Chrome Enterprise release notes

We're accepting sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy	Description
AllowedUILocales Chrome OS only	Configures the allowed UI locales in a user session. This policy replaces the AllowedLocales policy.
OverrideSecurityRestrictionsOnInsecureOrigin	Specifies a list of origins (URLs) for which security restrictions on insecure origins will not apply. This policy replaces UnsafelyTreatInsecureOriginAsSecure. The policy now applies to Chrome OS and Android.
PasswordProtectionChangePasswordURL	Configures the change password URL.
PasswordProtectionLoginURLs	Configures the list of enterprise sign-in URLs where the password protection service should capture password fingerprints for reuse detection.
PasswordProtectionWarningTrigger	Configures the password protection warning trigger.
UsageTimeLimit Chrome OS only	Configure the time limit for a user session or device usage per day.

Chrome Browser updates

• Password Alert policy

  Password Alert has been a popular extension with enterprises for the past few years to protect Google Accounts. With the release of Chrome 69, we’re adding password alert as a policy for Chrome Browser to allow you to specify both Google and non-Google Accounts. If your users sign in to websites that aren’t whitelisted by your organization or are flagged as suspicious, they’ll get a warning that prompts them to reset their password. Preventing password reuse across multiple websites can protect your organization from compromised accounts.

• Reduce Chrome crashes caused by third-party software

  Third parties can sometimes inject code that disrupts the stability of Chrome Browser. In Chrome 66, we introduced on-screen warnings that alerted users when a third-party injects code. In Chrome 69, third-party code is now blocked by default. If you still use software that injects code into browser processes, you can temporarily enable access using the new ThirdPartyBlockingEnabled policy.

  Here is the warning users will see on their computers when this policy is enabled:

  

  Please note that this blocking feature was previously scheduled for M68, but is now scheduled for M69.

• On-premise reporting

  You can use a new reporting tool for Chrome Browser that provides insight into the browser, its resource consumption, and policy compliance. You can use Chrome Reporting Extension and a companion application on user machines to enable reporting. Use policies to specify what to monitor. Browser data is stored in a local file on disk in JSON format, which you can integrate with on-premise reporting and analytic tools, such as Spunk^® or Sumo Logic^®. For details, see Track Chrome Browser usage and events.

• Browser interface changes

  Chrome Browser will have a new design across all operating systems. Highlights include Microsoft^® Windows 10^® notification-center integration, touchpad gesture navigation on Windows, and autofill updates.

• Flash deprecation

  Last year, Adobe announced it will stop updating and distributing Adobe Flash™ at the end of 2020. Starting with Chrome 69, every time users restart Chrome Browser, they will have to grant permission for sites to use Flash. This update won’t impact your enterprise settings. You can continue to use the DefaultPluginsSetting, PluginsAllowedForUrls, and PluginsBlockedForUrls policies to configure Flash behavior. Only user-configured settings will be impacted. For details, see the Flash roadmap on Chromium.org. Flash will not be supported after December 2020.

• Update to Legacy Browser Support extension

  The Legacy Browser Support extension for Chrome has been updated to version 5.4. You can now specify more precise rules in URL lists to make managing multiple sites hosted on the same domain simpler. The update also improves support for automatically generated Microsoft^® Internet Explorer^® site lists. If you deploy the native Legacy Browser Support companion MSI manually, make sure to get the newest extension version to avoid mismatches with the extension version.

• Improvements to Chrome management with Intune

  Policies that are only available on Microsoft^® Windows^® instances that are joined to a Microsoft^® Active Directory^® domain can now be configured with Intune. These policies can even be managed on Windows instances not joined to a domain. Managing Chrome policies with Intune is supported on the Windows 10 Pro and Enterprise editions. For details, see Manage Chrome Browser with Microsoft Intune.

Chrome OS updates

• Linux (Beta) for Chromebooks

  Important:

  Linux (Beta) for Chromebooks allows developers to use editors and command-line tools by adding support for Linux on a Chrome device. After developers complete the set up, they’ll see a terminal in the Chrome launcher. Developers can use the terminal to install apps or packages, and the apps will be securely sandboxed inside a virtual machine.

  To try this out on an unmanaged device:

  • This feature is currently only supported on unenrolled Chrome devices and not available for managed Chrome devices.
  • This feature is only available on the latest Chrome devices. See Chromium.org for a list of Chrome device boards that support VMs.
  1. Go to Settings  Linux (Beta).
  2. Click Turn on.
     Note: If you don’t see Linux (Beta) in your Chrome OS settings, either you’re using a managed Chromebook, or you haven’t yet updated to Chrome OS 69 or later.
  3. Click Install in the window that appears to Set up Linux (Beta) on your Chromebook.

Linux can take several minutes to install. Once installation is complete, a terminal window will appear.

• Voice dictation from anywhere

  Voice-to-type functionality has been available on Chromebooks for some time through the on-screen accessibility keyboard or the virtual keyboard’s microphone icon. However, many of our users have asked to make dictation a standalone feature that's separate from the accessibility keyboard. Chrome 69 now offers dictation as a separate accessibility feature. With dictation enabled, a small button will appear at the bottom of the desktop. Also, when input focus is in a text-edit area, users can click a button to start dictating or press Search+D and use their voice to input text.

  

• Global text-to-speech settings

  In Chrome 69, we’re launching a new global text-to-speech settings page that’s available in your accessibility settings. Users can set a system-wide synthesized voice, language, pitch, and rate. We’re also working on making this setting smoother for any users who have non-default voice settings in the ChromeVox screen reader options page or the Select-to-speak options page.

• Files app improvements

  Native support for Team Drives in the Files app is targeted for Chrome 69. We’re also working on making managed Google Play on Chrome OS files available as read/write with the Files app. And, we’ll be making updates to improve the organization of local versus cloud file storage.

• Night Light support on Chromebooks

  To reduce eye strain and improve sleep, users can manage the color of their device displays throughout the day using Night Light. Users can use a preset sunrise and sunset schedule and suggested tint. Or, they customize their daily schedule and color temperature from a spectrum of colors.

• Visual updates for enterprise device enrollment

  The device-enrollment flow will be updated to match the visual styling of the rest of the Chrome OS out-of-box experience (OOBE). Functionality will not be affected. If you automate the out-of-box experience using USB devices, you should update your automation steps as appropriate.

Admin console updates

• Support for enterprise mobility management (EMM) coexistence for Android

  Previously, domains that had a third-party enterprise mobility management (EMM) provider bound to their domain could not manage Android apps on Chromebooks from the Google Admin console. Also, some users saw an empty Google Play store if their company was using an EMM to install Android apps outside of Google Play. With this change, administrators will be able to assign separate sets of Android apps for their Chrome and Android users from their respective consoles. The steps to manage apps remain the same. For details, see Use Android apps on Chrome devices.

• Android app installation improvements

  The most commonly used Android apps on a Chromebook will see performance improvements now that force-installed apps on Chromebooks can be kept as cached local copies. This improvement reduces the time it takes to install apps and network-traffic usage.

Deprecations

• SigninAllowed policy deprecation

  The SigninAllowed policy has been deprecated since Chrome 40. It will be removed from Chrome completely in Chrome 71. If you’re still using this policy, you need to transition to supported alternatives. For example, you can use the SyncDisabled policy to control the availability of the Chrome Sync feature.

• CRX2 deprecation

  Starting with Chrome 70, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in the Chrome Web Store have been automatically converted, but privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. Starting with Chrome 75, this restriction will also apply to force-installed extensions.

Upcoming Chrome Browser features (targeted for M70 and later)

• Redirect protection

  We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

  

Upcoming Chrome OS features (targeted for M70 and later)

• Enable key remapping for external keyboards

  This feature will allow users to remap the Search, Command, and Windows keys on external keyboards through keyboard settings. If an Apple^® keyboard is attached to a Chromebook, the external keyboard setting defaults to the Control key. Other external keyboards default to the Search or Launcher key.

Upcoming Admin console features

• Native printer-management improvements

  Soon, you can add more than 20 printers for each organizational unit in the Google Admin console.

• Manage sign-ins within Chrome Browser and on Chrome OS

  A new setting coming to the Google Admin console will allow you to restrict which domains users can use to access Google products like Gmail or G Suite. This applies for users that are browsing in the Chrome browser and on a Chrome OS device. A common way this setting could be used is to prevent students from signing in to their personal Gmail accounts on a school-owned Chromebook.

  Note: This Admin console setting combines these policies:

  • AllowedDomainsForApps
  • SecondaryGoogleAccountSigninAllowed

• Public-session support for managed Google Play on Chrome OS

  Soon, there will be a setting in the Google Admin console that allows Android apps to run in public sessions. Currently, Android apps can only run in a signed-in session.

Starting with Chrome 67, release notes are listed in a new format. They're no longer exclusive to Chrome Browser, but also includes a changelog of Chrome OS releases and Admin console features coming soon.

We're also now taking sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy	Description
ArcBackupRestoreServiceEnabled Chrome OS only	Controls Android backup and restore service
ArcGoogleLocationServicesEnabled Chrome OS only	Controls Android Google location services
ChromeCleanupEnabled Windows only	Enables Chrome Browser Cleanup on Windows
ChromeCleanupReportingEnabled Windows only	Controls how Chrome Browser Cleanup reports data to Google
DeveloperToolsAvailability	Controls where Developer Tools can be used
IsolateOriginsAndroid Android only	Enables Site Isolation on Chrome Browser for specified origins on Android devices
SafeBrowsingWhitelistDomains	For configuring the list of domains which will not trigger Safe Browsing warnings
SitePerProcessAndroid Android only	Enables Site Isolation for every site
WebUsbAskForUrls	Allows WebUSB on these sites
WebUsbBlockedForUrls	Blocks WebUSB on these sites

Chrome Browser updates

• Unencrypted sites to show “not secure” indicator

  For the past several years, we’ve advocated that sites adopt HTTPS encryption for greater security. Within the last year, we’ve also helped users by marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

  Chrome offers a policy to control this warning on your domain.

  

• Chrome Canary on Mac policy list update

  Chrome Canary on Mac reads the same policy file (com.google.chrome.plist) as the Dev, Beta, and Stable channels of Chrome. We’re deprecating the separate policy file com.google.chrome.canary.plist.

• Block a locally installed, hardcoded CA for Mitel VoIP products

  In M68, we plan to blacklist a hardcoded Certificate Authority (CA) and shared private key that’s installed with certain Mitel® VoIP products. The products contain both the public and private key for the Mitel IP Communications Platform (ICP) CA, which can be installed and trusted for a wide range of certificate purposes, including website SSL and TLS certificates. We’ve observed evidence of this CA being used to maliciously issue Man-in-the-Middle (MITM) certificates, including www.google.com. While this CA is not publicly trusted as a part of the web PKI, it warrants protecting Chrome users by blocking trust in it. For more details, see Mitel's security advisory.

• Certificate transparency

  M68 requires that all new publicly trusted certificates issued after April 30, 2018 have several Certificate Transparency logs. This update does not affect existing certificates or certificates from locally trusted CAs, such as Enterprise CAs or those used with antivirus or security products. For more information, see Certificate Transparency.

Chrome OS updates

• PIN sign-in support

  Users can now sign in to their device using a numeric PIN. Previously, users could only use a PIN to unlock their device after first signing in with a password. Policy to control this feature in the Admin console will arrive in a future release. When the policy is added, it will allow an admin to enable or disable their end users from setting a PIN for the Chrome device. Once enabled, the user has to set the PIN themselves. The PIN only works on that device and it won’t sync to other devices.

• Video capture service

  Video capture from internal and external cameras in Chrome (including on Chrome OS and Chromebox for meetings devices) has traditionally been run as part of the main Chrome Browser process. With the rollout of the video capture service, this functionality is now a separate process to enable isolation in services. There are no user-facing changes in functionality.

• 802.11v and 802.11r Fast BSS Transition support added

  These changes allow Chrome OS customers to more quickly connect to a network. Specifically, the 802.11r Fast BSS Transition enables a faster handoff for devices roaming in areas with many access points (APs). For enterprise users with 802.11r-enabled APs, the time-to-associate with APs while mobile is improved. 802.11v enables clients to be topology aware. This can allow clients to transition to APs, which increase throughput and QoS.

• Accessibility improvements

  Chrome OS M68 comes with a number of accessibility improvements.To enable the ChromeVox screen reader:

  1. Press and hold the 2 side volume buttons for 5 seconds. After a few seconds of holding these 2 buttons, an audio tone will play.
  2. Continue holding. The screen reader will start speaking. 

  Additionally, we’re launching new shortcuts to toggle accessibility features:

  • Select Ctrl + Search + M to enable/disable the full screen magnifier.
  • And select Ctrl + Search + D to enable/disable the new docked magnifier. 

  We’re adding new functionality to our Select to Speak feature, which allows users to select certain parts of the screen to be spoken aloud through a synthesized voice. With M63, we launched this feature by pressing the Search key, then clicking an item or dragging a box around content to have that content read aloud.

  With M67, we introduced the ability to highlight specific text, then press Search + D to have only that text spoken aloud.

  With M68, it’s now possible to use the Select to Speak feature with a touch screen, mouse, or stylus (in addition to or instead of the keyboard and touchpad). This adds a button in the status area that a user can click or touch, then select an area to be spoken aloud.

• Introduction of display size and refresh rates to display settings

  As of M68, we are rolling out a new display-zoom setting for primary display and adding resolution, along with refresh rates for external displays.

  • While disconnected from external display, users will be able to manipulate the size of objects on the screen.
  • When connected to external display, we are adding an option to set resolution, which determines sharpness of text and images.

  The goal of these changes is to give users more control over UI scale and look.

Admin console updates

• Automatic re-enrollment (Forced re-enrollment enhancement)

  A new feature allows a managed Chrome OS device that is wiped or recovered to automatically re-enroll after it connects to a network. With the previous Forced re-enrollment feature, a user had to enter their username and password to complete the re-enrollment step. But this new feature allows an admin to remove that requirement and automatically complete re-enrollment. This feature will be rolled out incrementally starting in July, 2018 and will become the default for new customers, as well as for existing customers who have not changed the default Forced re-enrollment setting.

  Admins can still require users to enter their credentials to re-enroll wiped or recovered devices and make use of enrollment permissions to prevent specific users from re-enrolling through that process.

• Device off-hours feature

  Admins can set up schedules to customize when sign-in restrictions and guest-mode policies are needed. For instance, schools can allow guardians and family members to sign in to Chrome devices with their personal accounts after school hours on managed devices.

• Native printer-management improvements

  A new policy to block users from manually adding printers is targeted for this release. With this policy, users will be limited to using printers assigned by their admin.

Upcoming Chrome Browser features (targeted for M69 and later)

• CRX2 deprecation (M69)

  Starting in M69, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in Chrome Web Store have been automatically converted, but privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. Starting in M75, this restriction will also apply to force-installed extensions.

• Reduce Chrome crashes caused by third-party software (M69)

  In M66, Chrome began showing a warning to users after a crash that displays third-party software that is injecting code into Chrome, guiding them to update or remove that software. In M69, Chrome will begin blocking third-party software from injecting code into Chrome processes.

  Please note that this blocking feature was previously scheduled for M68, but is now scheduled for M69.

  You can enable or disable third-party software blocking with the ThirdPartyBlockingEnabled policy. The policy will be deprecated in approximately one year (Chrome 77).

  

• Redirect protection

  We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

  

Upcoming Chrome OS features (targeted for M68 and later)

• Voice dictation from anywhere (M69)

  Voice to type has been available on Chromebooks for some time through the on-screen accessibility keyboard or the virtual keyboard’s microphone icon. However, a number of users have requested the ability to use dictation as a standalone feature, separate from needing to pull up the accessibility keyboard. Soon, we will launch dictation as a separate accessibility feature. With this enabled, a small button will appear in the status area. When focus is in an edit field, users can either click the button to start dictating or press the keyboard command Search + D, then use their voice to input text. 

• Enable key remapping for external keyboards (M69)

  The new feature allows users to remap Search/Command/Windows keys on external keyboards through keyboard settings. If an Apple® keyboard is attached to Chromebook, the external keyboard setting defaults to Control. Other external keyboards default to Search/Launcher. 

• Files app improvements (M69)

  Native support for Team Drives in Files app is currently targeted for M69. The team is also working toward making ARC++ files available as read/write with the Files app and will be updating the UI to improve the organization of local vs. cloud file storage.

• Policy to show PIN pad on sign-in and lock screen for TouchView devices

  The Policy to show PIN feature will allow admins to show the PIN pad on the sign-in screen. This is intended to make sign-in easier on tablets in domains where the administrator has made all user passwords only digits.

• Visual updates for enterprise device enrollment flow

  The device enrollment flow will be updated to match the visual styling of the rest of the Chrome OS out-of-box experience (OOBE). These are only style changes and will not affect functionality. Customers who automate OOBE using USB devices should update their automation steps as appropriate.

• Night Light support on Chromebooks

  To reduce eye strain and improve sleep, Night Light on Chromebooks lets users manage the color of their device displays throughout the day. Users can use a preset sunrise/sunset schedule and suggested tint. Or, they customize their daily schedule and color temperature from a spectrum of colors.

Upcoming Admin console features

• Native printer-management improvements

  A change is coming to the Admin console to remove the 20-printer limit for each organizational unit.

• Sign-in Within the Browser policy

  Admins can restrict users who sign in to Chrome OS from adding additional Google Accounts in the browser.

• Public session support for managed Google Play on Chrome OS

  A setting is coming to the Admin console that will allow you to run Android apps in public sessions. Currently, Android apps can only run in a signed-in session.

Starting with Chrome 67, release notes are listed in a new format. They're no longer exclusive to Chrome Browser, but also include Chrome OS releases and Admin console features coming soon.

We're also now taking sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy	Description
ArcAppInstallEventLoggingEnabled	Logs events for Android app installs (Chrome OS)
AutoplayWhitelist	Allows media autoplay on a whitelist of URL patterns
CertificateTransparencyEnforcementDisabledForCas	Disables Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes
CertificateTransparencyEnforcementDisabledForLegacyCas	Disables Certificate Transparency enforcement for a list of Legacy Certificate Authorities
DefaultWebUsbGuardSetting	Controls use of the WebUSB API
DeviceRollbackAllowedMilestones	Specifies the number of milestone rollbacks allowed (Chrome OS)
DeviceRollbackToTargetVersion	Specifies a rollback to a target version (Chrome OS)
MediaRouterCastAllowAllIPs	Allows Google Cast to connect to Cast-ready devices on all IP addresses
RelaunchNotificationPeriod	Sets the period for update relaunch notifications
SafeBrowsingExtendedReportingEnabled	Enables extended reporting for Safe Browsing (added in M66)
TabUnderAllowed	Allows sites to simultaneously navigate and open notifications

Chrome Browser updates

• SAML SSO interstitial

  Doesn’t impact users who sign in to G Suite services directly, those who use G Suite or Cloud Identity as their identity provider, or devices running Chrome OS.

  If your users use SAML to sign in to G Suite services, they’ll need to complete an extra step to confirm their identity when using the Chrome Browser. After signing in on a SAML provider’s website, they’ll be brought to a new screen on accounts.google.com to confirm their identity. This screen provides an extra layer of security and helps prevent users from unknowingly signing in to a malicious account.

  To minimize disruption, this screen will only be shown once per account per device. We’re working on ways to make the feature smarter in the future, meaning users in your organization should see the screen less and less over time.

  If you don’t want your users to confirm their identity on this interstitial page, you can set the X-GoogApps-AllowedDomains header and identify specific domains where the extra confirmation isn’t needed. We assume that if the user is signing in with an account that is in this list of domains, then the account is trusted by the user. You can set the header using the AllowedDomainsForApps group policy.

  For more details, see the G Suite Updates blog.

• Site Isolation

  You can turn on site isolation to create an additional security boundary between websites. When you enable site isolation, content for each open website in Chrome Browser is always rendered in a dedicated process, isolated from other sites. Adding site isolation creates an additional security boundary between websites.

  Chrome continues to roll out Site Isolation to a larger percentage of the stable population in M67. For details, see Manage Site Isolation.

Chrome OS updates

• Desktop Progressive Web Apps (PWAs)

  Desktop PWAs are now supported on devices running Chrome OS starting with M67. Work is underway to include support for Microsoft^® Windows^® and Apple^® Mac^®. For more information, see our developer site.

• Detachable-base swap detection

  Detachable-base swap detection helps prevent hackers from accessing sensitive data. When a keyboard base that has not been used before is attached to a detachable tablet, such as an HP Chromebook X2, the user gets notified. The detection helps prevent hackers from replacing the base with a different one that looks the same but has been modified.

• Block symlink traversal

  This feature improves verified boot security by preventing symlink traversal attacks, even after restart. This is a defensive measure to prevent attacks against Chromebooks from persisting through restart.

  This feature has no observable changes for most users. Developers and power users who use developer mode might run into issues, but these can be resolved by disabling this restriction. Learn more about restricting symlink traversal.

Admin console updates

• EAP-TLS device-level support

  Admins can now configure EAP-TLS network support at a device level. These network settings apply to users across the device, including users in a public session and kiosk mode. Learn more about adding a network configuration.

• Managed Google Play on Chrome OS policy update

  With this release, the Android user policies Backup & Restore and Google Location Services are disabled by default for the Chrome Enterprise and Chrome Education services. Admins can only turn off these features or let the users configure them. Admins cannot force these on for their users. The policies allow users to easily restore their data and help improve location accuracy on their Android apps.

• Admins can block apps from installation
  Currently not available for the Chrome Education service

  As an administrator, you can specify a blacklist of Android apps for users who have enabled All Access mode for Android on their organization’s domain. If a blacklisted app has already been downloaded onto a user’s device, it will be uninstalled.

• Android app installation reporting

  In a new section in the Google Admin console, you and other admins can troubleshoot Android app installations on devices running Chrome OS. You can now see the status of force-install (and uninstall) operations and filter the reports by organizational unit, user, or status. You can also see which devices the status applies to.

• Android app bulk purchasing on Education service

  As an administrator of the Chrome Education service, you can now bulk purchase one-time payment and perpetual-access apps from the managed Google Play store and provision them by user and organizational unit in the Admin console. In the Admin console, you can force-install, allow install, and pin apps to the taskbar. You can use a credit card and Google Play gift cards. In-app and subscription purchasing is not currently supported.

Upcoming Chrome Browser features (targeted for M68 and later)

• Unencrypted sites to show “not secure” indicator (M68)

  For the past several years, we’ve advocated that sites adopt HTTPS encryption for greater security. Within the last year, we’ve also helped users by marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

  Chrome will offer a policy to control this warning on a per-domain basis.

  

• Canary release channel on Mac update (M68)

  This change unifies the policy list for all Chrome OS release channels on Mac devices to include the Canary channel, which is consistent with how other platforms operate.

• Reduce Chrome crashes caused by third-party software (M68)

  In M66, Chrome began showing a warning to users after a crash that will display third-party software that is injecting code into Chrome, guiding them to update or remove that software. In M68, Chrome 68 will begin blocking third-party software from injecting code into Chrome processes.

  You can enable or disable third-party software blocking with the ThirdPartyBlockingEnabled policy.

  

• Block a locally-installed hardcoded CA for Mitel VoIP products (M68)

  In M68, we intend to blacklist a hardcoded Certificate Authority (CA) and shared private key that’s installed with certain Mitel^® VoIP products. The products contain both the public and private key for the Mitel IP Communications Platform (ICP) CA, which can be installed and trusted for a wide range of certificate purposes, including website SSL and TLS certificates. We’ve observed evidence of this CA being used to maliciously issue Man-in-the-Middle (MITM) certificates, including www.google.com. While this CA is not publicly-trusted as a part of the web PKI, it warrants protecting Chrome users by blocking trust in it. For more details, see Mitel's security advisory.

• Certificate transparency (M68)

  M68 will require that all new publicly-trusted certificates issued after April 30, 2018 have several Certificate Transparency logs. This update does not affect existing certificates or certificates from locally-trusted CAs, such as Enterprise CAs or those used with antivirus or security products. For more information, see Certificate Transparency.

• Redirect protection

  We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

  

Upcoming Chrome OS features (targeted for M68 and later)

• PIN sign-in support (M68)

  Users will now be able to sign in to their device using a numeric PIN. Previously, users could only use a PIN to unlock their device after first signing in with a password.

• Video capture service (M68)

  Video capture from internal and external camera devices in Chrome (including on Chrome OS and Chromebox for meetings devices) has traditionally been run as part of the main Chrome Browser process. With the rollout of the video capture service, this functionality is now a separate process to help enable better isolation. There are no user-facing changes in functionality.

Upcoming Admin console features

• Automatic re-enrollment (Forced re-enrollment enhancement) (M68)

  A new feature allows a Chrome OS device that is wiped or recovered to automatically re-enroll once it connects to a network. In the past, a user had to sign in to complete the re-enrollment step. But with the new feature, user credentials are no longer required to complete re-enrollment.

  Admins can still require users to sign in to re-enroll wiped or recovered devices.

• Native printer management improvements

  There will be 2 new improvements for native printer management:

  • A new policy for user and device settings to remove the 20-printer limit per organizational unit.
  • A new policy to block users from manually adding printers is targeted for M68.

• Sign-in Within the Browser policy

  Admins can restrict users who are signed in to the Chrome Browser from adding additional Google Accounts in the browser.

• Device off-hours feature

  Admins can set up schedules to customize when sign-in restrictions and guest-mode policies are needed. For instance, schools can allow guardians and family members to sign in to Chrome OS devices with their personal accounts after school hours on managed devices.

• Public session support for managed Google Play on Chrome OS

  You will soon be able to run Android apps in public sessions. Currently, Android apps can only run in a signed-in session.

Security updates

• Continuation of distrust of Symantec Certificates 

  Following our announcement to gradually phase out trust in Symantec's PKI, Chrome continues to remove trust in Symantec-issued certificates issued before June 1, 2016.

  The Google Security Blog published a guide for impacted site operators. The EnableSymantecLegacyInfrastructure enterprise policy allows administrators to temporarily remove Chrome's distrust of the Symantec PKI. The policy expires after Chrome 73 (targeted for release January 2019), giving enterprise admins 3 releases after Chrome's full distrust to migrate off of Symantec certificates.
  
  For details, see Migrate from Symantec certificates.

• Site Isolation Trial

  Chrome 66 includes a trial of Site Isolation for a small percentage of users, to prepare for a broader upcoming launch. Site Isolation improves Chrome's security and helps mitigate the risks posed by the Spectre security vulnerability.

  If you observe any issues with functionality or performance in the trial, it can be disabled by policy.  To diagnose whether an issue is caused by Site Isolation, test by going to chrome://flags#site-isolation-trial-opt-out and follow these instructions to opt out. If any of your users experience issues, you can disable the trial for your whole organization by setting the SitePerProcess policy to false, instead of leaving it unspecified.

  If you experience any issues during the Site Isolation trial, please report them here.

Enterprise features

• Chrome relaunch policy: RelaunchNotification 

  If set to 1, or recommended, the user sees a prompt after days 2, 4, 7, and every 3 days after that. If set to 2, or required, the user sees a prompt at days 2, 4, and 7, with a forced relaunch 3 minutes after the final prompt. The RelaunchNotificationPeriod policy feature will make the period configurable.

• Chrome relaunch policy: RelaunchNotificationPeriod (M67)

  This feature allows admins to set the time period over which Chrome relaunch notifications are shown to apply a pending update. Over the period based on the setting of the RelaunchNotification policy, the user is repeatedly notified of the need for an update. If RelaunchNotificationPeriod isn't set, the default period of one week applies.

• Click to open PDF 

  For downloading embedded PDF content with an embed or iframe when Chrome's default PDF viewer is disabled (via settings or Enterprise policy) or not present (as on mobile), an Open button appears on the PDF placeholder.

• Force sign-in policy: Support for Mac

  The ForceBrowserSignin policy is supported on Mac.

Chrome policies

Changes in this release:

Policy	Notes
AutoplayAllowed	This policy allows you to control whether videos with audio content can autoplay (without user consent) in Chrome.
EnableCommonNameFallbackForLocalAnchors	This policy has been deprecated.
EnableSymantecLegacyInfrastructure	When this setting is enabled, Chrome allows certificates issued by Symantec Corporation's Legacy PKI operations to be trusted if they otherwise successfully validate and chain to a recognized CA certificate.
ForceBrowserSignin	Force users to sign in to the profile before using Chrome. Added support for Mac.
RelaunchNotification	Notify users to relaunch Chrome to apply a pending update.
SafeBrowsingExtendedReportingEnabled	This setting enables Chrome's Safe Browsing Extended Reporting and prevents users from changing it.
SSLVersionMin	If this policy isn't configured, Chrome uses the default minimum version of TLS 1.0.

 

UI changes

• Changes to autoplay 

  Chrome is changing the policy for when sites can autoplay media with sound. Admins will be able to use the AutoplayAllowed policy to control whether Chrome defaults to allowing media to autoplay. For details, see the Autoplay Policy Changes.

• Reducing Chrome crashes caused by third-party software

  Chrome will begin showing a warning to users after a crash that displays third-party software injecting code into Chrome. It guides them to update or remove that software.

  

Deprecations

• Enable CommonName fallback for local anchors policy

  The EnableCommonNameFallbackForLocalAnchors policy was offered to give admins more time to update their local certificates. It removes the ability to allow certificates on sites using a certificate issued by local trust anchors that are missing the subjectAlternativeName extension.
  
  As of Chrome M66, we will be deprecating this policy. If a user running Chrome 66 tries to access a site where the certificate isn't allowed, they will see a warning indicating they can't trust the certificate.

 

Corrections

• Previously listed as launching with Chrome 66, SafeBrowsingWhitelistDomains will now launch in Chrome 67. This policy allows you to configure the list of domains Safe Browsing trusts. Safe Browsing won't check for dangerous resources (for example, phishing, malware, or unwanted software) for URLs that match these domains.

 

↑ back to top

Security updates

• Support for TLS 1.3

  This release comes with the latest version of the Transport Layer Security (TLS) protocol (TLS 1.3 draft 23) turned on. Users of Cisco Firepower devices configured to perform TLS man-in-the-middle interception in Decrypt-Resign/SSL Decryption Enabled mode should see Cisco's documentation.

Chrome policies

Changes in this release:

Policy	Notes
AlwaysAuthorizePlugins	This policy was deprecated.
AbusiveExperience InterventionEnforce	Prevent pages with abusive experiences from opening new windows or tabs.
AdsSettingForIntrusive AdsSites	Set whether ads should be blocked on sites with intrusive ads.
DeviceLoginScreenAutoSelect CertificateForUrls	Automatically select client certificates for these sites on the sign-in screen (available on Chrome OS).
DisablePluginFinder	This policy was deprecated.
RestrictAccountsToPatterns	Restrict accounts that are visible in Chrome (available on Android.)
SecondaryGoogleAccountSign inAllowed	Allow multiple sign-in access within the browser (available on Chrome OS).
SecurityKeyPermitAttestation	URLs/domains are automatically permitted direct Security Key attestation.
SpellcheckEnabled	If this policy is on, the user is allowed to use spellcheck.
SpellcheckLanguage	This policy force enables spellcheck languages.
ThirdPartyBlockingEnabled	This policy enables third-party software injection blocking (available on Windows).
UnsafelyTreatInsecureOriginA sSecure	This policy specifies a list of origins (URLs) to be treated as secure context. Learn more about secure contexts.
WebDriverOverrides IncompatiblePolicies	This policy allows users of the WebDriver feature to override policies that can interfere with its operation.

Developer changes

• Ignore <a download> for cross-origin URLs

  To avoid user-mediated information leakage, Chrome starts to ignore the presence of the download attribute on anchor elements with cross-origin attributes. See more details on Chromium.org.

Deprecations

• Mac OS X 10.9 Support 

  Chrome won't support Mac OS X 10.9. Chrome on Mac OS X 10.9 does not autoupdate. If you have Mac OS X 10.9, upgrade to a newer Mac OS.

 

↑ back to top

Security updates

The Chrome Releases Blog lists all the latest Chrome security changes. Chrome 64 also mitigates against speculative side-channel attacks.

• Site isolation improvements  

  With M64, we fixed known issues and made improvements with site isolation.

Enterprise features

• Forced sign-in  

  This feature allows admins to force a user to sign in with their Google account before using Chrome. It ensures Chrome can only be used when under management by cloud-based policies configured in the Admin console. See Force users to sign in to Chrome.

UI changes

• Site muting 

  You can mute/unmute sites by interacting with the tab options or by clicking Lock  to the left of the URL (desktop only). The Sound settings page (for the desktop, chrome://settings/content/sound) lets you add exceptions for individual sites, as well as turn on/off audio for all sites. If you mute a site through this feature, all open tabs for that site are muted.

 

• Stronger pop-up blocker 

  One out of every 5 user feedback reports submitted on Chrome for desktop mention some type of unwanted content. Examples include links to third-party websites disguised as play buttons or transparent overlays on websites that capture all clicks and open new tabs or windows. In this release, Chrome's pop-up blocker now prevents sites with these types of abusive experiences from opening new tabs or windows. Site owners can use the Abusive Experiences Report in Google Search Console to see if any of these abusive experiences have been found on their site and improve their user experience.

• Change to JavaScript dialogs 

  We are changing the way Chrome handles JavaScript dialogs window.alert(), window.confirm(), window.prompt() to improve user experience and better align with other modern browser's behaviors. Background tabs are no longer brought to the foreground when a dialog is triggered. Instead, the tab header shows a small visual indicator.

  Sites can still show browser notifications if permitted by the user or admin. Users can allow browser notifications by interacting with the pop-up permission prompt or changing site permissions. Admins can use the NotificationsAllowedForUrls policy through GPO or the Admin console to list site URLs they want to allow to display notifications to users (for example, calendar.google.com).

Developer changes

• Resize Observer 

  Traditionally, responsive web applications have used CSS media queries or window.onresize to build responsive components that adapt content to different viewport sizes. However, both of these are global signals and require the overall viewport to change in order for the site to respond accordingly. Chrome now supports the Resize Observer API to give web applications finer control to observe changes to sizes of elements on a page.

This code snippet uses the Resize Observer API to observe changes to an element:

const ro = new ResizeObserver((entries) => { for (const entry of entries) { const cr = entry.contentRect; console.log('Element:', entry.target); console.log(`Element size: ${cr.width}px × ${cr.height}px`); console.log(`Element padding: ${cr.top}px / ${cr.left}px`); } }) // Observe one or multiple elements ro.observe(someElement);

• import.meta 

  Developers writing JavaScript modules often want access to host-specific metadata about the current module. To make this easier, Chrome now supports the import.meta property within modules that exposes the module URL via import.meta.url. Library authors might want to access the URL of the module being bundled into the library to more easily resolve resources relative to the module file as opposed to the current HTML document. In the future, Chrome plans to add more properties to import.meta.

Deprecations

• SharedArrayBuffer (M63)

  In line with other browsers, starting on January 5, 2018, Chrome disabled SharedArrayBuffer on Chrome 63. To help reduce the efficacy of speculative side-channel attacks, Chrome will modify the behavior of other APIs, such as performance.now. This is intended as a temporary measure until other mitigations are in place.

• Enable CommonName fallback for local anchors policy (M66)

  Chrome offered the EnableCommonNameFallbackForLocalAnchors policy to give IT admins more time to update their local certificates. As of Chrome 66, targeted for Stable Channel on April 2018, we will start deprecating this policy, which removes the ability to allow certificates on sites using a certificate issued by local trust anchors that is missing the subjectAlternativeName extension. If an end-user running Chrome 66 attempts to access a site where the certificate isn't allowed, they will see a warning that the certificate cannot be trusted.

 

↑ back to top

Security updates

See the latest Chrome security improvements in the Chrome Releases Blog.

• Enabling TLS 1.3 

  TLS 1.3 is enabled starting in Chrome 63. At this time, the only Google service with TLS 1.3 enabled is Gmail, but this expands to the broader web in 2018. End users should not be impacted by this change. If you are aware of any systems that don't work with TLS 1.3, post your feedback in the admin forum. As you prepare for wider use of TLS 1.3, you can configure this policy for network software or hardware in your enterprise that will not transit TLS 1.3 connections. See more information on Chromium.org.

• Support for NTLMv2 authentication protocol 

  Chrome 63 also includes support for NTLMv2 authentication protocol on Mac, Android, Linux, and Chrome OS. We are expanding on a previous release that supported NTLMv2 for Windows. With versions prior to Chrome 63, this must be manually enabled via chrome://flags. In 2018, we set NTLMv2 as the default NTLM protocol. For enterprises that need to extend support for NTLMv1, a new policy is available to allow you to force the older NTLMv1 protocol as needed.

• Site isolation 

  Site isolation is available in Chrome 63. With site isolation enabled, Chrome renders content for each open website in a separate process, isolated from other websites. This can mean even stronger security boundaries between websites than Chrome's existing sandboxing technology. Read more at Manage site isolation.

UI changes

• Material design bookmarks

  Chrome's Bookmarks Manager has now been refreshed with new Material Design UI. Take a look by visiting chrome://bookmarks.

  

Deprecations

 

↑ back to top

Security updates

• Warning for untrusted Symantec certificates

  Chrome 62 introduces a console warning for sites using certificates from Symantec or Symantec brands that may not be trusted in future versions of Chrome. For more information, see this blog post.

Enterprise features

• Change to update-check URL

  We are changing our main update-check URL host on Chrome for desktop from tools.google.com to update.googleapis.com. You might need to update your enterprise's firewall whitelist to the our new update-check URL to ensure that Chrome continues to update. Learn more.

• Manage extensions by permission

  The permission-based management of extensions is a new enterprise-focused set of controls implemented via Chrome policy and used to prevent extensions that request undesirable permissions from running. Example: Set or modify a proxy (proxy), Capture audio/video of the desktop (desktopCapture), etc. Learn more.

UI changes

• Chrome Cleanup tool 

  On Chrome for Windows, the Chrome Cleanup feature alerts users when it detects unwanted software. It offers a quick way to remove the software and return Chrome to its default settings. We recently completed a full redesign of Chrome Cleanup. The new interface is simpler, has a native Chrome interface, and makes it easier to see what software will be removed.

  

• Edit username when saving passwords

  You can now edit your username when prompted to store a password for a website you visit. When you see the pop-up to save a password (or click the key icon in the address bar after signing in to a page), simply click Edit  and make any edits needed.

  

• Introducing Site settings page

  Starting M62, you will see a new Site settings button. The Site settings page provides per-origin permissions, rather than per-permission exceptions.

  

Deprecations

 

↑ back to top

Security updates

To learn about the latest Chrome security changes, see the Chrome Releases Blog.

• Final removal of trust in WoSign and StartCom certificates

  Chrome 61 or later won't trust website authentication certificates issued by WoSign or StartCom. This is the culmination of a multi-release distrust process.

Enterprise features

• Side-by-side Chrome channels on Windows

  Chrome supports multiple release channels with varying degrees of stability and support. Most users browse with the Stable channel of Chrome. In addition to Stable, Google also ships early-access Chrome channels (Dev, Beta) to get early feedback on features and changes, directly from users and developers. Early-access channels allow developers and admins to try cutting-edge features and validate that business critical applications continue to function as Chrome changes.
  
  Currently, you can't install and run Dev or Beta Chrome on the same computer as the Stable version of Chrome. Starting M61, users can install and run Dev, Beta, and Stable versions concurrently on the same Windows computer. For more details, see the blog post.

UI changes

• Material Design for New Tab Page (NTP)

  We applied a modernized Material Design look to the Desktop NTP. The search bar has been updated to a lighter drop-shadow style that is consistent with Google Web Search. Most visited sites has also been updated to use the same lighter style and refined hover, focus, and active states.

  

• New messaging for installing extensions that modify New Tab Page (NTP)

  Extensions can modify the main site shown on a new tab, called the new tab page (NTP). Users often install extensions that modify NTP but aren't fully aware of how their experience will change. Starting in M61, there is a new permission warning shown at extension install time, which will indicate that the extension can change the default NTP to a custom site. The goal of these changes is to improve user awareness about extensions that will change their Chrome defaults, once installed.

Deprecations

To see all of the changes that are in Chrome 61, visit the commit log.

 

↑ back to top

Security updates

Learn more about the latest Chrome security updates in the Chrome Releases Blog.

Enterprise features

• Chrome Enterprise Bundle (May 23, 2017)

  Google announced the release of the Chrome Enterprise Bundle, as well as Chrome Browser support for new platforms: Citrix Xenapp, Terminal Services, and Windows Server platforms. See the announcement.

Deprecations

To see all of the changes in Chrome 60, visit the commit log.

 

↑ back to top

Enterprise features

• Chrome Enterprise Bundle (May 23, 2017)

  Google announced the release of the Chrome Enterprise Bundle as well as Chrome Browser support for new platforms: Citrix Xenapp, Terminal Services, Windows Server platforms. See the announcement.

UI changes

• Material Design comes to Chrome settings

  Chrome Settings has updated to Material Design with a new look with the same ease of use and functionality.
  
  Notable changes:

  • Larger and more prominent search bar
  • New menu icon  to the top left of Settings that gives you an easy way to jump to specific sections, like People, Appearance, and Search Engine
  • Combined and simplified Sign In and People sections
  • Streamlined Content Settings section
  • Search section renamed Search Engine
  • Privacy section renamed Privacy and Security
  • Proxy settings moved under the System section
  • Font sizes and page zoom settings moved to the Appearance section
  • HTTPS/SSL Manage Certificates settings moved under Privacy and Security section

To see all of the changes in Chrome 59, visit the commit log.

 

↑ back to top

UI changes

• Material Design coming soon to the Chrome settings page (59)

  For those already on Chrome's Dev or Canary channels, the Chrome settings (chrome://settings) page has updated to Material Design. The updated design is planned to launch in Chrome 59.

• New desktop welcome page (Windows 10)

  We redesigned Chrome's first-run experience in M58. On Windows 10 platforms, we display a welcome page, which explains how to set Chrome as the default browser or pin it to the Windows taskbar. For Windows 7 and Windows 8 platforms, we display a Material Design page that promotes the Sign in to Chrome feature. This page launched to Mac and Linux during the Chrome 57 release.

Deprecations

• Changes to website certificate handling

  After many years of the practice being discouraged, Chrome 58 removes support for the commonName field in website certificates. Only the subjectAltName extension will be used when matching certificates to host names. The EnableCommonNameFallbackForLocalAnchors policy can be used to re-enable old behavior for locally installed roots. Organizations are strongly encouraged to migrate to modern certificate standards and not rely on the continued presence of this policy.

  Chrome 56 stopped trusting certificates issued by WoSign and StartCom after October 21, 2016 in response to various incidents, and included a whitelist of certificates that would continue to work. Chrome 58 continues reducing the size of that whitelist.

  As a reminder, since Chrome 56, the use of SHA-1 website certificates is no longer supported unless configured via policy: EnableSha1ForLocalAnchors. This policy can be used to re-enable old behavior for locally installed roots, which gives organizations more time to move away from SHA-1 certificates. Chrome strongly encourages organizations to migrate to modern certificate standards and not rely on the continued presence of this policy, because it will be removed in January 2019.

To see all of the changes that are in Chrome 58, visit the commit log.

 

↑ back to top

Security updates

• Form Not Secure warning UI (M56)

  To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. As part of a long-term plan to mark all HTTP sites as non-secure, beginning in January 2017 (Chrome 56), we mark HTTP pages that collect passwords or credit cards as non-secure. Read about Moving toward a more secure web.

• Chrome chip and icon

  Chrome security chip and icon for Chrome internal pages (Settings, History, Downloads...) indicate and verify that page is a secure internal Chrome page.

  

• Extension name chips

  Chrome will begin showing the extension name if the page URL is a chrome-extension:// URL. The extension name is displayed in the same style as security indicator URL-bar strings, but without any animations.

Enterprise features

• Windows roaming profiles support

  We are launching initial support for roaming profiles on Windows. It enables users to have a Chrome Sync experience anywhere they sign in to Windows with their domain accounts if roaming profiles are enabled without the need to sign in to Chrome. For more information, see Using Chrome on roaming user profile.

• Legacy Browser Support: Update 4.7

  Bug fixes and performance improvements from 4.6:

  • Improved window management in Chrome, including proper handling of pop-up windows triggering browsing transition.

  • Fixed issues with link corruption when navigating to an already open Internet Explorer window.

• Migrating capable 32-bit Chrome users to 64-bit Chrome

  To improve stability, performance, and security, users who are currently on the 32-bit version of Chrome and 64-bit Windows with 4 GB or more memory will be automatically migrated to 64-bit Chrome during the Chrome 57 rollout. The 32-bit Chrome will still be available via the Chrome download page.

UI changes

• Revamp first-run and onboarding experience

  We redesigned Chrome's first-run experience in 57. On non-Windows 10 platforms, we display a Material Design page which promotes the Sign in to Chrome feature. For Windows 10, this feature will be launched in the Chrome 58 release.

  

• Requiring explicit user action to enable sideloaded extensions on Mac

  In some instances, Chrome extensions can be bundled with Mac software and added during the software download and installation process.
  
  Extensions that are bundled with Mac applications will be added to Chrome in a disabled state. The user will be prompted to either enable the extension or remove it from Chrome.

  

Deprecations

• chrome://plugins

  The Chrome plugins page was used to allow management of plugin settings within Chrome. But as the web has evolved, there have been fewer plugins to manage over time. In this update, the team moved the controls for the remaining components to a more standard and discoverable location: Chrome's content settings, which can be easily accessed at chrome://settings/content.
  
  A list of where common settings went:

  • Chrome PDF viewer options moved under Privacy  Content settings  PDF documents.
  • Adobe Flash Player options moved under Privacy  Content settings  Flash.
  • Widevine Content Decryption Module (which enables Widevine licenses for playback of HTML audio/video content) can be adjusted under Privacy  Content settings  Protected Content.

• Deprecating insecure certificate types

  Since 56, Chrome has not trusted server certificates that use the insecure SHA-1 hash algorithm if they chain to publicly trusted roots. In Chrome 57, that is also true for enterprise or locally installed roots, unless the EnableSha1ForLocalAnchors policy has been set.
  
  Note that a collision attack has now been demonstrated against SHA-1. This policy should only be enabled after consulting your security team. Read more about setting Chrome policies for devices and SHA-1 Certificates in Chrome.

  Chrome 58 won't consider a certificate's common name when performing trust evaluation and will rely on subject alternative name only, unless the EnableCommonNameFallbackForLocalAnchors policy is set. Turn this policy on only after consulting your security team.

• Distrusting WoSign and StartCom certificates

  Chrome 57 continues to reduce the number of whitelisted sites that can use WoSign or StartCom issued certificates, as Google discontinues trust for these certificates. Learn more in this blog post and on Chromium.org.

To see all of the changes in Chrome 57, visit the commit log.

 

↑ back to top