• AutoFillEnabled policy deprecation

  The AutoFillEnabled policy is deprecated in Chrome 70. It’s being replaced with 2 more granular policies, which control autofilling address and credit card information into forms online. For Chrome devices running Chrome 70 and later, you need to update the AutofillAddressEnabled and AutofillCreditCardEnabled instead (see Form autofill policy changes above).

• UnsafelyTreatInsecureOriginAsSecure policy deprecation

  The UnsafelyTreatInsecureOriginAsSecure policy was deprecated in Chrome 69. Use OverrideSecurityRestrictionsOnInsecureOrigin instead.

• Gmail Offline app discontinued

  In December 2018, the Gmail Offline app will be removed from the Chrome Web Store. You can now get offline functionality in Gmail. For details, see Use Gmail offline.

• CRX2 deprecation

  Starting with Chrome 70, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in the Chrome Web Store have been automatically converted.

  Starting with Chrome 75, this restriction will also apply to force-installed extensions. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.

  If your organization is force-installing privately hosted extensions packaged in CRX2 format and you do not repackage them, they will stop updating in Chrome 75. New installations of the extension will fail.

  Why is this change happening?

  CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is computationally feasible, so an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm without this risk.

Coming soon

Note: The items listed below are experimental or planned updates. They may be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

• Change to using PAC scripts to configure proxy settings in Chrome Browser

  If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change, especially if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.

  The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of HTTPS URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution.

  In Chrome OS version 71, this policy will change the default value from FALSE to TRUE to improve security. If you already set this policy to TRUE, there will be no impact. If you set it to FALSE, there will be no immediate impact. If you have not set this policy and are relying on the default, you should test this change to see how your PAC scripts operate.

  Note: This policy will be removed in a future release when PAC stripping becomes the default for Chrome OS.

• CRX2 deprecation

  For details on what’s happening with CRX2-packaged extensions in Chrome 75, see CRX2 deprecation (above).

Upcoming Chrome OS features

• Android 9.0 Pie

  Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. Dates and affected devices have not yet been announced. We will include more information in future release notes when it comes available.

• Always-on VPN for managed Google Play

  Admins can already install Android VPN apps on Chromebooks. However, users have to start the VPN app manually. Soon, admins can set a VPN app to start a connection when a device is turned on and direct all traffic through that connection. If the connection fails, all traffic is blocked until the VPN connection is reestablished.

Upcoming Admin console features

• Native printer-management improvements

  Soon, you can add more than 20 printers for each organizational unit in the Google Admin console.

• Managed guest session support for managed Google Play

  Soon, there will be a setting in the Google Admin console that allows Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

We're accepting sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy	Description
AllowedUILocales Chrome OS only	Configures the allowed UI locales in a user session. This policy replaces the AllowedLocales policy.
OverrideSecurityRestrictionsOnInsecureOrigin	Specifies a list of origins (URLs) for which security restrictions on insecure origins will not apply. This policy replaces UnsafelyTreatInsecureOriginAsSecure. The policy now applies to Chrome OS and Android.
PasswordProtectionChangePasswordURL	Configures the change password URL.
PasswordProtectionLoginURLs	Configures the list of enterprise sign-in URLs where the password protection service should capture password fingerprints for reuse detection.
PasswordProtectionWarningTrigger	Configures the password protection warning trigger.
UsageTimeLimit Chrome OS only	Configure the time limit for a user session or device usage per day.

Chrome Browser updates

• Password Alert policy

  Password Alert has been a popular extension with enterprises for the past few years to protect Google Accounts. With the release of Chrome 69, we’re adding password alert as a policy for Chrome Browser to allow you to specify both Google and non-Google Accounts. If your users sign in to websites that aren’t whitelisted by your organization or are flagged as suspicious, they’ll get a warning that prompts them to reset their password. Preventing password reuse across multiple websites can protect your organization from compromised accounts.

• Reduce Chrome crashes caused by third-party software

  Third parties can sometimes inject code that disrupts the stability of Chrome Browser. In Chrome 66, we introduced on-screen warnings that alerted users when a third-party injects code. In Chrome 69, third-party code is now blocked by default. If you still use software that injects code into browser processes, you can temporarily enable access using the new ThirdPartyBlockingEnabled policy.

  Here is the warning users will see on their computers when this policy is enabled:

  

  Please note that this blocking feature was previously scheduled for M68, but is now scheduled for M69.

• On-premise reporting

  You can use a new reporting tool for Chrome Browser that provides insight into the browser, its resource consumption, and policy compliance. You can use Chrome Reporting Extension and a companion application on user machines to enable reporting. Use policies to specify what to monitor. Browser data is stored in a local file on disk in JSON format, which you can integrate with on-premise reporting and analytic tools, such as Spunk^® or Sumo Logic^®. For details, see Track Chrome Browser usage and events.

• Browser interface changes

  Chrome Browser will have a new design across all operating systems. Highlights include Microsoft^® Windows 10^® notification-center integration, touchpad gesture navigation on Windows, and autofill updates.

• Flash deprecation

  Last year, Adobe announced it will stop updating and distributing Adobe Flash™ at the end of 2020. Starting with Chrome 69, every time users restart Chrome Browser, they will have to grant permission for sites to use Flash. This update won’t impact your enterprise settings. You can continue to use the DefaultPluginsSetting, PluginsAllowedForUrls, and PluginsBlockedForUrls policies to configure Flash behavior. Only user-configured settings will be impacted. For details, see the Flash roadmap on Chromium.org. Flash will not be supported after December 2020.

• Update to Legacy Browser Support extension

  The Legacy Browser Support extension for Chrome has been updated to version 5.4. You can now specify more precise rules in URL lists to make managing multiple sites hosted on the same domain simpler. The update also improves support for automatically generated Microsoft^® Internet Explorer^® site lists. If you deploy the native Legacy Browser Support companion MSI manually, make sure to get the newest extension version to avoid mismatches with the extension version.

• Improvements to Chrome management with Intune

  Policies that are only available on Microsoft^® Windows^® instances that are joined to a Microsoft^® Active Directory^® domain can now be configured with Intune. These policies can even be managed on Windows instances not joined to a domain. Managing Chrome policies with Intune is supported on the Windows 10 Pro and Enterprise editions. For details, see Manage Chrome Browser with Microsoft Intune.

Chrome OS updates

• Linux (Beta) for Chromebooks

  Important:

  Linux (Beta) for Chromebooks allows developers to use editors and command-line tools by adding support for Linux on a Chrome device. After developers complete the set up, they’ll see a terminal in the Chrome launcher. Developers can use the terminal to install apps or packages, and the apps will be securely sandboxed inside a virtual machine.

  To try this out on an unmanaged device:

  • This feature is currently only supported on unenrolled Chrome devices and not available for managed Chrome devices.
  • This feature is only available on the latest Chrome devices. See Chromium.org for a list of Chrome device boards that support VMs.
  1. Go to Settings  Linux (Beta).
  2. Click Turn on.
     Note: If you don’t see Linux (Beta) in your Chrome OS settings, either you’re using a managed Chromebook, or you haven’t yet updated to Chrome OS 69 or later.
  3. Click Install in the window that appears to Set up Linux (Beta) on your Chromebook.

Linux can take several minutes to install. Once installation is complete, a terminal window will appear.

• Voice dictation from anywhere

  Voice-to-type functionality has been available on Chromebooks for some time through the on-screen accessibility keyboard or the virtual keyboard’s microphone icon. However, many of our users have asked to make dictation a standalone feature that's separate from the accessibility keyboard. Chrome 69 now offers dictation as a separate accessibility feature. With dictation enabled, a small button will appear at the bottom of the desktop. Also, when input focus is in a text-edit area, users can click a button to start dictating or press Search+D and use their voice to input text.

  

• Global text-to-speech settings

  In Chrome 69, we’re launching a new global text-to-speech settings page that’s available in your accessibility settings. Users can set a system-wide synthesized voice, language, pitch, and rate. We’re also working on making this setting smoother for any users who have non-default voice settings in the ChromeVox screen reader options page or the Select-to-speak options page.

• Files app improvements

  Native support for Drive in the Files app is targeted for Chrome 69. We’re also working on making managed Google Play on Chrome OS files available as read/write with the Files app. And, we’ll be making updates to improve the organization of local versus cloud file storage.

• Night Light support on Chromebooks

  To reduce eye strain and improve sleep, users can manage the color of their device displays throughout the day using Night Light. Users can use a preset sunrise and sunset schedule and suggested tint. Or, they customize their daily schedule and color temperature from a spectrum of colors.

• Visual updates for enterprise device enrollment

  The device-enrollment flow will be updated to match the visual styling of the rest of the Chrome OS out-of-box experience (OOBE). Functionality will not be affected. If you automate the out-of-box experience using USB devices, you should update your automation steps as appropriate.

Admin console updates

• Support for enterprise mobility management (EMM) coexistence for Android

  Previously, domains that had a third-party enterprise mobility management (EMM) provider bound to their domain could not manage Android apps on Chromebooks from the Google Admin console. Also, some users saw an empty Google Play store if their company was using an EMM to install Android apps outside of Google Play. With this change, administrators will be able to assign separate sets of Android apps for their Chrome and Android users from their respective consoles. The steps to manage apps remain the same. For details, see Use Android apps on Chrome devices.

• Android app installation improvements

  The most commonly used Android apps on a Chromebook will see performance improvements now that force-installed apps on Chromebooks can be kept as cached local copies. This improvement reduces the time it takes to install apps and network-traffic usage.

Deprecations

• SigninAllowed policy deprecation

  The SigninAllowed policy has been deprecated since Chrome 40. It will be removed from Chrome completely in Chrome 71. If you’re still using this policy, you need to transition to supported alternatives. For example, you can use the SyncDisabled policy to control the availability of the Chrome Sync feature.

• CRX2 deprecation

  Starting with Chrome 70, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in the Chrome Web Store have been automatically converted, but privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. Starting with Chrome 75, this restriction will also apply to force-installed extensions.

Upcoming Chrome Browser features (targeted for M70 and later)

• Redirect protection

  We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

  

Upcoming Chrome OS features (targeted for M70 and later)

• Enable key remapping for external keyboards

  This feature will allow users to remap the Search, Command, and Windows keys on external keyboards through keyboard settings. If an Apple^® keyboard is attached to a Chromebook, the external keyboard setting defaults to the Control key. Other external keyboards default to the Search or Launcher key.

Upcoming Admin console features

• Native printer-management improvements

  Soon, you can add more than 20 printers for each organizational unit in the Google Admin console.

• Manage sign-ins within Chrome Browser and on Chrome OS

  A new setting coming to the Google Admin console will allow you to restrict which domains users can use to access Google products like Gmail or G Suite. This applies for users that are browsing in the Chrome browser and on a Chrome OS device. A common way this setting could be used is to prevent students from signing in to their personal Gmail accounts on a school-owned Chromebook.

  Note: This Admin console setting combines these policies:

  • AllowedDomainsForApps
  • SecondaryGoogleAccountSigninAllowed

• Public-session support for managed Google Play on Chrome OS

  Soon, there will be a setting in the Google Admin console that allows Android apps to run in public sessions. Currently, Android apps can only run in a signed-in session.

Starting with Chrome 67, release notes are listed in a new format. They're no longer exclusive to Chrome Browser, but also includes a changelog of Chrome OS releases and Admin console features coming soon.

We're also now taking sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy	Description
ArcBackupRestoreServiceEnabled Chrome OS only	Controls Android backup and restore service
ArcGoogleLocationServicesEnabled Chrome OS only	Controls Android Google location services
ChromeCleanupEnabled Windows only	Enables Chrome Browser Cleanup on Windows
ChromeCleanupReportingEnabled Windows only	Controls how Chrome Browser Cleanup reports data to Google
DeveloperToolsAvailability	Controls where Developer Tools can be used
IsolateOriginsAndroid Android only	Enables Site Isolation on Chrome Browser for specified origins on Android devices
SafeBrowsingWhitelistDomains	For configuring the list of domains which will not trigger Safe Browsing warnings
SitePerProcessAndroid Android only	Enables Site Isolation for every site
WebUsbAskForUrls	Allows WebUSB on these sites
WebUsbBlockedForUrls	Blocks WebUSB on these sites

Chrome Browser updates

• Unencrypted sites to show “not secure” indicator

  For the past several years, we’ve advocated that sites adopt HTTPS encryption for greater security. Within the last year, we’ve also helped users by marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

  Chrome offers a policy to control this warning on your domain.

  

• Chrome Canary on Mac policy list update

  Chrome Canary on Mac reads the same policy file (com.google.chrome.plist) as the Dev, Beta, and Stable channels of Chrome. We’re deprecating the separate policy file com.google.chrome.canary.plist.

• Block a locally installed, hardcoded CA for Mitel VoIP products

  In M68, we plan to blacklist a hardcoded Certificate Authority (CA) and shared private key that’s installed with certain Mitel® VoIP products. The products contain both the public and private key for the Mitel IP Communications Platform (ICP) CA, which can be installed and trusted for a wide range of certificate purposes, including website SSL and TLS certificates. We’ve observed evidence of this CA being used to maliciously issue Man-in-the-Middle (MITM) certificates, including www.google.com. While this CA is not publicly trusted as a part of the web PKI, it warrants protecting Chrome users by blocking trust in it. For more details, see Mitel's security advisory.

• Certificate transparency

  M68 requires that all new publicly trusted certificates issued after April 30, 2018 have several Certificate Transparency logs. This update does not affect existing certificates or certificates from locally trusted CAs, such as Enterprise CAs or those used with antivirus or security products. For more information, see Certificate Transparency.

Chrome OS updates

• PIN sign-in support

  Users can now sign in to their device using a numeric PIN. Previously, users could only use a PIN to unlock their device after first signing in with a password. Policy to control this feature in the Admin console will arrive in a future release. When the policy is added, it will allow an admin to enable or disable their end users from setting a PIN for the Chrome device. Once enabled, the user has to set the PIN themselves. The PIN only works on that device and it won’t sync to other devices.

• Video capture service

  Video capture from internal and external cameras in Chrome (including on Chrome OS and Chromebox for meetings devices) has traditionally been run as part of the main Chrome Browser process. With the rollout of the video capture service, this functionality is now a separate process to enable isolation in services. There are no user-facing changes in functionality.

• 802.11v and 802.11r Fast BSS Transition support added

  These changes allow Chrome OS customers to more quickly connect to a network. Specifically, the 802.11r Fast BSS Transition enables a faster handoff for devices roaming in areas with many access points (APs). For enterprise users with 802.11r-enabled APs, the time-to-associate with APs while mobile is improved. 802.11v enables clients to be topology aware. This can allow clients to transition to APs, which increase throughput and QoS.

• Accessibility improvements

  Chrome OS M68 comes with a number of accessibility improvements.To enable the ChromeVox screen reader:

  1. Press and hold the 2 side volume buttons for 5 seconds. After a few seconds of holding these 2 buttons, an audio tone will play.
  2. Continue holding. The screen reader will start speaking. 

  Additionally, we’re launching new shortcuts to toggle accessibility features:

  • Select Ctrl + Search + M to enable/disable the full screen magnifier.
  • And select Ctrl + Search + D to enable/disable the new docked magnifier. 

  We’re adding new functionality to our Select to Speak feature, which allows users to select certain parts of the screen to be spoken aloud through a synthesized voice. With M63, we launched this feature by pressing the Search key, then clicking an item or dragging a box around content to have that content read aloud.

  With M67, we introduced the ability to highlight specific text, then press Search + D to have only that text spoken aloud.

  With M68, it’s now possible to use the Select to Speak feature with a touch screen, mouse, or stylus (in addition to or instead of the keyboard and touchpad). This adds a button in the status area that a user can click or touch, then select an area to be spoken aloud.

• Introduction of display size and refresh rates to display settings

  As of M68, we are rolling out a new display-zoom setting for primary display and adding resolution, along with refresh rates for external displays.

  • While disconnected from external display, users will be able to manipulate the size of objects on the screen.
  • When connected to external display, we are adding an option to set resolution, which determines sharpness of text and images.

  The goal of these changes is to give users more control over UI scale and look.

Admin console updates

• Automatic re-enrollment (Forced re-enrollment enhancement)

  A new feature allows a managed Chrome OS device that is wiped or recovered to automatically re-enroll after it connects to a network. With the previous Forced re-enrollment feature, a user had to enter their username and password to complete the re-enrollment step. But this new feature allows an admin to remove that requirement and automatically complete re-enrollment. This feature will be rolled out incrementally starting in July, 2018 and will become the default for new customers, as well as for existing customers who have not changed the default Forced re-enrollment setting.

  Admins can still require users to enter their credentials to re-enroll wiped or recovered devices and make use of enrollment permissions to prevent specific users from re-enrolling through that process.

• Device off-hours feature

  Admins can set up schedules to customize when sign-in restrictions and guest-mode policies are needed. For instance, schools can allow guardians and family members to sign in to Chrome devices with their personal accounts after school hours on managed devices.

• Native printer-management improvements

  A new policy to block users from manually adding printers is targeted for this release. With this policy, users will be limited to using printers assigned by their admin.

Upcoming Chrome Browser features (targeted for M69 and later)

• CRX2 deprecation (M69)

  Starting in M69, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in Chrome Web Store have been automatically converted, but privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. Starting in M75, this restriction will also apply to force-installed extensions.

• Reduce Chrome crashes caused by third-party software (M69)

  In M66, Chrome began showing a warning to users after a crash that displays third-party software that is injecting code into Chrome, guiding them to update or remove that software. In M69, Chrome will begin blocking third-party software from injecting code into Chrome processes.

  Please note that this blocking feature was previously scheduled for M68, but is now scheduled for M69.

  You can enable or disable third-party software blocking with the ThirdPartyBlockingEnabled policy. The policy will be deprecated in approximately one year (Chrome 77).

  

• Redirect protection

  We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

  

Upcoming Chrome OS features (targeted for M68 and later)

• Voice dictation from anywhere (M69)

  Voice to type has been available on Chromebooks for some time through the on-screen accessibility keyboard or the virtual keyboard’s microphone icon. However, a number of users have requested the ability to use dictation as a standalone feature, separate from needing to pull up the accessibility keyboard. Soon, we will launch dictation as a separate accessibility feature. With this enabled, a small button will appear in the status area. When focus is in an edit field, users can either click the button to start dictating or press the keyboard command Search + D, then use their voice to input text. 

• Enable key remapping for external keyboards (M69)

  The new feature allows users to remap Search/Command/Windows keys on external keyboards through keyboard settings. If an Apple® keyboard is attached to Chromebook, the external keyboard setting defaults to Control. Other external keyboards default to Search/Launcher. 

• Files app improvements (M69)

  Native support for Drive in Files app is currently targeted for M69. The team is also working toward making ARC++ files available as read/write with the Files app and will be updating the UI to improve the organization of local vs. cloud file storage.

• Policy to show PIN pad on sign-in and lock screen for TouchView devices

  The Policy to show PIN feature will allow admins to show the PIN pad on the sign-in screen. This is intended to make sign-in easier on tablets in domains where the administrator has made all user passwords only digits.

• Visual updates for enterprise device enrollment flow

  The device enrollment flow will be updated to match the visual styling of the rest of the Chrome OS out-of-box experience (OOBE). These are only style changes and will not affect functionality. Customers who automate OOBE using USB devices should update their automation steps as appropriate.

• Night Light support on Chromebooks

  To reduce eye strain and improve sleep, Night Light on Chromebooks lets users manage the color of their device displays throughout the day. Users can use a preset sunrise/sunset schedule and suggested tint. Or, they customize their daily schedule and color temperature from a spectrum of colors.

Upcoming Admin console features

• Native printer-management improvements

  A change is coming to the Admin console to remove the 20-printer limit for each organizational unit.

• Sign-in Within the Browser policy

  Admins can restrict users who sign in to Chrome OS from adding additional Google Accounts in the browser.

• Public session support for managed Google Play on Chrome OS

  A setting is coming to the Admin console that will allow you to run Android apps in public sessions. Currently, Android apps can only run in a signed-in session.

Starting with Chrome 67, release notes are listed in a new format. They're no longer exclusive to Chrome Browser, but also include Chrome OS releases and Admin console features coming soon.

We're also now taking sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy	Description
ArcAppInstallEventLoggingEnabled	Logs events for Android app installs (Chrome OS)
AutoplayWhitelist	Allows media autoplay on a whitelist of URL patterns
CertificateTransparencyEnforcementDisabledForCas	Disables Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes
CertificateTransparencyEnforcementDisabledForLegacyCas	Disables Certificate Transparency enforcement for a list of Legacy Certificate Authorities
DefaultWebUsbGuardSetting	Controls use of the WebUSB API
DeviceRollbackAllowedMilestones	Specifies the number of milestone rollbacks allowed (Chrome OS)
DeviceRollbackToTargetVersion	Specifies a rollback to a target version (Chrome OS)
MediaRouterCastAllowAllIPs	Allows Google Cast to connect to Cast-ready devices on all IP addresses
RelaunchNotificationPeriod	Sets the period for update relaunch notifications
SafeBrowsingExtendedReportingEnabled	Enables extended reporting for Safe Browsing (added in M66)
TabUnderAllowed	Allows sites to simultaneously navigate and open notifications

Chrome Browser updates

• SAML SSO interstitial

  Doesn’t impact users who sign in to G Suite services directly, those who use G Suite or Cloud Identity as their identity provider, or devices running Chrome OS.

  If your users use SAML to sign in to G Suite services, they’ll need to complete an extra step to confirm their identity when using the Chrome Browser. After signing in on a SAML provider’s website, they’ll be brought to a new screen on accounts.google.com to confirm their identity. This screen provides an extra layer of security and helps prevent users from unknowingly signing in to a malicious account.

  To minimize disruption, this screen will only be shown once per account per device. We’re working on ways to make the feature smarter in the future, meaning users in your organization should see the screen less and less over time.

  If you don’t want your users to confirm their identity on this interstitial page, you can set the X-GoogApps-AllowedDomains header and identify specific domains where the extra confirmation isn’t needed. We assume that if the user is signing in with an account that is in this list of domains, then the account is trusted by the user. You can set the header using the AllowedDomainsForApps group policy.

  For more details, see the G Suite Updates blog.

• Site Isolation

  You can turn on site isolation to create an additional security boundary between websites. When you enable site isolation, content for each open website in Chrome Browser is always rendered in a dedicated process, isolated from other sites. Adding site isolation creates an additional security boundary between websites.

  Chrome continues to roll out Site Isolation to a larger percentage of the stable population in M67. For details, see Manage Site Isolation.

Chrome OS updates

• Desktop Progressive Web Apps (PWAs)

  Desktop PWAs are now supported on devices running Chrome OS starting with M67. Work is underway to include support for Microsoft^® Windows^® and Apple^® Mac^®. For more information, see our developer site.

• Detachable-base swap detection

  Detachable-base swap detection helps prevent hackers from accessing sensitive data. When a keyboard base that has not been used before is attached to a detachable tablet, such as an HP Chromebook X2, the user gets notified. The detection helps prevent hackers from replacing the base with a different one that looks the same but has been modified.

• Block symlink traversal

  This feature improves verified boot security by preventing symlink traversal attacks, even after restart. This is a defensive measure to prevent attacks against Chromebooks from persisting through restart.

  This feature has no observable changes for most users. Developers and power users who use developer mode might run into issues, but these can be resolved by disabling this restriction. Learn more about restricting symlink traversal.

Admin console updates

• EAP-TLS device-level support

  Admins can now configure EAP-TLS network support at a device level. These network settings apply to users across the device, including users in a public session and kiosk mode. Learn more about adding a network configuration.

• Managed Google Play on Chrome OS policy update

  With this release, the Android user policies Backup & Restore and Google Location Services are disabled by default for the Chrome Enterprise and Chrome Education services. Admins can only turn off these features or let the users configure them. Admins cannot force these on for their users. The policies allow users to easily restore their data and help improve location accuracy on their Android apps.

• Admins can block apps from installation
  Currently not available for the Chrome Education service

  As an administrator, you can specify a blacklist of Android apps for users who have enabled All Access mode for Android on their organization’s domain. If a blacklisted app has already been downloaded onto a user’s device, it will be uninstalled.

• Android app installation reporting

  In a new section in the Google Admin console, you and other admins can troubleshoot Android app installations on devices running Chrome OS. You can now see the status of force-install (and uninstall) operations and filter the reports by organizational unit, user, or status. You can also see which devices the status applies to.

• Android app bulk purchasing on Education service

  As an administrator of the Chrome Education service, you can now bulk purchase one-time payment and perpetual-access apps from the managed Google Play store and provision them by user and organizational unit in the Admin console. In the Admin console, you can force-install, allow install, and pin apps to the taskbar. You can use a credit card and Google Play gift cards. In-app and subscription purchasing is not currently supported.

Upcoming Chrome Browser features (targeted for M68 and later)

• Unencrypted sites to show “not secure” indicator (M68)

  For the past several years, we’ve advocated that sites adopt HTTPS encryption for greater security. Within the last year, we’ve also helped users by marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

  Chrome will offer a policy to control this warning on a per-domain basis.

  

• Canary release channel on Mac update (M68)

  This change unifies the policy list for all Chrome OS release channels on Mac devices to include the Canary channel, which is consistent with how other platforms operate.

• Reduce Chrome crashes caused by third-party software (M68)

  In M66, Chrome began showing a warning to users after a crash that will display third-party software that is injecting code into Chrome, guiding them to update or remove that software. In M68, Chrome 68 will begin blocking third-party software from injecting code into Chrome processes.

  You can enable or disable third-party software blocking with the ThirdPartyBlockingEnabled policy.

  

• Block a locally-installed hardcoded CA for Mitel VoIP products (M68)

  In M68, we intend to blacklist a hardcoded Certificate Authority (CA) and shared private key that’s installed with certain Mitel^® VoIP products. The products contain both the public and private key for the Mitel IP Communications Platform (ICP) CA, which can be installed and trusted for a wide range of certificate purposes, including website SSL and TLS certificates. We’ve observed evidence of this CA being used to maliciously issue Man-in-the-Middle (MITM) certificates, including www.google.com. While this CA is not publicly-trusted as a part of the web PKI, it warrants protecting Chrome users by blocking trust in it. For more details, see Mitel's security advisory.

• Certificate transparency (M68)

  M68 will require that all new publicly-trusted certificates issued after April 30, 2018 have several Certificate Transparency logs. This update does not affect existing certificates or certificates from locally-trusted CAs, such as Enterprise CAs or those used with antivirus or security products. For more information, see Certificate Transparency.

• Redirect protection

  We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

  

Upcoming Chrome OS features (targeted for M68 and later)

• PIN sign-in support (M68)

  Users will now be able to sign in to their device using a numeric PIN. Previously, users could only use a PIN to unlock their device after first signing in with a password.

• Video capture service (M68)

  Video capture from internal and external camera devices in Chrome (including on Chrome OS and Chromebox for meetings devices) has traditionally been run as part of the main Chrome Browser process. With the rollout of the video capture service, this functionality is now a separate process to help enable better isolation. There are no user-facing changes in functionality.

Upcoming Admin console features

• Automatic re-enrollment (Forced re-enrollment enhancement) (M68)

  A new feature allows a Chrome OS device that is wiped or recovered to automatically re-enroll once it connects to a network. In the past, a user had to sign in to complete the re-enrollment step. But with the new feature, user credentials are no longer required to complete re-enrollment.

  Admins can still require users to sign in to re-enroll wiped or recovered devices.

• Native printer management improvements

  There will be 2 new improvements for native printer management:

  • A new policy for user and device settings to remove the 20-printer limit per organizational unit.
  • A new policy to block users from manually adding printers is targeted for M68.

• Sign-in Within the Browser policy

  Admins can restrict users who are signed in to the Chrome Browser from adding additional Google Accounts in the browser.

• Device off-hours feature

  Admins can set up schedules to customize when sign-in restrictions and guest-mode policies are needed. For instance, schools can allow guardians and family members to sign in to Chrome OS devices with their personal accounts after school hours on managed devices.

• Public session support for managed Google Play on Chrome OS

  You will soon be able to run Android apps in public sessions. Currently, Android apps can only run in a signed-in session.

Security updates

• Continuation of distrust of Symantec Certificates 

  Following our announcement to gradually phase out trust in Symantec's PKI, Chrome continues to remove trust in Symantec-issued certificates issued before June 1, 2016.

  The Google Security Blog published a guide for impacted site operators. The EnableSymantecLegacyInfrastructure enterprise policy allows administrators to temporarily remove Chrome's distrust of the Symantec PKI. The policy expires after Chrome 73 (targeted for release January 2019), giving enterprise admins 3 releases after Chrome's full distrust to migrate off of Symantec certificates.
  
  For details, see Migrate from Symantec certificates.

• Site Isolation Trial

  Chrome 66 includes a trial of Site Isolation for a small percentage of users, to prepare for a broader upcoming launch. Site Isolation improves Chrome's security and helps mitigate the risks posed by the Spectre security vulnerability.

  If you observe any issues with functionality or performance in the trial, it can be disabled by policy.  To diagnose whether an issue is caused by Site Isolation, test by going to chrome://flags#site-isolation-trial-opt-out and follow these instructions to opt out. If any of your users experience issues, you can disable the trial for your whole organization by setting the SitePerProcess policy to false, instead of leaving it unspecified.

  If you experience any issues during the Site Isolation trial, please report them here.

Enterprise features

• Chrome relaunch policy: RelaunchNotificationPeriod (M67)

  This feature allows admins to set the time period over which Chrome relaunch notifications are shown to apply a pending update. Over the period based on the setting of the RelaunchNotification policy, the user is repeatedly notified of the need for an update. If RelaunchNotificationPeriod isn't set, the default period of one week applies.

• Click to open PDF 

  For downloading embedded PDF content with an embed or iframe when Chrome's default PDF viewer is disabled (via settings or Enterprise policy) or not present (as on mobile), an Open button appears on the PDF placeholder.

• Force sign-in policy: Support for Mac

  The ForceBrowserSignin policy is supported on Mac.

Chrome policies

Changes in this release:

Policy	Notes
AutoplayAllowed	This policy allows you to control whether videos with audio content can autoplay (without user consent) in Chrome.
EnableCommonNameFallbackForLocalAnchors	This policy has been deprecated.
EnableSymantecLegacyInfrastructure	When this setting is enabled, Chrome allows certificates issued by Symantec Corporation's Legacy PKI operations to be trusted if they otherwise successfully validate and chain to a recognized CA certificate.
ForceBrowserSignin	Force users to sign in to the profile before using Chrome. Added support for Mac.
RelaunchNotification	Notify users to relaunch Chrome to apply a pending update.
SafeBrowsingExtendedReportingEnabled	This setting enables Chrome's Safe Browsing Extended Reporting and prevents users from changing it.
SSLVersionMin	If this policy isn't configured, Chrome uses the default minimum version of TLS 1.0.

 

UI changes

• Changes to autoplay 

  Chrome is changing the policy for when sites can autoplay media with sound. Admins will be able to use the AutoplayAllowed policy to control whether Chrome defaults to allowing media to autoplay. For details, see the Autoplay Policy Changes.

• Reducing Chrome crashes caused by third-party software

  Chrome will begin showing a warning to users after a crash that displays third-party software injecting code into Chrome. It guides them to update or remove that software.

  

Deprecations

• Enable CommonName fallback for local anchors policy

  The EnableCommonNameFallbackForLocalAnchors policy was offered to give admins more time to update their local certificates. It removes the ability to allow certificates on sites using a certificate issued by local trust anchors that are missing the subjectAlternativeName extension.
  
  As of Chrome M66, we will be deprecating this policy. If a user running Chrome 66 tries to access a site where the certificate isn't allowed, they will see a warning indicating they can't trust the certificate.

 

Corrections

• Previously listed as launching with Chrome 66, SafeBrowsingWhitelistDomains will now launch in Chrome 67. This policy allows you to configure the list of domains Safe Browsing trusts. Safe Browsing won't check for dangerous resources (for example, phishing, malware, or unwanted software) for URLs that match these domains.

 

↑ back to top

Security updates

• Support for TLS 1.3

  This release comes with the latest version of the Transport Layer Security (TLS) protocol (TLS 1.3 draft 23) turned on. Users of Cisco Firepower devices configured to perform TLS man-in-the-middle interception in Decrypt-Resign/SSL Decryption Enabled mode should see Cisco's documentation.

Chrome policies

Changes in this release:

Policy	Notes
AlwaysAuthorizePlugins	This policy was deprecated.
AbusiveExperience InterventionEnforce	Prevent pages with abusive experiences from opening new windows or tabs.
AdsSettingForIntrusive AdsSites	Set whether ads should be blocked on sites with intrusive ads.
DeviceLoginScreenAutoSelect CertificateForUrls	Automatically select client certificates for these sites on the sign-in screen (available on Chrome OS).
DisablePluginFinder	This policy was deprecated.
RestrictAccountsToPatterns	Restrict accounts that are visible in Chrome (available on Android.)
SecondaryGoogleAccountSign inAllowed	Allow multiple sign-in access within the browser (available on Chrome OS).
SecurityKeyPermitAttestation	URLs/domains are automatically permitted direct Security Key attestation.
SpellcheckEnabled	If this policy is on, the user is allowed to use spellcheck.
SpellcheckLanguage	This policy force enables spellcheck languages.
ThirdPartyBlockingEnabled	This policy enables third-party software injection blocking (available on Windows).
UnsafelyTreatInsecureOriginA sSecure	This policy specifies a list of origins (URLs) to be treated as secure context. Learn more about secure contexts.
WebDriverOverrides IncompatiblePolicies	This policy allows users of the WebDriver feature to override policies that can interfere with its operation.

Developer changes

• Ignore <a download> for cross-origin URLs

  To avoid user-mediated information leakage, Chrome starts to ignore the presence of the download attribute on anchor elements with cross-origin attributes. See more details on Chromium.org.

Deprecations

• Mac OS X 10.9 Support 

  Chrome won't support Mac OS X 10.9. Chrome on Mac OS X 10.9 does not autoupdate. If you have Mac OS X 10.9, upgrade to a newer Mac OS.

 

↑ back to top

Security updates

The Chrome Releases Blog lists all the latest Chrome security changes. Chrome 64 also mitigates against speculative side-channel attacks.

• Site isolation improvements  

  With M64, we fixed known issues and made improvements with site isolation.

Enterprise features

• Forced sign-in  

  This feature allows admins to force a user to sign in with their Google account before using Chrome. It ensures Chrome can only be used when under management by cloud-based policies configured in the Admin console. See Force users to sign in to Chrome.

UI changes

• Site muting 

  You can mute/unmute sites by interacting with the tab options or by clicking Lock  to the left of the URL (desktop only). The Sound settings page (for the desktop, chrome://settings/content/sound) lets you add exceptions for individual sites, as well as turn on/off audio for all sites. If you mute a site through this feature, all open tabs for that site are muted.

 

• Stronger pop-up blocker 

  One out of every 5 user feedback reports submitted on Chrome for desktop mention some type of unwanted content. Examples include links to third-party websites disguised as play buttons or transparent overlays on websites that capture all clicks and open new tabs or windows. In this release, Chrome's pop-up blocker now prevents sites with these types of abusive experiences from opening new tabs or windows. Site owners can use the Abusive Experiences Report in Google Search Console to see if any of these abusive experiences have been found on their site and improve their user experience.

• Change to JavaScript dialogs 

  We are changing the way Chrome handles JavaScript dialogs window.alert(), window.confirm(), window.prompt() to improve user experience and better align with other modern browser's behaviors. Background tabs are no longer brought to the foreground when a dialog is triggered. Instead, the tab header shows a small visual indicator.

  Sites can still show browser notifications if permitted by the user or admin. Users can allow browser notifications by interacting with the pop-up permission prompt or changing site permissions. Admins can use the NotificationsAllowedForUrls policy through GPO or the Admin console to list site URLs they want to allow to display notifications to users (for example, calendar.google.com).

Developer changes

• Resize Observer 

  Traditionally, responsive web applications have used CSS media queries or window.onresize to build responsive components that adapt content to different viewport sizes. However, both of these are global signals and require the overall viewport to change in order for the site to respond accordingly. Chrome now supports the Resize Observer API to give web applications finer control to observe changes to sizes of elements on a page.

This code snippet uses the Resize Observer API to observe changes to an element:

const ro = new ResizeObserver((entries) => { for (const entry of entries) { const cr = entry.contentRect; console.log('Element:', entry.target); console.log(`Element size: ${cr.width}px × ${cr.height}px`); console.log(`Element padding: ${cr.top}px / ${cr.left}px`); } }) // Observe one or multiple elements ro.observe(someElement);

• import.meta 

  Developers writing JavaScript modules often want access to host-specific metadata about the current module. To make this easier, Chrome now supports the import.meta property within modules that exposes the module URL via import.meta.url. Library authors might want to access the URL of the module being bundled into the library to more easily resolve resources relative to the module file as opposed to the current HTML document. In the future, Chrome plans to add more properties to import.meta.

Deprecations

• SharedArrayBuffer (M63)

  In line with other browsers, starting on January 5, 2018, Chrome disabled SharedArrayBuffer on Chrome 63. To help reduce the efficacy of speculative side-channel attacks, Chrome will modify the behavior of other APIs, such as performance.now. This is intended as a temporary measure until other mitigations are in place.

• Enable CommonName fallback for local anchors policy (M66)

  Chrome offered the EnableCommonNameFallbackForLocalAnchors policy to give IT admins more time to update their local certificates. As of Chrome 66, targeted for Stable Channel on April 2018, we will start deprecating this policy, which removes the ability to allow certificates on sites using a certificate issued by local trust anchors that is missing the subjectAlternativeName extension. If an end-user running Chrome 66 attempts to access a site where the certificate isn't allowed, they will see a warning that the certificate cannot be trusted.

 

↑ back to top

Security updates

See the latest Chrome security improvements in the Chrome Releases Blog.

• Enabling TLS 1.3 

  TLS 1.3 is enabled starting in Chrome 63. At this time, the only Google service with TLS 1.3 enabled is Gmail, but this expands to the broader web in 2018. End users should not be impacted by this change. If you are aware of any systems that don't work with TLS 1.3, post your feedback in the admin forum. As you prepare for wider use of TLS 1.3, you can configure this policy for network software or hardware in your enterprise that will not transit TLS 1.3 connections. See more information on Chromium.org.

• Support for NTLMv2 authentication protocol 

  Chrome 63 also includes support for NTLMv2 authentication protocol on Mac, Android, Linux, and Chrome OS. We are expanding on a previous release that supported NTLMv2 for Windows. With versions prior to Chrome 63, this must be manually enabled via chrome://flags. In 2018, we set NTLMv2 as the default NTLM protocol. For enterprises that need to extend support for NTLMv1, a new policy is available to allow you to force the older NTLMv1 protocol as needed.

• Site isolation 

  Site isolation is available in Chrome 63. With site isolation enabled, Chrome renders content for each open website in a separate process, isolated from other websites. This can mean even stronger security boundaries between websites than Chrome's existing sandboxing technology. Read more at Manage site isolation.

UI changes

• Material design bookmarks

  Chrome's Bookmarks Manager has now been refreshed with new Material Design UI. Take a look by visiting chrome://bookmarks.

  

Deprecations

 

↑ back to top

Security updates

• Warning for untrusted Symantec certificates

  Chrome 62 introduces a console warning for sites using certificates from Symantec or Symantec brands that may not be trusted in future versions of Chrome. For more information, see this blog post.

Enterprise features

• Change to update-check URL

  We are changing our main update-check URL host on Chrome for desktop from tools.google.com to update.googleapis.com. You might need to update your enterprise's firewall whitelist to the our new update-check URL to ensure that Chrome continues to update. Learn more.

• Manage extensions by permission

  The permission-based management of extensions is a new enterprise-focused set of controls implemented via Chrome policy and used to prevent extensions that request undesirable permissions from running. Example: Set or modify a proxy (proxy), Capture audio/video of the desktop (desktopCapture), etc. Learn more.

UI changes

• Chrome Cleanup tool 

  On Chrome for Windows, the Chrome Cleanup feature alerts users when it detects unwanted software. It offers a quick way to remove the software and return Chrome to its default settings. We recently completed a full redesign of Chrome Cleanup. The new interface is simpler, has a native Chrome interface, and makes it easier to see what software will be removed.

  

• Edit username when saving passwords

  You can now edit your username when prompted to store a password for a website you visit. When you see the pop-up to save a password (or click the key icon in the address bar after signing in to a page), simply click Edit  and make any edits needed.

  

• Introducing Site settings page

  Starting M62, you will see a new Site settings button. The Site settings page provides per-origin permissions, rather than per-permission exceptions.

  

Deprecations

 

↑ back to top

Security updates

To learn about the latest Chrome security changes, see the Chrome Releases Blog.

• Final removal of trust in WoSign and StartCom certificates

  Chrome 61 or later won't trust website authentication certificates issued by WoSign or StartCom. This is the culmination of a multi-release distrust process.

Enterprise features

• Side-by-side Chrome channels on Windows

  Chrome supports multiple release channels with varying degrees of stability and support. Most users browse with the Stable channel of Chrome. In addition to Stable, Google also ships early-access Chrome channels (Dev, Beta) to get early feedback on features and changes, directly from users and developers. Early-access channels allow developers and admins to try cutting-edge features and validate that business critical applications continue to function as Chrome changes.
  
  Currently, you can't install and run Dev or Beta Chrome on the same computer as the Stable version of Chrome. Starting M61, users can install and run Dev, Beta, and Stable versions concurrently on the same Windows computer. For more details, see the blog post.

UI changes

• Material Design for New Tab Page (NTP)

  We applied a modernized Material Design look to the Desktop NTP. The search bar has been updated to a lighter drop-shadow style that is consistent with Google Web Search. Most visited sites has also been updated to use the same lighter style and refined hover, focus, and active states.

  

• New messaging for installing extensions that modify New Tab Page (NTP)

  Extensions can modify the main site shown on a new tab, called the new tab page (NTP). Users often install extensions that modify NTP but aren't fully aware of how their experience will change. Starting in M61, there is a new permission warning shown at extension install time, which will indicate that the extension can change the default NTP to a custom site. The goal of these changes is to improve user awareness about extensions that will change their Chrome defaults, once installed.

Deprecations

To see all of the changes that are in Chrome 61, visit the commit log.

 

↑ back to top

Security updates

Learn more about the latest Chrome security updates in the Chrome Releases Blog.

Enterprise features

• Chrome Enterprise Bundle (May 23, 2017)

  Google announced the release of the Chrome Enterprise Bundle, as well as Chrome Browser support for new platforms: Citrix Xenapp, Terminal Services, and Windows Server platforms. See the announcement.

Deprecations

To see all of the changes in Chrome 60, visit the commit log.

 

↑ back to top

Enterprise features

• Chrome Enterprise Bundle (May 23, 2017)

  Google announced the release of the Chrome Enterprise Bundle as well as Chrome Browser support for new platforms: Citrix Xenapp, Terminal Services, Windows Server platforms. See the announcement.

UI changes

• Material Design comes to Chrome settings

  Chrome Settings has updated to Material Design with a new look with the same ease of use and functionality.
  
  Notable changes:

  • Larger and more prominent search bar
  • New menu icon  to the top left of Settings that gives you an easy way to jump to specific sections, like People, Appearance, and Search Engine
  • Combined and simplified Sign In and People sections
  • Streamlined Content Settings section
  • Search section renamed Search Engine
  • Privacy section renamed Privacy and Security
  • Proxy settings moved under the System section
  • Font sizes and page zoom settings moved to the Appearance section
  • HTTPS/SSL Manage Certificates settings moved under Privacy and Security section

To see all of the changes in Chrome 59, visit the commit log.

 

↑ back to top

UI changes

• Material Design coming soon to the Chrome settings page (59)

  For those already on Chrome's Dev or Canary channels, the Chrome settings (chrome://settings) page has updated to Material Design. The updated design is planned to launch in Chrome 59.

• New desktop welcome page (Windows 10)

  We redesigned Chrome's first-run experience in M58. On Windows 10 platforms, we display a welcome page, which explains how to set Chrome as the default browser or pin it to the Windows taskbar. For Windows 7 and Windows 8 platforms, we display a Material Design page that promotes the Sign in to Chrome feature. This page launched to Mac and Linux during the Chrome 57 release.

Deprecations

• Changes to website certificate handling

  After many years of the practice being discouraged, Chrome 58 removes support for the commonName field in website certificates. Only the subjectAltName extension will be used when matching certificates to host names. The EnableCommonNameFallbackForLocalAnchors policy can be used to re-enable old behavior for locally installed roots. Organizations are strongly encouraged to migrate to modern certificate standards and not rely on the continued presence of this policy.

  Chrome 56 stopped trusting certificates issued by WoSign and StartCom after October 21, 2016 in response to various incidents, and included a whitelist of certificates that would continue to work. Chrome 58 continues reducing the size of that whitelist.

  As a reminder, since Chrome 56, the use of SHA-1 website certificates is no longer supported unless configured via policy: EnableSha1ForLocalAnchors. This policy can be used to re-enable old behavior for locally installed roots, which gives organizations more time to move away from SHA-1 certificates. Chrome strongly encourages organizations to migrate to modern certificate standards and not rely on the continued presence of this policy, because it will be removed in January 2019.

To see all of the changes that are in Chrome 58, visit the commit log.

 

↑ back to top

Security updates

• Form Not Secure warning UI (M56)

  To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. As part of a long-term plan to mark all HTTP sites as non-secure, beginning in January 2017 (Chrome 56), we mark HTTP pages that collect passwords or credit cards as non-secure. Read about Moving toward a more secure web.

• Chrome chip and icon

  Chrome security chip and icon for Chrome internal pages (Settings, History, Downloads...) indicate and verify that page is a secure internal Chrome page.

  

• Extension name chips

  Chrome will begin showing the extension name if the page URL is a chrome-extension:// URL. The extension name is displayed in the same style as security indicator URL-bar strings, but without any animations.

Enterprise features

• Windows roaming profiles support

  We are launching initial support for roaming profiles on Windows. It enables users to have a Chrome Sync experience anywhere they sign in to Windows with their domain accounts if roaming profiles are enabled without the need to sign in to Chrome. For more information, see Using Chrome on roaming user profile.

• Legacy Browser Support: Update 4.7

  Bug fixes and performance improvements from 4.6:

  • Improved window management in Chrome, including proper handling of pop-up windows triggering browsing transition.

  • Fixed issues with link corruption when navigating to an already open Internet Explorer window.

• Migrating capable 32-bit Chrome users to 64-bit Chrome

  To improve stability, performance, and security, users who are currently on the 32-bit version of Chrome and 64-bit Windows with 4 GB or more memory will be automatically migrated to 64-bit Chrome during the Chrome 57 rollout. The 32-bit Chrome will still be available via the Chrome download page.

UI changes

• Revamp first-run and onboarding experience

  We redesigned Chrome's first-run experience in 57. On non-Windows 10 platforms, we display a Material Design page which promotes the Sign in to Chrome feature. For Windows 10, this feature will be launched in the Chrome 58 release.

  

• Requiring explicit user action to enable sideloaded extensions on Mac

  In some instances, Chrome extensions can be bundled with Mac software and added during the software download and installation process.
  
  Extensions that are bundled with Mac applications will be added to Chrome in a disabled state. The user will be prompted to either enable the extension or remove it from Chrome.

  

Deprecations

• chrome://plugins

  The Chrome plugins page was used to allow management of plugin settings within Chrome. But as the web has evolved, there have been fewer plugins to manage over time. In this update, the team moved the controls for the remaining components to a more standard and discoverable location: Chrome's content settings, which can be easily accessed at chrome://settings/content.
  
  A list of where common settings went:

  • Chrome PDF viewer options moved under Privacy  Content settings  PDF documents.
  • Adobe Flash Player options moved under Privacy  Content settings  Flash.
  • Widevine Content Decryption Module (which enables Widevine licenses for playback of HTML audio/video content) can be adjusted under Privacy  Content settings  Protected Content.

• Deprecating insecure certificate types

  Since 56, Chrome has not trusted server certificates that use the insecure SHA-1 hash algorithm if they chain to publicly trusted roots. In Chrome 57, that is also true for enterprise or locally installed roots, unless the EnableSha1ForLocalAnchors policy has been set.
  
  Note that a collision attack has now been demonstrated against SHA-1. This policy should only be enabled after consulting your security team. Read more about setting Chrome policies for devices and SHA-1 Certificates in Chrome.

  Chrome 58 won't consider a certificate's common name when performing trust evaluation and will rely on subject alternative name only, unless the EnableCommonNameFallbackForLocalAnchors policy is set. Turn this policy on only after consulting your security team.

• Distrusting WoSign and StartCom certificates

  Chrome 57 continues to reduce the number of whitelisted sites that can use WoSign or StartCom issued certificates, as Google discontinues trust for these certificates. Learn more in this blog post and on Chromium.org.

To see all of the changes in Chrome 57, visit the commit log.

 

↑ back to top