Chrome Enterprise release notes

Chrome Browser updates

• Drive integration in the address bar

  Rolling out in the coming weeks, users will be able to search for Google Drive files that they have access to from the address bar. Their input will search through both titles and document contents and the most relevant documents based on their history will appear.
  
  
  This behavior is on by default and can be controlled with the "Google Drive search suggestions" setting in the G Suite admin console.

• Flags are being cleaned up starting in Chrome 78

  Many flags in chrome://flags will be removed in upcoming Chrome versions, starting with Chrome 78. As a reminder, don’t use flags to configure Chrome Browser because they’re not supported. Instead, configure Chrome Browser for your enterprise or organization using policies.

• Shared clipboard between computers and Android devices

  A limited number of users might see the option to share their clipboard content between their computers and Android devices. To share, they need to have Chrome installed, sign in on both devices with the same account, and enable Chrome Sync.
  
  The text is end-to-end encrypted, and Google can’t see the contents.
  
  This functionality will be released to all users in a future version of Chrome. In the full release, admins will be able to control it with an enterprise policy.

• Forward a call from Chrome Browser to your Android device

  Users will now be able to highlight and right-click a phone number link in Chrome Browser and forward the call to their Android device.

• Chrome Renderer Integrity protects users

  Chrome Renderer Integrity is on by default for users on Microsoft® Windows® 10 version 1511 and later. It prevents unsigned modules from loading in Chrome Browser’s renderer processes that deal with user content to prevent certain types of malicious attacks.

  Note: There is a known incompatibility between Chrome Renderer Integrity and old versions of Symantec® Endpoint Protection® (14.0.3929.1200 and earlier). We recommend updating to the latest version of Symantec Endpoint Protection (14.2 or later). For a download of the latest version or more details, refer to the Symantec documentation. To help with any incompatibilities, you can temporarily disable Chrome Renderer Integrity using the RendererCodeIntegrityEnabled policy.

• Atomic policy groups introduced

  Some admins set policies from multiple sources, but need policies that are tightly coupled to all be set together. For example, you might want all of your extension management policies to be applied from the same source to ensure they're working together as planned.
  
  To achieve this, some policies have been regrouped based on atomic policy groups. You can enable atomic policy groups using PolicyAtomicGroupsEnabled. If you do, policies in a single group will all be forced to set their behavior from the same source—the one with the highest priority.
  
  You can see whether there are any conflicting policies from different sources at chrome://policy. If you have multiple policies in the same policy group from different sources, this feature will affect them. For more details, see Atomic Policy Groups and Understand Chrome policy management.

• ExtensionAllowInsecureUpdates policy is no longer supported

  From Chrome 78, the policy to allow extensions to update using the previous CRX2 packaging will no longer work. All extensions will need to be packaged in the new CRX3 format to ensure secure delivery of updates to your browsers and devices.

• Windows 8-specific welcome page removed

  We have removed the Windows 8-specific welcome page, along with support for the distribution.suppress_first_run_default_browser_prompt master_preferences setting. For more about master preferences, see Use master preferences for Chrome Browser.

• Legacy Browser Support is integrated; the extension is no longer required

  We have integrated Legacy Browser Support functionality directly into Chrome. As a result, you no longer need the Legacy Browser Support extension and no further updates will be provided for the extension. Admins can deploy the integrated version of the Legacy Browser support policy and manage it either through GPO or Chrome Browser Cloud Management’s User Settings.

• Update to Chrome 78

  On October 31, we communicated a known vulnerability in Chrome 78. This previous version of Chrome has now been updated to 78.0.3904.87, which resolves the issue. As always, you should ensure Chrome is updated and is running on an updated operating system.

Chrome OS updates

• Virtual Desks

  Virtual Desks will arrive on Chrome OS in Chrome 78. Users can now create up to 4 separate work spaces to help them focus on a single project or quickly switching between multiple sets of windows. Users can create their first desk by opening Overview  and tapping New Desk.

• Wake from sleep on USB attach for docking use cases
  
  Chromebook users in an office or home office environment often use some combination of peripherals along with a USB-C+Display docking station to work more productively.  This feature will make the transition from sleeping mode directly into a docked mode with external monitors smooth for the user, removing the requirement to wake by lid open.

• Crostini backup & restore

  Users of Linux apps on a Chromebook can now easily back up all of their apps and files. The backup can be saved to their Chromebook’s local storage, an external drive, or Google Drive. They can then restore that backup on the same machine to return to a previous state or on a different machine to bring their whole workspace with them.

• Crostini GPU support on by default

  Linux apps will now be able to use the GPU to provide a crisp, lower-latency experience.

• Crostini IME/VK warning

  Linux apps do not yet support certain input methods (IMEs) or the virtual keyboard when in tablet mode. This feature will display a message warning if users if they try to use a Linux app with an unsupported input method or the virtual keyboard.

• Files app Visual Signals UX update

  We have implemented visual improvements to the Files app progress center, moving the information from the lower left-hand corner to a feedback area in the main window of the app. If appropriate, Admins should update their internal support documentation to reflect the new UI.

• Update printer setting landing page UI

  The printer settings page has been updated to streamline the printer setup experience. Users can now view available printers on the landing page and save printers (compatible with IPP/IPPS) with one click.

• ChromeVox Dynamic Rich Text Output

  There is now an option in ChromeVox that supports the ability to announce text styling.  Users have the ability to enable and disable this feature through the ChromeVox Options page.

• Chrome OS and Chrome Browser settings split

  Settings on Chrome OS now have a more native OS settings experience housed in the Settings app (available through App Launcher or  in the Quick Settings menu), with Chrome Browser settings available through More in the top-right corner of the app (or at chrome://settings in the address bar). If you block Chrome Browser settings by URL (chrome://settings), you might also want to block the new URL for Chrome OS settings (chrome://os-settings).

• YouTube Picture in Picture on ARC++

  Picture in Picture (PiP) is now available with the YouTube Android app. This allows users to watch a video while doing other tasks, such as taking notes during a meeting.

New and updated policies (Chrome Browser and Chrome OS)

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• Trial of autoupgrade for DNS-over-HTTPS in Chrome 79

  The DNS requests of some users will autoupgrade to their DNS provider’s DNS-over-HTTPS (DoH) service if available. During this trial, DoH will be disabled by default for managed devices running Chrome OS and for desktop Chrome Browser instances that are domain joined or have at least one active policy.
  
  You can disable DNS-over-HTTPS for your users with the DnsOverHttpsMode policy. Setting it to "off" will ensure your users are not affected by DoH.

• Users warned if credentials are leaked in Chrome 79

  We will notify users if their credentials are part of a known data breach. The system can detect this without sending plain-text passwords to Google. You will be able to enable or disable this feature using the PasswordLeakDetectionEnabled policy.

• New policy for controlling memory will be introduced in Chrome 79

  We’ll introduce a new policy to give admins more control over Chrome's memory usage. It configures the amount of memory that a single Chrome instance can use before starting to discard background tabs. When discarded, the memory used by the tab is freed, and the user will have to reload the tab when switching to it. If the policy is set, Chrome will begin to discard tabs to save memory once the user exceeds the limit. However, there is no guarantee that the browser is always running under the limit. (For example, the active tab is never discarded.) Any value under 2,048 will be rounded up to 2,048. If this policy is not set, the browser will only attempt to save memory after it has detected that the amount of physical memory on its machine is low (available on Windows and Mac).

• Tab freezing will be introduced in Chrome 79 on the desktop

  Chrome 79 will introduce a new feature to save memory, CPU, and battery for Windows, Mac, Linux, and Chrome OS. Tabs that have been in the background for 5 minutes or more will be frozen, as long as Chrome detects that they are freezable (such as not playing audio). Frozen pages are not able to run any tasks. Web developers can opt their pages out of freezing with an origin trial.
  
  You will be able to disable this behavior with the TabFreezingEnabled policy.

• New Chrome UI for legacy TLS versions in Chrome 79 and Chrome 81

  Chrome recently announced our updated plans around our deprecation and planned removal of legacy TLS versions (TLS 1.0 and 1.1). Starting on January 13, 2020 in Chrome 79, we will mark sites that use TLS 1.0 or 1.1 as "Not Secure" and no longer show the lock icon for them.
  
  In Chrome 81, we will start showing a full-page interstitial warning telling users that the connection is not fully secure.
  
  If enterprise users have sites affected by these changes and need to opt out, admins can use the existing SSLVersionMin policy to disable the security indicator and interstitial warning on all affected sites. Admins should set it to "tls1" to allow TLS 1.0 and later without additional warnings. This policy will work until January 2021.

• CORS implementation will be more secure in Chrome 79

  We will switch CORS implementation to be more secure and strict. As a result, the following behavior changes will be introduced:
  
  Behavior changes on Extensions’ webRequest API — Before this change, extensions that have the webRequest permission can modify any network request headers and they’re ignored by CORS protocol. But after Chrome 79, the CORS protocol inspects modified headers and will trigger CORS preflight request to the destination servers when the modified request doesn’t meet the SimpleRequest requirement. Response header modifications also couldn’t deceive the CORS checks. Additionally, webRequest API will stop seeing Origin header. Extensions can specify ‘extraHeaders’ in opt_extraInfoSpec to keep the original behaviors. If enterprise users are using a Chrome extension that’s affected by this change, one of the following changes will need to be made:

  • Ask the Extension author to upgrade the extension to specify ‘extraHeaders’ in opt_extraInfoSpec.

  • Update the server-side logic to accept the CORS requests correctly. See the Extensions API document for more details.

  Behavior changes for headers injected by Chrome — Before this change, headers injected by Chrome for a particular enterprise policy didn't trigger the CORS protocol. But after this change, it will start to be verified by the CORS protocol and will trigger CORS preflight requests. Server implementations might need to be updated to handle CORS preflight requests.

• Shared clipboard between computers and Android devices in Chrome 79

  Users will have the option to share their clipboard content between their computers and Android devices. To share, they need to have Chrome Browser installed, be signed in on both devices with the same account, and have Chrome sync enabled.
  
  The text is end-to-end encrypted, and Google can’t see the contents. This feature will be controllable with an enterprise policy.

• Audio sandbox in Chrome 79

  The audio service on Windows will be sandboxed in Chrome 79 for added security. We have seen incompatibilities with certain configurations of AppLocker in Chrome 77, although these have been fixed in Chrome 78. Other similar products might also have issues with the sandbox. If your users have issues with audio playing in Chrome 79, you can disable the audio sandbox with the AudioSandboxEnabled policy.

• HTTPS pages will only be able to load secure subresources, with changes from Chrome 79 to Chrome 81

  In Chrome 79, we’ll introduce a new setting to unblock mixed content on specific sites. This setting will apply to mixed scripts, iframes, and other types of content that Chrome currently blocks by default. Users can switch this setting by clicking on any https:// page and clicking Site Settings.

  In Chrome 80, mixed audio and video resources will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Users can unblock affected audio and video resources with the setting described above. Also in Chrome 80, mixed images will still be allowed to load, but they will cause Chrome to show a “Not Secure” chip in the omnibox.

  In Chrome 81, mixed images will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://.

  More information on these changes is available in the Chromium blog.

• On Linux, server certificate verification will use the built-in certificate verifier instead of NSS, starting in Chrome 79

  Chrome on Linux will perform verification of server certificates using the built-in certificate verifier instead of NSS, starting in Chrome 79.  The built-in verifier will still use the NSS trust store, so we expect that users won’t see this change change. However there are some cases where differences might occur:

  • Certificates with invalid encodings: The built-in verifier is stricter about enforcing spec compliance and might reject some certificates that NSS allowed. This should not affect any publicly trusted certificates, but might affect enterprises with internal PKIs.
  • Directly trusted end-entity (leaf) certificates: The built-in verifier does not support directly marking server certificates as trusted; certificates must be issued by a CA that is trusted.
  The verifier can be toggled using the BuiltinCertificateVerifierEnabled enterprise policy, allowing affected enterprises a chance to update their certificate infrastructure if they are affected by the transition. The policy will be supported through Chrome 82 on Linux to give enterprises sufficient time to update and test their infrastructure. Chrome OS switched to the built-in verifier in Chrome 77, and the policy will be supported on that platform through Chrome 80.
• Ambient authentication disabled by default in Incognito mode in Chrome 80

  Ambient authentication (NTLM/Kerberos) will be disabled by default in Incognito mode. You will be able to use a policy to revert to the old behavior and allow ambient authentication.

• Pop-ups and synchronous XHR requests not allowed on page unload in Chrome 80

  Note: These changes were originally planned for Chrome 78.
  
  Pop-ups and synchronous XHR requests won’t be allowed on page unload. This change will improve page load time and make code paths simpler and more reliable. If you encounter incompatibilities with legacy software, you will be able to revert to behavior matching Chrome 79 and earlier using the following policies, which will be available until Chrome 82:

  • Allow pop-ups on page unload: AllowPopupsDuringPageUnload
  • Allow synchronous XHRs on page unload: AllowSyncXHRInPageDismissal
     
• FTP support will be removed in Chrome 80

  FTP won’t be directly supported in Chrome Browser. Your users should use a native FTP client instead. To help with the transition, you will be able to use the FTPProtocolSupport policy to temporarily re-enable FTP until Chrome 82.

• TLS 1.3 hardening measure implemented in Chrome 81

  TLS 1.3 includes a hardening measure to strengthen the protocol’s protections against a downgrade to TLS 1.2 and earlier. This measure is backward-compatible and does not require that proxies support TLS 1.3. It only requires that proxies correctly implement TLS 1.2. However, last year, we had to partially disable this measure due to bugs in some non-compliant, TLS-terminating proxies.
  
  The following list contains the minimum firmware versions for affected products that we're aware of:
  
  Palo Alto Networks:

  • PAN-OS 8.1 must be upgraded to 8.1.4 or later
  • PAN-OS 8.0 must be upgraded to 8.0.14 or later
  • PAN-OS 7.1 must be upgraded to 7.1.21 or later
  
  Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):
  • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later
  • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later
  • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later
     

  Starting in Chrome 79, you will be able to opt in to the new measure to test it and confirm if your proxy is affected, using the TLS13HardeningForLocalAnchorsEnabled policy. If you encounter problems, you should upgrade affected proxies to fixed versions.

  Starting in Chrome 81, the new measure will become the default. However, you will be able to use the same policy to opt out if you need extra time to upgrade affected proxies. This proxy will be available until Chrome 86.

• Updates to cookies with SameSite in Chrome 80

  Starting in Chrome 80 on the Stable channel, cookies that don't specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None. The attributes must also be marked Secure and delivered over HTTPS.
  
  This new behavior will also take effect in Chrome 79 on the Beta channel only. Because this change might be disruptive, we recommend you test critical sites on the Chrome 79 Beta channel, which will be available starting Oct. 31. See instructions for testing.
  
  You will be able to revert to the legacy cookie behavior using policies, starting in Chrome 79 in Beta. You can specify trusted domains using LegacySameSiteCookieBehaviorEnabledForDomainList or control the global default with LegacySameSiteCookieBehaviorEnabled. For more details, visit Cookie Legacy SameSite Policies.

• Tab groups will be introduced in Chrome 80
  
  Users will be able to organize their tabs by grouping them on the tab strip. Groups can have colors and names. They’ll help your users keep track of their different tasks and workflows.

• Web Components v0 removed in Chrome 80

  The Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were supported only by Chrome Browser. To ensure interoperability with other browsers, late last year, we announced that these v0 APIs were deprecated and will be removed in Chrome 80. You can find more information in the Web Components update.

Upcoming Chrome OS changes

• Adding print server support for CUPS

  We’re working on a feature to add support for Common UNIX Printing System (CUPS) printing from print servers on Chrome OS. You and your users will be able to configure connections to external print servers and print from the printers on servers using CUPS.

• Updates for USB devices with Linux

  From the Chrome shell (crosh), you’ll be able to attach a USB device to Linux apps running on a Chromebook so that Linux apps can access the Linux instance.

Upcoming Google Admin console changes

• Managed guest session support for managed Google Play

  A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

  Device host name in DHCP requests

  You will be able to configure the device host name used during DHCP requests, including variable substitutions for ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, and ${MACHINE_NAME}.

Admin console updates

• Faster and simpler Admin console for Chrome Enterprise

  We’ve rolled out a major redesign of the Google Admin console for Chrome Enterprise administrators.  Expect to see improvements in page load times, a new unified app-management page for managing Android, Chrome, and web apps together, and many new policies. For details, see the Admin Insider blog.

• Prevent password reuse

  In the Admin console, you can now specify the URL where users are redirected to change their password if they reuse it on a non-whitelisted website or are a victim of phishing. If this policy is unset, users are directed to their Google Account sign-in page to change their password. For details, see Prevent password reuse and read more in our white paper.

• New default policies for printing (CUPS)

  New native print policies help you manage your users’ printing options more closely—set defaults and restrictions on duplex and color.

• Unified native printer management (CUPS)

  Use a new interface for managing thousands of native (CUPS-based) printers for users, devices, and managed guests. The 20-printer maximum cap has been raised to allow for thousands of printers for each organizational unit in the Google Admin console. Support has also been extended beyond user policy to include device and managed guest policy.

Chrome Browser updates

• Site isolation improvements

  Chrome Browser now protects cross-site data, such as cookies and HTTP resources, in attacker-controlled websites. Site isolation works even if an attacker finds a bug in an untrusted renderer process and tries to execute arbitrary code in it.
  
  Site isolation will also now be enabled on some Android devices to protect websites and data where mobile users enter passwords.

• Legacy Browser Support updates

  You can now define the URL of an XML file that will never trigger a browser switch using the BrowserSwitcherExternalGreylistUrl policy with Legacy Browser Support. You can also use the new chrome://browser-switch/internals page to verify that Legacy Browser Support rules are being followed. Please try it out and send feedback.

• The First Run Experience has been updated

  Chrome Browser now has a new flow to welcome users, get them set up with popular Google services, and set a default web browser. You can disable the new flow with the PromotionalTabsEnabled policy.

• Launch guest browsing by default

  You can now immediately launch Chrome Browser in guest browsing mode using the --guest command line flag or the new BrowserGuestModeEnforced policy. With guest browsing, browsing activity is not written to the disk and does not persist between browser sessions.

Chrome OS updates

• More secure built-in certificate verifier

  Updates to the certificate verifier now provide better isolation of trust settings between different contexts. Users with valid certificates should not have any issues. In rare instances, the legacy Network Security Services (NSS) implementation tolerated some classes of invalid certificates which are now no longer tolerated. You can issue new, valid certificates or contact Chrome Enterprise support for help. 

• User account and file name in IPP Header

  If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header over a secure IPPS connection. This added functionality will provide additional information about a print job that enables third-party printing features, such as secure printing and print-usage tracking. 

• Automatic shutdown after extended standby

  With Linux kernel 4.4 and later, devices will automatically go from standby to shutdown after 3 days to increase battery life. To find the kernel version, go to chrome://system and search for uname. The kernel version is the first set of digits. 

• HD copy-protected content support for ARC++ apps

  In Android apps, you can now play high-definition (HD) copy protected HDMI 1.4 content. This update is useful for externally connected displays, such as televisions. 

• Volume control based on orientation for convertibles

  On devices running Chrome OS, the volume button on the top or right will always increase the volume, whether the device is in laptop mode or tablet mode. 

• Chromebook accessibility enhancements with Automatic Clicks

  Automatic Clicks remove the need to physically click the touchpad or mouse. Instead, you can point to an  item and the Chromebook will click, right-click, left-click, or drag for you after a certain amount of time. With Chrome 77, you can now point to an item and the device will automatically scroll up, down, left, or right. For details, see Turn on Chromebook accessibility features. 

• Enhanced formatting support of external drives

  When formatting a FAT32, exFAT, or NTFS external drive, users will now be able to pick a file system and label for their drive. 

• Chrome OS file selector now the default for Android apps

  For a consistent user experience, Android apps now open the Chrome OS file selector. This change provides a consistent file-selection experience across apps. 

New and updated policies (Chrome Browser and Chrome OS)

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• G Suite add-ons and extensions moving to G Suite Marketplace

  In the coming weeks, all G Suite apps and extensions will be moved from the Chrome Web Store to the G Suite Marketplace. Developers need to migrate their unmigrated add-ons so that new users can install them. Existing users can continue to use unmigrated add-ons. However, if they uninstall Google Docs Editor add-ons or Google Drive apps, they will not be able to reinstall them. And, if an existing user creates a template with one of the add-ons, users who do not already have the add-on installed will not be able to use the add-on in the template. Have your developers review the background and what they need to do. To check whether an add-on has been migrated, search for it in the G Suite Marketplace. For details on the move to the G Suite Marketplace, see the Google Cloud blog.

• ExtensionAllowInsecureUpdates policy will stop working in Chrome 78

  The policy to allow extensions to update using the previous CRX2 packaging will stop working in Chrome 78, as previously communicated. In Chrome 78, all extensions must be repackaged into the new CRX3 format to ensure secure delivery of updates to your browsers and devices. 

• Trial of auto-upgrade for DoH in Chrome 78

  Starting in Chrome 78, the DNS requests of some users will auto-upgrade to their DNS provider’s DNS-over-HTTPS (DoH) service if available. DoH will be disabled by default for managed devices running Chrome OS and for desktop Chrome Browser instances that are domain joined or have at least one active policy. A new group policy, DnsOverHttpsMode, will also be available. Setting it to "off" will ensure users are not affected by DoH.

• Pop-ups and synchronous XHR requests not allowed on page unload in Chrome 78

  Starting in Chrome 78, pop-ups and synchronous XHR requests will not be allowed on page unload. This change will improve page load time and make code paths simpler and more reliable. While disruption is expected to be minimal, you will be able to revert to behavior matching Chrome 77 and below using the following policies, which will be available until Chrome 82:

  • Allow popups on page unload: AllowPopupsDuringPageUnload
  • Allow synchronous XHRs on page unload: AllowSyncXHRInPageDismissal

• Flags will be cleaned up starting in Chrome 78

  Many flags in chrome://flags will be removed in upcoming Chrome versions, starting with Chrome 78. As a reminder, flags should not be used to configure Chrome Browser because they’re not supported. Instead, configure Chrome Browser for your enterprise or organization using policies.

• Atomic policy groups introduced in Chrome 78

  To ensure predictable behavior from policies that are tightly coupled together, some policies will be regrouped based on atomic policy groups. If you enable atomic policy groups,  policies in a single group will all be forced to set their behavior from the same source—the one with the highest priority.
  
  If you set policies from multiple sources, such as the Admin console and the Group Policy Management Editor, you will be able to enable atomic policy groups in Chrome 78. You can also see if there are any conflicting policies at chrome://policy. If you have multiple policies in the same policy group from different sources, they will be affected by this change. For more details, see Atomic Policy Groups and Understand Chrome policy management.

• Users warned if credentials are leaked in Chrome 78

  Beginning in Chrome 78, users will be notified if their credentials are part of a known data breach. This detection occurs without plain-text passwords being sent to Google. You will be able to enable or disable this feature using the PasswordLeakDetectionEnabled policy.

• Chrome Renderer Integrity to protect users in Chrome 78

  In Chrome 78, Chrome Renderer Integrity will be enabled by default for users on Microsoft® Windows® 10 version 1511 and later. It prevents loading of unsigned modules in Chrome Browser’s renderer processes that deal with user content to prevent certain types of malicious attacks.
  
  Note: There is a known incompatibility between Chrome Renderer Integrity and old versions of Symantec® Endpoint Protection® (14.0.3929.1200 and below). We recommend updating to the latest version of Symantec Endpoint Protection (14.2 or above). For a download of the latest version or more details, refer to the Symantec documentation. To help with any incompatibilities, you can temporarily disable Chrome Renderer Integrity.

• Send a call from Chrome Browser to your Android device in Chrome 78

  In Chrome 78, users will be able to highlight and right-click a phone number link in Chrome Browser and send the call to their Android device.

• Windows 8-specific welcome page removed in Chrome 78

  The Windows 8-specific welcome page will be removed in Chrome 78. Support for the distribution.suppress_first_run_default_browser_prompt master_preferences setting will be removed as well. For more about master preferences, see Use master preferences for Chrome Browser.

• Ambient authentication disabled by default in Incognito mode in Chrome 79

  Starting in Chrome 79, ambient authentication (NTLM/Kerberos) will be disabled by default in Incognito mode. You will be able to use a policy to revert to the old behavior and allow ambient authentication.

• FTP support removed in Chrome 80

  Beginning in Chrome 80,  FTP will not be directly supported in Chrome Browser. Your users should use a native FTP client instead. To help with the transition, you will be able to use the FTPProtocolSupport policy to temporarily re-enable FTP until Chrome 82.

• TLS 1.3 hardening measure implemented in Chrome 80

  TLS 1.3 includes a hardening measure to strengthen the protocol’s protections against a downgrade to TLS 1.2 and earlier. This measure is backward-compatible and does not require that proxies support TLS 1.3. It only requires that proxies correctly implement TLS 1.2. However, last year, we had to partially disable this measure due to bugs in some non-compliant, TLS-terminating proxies.
  
  Starting in Chrome 78, you will be able to opt in to the new measure to test it and confirm if your proxy is affected. The following list contains the minimum firmware versions for affected products that we're aware of:
  
  Palo Alto Networks:

  • PAN-OS 8.1 must be upgraded to 8.1.4 or later
  • PAN-OS 8.0 must be upgraded to 8.0.14 or later
  • PAN-OS 7.1 must be upgraded to 7.1.21 or later
  
  Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):
   
  • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later
  • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later
  • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later

  
  You should upgrade affected proxies to fixed versions.

  Starting in Chrome 80, the new measure will become the default. However, you  can use a policy to opt out if you need extra time to upgrade affected proxies.

• Updates to cookies with SameSite in Chrome 80

  Starting in Chrome 80, cookies that do not specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None. The attributes must also be marked Secure and delivered over HTTPS. We will provide policies if you need to configure Chrome Browser to temporarily revert to legacy SameSite behavior.

• Web Components v0 removed in Chrome 80

  The Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were supported only by Chrome Browser. To ensure interoperability with other browsers, late last year, we announced that these v0 APIs were deprecated and will be removed in Chrome 80. You can find more information in the Web Components update.

• Drive integration in the address bar

  In the future, users will be able to search for Google Drive files that they have access to from the address bar. If you have G Suite Business, Enterprise, or Enterprise for Education, you can apply for the beta program. For more details and to apply, see Search Google Drive files in Chrome URL bar BETA.

Upcoming Chrome OS changes

• Chrome OS and Chrome Browser settings split in Chrome 78

  Starting in Chrome 78, Chrome OS settings will be in a new window and use a new URL that’s separate from Chrome Browser settings. If you block Chrome Browser settings by URL (chrome://settings), you might also want to block the new URL for Chrome OS settings, which is chrome://os-settings.

• Adding print server support for CUPS

  We’re working on a feature to add support for Common UNIX Printing System (CUPS) printing from print servers on Chrome OS. You and your users will be able to configure connections to external print servers and print from the printers on servers using CUPS.

• Updates for USB devices with Linux

  From the Chrome shell (crosh), you’ll be able to attach a USB device to Linux apps running on a Chromebook so that Linux apps can access the Linux instance.

Upcoming Google Admin console changes

• Managed guest session support for managed Google Play

  A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

• Device host name in DHCP requests

  You will be able to configure the device host name used during DHCP requests, including variable substitutions for ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, and ${MACHINE_NAME}.​

Chrome Browser updates

• Flash blocked by default in Chrome 76

  As communicated in the Chromium Flash Roadmap, Adobe^® Flash^® will be blocked by default in Chrome 76. Administrators can manually switch back to ASK ("Dialog to Ask first before running Flash") before running Flash. This change won’t impact existing policy settings for Flash. IT admins can still control Flash behavior using DefaultPluginsSetting, PluginsAllowedForUrls, and PluginsBlockedForUrls. For more details, see the Flash Roadmap.

• All privately hosted extensions must be packaged with CRX3 format in Chrome 76.

  This change was originally planned for Chrome 75, but we delayed it to Chrome 76 to allow more time for customer transition. It was originally announced in the Chrome 68 release notes.
  
  CRX2 uses SHA1 to secure updates to a Chrome extension. Breaking SHA1 is technically possible, which allows attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.
  
  Starting with Chrome 76, all force-installed extensions will need to be packaged in the CRX3 format. For details on temporarily enabling CRX2, see ExtensionAllowInsecureUpdates. This policy is only meant to provide extra time to repackage extensions, and will stop working in Chrome 78. For the CRX2 deprecation timeline, see Chromium.
  
  Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions or third-party extensions hosted outside of the Chrome Web Store that are packaged in CRX2 format, the extensions will stop updating in Chrome 76 and new installations of the extension will fail. 

• A new page for documenting enterprise policies is available

  Chrome's policies are now listed on a new Chrome Enterprise policy list. This documentation allows you to filter by platform and Chrome version to see which policies are available for your fleet.
  
  
   

• A new layout engine is being used

  LayoutNG is a new layout engine with several improvements such as:

  • Improved performance isolation
  • Better support for scripts other than Latin
  • Many issues around floats and margins fixed
  • Numerous web-compatibility issues fixed

  Although the impact to the user should be minimal, LayoutNG changes some behavior in very subtle ways, fixes hundreds of tests, and improves compatibility with other browsers. Despite our best efforts, it is likely that this will cause some sites and applications to render or behave slightly differently.

  If you suspect that WNG caused a website to break, please file a bug report, and we'll investigate.

• Site isolation enforced in Chrome 76

  In Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out if users encountered an issue. We’ve resolved the reported issues. Starting with Chrome 76, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms (including Chrome OS). On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

• --disable-infobars is no longer supported

  Chrome will no longer support the --disable-infobars flag, which was used to hide pop-up warnings from Chrome Browser. To support automated testing, kiosks, and automation, the CommandLineFlagSecurityWarningsEnabled policy was added to allow you to disable some security warnings.

• Policies with a dictionary value type can be merged 

  In Chrome 76, you can merge policies that take a dictionary of values set from multiple sources, including the cloud and by platform and Active Directory. Without this policy, if different sources conflict, only the dictionary from the highest priority source will have an effect. For details, see PolicyDictionaryMultipleSourceMergeList.

• Legacy Browser Support has been improved
  A new page at chrome://browser-switch/internals makes it easier to debug and troubleshoot Legacy Browser Support. We also fixed a bug where LBS wouldn't switch during the first minute of a browser session (when using XML site lists).

• New version of the On-Prem Chrome Reporting Extension
  Version 2.0 of the Chrome Reporting Extension will soon ship in the Chrome Web Store. Download the corresponding native component MSI.
  
  If you have user browsing data reporting turned on, you will start seeing a new piece of data for each visited site: "legacy_technologies." It’s an array of strings that will initially contain one value, "Flash." This means this site requires Adobe Flash and might soon stop working correctly (see paragraph above). Future releases will list other obsolete web technologies such as Java Applets, Silverlight, and more.
  
  The output file has changed from a single file called chrome_reporting_log.json to a daily rotated file with file name in the format chrome_reporting_log_YYYY_MM_DD.json. This will make it simpler to manage the disk usage of the application and clear obsolete data.

• “https” scheme and “www” subdomain will be hidden

  To make URLs easier to read and understand, and to remove distractions from the registrable domain, we will hide URL components that are irrelevant to most Chrome users. We will hide the “https” scheme and the special-case subdomain “www” in Chrome omnibox on Chrome desktop and Chrome-on-Android. After the site loads, the full URL can still be revealed by clicking twice in the URL bar (desktop) or tapping once (mobile).

  The Chrome team has also worked to build a Chrome extension to help power users recognize suspicious sites and report them to Safe Browsing. Power users can use this extension to display the full URL with no scheme or subdomain hiding, and report suspicious sites to Safe Browsing.

Chrome OS updates

• Enhancements to automatic clicks accessibility feature

  Chromebooks have had a feature called Automatic clicks in accessibility settings for years, which has given users with motor and dexterity challenges the ability to hover over an item and have Chrome OS click it (without pressing the touchpad or mouse). In Chrome OS version 76, we have expanded this feature to not only be able to click, but also right-click, double-click, and click and drag by simply hovering. 

• Built-in FIDO security key is now supported

  In this release, most latest-generation Chromebooks will gain support for built-in FIDO security keys backed by the Titan M chip. This feature is disabled by default, but an admin can enable the built-in security key by changing the Chrome OS policy called DeviceSecondFactorAuthentication to U2F.

• Account consistency between the Chrome content area and the ARC++ container

  We are rolling out a single sign-on experience for Chrome and Android applications on Chrome OS over several weeks, beginning August 21, 2019, to simplify user management of Google Accounts on Chrome OS. We added a new section to Settings: "Google Accounts."
  
  From here, a user can manage all signed-in Google Accounts. This includes reauthenticating or removing some secondary accounts and adding others. Attempts to add secondary accounts from Chrome or ARC++ will be redirected to this unified flow. Users that previously had a secondary account signed in to Chrome or ARC++ will need to reauthenticate following the update, which will add their account to Account Manager.

Admin console updates

• Updates to the Chrome device list and device details
  • Search and filter devices and organizational units directly from the device list.
  • Customize your preferred view with auto-update expiration date, Chrome OS version, and device model.
  • Long-running tasks such as screenshot, log capture, and reboot will now complete in the background, so you don’t need to wait for them

New and updated policies (Chrome Browser and Chrome OS)

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• Flags will be cleaned up from chrome://flags, starting in Chrome 77

  Many flags in chrome://flags will be removed in upcoming Chrome versions, starting with Chrome 77. You shouldn’t use flags to configure Chrome Browser because they’re not supported. Instead, configure Chrome Browser for your enterprise or organization using policies.

• Atomic policy groups will be introduced in Chrome 77

  To ensure predictable behavior from policies that are tightly coupled together, some policies will be regrouped based on atomic policy groups. These groups ensure that all applied policies from a single group come from the same source—the one with the highest priority—to prevent unpredictable behavior when mixing policies from multiple sources. The order of precedence for Chrome Policies is documented here. 

  This may be a breaking change if you set GPOs from multiple sources (e.g. the Admin Console and via Windows Group Policy). You can check if any GPOs are in conflict by visiting chrome://policy in Chrome browser. If you have multiple policies in the same policy group from different sources, update your policies to ensure that all policies in a given policy group come from the same source.

• The First Run Experience will be updated in Chrome 77

  Chrome 77 will no longer show the single page welcome. It will instead have a new flow to welcome users, get them set up with popular Google services, and set a default web browser. The same policy that was used to disable the previous First Run Experience can be used to disable the new flow: PromotionalTabsEnabled. 

• It will be possible to make guest browsing the default in Chrome 77

  You will be able to set Chrome to launch immediately into guest mode by using a --guest command line flag or a new policy called BrowserGuestModeEnforced. In this mode, your users won't see or change any other Chrome profile. When they exit guest browsing, their browsing activity is deleted from the computer.

• Merge policies with dictionary of values in Chrome 76

  In Chrome 76, you can merge policies that take a dictionary of values set from multiple sources, including the cloud and by platform and Microsoft^® Active Directory^®. Without this policy, if different sources conflict, only one dictionary will have an effect. For details, see PolicyDictionaryMultipleSourceMergeList.

• Experiment for DNS-over-HTTPS (DoH) in Chrome 78

  Starting in Chrome 78, the DNS requests of some users will autoupgrade to DNS-over-HTTPS if they are using a DNS provider that supports it. This is part of ongoing work to bring secure DNS options to Chrome. Individual users can opt out by disabling this experiment at chrome://flags. Admins can opt out their enterprise from this experiment by policy. Instructions will be provided in a future Chromium blog post and release notes.

• Pop-ups and synchronous XHR requests will not be allowed in Chrome 78

  Starting in Chrome 78, pop-ups and synchronous XHR requests will not be allowed on page unload to improve page load time and make code paths simpler and more reliable. Admins will be able to revert to the old behavior using enterprise policies, which will be available until Chrome 82.

• Ambient authentication will be disabled by default in Incognito sessions in Chrome 79
  Starting in Chrome 79, ambient authentication (NTLM/Kerberos) will be disabled by default in Incognito sessions. Admins will be able to revert to the old behavior, allowing ambient authentication using an enterprise policy.

• Cookies with SameSite by default, and Secure SameSite=None cookies in Chrome 80
  Starting in Chrome 80, cookies that do not specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None. They must also be marked Secure and delivered over HTTPS. Policies will be made available for enterprises that need to configure Chrome to temporarily revert to legacy SameSite behavior.

• Drive integration in the address bar

  Soon, users will be able to search for Google Drive files that they have access to from the address bar. If you have G Suite Business, Enterprise, or Enterprise for Education, you can apply for the beta program.

  

• Extension User Data Policy Updated
  As part of Project Strobe, Google is updating its User Data Policy, and these changes go into effect starting October 15, 2019. For more information, see the blog post.

  • We’re requiring extensions to only request access to the least amount of data. While this has previously been encouraged for developers, now we’re making this a requirement for all extensions.
  • We’re requiring more extensions to post privacy policies, including extensions that handle personal communications and user-provided content. Our policies have previously required any extension that handles personal and sensitive user data to post a privacy policy and handle that data securely. Now, we’re expanding this category to include extensions that handle user-provided content and personal communications. Of course, extensions must continue to be transparent in how they handle user data, disclosing the collection, use and sharing of that data.

Upcoming Chrome OS changes

• New certificate verification engine and fallback enterprise policy

  Chrome 76 will start rolling out a new certificate verifier. For a few versions, we will provide an enterprise policy that will allow deployments to fall back on the legacy certificate verifier in case of certificate verification regressions or incompatibilities. We will provide more information about this feature in the Chrome 76 release notes.

• Adding print server support for CUPS

  We’re working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. You and your users will be able to configure connections to external print servers and print from the printers on these servers.

• User account and file name in IPP Header in Chrome 77

  If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about a print job that enables third-party printing features, such as secure printing and print-usage tracking.

• Linux apps USB devices

  From the Chrome Shell (crosh), you’ll be able to attach a USB device to Linux applications running on a Chromebook, so that Linux apps can access the Linux instance.

Upcoming Admin console changes

• Remove 20-printer limit for CUPS print management (device settings)

  The 20-printer maximum cap will be raised to allow for thousands of printers for each organizational unit in the Google Admin console. If you’re interested in testing this new feature, sign up for our Trusted Tester program.

• New default policies for printing (CUPS)

  There will be new controls for you to manage 2-sided and color printing.

• Managed guest session support for managed Google Play

  A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

• Device host name in DHCP requests
  You will be able to configure the device host name used during DHCP requests, including variable substitutions for ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, ${MACHINE_NAME}.

Chrome Browser updates

• All privately-hosted extensions must be packaged with CRX3 format in Chrome 76. 

  This change was originally planned for Chrome 75 but it’s now scheduled for Chrome 76 to allow more time for customer transition. It was originally announced in the Chrome 68 release notes.
  
  CRX2 uses SHA1 to secure updates to a Chrome extension. Breaking SHA1 is technically possible, which allows attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.
  
  Starting with Chrome 76, all force-installed extensions will need to be packaged in the CRX3 format. For details on temporarily enabling CRX2, see ExtensionAllowInsecureUpdates. For the CRX2 deprecation timeline, see Chromium.
  
  Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions or third-party extensions hosted outside of the Chrome Web Store that are packaged in CRX2 format, the extensions will stop updating in Chrome 76 and new installations of the extension will fail. 

• Roll back to Chrome 72 or later on Windows

  Chrome 75 on Microsoft^® Windows^® will allow administrators to roll back to Chrome 72 or a later version.

  To make sure that users are protected by the latest security updates, we recommend that users are on the latest version of Chrome Browser. Running earlier versions of Chrome Browser exposes your users to known security issues. Before using this policy, see Roll back Chrome Browser to a previous version for important information about preserving user data.

• Use policy to remove extensions (rather than just disable)

  Starting in Chrome 75, extensions can now be removed by modifying the installation_mode setting in the Extension Settings policy and setting the "removed" flag. For details, see Chromium. 

• PacHttpsUrlStrippingEnabled policy removed

  As we announced in the Chrome 74 release notes, the PacHttpsUrlStrippingEnabled policy has now been removed. If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change, especially if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.

  PAC HTTPS URL stripping removes privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution, reducing the chance that sensitive information is unnecessarily exposed. For example, https://www.example.com/account?user=234 would be stripped to https://www.example.com/. This behavior will now be enforced in Chrome 75.

• EnableSymantecLegacyInfrastructure policy removed

  As we announced in the Chrome 74 release notes, the EnableSymantecLegacyInfrastructure policy has now been removed. The policy was used as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. The workaround allowed time to migrate any internal certificates that are not used on the public internet.

  Certificates issued from the Legacy PKI Infrastructure should have been replaced with certificates issued by public or enterprise-trusted Certificate Authorities (CAs). 

• SSLVersionMax policy removed

  As we announced in Chrome 74 release notes, the SSLVersionMax policy has now been removed. This policy was used as a short-term workaround while TLS 1.3 was rolled out to allow time for middleware vendors to update their TLS implementations.

• Policy to control Signed HTTP Exchange

  You can use Signed HTTP Exchange to safely make content portable or available for redistribution by other parties, while keeping the content’s integrity and attribution. Portable content has many benefits, such as enabling faster content delivery, facilitating content sharing between users, and simpler offline experiences

  Starting in Chrome 75, you can enable or disable Signed HTTP Exchange using the SignedHTTPExchangeEnabled policy.

• CompanyName and LegalCopyright fields updated

  Chrome 75 changes the CompanyName and LegalCopyright fields in the version resource of Windows binaries (for example chrome.exe and chrome.dll). "Google Inc." is now  "Google LLC" and "Copyright 2018 Google Inc. All rights reserved." is now "Copyright 2019 Google LLC. All rights reserved."

• Control precedence between Chrome Browser Cloud Management and platform policies

  You can use CloudPolicyOverridesPlatformPolicy to control how policies from Chrome Browser Cloud Management interact with policies set at the platform level (for example, through the Group Policy Management Editor). This policy can be useful if you’re transitioning from managing browsers through Group Policy Object (GPO) to Chrome Browser Cloud Management.
  
  When set to false (default), the order of precedence is Machine platform > Machine cloud > User platform > User cloud.
  
  With the policy set to true, the order of precedence is Machine cloud > Machine platform > User platform > User cloud.
  
  The policy can only be set as a machine platform policy. For more details, see Chromium. 

• Merge list policies from multiple sources

  You can now merge policies that take a list of values that are set from multiple sources, including the cloud and by platform and Microsoft^® Active Directory^®. Before, if multiple lists from different sources conflicted, only one list was applied. For details, see PolicyListMultipleSourceMergeList.

• Chrome Remote Desktop on the web now available 

  You can now use Chrome Remote Desktop on the web. In turn, the Chrome Remote Desktop app will not be supported after June 30, 2019. New and existing users can switch to the new version on the web.

  To set it up:

  1. Go to Chrome Remote Desktop.
  2. In the upper-right corner, click Remote Access.
  3. Click Remote Support to get support from a trusted friend or family member, or to give support to someone else.

  You can control whether users can access other computers from Chrome using Chrome Remote Desktop. For details, see Control use of Chrome Remote Desktop.

• Improved tab life cycle management

  Some users will start to see improved CPU and memory usage as Chrome 75 rolls out. The TabLifeCyclesEnabled policy reduces the CPU usage on browser tabs that haven’t been used for a long time. Set the policy to true or leave it unspecified to enable it. For details, see Chromium. 

• Users can check Chrome Browser and OS management

  In Chrome 75 we’re enhancing the visibility features for both browser and OS with transparency view, a new view which shows users the extent to which their device and account are managed by their administrators in enterprise environments. The new transparency view focuses on reporting functionality (“Which data is visible to my administrator?”) as well as force-installed extensions (“Which data may be accessed by force-installed extensions?”).

Chrome OS updates

• Linux on Chromebooks: 

  Support for VPN connections—Linux applications can now utilize VPN connections through an existing Android or Chrome OS VPN connection. All traffic from the Linux VM will automatically be routed through an existing (established) VPN connection.
  
  Support for Android devices over USB—Android devices connected over USB can now be accessed by Linux apps. Users must choose to share the USB device with Linux before they can access it.

• Add support for PIN code with native printers

  PIN code printing will be available which will allow users to enter a pin code when sending the print job, and release the print job for printing when they enter the pin code into the printer keypad.  This gives users more control over when a print job is printed so documents aren’t lying unattended at the printer. And because a user has to actively request their print job be released, it also reduces waste. 
  
  PIN printing will be enabled if the user’s Chrome device is managed, and the printer supports IPPS communication and the IPP attribute for “job-password”.
  

• Add support for Document Providers in Files app

  To expand support for third-party file providers on Chrome OS, when users install the app of a third-party file provider that implements the DocumentsProvider API, a root for the third-party file provider will appear in the side navigation of the Chrome Files app. For more details, see Documents Provider. 

• Extending protected content on secondary displays

  Digital rights management (DRM)-protected content can now be shown on an external display. 

• BLE advertising in Chrome apps flag removed

  The #enable-ble-advertising-in-apps flag (about://flags) will be removed in Chrome 75. If you or any developers use BLE Advertising APIs, you should debug the functionality in a kiosk session, rather than in a regular user session.

Admin console updates

• Force devices to automatically re-enroll after wiping (change to forced re-enrollment behavior)

  Starting in June 2019 (with an incremental rollout), you can automatically re-enroll devices if they’re wiped.  Previously, forced re-enrollment required a user to enter their username and password to complete re-enrollment A few weeks after the roll out is complete, automatic re-enrollment will be the default for new customers as well as existing customers who have not changed the default forced re-enrollment setting. To control the setting, see Force wiped Chrome devices to re-enroll.

New and updated policies (Chrome Browser and Chrome OS)

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• Flash blocked by default in Chrome 76

  As communicated in the Chromium Flash Roadmap, Adobe® Flash® will be blocked by default in Chrome 76. Users can manually switch back to ASK ("Ask first") before running Flash. This change won’t impact existing policy settings for Flash. You can still control Flash behavior using DefaultPluginsSetting, PluginsAllowedForUrls, and PluginsBlockedForUrls. For more details, see the Flash Roadmap.

• Site isolation enforced in Chrome 76

  In Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out if users encountered an issue. We’ve resolved the reported issues and starting with Chrome 76, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms. On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

• Drive integration in the address bar

  Soon, users will be able to search for Google Drive files that they have access to from the address bar. If you have G Suite Business, Enterprise, or Enterprise for Education, you can apply for the beta program.

  

• Removing --disable-infobars in Chrome 76

  Chrome 76 will no longer support the --disable-infobars flag, which was used to hide pop-up warnings from Chrome Browser. To support automated testing, kiosks, and automation, the CommandLineFlagSecurityWarningsEnabled policy will be added to allow you to disable some security warnings.

• Policy atomic groups introduced in Chrome 76 

  In order to ensure predictable behavior from policies that are tightly coupled with other policies, some policies will be regrouped in atomic policy groups. These groups will help ensure that all the applied policies from a single group come from the same source, which is the source with the highest priority. This change will help prevent unpredictable behavior when mixing multiple sources of policies.

• Merge policies with dictionary of values in Chrome 76

  In Chrome 76, you can merge policies that take a dictionary of values set from multiple sources, including the cloud and by platform and Active Directory. Without this policy, if different sources conflict, only one dictionary will have an effect. For details, see PolicyDictionaryMultipleSourceMergeList.

• Flag removal, starting with Chrome 76

  Many flags in chrome://flags will be removed in upcoming Chrome versions. You should not use flags to configure Chrome Browser because they are not supported. Instead, configure Chrome Browser for your enterprise or organization using policies.

• Improvements to version rollback

  A future version of Chrome will improve the rollback experience on Windows by preserving some user data during the rollback process.

Upcoming Chrome OS changes

• Print jobs to include user account and file name

  If the printer or print service support IPPS with IPP attributes for requesting-user-name and document-name, you will be able to have print jobs include the user account and file name to help with print tracking and follow-me printing. 

• New certificate verification engine and fallback enterprise policy

  Chrome 76 will start rolling out a new certificate verifier. For a few versions, we will provide an enterprise policy that will allow deployments to fall back on the legacy certificate verifier in case of certificate verification regressions or incompatibilities. We will provide more information about this feature in the Chrome 76 release notes.

• Adding print server support for CUPS

  We’re working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. You and your users will be able to configure connections to external print servers and print from the printers on these servers.

• User account and file name in IPP Header

  If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about a print job that enables third-party printing features, such as secure printing and print-usage tracking.

• Linux apps USB devices
  From the Chrome Shell (crosh), you’ll be able to attach a USB device to Linux apps running on a Chromebook, so that Linux applications can access the Linux instance.

Upcoming Admin console changes

• Remove 20-printer limit for CUPS print management (device settings)

  The 20-printer maximum cap will be raised to allow for thousands of printers for each organizational unit in the Google Admin console. If you’re interested in testing this new feature, sign up for our Trusted Tester program.

• New default policies for printing (CUPS)

  There will be new controls for you to manage 2-sided and color printing.

• Managed guest session support for managed Google Play

  A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

• Device host name in DHCP requests
  You will be able to configure the device host name used during DHCP requests, including variable substitutions for ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, ${MACHINE_NAME}.

Chrome Browser updates

• Chrome Browser Cloud Management

  Chrome Browser has introduced support for management through the Google Admin console with Chrome Browser Cloud Management. Admins can use the Admin console to manage Chrome Browser across Windows^®, Mac^®, and Linux^®, without requiring users to sign in. Learn more about Chrome Browser Cloud Management.

  

• Dark mode for Windows in Chrome 74

  In Chrome 74, if the system theme is set to dark, Chrome on Windows will also use a dark theme on screen.

• Pop-ups will not be allowed on page unload

  Chrome 74 no longer allows pop-ups during page unload (see the removal notice). If you have any enterprise apps that still require pop-ups on page unload, you can enable the AllowPopupsDuringPageUnload policy to allow pop-ups on page unload until Chrome 82.

• Legacy Browser Support will no longer need an extension

  In Chrome 74, you can deploy Legacy Browser Support to automatically switch users between Chrome Browser and another browser. You can use policies to specify which URLs open in an alternative browser. For example, you can ensure that browser traffic to the public internet uses Chrome Browser, but visits to your organization’s intranet use Internet Explorer^®. You can turn on LBS and set policies to manage LBS in the Chrome Group Policy Template. Learn more about Legacy Browser Support Beta for Windows.

Chrome OS updates

• Annotations in PDF Viewer

  When viewing an Adobe PDF document in Chrome, you’ll be able to tap a button to annotate the PDF with pen and highlighter tools.

• New search feature in Chrome 74

  We’re adding a search feature so users can access recent queries and suggested apps without having to enter anything. Every time a user moves their cursor to or clicks the search box, but does not start entering text, they will get search suggestions. Users will also be able to remove recent queries that they no longer want to see and use suggested text to complete their query.

• External camera support for Google Camera app

  External USB cameras, such as webcams, USB microscopes, and document cameras, are now supported by the Google Camera app.

• Support for files and new folders in the “My files” root

  Users can save files locally and create new folders under the “My files” root outside of the default Downloads folder.

• ChromeVox developer log options

  As of version 74, we added a new section of ChromeVox developer options within the ChromeVox options page to give developers access to ChromeVox logs, which will help debugging. This allows developers to enable logs for speech, earcons, braille, and event streams.

• Linux apps on Chrome OS (Crostini) now support audio output

  Starting with Chrome 74, Linux apps on Chrome OS (Crostini) can now play audio.

Admin console updates

• Policy to enable native Active Directory integration

  You can now configure an existing domain to manage your Chrome devices with a Microsoft^® Active Directory^® server. If enabled, Chrome devices are domain joined to AD so you can see them in your domain controllers. You can also manage sessions and push policies to users and devices with GPO. You don’t need to synchronize usernames to Google servers. Users sign in to devices using their Active Directory credentials.

  To manage integrated devices, set the policy to enable Chrome Enterprise Active Directory integration in your Admin console. Visit Manage Chrome devices with Active Directory.

New and updated policies

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Google Cloud Next recap

Chrome Enterprise product managers and customer engineers presented a number of talks at the Google Cloud Next conference in San Francisco the week of April 8, 2019. You can watch on YouTube recordings of the 18 Mobility & Devices Sessions.

The talks below should be specifically of interest to Chrome Enterprise IT admins:

Browser-focused talks

• What's New in Chrome Browser
• Manage Chrome Browser from the Cloud
• How Google IT Manages Enterprise Extensions

Chrome OS-focused talks

• Managing Chromebooks and Apps With Chrome Enterprise
• How Google IT Supports its Scaling Global Workforce with Chromebooks
• Changing End User Computing: Seven Facts You Should Know About Chrome Enterprise

New Chrome OS administrator credential

We're now offering a new Chrome OS administrator credential. The Chrome OS administrator exam is free and measures the ability to:

• Create, delete, and administer users for a domain
• Configure and manage organizational units
• Manage Chrome devices in the Google Admin console
• Configure and manage security and privacy settings

​For details, see Earn your Chrome OS administrator credential.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

• Drive search results in the address bar

  Users will see Google Drive results when entering a search in the address bar, including PDFs, Google Sheets, Docs, and Slides.

  

• All extensions must be packaged with CRX3 format in Chrome 75

  CRX2 uses SHA1 to secure updates to the extension and breaking SHA1 is technically possible, allowing attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

  Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. And, new installations of the extension will fail. See ExtensionAllowInsecureUpdates.

• PacHttpsUrlStrippingEnabled policy will be removed in Chrome 75 

  If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution, reducing the chance that sensitive information is unnecessarily exposed. For example, https://www.example.com/account?user=234 would be stripped to https://www.example.com/.  If you set this policy to True or leave it on the default value, then there will be no change. If you set this policy to False, you will no longer be able to do so in Chrome 74.  

• EnableSymantecLegacyInfrastructure policy will be removed in Chrome 75

  EnableSymantecLegacyInfrastructure was used as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. This allows time for migrating any internal certificates not used on the public internet. This policy will be removed. Certificates issued from the Legacy PKI Infrastructure should have replacement certificates issued by public or enterprise-trusted CAs.

• Policy rollback to a previous version in Chrome 75

  Chrome 75 on Windows will include a policy that allows administrators to roll back to a previous version of Chrome. Note that only the latest release of Chrome is officially supported, so if an admin rolls back to an older version of Chrome, they do so at their own risk. This policy is meant as an emergency mechanism and should be used with caution. A future version of Chrome on Windows will improve the rollback experience by preserving user states during the rollback process.

  Read before using this policy: To make sure that users are protected by the latest security updates, we recommend that they use the latest version of Chrome Browser. If you roll back to an earlier version, you will expose your users to known security issues. Sometimes you might need to temporarily roll back to an earlier version of Chrome Browser on Windows computers. For example, your users might have problems after a Chrome Browser version update.

  Before you temporarily roll back users to a previous version of Chrome Browser, we recommend that you turn on Chrome sync or Roaming User Profiles for all users in your organization. If you don’t, previous versions of Chrome Browser will not use data that was synced from later versions. Use this policy at your own risk.

  Note: You can only roll back to Chrome Browser version 72 or later. Please provide feedback on this feature.

• SSLVersionMax policy will be removed in Chrome 75

  The SSLVersionMax policy, which can be used as a short-term workaround while TLS 1.3 is rolled out, will be removed in Chrome 75. This allows time for middleware vendors to update their TLS implementations.

• Site isolation enforced on desktop in Chrome 75

  Before shipping site isolation in Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out of site isolation if users encountered an issue. We’ve resolved the reported issues and starting with Chrome 75, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms. On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

• Blacklisted extensions can be removed (rather than just disabled) by policy in Chrome 75

  A new policy will be made available to specify that Chrome Browser shouldn’t just disable blacklisted extensions, but remove them completely.

• Policy to control signed HTTP exchange in Chrome 75

  Signed HTTP exchange enables publishers to safely make their content portable, or available for redistribution by other parties, while keeping the content’s integrity and attribution. Portable content has many benefits, such as enabling faster content delivery, facilitating content sharing between users, and simpler offline experiences. In Chrome 75, the SignedHTTPExchangeEnabled policy will control whether signed HTTP exchange is enabled or not.

• CompanyName and LegalCopyright fields will be updated in Chrome 75

  Chrome 75 will change the CompanyName and LegalCopyright fields in the version resource of Windows binaries (for example chrome.exe and chrome.dll) from "Google Inc." and "Copyright 2018 Google Inc. All rights reserved." to "Google LLC" and "Copyright 2019 Google LLC. All rights reserved."

• Flash will be blocked by default in Chrome 76

  As communicated in the Chromium Flash Roadmap, Flash is to be blocked by default in Chrome 76 (Stable release beginning end of July 2019). Users can still switch it back to ASK by default. This change won’t impact enterprises that already configure policy settings for Flash (DefaultPluginsSetting, PluginsAllowedForUrls, PluginsBlockedForUrls). Enterprises will still be able to control this policy. 

Upcoming Chrome OS changes

• New certificate verification engine and fallback enterprise policy

  Chrome 76 will start rolling out a new certificate verifier. For a few versions, we will provide an enterprise policy that will allow deployments to fall back on the legacy certificate verifier for the unlikely case of certificate verification regressions or incompatibilities. We will provide more information about this feature in the Chrome 76 release notes.

• Adding print server support for CUPS

  We’re working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. Users and administrators will be able to configure connections to external print servers and print from the printers on these servers.

• User account and file name in IPP Header

  If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about the print job that enables third-party printing features, such as secure printing and print usage tracking, if supported.

• Linux apps USB devices

  From the Chrome Shell (crosh), you will be able to attach a USB device to Linux apps running on Chromebooks so that Linux applications can access the Linux instance.

• BLE advertising in Chrome apps flag being removed
  The #enable-ble-advertising-in-apps flag (about://flags) will be removed in Chrome 75. This feature is designed to work with Chrome apps operating within kiosk sessions. Any developers leveraging BLE Advertising APIs should debug functionality in kiosk session, rather than use a regular user session.

Upcoming Admin console changes

• Remove 20-printer limit for CUPS print management

  The 20-printer maximum cap will be raised to allow for thousands of printers for each organizational unit in the Admin console. If you’re interested in testing this out, join our trusted tester program.

• New default policies for printing (CUPS)

  Soon, there will be new controls for administrators to manage printing capabilities for their users for 2-sided and color printing. Admins will be able to set defaults or restrict these print options.

• Managed guest session support for managed Google Play

  A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome Browser updates

• Managed by your organization menu item

  Starting in Chrome 73, when one or more policies are set in Chrome Browser, some users will see a new item on the More  menu that indicates that Chrome is being managed. If a user clicks Managed by your organization, they are directed to details about Chrome Browser management.

  

• Changes to the Chrome sign-in flow

  In Chrome 73, we're rolling out the following changes to Chrome Browser settings:

  • When a user turns Chrome sync on, they now get additional features, including an enhanced spellchecker and extended reporting for safe browsing.

  • Sync and Google services—A new section that lists all of the settings related to data collected by Google in Chrome Browser. Many of these settings were previously in the Privacy section.

  • Make searches and browsing better—A new setting in the Sync and Google services section that allows users to control whether features in Chrome Browser can collect anonymous URLs.

    

• Chrome Browser binaries signed with new digital certificate

  Chrome Browser binaries and installer are now signed with a digital certificate issued to Google LLC (rather than Google Inc). There are no changes to the Certificate Authority (CA).

• Password Manager enterprise policy for Android now aligned to desktop

  The PasswordManagerEnabled policy controls whether the password manager offers to save passwords. On Android, this policy prevented users from viewing passwords that were already saved. Starting with Chrome 73, Chrome Browser on Android will behave like other platforms and allow the user to view their saved passwords.

• Progressive Web App support on Mac

  In Chrome 73, Progressive Web Apps (PWAs) can now be installed on Apple^® Mac^®. For details, see Desktop Progressive Web Apps.

• Dark mode for Mac

  In Chrome 73, if the system theme is set to dark, Chrome Browser on Mac computers will also use a dark theme. Support for Microsoft^® Windows^® is planned for a future release. 

• Accessibility improvements

  A number of improvements have been made to accessibility in Chrome Browser, including greater contrast and compatibility with screen readers. Some of the improvements include:

  • Improved contrast in pop-up boxes, the search box, and tabs (especially when a tab is not active).
  • More pop-up boxes correctly report titles to screen-reader software.
  • Tabs are now keyboard-accessible.
  • Fixes to the way pressing the F6 or Tab key moves through the order of the Chrome Browser toolbar, and other controls, including access to some new UI elements.
  • Screen reader now announces additional information, such as the page zoom level when it’s changed and the number of Find results.
  • Misleading screen-reader prompts are fixed to reflect current functionality. For example, the correct key combination is now reported when you want to zoom in on a page.
  • If a user draws around an element in the UI, there are now improvements in the contrast and appearance of focus rings.

• New policy to force networking code to run in the browser process

  The network code we use for Chrome Browser is being moved to a separate process. It’s an internal architectural change that wasn't expected to interact with other products. However, we're aware of one report of the move breaking a third-party product that used to inject code into Chrome Browser's process. If this move is causing any issues in your environment, you can temporarily use the ForceNetworkInProcess policy to force networking to run in the browser process. This is a temporary policy that will be removed in the future; there is currently no specific timeline, but we plan to provide 4 milestones notice before removal.

• Notice for web developers: Flexbox rendering

  Chrome Browser now follows the recommendation from the World Wide Web Consortium for the box model that’s optimized for a UI. Flex items now get the correct minimum size. If you’re a web developer, we recommend that you set the CSS on your webpages with flex items to min-height: auto. For details on the change, see Chromium and the Consortium specification.

• Notice for developers: Changes to cross-origin requests in extension content scripts

  Chrome 73 includes changes to the behavior of cross-origin requests from content scripts. These changes help site Isolation protect Chrome users even if a renderer is compromised, but these changes may break extensions that have not yet adapted to the new security model. For instructions on how to verify if a Chrome extension you’re using is affected or to request adding an extension to a temporary allowlist, see Chromium.org.

Chrome OS updates

• Managed guest sessions to replace public sessions

  In Chrome 73, public sessions are being replaced with managed guest sessions, which provide additional capabilities. Depending on the configuration of the organizational unit that has managed guest session devices, an existing public session device might have the capabilities automatically activated. If so, all certificates, policies, and extensions of the organization will be applied to the managed guest session of this device in the future and no manual changes are required. Learn more about how to manage guest session devices.

• eSpeak for Chrome OS

  You can set up text-to-speech in dozens of languages on devices running Chrome OS to enhance  accessibility. For details, see eSpeak NG.

• Pair Bluetooth braille displays with Chromebooks

  In addition to supporting USB-refreshable braille displays, you now have the ability to pair braille displays through Bluetooth^®. For details, see Use a braille device with your Chromebook.

• Camera app 5.3 update

  Users can now take photos and videos with a 3 or 10-second timer, line up shots with grid options, and use a mirror button that’s helpful when using external cameras, such as USB microscopes or document cameras.

Admin console updates

• Enable managed Chrome devices to run Linux apps

  Last year we announced that consumer users can run Linux apps, including Android Studio on these Chrome devices. With Chrome 73, we’re making this feature available on managed devices. Admins can now enable or disable the use of virtual machines that are required to use Linux apps on managed Chrome OS devices. The policy is disabled by default. Admins who want to enable this policy, see Virtual Machines in Set Chrome device policies. Users need to follow the steps in Set up Linux (Beta) on your Chromebook.

  

• New default policy for black & white printing (CUPS)

  There are new controls for administrators to manage black and white printing capabilities for their users. Controls for 2-sided and color printing are coming soon.  If you’re interested in getting early access to test printing features, please complete the trusted tester application.

  

New and updated policies

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

New Chrome OS administrator credential

We are excited to announce the Chrome OS administrator credential. The Chrome OS administrator exam is free and measures the ability to:

• Create, delete, and administer users for a domain
• Configure and manage organizational units
• Manage Chrome devices in the Google Admin console
• Configure and manage security and privacy settings

​For details, see Earn your Chrome OS administrator credential.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

• Flash blocked by default in Chrome 76

  As communicated in the Chromium Flash Roadmap, Adobe^® Flash^® is planned to be blocked by default in Chrome 76 (stable release beginning end of July 2019). Users will still be able to switch it back to Ask to use Flash by default. This change will not impact enterprises who already configure policy settings for Flash (DefaultPluginsSetting, PluginsAllowedForUrls, PluginsBlockedForUrls). Enterprises will still be able to control this policy as before. 

• Drive search results in the address bar

  Users will see Google Drive results when entering a search in the address bar, including PDFs, Google Sheets, Docs, and Slides.

  

• Dark mode for Windows in Chrome 74

  In Chrome 74, if the system theme is set to dark, Chrome Browser on Windows computers will also use a dark theme in the UI. 

• Use a policy to roll back to a previous version of Chrome Browser

  We are working on a policy to roll back a Chrome Browser version while retaining account and profile data. The new policy will allow administrators to roll back in conjunction with the existing TargetVersionPrefix ADMX policy. You can send feedback on this feature in the Chromium bug tracker.

  Read before using this policy: To make sure that users are protected by the latest security updates, we recommend that they use the latest version of Chrome Browser. If you roll back to an earlier version, you will expose your users to known security issues. Sometimes you might need to temporarily roll back to an earlier version of Chrome Browser on Windows computers. For example, your users might have problems after a Chrome Browser version update.

  Before you temporarily roll back users to a previous version of Chrome Browser, we recommend that you turn on Chrome sync or Roaming User Profiles for all users in your organization. If you don’t, previous versions of Chrome Browser will not use data that was synced from later versions. Use this policy at your own risk.

  Note: You can only roll back to Chrome Browser version 72 or later 

• Deprecated policies will remain in the ADMX templates

  The ADM and ADMX templates will be modified to keep deprecated and unsupported policies in the output. They will be placed in a dedicated folder and have the same description. The update will make it easier to delete policies after they’re deprecated. Learn more about Deprecated Chrome policies.

• PacHttpsUrlStrippingEnabled policy will be removed in Chrome 74 

  If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution, reducing the chance that sensitive information is unnecessarily exposed. For example, https://www.example.com/account?user=234 would be stripped to https://www.example.com/.  If you set this policy to True or leave it on the default value, then there will be no change. If you set this policy to False, you will no longer be able to do so in Chrome 74.  

• EnableSymantecLegacyInfrastructure policy removed in Chrome 74

  The EnableSymantecLegacyInfrastructure policy can be used as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. This allows time for migrating any internal certificates not used on the public internet. This policy will be removed in Chrome 74. Certificates issued from the Legacy PKI Infrastructure should have replacement certificates issued by public or enterprise-trusted Certificate Authorities (CAs). See Migrate from Symantec certificates.

• SSLVersionMax policy will be removed in Chrome 75

  The SSLVersionMax policy, which can be used as a short-term workaround while TLS 1.3 is rolled out, will be removed in Chrome 75. This allows time for middleware vendors to update their TLS implementations.

• All extensions must be packaged with CRX3 format in Chrome 75

  CRX2 uses SHA1 to secure updates to the extension and breaking SHA1 is technically possible, allowing attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

  Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. And, new installations of the extension will fail. See ExtensionAllowInsecureUpdates.

• Site isolation enforced on desktop in Chrome 75

  Before shipping site isolation in Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out of site isolation if users encountered an issue. We’ve resolved the reported issues and starting with Chrome 75, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms. On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

• ThirdPartyBlockingEnabled deprecation

  In the Chrome Enterprise 68 release notes published in July 2018, we announced that the ThirdPartyBlockingEnabled policy will be deprecated in approximately one year (Chrome 77). This announcement was intended as a general deprecation date at some point in the future, but due to feedback and in order to give the ecosystem more time to adapt to the change, the deprecation is currently not targeted for Chrome 77. When a date is set for deprecation, we will announce it in the release notes. We plan to provide 4 notices before removal.

• TLS 1.3 downgrade hardening

  Chrome Browser enabled TLS 1.3 in Chrome 70. However, due to bugs in some enterprise TLS proxies, a hardening mechanism was temporarily disabled. A future version of Chrome Browser will re-enable this measure. To test networks in Chrome 73:

  1. Set chrome://flags/#enforce-tls13-downgrade Enabled.
  2. Visit a TLS-1.3-enabled server, such as https://mail.google.com. 
  3. If the connection fails with ERR_TLS13_DOWNGRADE_DETECTED, some proxy on the network has the hardening mechanism temporarily disabled.

  You should upgrade affected proxies to fixed versions or contact vendors if no fix is available. The following list contains the minimum firmware versions for affected products that we're aware of:

  Palo Alto Networks:

  • PAN-OS 8.1 must be upgraded to 8.1.4 or later.
  • PAN-OS 8.0 must be upgraded to 8.0.14 or later.
  • PAN-OS 7.1 must be upgraded to 7.1.21 or later.

  Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):

  • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later.
  • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later.
  • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later.
• Legacy browser support planned to be incorporated into Chrome 75

  Legacy browser support functionality is being incorporated into Chrome Browser, and the separate extension will no longer be needed. We will keep the extension in the Chrome Web Store for the foreseeable future so customers on older versions of Chrome Browser can continue to use legacy browser support. If you’re interested in getting early access to test legacy browser support integration, please complete this interest form.

• Pop-ups will not be allowed on page unload

  In Chrome 74, we will no longer allow pop-ups during page unload. See the removal notice. We’ve been notified that this might break some enterprise apps so a temporary policy will be made available to allow pop-ups on page unload when Chrome 74 launches. This temporary policy is planned to be removed in Chrome 76. 

Upcoming Chrome OS changes

• New search feature in Chrome 74

  We’re adding a search feature so users can access recent queries and suggested apps without having to enter anything. Every time a user moves their cursor to or clicks the search box, but does not start entering text, they will get search suggestions. Users will also be able to remove recent queries that they no longer want to see and use suggested text to complete their query.

• Adding print server support for CUPS

  We are working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. Users and administrators will be able to configure connections to external print servers and print from the printers on these servers.

• User account and file name in IPP Header

  If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about the print job that enables third-party printing features, such as secure printing and print usage tracking, if supported.

• Annotations in PDF viewer

  When viewing a PDF on a device running Chrome OS, you will be able to tap a button to annotate the PDF with pen and highlighter tools.

• Linux apps USB devices

  From the Chrome Shell (crosh), you will be able to attach a USB device to Linux apps running on Chromebooks so that Linux applications can access the Linux instance.

• External camera support for the Camera app
  External USB cameras will be supported by the Camera app. 

Upcoming Admin console changes

• Remove 20-printer limit for CUPS print management

  Soon, the 20 printer maximum cap will be raised to allow for several thousand printers for each organizational unit in the Google Admin console. If you’re interested in testing the new feature, please join our trusted tester program.

• New default policies for printing (CUPS)

  Soon, there will be new controls for administrators to manage printing capabilities for their users for duplex printing. Admins will be able to set defaults or restrict whether users can or cannot use duplex printing. 

• Managed guest session support for managed Google Play

  A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome Browser updates

• New search result types

  In Chrome 72, you’ll get 2 new types of search results when you search from the address bar. You’ll get results based on entities—people, things, places, and so on. These results will contain the search text, an image of the entity you’re searching for, and a short description.

  

  You’ll also get suggestions to complete the end of a search string. For example, if you search for “widget sale best prac…”, you’ll get a suggestion for “practice” as a completion to your search.

  

• Cleanup tool quarantines—instead of deleting—files it detects as malicious

  If you use the Chrome Cleanup tool on Microsoft^® Windows^® computers, files detected as malicious will now be quarantined rather than deleted. This update will help lessen the risk of safe files being mistakenly deleted. Learn more about removing unwanted programs and the Chrome Cleanup tool policy.

• Save payment information to a Google Account

  In Chrome 72, users who are signed in to their managed Google Account will now see an option to save their payment information to their Google Account. As an administrator, you can turn off this feature (Sync Service setting) in the Google Admin console or by using the AutofillCreditCardEnabled policy.

• Support for Windows 10 U2F and web authentication APIs

  If you use the most recent version of Windows 10, you’ll have added support for Universal 2nd Factor (U2F) and WebAuthn—standards that enable web authentication through security keys instead of passwords. U2F and WebAuthn are only supported on the most recent versions of Windows 10: either current Insider Preview builds or the forthcoming 19H1 release (“Redstone 6”). Integration with these APIs enables Windows Hello support through WebAuthn and support for NFC tokens. USB and Bluetooth Low Energy (BLE) devices should continue to work, although Windows UI will now be displayed. Any organizations that depend on U2F or WebAuthn, and are using sufficiently recent Windows builds, should verify that this feature works correctly before rolling it out.

• EnableSha1ForLocalAnchors policy

  Enterprises that needed time to migrate following the 2014 announcement to sunset SHA-1 were able to configure an enterprise policy to enable support for SHA-1 for locally installed, privately trusted Certificate Authorities. This support has now been removed in Chrome 72. Enterprises that rely on server certificates that use the SHA-1 algorithm in the certificate chain will find that Chrome 72 will refuse to connect, presenting an untrusted certificate error. These certificates should be replaced with SHA-2 certificates to avoid any disruption.

• New welcome experience (Windows)

  When you start Chrome Browser for the first time on Windows, you’ll see a new welcome page, unless you’re on a device that’s joined to a Microsoft^® Active Directory^® domain.

• Changes to sign-in behavior with Chrome 72

  In Chrome 72, a small percentage of users will now see the following changes to the Chrome sign-in behavior. A wider roll-out of these features will happen in Chrome 73:

  • When a user turns Chrome sync on, they now get additional features, including “Enhanced spell check” and “Safe browsing extended reporting.”
  • The Chrome settings page includes a new section—Sync and Google services—which lists all of the settings related to data collected by Google in Chrome Browser. Many of these settings were previously under “Privacy”.
  • A new setting, “Make searches and browsing better” will appear under “Sync and Google services” on the settings page. This allows users to control whether features within Chrome can collect anonymized URLs.

Chrome OS updates

• USB connections on locked devices

  Chrome 72 will offer initial support to ignore some types of USB connections on locked devices that are running Chrome OS including printers, scanners, and storage devices. USBGuard is on by default beginning with Chrome 72. If issues are detected, admins can disable this feature through chrome://flags.

• Android app shortcuts in launcher search

  Users can now search for app shortcuts in the launcher search. For example, users can search for Compose and be taken to the exact related app, such as a new blank message in Gmail.

• New drawing app for Chromebooks

  Chromebook users now have the Canvas app for drawing.

• ChromeVox screen reader update

  ChromeVox users with low vision can now opt to have the screen reader read anything under their mouse cursor. This feature can be enabled through the setting “Speak text under the mouse” in the ChromeVox options page.

  

• Android 9.0 support coming to certain Chrome devices

  Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. We’ll include more information in future release notes when it comes available.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

• Drive search results in the address bar

  Users will see Google Drive results when entering a search in the address bar, including Google Sheets, Docs, Slides, and PDFs.

  

• Roll back Chrome Browser version with policy

  Many enterprise customers have asked Google to provide a version rollback mechanism. We are working on a policy to roll back Chrome Browser while retaining account and profile information. This will allow administrators to enable a rollback in conjunction with the existing TargetVersionPrefix ADMX policy. If the Chrome version updater cannot rollback the browser, the chrome://policy page will contain an error message and the existing release will continue to function. Only the latest release of Chrome is officially supported, so if an admin rolls back to an older version they do so at their own risk. You can provide feedback to the engineering team on this feature on Chromium.

• Deprecated policies will remain in the ADMX templates

  Deprecated policies will be placed in a dedicated folder in the ADMX templates and have the same description. This change will make it easier for administrators to delete policies after they’re deprecated. Learn more about Deprecated Chrome policies.

• Changes to the sign-in behavior with Chrome 73

  The updates described above in Changes to the sign-in behavior with Chrome 72 will be rolled out for all users in Chrome 73.

• PacHttpsUrlStrippingEnabled policy will be removed in Chrome 74

  The PacHttpsUrlStrippingEnabled policy will be removed in Chrome 74. If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution. For example, https://www.example.com/account?user=234 will be stripped to https://www.example.com/. If you set this policy to True or leave it on its default value, then there will be no change. However, in Chrome 74, you will no longer be able to set it to False.

• EnableSymantecLegacyInfrastructure policy will be removed in Chrome 74

  The EnableSymantecLegacyInfrastructure policy will be removed in Chrome 74. This policy is intended as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. This allows time for migrating any internal certificates not used on the public Internet. This policy will be removed in Chrome 74. Certificates issued from Legacy PKI Infrastructure should have replacement certificates issued by public or Enterprise-trusted Certificate Authorities (CAs). See Migrate from Symantec certificates.

• SSLVersionMax policy will be removed in Chrome 75

  The SSLVersionMax policy was a short-term work-around while TLS 1.3 is rolled out. This allows time for middleware vendors to update their TLS implementations. The policy will be removed in Chrome 75.

• All extensions must be packaged with CRX3 format by Chrome 75

  Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.This change has been made because CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is technically possible. So, an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

  If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. New installations of the extension will fail.

• Site isolation will be enforced on Chrome 75 (Desktop)

  Before shipping Site Isolation in Chrome 67, we introduced enterprise policies that enterprises could use to opt in to Site Isolation early or opt out of Site Isolation if they encountered an issue. We’ve resolved the reported issues and starting with Chrome 75, we will remove the ability to opt out of Site Isolation using the SitePerProcess or IsolateOrigins policies on desktop. We tentatively plan to move Chrome 75 to the stable channel in June 2019.

  Notes:

  • This change only applies to desktop platforms. On Android, SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable Site Isolation.
  • If you run into any issues with the SitePerProcess or IsolateOrigins policies, file a bug in Chromium.

Upcoming Chrome OS changes

• External camera support for Camera app

  External USB cameras will be supported by the Google Camera app.

• Always-on VPN for managed Google Play

  Currently, Admins can install Android VPN apps on Chromebooks, however, users have to start the VPN app manually. Soon, admins will be able to set an Android VPN app to start a connection when a device is turned on and direct all user traffic (Chrome OS and Android) through that connection.

• User account / Filename in IPP Headers

  If enabled by policy, all print jobs can include the requesting user account and file name printed in the IPP header. This new feature will provide additional information about print jobs that enable third-party printing features, such as secure printing and print-usage tracking.

• Annotations in PDF Viewer

  When viewing a PDF in Chrome, you will be able to tap a button to add notes to the PDF with a pen and highlighter tools.

• Linux container support for USB devices

  From the Chrome Shell (crosh), you will be able to attach a USB device to Linux running on Chrome devices (Crostini) so that Linux applications can access the Linux instance.

Upcoming Admin console changes

• Native printing (CUPS) improvements
  • Printing limit lifted—The 20 printer maximum cap will be raised to allow for several thousand printers for each organizational unit in the Google Admin console.
  • Set default for 2-sided and black and white printing—Controls are coming for administrators to manage printing capabilities for their users around 2-sided printing and black and white printing. Admins will be able to set defaults or restrict these print options with CUPS (native printing).

• Managed guest session support for managed Google Play

  A setting in the Google Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome Browser updates

• Change to using PAC scripts to configure proxy settings in Chrome

  If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. This is especially so if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.

  The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution. For example, https://www.example.com/account?user=234 will be stripped to https://www.example.com/.

  This policy will change the default value from False to True to improve security. If you already set this policy to True, there’s no impact. If you set it to False, there’s no immediate impact. If you haven’t set this policy and are relying on the default, test this change to see how your PAC scripts operate.

  This policy will be removed in a future release when PAC stripping becomes the default for Chrome.

• Deprecate trust in remaining Legacy Symantec PKI Infrastructure

  This change is present in all release channels: Canary, Dev, Beta, and Stable. Users observing the distrust in Chrome 70 should experience the exact same behavior in Chrome 71 and later. For a small percentage of users, Chrome 71 will be the first time they experience the distrust, which could result in more problems involving related errors.

  Find instructions on how to determine whether a site is affected and any corrective action needed, as well as a description of past changes.

Chrome OS updates

• Fingerprint and PIN enrollment in Chrome device Out of Box Experience (OOBE)

  For tablets that support fingerprint and/or PIN, users can enroll a fingerprint or set up a PIN while signing in to the device for the first time.

• Connect to your Android phone

  Users can connect with their Android phone using a single setup flow to enable Smart Lock, instant tethering, and Android Messages PWA. Android Messages PWA gives users the ability to see, reply to, and start text messages.

• Android Messages for Chrome OS

  Users can text from their Chrome OS by connecting with their Android phone. 

• Print multiple pages per sheet on native (CUPS) printing

  Native printers using CUPS now support rendering multiple pages of content onto a single sheet of paper. Previously only available for Cloud Print printers, this is now available for all printing destinations.

Admin console updates

• Managing site isolation policies

  Site isolation policies on the desktop get updated to reflect that they’re on by default. (They include controls to turn off site isolation or add specific site rules.) New policies are added to the Admin console for Chrome on Android. For more, see Protect your data with site isolation.

New and updated policies

Deprecations

• EnableSha1ForLocalAnchors policy

  Enterprises that needed time to migrate following the 2014 announcement to sunset SHA-1 were able to configure an Enterprise policy to enable support for SHA-1 for locally installed, privately trusted Certificate Authorities. Support would be removed in January 2019 at the latest, which corresponds to Chrome 72. Enterprises that rely on server certificates that use the SHA-1 algorithm in the certificate chain will find that Chrome 72 will refuse to connect, presenting an untrusted certificate error. These certificates should be replaced with SHA-2 certificates to avoid any disruption.

• SupervisedUserCreationEnabled policy (deprecated in Chrome 70)

  Read about consumer supervised users.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

• The Chrome Cleanup Tool will quarantine—instead of deleting—files it detects as malicious

  The Chrome Cleanup Tool helps users remove unwanted software on their computers. The removal process includes deleting malicious files in the system. However, to lessen the risk of safe files being erroneously deleted, files will be moved into quarantine instead of getting deleted permanently. For more, learn about removing unwanted programs and the Chrome Cleanup Tool policy.

• PacHttpsUrlStrippingEnabled policy (scheduled to be deprecated in Chrome 74) 

  See the above note on Change to using PAC scripts to configure proxy settings in Chrome.

• SSLVersionMax policy (scheduled to be deprecated in Chrome 75)

  SSLVersionMax can be used as a short-term workaround while TLS 1.3 is rolled out. This allows time for middleware vendors to update their TLS implementations. The policy will be removed in Chrome 75.

• Third-party code injection

  The Chrome 70 release notes stated that in Chrome 71, third-party code blocking will be enabled by default for everyone, including domain-enrolled users. However, due to an issue with anti-virus file scanning, we're delaying this change until we have a solution that better covers customers' needs.

• All extensions must be packaged with CRX3 format by Chrome 75

  Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.

  If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. New installations of the extension will fail.

  Why is this change happening?

  CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is technically possible. So, an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

Upcoming Chrome OS features

• Always-on VPN for managed Google Play

  Admins can install Android VPN apps on Chromebooks. However, users have to start the VPN app manually.

  Soon, admins can set an Android VPN app to start a connection when a device is turned on and direct all user traffic (Chrome OS and Android) through that connection. If the connection fails, all user traffic is blocked until the VPN connection is re-established. VPNs in Chrome OS don’t apply to any system traffic, such as OS and policy updates to prevent security exploits.

• Android 9.0 support coming to certain Chrome devices

  Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. Dates and affected devices haven’t been announced. We’ll include more information in future release notes when it comes available.

Upcoming Admin console features

• Native printer-management improvements

  The 20 printer maximum cap will be raised to allow for several thousand printers for each organizational unit in the Google Admin console.

• Managed guest session support for managed Google Play

  A setting in the Google Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

We're accepting sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Chrome Browser updates

• Sign-in policy change

  Starting in Chrome 70, the BrowserSignin policy will control the Allow Chrome sign-in setting for your users on Chrome Browser. It allows you to specify if the user can sign in with their account and use account-related services, such as Chrome Sync.

  If the policy is set to "Disable browser sign-in", then the user cannot sign in to the browser and use account-based services. In this case, account-bound features, such as Chrome Sync, cannot be used and will be unavailable.

  If the policy is set to "Enable browser sign-in", then the user can sign in to the browser, but they’re not forced to do so. The user can’t disable signing in to the browser. To control the availability of Chrome Sync, use the SyncDisabled policy.

  If the policy is set to “Force browser sign-in”, then the user has to sign in to Chrome before using the browser. The default value of BrowserGuestModeEnabled will be set to false. Existing profiles that are not signed in will be locked and inaccessible after enabling this policy. 

  If this policy is not set, then the user can decide if they want to enable the browser sign-in option and use it as they see fit.

• Cookie behavior change

  With Chrome 70, when a user clears cookies in Chrome Browser, Google’s authentication cookies will be deleted along with all other cookies, except for the cookie used for the Chrome Sync account. Users are automatically signed out of all accounts not being used for Chrome Sync. Users will still be signed in to any account used for Chrome Sync so they can delete their browsing data from other devices as well.

• Reduce Chrome crashes caused by third-party software

  Third parties can inject code that disrupts the stability of Chrome Browser. In Chrome 66, we introduced on-screen warnings that alerted users when a third party injects code.

  Here’s the warning users see on their computers if the ThirdPartyBlockingEnabled policy is enabled:

  

  The following blocking feature was previously scheduled for M68 and M69, but is now launching in Chrome 70.

  In Chrome 70, third-party code is now blocked by default for consumer users of Chrome. However, there is a different default behavior for enterprises. If you (the admin) do not block third-party code, third-party code will not be blocked for domain-enrolled enterprise users in Chrome 70.

  In Chrome 71, third-party code blocking will be enabled by default for everyone, including domain-enrolled users.

  To prepare for this change, if you still use software that injects code into browser processes, you can temporarily enable access using the new ThirdPartyBlockingEnabled policy.

  To test Chrome’s third-party software warning and blocking features on Windows, see these instructions, which will walk you through how to use the diagnostic tool at chrome://conflicts.

• Deprecate trust in remaining legacy Symantec PKI infrastructure

  Following previous announcements, Chrome 70 marks the final stage of distrusting the Symantec legacy PKI certificates.

  Beginning with Chrome 70:

  • All certificates, regardless of issuance date, issued from the Symantec legacy PKI are distrusted in the Canary and Dev release channels.
  • Trust in the Symantec legacy PKI has begun phasing out for the Beta and Stable release channels.
  • Temporary periods of distrust, increasing in length, will identify any outstanding breakages caused by sites that have not replaced their TLS certificates. Complete and final distrust can occur regardless of Chrome release dates. You are strongly encouraged to replace affected certificates as soon as possible to avoid site breakage.

  What you need to do:

  • Determine if your site is affected and replace your TLS certificate with one unaffected by the change. To find out if your site is affected, see the instructions in our blog post on the deprecation.
  • Enterprises with a critical dependency on Symantec TLS certificates can configure temporary trust in the Symantec legacy PKI. This policy is a temporary measure and will expire January 01, 2019. For details, see the EnableSymantecLegacyInfrastructure policy.

• Update to TLS 1.3

  We shipped draft 23 of TLS 1.3 in Chrome 65. In Chrome 70, we are now updating to the final revision. For details, see TLS 1.3 and Chromium.org. We will not be shipping anti-downgrade protections in Chrome 70 due to bugs in several middlebox vendor’s TLS implementations. Administrators of Cisco^® Firepower^® devices can update to Firepower version 6.2.3.4 to avoid incompatibilities with a future Chrome version. If needed, admins can use the SSLVersionMax policy to control TLS 1.3.

• New UI support for WebAuthn

  Chrome 70 comes with a new UI for WebAuthn and FIDO authenticators. Developers no longer have to implement these user authentication flows themselves. In Chrome 70, when a user invokes WebAuthn, Chrome will guide the user through their FIDO-compatible authenticator, such as a security key.

• Form autofill policy changes

  The AutoFillEnabled policy is deprecated. It’s being replaced with 2 more granular policies, which control autofilling address and credit card information into forms online. For Chrome devices running Chrome 70 and later, you need to update the AutofillAddressEnabled and AutofillCreditCardEnabled policies (details below).

  Autofill policies

  The AutofillAddressEnabled and AutofillCreditCardEnabled policies allow users to enter address and credit card information in web forms using previously stored information or information from their Google Account.

  If AutofillAddressEnabled is disabled, address information is not suggested or filled in. Additional address information that’s entered in web forms by the user will not be saved.

  If AutofillCreditCardEnabled is disabled, credit card information is not suggested or filled in. Additional credit card information that’s entered in web forms by the user will not be saved.

  If either the AutofillAddressEnabled or AutofillCreditCardEnabled setting is enabled or has no value, the user will be able to control autofill for addresses or credit card information, respectively.

Chrome OS updates

• Native SMB file share support

  SMB file shares (Windows file shares) are now supported natively on Chrome OS. Remote paths can be mounted as a root in the Files app. Supported authentication methods include Kerberos, Microsoft^® Active Directory^®, and NTLM version 2. To initiate an SMB file share:

  1. Open a Chrome Browser window and at the top right, click  Settings.
  2. Next to Network file shares, click Add File Share.
  3. Enter the required information and click Add.
  4. Open the Files app and browse the shared folder.
• 
• Camera app updates

  The Camera app has a refreshed UI. Photos and videos taken with the Camera app are now stored in the Downloads folder in the Files app.

• Enable key remapping for external keyboards

  Users can now remap the Search, Command, and Windows keys on external keyboards in the keyboard settings. If an Apple^® keyboard is attached to a Chromebook, the external keyboard setting defaults to the Control key. Other external keyboards default to the Search or Launcher key.

• Floating virtual keyboard

  For touch-enabled Chrome devices, you can use a floating keyboard to enter text with one finger. You can use this keyboard on a touchscreen, similar to how you use a smartphone keyboard.

• Restriction policy for native CUPS printing

  Admins can restrict users to color or black-and-white printing with CUPS printing. Users will not be able to manually change the setting on the device. Details are coming in Manage local and network printers.

Admin console updates

• Manage sign-ins in Chrome Browser and Chrome OS

  In the Google Admin console, you can restrict which domains users can use to access Google products, such as Gmail. The setting applies in Chrome Browser and on Chrome OS devices. For example, you might want to prevent employees from signing in to their personal Gmail accounts on a corporate-owned Chromebook. The setting combines the AllowedDomainsForApps and SecondaryGoogleAccountSigninAllowed policy.

• Support for certificate transparency enforcement exceptions

  A collection of 3 new user policies have been added to allow enterprises to provide exceptions to certificate transparency requirements. The policies can be found in the Admin console under Device management  Chrome management  User settings  Security.

  These settings are from the Chrome policies:

  • CertificateTransparencyEnforcementDisabledForCas
  • CertificateTransparencyEnforcementDisabledForLegacyCas
  • CertificateTransparencyEnforcementDisabledForUrls

• Improved developer tools policy

  You can use the new DeveloperToolsAvailability policy to allow developer tools except for force-installed extensions. This behavior is the new default and is useful for organizations that want to allow the general use of developer tools, but prevent tampering with force-installed extensions. For details, see the DeveloperToolsAvailability policy.

• Auto-updates over LTE policy control

  You can use the DeviceUpdateAllowedConnectionTypes policy to control which connection types a device can receive automatic updates over. There is now an option to enable automatic updates over all connection types, including LTE, as opposed to only WiFi and Ethernet. For details, see the DeviceUpdateAllowedConnectionTypes policy. This feature will be rolled out over the coming weeks in the Admin console under Device management  Chrome management  Device settings  Device Update Settings  Auto Update Settings.

• Lock screen control

  After a defined idle time, you can now set a lock screen on users’ devices running Chrome OS. This setting is in the Google Admin console under Device management  Chrome management  User settings  Security  Idle Settings.

Deprecations

• AutoFillEnabled policy deprecation

  The AutoFillEnabled policy is deprecated in Chrome 70. It’s being replaced with 2 more granular policies, which control autofilling address and credit card information into forms online. For Chrome devices running Chrome 70 and later, you need to update the AutofillAddressEnabled and AutofillCreditCardEnabled instead (see Form autofill policy changes above).

• UnsafelyTreatInsecureOriginAsSecure policy deprecation

  The UnsafelyTreatInsecureOriginAsSecure policy was deprecated in Chrome 69. Use OverrideSecurityRestrictionsOnInsecureOrigin instead.

• Gmail Offline app discontinued

  In December 2018, the Gmail Offline app will be removed from the Chrome Web Store. You can now get offline functionality in Gmail. For details, see Use Gmail offline.

• CRX2 deprecation

  Starting with Chrome 70, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in the Chrome Web Store have been automatically converted.

  Starting with Chrome 75, this restriction will also apply to force-installed extensions. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.

  If your organization is force-installing privately hosted extensions packaged in CRX2 format and you do not repackage them, they will stop updating in Chrome 75. New installations of the extension will fail.

  Why is this change happening?

  CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is computationally feasible, so an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm without this risk.

Coming soon

Note: The items listed below are experimental or planned updates. They may be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

• Change to using PAC scripts to configure proxy settings in Chrome Browser

  If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change, especially if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.

  The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of HTTPS URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution.

  In Chrome OS version 71, this policy will change the default value from FALSE to TRUE to improve security. If you already set this policy to TRUE, there will be no impact. If you set it to FALSE, there will be no immediate impact. If you have not set this policy and are relying on the default, you should test this change to see how your PAC scripts operate.

  Note: This policy will be removed in a future release when PAC stripping becomes the default for Chrome OS.

• CRX2 deprecation

  For details on what’s happening with CRX2-packaged extensions in Chrome 75, see CRX2 deprecation (above).

Upcoming Chrome OS features

• Android 9.0 Pie

  Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. Dates and affected devices have not yet been announced. We will include more information in future release notes when it comes available.

• Always-on VPN for managed Google Play

  Admins can already install Android VPN apps on Chromebooks. However, users have to start the VPN app manually. Soon, admins can set a VPN app to start a connection when a device is turned on and direct all traffic through that connection. If the connection fails, all traffic is blocked until the VPN connection is reestablished.

Upcoming Admin console features

• Native printer-management improvements

  Soon, you can add more than 20 printers for each organizational unit in the Google Admin console.

• Managed guest session support for managed Google Play

  Soon, there will be a setting in the Google Admin console that allows Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

We're accepting sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Chrome Browser updates

• Password Alert policy

  Password Alert has been a popular extension with enterprises for the past few years to protect Google Accounts. With the release of Chrome 69, we’re adding password alert as a policy for Chrome Browser to allow you to specify both Google and non-Google Accounts. If your users sign in to websites that aren’t whitelisted by your organization or are flagged as suspicious, they’ll get a warning that prompts them to reset their password. Preventing password reuse across multiple websites can protect your organization from compromised accounts.

• Reduce Chrome crashes caused by third-party software

  Third parties can sometimes inject code that disrupts the stability of Chrome Browser. In Chrome 66, we introduced on-screen warnings that alerted users when a third-party injects code. In Chrome 69, third-party code is now blocked by default. If you still use software that injects code into browser processes, you can temporarily enable access using the new ThirdPartyBlockingEnabled policy.

  Here is the warning users will see on their computers when this policy is enabled:

  

  Please note that this blocking feature was previously scheduled for M68, but is now scheduled for M69.

• On-premise reporting

  You can use a new reporting tool for Chrome Browser that provides insight into the browser, its resource consumption, and policy compliance. You can use Chrome Reporting Extension and a companion application on user machines to enable reporting. Use policies to specify what to monitor. Browser data is stored in a local file on disk in JSON format, which you can integrate with on-premise reporting and analytic tools, such as Spunk^® or Sumo Logic^®. For details, see Track Chrome Browser usage and events.

• Browser interface changes

  Chrome Browser will have a new design across all operating systems. Highlights include Microsoft^® Windows 10^® notification-center integration, touchpad gesture navigation on Windows, and autofill updates.

• Flash deprecation

  Last year, Adobe announced it will stop updating and distributing Adobe Flash™ at the end of 2020. Starting with Chrome 69, every time users restart Chrome Browser, they will have to grant permission for sites to use Flash. This update won’t impact your enterprise settings. You can continue to use the DefaultPluginsSetting, PluginsAllowedForUrls, and PluginsBlockedForUrls policies to configure Flash behavior. Only user-configured settings will be impacted. For details, see the Flash roadmap on Chromium.org. Flash will not be supported after December 2020.

• Update to Legacy Browser Support extension

  The Legacy Browser Support extension for Chrome has been updated to version 5.4. You can now specify more precise rules in URL lists to make managing multiple sites hosted on the same domain simpler. The update also improves support for automatically generated Microsoft^® Internet Explorer^® site lists. If you deploy the native Legacy Browser Support companion MSI manually, make sure to get the newest extension version to avoid mismatches with the extension version.

• Improvements to Chrome management with Intune

  Policies that are only available on Microsoft^® Windows^® instances that are joined to a Microsoft^® Active Directory^® domain can now be configured with Intune. These policies can even be managed on Windows instances not joined to a domain. Managing Chrome policies with Intune is supported on the Windows 10 Pro and Enterprise editions. For details, see Manage Chrome Browser with Microsoft Intune.

Chrome OS updates

• Linux (Beta) for Chromebooks

  Important:

  Linux (Beta) for Chromebooks allows developers to use editors and command-line tools by adding support for Linux on a Chrome device. After developers complete the set up, they’ll see a terminal in the Chrome launcher. Developers can use the terminal to install apps or packages, and the apps will be securely sandboxed inside a virtual machine.

  To try this out on an unmanaged device:

  • This feature is currently only supported on unenrolled Chrome devices and not available for managed Chrome devices.
  • This feature is only available on the latest Chrome devices. See Chromium.org for a list of Chrome device boards that support VMs.
  1. Go to Settings  Linux (Beta).
  2. Click Turn on.
     Note: If you don’t see Linux (Beta) in your Chrome OS settings, either you’re using a managed Chromebook, or you haven’t yet updated to Chrome OS 69 or later.
  3. Click Install in the window that appears to Set up Linux (Beta) on your Chromebook.

Linux can take several minutes to install. Once installation is complete, a terminal window will appear.

• Voice dictation from anywhere

  Voice-to-type functionality has been available on Chromebooks for some time through the on-screen accessibility keyboard or the virtual keyboard’s microphone icon. However, many of our users have asked to make dictation a standalone feature that's separate from the accessibility keyboard. Chrome 69 now offers dictation as a separate accessibility feature. With dictation enabled, a small button will appear at the bottom of the desktop. Also, when input focus is in a text-edit area, users can click a button to start dictating or press Search+D and use their voice to input text.

  

• Global text-to-speech settings

  In Chrome 69, we’re launching a new global text-to-speech settings page that’s available in your accessibility settings. Users can set a system-wide synthesized voice, language, pitch, and rate. We’re also working on making this setting smoother for any users who have non-default voice settings in the ChromeVox screen reader options page or the Select-to-speak options page.

• Files app improvements

  Native support for Drive in the Files app is targeted for Chrome 69. We’re also working on making managed Google Play on Chrome OS files available as read/write with the Files app. And, we’ll be making updates to improve the organization of local versus cloud file storage.

• Night Light support on Chromebooks

  To reduce eye strain and improve sleep, users can manage the color of their device displays throughout the day using Night Light. Users can use a preset sunrise and sunset schedule and suggested tint. Or, they customize their daily schedule and color temperature from a spectrum of colors.

• Visual updates for enterprise device enrollment

  The device-enrollment flow will be updated to match the visual styling of the rest of the Chrome OS out-of-box experience (OOBE). Functionality will not be affected. If you automate the out-of-box experience using USB devices, you should update your automation steps as appropriate.

Admin console updates

• Support for enterprise mobility management (EMM) coexistence for Android

  Previously, domains that had a third-party enterprise mobility management (EMM) provider bound to their domain could not manage Android apps on Chromebooks from the Google Admin console. Also, some users saw an empty Google Play store if their company was using an EMM to install Android apps outside of Google Play. With this change, administrators will be able to assign separate sets of Android apps for their Chrome and Android users from their respective consoles. The steps to manage apps remain the same. For details, see Use Android apps on Chrome devices.

• Android app installation improvements

  The most commonly used Android apps on a Chromebook will see performance improvements now that force-installed apps on Chromebooks can be kept as cached local copies. This improvement reduces the time it takes to install apps and network-traffic usage.

Deprecations

• SigninAllowed policy deprecation

  The SigninAllowed policy has been deprecated since Chrome 40. It will be removed from Chrome completely in Chrome 71. If you’re still using this policy, you need to transition to supported alternatives. For example, you can use the SyncDisabled policy to control the availability of the Chrome Sync feature.

• CRX2 deprecation

  Starting with Chrome 70, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in the Chrome Web Store have been automatically converted, but privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. Starting with Chrome 75, this restriction will also apply to force-installed extensions.

Upcoming Chrome Browser features (targeted for M70 and later)

• Redirect protection

  We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

  

Upcoming Chrome OS features (targeted for M70 and later)

• Enable key remapping for external keyboards

  This feature will allow users to remap the Search, Command, and Windows keys on external keyboards through keyboard settings. If an Apple^® keyboard is attached to a Chromebook, the external keyboard setting defaults to the Control key. Other external keyboards default to the Search or Launcher key.

Upcoming Admin console features

• Native printer-management improvements

  Soon, you can add more than 20 printers for each organizational unit in the Google Admin console.

• Manage sign-ins within Chrome Browser and on Chrome OS

  A new setting coming to the Google Admin console will allow you to restrict which domains users can use to access Google products like Gmail or G Suite. This applies for users that are browsing in the Chrome browser and on a Chrome OS device. A common way this setting could be used is to prevent students from signing in to their personal Gmail accounts on a school-owned Chromebook.

  Note: This Admin console setting combines these policies:

  • AllowedDomainsForApps
  • SecondaryGoogleAccountSigninAllowed

• Public-session support for managed Google Play on Chrome OS

  Soon, there will be a setting in the Google Admin console that allows Android apps to run in public sessions. Currently, Android apps can only run in a signed-in session.

Starting with Chrome 67, release notes are listed in a new format. They're no longer exclusive to Chrome Browser, but also includes a changelog of Chrome OS releases and Admin console features coming soon.

We're also now taking sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Chrome Browser updates

• Unencrypted sites to show “not secure” indicator

  For the past several years, we’ve advocated that sites adopt HTTPS encryption for greater security. Within the last year, we’ve also helped users by marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

  Chrome offers a policy to control this warning on your domain.

  

• Chrome Canary on Mac policy list update

  Chrome Canary on Mac reads the same policy file (com.google.chrome.plist) as the Dev, Beta, and Stable channels of Chrome. We’re deprecating the separate policy file com.google.chrome.canary.plist.

• Block a locally installed, hardcoded CA for Mitel VoIP products

  In M68, we plan to blacklist a hardcoded Certificate Authority (CA) and shared private key that’s installed with certain Mitel® VoIP products. The products contain both the public and private key for the Mitel IP Communications Platform (ICP) CA, which can be installed and trusted for a wide range of certificate purposes, including website SSL and TLS certificates. We’ve observed evidence of this CA being used to maliciously issue Man-in-the-Middle (MITM) certificates, including www.google.com. While this CA is not publicly trusted as a part of the web PKI, it warrants protecting Chrome users by blocking trust in it. For more details, see Mitel's security advisory.

• Certificate transparency

  M68 requires that all new publicly trusted certificates issued after April 30, 2018 have several Certificate Transparency logs. This update does not affect existing certificates or certificates from locally trusted CAs, such as Enterprise CAs or those used with antivirus or security products. For more information, see Certificate Transparency.

Chrome OS updates

• PIN sign-in support

  Users can now sign in to their device using a numeric PIN. Previously, users could only use a PIN to unlock their device after first signing in with a password. Policy to control this feature in the Admin console will arrive in a future release. When the policy is added, it will allow an admin to enable or disable their end users from setting a PIN for the Chrome device. Once enabled, the user has to set the PIN themselves. The PIN only works on that device and it won’t sync to other devices.

• Video capture service

  Video capture from internal and external cameras in Chrome (including on Chrome OS and Chromebox for meetings devices) has traditionally been run as part of the main Chrome Browser process. With the rollout of the video capture service, this functionality is now a separate process to enable isolation in services. There are no user-facing changes in functionality.

• 802.11v and 802.11r Fast BSS Transition support added

  These changes allow Chrome OS customers to more quickly connect to a network. Specifically, the 802.11r Fast BSS Transition enables a faster handoff for devices roaming in areas with many access points (APs). For enterprise users with 802.11r-enabled APs, the time-to-associate with APs while mobile is improved. 802.11v enables clients to be topology aware. This can allow clients to transition to APs, which increase throughput and QoS.

• Accessibility improvements

  Chrome OS M68 comes with a number of accessibility improvements.To enable the ChromeVox screen reader:

  1. Press and hold the 2 side volume buttons for 5 seconds. After a few seconds of holding these 2 buttons, an audio tone will play.
  2. Continue holding. The screen reader will start speaking. 

  Additionally, we’re launching new shortcuts to toggle accessibility features:

  • Select Ctrl + Search + M to enable/disable the full screen magnifier.
  • And select Ctrl + Search + D to enable/disable the new docked magnifier. 

  We’re adding new functionality to our Select to Speak feature, which allows users to select certain parts of the screen to be spoken aloud through a synthesized voice. With M63, we launched this feature by pressing the Search key, then clicking an item or dragging a box around content to have that content read aloud.

  With M67, we introduced the ability to highlight specific text, then press Search + D to have only that text spoken aloud.

  With M68, it’s now possible to use the Select to Speak feature with a touch screen, mouse, or stylus (in addition to or instead of the keyboard and touchpad). This adds a button in the status area that a user can click or touch, then select an area to be spoken aloud.

• Introduction of display size and refresh rates to display settings

  As of M68, we are rolling out a new display-zoom setting for primary display and adding resolution, along with refresh rates for external displays.

  • While disconnected from external display, users will be able to manipulate the size of objects on the screen.
  • When connected to external display, we are adding an option to set resolution, which determines sharpness of text and images.

  The goal of these changes is to give users more control over UI scale and look.

Admin console updates

• Automatic re-enrollment (Forced re-enrollment enhancement)

  A new feature allows a managed Chrome OS device that is wiped or recovered to automatically re-enroll after it connects to a network. With the previous Forced re-enrollment feature, a user had to enter their username and password to complete the re-enrollment step. But this new feature allows an admin to remove that requirement and automatically complete re-enrollment. This feature will be rolled out incrementally starting in July, 2018 and will become the default for new customers, as well as for existing customers who have not changed the default Forced re-enrollment setting.

  Admins can still require users to enter their credentials to re-enroll wiped or recovered devices and make use of enrollment permissions to prevent specific users from re-enrolling through that process.

• Device off-hours feature

  Admins can set up schedules to customize when sign-in restrictions and guest-mode policies are needed. For instance, schools can allow guardians and family members to sign in to Chrome devices with their personal accounts after school hours on managed devices.

• Native printer-management improvements

  A new policy to block users from manually adding printers is targeted for this release. With this policy, users will be limited to using printers assigned by their admin.

Upcoming Chrome Browser features (targeted for M69 and later)

• CRX2 deprecation (M69)

  Starting in M69, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in Chrome Web Store have been automatically converted, but privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. Starting in M75, this restriction will also apply to force-installed extensions.

• Reduce Chrome crashes caused by third-party software (M69)

  In M66, Chrome began showing a warning to users after a crash that displays third-party software that is injecting code into Chrome, guiding them to update or remove that software. In M69, Chrome will begin blocking third-party software from injecting code into Chrome processes.

  Please note that this blocking feature was previously scheduled for M68, but is now scheduled for M69.

  You can enable or disable third-party software blocking with the ThirdPartyBlockingEnabled policy. The policy will be deprecated in approximately one year (Chrome 77).

  

• Redirect protection

  We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

  

Upcoming Chrome OS features (targeted for M68 and later)

• Voice dictation from anywhere (M69)

  Voice to type has been available on Chromebooks for some time through the on-screen accessibility keyboard or the virtual keyboard’s microphone icon. However, a number of users have requested the ability to use dictation as a standalone feature, separate from needing to pull up the accessibility keyboard. Soon, we will launch dictation as a separate accessibility feature. With this enabled, a small button will appear in the status area. When focus is in an edit field, users can either click the button to start dictating or press the keyboard command Search + D, then use their voice to input text. 

• Enable key remapping for external keyboards (M69)

  The new feature allows users to remap Search/Command/Windows keys on external keyboards through keyboard settings. If an Apple^® keyboard is attached to Chromebook, the external keyboard setting defaults to Control. Other external keyboards default to Search/Launcher. 

• Files app improvements (M69)

  Native support for Drive in Files app is currently targeted for M69. The team is also working toward making ARC++ files available as read/write with the Files app and will be updating the UI to improve the organization of local vs. cloud file storage.

• Policy to show PIN pad on sign-in and lock screen for TouchView devices

  The Policy to show PIN feature will allow admins to show the PIN pad on the sign-in screen. This is intended to make sign-in easier on tablets in domains where the administrator has made all user passwords only digits.

• Visual updates for enterprise device enrollment flow

  The device enrollment flow will be updated to match the visual styling of the rest of the Chrome OS out-of-box experience (OOBE). These are only style changes and will not affect functionality. Customers who automate OOBE using USB devices should update their automation steps as appropriate.

• Night Light support on Chromebooks

  To reduce eye strain and improve sleep, Night Light on Chromebooks lets users manage the color of their device displays throughout the day. Users can use a preset sunrise/sunset schedule and suggested tint. Or, they customize their daily schedule and color temperature from a spectrum of colors.

Upcoming Admin console features

• Native printer-management improvements

  A change is coming to the Admin console to remove the 20-printer limit for each organizational unit.

• Sign-in Within the Browser policy

  Admins can restrict users who sign in to Chrome OS from adding additional Google Accounts in the browser.

• Public session support for managed Google Play on Chrome OS

  A setting is coming to the Admin console that will allow you to run Android apps in public sessions. Currently, Android apps can only run in a signed-in session.

Starting with Chrome 67, release notes are listed in a new format. They're no longer exclusive to Chrome Browser, but also include Chrome OS releases and Admin console features coming soon.

We're also now taking sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Chrome Browser updates

• SAML SSO interstitial

  Doesn’t impact users who sign in to G Suite services directly, those who use G Suite or Cloud Identity as their identity provider, or devices running Chrome OS.

  If your users use SAML to sign in to G Suite services, they’ll need to complete an extra step to confirm their identity when using the Chrome Browser. After signing in on a SAML provider’s website, they’ll be brought to a new screen on accounts.google.com to confirm their identity. This screen provides an extra layer of security and helps prevent users from unknowingly signing in to a malicious account.

  To minimize disruption, this screen will only be shown once per account per device. We’re working on ways to make the feature smarter in the future, meaning users in your organization should see the screen less and less over time.

  If you don’t want your users to confirm their identity on this interstitial page, you can set the X-GoogApps-AllowedDomains header and identify specific domains where the extra confirmation isn’t needed. We assume that if the user is signing in with an account that is in this list of domains, then the account is trusted by the user. You can set the header using the AllowedDomainsForApps group policy.

  For more details, see the G Suite Updates blog.

• Site Isolation

  You can turn on site isolation to create an additional security boundary between websites. When you enable site isolation, content for each open website in Chrome Browser is always rendered in a dedicated process, isolated from other sites. Adding site isolation creates an additional security boundary between websites.

  Chrome continues to roll out Site Isolation to a larger percentage of the stable population in M67. For details, see Manage Site Isolation.

Chrome OS updates

• Desktop Progressive Web Apps (PWAs)

  Desktop PWAs are now supported on devices running Chrome OS starting with M67. Work is underway to include support for Microsoft^® Windows^® and Apple^® Mac^®. For more information, see our developer site.

• Detachable-base swap detection

  Detachable-base swap detection helps prevent hackers from accessing sensitive data. When a keyboard base that has not been used before is attached to a detachable tablet, such as an HP Chromebook X2, the user gets notified. The detection helps prevent hackers from replacing the base with a different one that looks the same but has been modified.

• Block symlink traversal

  This feature improves verified boot security by preventing symlink traversal attacks, even after restart. This is a defensive measure to prevent attacks against Chromebooks from persisting through restart.

  This feature has no observable changes for most users. Developers and power users who use developer mode might run into issues, but these can be resolved by disabling this restriction. Learn more about restricting symlink traversal.

Admin console updates

• EAP-TLS device-level support

  Admins can now configure EAP-TLS network support at a device level. These network settings apply to users across the device, including users in a public session and kiosk mode. Learn more about adding a network configuration.

• Managed Google Play on Chrome OS policy update

  With this release, the Android user policies Backup & Restore and Google Location Services are disabled by default for the Chrome Enterprise and Chrome Education services. Admins can only turn off these features or let the users configure them. Admins cannot force these on for their users. The policies allow users to easily restore their data and help improve location accuracy on their Android apps.

• Admins can block apps from installation
  Currently not available for the Chrome Education service

  As an administrator, you can specify a blacklist of Android apps for users who have enabled All Access mode for Android on their organization’s domain. If a blacklisted app has already been downloaded onto a user’s device, it will be uninstalled.

• Android app installation reporting

  In a new section in the Google Admin console, you and other admins can troubleshoot Android app installations on devices running Chrome OS. You can now see the status of force-install (and uninstall) operations and filter the reports by organizational unit, user, or status. You can also see which devices the status applies to.

• Android app bulk purchasing on Education service

  As an administrator of the Chrome Education service, you can now bulk purchase one-time payment and perpetual-access apps from the managed Google Play store and provision them by user and organizational unit in the Admin console. In the Admin console, you can force-install, allow install, and pin apps to the taskbar. You can use a credit card and Google Play gift cards. In-app and subscription purchasing is not currently supported.

Upcoming Chrome Browser features (targeted for M68 and later)

• Unencrypted sites to show “not secure” indicator (M68)

  For the past several years, we’ve advocated that sites adopt HTTPS encryption for greater security. Within the last year, we’ve also helped users by marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

  Chrome will offer a policy to control this warning on a per-domain basis.

  

• Canary release channel on Mac update (M68)

  This change unifies the policy list for all Chrome OS release channels on Mac devices to include the Canary channel, which is consistent with how other platforms operate.

• Reduce Chrome crashes caused by third-party software (M68)

  In M66, Chrome began showing a warning to users after a crash that will display third-party software that is injecting code into Chrome, guiding them to update or remove that software. In M68, Chrome 68 will begin blocking third-party software from injecting code into Chrome processes.

  You can enable or disable third-party software blocking with the ThirdPartyBlockingEnabled policy.

  

• Block a locally-installed hardcoded CA for Mitel VoIP products (M68)

  In M68, we intend to blacklist a hardcoded Certificate Authority (CA) and shared private key that’s installed with certain Mitel^® VoIP products. The products contain both the public and private key for the Mitel IP Communications Platform (ICP) CA, which can be installed and trusted for a wide range of certificate purposes, including website SSL and TLS certificates. We’ve observed evidence of this CA being used to maliciously issue Man-in-the-Middle (MITM) certificates, including www.google.com. While this CA is not publicly-trusted as a part of the web PKI, it warrants protecting Chrome users by blocking trust in it. For more details, see Mitel's security advisory.

• Certificate transparency (M68)

  M68 will require that all new publicly-trusted certificates issued after April 30, 2018 have several Certificate Transparency logs. This update does not affect existing certificates or certificates from locally-trusted CAs, such as Enterprise CAs or those used with antivirus or security products. For more information, see Certificate Transparency.

• Redirect protection

  We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

  

Upcoming Chrome OS features (targeted for M68 and later)

• PIN sign-in support (M68)

  Users will now be able to sign in to their device using a numeric PIN. Previously, users could only use a PIN to unlock their device after first signing in with a password.

• Video capture service (M68)

  Video capture from internal and external camera devices in Chrome (including on Chrome OS and Chromebox for meetings devices) has traditionally been run as part of the main Chrome Browser process. With the rollout of the video capture service, this functionality is now a separate process to help enable better isolation. There are no user-facing changes in functionality.

Upcoming Admin console features

• Automatic re-enrollment (Forced re-enrollment enhancement) (M68)

  A new feature allows a Chrome OS device that is wiped or recovered to automatically re-enroll once it connects to a network. In the past, a user had to sign in to complete the re-enrollment step. But with the new feature, user credentials are no longer required to complete re-enrollment.

  Admins can still require users to sign in to re-enroll wiped or recovered devices.

• Native printer management improvements

  There will be 2 new improvements for native printer management:

  • A new policy for user and device settings to remove the 20-printer limit per organizational unit.
  • A new policy to block users from manually adding printers is targeted for M68.

• Sign-in Within the Browser policy

  Admins can restrict users who are signed in to the Chrome Browser from adding additional Google Accounts in the browser.

• Device off-hours feature

  Admins can set up schedules to customize when sign-in restrictions and guest-mode policies are needed. For instance, schools can allow guardians and family members to sign in to Chrome OS devices with their personal accounts after school hours on managed devices.

• Public session support for managed Google Play on Chrome OS

  You will soon be able to run Android apps in public sessions. Currently, Android apps can only run in a signed-in session.

Security updates

• Continuation of distrust of Symantec Certificates 

  Following our announcement to gradually phase out trust in Symantec's PKI, Chrome continues to remove trust in Symantec-issued certificates issued before June 1, 2016.

  The Google Security Blog published a guide for impacted site operators. The EnableSymantecLegacyInfrastructure enterprise policy allows administrators to temporarily remove Chrome's distrust of the Symantec PKI. The policy expires after Chrome 73 (targeted for release January 2019), giving enterprise admins 3 releases after Chrome's full distrust to migrate off of Symantec certificates.
  
  For details, see Migrate from Symantec certificates.

• Site Isolation Trial

  Chrome 66 includes a trial of Site Isolation for a small percentage of users, to prepare for a broader upcoming launch. Site Isolation improves Chrome's security and helps mitigate the risks posed by the Spectre security vulnerability.

  If you observe any issues with functionality or performance in the trial, it can be disabled by policy.  To diagnose whether an issue is caused by Site Isolation, test by going to chrome://flags#site-isolation-trial-opt-out and follow these instructions to opt out. If any of your users experience issues, you can disable the trial for your whole organization by setting the SitePerProcess policy to false, instead of leaving it unspecified.

  If you experience any issues during the Site Isolation trial, please report them here.

Enterprise features

• Chrome relaunch policy: RelaunchNotificationPeriod (M67)

  This feature allows admins to set the time period over which Chrome relaunch notifications are shown to apply a pending update. Over the period based on the setting of the RelaunchNotification policy, the user is repeatedly notified of the need for an update. If RelaunchNotificationPeriod isn't set, the default period of one week applies.

• Click to open PDF 

  For downloading embedded PDF content with an embed or iframe when Chrome's default PDF viewer is disabled (via settings or Enterprise policy) or not present (as on mobile), an Open button appears on the PDF placeholder.

• Force sign-in policy: Support for Mac

  The ForceBrowserSignin policy is supported on Mac.

Chrome policies

Changes in this release:

UI changes

• Changes to autoplay 

  Chrome is changing the policy for when sites can autoplay media with sound. Admins will be able to use the AutoplayAllowed policy to control whether Chrome defaults to allowing media to autoplay. For details, see the Autoplay Policy Changes.

• Reducing Chrome crashes caused by third-party software

  Chrome will begin showing a warning to users after a crash that displays third-party software injecting code into Chrome. It guides them to update or remove that software.

  

Deprecations

• Enable CommonName fallback for local anchors policy

  The EnableCommonNameFallbackForLocalAnchors policy was offered to give admins more time to update their local certificates. It removes the ability to allow certificates on sites using a certificate issued by local trust anchors that are missing the subjectAlternativeName extension.
  
  As of Chrome M66, we will be deprecating this policy. If a user running Chrome 66 tries to access a site where the certificate isn't allowed, they will see a warning indicating they can't trust the certificate.

Corrections

• Previously listed as launching with Chrome 66, SafeBrowsingWhitelistDomains will now launch in Chrome 67. This policy allows you to configure the list of domains Safe Browsing trusts. Safe Browsing won't check for dangerous resources (for example, phishing, malware, or unwanted software) for URLs that match these domains.

↑ back to top

Security updates

• Support for TLS 1.3

  This release comes with the latest version of the Transport Layer Security (TLS) protocol (TLS 1.3 draft 23) turned on. Users of Cisco Firepower devices configured to perform TLS man-in-the-middle interception in Decrypt-Resign/SSL Decryption Enabled mode should see Cisco's documentation.

Chrome policies

Changes in this release: