Chrome Enterprise release notes

Last updated on: October 6, 2020

For administrators who manage Chrome Browser or Chrome devices for a business or school.

In the following notes, the stable release or milestone number (M##) refers to the version of the scheduled feature launch. For example, M75 indicates a feature scheduled to launch with the stable version of Chrome 75. See below for a changelog and version history of Chrome.
 

Current Chrome version release notes

Open all   |   Close all Chrome 86

Important: Adobe will no longer update and distribute Flash Player after December 31, 2020. Therefore, after this date, all versions of Chrome will stop supporting Flash content. You can read more about Adobe's plans to discontinue Flash player and your options in Adobe's blog post. Adobe is working with HARMAN, their exclusive licensing/distribution partner, to provide support for Flash Player in legacy browsers.

Chrome is designed to meet the needs of Chrome Enterprise customers, including integration with legacy web content. Companies that need to use a legacy browser to run Flash content after December 31, 2020 should use a HARMAN solution with Legacy Browser Support.

Chrome Browser updates

  • Insecure downloads will be blocked from secure pages in Chrome 84 through Chrome 88 
    By Chrome 88, downloads from insecure sources will no longer be allowed when started from secure pages. This change will be rolled out gradually, with different file types affected in different releases:

     

  • Executables—Users were warned in Chrome 84, and files will be blocked in Chrome 85.
  • Archives —Users will be warned in the Chrome developer console in Chrome 85, and files will be blocked in Chrome 86.
  • Other non-safe types (For example, PDFs)—Users will be warned in the Chrome developer console in Chrome 86, and files will be blocked in Chrome 87.
  • Other files—Users will be warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.
  • Other files—Users will be warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.

Warnings on Android will lag behind computer warnings by one release. For example, executables will show a warning starting in Chrome 85.

The existing InsecureContentAllowedForUrls policy can be used to allow specific URLs to download insecure files. You can read more details in our blog post.

  • New lookalikes policy and request flow

    Chrome is introducing a new "safety tip" for sites with URLs that look very similar to those of other sites. This UI, as well as the existing lookalike interstitial warning, uses client-side heuristics to warn users about sites that might be spoofing other sites (For example, goog0le.com spoofing google.com):

    Chrome is adding the LookalikeWarningAllowlistDomains enterprise policy to give you control of this behavior. This policy suppresses both the full-page interstitial warning and the smaller "safety tip" in the domains indicated.

    In addition, if you think a site is triggering a warning incorrectly, you can file a request here.
  • Improved resource consumption when a window is not visible

    To save on CPU and power consumption, Chrome detects when a window is covered by another window and will suspend work painting pixels. A previous version of this feature had incompatibility issues with some virtualization software, resulting in Chrome rendering blank white pages. Known bugs have been fixed, but if you experience any issues, you will be able to disable this feature using the NativeWindowOcclusionEnabled policy.

    Some users have already seen this change since Chrome 85, however this feature is fully rolled out in Chrome 86.

  • User-Agent Client Hints is fully rolled out in Chrome 86

    As part of an ongoing effort to reduce the ability of bad actors to track users, Chrome plans to reduce the granularity of information that is part of the user agent string and expose that information through User-Agent Client Hints. In Chrome 84, we introduced User-Agent Client Hints for some users. This is an additional change only, and should not have any negative effect when interacting with any standards-compliant server.

    However, some servers may not be able to accept all characters in the User-Agent Client Hints headers as part of the broader Structured Headers  emerging standard. If the addition of this header causes problems with servers that can't be fixed quickly, you will be able to use the UserAgentClientHintsEnabled policy to disable the added headers.

    This is a temporary policy that will be removed in Chrome 88.

  • Chrome warns about mixed content forms

    Web forms that load via HTTPS but submit their content via HTTP (unsecured) pose a potential risk to users' privacy. Chrome 85 showed a warning on such forms, telling the user that the form is insecure. Chrome 86 shows an interstitial warning when the form is submitted, which stops any data transmission, and the user is able to choose whether to proceed or cancel the submission.

     

     You are able to control this behavior using the InsecureFormsWarningsEnabled enterprise policy.

  • The address bar shows the domain rather than the full URL for some users

    To protect your users from some common phishing strategies, Chrome shows only the domain in the address bar. This change makes it more difficult for malicious actors to trick users with misleading URLs. For example, https://example.com/secure-google-sign-in/ will appear only as example.com to the user.

    Although this change is designed to keep your users’ credentials safe, you are now able to revert to the old behavior through the ShowFullUrlsInAddressBar policy.

    This change is initially only rolled out to some users, however a full rollout is planned for a later release.

  • Chrome has a new way to show you it’s time to update your browser

    To make it more clear that Chrome should be restarted to apply an update, users will see a new UI, with the word "Update," replacing the colored arrow that users see today.

     

 

  • Chrome extensions are not able to inject Flash content settings

    Extensions will not be able to inject content settings for Flash. If you're using an extension to control Flash behavior in Chrome, you should instead use PluginsAllowedForUrls. Otherwise, users will see the default Flash behavior, which will require them to allow Flash to run on each site.

  • The Chrome Browser Cloud Management - Reporting Companion extension no longer functions

    The Chrome Browser Cloud Management - Reporting Companion extension ID, oempjldejiginopiohodkdoklcjklbaa is no longer necessary, as its functionality has been integrated into Chrome browser. If you are manually force-installing this extension, you can safely stop doing so. Please ensure that you've set "Enable managed browser cloud reporting" in the admin console instead.

  • The TLS13HardeningForLocalAnchorsEnabled enterprise policy no longer functions

    As documented in the policy description, support for the TLS13HardeningForLocalAnchorsEnabled enterprise policy will be removed in Chrome 86. As a result, the security feature will be enabled for all users, protecting your environment from certain TLS downgrade attacks. 

    The policy was introduced as a temporary measure to mitigate implementation flaws with some TLS-intercepting proxies. If you had previously set this policy to take advantage of the migration period, please ensure your TLS-intercepting policies are up to date and compliant. You can test Chrome by ensuring it works without this policy set.

  • More inclusive policy names are introduced

    Chrome is moving to more inclusive policy names. The terms "whitelist" and "blacklist" have been replaced with "allowlist" and "blocklist". If you're already using the existing policies, they will continue to work, though you will see warnings in chrome://policy stating that they're deprecated.

    The following policies will be deprecated (but will still work), and equivalent policies will be introduced for each:

    Deprecated Policy Name New Policy Name Version
    NativeMessagingBlacklist NativeMessagingBlocklist 86
    NativeMessagingWhitelist NativeMessagingAllowlist 86
    AuthNegotiateDelegateWhitelist AuthNegotiateDelegateAllowlist 86
    AuthServerWhitelist AuthServerAllowlist 86
    SpellcheckLanguageBlacklist SpellcheckLanguageBlocklist 86
    AutoplayWhitelist AutoplayAllowlist 86
    SafeBrowsingWhitelistDomains SafeBrowsingAllowlistDomains 86
    ExternalPrintServersWhitelist ExternalPrintServersAllowlist 86
    NoteTakingAppsLockScreenWhitelist NoteTakingAppsLockScreenAllowlist 86
    PerAppTimeLimitsWhitelist PerAppTimeLimitsAllowlist 86
    URLWhitelist URLAllowlist 86
    URLBlacklist URLBlocklist 86
    ExtensionInstallWhitelist ExtensionInstallAllowlist 86
    ExtensionInstallBlacklist ExtensionInstallBlocklist 86
    UserNativePrintersAllowed UserPrintersAllowed 86
    NativePrinters Printers 86
    NativePrintersBulkConfiguration PrintersBulkConfiguration 86
    NativePrintersBulkAccessMode PrintersBulkAccessMode 86
    NativePrintersBulkBlacklist PrintersBulkBlocklist 86
    NativePrintersBulkWhitelist PrintersBulkAllowlist 86
    DeviceNativePrintersBlacklist DevicePrintersBlocklist 87
    DeviceNativePrintersWhitelist DevicePrintersAllowlist 87
    DeviceNativePrintersAccessMode DevicePrintersAccessMode 87
    DeviceNativePrinters DevicePrinters 87
    UsbDetachableWhitelist UsbDetachableAllowlist 87
    QuickUnlockModeWhitelist QuickUnlockModeAllowlist 87
    AttestationExtensionWhitelist AttestationExtensionAllowlist 87
    DeviceUserWhitelist DeviceUserAllowlist 87

Chrome OS updates

  • Family Link and school account support for Android apps

    Enables Family Link users to sign in to Android apps like Google Classroom using a school account to do schoolwork under parent supervision.

  • Smartcard support on the login screen

    As an admin, you can enable users to sign in using smart cards on the managed Chrome devices in your organization. The solution builds upon SAML SSO identity providers (IdP) that supports smart cards. Learn more.

  • Guide Parents to Set Up Devices for Children during OOBE/Add Person flow

    Simplifies device setup for families that want to create parental controls for their kids on Chromebooks.

  • Redesigned Update Screen during OOBE

    The update page during OOBE has been redesigned to include time/battery estimates and a progress tracker so users don't have to sit in front of the computer while it updates. We have also included educational cards on the screen; users who choose to wait in front of the computer or choose to check in during the update will learn more about the unique values that Chrome OS offers.   

  • Option to view password/PIN on start screen and lock screen

    Have a long password that you often type incorrectly? Need to refer to a password manager on your phone to log into your Chromebook? This is now easier as the login screen has a new button to let you review your password/PIN. Simply click the eye-shaped icon to show password/PIN in clear text, review or compare with your password manager, and then submit. For security, we will turn the clear text into ***** after 5 seconds of inactivity and clear the entire input after 30 seconds of inactivity.

  • Display Identification on multi-monitor setups

    Managing multiple displays on Chrome OS has never been easier. We improved the ability for users to quickly identify which tab in the Display settings corresponds to a user's external display, and we've made it easier to align displays via a first-of-its-kind alignment overlay. These options are available for anyone using 2 or more displays.    

  • Autocorrect UI improvements

    For users with autocorrect enabled, we have improved the user interface with visual indicators which let you know that autocorrects have happened, as well as a new visual way to undo them.

  • Linux upgrade flow to Debian 10

    If you have been using Linux (Beta) with Debian 9, you will now see an option to upgrade to Debian 10. You can start the upgrade at any time by going to Linux settings.

  • Virtual machine USB support beyond Android devices

    You can now use more types of devices with Linux (Beta), including Arduino and EdgeTPU. Attach a device to your Chromebook and share it through Linux settings.

Admin console updates

  • Website icons and names on the Apps & extensions configuration page

    Websites will now display their name and icon in addition to the URL in the Admin console.  Admins can search by either name or URL to find websites.  This change does not affect how website shortcuts display on the Chrome OS shelf.

  • Flash deprecation warnings

    Flash Player will no longer be supported after December 2020 (roadmap). The Admin console no longer allows the configuration of Flash using wildcards. There are also additional reminders about the upcoming deprecation.

  • Always-on VPN for Android

    Always-on VPN allows you to specify an Android VPN app that handles Android and Chrome OS user traffic as soon as users start their devices. For security reasons, virtual private networks (VPNs) don’t apply to system traffic such as OS and policy updates. If the VPN connection fails, all user traffic is blocked until the VPN connection is re-established.

  • Remotely factory reset a managed device

    You can now perform a full remote factory reset for managed devices, which can be useful for deprovisioning a device for RMA, clearing data on a disabled device that has been misplaced or stolen, and clearing data for troubleshooting purposes.  

    Note: After a device has been factory reset, it must go through the initial setup again.  For a lighter touch reset, you can clear a user’s profile instead.

  • Device-level system log export

    This feature extends existing kiosk functionality to any managed device, allowing you to remotely capture device-level system log files. Once the LogUploadEnabled policy is enabled, you can manually request and download logs directly from the device details page, and fetch them through the Chrome Directory API.

  • Additional policies in the Admin console

    Many new policies are available in the Admin console, including:

    Policy control Admin console location Description
    Metrics reporting User & browser settingsand thenOther settingsand thenMetrics reporting Controls anonymous reporting of usage and crash-related data about Google Chrome to Google.
    External extensions Apps & extensionsand thenAdditional application settingsand thenExternal extensions Controls installation of external extensions
    Chrome Cleanup User & browser settingsand thenSecurityand thenChrome Cleanup Controls whether Chrome Cleanup periodically scans the system for unwanted software on browsers enrolled with Chrome Browser Cloud Management on Windows.
    Disabled system features User & browser settingsand thenUser experienceand thenDisabled system features Controls whether users can access the camera, OS settings, and browser settings on Chrome OS devices
    Privacy screen on sign-in screen Device settingsand thenSign-in settingsand thenPrivacy screen on sign-in screen Controls whether the privacy screen is enabled on devices supporting an electronic privacy screen
    Disk cache size User & browser settingsand thenOther settingsand thenDisk cache size Controls the cache size used by Chrome browser
    PDF files User & browser settingsand thenContentand thenPDF files Controls whether PDF files open in Chrome or using the system default application
    Suggested content User & browser settingsand thenUser experienceand thenSuggested content Enables suggestions for new content to explore on Chrome OS. Includes apps, webpages, and more.  This policy is disabled by default for managed users
    Default browser check User & browser settingsand thenStartupand thenDefault browser check Controls whether Chrome checks if it is the default browser at startup
    Background mode User & browser settingsand thenOther settingsand thenBackground mode Controls whether Chrome keeps running when the last browser window is closed, allowing background apps to remain active
    Third party code User & browser settingsand thenSecurityand thenThird party code Controls whether third party software will be allowed to inject executable code into Chrome's processes on Windows
    Relaunch notification User & browser settingsand thenChrome updatesand thenRelaunch notification Controls the notifications shown to users reminding them to update Chrome

 

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • ITP will block third party cookies in Chrome on iOS14

    All Chrome versions on iOS14 will be subject to the new ITP (Intelligent Tracking Prevention) restriction in WebKit, which blocks third party cookies. Apple has provided more information on the changes here: 

  • Single words will not be treated as intranet locations by default in Chrome 87 

    By default, Chrome will improve user privacy by avoiding DNS lookups for single keywords entered into the address bar. This change to default behavior may interfere with enterprises that use single-word domains in their intranet. That is, a user typing "helpdesk" will no longer be directed to "https://helpdesk/".

    You will be able to control the behavior of Chrome using the IntranetRedirectBehavior enterprise policy, including preserving the existing behavior (which will perform a search immediately and then ask the user if they're trying to reach the intranet site).

  • Improved resource consumption for background tabs in Chrome 87

    To save on CPU and power consumption, Chrome will throttle the amount of CPU that background tabs can use. With this change, Chrome will only allow background tabs to wake up once per minute and to only use 1% CPU time.

    You will be able to control this behavior using the IntensiveWakeUpThrottlingEnabled policy.

  • DTLS 1.0 will be removed in Chrome 87

    DTLS 1.0, a protocol used in WebRTC for interactive audio and video, will be removed by default. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. You can test if any of your applications will be impacted using the following command line flag when launching Chrome:

    --force-fieldtrials=WebRTC-LegacyTlsProtocols/Disabled/ 

    If your enterprise needs additional time to adjust, the WebRtcAllowLegacyTLSProtocols enterprise policy will be made available to temporarily extend the removal.

  • New PDF UI in Chrome 87

    Chrome will have an updated PDF viewer, including toolbar updates, table of contents, thumbnails, two-up view, and annotations.

  • The CORB/CORS allowlist will be removed in Chrome 87

    Chrome will remove the CORB/CORS allowlist in Chrome 87. Please test Chrome extensions that your business depends on to make sure they work with the new behavior.

    Please test Chrome 87.0.4266.0 or later and run through critical workflows with your extension. Watch for fetches or XHRs that are initiated by content scripts and blocked by CORB or CORS. Typical error messages are shown below:

If the extension's content scripts create requests that don’t work when Chrome is launched with the chrome://flags listed above, then make sure you keep the extension updated so that it continues to work in Chrome 87 and above. In particular, the extensions must be updated to initiate cross-origin fetches from the extension background page (instead of from a content script).

For more details please see: https://www.chromium.org/Home/chromium-security/extension-content-script-fetches

  • Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 88

    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. You will be able to control this behavior using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.

  • Chrome will introduce a new permission chip UI in Chrome 88

    Permission requests can feel disruptive and intrusive when they lack context – which often happens when prompts appear as soon as a page loads or without prior priming. This leads to a common reaction where end users dismiss the prompt in order to avoid making a decision.

    Chrome is experimenting with a permissions chip in the address bar next to the lock, which is less intrusive overall. Since the prompt doesn't intrude in the content area, users who don't want to grant the permission no longer need to actively dismiss the prompt. Users who wish to grant permission can click on the chip to bring up the permission prompt.

  • Factor in scheme when determining if a request is cross-site (Schemeful Same-Site) in Chrome 88

    Chrome 88 will modify the definition of same-site for cookies such that requests on the same registrable domain but across schemes will be considered cross-site instead of same-site. For example, http://site.example and https://site.example will be considered cross-site to each other. We recommend testing critical sites using the testing instructions.

    You may revert to the previous, legacy behavior, by using the LegacySameSiteCookieBehaviorEnabledForDomainList and LegacySameSiteCookieBehaviorEnabled policies. For more detail please see Cookie Legacy SameSite Policies.

  • Chrome 88 on Mac will not support OS X 10.10 (Yosemite)

    Chrome 88 will not support OS X 10.10 (OS X Yosemite). Chrome on Mac will require OS X 10.11 or later.

  • SyncXHR and Popup on page unload policies will no longer be supported on Chrome 88

    The AllowPopupsDuringPageUnload and AllowSyncXHRInPageDismissal enterprise policies will be removed in Chrome 88, as previously communicated. For any apps that rely on the legacy web platform behavior, be sure to update them before Chrome 88.

  • The Legacy Browser Support extension will be removed from the Chrome Web Store in Chrome 88

    Legacy Browser Support (LBS) is built into Chrome, and the old extension is no longer needed. The Chrome team unpublished LBS from the Chrome Web Store in Chrome 85, and it will be disabled in Chrome 88. Legacy Browser Support will still be supported, please migrate away from the extension and towards using Chrome's built-in policies, documented here.  The old policies set through the extension will no longer function, and you won't be able to force install the extension once it's been disabled.

  • Chrome 89 will require SSE3 for Chrome on x86

    Chrome 89 and above will require x86 processors with SSE3 support. This change does not impact devices with non-x86 (ARM) processors. Chrome will not install and run on x86 processors that do not support SSE3. SSE3 was introduced on Intel CPUs in 2003, and on AMD CPUs in 2005.

  • The SSLVersionMin policy will not allow TLS 1.0 or TLS 1.1 in Chrome 91

    The SSLVersionMin enterprise policy allows you to bypass Chrome's interstitial warnings for legacy versions of TLS. This will be possible until Chrome 91 (May 2021), then the policy will no longer allow TLS 1.0 or TLS 1.1 to be set as the minimum.

    We previously communicated that this would happen as early as January 2021, but the deadline has since been extended.

Upcoming Admin console changes

  • New Version Report and Update Controls

    There will be a new Version Report and Update Controls available in the Admin console. These features give increased visibility into the Chrome versions deployed in your enterprise and allows you to more granularly control how managed Chrome browsers update. If you would like to sign up to be a Trusted Tester for these features please enter your test domain and a contact email into this form.

 
 

Previous release notes 

Chrome 85
 

 

Important: Adobe will no longer update and distribute Flash Player after December 31, 2020. Therefore, after this date, all versions of Chrome will stop supporting Flash content. You can read more about Adobe's plans to discontinue Flash player and your options in Adobe's blog post. Adobe is working with HARMAN, their exclusive licensing/distribution partner, to provide support for Flash Player in legacy browsers.

Chrome is designed to meet the needs of Chrome Enterprise customers, including integration with legacy web content. Companies that need to use a legacy browser to run Flash content after December 31, 2020 should use a HARMAN solution with Legacy Browser Support.

Chrome Browser updates

  • User-Agent Client Hints will be introduced in Chrome 85 
    As part of an ongoing effort to reduce bad actors’ ability to track users, Chrome plans to reduce the granularity of information that is part of the user agent string and expose that information through User-Agent Client Hints. In Chrome 84, we introduced User-Agent Client Hints for some users. This is an additive change only, and should not have any negative effect when interacting with any standards-compliant server.

    However, some servers may not be able to accept all characters in the User-Agent Client Hints headers, part of the broader Structured Headers emerging standard. If the addition of this header causes problems with servers that cannot be fixed quickly, you will be able to use the UserAgentClientHintsEnabled policy to disable the added headers. This is a temporary policy that will be removed in Chrome 88.

    A full rollout of this change is planned in Chrome 85.

  • The default referrer policy will change in Chrome 85 
    The HTTP referrer header provides the full URL of the initiating document alongside many navigation and subresource requests. In practice, it can reveal users’ browsing habits or identities. Chrome will improve user privacy and security by switching to strict-origin-when-cross-origin as the default policy, instead of no-referrer-when-downgrade. Web developers may specify a referrer policy on their documents if they need a different policy.

    The expected long-term fix is to update all web apps to preferably not depend on the full URL for the referrer, and where unavoidable, specify a referrer policy when they require something other than strict-origin-when-cross-origin. However, to help with the transition, enterprises will be able to use the ForceLegacyDefaultReferrerPolicy enterprise policy to revert to the old default behavior until Chrome 88. 

    See more info and best practices.

  • Chrome 64-bit on Windows will be installed in "Program Files" instead of "Program Files (x86)" 

    New installations of 64-bit Chrome will be installed in "%ProgramFiles%" on Windows instead of "%ProgramFiles(x86)%". Existing installations won't be impacted.

  • Improvements to user productivity in Chrome 85

    Chrome will be making several improvements to user productivity, including collapsible tab groups, tab previews, saving inputs in PDFs, and QR code sharing. You can read more about these improvements on the Keyword.

  • Compiler optimization performance improvements in Chrome 85

    Chrome will use an improved compiler optimization technique called PGO (Profile-guided optimization) on Mac and Windows. Enterprises aren't expected to notice any changes, except how software interacts with Chrome in unexpected or unsupported ways. For example, code injection may not function as expected with this version of Chrome.

  • Insecure downloads will be blocked from secure pages in Chrome 84 through Chrome 88

    By Chrome 88, downloads from insecure sources will no longer be allowed when started from secure pages. This change will be rolled out gradually, with different file types affected in different releases:

     

  • Executables—Users were warned in Chrome 84, and files will be blocked in Chrome 85.
  • Archives —Users will be warned in the Chrome developer console in Chrome 85, and files will be blocked in Chrome 86.
  • Other non-safe types (For example, PDFs)—Users will be warned in the Chrome developer console in Chrome 86, and files will be blocked in Chrome 87.
  • Other files—Users will be warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.

Warnings on Android will lag behind Desktop warnings by one release. For example, executables will show a warning starting in Chrome 85.

The existing InsecureContentAllowedForUrls policy can be used to allow specific page URLs to download insecure files. You can read more details in our blog post.

  • Wildcards are no longer supported in PluginsAllowedForUrls in Chrome 85

    In preparation for the Flash deprecation later this year, Chrome will be removing the ability for enterprises to define entries with wildcards in hostnames (For example, “https://*” or “https://[*.]mysite.foo”) for the PluginsAllowedForUrls policy. If you're using hostname wildcards, you will need to explicitly specify which hostnames still require Flash. For example, “https://[*.]mysite.foo” would need to be updated to match explicit entries like “https://flash.mysite.foo”. This change is intended to help determine which sites still require updating, with time to make an adjustment before support for Flash is removed completely in December, 2020.

  • The Legacy Browser Support extension will be removed from the Chrome Web Store in Chrome 85

    Legacy Browser Support (LBS) is now built into Chrome, and the old extension is no longer needed. The Chrome team is planning to unpublish LBS from the Chrome Web Store in Chrome 85, and it will be removed from browsers in Chrome 86. To continue using Legacy Browser Support, ensure that you're using Chrome's built-in policies, documented here.  The old policies set through the extension will no longer take effect when the extension is removed. 

    The Beta version of the extension (Extension ID ebojbgfomggiamdflnhekjfkmdbeblpb) will be removed in Chrome 85.

  • Cross-origin fetches will be disallowed from content scripts in Chrome Extensions in Chrome 85

    As part of an effort to improve Chrome Extension security, cross-origin fetches are being disallowed from content scripts in Chrome Extensions. Cross-Origin Read Blocking (CORB) has already applied to content scripts since M73. We plan to also enable CORS for content script requests starting in M85. We expect most extensions to be unaffected by the CORS change, but there is a chance that some requests initiated from content scripts may start to fail.

    Please test Chrome Extensions that your business depends on to make sure they work with the new behavior when Chrome is launched with the following cmdline flags (in 81.0.4035.0 or later):

    --enable-features=OutOfBlinkCors,CorbAllowlistAlsoAppliesToOorCors

    During the test, watch for fetches or XHRs that are initiated by content scripts and blocked by CORS. If extensions you depend on are affected, open a bug to add the affected extensions to a temporary allowlist which will exempt them from the change (the allowlist will be deprecated and removed in Chrome 87). The changes only affect fetches or XHRs for content types that are not blocked by CORB (such as images, JavaScript, and CSS) and only if the server does not approve the CORS request with an Access-Control-Allow-Origin response header.

  • Improved resource consumption when a window is not visible in Chrome 85

    To save on CPU and power consumption, Chrome will detect when a window is covered by other windows and will suspend work painting pixels. A previous version of this feature had incompatibility issues with some virtualization software. Known bugs have been fixed, but if you experience any issues, you will be able to disable this feature using the NativeWindowOcclusionEnabled policy.

    Some users will see the change in Chrome 85, with a full rollout planned for Chrome 86.

  • Introduction of AutoLaunchProtocolsFromOrigins policy in Chrome 85

    The new AutoLaunchProtocolsFromOrigins policy allows you to specify combinations of external protocols and origins that should be launched automatically, without requiring user confirmation.

  • Chrome on MacOS has additional protections for sensitive enterprise policies in Chrome 85

    Macs that are not managed by a UEM/EMM/MDM (or legacy MCX) will ignore sensitive enterprise policies that may be set by malware. This check already happens for sensitive policies on Windows, and will apply to the same set of policies on MacOS.

  • Cross-Origin Resource Setting (CORS) enterprise policies are no longer available

    The CorsMitigationList and Cors​Legacy​Mode​Enabled policies have been removed in Chrome 84, as previously communicated.

  • The ForceNetworkInProcess policy is now deprecated

    Chrome 73 introduced a change to move network activity into a separate process. We were aware of known incompatibilities with some third-party software that were injected into Chrome's process, so the ForceNetworkInProcess policy was provided as a temporary stop-gap to revert to the old behavior. The transition period for this change ended in Chrome 84, and the policy is no longer available.

  • Certificates issued on or after September 01, 2020 must have a lifetime of 398 days or less in Chrome 85

    As part of our ongoing commitment to ensuring user security, Google is reducing the maximum allowed lifetimes of TLS certificates. More details here.

  • Chrome 85 uses the Windows-native spell checker for some users

    For Windows users that have the corresponding language packs installed on their system, Chrome will use the Windows-native spell checker. Users without the corresponding language pack will default to the Chrome spell checker.

    Some users will see this change in Chrome 85, with a full rollout planned in Chrome 86.

  • The Chrome Web Store tells users if an extension has been blocked by their admin in Chrome 85

    If you block an extension by policy, the Chrome Web Store extension listing will now show “Blocked by Admin” to the user.

  • Chrome-on-iOS enterprise policies in Chrome 85

    Chrome supports a limited set of policies on iOS, configurable with unified endpoint management systems.

Chrome OS updates

  • Separating Display Resolution and Refresh Rate for external monitors

    The "Displays" page in Settings has been updated to allow independent configuration of the resolution and the refresh rate for external monitors. This setting will be split automatically and users do not need to take any action.

     

 

  • Sync Wi-Fi settings between devices

    To help users avoid repeatedly joining the same set of networks and typing in the same difficult-to-remember passwords on each of their Chrome OS devices, Wi-Fi Sync helps keep known networks in sync between a user's devices. This can be controlled using the SyncTypesListDisabled policy.

  • Option for improved visuals for Select to Speak

    Select to speak lets users drag a box around a given area of text to have text in that area spoken aloud. We’ve now added the option to turn on screen shading behind the selected region of the screen. This screen shading will reduce distraction and help to enhance the user's focus on the core content being spoken aloud.

  • Improved gesture support for handwriting keyboard

    When entering text using the handwriting keyboard, you can now use familiar gestures to edit your handwriting. Drawing a strikethrough will delete text, and a caret will give you space to insert text.

  • Improved Print management UI

    Users can now manage their ongoing print jobs and view what has been completed.

     

  • PIN printing for Hewlett-Packard®, Ricoh®, and Sharp® printers

    Extended PIN printing is now available for all supported Hewlett-Packard®, Ricoh®, and Sharp® printers that require a PIN to release the print job to a printer.

     

 

Admin console updates

  • Updated Admin consoleand thenDevices hub page

    The Devices hub in the Admin console is refreshed with a new look and feel, faster load times, and a brand new navigation structure on the left side of the page.

  • View apps & extensions that are configured across all organizational units

    The apps & extensions page in the Admin console now supports “Include all organizational units.” Selecting this view will display all apps configured across all modes (User & browser, Devices, and Managed guest session) and all organizational units.

  • Expanded ability to block system features

    Admins can now block system features at a granular level directly, without URL blocking. The Camera app, Chrome browser settings and Chrome OS settings are all configurable through policy.

  • Connected devices policies for Android phones + Chrome OS devices

    User settingsand thenConnected devices is a suite of features that allows Android phones and Chrome devices to work together seamlessly. Education organizations can enable Smart Lock and Click to Call. In addition, Enterprise organizations can enable Instant Tethering and Messages.

  • Multi-select devices for clearing user profiles

    From the Chromeand thenDevices list, admins can now multi-select devices to clear user profiles from all devices at the same time.

  • Additional policies now available in the Admin console

    Many additional new policies are available in the Admin console, including:

    • PrintingMaxSheetsAllowed

      User settingsand thenPrintingand thenMaximum sheets - Set a maximum number of pages for a single print job.

    • PrintingMaxSheetsAllowed and PrintingPaperSizeDefault

      User settingsand thenPrintingand thenDefault printing page size - Set a default paper page size for print jobs. 

    • AppCacheForceEnabled

      User settingsand thenContentand thenAppCache - Allow websites to use the deprecated AppCache browser feature.

    • HardwareAccelerationModeEnabled

      User settingsand thenHardwareand thenGPU - Enable or disable GPU hardware acceleration

    • ScrollToTextFragmentEnabled

      User settingsand thenContentand thenScroll to text fragment - Allow sites to scroll directly to a text fragment via URL

    • HideWebStoreIcon

      Apps & extensionsand thenAdditional settingsand thenChrome Web Store app icon - Hide the Chrome Web Store app and footer link from the New Tab Page and Google Chrome OS app launcher.

New and updated policies (Chrome Browser and Chrome OS)

Policy Description
AutoLaunchProtocolsFromOrigins Defines a list of protocols that can launch an external application from listed origins without prompting the user.
CloudExtensionRequestEnabled Enables Google Chrome extension installation requests.
DefaultSearchProviderContextMenuAccessAllowed Enables the use of a default search provider on the context menu.
EnableExperimentalPolicies Enables experimental policies.
IntensiveWakeUpThrottlingEnabled When enabled, the IntensiveWakeUpThrottling feature causes Javascript timers in the background tabs to be aggressively throttled and coalesced, running no more than once per minute after a page has been in the background for 5 minutes or more.
UserAgentClientHintsEnabled Controls the User-Agent Client Hints feature.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • ITP will block third party cookies in Chrome on iOS14

    All Chrome versions on iOS14 will be subject to the new ITP (Intelligent Tracking Prevention) restriction in WebKit, which blocks third party cookies. Apple has provided more information on the changes here: 

  • Single words will not be treated as intranet locations by default in Chrome 87 

    By default, Chrome will improve user privacy by avoiding DNS lookups for single keywords entered into the address bar. However, this change to default behavior may interfere with enterprises that use single-word domains in their intranet. That is, a user typing "helpdesk" will no longer be directed to "https://helpdesk/".

    You will be able to control the behavior of Chrome via policy, including preserving the existing behavior (which will perform a search immediately and then ask the user if they're trying to reach the intranet site).

  • Chrome will warn about mixed content forms in Chrome 86

    Web forms that load via HTTPS but submit their content via HTTP (unsecured) pose a potential risk to users' privacy. Chrome 85 showed a warning on such forms, telling the user that the form is insecure. Chrome will show an interstitial warning when the form is submitted, which will stop any data transmission, and the user will be able to choose to proceed or cancel the submission.

    You will be able to control this behavior using the InsecureFormsWarningsEnabled enterprise policy.

  • The address bar will show the domain rather than the full URL for some users in Chrome 86

    To protect your users from some common phishing strategies, Chrome will begin showing only the domain in the address bar in Chrome 86. This change makes it more difficult for malicious actors to trick users with misleading URLs. For example, https://example.com/secure-google-sign-in/ will appear only as example.com to the user.

    Although this change is designed to keep your users' credentials safe, you will be able to revert to the old behavior through the ShowFullUrls policy. This change will initially only roll out to some users, with a full rollout planned for a later release.

  • Improved resource consumption for background tabs in Chrome 86

    To save on CPU and power consumption, Chrome will throttle the amount of CPU that background tabs can use. With this change, Chrome will only allow background tabs to wake up once per minute and to only use 1% CPU time.

    You will be able to control this behavior using the IntensiveWakeUpThrottlingEnabled policy.

  • Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 86

    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. A policy will be provided to turn off this mechanism, and another one to allow specific pages to make requests to more private IP Address Spaces.

  • Chrome 86 will have a new way of indicating it should be updated

    To make it more clear that Chrome should be restarted to apply an update, users will see a new UI, with the word "Update."

      ​​​​​ ​

 

  • Chrome extensions will not be able to inject Flash content settings in Chrome 86

    Extensions will not be able to inject content settings for Flash. Admins should instead use policies to control Flash behavior on Chrome. See PluginsAllowedForUrls.

  • The Chrome Cloud Management - Reporting Companion extension will cease functionality in Chrome 86

    The Chrome Cloud Management - Reporting Companion extension (ID oempjldejiginopiohodkdoklcjklbaa) is no longer necessary, as its functionality has been integrated into Chrome browser. If you are manually force-installing this extension, you can safely stop doing so. Please ensure that you've set "Enable managed browser cloud reporting" in the admin console instead.

    The extension will no longer function in Chrome 86.

  • The TLS13HardeningForLocalAnchorsEnabled enterprise policy will no longer function in Chrome 86

    As documented in the policy description, support for the TLS13HardeningForLocalAnchorsEnabled enterprise policy will be removed in Chrome 86. As a result, the security feature will be enabled for all users, protecting your environment from certain TLS downgrade attacks.

    The policy was introduced as a temporary measure to mitigate implementation flaws with some TLS-intercepting proxies. If you had previously set this policy to take advantage of the migration period, please ensure your TLS-intercepting policies are up to date and compliant. You can test Chrome by ensuring it works without this policy set.

  • More inclusive policy names will be introduced in Chrome 86 and 87

    Chrome will be moving to more inclusive policy names. The terms "whitelist" and "blacklist" will be replaced with "allowlist" and "blocklist". The following policies will be deprecated, and equivalent policies will be introduced for each: 

Deprecated policy name New policy name Version
NativeMessagingBlacklist NativeMessagingBlocklist 86
NativeMessagingWhitelist NativeMessagingAllowlist 86
AuthNegotiateDelegateWhitelist AuthNegotiateDelegateAllowlist 86
AuthServerWhitelist AuthServerAllowlist 86
SpellcheckLanguageBlacklist SpellcheckLanguageBlocklist 86
AutoplayWhitelist AutoplayAllowlist 86
SafeBrowsingWhitelistDomains SafeBrowsingAllowlistDomains 86
ExternalPrintServersWhitelist ExternalPrintServersAllowlist 86
NoteTakingAppsLockScreenWhitelist NoteTakingAppsLockScreenAllowlist 86
PerAppTimeLimitsWhitelist PerAppTimeLimitsAllowlist 86
URLWhitelist URLAllowlist 86
URLBlacklist URLBlocklist 86
ExtensionInstallWhitelist ExtensionInstallAllowlist 86
ExtensionInstallBlacklist ExtensionInstallBlocklist 86
UserNativePrintersAllowed UserPrintersAllowed 86
DeviceNativePrintersBlacklist DevicePrintersBlocklist 87
DeviceNativePrintersWhitelist DevicePrintersAllowlist 87
DeviceNativePrintersAccessMode DevicePrintersAccessMode 87
DeviceNativePrinters DevicePrinters 87
NativePrinters Printers 86
NativePrintersBulkConfiguration PrintersBulkConfiguration 86
NativePrintersBulkAccessMode PrintersBulkAccessMode 86
NativePrintersBulkBlacklist PrintersBulkBlocklist 86
NativePrintersBulkWhitelist PrintersBulkAllowlist 86
UsbDetachableWhitelist UsbDetachableAllowlist 87
QuickUnlockModeWhitelist QuickUnlockModeAllowlist 87
AttestationExtensionWhitelist AttestationExtensionAllowlist 87
DeviceUserWhitelist DeviceUserAllowlist 87

 

If you're already using the existing policies, they will continue to work, though you will see warnings in chrome://policy stating that they're deprecated.

  • DTLS 1.0 will be removed in Chrome 87

    DTLS 1.0, a protocol used in WebRTC for interactive audio and video, will be removed by default. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. You can test if any of your applications will be impacted using the following command line flag when launching Chrome:

    --force-fieldtrials=WebRTC-LegacyTlsProtocols/Disabled/

    If your enterprise needs additional time to adjust, a policy will be made available to temporarily extend the removal.

  • Chrome will introduce a new permission chip UI in Chrome 87

    Permission requests can feel disruptive and intrusive when they lack context – which often happens when prompts appear as soon as a page loads or without prior priming. This leads to a common reaction where end users dismiss the prompt in order to avoid making a decision.

    Chrome is experimenting with a permissions chip in the address bar next to the lock, which is less intrusive overall. Since the prompt doesn't intrude in the content area, users who don't want to grant the permission no longer need to actively dismiss the prompt. Users who wish to grant permission can click on the chip to bring up the permission prompt.

  • New PDF UI in Chrome 87

    Chrome will have an updated PDF viewer, including toolbar updates, table of contents, thumbnails, two-up view, and annotations viewing.

  • Factor in scheme when determining if a request is cross-site (Schemeful Same-Site) in Chrome 88

    Chrome 88 will modify the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. For example, http://site.example and https://site.example will be considered cross-site to each other.

    For enterprises that need extra time to adjust to these changes, policies will be made available.

Upcoming Admin console changes

  • New Version Report and Update Controls

    There will be a new Version Report and Update Controls available in the Admin console. These features give increased visibility into the Chrome versions deployed in your enterprise and allows you to more granularly control how managed Chrome browsers update. If you would like to sign up to be a Trusted Tester for these features please enter your test domain and a contact email into this form.

 
Chrome 84

Important: Adobe will no longer update and distribute Flash Player after December 31, 2020, therefore Chrome will no longer support Flash content. You can read more about Adobe's plans to discontinue Flash player in Adobe's blog post. Adobe is working with HARMAN, their exclusive licensing/distribution partner, to provide support for Flash Player in legacy browsers.

Chrome is designed to meet the needs of Chrome Enterprise customers, including integration with legacy web content. Companies that need to use a legacy browser to run Flash content after December 31, 2020 can get set up with HARMAN and Legacy Browser Support.

Chrome Browser updates

  • Updates to cookies with SameSite

    Starting on July 14, cookies that don’t specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context must explicitly request SameSite=None. Cookies with SameSite=None must also be marked Secure and delivered over HTTPS. To reduce disruption, the updates will be enabled gradually, so different users will see it at different times. We recommend that you test critical sites using the instructions for testing.

    You will be able to revert to the legacy cookie behavior using policies until Chrome 91. You can specify domains accessing cookies that require legacy semantics using LegacySameSiteCookieBehaviorEnabledForDomainList or control the global default with LegacySameSiteCookieBehaviorEnabled. For more details, visit Cookie Legacy SameSite Policies.

    This change started with Chrome 80, but was temporarily on hold in light of the COVID-19 pandemic. It’s being set in motion again, and will take effect in Chrome 80 and more recent versions of Chrome.

  • Insecure downloads will be blocked from secure pages in Chrome 84 through Chrome 88

    By Chrome 88, downloads from insecure sources will no longer be allowed when started from secure pages. This change will be rolled out gradually, with different file types affected in different releases:     

  • Executables—Users will be warned in Chrome 84, and files will be blocked in Chrome 85.
  • Archives —Users will be warned in the Chrome developer console in Chrome 85, and files will be blocked in Chrome 86.
  • Other non-safe types (e.g. pdfs)—Users will be warned in the Chrome developer console in Chrome 86, and files will be blocked in Chrome 87.
  • Other files—Users will be warned in the Chrome developer console in Chrome 87, and files will be blocked in Chrome 88.

Warnings on Android will lag behind Desktop warnings by one release. For example, executables will show a warning starting in Chrome 85.

The existing InsecureContentAllowedForUrls policy can be used to allow specific page URLs to download insecure files. You can read more details in our blog post.

  • Improved resource consumption when window is not visible

    To save on CPU and power consumption, Chrome will detect when a window is covered by other windows and will suspend work painting pixels. A previous version of this feature had an incompatibility with some virtualization software. Known bugs have been fixed, but if you experience any issues, you will be able to disable this feature using the NativeWindowOcclusionEnabled policy.

    Some users will see this feature in Chrome 84, with a full release planned in Chrome 85.

  • Chrome remembers user preferences when launching external protocols

    As requested by IT admins, users are able to select "always allow for this site" when opening an external protocol in Chrome 84. The approval is scoped to the current origin, and is only available for secure origins.

  • The URLWhitelist policy only allows external protocols for domain joined devices

    A recent release of Chrome changed the behavior of the URLWhitelist policy which lets you allow external protocols such as “callto:” or “ms-calendar”. To improve security on Windows®, this policy only allows external protocols for devices joined to an Active Directory domain.

  • Deprecation of TLS 1.0 and TLS 1.1

    The Chrome team announced in October 2019, plans for the deprecation of legacy TLS versions (TLS 1.0 and 1.1). In Chrome 84, we will mark sites that do not support TLS 1.2 and above with a full-page warning telling users that the connection is not fully secure. 

    If users have sites affected by these changes and need to opt out, you can use the SSLVersionMin policy to turn off the security indicator and warning. To allow TLS 1.0 and later without additional warnings, set the policy to tls1. The SSLVersionMin policy will work until January 2021. More details are available in our blog post.

  • Improvements to Chrome downgrades

    When a managed Chrome browser updates to the next version, it will retain a snapshot of User Data. This is useful for admins when Sync is turned off and they need to rollback to a previous version of Chrome. The number of snapshots can be controlled using the UserDataSnapshotRetentionLimit policy and Chrome can function as it did before by setting UserDataSnapshotRetentionLimit to 0. For more details, visit Downgrade your Chrome version.

  • Stronger consent for the search and new tab page

    Chrome will protect against extensions that attempt to change the user's preferences without their consent. After an extension changes the default search engine or the new tab page, Chrome will confirm the change with the user, and allow them to keep the change or revert back to the old settings.

    As an admin, you can control your employees' default search provider directly using the Default Search Provider and NewTabPageLocation policies. They will not trigger a confirmation dialog.

  • User-Agent Client Hints

    As part of an ongoing effort to reduce bad actors’ ability to track users, Chrome plans to reduce the granularity of information that is part of the user agent string and expose that information through User-Agent Client Hints. In Chrome 84, we are introducing User-Agent Client Hints for some users. This is an additive change only, and should not have any negative effect when interacting with any standards-compliant server.

    However, some servers may not be able to accept all characters in the User-Agent Client Hints headers, part of the broader Structured Headers emerging standard. If the addition of this header causes problems with servers that cannot be fixed quickly, you will be able to use the UserAgentClientHintsEnabled policy to disable the added headers. Although, this is a temporary policy that will be removed in Chrome 88.

    You can test your environment by enabling the "experimental web platform features" flag in Chrome. A wider rollout of this change is planned in Chrome 85.

  • Cross-Origin Resource Sharing (CORS) enterprise policies will no longer take effect

    The CorsMitigationList and Cors​Legacy​Mode​Enabled policies have been removed in Chrome 84, as previously communicated.

  • The ForceNetworkInProcess policy is now deprecated

    Chrome 73 introduced a change to move network activity into a separate process. We were aware of known incompatibilities with some third-party software that were injected into Chrome's process, so the ForceNetworkInProcess policy was provided as a temporary stop-gap to revert to the old behavior. The transition period for this change ends in Chrome 84, and the policy is no longer available.

Chrome OS updates

  • Camera app supports MP4 (H.264)

    Videos captured in the Chrome OS Camera app will now save as MP4 (H.264) videos. This makes it easier to use your recorded videos in other apps.

  • Window management improvements for multiple monitors and split screen

    When in Overview mode you can now drag a window to the left or right edge to quickly set up a split screen. If you use multiple monitors, you can drag windows to other displays while in Overview mode.

  • Adding search functionality to the ChromeVox menu

    For screen reader users, the ChromeVox menu is a one-stop-shop for learning about ChromeVox and accessing key information and commands. When ChromeVox is turned on, press Search + Period at any time to open the menu and explore options such as jump commands, speech options, and much more. As of Chrome 84, it's now possible to search within the ChromeVox menu to find what you are looking for even faster! Simply open the menu and your mouse cursor will automatically be placed in the Search field. You can either search for a given item, or use the arrow keys to navigate the menu options.

  • Sheet Limit Policy for Native Printing

    Many organizations would like to limit the amount of paper used when printing. With the PrintingMaxSheetsAllowed policy, admins can limit the number of sheets used in a single print job for their managed devices users. For example, placing a limit on printing excessively large documents such as an entire digital textbook, ebook, or accidental print requests, prevents ink and paper waste.

  • Chrome OS login/lock screen enterprise disclosure

    On the login screen, Chrome OS now shows an enterprise badge on managed profiles. This allows users to see at first glance whether their profile is managed or not.

  • Crostini mic permission

    You can now give Crostini access to your microphone through Settings. If you're developing an Android app, you can test the microphone feature using the Android emulator.

Admin console updates

  • Update controls are available for managed browsers

    In the Admin console, admins can now configure additional update policies for Chrome browsers that are managed by Chrome Browser Cloud Management. For example, you might want to allow or disable updates, pin a specific version of Chrome, roll back to a previous version of Chrome, set relaunch notifications, or control when Chrome checks for updates. The configuration details are further described in this help center article.

  • Network file shares policy

    Admins can now configure network file shares for users under Chrome managementand thenUser settingsand thenNetwork file shares. These policies include configuration of SMB settings for NetBIOS discovery, NTLM authentication, and preconfiguring file shares so users can see them within the Files app on Chrome OS.

  • Readable data in the devices export

    Timestamps in the device list’s CSV export file are now in a “human-readable” format. This format helps to make the timestamps easy for users to read. Previously, these columns contained the same value as reported through the Directory API.

  • Domain-restricted apps & extensions from the Chrome Web Store

    In the Google Admin console, admins can now add domain-restricted apps & extensions from the Chrome Web Store. These apps are available under Chrome managementand thenAppsand thenAdd from Chrome Web Storeand thenView private apps.

  • Device screen resolution

    Admins can now configure the screen resolution and UI scaling for displays.  These settings are available under Chrome managementand thenDevice settingsand thenScreen settings.

  • Dinosaur game policy

    When Chrome cannot connect to the internet it displays a “Dinosaur game” for users to play.  This game is disabled by default for domain-enrolled Chrome OS devices, but admins can enable it under Chrome managementand thenUser settingsand thenDinosaur game.

  • Ignore proxy on captive portals policy

    Chrome OS can open captive portal authentication pages in a separate window that ignores all policies for the current user, including proxy settings. This policy only takes effect if a proxy is configured through policy in chrome://settings or by extensions. This policy is available under Chrome managementand thenUser settingsand thenIgnore proxy on captive portals.

  • Display system info on the sign-in screen

    Your users can view system information such as serial numbers and OS versions on the sign-in screen by pressing Alt+V. Admins can allow or not allow access to this feature under Chrome managementand thenDevice settingsand thenSystem info on sign-in screen.

  • Device accessibility policies

    In addition to the launch of advanced accessibility controls for users, a similar set of controls for the login screen allows admins to enable accessibility features remotely or restrict them when necessary. For example, restricting dictation features in hospitals or blocking certain features in classrooms to prevent disruption. See the full list of features below:

    • Spoken feedback
    • Select to speak
    • High contrast
    • Screen magnifier
    • Sticky keys
    • Virtual keyboard
    • Dictation
    • Keyboard focus highlighting
    • Caret highlight
    • Auto-click enabled
    • Large cursor
    • Cursor highlight
    • Primary mouse button
    • Mono audio
    • Accessibility shortcuts

New and updated policies (Chrome Browser and Chrome OS)

Policy Description
AccessibilityImageLabelsEnabled Enables Get Image Descriptions from Google
AppCacheForceEnabled Allows the AppCache feature to be re-enabled even if it is turned off by default
AutoOpenAllowedForURLs List of URLs specifying which urls AutoOpenFileTypes will apply to
AutoOpenFileTypes List of file types that should be automatically opened on download

PrintRasterizationModeWindows only

Controls how Google Chrome prints on Windows

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • Wildcards no longer supported in PluginsAllowedForUrls in Chrome 85

    In preparation for the Flash deprecation later this year, Chrome will be removing the ability for enterprises to define entries with wildcards in hostnames (e.g., “https://*” or “https://[*.]mysite.foo”) for the PluginsAllowedForUrls policy. If you're using hostname wildcards, you will need to explicitly specify which hostnames still require Flash. For example, “https://[*.]mysite.foo” would need to be updated to match explicit entries like “https://flash.mysite.foo”. This change is intended to help determine which sites still require updating, with time to make an adjustment before support for Flash is removed completely in December, 2020.

  • Compiler optimization performance improvements in Chrome 85

    Chrome will use an improved compiler optimization technique on Mac and Windows in Chrome 85. Enterprises aren't expected to notice any changes, but software interacting with Chrome in unexpected or unsupported ways such as, code injection, may not function as expected with Chrome 85.

    To ensure compatibility, you can test your environment with the Chrome 85 beta channel, starting July 23, 2020.

  • The Legacy Browser Support extension will be removed from the Chrome Web Store in Chrome 85

    Legacy Browser Support (LBS) is now built into Chrome, and the old extension is no longer needed. The Chrome team is planning to unpublish LBS from the Chrome Web Store in Chrome 85, and it will be removed from browsers in Chrome 86. To continue using Legacy Browser Support, ensure you're using Chrome's built-in policies, documented here.  The old policies set through the extension will no longer take effect when the extension is removed. If you run into issues using the built-in LBS policies please file a new issue report at http://crbug.com/new.

  • Cross-origin fetches will be disallowed from content scripts in Chrome Extensions in Chrome 85

    As part of an effort to improve Chrome Extension security, cross-origin fetches are being disallowed from content scripts in Chrome Extensions. Cross-Origin Read Blocking (CORB) has already applied to content scripts since M73. We plan to also enable CORS for content script requests starting in M85. We expect most extensions to be unaffected by the CORS change, but there is a chance that some requests initiated from content scripts may start to fail.

    Please test Chrome Extensions that your business depends on, to make sure they work with the new behavior when Chrome is launched with the following cmdline flags (in 81.0.4035.0 or later):

    --enable-features=OutOfBlinkCors,CorbAllowlistAlsoAppliesToOorCors

    During the test, watch for fetches or XHRs that are initiated by content scripts and blocked by CORS.  If extensions you depend on are affected, then please open bugs to add the affected extensions to a temporary allowlist to exempt them from the change. The changes only affect  fetches or XHRs for content types not blocked by CORB (such as images, JavaScript, and CSS), and only if the server does not approve the CORS request with an Access-Control-Allow-Origin response header.

  • Improved resource consumption for background tabs in Chrome 85

    To save on CPU and power consumption, Chrome will throttle the amount of CPU that background tabs can use. With this change, Chrome will only allow background tabs to wake up once per minute and to only use 1% CPU time.

    You will be able to control this behavior using the IntensiveWakeUpThrottlingEnabled policy.

  • Introduction of AutoLaunchProtocolsFromOrigins policy in Chrome 85

    The new AutoLaunchProtocolsFromOrigins policy will allow you to specify combinations of external protocols and origins that should be launched automatically, without requiring user confirmation.

  • The SafeBrowsingExtendedReportingOptInAllowed policy will no longer take effect in Chrome 85

    The support of SafeBrowsingExtendedReportingOptInAllowed policy will be removed in Chrome 85. Please use SafeBrowsingExtendedReportingEnabled policy instead. You can find the migration instructions on the deprecated policy page.

  • Chrome on MacOS will have additional protection for sensitive enterprise policies in Chrome 85

    Macs that are not managed by a UEM/EMM/MDM (or legacy MCX) will ignore sensitive enterprise policies that may be set by malware. This check already happens for sensitive policies on Windows, and will apply to the same set of policies on MacOS.

  • Single words will not be treated as intranet locations by default in Chrome 86

    By default, Chrome 86 will improve user privacy by avoiding DNS lookups for single keywords entered into the address bar, which could theoretically be read by a malicious actor. However, this change to default behavior will likely interfere with enterprises that use single-word domains in their intranet. That is, a user typing "helpdesk" will no longer be directed to "https://helpdesk/".

    You will be able to control the behavior of Chrome via policy. In addition to preserving the existing behavior (which will perform a search immediately and then ask the user if they're trying to reach the intranet site), you can also set the intranet site as Chrome's first action.

  • Chrome will warn about mixed content forms in Chrome 86

    Web forms that load via HTTPS but submit their content via HTTP (unsecured) pose a potential risk to users' privacy. Chrome 85 will show a warning on such forms, telling the user that the form is insecure. Chrome will show an interstitial warning when the form is submitted, which will stop any data transmission, and the user will be able to choose to proceed or cancel the submission.

    You will be able to control this behavior using the DisableMixedFormsWarning enterprise policy.

  • The address bar will show the registrable domain rather than the full URL for some users in Chrome 86

    To protect your users from some common phishing strategies, Chrome will begin showing only the registrable domain in the address bar in Chrome 86. This change makes it more difficult for malicious actors to trick users with misleading URLs. For example, https://google-secure.example.com/secure-google-sign-in/ will appear only as example.com to the user.

    Although this change is designed to keep your users' credentials safe, you will be able to revert to the old behavior through the ShowFullUrls policy. This change will initially only roll out to some users, with a full rollout planned for a later release.

  • DTLS 1.0 will be removed in Chrome 86

    DTLS 1.0, a protocol used in WebRTC for interactive audio and video, will be removed by default. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. You can test if any of your applications will be impacted using the following command line flag when launching Chrome:

    --force-fieldtrials=WebRTC-LegacyTlsProtocols/Disabled/ 

    If your enterprise needs additional time to adjust, a policy will be made available to temporarily extend the removal.

  • Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 86

    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. A policy will be provided to turn off this mechanism, and another one to allow specific pages to make requests to more private IP Address Spaces.

  • Chrome extensions will not be able to inject Flash content settings in Chrome 86

    Extensions will not be able to inject content settings for Flash. Admins should instead use policies to control Flash behavior on Chrome. See PluginsAllowedForUrls.   

  • More inclusive policy names will be introduced in Chrome 86

    Chrome will be moving to more inclusive policy names in Chrome 86. The terms "whitelist" and "blacklist" will be replaced with "allowlist" and "blocklist". The following policies will be deprecated, and equivalent policies will be introduced for each: 

Deprecated policy name New policy name
ExtensionInstallWhitelist ExtensionInstallAllowlist
ExtensionInstallBlacklist ExtensionInstallBlocklist
NativeMessagingBlacklist NativeMessagingBlocklist
URLBlacklist URLBlocklist
URLWhitelist URLAllowlist
AuthNegotiateDelegateWhitelist AuthNegotiateDelegateAllowlist
AuthServerWhitelist AuthServerAllowlist
SpellcheckLanguageBlacklist SpellcheckLanguageBlocklist
AutoplayWhitelist AutoplayAllowlist
SafeBrowsingWhitelistDomains SafeBrowsingAllowlistDomains
DeviceNativePrintersWhitelist DeviceNativePrintersAllowlist
ExternalPrintServersWhitelist ExternalPrintServersAllowlist
NativePrintersBulkWhitelist NativePrintersBulkAllowlist

 

If you're already using the existing policies, they will continue to work, though you will see warnings in chrome://policy stating that they're deprecated.

  • Factor in scheme when determining if a request is cross-site (Schemeful Same-Site) in Chrome 88

    Chrome 88 will modify the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. For example, http://site.example and https://site.example will be considered cross-site to each other.

    For enterprises that need extra time to adjust to these changes, policies will be made available.

  • The Chrome Browser Cloud Management reporting extension will cease functionality in Chrome 86

    The Chrome Browser Cloud Management reporting extension is no longer necessary, as its functionality has been integrated into Chrome browser. If you are manually force-installing this extension, you can safely stop doing so. Please ensure that you've set "Enable managed browser cloud reporting" in the admin console instead.

    The extension will no longer function in Chrome 86.

Upcoming Admin console changes

  • New Version Report and Update Controls

    There will be a new Version Report and Update Controls available in the Admin console. These features give increased visibility into the Chrome versions deployed in your enterprise and allows you to more granularly control how managed Chrome browsers update. If you would like to sign up to be a Trusted Tester for these features please enter your test domain and a contact email into this form.

 
Chrome 83

Important: Adobe will no longer update and distribute Flash Player after December 31, 2020, therefore Chrome will no longer support Flash content. You can read more about Adobe's plans to discontinue Flash player in Adobe's blog post. Adobe is working with HARMAN, their exclusive licensing/distribution partner to provide support for Flash Player in legacy browsers.

Chrome is designed to meet Chrome Enterprise customer needs, including integration with legacy web content. For companies that need to use a legacy browser to run Flash content after December 31, 2020, HARMAN and Legacy Browser Supportcan get you up and running.

Chrome Browser updates

  • Secure DNS

    The DNS requests of all users will autoupgraded to their DNS provider’s DNS-over-HTTPS (DoH) service if available (based on a list of known DoH-capable servers). This change will roll out gradually throughout Chrome 83. You can disable DNS-over-HTTPS for your users with the DnsOverHttpsMode policy with Group Policy or in the Google Admin Console. Setting it to off will ensure that your users are not affected by Secure DNS.

  • Flash Dialog Changes

    Chrome is adding the following warning text to the activation prompt for Flash Player, highlighting the industry wide end of support: "Flash Player will no longer be supported after December 2020." Users will see this prompt, even if Flash is enabled by policy. To learn more, please visit Saying goodbye to Flash in Chrome.

  • Legacy Browser Support improvements

    The Legacy Browser Support (LBS) functionality incorporates multiple improvements such as better Kerberos support, interoperability between the LBS extension and the LBS Cloud policies, and reducing the time it takes the user to switch between Chrome and the legacy browser.

  • Introduction of tab groups for all users

    Starting in Chrome 80, some users were able to organize their tabs by grouping them together on the tab strip. Each group can have a color and a name to help your users keep track of their different tasks and workflows. This has been rolled out to Chrome, Mac®, Windows®, and Linux® users throughout Chrome 83.

  • Changes to the ManagedBookmarks policy

    The ManagedBookmarks policy is subject to strict verification. In Chrome 83, if the name or URL fields are not populated in a string format as described by the policy, this policy might become invalid.

  • If your users have any issues viewing the managed bookmarks, check to see if the policy has an error in chrome://policy, or if you're using Chrome Browser Cloud Management, you can check for errors in the Google Admin console. If you do see an error, make sure the Managed Bookmarks policy is using the string types listed above.

  • Third-party cookies blocked by default for Incognito sessions

    Chrome now blocks third-party cookies by default during Incognito sessions, however you can enable third-party cookies on a site-by-site basis.

    You can control Chrome's behavior using the BlockThirdPartyCookies policy through Group Policy or the Google Admin console:

    • Not set—The user is able to control third-party cookies and they'll be blocked by default in Incognito sessions.
    • True —Third-party cookies blocked in both Incognito and standard sessions.
    • False—Third-party cookies will not be blocked, and the setting cannot be changed.
  • Users can check all of their saved passwords for leaks

    In Chrome 79 we started warning users if their credentials had been compromised in a data leak when they logged into a website. Chrome 83 builds on this feature, allowing users to check on all of their saved passwords at once. This feature uses the same privacy-preserving system introduced in Chrome 79; it does not send plain-text passwords to Google.

    If you wish, you can prevent your users from accessing this feature by preventing Chrome from saving passwords using the Password​Manager​Enabled policy through Group Policy or the Google Admin console.

  • Control over the variations framework

    Admins have more granular control over the update behaviors in Chrome 83. In addition to the version controls that exist today, Chrome 83 allows you to configure Chrome variations with the ChromeVariations (Mac®, Windows®, and Linux®) and DeviceChromeVariations (Chrome OS) policies. You can choose between:

    • Variations enabled—The default setting that allows all variations in Chrome.
    • Critical fixes only—Disables all experiments and progressive rollouts, but will still apply variations with immediate and important security or compatibility improvements.
    • Variations disabled—No changes will be deployed using the variations framework. Choosing this setting significantly increases the risk of security and compatibility issues, and is not recommended.
  • Updated form control elements

    HTML form controls provide the backbone for much of the web's interactivity, however one issue is inconsistency in the styling. Older controls were styled to match the user's operating system, while more the recent controls are designed to match the style most commonly used. This has led to inconsistent accessibility, touch, keyboard support and outdated controls.

    To address these gaps, Chrome 83 introduces a new set of default settings. These settings allow effortless ways for Developers to keep their controls looking great, consistent, and widely usable.

    If you encounter any incompatibility issues with this change, the UseLegacyFormControls policy will revert to the previous default settings.

  • Updated UI for extensions

    Chrome has improved the extension manager UI by making it easier for the user to control their installed extensions. The icons that represent the extensions are now listed underneath the extension menu and can also be pinned beside the address bar for quick access.

  • SameSite cookie changes were rolled back

    With the stable release of Chrome 80 in February, Chrome began enforcing secure-by-default handling of third-party cookies as an ongoing effort to improve privacy and security across the web. 

    However, in light of the extraordinary global circumstances due to COVID-19, we temporarily rolled back the implementation of SameSite cookie labeling. While most of the web ecosystem was prepared for this change, we want to be sure that websites which support our daily lives by providing essential services, like banking, grocery, government services, and healthcare are stable.

    We plan to resume implementation in Chrome 84. The SameSite Updates page will be updated regularly with the latest schedule.

  • New Trusted Tester sign up page available for Chrome Enterprise

    If you're interested in trying new Chrome Enterprise features before they're released and provide feedback, we have an updated sign up form for our Trusted Tester program, available here.

  • More intuitive privacy and security controls for end users in Chrome

    Chrome is launching new tools and a redesign of Chrome’s privacy and security settings on desktop to make them easier for users to understand and control. For details, see the Chrome blog post

  • CORS implementation is more secure for web views on mobile

    Chrome is modifying its Cross-Origin Resource Sharing (CORS) implementation to be more secure. The CORS changes which have already been launched on desktop computers and within Chrome for mobile, will now apply to WebView in Chrome 83.

    If you need extra time to adapt to this migration, the OOR-CORS Troubleshooting page will help with investigating incompatibility issues.

Chrome OS updates

  • Relaunch Notification for Chrome OS Updates

    In Chrome 83, relaunch notifications allow you to recommend or enforce Chrome OS to relaunch within a certain time period after an update has been downloaded.

  • Gesture Navigation & Education

    There are new gestures available for Chromebook tablet mode, that make it easy for users to navigate using touch. Users will now be shown tips on how to use gestures to go Home, Back, and see open apps. For those who need navigation buttons, they can be turned on through the Accessibility setting.

  • Virtual Desks Renaming and Restore

    In Chrome 78, we released Virtual Desks which allowed users to create up to four separate work spaces. This feature helps create boundaries between projects or activities, making it easier to multitask and stay organized.

    Now users are able to choose a unique name for each Virtual Desk, allowing them to choose names know what each desk is for. Also, the desks and their names, will not change after the device reboots or crashes. For more information, see Set up & manage Virtual Desks.

    To enable Virtual Desks, users can tap the overview key on the top of the keyboard or swipe down on the keypad using three fingers; “+ New desk” will appear in the top right hand corner.

  • Idle Settings Changes

    Users can now choose what their Chromebook does when it becomes idle while charging or on battery. Users can find these settings in the Settings app which is available through App Launcher or the cog icon in the Quick Settings menu under Device > Power.

  • Files media views available on all devices

    Media views such as recents, audio, images, videos are now located at the top of the Files app side navigation on all devices. These views allow users to more quickly access their recent files by category.

  • Get device hostname from enterprise.deviceAttributes Extension API

    The enterprise.deviceAttributes extension API has been updated with a new method (getDeviceHostname) to return the hostname that Chrome OS announces for itself in DHCP queries.

  • Improved APK caching (non-library direct installs, split APKS, postpone Play self-update, multiple versions)

    With  Chrome 83, users should see a significant increase in the install reliability of Android apps on Chrome OS. Especially, we released three major changes: (1) We significantly improved the reliability of force install & allow install policies on Chrome OS by the fast policy propagation feature (2) Due to delayed Play self-updates, Android apps get installed before eventual updates of the Play store. (3) By extending caching to allow-installed apps and split-APKs, apps will be installed much quicker for a user if they were already installed by another user before.

Admin console updates

  • Update blackout windows

    The DeviceAutoUpdateTimeRestrictions policy is now available in the Admin console. This policy allows you to create schedules specifying when automatic update checks are not to be performed. This policy only affects devices configured to auto-launch a kiosk app.

  • Manage accessibility settings for user sessions & managed guest sessions

    Advanced accessibility controls allow you to enable the accessibility features remotely or restrict them when necessary. For example, as an administrator, you can restrict dictation features in hospitals or block certain features in classrooms to prevent disruption.

  • Android app installations report

    The new Android app (ARC++) installation report page allows you to view the status and number of Android app installations, providing greater visibility into the app ecosystem health. The redesigned UI has stronger filtering capabilities, streamlined status descriptions, and layout updates such as app icons.     

  • Bulk reboot for devices

    You can now select multiple kiosk devices from the device list and reboot them in bulk. Previously reboot was available on a device-by-device basis only.

  • Deprecation of remote commands for Chrome OS devices running version Chrome 77 and earlier

    Due to a service upgrade, as of May 15, 2020 Chrome devices running Chrome 77 or earlier no longer receive remote commands. Remote commands are mainly used to monitor and control kiosk health, such as taking screenshots or rebooting devices. To continue using remote commands for devices in your organization, make sure that the devices are running Chrome version 78 or later. See Remote commands no longer supported on version 77 or earlier.

New and updated policies (Chrome Browser and Chrome OS)

Policy Description
ChromeVariations Configuring this policy allows you to specify which variations are allowed to be applied in Google Chrome
UserDataSnapshotRetentionLimit    Limits the number of user data snapshots retained for use in case of an emergency rollback (Chrome browser)
NativeWindowOcclusionEnabled Enables native window occlusion in Google Chrome (Windows only)
AllowNativeNotifications Configures whether Google Chrome on Linux will use native notifications (Linux only)
UseLegacyFormControls Use Legacy Form Controls until M84
AdvancedProtectionAllowed Enable additional protections for users enrolled in the Advanced Protection program
ScrollToTextFragmentEnabled Enable scrolling to text specified in URL fragments

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • Deprecation of TLS 1.0 and TLS 1.1 in Chrome 84

    The Chrome team announced plans for the deprecation of legacy TLS versions (TLS 1.0 and 1.1) last October. In Chrome 84, we will mark sites that do not support TLS 1.2 and above with a full-page warning telling users that the connection is not fully secure. 

    If users have sites affected by these changes and need to opt out, you can use the SSLVersionMin policy to disable the security indicator and warning. To allow TLS 1.0 and later without additional warnings, set the policy to tls1. The SSLVersionMin policy will work until January 2021. More details are available in our blog post.

  • DTLS 1.0 will be removed in Chrome 84

    DTLS 1.0, a protocol used in WebRTC for interactive audio and video, will be removed by default. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. If your enterprise needs additional time to adjust, a policy will be made available to temporarily extend the removal.

  • CORS enterprise policies will no longer work in Chrome 84

    The CorsMitigationList and Cors​Legacy​Mode​Enabled policies will be removed in Chrome 84, as previously communicated.

  • The URL Whitelist policy will not allow you to whitelist external protocols in Chrome 84

    A recent release of Chrome changed the behavior of the URLWhitelist policy to let you whitelist an external protocol. To improve security, this policy will be changed back to its original behavior. As a result, external protocols will not be whitelisted through the policy.

  • Chrome will be able to remember approval for launching external protocols in Chrome 84

    Users will be able to check "always allow for this site" when opening an external protocol in Chrome 84. The approval will be scoped to the current origin, and will only be available for secure origins.

  • Compiler optimization performance improvements in Chrome 85

    Chrome will use an improved compiler optimization technique on Mac and Windows in Chrome 85. Enterprises aren't expected to notice any changes, but admins should test Chrome 85 Beta in their environment to confirm this change doesn't interfere with any software running in their environment. Software interacting with Chrome in unexpected or unsupported ways (e.g. code injection) may not function as expected with Chrome 85.

  • The ForceNetworkInProcess policy will no longer take effect in Chrome 84

    Chrome 73 introduced a change to move network activity into a separate process. We were aware of known incompatibilities with some third-party software that injected into Chrome's process, so the ForceNetworkInProcess policy was provided as a temporary stop-gap to revert to the old behavior. The transition period for this change will end in Chrome 84, and the policy will no longer have any effect.

  • Chrome on Mac will have additional protections for sensitive enterprise policies in Chrome 84

    Macs that are not managed by a UEM/EMM/MDM (or legacy MCX) will ignore certain sensitive enterprise policies that may be set by malware, on Chrome 84.

  • Insecure downloads will be blocked from secure pages, with changes in Chrome 84 through Chrome 88

    By Chrome 88, downloads from insecure sources will no longer be allowed when started from secure pages. This change will be rolled out gradually, with different file types affected in different releases:

   

  • Executables—Users will be warned in Chrome 84, and files will be blocked in Chrome 85
  • Archives—Users will be warned in Chrome 85, and files will be blocked in Chrome 86
  • Other non-safe types—Users will be warned in Chrome 86, and files will be blocked in Chrome 87 
  • Other files—Users will be warned in Chrome 87, and files will be blocked in Chrome 88

Warnings on Android will lag behind Desktop warnings by one release, for example Executables will show a warning starting in Chrome 85.

The existing InsecureContentAllowedForUrls policy can be used to allow specific page URLs to download insecure files. You can read more details in our blog post.

  • Wildcards no longer supported in PluginsAllowedForUrls in Chrome 85

    Also in preparation for the Flash deprecation later this year, Chrome will be removing the ability for enterprises to define wildcards for PluginsAllowedForUrls policy in Chrome 85. If you're using wildcards in that policy, you will need to switch to specific allowlists for any sites that are still using Flash. This change is intended to help determine which sites still require updating, with time to adjust before support for Flash is removed completely in Dec 2020.

  • Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 85

    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). For example, http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. A policy will be provided to disable this mechanism, and another one to allow specific pages to make requests to more private IP Address Spaces.

  • Cross-origin fetches will be disallowed from content scripts in Chrome Extensions in Chrome 85

    As part of an effort to improve Chrome Extension security, cross-origin fetches are being disallowed from content scripts in Chrome Extensions. Cross-Origin Read Blocking (CORB) has already applied to content scripts since M73. We plan to also enable CORS for content script requests starting in M85. We expect most extensions to be unaffected by the CORS change, but there is a chance that some requests initiated from content scripts may start to fail.

    Please test Chrome Extensions that your business depends on, to make sure they work with the new behavior when Chrome is launched with the following cmdline flags (in 81.0.4035.0 or later):

    --enable-features=OutOfBlinkCors,CorbWhitelistAlsoAppliesToOorCors

    During the test, watch for fetches or XHRs that are initiated by content scripts and blocked by CORS.  If extensions you depend on are affected, then please open bugs to add the affected extensions to a temporary allowlist to exempt them from the change. The changes only affect  fetches or XHRs for content types not blocked by CORB (such as images, JavaScript, and CSS), and only if the server does not approve the CORS request with an Access-Control-Allow-Origin response header.

    For more details please see: www.chromium.org.

  • Improved resource consumption when a window is not visible in Chrome 85

    To save on CPU and power consumption, Chrome will detect when a window is covered by other windows and will suspend work painting pixels. A previous version of this feature had an incompatibility with some virtualization software. Known bugs have been fixed, but if you experience any issues, you will be able to disable this feature using the NativeWindowOcclusionEnabled policy.

  • The Legacy Browser Support extension will be removed from the Chrome Web Store in Chrome 85

    Legacy Browser Support (LBS) is now built into Chrome, and the old extension is no longer needed. The Chrome team is planning to unpublish LBS from the Chrome Web Store in Chrome 85, and it will be removed from devices in Chrome 86. To continue using Legacy Browser Support, ensure you're using Chrome's built-in policies, documented here.  If you run into issues using the built-in LBS policies please file a new issue report at http://crbug.com/new.

  • Factor in scheme when determining if a request is cross-site (Schemeful Same-Site) in Chrome 86

    Chrome 86 will modify the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. For example, http://site.example and https://site.example will be considered cross-site to each other.

    For enterprises that need extra time to adjust to these changes, policies will be made available.

Upcoming Chrome OS changes

  • Adding print server support for CUPS

    We’re working on a feature to add support for Common UNIX Printing System (CUPS) printing to print servers from Chrome OS. You and your users will be able to configure connections to external print servers and print from the printers on servers using CUPS.

Upcoming Admin console changes

  • New Version Report and Update Controls

    There will be a new Version Report and Update Controls available in Admin Console. These features give increased visibility into the Chrome versions that are deployed in your organization and allow admins more detailed control of how Chrome Browser updates. If you would like to sign up to be a Trusted Tester for these features, please enter your test domain and a contact email into this form.

 
Chrome 81

Chrome Browser updates

  • Chrome’s consumer terms of service will be updated on March 31, 2020

    We are updating the Google Terms of Service effective March 31, 2020, and the improved Terms will now cover Chrome and Chrome OS. See a summary of the key changes and a preview of the new Terms and Additional Terms. Google users have been notified in-product of this change.

  • NTLM / Kerberos authentication disabled by default in Incognito mode and guest sessions

    Ambient authentication (NTLM/Kerberos) will be disabled by default in Incognito mode and guest sessions in Chrome 81. To revert to the old behavior and allow ambient authentication, use the AmbientAuthenticationInPrivateModesEnabled policy.

  • TLS 1.3 hardening measure

    TLS 1.3 includes a hardening measure to strengthen the protocol’s protections against a downgrade to TLS 1.2 and earlier. This measure is backward compatible and doesn’t require that proxies support TLS 1.3. It only requires that proxies correctly implement TLS 1.2. However, last year, we had to partially disable this measure due to noncompliant, TLS-terminating proxies.

    The following list contains the minimum firmware versions for affected products that we're aware of:

    Palo Alto Networks:

    • PAN-OS 8.1 must be upgraded to 8.1.4 or later.
    • PAN-OS 8.0 must be upgraded to 8.0.14 or later.
    • PAN-OS 7.1 must be upgraded to 7.1.21 or later.

    Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):

    • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later.
    • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later.
    • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later.

    You can opt in to the new measure to test it and confirm if your proxy is affected using the TLS13HardeningForLocalAnchorsEnabled policy. If you encounter problems, you should upgrade affected proxies to fixed versions.

    Starting in Chrome 81, the new measure will become the default. However, you will be able to use the same policy to opt out if you need to upgrade affected proxies. This policy will be available until Chrome 86.

  • Changes to how HTTPS pages load subresources

    In Chrome 81, http:// audio and video resources on https:// pages started getting autoupgraded to https://, and Chrome blocked them by default if they failed to load over https://. Users can unblock affected audio and video resources by clicking on the lock icon in the address bar and selecting Site Settings. Also in Chrome 80, http:// images on https:// pages were still allowed to load, but users started seeing “Not Secure” in the address bar.

    In Chrome 81, http:// images on https:// pages will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://.

    You can control these changes using the StricterMixedContentTreatmentEnabled policy (Strict treatment for mixed content in the Admin console), which disables autoupgrades for audio and video and the warning for images. This policy is a temporary policy and will be removed in Chrome 84.

    The InsecureContentAllowedForUrls and InsecureContentBlockedForUrls policies will control the site setting described above. These policies will eventually be removed, but there is no timeframe for their removal yet.

    You should begin ensuring that resources in pages are fetched over HTTPS and manage exceptions using a policy. For more information, see the Chromium blog

  • FTP support removed

    FTP will no longer be directly supported in Chrome 81. Your users should use a native FTP client instead.

  • Known incompatibility with older versions of Carbon Black Protection (Bit9)

    Carbon Black Protection (previously known as Bit9) has a known incompatibility with Chrome 81, which causes multi-second delays to some page loads. Update to Carbon Black Protection 8.1.8 when it becomes available to fix the incompatibility. Carbon Black has more information about the issue here.

  • Introduction of tab groups for remaining users

    Starting in Chrome 80, some users were able to organize their tabs by grouping them on the tab strip. Each group can have a color and a name to help your users keep track of their different tasks and workflows. This will be rolled out widely to Mac, Windows, and Linux users throughout Chrome 81.

  • Updated form control elements

    A small number of users will see a preview of new form control elements in Chrome 81. These will be launched more broadly with enterprise controls in Chrome 83. If any of your users are having trouble displaying form controls (text boxes, radio buttons, checkboxes, etc), please open a new issue at crbug.com.

  • Developer changes to Chrome Web Store

    The Chrome Web Store charges a $5.00 fee to register as a Chrome Web Store developer. This fee was previously required only before publishing an item to the public, but is now required for all Chrome Web Store developers. For more information, see this blog post.

Chrome OS updates

  • Use websites and Progressive Web Apps (PWAs) on Chrome OS Kiosk

    IT admins can now use the Google Admin console to install websites and Progressive Web Apps (PWAs) on managed Chrome devices in locked-down kiosk mode.

  • Linux (Beta) support for Android emulators

    Developers often need to run virtual machines, such as an Android developer who uses the Android emulator to test their app. While previously Linux for Chromebooks (aka Crostini) did not support virtual machines, this change allows Crostini to run virtual machines on specific boards.

  • Deploy Android apps to your Chromebook from Linux (Beta)

    Android developers using Linux for Chromebooks (aka Crostini) can now build apps with Android Studio and test them natively on their Chromebook using Chrome OS’s built-in Android runtime (ARC++). This feature can be turned on from Linux settings.

  • IP reporting for all managed devices

    Extend support for IP address reporting (LAN and WAN) under “System reporting and troubleshooting” under “Device Details” to include all managed devices with a signed-in, managed user, instead of just single app kiosk devices. This is enabled if “Device state reporting” is enabled under device policy.

  • Gestures in tablet mode

    Try new gesture navigation to to quickly switch between apps and interact with your Chromebook in tablet mode.

    • To get to the Home Screen at any time, swipe up from the bottom.

    • To see all pinned apps, small-swipe up from the bottom.

    • To return to the previous screen, swipe from the left.

    • To see all open windows, swipe up from the bottom and hold.

          

  • End to end support for printers via print servers

    Users are now able to connect to and save printers defined by print servers. IT admins can use this functionality to test print server setups for their organization.

  • Extended caching of Android apps

    So far, APK caching was only applied to force installed apps. From Q1 2020, APK caching is extended to Android apps in allow install mode.

    APK caching significantly reduces the installation time of Android apps if the same app was already installed on the device before. This especially applies to ephemeral sessions which require the re-installation of apps after every login.

    With the extension of APK caching to apps that are marked as "allow install" in the admin console, students and users of Chrome OS devices experience a significantly reduced installation time of their Android apps, helping them to spend more time on relevant tasks.

  • Android on Chrome OS kiosk mode deprecation

    In Chrome 81, you will no longer have access to set new policies for Android apps in kiosk mode. Existing policies for Android apps in kiosk mode will not be impacted and will be supported until June 2021. Websites and PWAs are the replacement technology for Kiosk, now supported in Chrome 81.

Admin console updates

  • Managed guest session settings redesign and idle settings

    The new redesigned settings page for managed guest sessions includes performance improvements, new search filters, and new settings. Admins can now set idle settings and lid close behavior for managed guest sessions.

  • Networks settings redesign

    The new redesigned Networks page for Chrome & mobile device management includes performance improvements and a fresh look.

  • Device list CSV export

    Admins can now export a CSV of the Chrome device list, including serial number, last policy sync time, OS version, latest user, and more. To export, go to the device list and click the download icon at the top right of the table.

  • Simultaneously manage Active Directory and Cloud devices

    Admins can now manage Chrome OS devices with Active Directory and Chrome OS devices with Cloud policy in the same admin console. A new set of enrollment policies support a mixed device environment along with a new Management Mode flag specifying whether the device is managed by cloud or Microsoft® Active Directory® on the device details page.

  • Remotely clear user profiles from device

    Admins can now clear all user profiles from a device remotely for use cases such as getting a device ready for a new user for the coming school year, supporting a rotating internship program and clearing data for troubleshooting without losing device settings.

New and updated policies (Chrome Browser and Chrome OS)

Policy Description
LocalDiscoveryEnabled Enable chrome://devices
ScreenCaptureAllowed Allow or deny screen capture

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • DNS-over-HTTPS in Chrome 83

    The DNS requests of some users are being autoupgraded to their DNS provider’s DNS-over-HTTPS (DoH) service if available, but DoH is disabled by default for managed devices running Chrome OS and for desktop Chrome Browser instances that are domain joined or have at least one active policy.

    In Chrome 83, DoH will launch by default for all remaining users. You can disable DNS-over-HTTPS for your users with the DnsOverHttpsMode policy. Setting it to off will ensure your users are not affected by DoH.

  • Updated form control elements in Chrome 83

    HTML form controls provide the backbone for much of the web's interactivity. One issue, however, is inconsistency in their styling. Older controls were styled to match the user's operating system, while more recent controls were designed to match whatever style was popular at the time. This has led to controls that look mismatched and sometimes outdated. They've also suffered from inconsistent accessibility, touch, and keyboard support.

    To address these gaps, Chrome 83 will introduce a new set of defaults for form controls. Developers will have less work to do to keep their controls looking great, consistent, and broadly usable. 

    If you encounter any incompatibility issues with this change, the UseLegacyFormControls enterprise policy will revert to the old defaults.

  • Deprecation of TLS 1.0 and TLS 1.1 in Chrome 83

    The Chrome team announced plans for the deprecation of legacy TLS versions (TLS 1.0 and 1.1) last October. In Chrome 81, we will mark sites that do not support TLS 1.2 and above with a full-page warning telling users that the connection is not fully secure.

    If users have sites affected by these changes and need to opt out, you can use the SSLVersionMin policy to disable the security indicator and warning. To allow TLS 1.0 and later without additional warnings, set the policy to tls1. The SSLVersionMin policy will work until January 2021. More details are available in our blog post.

  • Third party cookies will be blocked by default for Incognito sessions in Chrome 83

    Chrome 83 will block third-party cookies by default in Incognito sessions, with the ability to enable third party cookies on a site-by-site basis.

    You will be able to control Chrome's behavior with the existing BlockThirdPartyCookies policy:

    • Not set—the user will be able to control third party cookies, and they'll be blocked by default in Incognito sessions
    • True—third party cookies blocked in both Incognito and standard sessions
    • False—third party cookies will not be blocked, and the setting cannot be changed 
  • Changes to the ManagedBookmarks policy in Chrome 83

    The ManagedBookmarks policy will be subject to stricter verification in Chrome 83. This policy might become invalid if any of "name", "toplevel_name", or "url" fields are not of type "string" as described by the policy.

    If your users have any issues seeing managed bookmarks, check to see if the policy has an error in chrome://policy. If you see an error, make sure the ManagedBookmarks policy uses string types for the above fields.

  • CORS enterprise policies will no longer work in Chrome 84

    The CorsMitigationList and Cors Legacy Mode Enabled policies will be removed in Chrome 83, as previously communicated.

  • The URLWhitelist policy will not allow you to whitelist external protocols in Chrome 83

    A recent release of Chrome changed the behavior of the URLWhitelist policy to let you whitelist an external protocol. To improve security, this policy will be changed back to its original behavior. As a result, external protocols will not be whitelisted through the policy.

  • Users will be able to check all their saved passwords for leaks in Chrome 83

    Chrome 79 started warning users if their credentials had been compromised in a data leak when they logged into a website. Chrome 83 will build on this feature, allowing users to check on all their saved passwords at once. This feature uses the same privacy-preserving system introduced in Chrome 79; it does not send plain-text passwords to Google.

    If you wish, you can prevent your users from accessing this feature by preventing Chrome from saving passwords, using the Password Manager Enabled policy.

  • Control over the variations framework in Chrome 83

    Admins will have more granular control over update behavior in Chrome 83. In addition to the version controls that exist today, Chrome 83 will allow admins to configure Chrome variations with the ChromeVariations (Mac, Windows, and Linux) and DeviceChromeVariations (Chrome OS) policies. You will be able to pick between:

    • Variations enabled—this is the default, and allows all variations in Chrome.
    • Critical fixes only—this will disable all experiments and progressive rollouts.
    • Variations disabled—no changes will be deployed using the variations framework. Choosing this setting significantly increases the risk of security and compatibility issues, and is not recommended.
  • Flash Dialog Changes in Chrome 83

    Chrome will add warning text to the activation prompt for Flash Player, highlighting the industry wide end of support date (Dec 2020) with a link to learn more. It is not shown to users who have Flash enabled by policy.

  • Updated UI for extensions in Chrome 83

    Chrome 83 will have an improved extensions area in both the main browser and PWA windows, with an enhanced extensions menu.

  • Updated Tabstrip UI in Chrome 83

    Chrome 83 will feature a way to group related tabs, and will display preview images when hovering over tabs.

  • Improved resource consumption when a window is not visible in Chrome 83

    To save on CPU and power consumption, Chrome will detect when a window is covered by other windows and will suspend work painting pixels. A previous version of this feature had an incompatibility with some virtualization software. Known bugs have been fixed, but if you experience any issues, you will be able to disable this feature using the NativeWindowOcclusionEnabled policy.

    This feature will roll out to some users in Chrome 83.

  • DTLS 1.0 will be removed in Chrome 83

    DTLS 1.0, a protocol used in WebRTC for interactive audio and video, will be removed by default in Chrome 83. Any applications that depend on DTLS 1.0 (most likely gateways to other teleconferencing systems) should update to a more recent protocol. If your enterprise needs additional time to adjust, a policy will be made available to temporarily extend the removal. 

  • Insecure public pages no longer allowed to make requests to private or local URLs in Chrome 83

    Insecure pages will no longer be able to make requests to IPs belonging to a more private address space (as defined in CORS-RFC1918). E.g., http://public.page.example.com will not be able to make requests targeting IP 192.168.0.1 or IP 127.0.0.1. A policy will be provided to disable this mechanism, and another one to allow specific pages to make requests to more private IP Address Spaces.

  • Wildcards no longer supported in PluginsAllowedForUrls in Chrome 83

    Also in preparation for the Flash deprecation later this year, Chrome will be removing the ability for enterprises to define wildcards for PluginsAllowedForUrls policy in Chrome 83. If you're using wildcards in that policy, you will need to switch to specific allowlists for any sites that are still using Flash. This change is intended to help determine which sites still require updating, with time to adjust before support for Flash is removed completely in Dec 2020.

  • Chrome apps deprecation in Chrome 83

    As announced in January, Chrome apps will be phased out and ultimately disabled by June 2022. Beginning in Chrome 81, new public Chrome apps will no longer be accepted by the Chrome Web Store. Beginning in Chrome 83, Chrome will no longer support Chrome apps on Microsoft® Windows®, Apple® Mac®, and Linux®. If your organization needs extra time to adjust, a policy will be available to extend support until Chrome 87.

  • Insecure downloads will be blocked from secure pages, with changes in Chrome 83 through Chrome 86

    By Chrome 86, downloads from insecure sources will no longer be allowed when started from secure pages. This change will be rolled out gradually, with different file types affected in different releases:

    • Executables—users will be warned in Chrome 83, and files will be blocked in Chrome 84
    • Archives—users will be warned in Chrome 83, and files will be blocked in Chrome 84
    • Other non-safe types (e.g. pdfs)—users will be warned in Chrome 84, and files will be blocked in Chrome 85
    • Other files—users will be warned in Chrome 85, and files will be blocked in Chrome 86

The existing InsecureContentAllowedForUrls policy can be used to allow specific page URLs to download insecure files. You can read more details in our blog post.

  • Cross-origin fetches will be disallowed from content scripts in Chrome Extensions in Chrome 85

    As part of an effort to improve Chrome Extension security, cross-origin fetches are being disallowed from content scripts in Chrome Extensions. Cross-Origin Read Blocking (CORB) has already applied to content scripts since M73. We plan to also enable CORS for content script requests starting in M85, which will reach the stable channel around June 9th. We expect most extensions to be unaffected by the CORS change, but there is a chance that some requests initiated from content scripts may start to fail.

    Please test Chrome Extensions that your business depends on, to make sure they work with the new behavior when Chrome is launched with the following cmdline flags (in 81.0.4035.0 or later):

    --enable-features=OutOfBlinkCors,CorbAllowlistAlsoAppliesToOorCors

    During the test, watch for fetches or XHRs that are initiated by content scripts and blocked by CORS. If extensions you depend on are affected, then please open bugs to add the affected extensions to a temporary allowlist to exempt them from the change. The changes only affect fetches or XHRs for content types not blocked by CORB (such as images, JavaScript, and CSS), and only if the server does not approve the CORS request with an Access-Control-Allow-Origin response header.

    For more details please see: www.chromium.org

  • Factor in scheme when determining if a request is cross-site in Chrome 84

    Chrome 84 will modify the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. E.g., http://site.example and https://site.example will be considered cross-site to each other.

  • The ForceNetworkInProcess policy will no longer take effect in Chrome 84

    Chrome 73 introduced a change to move network activity into a separate process. We were aware of known incompatibilities with some third-party software that injected into Chrome's process, so the ForceNetworkInProcess policy was provided as a temporary stop-gap to revert to the old behavior. The transition period for this change will end in Chrome 84, and the policy will no longer have any effect.

Upcoming Chrome OS changes

  • Adding print server support for CUPS

    We’re working on a feature to add support for Common UNIX Printing System (CUPS) printing from print servers on Chrome OS. You and your users will be able to configure connections to external print servers and print from the printers on servers using CUPS.

 
Chrome 80

Chrome Browser updates

  • Updates to cookies with SameSite

    Starting in Chrome 80, cookies that don’t specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None. Cookies with SameSite=None must also be marked Secure and delivered over HTTPS. To reduce disruption, the updates will be enabled gradually, so different users will see it at different times. We recommend that you test critical sites using the instructions for testing.

    You will be able to revert to the legacy cookie behavior using policies until Chrome 88. You can specify trusted domains using LegacySameSiteCookieBehaviorEnabledForDomainList or control the global default with LegacySameSiteCookieBehaviorEnabled. For more details, visit Cookie Legacy SameSite Policies.

  • Pop-ups and synchronous XHR requests not allowed on page unload

    Pop-ups and synchronous XHR requests won’t be allowed on page unload. This change will improve page load time and make code paths simpler and more reliable. If you encounter incompatibilities with legacy software, you will be able to revert to behavior matching Chrome 79 and earlier using the following policies, which will be available until Chrome 88:

  • Control data types in Chrome sync

    Chrome users have the ability to granularly enable or disable each type of data that’s synchronized in the advanced Data from Chrome sync settings. In Chrome 80, you can also control the data types synced using the SyncTypesListDisabled policy.

  • Changes to how HTTPS pages load secure subresources in Chrome 80 and 81

    In Chrome 80, http:// audio and video resources on https:// pages will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Users can unblock affected audio and video resources by clicking on the lock icon on the address bar and selecting Site Settings. In Chrome 80, http:// images on https:// pages will still be allowed to load, but users will see  “Not Secure” on the address bar.

    In Chrome 81, http:// images on https:// pages will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://.

    You can control these changes using the StricterMixedContentTreatmentEnabled policy, which disables autoupgrades for audio and video and the warning for images. This policy is a temporary policy and will be removed in Chrome 84. The InsecureContentAllowedForUrls and InsecureContentBlockedForUrls policies will control the site setting described above. 

    You should begin ensuring that resources in pages are fetched over HTTPS and manage exceptions using a policy. For more information, see the Chromium blog.

  • Control if websites can check for user payment methods

    The PaymentMethodQueryEnabled policy allows you to control if websites can check for user payment methods. For details, see PaymentMethodQueryEnabled.

  • Web Components v0 removed

    The Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were supported only by Chrome Browser. To ensure interoperability with other browsers, late last year, we announced that these v0 APIs were deprecated and will be removed in Chrome 80. For more information, see the Web Components update.

    Until Chrome 85, you can use the WebComponentsV0Enabled policy to re-enable web components v0.

  • Introduction of tab groups for some users

    Starting in Chrome 80, some users will be able to organize their tabs by grouping them on the tab strip. Each group can have a color and a name to help your users keep track of their different tasks and workflows. A wider rollout is planned for Chrome 81.

  • Block external extensions

    In Chrome 80, you can use the BlockExternalExtensions policy to stop the installation of external extensions on your devices. The policy will not block kiosk apps or extensions installed by policy.

  • Chrome Browser Cloud Management Reporting Companion no longer required

    The functionality previously provided by the Chrome Browser Cloud Management - Reporting Companion extension has been integrated directly into Chrome Browser. If you’re using Chrome Browser Cloud Management, users will no longer see the extension on their devices when reporting is turned on. No action is required from admins or users.

Chrome OS updates

  • Enable autorotate for tablet devices with connected external inputs

    Autorotation will stay enabled when you connect a mouse to a device in tablet mode. You can pair a mouse with a tablet in portrait mode or a convertible device in tent mode without having to manually rotate your screen.

  • Switch default Linux (Beta) container to Debian 10 (Buster)

    Developers who set up Linux (Beta) for the first time will now receive a container with Debian 10 (Buster). Previously, containers used Debian 9 (Stretch). Existing Debian 9 containers will be upgraded in the future.

  • Policy to show PIN pad on sign-in and lock screen for tablets

    In certain environments, such as K–6 education, you might assign numeric-only passwords when more complex passwords are too cumbersome or hard to remember. To make signing in easier on Chrome OS touchscreen devices, you can now show the PIN pad on the sign-in and lock screens by default. Users can still get to the virtual keyboard to enter a full alphanumeric password if needed. For details, see the DeviceShowNumericKeyboardForPassword policy.

  • New notification for Chromebook Enterprise enrollment

    In Chrome 80, you no longer need to press Ctrl+Alt+E to begin the device enrollment process. At the end of the onboarding process, you'll see a welcome page where you can start enrollment. This is only available for Chromebook Enterprise devices.

Admin console updates

  • Quick switch between pages

    Admins can now quickly switch between each of the Chrome pages in the Admin console. Click the current page name to navigate to the other pages.

 

New and updated policies (Chrome Browser and Chrome OS)

Policy Description
AmbientAuthenticationInPrivateModesEnabled Enables ambient authentication for profile types
DNSInterceptionChecksEnabled Enables DNS interception checks
NTPCustomBackgroundEnabled Allows users to customize the background on the New Tab page
PaymentMethodQueryEnabled Allows you to control if websites can check for user payment methods
PrinterTypeDenyList Disables printer types on the deny list
StricterMixedContentTreatmentEnabled Controls treatment for mixed content
SyncTypesListDisabled Controls data types that should be excluded from synchronization

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • Known incompatibility with older versions of Carbon Black Protection (Bit9) in Chrome 81

    Carbon Black Protection (previously known as Bit9) has a known incompatibility with Chrome 81, which causes multisecond delays to some page loads. An upcoming version of Carbon Black Protection (8.1.8) will fix the incompatibility.

  • Improved resource consumption when window not visible in Chrome 81

    To save on CPU and power consumption, Chrome 81 will detect when a window is covered by other windows and will suspend work painting pixels. A previous version of this feature had an incompatibility with some virtualization software. Known bugs have been fixed, but if you experience any issues, you will be able to disable this feature using the NativeWindowOcclusionEnabled policy.

  • Ambient authentication disabled by default in Incognito mode and guest sessions in Chrome 81

    Ambient authentication (NTLM/Kerberos) will be disabled by default in Incognito mode and guest sessions in Chrome 81. To revert to the old behavior and allow ambient authentication, use the AmbientAuthenticationInPrivateModesEnabled policy.

  • TLS 1.3 hardening measure implemented in Chrome 81

    TLS 1.3 includes a hardening measure to strengthen the protocol’s protections against a downgrade to TLS 1.2 and earlier. This measure is backward compatible and doesn’t require that proxies support TLS 1.3. It only requires that proxies correctly implement TLS 1.2. However, last year, we had to partially disable this measure due to bugs in some noncompliant, TLS-terminating proxies.

    The following list contains the minimum firmware versions for affected products that we're aware of:

    Palo Alto Networks:

    • PAN-OS 8.1 must be upgraded to 8.1.4 or later.
    • PAN-OS 8.0 must be upgraded to 8.0.14 or later.
    • PAN-OS 7.1 must be upgraded to 7.1.21 or later.

    Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):

    • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later.
    • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later.
    • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later.

    You can opt in to the new measure to test it and confirm if your proxy is affected using the TLS13HardeningForLocalAnchorsEnabled policy. If you encounter problems, you should upgrade affected proxies to fixed versions.

    Starting in Chrome 81, the new measure will become the default. However, you will be able to use the same policy to opt out if you need to upgrade affected proxies. This policy will be available until Chrome 86.

  • DNS-over-HTTPS in Chrome 81
    The DNS requests of some users are being autoupgraded to their DNS provider’s DNS-over-HTTPS (DoH) service if available, but DoH is disabled by default for managed devices running Chrome OS and for desktop Chrome Browser instances that are domain joined or have at least one active policy.

    In Chrome 81, DoH is expected to launch by default for all remaining users. You can disable DNS-over-HTTPS for your users with the DnsOverHttpsMode policy. Setting it to "off" will ensure your users are not affected by DoH

  • FTP support will be removed in Chrome 81
    FTP will no longer be directly supported in Chrome 81. Your users should use a native FTP client instead. 

  • New Chrome UI for legacy TLS versions in Chrome 81
    The Chrome team recently announced updated plans for the deprecation of legacy TLS versions (TLS 1.0 and 1.1). In Chrome 81, we will mark sites that do not support TLS 1.2 and above with a full-page warning telling users that the connection is not fully secure. 

    If users have sites affected by these changes and need to opt out, you can use the SSLVersionMin policy to disable the security indicator and warning. To allow TLS 1.0 and later without additional warnings, set the policy to tls1. The SSLVersionMin policy will work until January 2021. More details are available in our blog post.

  • Shared clipboard between computers and Android devices in Chrome 82
    Users will have the option to share their clipboard content between their computers and Android devices. To share, they need to have Chrome Browser installed, be signed in on both devices with the same account, and have Chrome sync turned on. 

    The text is end-to-end encrypted, and Google can’t see the contents. You can control this feature using the SharedClipboardEnabled policy.

  • Changes to the ManagedBookmarks policy in Chrome 82
    The ManagedBookmarks policy will be subject to stricter verification in Chrome 82. On Android and Apple® macOS®, this policy might become invalid if any of "name", "toplevel_name", or "url" fields are not of type "string" as described by the policy.

  • Chrome apps deprecation in Chrome 83
    As announced in January, Chrome apps will be phased out and ultimately disabled by June 2022. Beginning in Chrome 81, new Chrome apps will no longer be accepted by the Chrome Web Store. Beginning in Chrome 83, Chrome will no longer support Chrome apps on Microsoft® Windows®, Apple® Mac®, and Linux®. If your organization needs extra time to adjust, a policy will be available to extend support until Chrome 87.

  • The ForceNetworkInProcess policy will no longer take effect in Chrome 84
    Chrome 73 introduced a change to move network activity into a separate process. We were aware of known incompatibilities with some third-party software that injected into Chrome's process, so the ForceNetworkInProcess policy was provided as a temporary stop-gap to revert to the old behavior. The transition period for this change will end in Chrome 84, and the policy will no longer have any effect.

Upcoming Chrome OS changes

  • Adding print server support for CUPS

    We’re working on a feature to add support for Common UNIX Printing System (CUPS) printing from print servers on Chrome OS. You and your users will be able to configure connections to external print servers and print from the printers on servers using CUPS.

  • Updates for USB devices with Linux

    From the Chrome shell (crosh), you’ll be able to attach a USB device to Linux apps running on a Chromebook so that Linux apps can access the Linux instance.

Upcoming Google Admin console changes

  • Chrome OS kiosk mode support for web apps

    In a future Chrome OS release, devices in kiosk mode will support Progressive Web Apps and websites. Support will include Auto-Launch App mode.

  • Android on Chrome OS kiosk mode
    In Chrome 81, you will no longer have access to set new policies for Android apps in kiosk mode. Existing policies for Android apps in kiosk mode will not be impacted and will be supported until June 2021.

 

Chrome 79

Chrome Browser updates

  • Drive integration in the address bar

    Rolling out in the coming weeks, users will be able to search for Google Drive files that they have access to from the address bar. Their input will search through both titles and document contents and the most relevant documents based on their history will appear.

    This behavior is on by default and can be controlled from the G Suite admin console or by individual users in their Chrome settings. You can see more details in this G Suite announcement.

  • HTTPS pages will only be able to load secure subresources, with changes from Chrome 79 to Chrome 81

    In Chrome 79, we’re introducing a new setting to unblock mixed content on specific sites. This setting will apply to mixed scripts, iframes, and other types of content that Chrome currently blocks by default. End users can switch this setting by clicking the lock icon on any https:// page and clicking Site Settings

    In Chrome 80, mixed audio and video resources will be auto-upgraded to https://, and Chrome will block them by default if they fail to load over https://. Users can unblock affected audio and video resources with the setting described above. Also in Chrome 80, mixed images will still be allowed to load, but they will cause Chrome to show a “Not Secure” chip in the omnibox.

    In Chrome 81, mixed images will be auto-upgraded to https://, and Chrome will block them by default if they fail to load over https://.

    The breaking changes coming in Chrome 80 and 81 will be controllable by enterprise policy.  Enterprise policies to control this feature will be StricterMixedContentTreatmentEnabled which disables autoupgrades for audio and video, and the warning for images, this one will be temporary and we'll remove it on Chrome 84. 

    InsecureContentAllowedForUrls/InsecureContentBlockedForUrls will control the setting described above. More information on these changes is available in the Chromium blog. Admins should begin ensuring that resources in pages under their control are fetched over HTTPS. Exceptions can be managed through policy. 

  • Better password and phishing protections in Chrome

    For more details on how these work, see this blog post.

    • Users warned if credentials are leaked: Starting in Chrome 79, we will notify users if their credentials are part of a known data breach. The system can detect this without sending plain-text passwords to Google. You will be able to enable or disable this feature for your users using the PasswordLeakDetectionEnabled policy. 

    • Realtime phishing detection: We'll also be offering enhanced protection against quick-changing sites, by inspecting page URLs with Safe Browsing's servers in real-time, resulting in a 30% increase in protections. We will initially be rolling out this protection for users who have already opted into the ‘Make searches and browsing better’ option in Chrome. Enterprises administrators can manage this setting directly using the UrlKeyedAnonymizedDataCollectionEnabled policy.

    • Expanding predictive phishing protection: With this latest release, we’re also expanding Chrome Safe Browsing’s predictive phishing protections to everyone signed in to Chrome, even if you have not enabled Sync. In addition, this feature will now work for all the passwords you have stored in Chrome’s password manager. This protection will not be enabled if your users are not signed into Chrome and have not enabled Chrome Password Manager. You could also choose to disable Chrome Safe Browsing using the SafeBrowsingEnabled policy. We discourage doing this as it will disable all built-in anti-abuse protections in Chrome.

  • CORS implementation is more secure  

    Chrome is modifying its Cross-Origin Resource Sharing (CORS) implementation to be more secure. As a result, the following changes will be introduced incrementally, starting on January 6th, 2020. This gradual rollout will happen over the following several weeks:

    • Extensions’ webRequest API—Before this change, extensions that have the webRequest permission could modify any network request headers and they would be ignored by the CORS protocol. However, in Chrome 79, the CORS protocol inspects modified headers and will trigger a CORS preflight request to the destination servers when the modified request doesn’t meet the SimpleRequest requirement. If enterprise users are using a Chrome extension that’s affected by this change, the extension author will need to update the extension to specify ‘extraHeaders’ in opt_extraInfoSpec, or update the server-side logic to accept the CORS requests correctly. See the Extensions API document for more details.

    • Headers injected by Chrome—Before this change, headers injected by Chrome for a particular enterprise policy didn't trigger the CORS protocol. However, in Chrome 79, this will trigger a CORS preflight request. Server implementations might need to be updated to handle CORS preflight requests.

    If you need extra time to adapt to this CORS migration, there are two enterprise policies available to you. These are temporary policies which will only be available until Chrome 82.

    • CorsLegacyModeEnabled—Enable the old CORS implementation, which is compatible with Chrome 78 and earlier versions. You can use this policy to opt-out of this gradual rollout.

    • CorsMitigationList—This policy sets the ‘extraHeaders’ in opt_extraInfoSpec internally so that any Extension that is not ready for this CORS migration can work without modifications. You can also specify customized headers that should be ignored by CORS checks.

    The OOR-CORS Troubleshooting page will help investigate incompatibility issues and customize these policies.

  • Trial of autoupgrade for DNS-over-HTTPS

    The DNS requests of some users will autoupgrade to their DNS provider’s DNS-over-HTTPS (DoH) service if available. During this trial, DoH will be disabled by default for managed devices running Chrome OS and for desktop Chrome Browser instances that are domain joined or have at least one active policy.

    You can disable DNS-over-HTTPS for your users with the DnsOverHttpsMode policy. Setting it to "off" will ensure your users are not affected by DoH.

  • Click-to-call

    Users are able to click on a phone number in Chrome to send it to their Android phone. To send the number, users need to have Chrome Browser installed and be signed in on both devices with the same account. The number is end-to-end encrypted and Google can’t see the contents. You can control this behavior with the ClickToCallEnabled enterprise policy.

  • Audio sandbox

    The audio service on Windows will be sandboxed in Chrome 79 for added security. We have seen incompatibilities with certain configurations of AppLocker in Chrome 77, although these have been fixed in Chrome 78. Other similar products might also have issues with the sandbox. If your users have issues with audio playing in Chrome 79, you can disable the audio sandbox using the AudioSandboxEnabled policy.

  • New Chrome UI for legacy TLS versions in Chrome 79 and Chrome 81

    The Chrome team recently announced our updated plans around our deprecation and planned removal of legacy TLS versions (TLS 1.0 and 1.1). Starting in January 2020 in Chrome 79, we will mark sites that do not support TLS >=1.2 as "Not Secure" and no longer show the lock icon for them.

    In Chrome 81, we will start showing a full-page interstitial warning telling users that the connection is not fully secure. 

    If enterprise users have sites affected by these changes and need to opt out, admins can use the existing SSLVersionMin policy to disable the security indicator and interstitial warning on all affected sites. Admins should set it to "tls1" to allow TLS 1.0 and later without additional warnings. This policy will work until January 2021. More details are available in our blog post.

  • New policy for controlling memory

    We’re introducing a new policy to give admins more control over Chrome's memory usage, which allows you to better manage shared virtual sessions. The TotalMemoryLimitMb policy configures the amount of memory that a single Chrome instance can use before starting to discard background tabs. When discarded, the memory used by the tab is freed, and the user will have to reload the tab when switching to it.

    If the policy is set, Chrome will begin to discard tabs to save memory once the user exceeds the limit. However, there is no guarantee that Chrome will always run under the limit—for example, the active tab is never discarded. Any value under 1,024 will be rounded up to 1,024. If this policy is not set, the browser will only attempt to save memory after it has detected that the amount of physical memory on its machine is low (available on Windows and Mac).

  • On Linux, server certificate verification will use the built-in certificate verifier instead of NSS

    Chrome on Linux will perform verification of server certificates using the built-in certificate verifier instead of NSS, starting in Chrome 79. The built-in verifier will still use the NSS trust store, so we expect that users won’t see this change. However there are some cases where differences might occur:

  • Certificates with invalid encodings: The built-in verifier is stricter about enforcing spec compliance and might reject some certificates that NSS allowed. This should not affect any publicly trusted certificates, but might affect enterprises with internal PKIs.

  • Directly trusted end-entity (leaf) certificates: The built-in verifier does not support directly marking server certificates as trusted; certificates must be issued by a CA that is trusted.

  • The verifier can be toggled using the BuiltinCertificateVerifierEnabled policy, allowing affected enterprises a chance to update their certificate infrastructure if they are affected by the transition. The policy will be supported through Chrome 82 on Linux to give enterprises sufficient time to update and test their infrastructure. Chrome OS switched to the built-in verifier in Chrome 77, and the policy will be supported on that platform through Chrome 80.

  • Chrome Browser Cloud Management Reporting Companion is no longer required

    The functionality previously provided by the "Chrome Cloud Management - Reporting Companion" extension has been integrated directly into Chrome. If you're using Chrome Browser Cloud Management, some of your users will no longer see this extension on your fleet when you enable reporting. It will be completely removed for all users in Chrome 80. No action is required from you or your users.

  • Chrome Renderer Integrity protects users

    Chrome Renderer Integrity is on by default for users on Microsoft® Windows® 10 version 1511 and later. It prevents unsigned modules from loading in Chrome Browser’s renderer processes that deal with user content to prevent certain types of malicious attacks.

    Chrome 78 enabled this feature, but it was rolled back due to unforeseen incompatibilities with other software. Those issues have been addressed, and this will be rolled out again in Chrome 79. Affected software and mitigations are listed in this support thread.

    To help with any incompatibilities, you can temporarily disable Chrome Renderer Integrity using the RendererCodeIntegrityEnabled policy.

Chrome OS updates

  • Continued improvements to Virtual Desks

    With Chrome 79, we are rolling out new improvements for virtual desktops, which are called Virtual Desks in Chrome OS. One improvement is when you open a link, it will always open on your current desk. This helps you keep your workspaces separated.

  • New Overview mode for tablets
    When in tablet mode, there's an updated Overview mode. It makes it easy to scroll through your open windows, and works well on smaller screens. For split screen, just long press on a window to drag it to the left or right side to start split screen. The new Overview is available in tablet mode only on slates, convertibles, and detachables.
  • Lock Screen Media Controls

    We are adding media controls to the Chrome OS lock screen. This will allow users to see what is playing and control playback while the device is locked.

  • Unified App Management for end users in Settings

    Basic settings and permissions of apps in Chrome OS can now be managed from the new App Management feature, available in Settings. 

  • Broader Crostini support for arbitrary ports on localhost

    Previously, web developers using Linux Beta (aka Crostini) could only access local servers in Chrome if they were running on a small number of whitelisted ports. This restriction has been lifted, and now it no longer matters what port the local server is using.

  • General PPD Attribute Support in CUPS

    Advanced printing features are now supported in print preview for native printers under “Advanced Settings”. This includes advanced finishing features like stapling, hole punch, paper tray selection, and many more! Please note, specific printing features will vary based on printer compatibility and how the printer is configured.

  • Printing Metrics API

    New printingMetrics API is now available for forced installed extensions to see a managed user’s print history when printing to a native printer. To learn more about the API, please visit the developer API page.

  • SAML default on for Enterprise

    Currently, SAML SSO is deactivated for Chromebooks by default. This means that if you are using a SAML provider your users are able to access their accounts and their G Suite services on any device other than a Chromebook. From January 2020, we will activate SAML SSO for Chromebooks of new accounts, meaning your users will no longer be restricted to non-Chrome OS devices.

  • Simplifying the Out of Box experience for Android apps

    Currently, Google Play is deactivated by default. When activated, the Managed mode, which allows you to restrict the apps that users can install, is selected by default. Starting on December 2, 2019, we activated Google Play by default in All Access Mode (for all managed accounts, except Education users). This means that enterprise users will be granted full access to the managed Google Play store; allowing them to search and install any app on their Chrome devices, including apps you haven’t approved. 

Admin Console updates

  • New managed guest session settings page rolling out soon

    The new managed guest session settings page is rolling out and will be available for all customers soon. The new page features a redesigned search interface, more information about policy inheritance, and a few new policies. 

  • Remote configuration of driverless printers
    Driverless printers are now supported from the Printer Management page in the Admin console. Administrators can now remotely configure printers that rely on auto discovery (using IPP to query the printer and set job attributes for the print job) to connect. Previously, only PPD based printers could be configured from the admin console.

  • Initiate remote desktop connection for kiosk devices from Admin console
    IT admins can now remotely initiate a Chrome Remote Desktop connection into a kiosk device and take control of the device for support and troubleshooting from the Device Details page in the Admin console.

New and updated policies (Chrome Browser and Chrome OS)

Policy Description
AudioSandboxEnabled
Browser Only
Allow the audio sandbox to run. If third-party software is interfering with Chrome's audio, setting this policy to false may resolve the issue.
ClickToCallEnabled Enable the Click to Call feature which allows users to send phone numbers from Chrome Desktops to an Android device when the user is Signed-in.
CorsLegacyModeEnabled Use the legacy CORS implementation rather than new CORS
CorsMitigationList Enable CORS check mitigations in the new CORS implementation
DefaultInsecureContentSetting Control use of insecure content exceptions
ExternalProtocolDialogShowAlwaysOpenCheckbox
Browser Only
Show an "Always open" checkbox in external protocol dialog
InsecureContentAllowedForUrls Allow insecure content on these sites
InsecureContentBlockedForUrls Block insecure content on these sites
LegacySameSiteCookieBehaviorEnabled Default legacy SameSite cookie behavior setting
LegacySameSiteCookieBehaviorEnabledForDomainList Revert to legacy SameSite behavior for cookies on these sites
SharedClipboardEnabled Enable the Shared Clipboard Feature
TLS13HardeningForLocalAnchorsEnabled Enable a TLS 1.3 security feature for local trust anchors
WebRtcLocalIpsAllowedUrls URLs for which local IPs are exposed in WebRTC ICE candidates

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • SyncTypesListDisabled policy in Chrome 80

    Chrome users have the ability to granularly enable or disable each type of sync data. In Chrome 80, this control will also be an enterprise policy, so that admins can control the sync types across their organization.

  • PaymentMethodQueryEnabled in Chrome 80

    We are working on an enterprise policy that allows you to set whether websites are allowed to check if your user has payment methods saved. If the setting is enabled or not set, then websites are allowed to check if the user has payment methods saved. If this policy is set to disabled, websites that use PaymentRequest.canMakePayment or PaymentRequest.hasEnrolledInstrument API will be informed that no payment methods are available.

  • Tab freezing on desktop in Chrome 80

    Chrome 80 will introduce a new feature to save memory, CPU, and battery for Windows, Mac, Linux, and Chrome OS. Tabs that have been in the background for 5 minutes or more will be frozen, as long as Chrome detects that they are freezable (such as not playing audio). Frozen pages are not able to run any tasks. Web developers can opt their pages out of freezing with an origin trial. You will be able to disable this behavior with the TabFreezingEnabled policy.

  • Pop-ups and synchronous XHR requests not allowed on page unload in Chrome 80

    Pop-ups and synchronous XHR requests won’t be allowed on page unload. This change will improve page load time and make code paths simpler and more reliable. If you encounter incompatibilities with legacy software, you will be able to revert to behavior matching Chrome 79 and earlier using the following policies, which will be available until Chrome 82:

  • FTP support will be removed in Chrome 80

    FTP won’t be directly supported in Chrome Browser. Your users should use a native FTP client instead. To help with the transition, you will be able to use the FTPProtocolSupport policy to temporarily re-enable FTP until Chrome 82.

  • Updates to cookies with SameSite in Chrome 80

    Starting in Chrome 80 on the Stable channel, cookies that don’t specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None. The attributes must also be marked Secure and delivered over HTTPS.

    This new behavior will also take effect in Chrome 79 on the Beta channel only. Because this change might be disruptive, we recommend you test critical sites on the Chrome 79 Beta channel, which will be available starting Oct. 31. See instructions for testing.

    You will be able to revert to the legacy cookie behavior using policies, starting in Chrome 79 in Beta. You can specify trusted domains using LegacySameSiteCookieBehaviorEnabledForDomainList or control the global default with LegacySameSiteCookieBehaviorEnabled. For more details, visit Cookie Legacy SameSite Policies.

  • Tab groups will be introduced in Chrome 80

    Starting in Chrome 80, some users will be able to organize their tabs by grouping them on the tab strip. Each group can have a color and a name, to help your users keep track of their different tasks and workflows. A wider rollout is planned for Chrome 81.

  • Web Components v0 removed in Chrome 80

    The Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were supported only by Chrome Browser. To ensure interoperability with other browsers, late last year, we announced that these v0 APIs were deprecated and will be removed in Chrome 80.  You can find more information in the Web Components update.

    If you need additional time to adjust to this removal, you will be able to use the WebComponentsV0Enabled policy to re-enable web components v0 for a limited time.

  • Policy to block external extensions in Chrome 80

    In Chrome 80, you will be able to use the BlockExternalExtensions enterprise policy to stop external extensions from being installed on your fleet. It will not block kiosk apps, or extensions provided by recommended policies.

  • TLS 1.3 hardening measure implemented in Chrome 81

    TLS 1.3 includes a hardening measure to strengthen the protocol’s protections against a downgrade to TLS 1.2 and earlier. This measure is backward compatible and doesn’t require that proxies support TLS 1.3. It only requires that proxies correctly implement TLS 1.2. However, last year, we had to partially disable this measure due to bugs in some noncompliant, TLS-terminating proxies.

    The following list contains the minimum firmware versions for affected products that we're aware of:

    Palo Alto Networks:

    • PAN-OS 8.1 must be upgraded to 8.1.4 or later.
    • PAN-OS 8.0 must be upgraded to 8.0.14 or later.
    • PAN-OS 7.1 must be upgraded to 7.1.21 or later.

    Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):

    • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later.
    • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later.
    • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later.

    Starting in Chrome 79, you will be able to opt in to the new measure to test it and confirm if your proxy is affected, using the TLS13HardeningForLocalAnchorsEnabled policy. If you encounter problems, you should upgrade affected proxies to fixed versions.

    Starting in Chrome 81, the new measure will become the default. However, you will be able to use the same policy to opt out if you need extra time to upgrade affected proxies. This proxy will be available until Chrome 86.

  • Shared clipboard between computers and Android devices in Chrome 81
    Users will have the option to share their clipboard content between their computers and Android devices. To share, they need to have Chrome Browser installed, be signed in on both devices with the same account, and have Chrome sync enabled. 

    The text is end-to-end encrypted, and Google can’t see the contents. This feature will be controllable with the SharedClipboardEnabled policy.

Upcoming Chrome OS changes

  • Adding print server support for CUPS

    We’re working on a feature to add support for Common UNIX Printing System (CUPS) printing from print servers on Chrome OS. You and your users will be able to configure connections to external print servers and print from the printers on servers using CUPS.

  • Updates for USB devices with Linux

    From the Chrome shell (crosh), you’ll be able to attach a USB device to Linux apps running on a Chromebook so that Linux apps can access the Linux instance.

Upcoming Google Admin console changes

  • Managed guest session support for managed Google Play

    A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

  • Update blackout windows
    The DeviceAutoUpdateTimeRestrictions policy will be in the Admin console. This policy allows admins to set time blocks when automatic update checks are not to be performed.  This policy only affects devices configured to auto-launch a kiosk app.

Chrome 78

Chrome Browser updates

  • Drive integration in the address bar

    Rolling out in the coming weeks, users will be able to search for Google Drive files that they have access to from the address bar. Their input will search through both titles and document contents and the most relevant documents based on their history will appear.


    This behavior is on by default and can be controlled with the "Google Drive search suggestions" setting in the G Suite admin console.

  • Flags are being cleaned up starting in Chrome 78

    Many flags in chrome://flags will be removed in upcoming Chrome versions, starting with Chrome 78. As a reminder, don’t use flags to configure Chrome Browser because they’re not supported. Instead, configure Chrome Browser for your enterprise or organization using policies.

  • Shared clipboard between computers and Android devices

    A limited number of users might see the option to share their clipboard content between their computers and Android devices. To share, they need to have Chrome installed, sign in on both devices with the same account, and enable Chrome Sync.

    The text is end-to-end encrypted, and Google can’t see the contents.

    This functionality will be released to all users in a future version of Chrome. In the full release, admins will be able to control it with an enterprise policy.

  • Forward a call from Chrome Browser to your Android device

    Users will now be able to highlight and right-click a phone number link in Chrome Browser and forward the call to their Android device.

  • Chrome Renderer Integrity protects users

    Chrome Renderer Integrity is on by default for users on Microsoft® Windows® 10 version 1511 and later. It prevents unsigned modules from loading in Chrome Browser’s renderer processes that deal with user content to prevent certain types of malicious attacks.

    Note: There is a known incompatibility between Chrome Renderer Integrity and old versions of Symantec® Endpoint Protection® (14.0.3929.1200 and earlier). We recommend updating to the latest version of Symantec Endpoint Protection (14.2 or later). For a download of the latest version or more details, refer to the Symantec documentation. To help with any incompatibilities, you can temporarily disable Chrome Renderer Integrity using the RendererCodeIntegrityEnabled policy.

  • Atomic policy groups introduced

    Some admins set policies from multiple sources, but need policies that are tightly coupled to all be set together. For example, you might want all of your extension management policies to be applied from the same source to ensure they're working together as planned.

    To achieve this, some policies have been regrouped based on atomic policy groups. You can enable atomic policy groups using PolicyAtomicGroupsEnabled. If you do, policies in a single group will all be forced to set their behavior from the same source—the one with the highest priority.

    You can see whether there are any conflicting policies from different sources at chrome://policy. If you have multiple policies in the same policy group from different sources, this feature will affect them. For more details, see Atomic Policy Groups and Understand Chrome policy management.

  • ExtensionAllowInsecureUpdates policy is no longer supported

    From Chrome 78, the policy to allow extensions to update using the previous CRX2 packaging will no longer work. All extensions will need to be packaged in the new CRX3 format to ensure secure delivery of updates to your browsers and devices.

  • Windows 8-specific welcome page removed

    We have removed the Windows 8-specific welcome page, along with support for the distribution.suppress_first_run_default_browser_prompt master_preferences setting. For more about master preferences, see Use master preferences for Chrome Browser.

  • Legacy Browser Support is integrated; the extension is no longer required

    We have integrated Legacy Browser Support functionality directly into Chrome. As a result, you no longer need the Legacy Browser Support extension and no further updates will be provided for the extension. Admins can deploy the integrated version of the Legacy Browser support policy and manage it either through GPO or Chrome Browser Cloud Management’s User Settings.

  • Update to Chrome 78

    On October 31, we communicated a known vulnerability in Chrome 78. This previous version of Chrome has now been updated to 78.0.3904.87, which resolves the issue. As always, you should ensure Chrome is updated and is running on an updated operating system.

Chrome OS updates

  • Virtual Desks

    Virtual Desks will arrive on Chrome OS in Chrome 78. Users can now create up to 4 separate work spaces to help them focus on a single project or quickly switching between multiple sets of windows. Users can create their first desk by opening Overview  and tapping New Desk.

  • Wake from sleep on USB attach for docking use cases

    Chromebook users in an office or home office environment often use some combination of peripherals along with a USB-C+Display docking station to work more productively.  This feature will make the transition from sleeping mode directly into a docked mode with external monitors smooth for the user, removing the requirement to wake by lid open.
  • Crostini backup & restore

    Users of Linux apps on a Chromebook can now easily back up all of their apps and files. The backup can be saved to their Chromebook’s local storage, an external drive, or Google Drive. They can then restore that backup on the same machine to return to a previous state or on a different machine to bring their whole workspace with them.

  • Crostini GPU support on by default

    Linux apps will now be able to use the GPU to provide a crisp, lower-latency experience.

  • Crostini IME/VK warning

    Linux apps do not yet support certain input methods (IMEs) or the virtual keyboard when in tablet mode. This feature will display a message warning if users if they try to use a Linux app with an unsupported input method or the virtual keyboard.

  • Files app Visual Signals UX update

    We have implemented visual improvements to the Files app progress center, moving the information from the lower left-hand corner to a feedback area in the main window of the app. If appropriate, Admins should update their internal support documentation to reflect the new UI.

  • Update printer setting landing page UI

    The printer settings page has been updated to streamline the printer setup experience. Users can now view available printers on the landing page and save printers (compatible with IPP/IPPS) with one click.

  • ChromeVox Dynamic Rich Text Output

    There is now an option in ChromeVox that supports the ability to announce text styling.  Users have the ability to enable and disable this feature through the ChromeVox Options page.

  • Chrome OS and Chrome Browser settings split

    Settings on Chrome OS now have a more native OS settings experience housed in the Settings app (available through App Launcher or Settings in the Quick Settings menu), with Chrome Browser settings available through More in the top-right corner of the app (or at chrome://settings in the address bar). If you block Chrome Browser settings by URL (chrome://settings), you might also want to block the new URL for Chrome OS settings (chrome://os-settings).

  • YouTube Picture in Picture on ARC++

    Picture in Picture (PiP) is now available with the YouTube Android app. This allows users to watch a video while doing other tasks, such as taking notes during a meeting.

New and updated policies (Chrome Browser and Chrome OS)

Policy Description
PasswordLeakDetectionEnabled Enable leak detection for entered credentials
PolicyAtomicGroupsEnabled Enables the concept of policy atomic groups
RendererCodeIntegrityEnabled
Windows Only
Enable Renderer Code Integrity
HSTSPolicyBypassList List of names that will bypass the HSTS policy check
AllowSyncXHRInPageDismissal Allows a page to perform synchronous XHR requests during page dismissal

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • Trial of autoupgrade for DNS-over-HTTPS in Chrome 79

    The DNS requests of some users will autoupgrade to their DNS provider’s DNS-over-HTTPS (DoH) service if available. During this trial, DoH will be disabled by default for managed devices running Chrome OS and for desktop Chrome Browser instances that are domain joined or have at least one active policy.

    You can disable DNS-over-HTTPS for your users with the DnsOverHttpsMode policy. Setting it to "off" will ensure your users are not affected by DoH.

  • Users warned if credentials are leaked in Chrome 79

    We will notify users if their credentials are part of a known data breach. The system can detect this without sending plain-text passwords to Google. You will be able to enable or disable this feature using the PasswordLeakDetectionEnabled policy.

  • New policy for controlling memory will be introduced in Chrome 79

    We’ll introduce a new policy to give admins more control over Chrome's memory usage. It configures the amount of memory that a single Chrome instance can use before starting to discard background tabs. When discarded, the memory used by the tab is freed, and the user will have to reload the tab when switching to it. If the policy is set, Chrome will begin to discard tabs to save memory once the user exceeds the limit. However, there is no guarantee that the browser is always running under the limit. (For example, the active tab is never discarded.) Any value under 2,048 will be rounded up to 2,048. If this policy is not set, the browser will only attempt to save memory after it has detected that the amount of physical memory on its machine is low (available on Windows and Mac).

  • Tab freezing will be introduced in Chrome 79 on the desktop

    Chrome 79 will introduce a new feature to save memory, CPU, and battery for Windows, Mac, Linux, and Chrome OS. Tabs that have been in the background for 5 minutes or more will be frozen, as long as Chrome detects that they are freezable (such as not playing audio). Frozen pages are not able to run any tasks. Web developers can opt their pages out of freezing with an origin trial.

    You will be able to disable this behavior with the TabFreezingEnabled policy.

  • New Chrome UI for legacy TLS versions in Chrome 79 and Chrome 81

    Chrome recently announced our updated plans around our deprecation and planned removal of legacy TLS versions (TLS 1.0 and 1.1). Starting on January 13, 2020 in Chrome 79, we will mark sites that use TLS 1.0 or 1.1 as "Not Secure" and no longer show the lock icon for them.

    In Chrome 81, we will start showing a full-page interstitial warning telling users that the connection is not fully secure.

    If enterprise users have sites affected by these changes and need to opt out, admins can use the existing SSLVersionMin policy to disable the security indicator and interstitial warning on all affected sites. Admins should set it to "tls1" to allow TLS 1.0 and later without additional warnings. This policy will work until January 2021.

  • CORS implementation will be more secure in Chrome 79

    We will switch CORS implementation to be more secure and strict. As a result, the following behavior changes will be introduced:

    Behavior changes on Extensions’ webRequest API — Before this change, extensions that have the webRequest permission can modify any network request headers and they’re ignored by CORS protocol. But after Chrome 79, the CORS protocol inspects modified headers and will trigger CORS preflight request to the destination servers when the modified request doesn’t meet the SimpleRequest requirement. Response header modifications also couldn’t deceive the CORS checks. Additionally, webRequest API will stop seeing Origin header. Extensions can specify ‘extraHeaders’ in opt_extraInfoSpec to keep the original behaviors. If enterprise users are using a Chrome extension that’s affected by this change, one of the following changes will need to be made:

    • Ask the Extension author to upgrade the extension to specify ‘extraHeaders’ in opt_extraInfoSpec.

    • Update the server-side logic to accept the CORS requests correctly. See the Extensions API document for more details.

    Behavior changes for headers injected by Chrome — Before this change, headers injected by Chrome for a particular enterprise policy didn't trigger the CORS protocol. But after this change, it will start to be verified by the CORS protocol and will trigger CORS preflight requests. Server implementations might need to be updated to handle CORS preflight requests.

  • Shared clipboard between computers and Android devices in Chrome 79

    Users will have the option to share their clipboard content between their computers and Android devices. To share, they need to have Chrome Browser installed, be signed in on both devices with the same account, and have Chrome sync enabled.

    The text is end-to-end encrypted, and Google can’t see the contents. This feature will be controllable with an enterprise policy.

  • Audio sandbox in Chrome 79

    The audio service on Windows will be sandboxed in Chrome 79 for added security. We have seen incompatibilities with certain configurations of AppLocker in Chrome 77, although these have been fixed in Chrome 78. Other similar products might also have issues with the sandbox. If your users have issues with audio playing in Chrome 79, you can disable the audio sandbox with the AudioSandboxEnabled policy.

  • HTTPS pages will only be able to load secure subresources, with changes from Chrome 79 to Chrome 81

    In Chrome 79, we’ll introduce a new setting to unblock mixed content on specific sites. This setting will apply to mixed scripts, iframes, and other types of content that Chrome currently blocks by default. Users can switch this setting by clicking Lockon any https:// page and clicking Site Settings.

    In Chrome 80, mixed audio and video resources will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Users can unblock affected audio and video resources with the setting described above. Also in Chrome 80, mixed images will still be allowed to load, but they will cause Chrome to show a “Not Secure” chip in the omnibox.

    In Chrome 81, mixed images will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://.

    More information on these changes is available in the Chromium blog.

  • On Linux, server certificate verification will use the built-in certificate verifier instead of NSS, starting in Chrome 79

    Chrome on Linux will perform verification of server certificates using the built-in certificate verifier instead of NSS, starting in Chrome 79.  The built-in verifier will still use the NSS trust store, so we expect that users won’t see this change change. However there are some cases where differences might occur:

    • Certificates with invalid encodings: The built-in verifier is stricter about enforcing spec compliance and might reject some certificates that NSS allowed. This should not affect any publicly trusted certificates, but might affect enterprises with internal PKIs.
    • Directly trusted end-entity (leaf) certificates: The built-in verifier does not support directly marking server certificates as trusted; certificates must be issued by a CA that is trusted.
    The verifier can be toggled using the BuiltinCertificateVerifierEnabled enterprise policy, allowing affected enterprises a chance to update their certificate infrastructure if they are affected by the transition. The policy will be supported through Chrome 82 on Linux to give enterprises sufficient time to update and test their infrastructure. Chrome OS switched to the built-in verifier in Chrome 77, and the policy will be supported on that platform through Chrome 80.
  • Ambient authentication disabled by default in Incognito mode in Chrome 80

    Ambient authentication (NTLM/Kerberos) will be disabled by default in Incognito mode. You will be able to use a policy to revert to the old behavior and allow ambient authentication.

  • Pop-ups and synchronous XHR requests not allowed on page unload in Chrome 80

    Note: These changes were originally planned for Chrome 78.

    Pop-ups and synchronous XHR requests won’t be allowed on page unload. This change will improve page load time and make code paths simpler and more reliable. If you encounter incompatibilities with legacy software, you will be able to revert to behavior matching Chrome 79 and earlier using the following policies, which will be available until Chrome 82:

  • FTP support will be removed in Chrome 80

    FTP won’t be directly supported in Chrome Browser. Your users should use a native FTP client instead. To help with the transition, you will be able to use the FTPProtocolSupport policy to temporarily re-enable FTP until Chrome 82.

  • TLS 1.3 hardening measure implemented in Chrome 81

    TLS 1.3 includes a hardening measure to strengthen the protocol’s protections against a downgrade to TLS 1.2 and earlier. This measure is backward-compatible and does not require that proxies support TLS 1.3. It only requires that proxies correctly implement TLS 1.2. However, last year, we had to partially disable this measure due to bugs in some non-compliant, TLS-terminating proxies.

    The following list contains the minimum firmware versions for affected products that we're aware of:

    Palo Alto Networks:

    • PAN-OS 8.1 must be upgraded to 8.1.4 or later
    • PAN-OS 8.0 must be upgraded to 8.0.14 or later
    • PAN-OS 7.1 must be upgraded to 7.1.21 or later

    Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):
    • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later
    • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later
    • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later
       

    Starting in Chrome 79, you will be able to opt in to the new measure to test it and confirm if your proxy is affected, using the TLS13HardeningForLocalAnchorsEnabled policy. If you encounter problems, you should upgrade affected proxies to fixed versions.

    Starting in Chrome 81, the new measure will become the default. However, you will be able to use the same policy to opt out if you need extra time to upgrade affected proxies. This proxy will be available until Chrome 86.

  • Updates to cookies with SameSite in Chrome 80

    Starting in Chrome 80 on the Stable channel, cookies that don't specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None. The attributes must also be marked Secure and delivered over HTTPS.

    This new behavior will also take effect in Chrome 79 on the Beta channel only. Because this change might be disruptive, we recommend you test critical sites on the Chrome 79 Beta channel, which will be available starting Oct. 31. See instructions for testing.

    You will be able to revert to the legacy cookie behavior using policies, starting in Chrome 79 in Beta. You can specify trusted domains using LegacySameSiteCookieBehaviorEnabledForDomainList or control the global default with LegacySameSiteCookieBehaviorEnabled. For more details, visit Cookie Legacy SameSite Policies.

  • Tab groups will be introduced in Chrome 80

    Users will be able to organize their tabs by grouping them on the tab strip. Groups can have colors and names. They’ll help your users keep track of their different tasks and workflows.

  • Web Components v0 removed in Chrome 80

    The Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were supported only by Chrome Browser. To ensure interoperability with other browsers, late last year, we announced that these v0 APIs were deprecated and will be removed in Chrome 80. You can find more information in the Web Components update.

Upcoming Chrome OS changes

  • Adding print server support for CUPS

    We’re working on a feature to add support for Common UNIX Printing System (CUPS) printing from print servers on Chrome OS. You and your users will be able to configure connections to external print servers and print from the printers on servers using CUPS.

  • Updates for USB devices with Linux

    From the Chrome shell (crosh), you’ll be able to attach a USB device to Linux apps running on a Chromebook so that Linux apps can access the Linux instance.

Upcoming Google Admin console changes

  • Managed guest session support for managed Google Play

    A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

    Device host name in DHCP requests

    You will be able to configure the device host name used during DHCP requests, including variable substitutions for ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, and ${MACHINE_NAME}.

Chrome 77

Admin console updates

  • Faster and simpler Admin console for Chrome Enterprise

    We’ve rolled out a major redesign of the Google Admin console for Chrome Enterprise administrators.  Expect to see improvements in page load times, a new unified app-management page for managing Android, Chrome, and web apps together, and many new policies. For details, see the Admin Insider blog.

  • Prevent password reuse

    In the Admin console, you can now specify the URL where users are redirected to change their password if they reuse it on a non-whitelisted website or are a victim of phishing. If this policy is unset, users are directed to their Google Account sign-in page to change their password. For details, see Prevent password reuse and read more in our white paper.

  • New default policies for printing (CUPS)

    New native print policies help you manage your users’ printing options more closely—set defaults and restrictions on duplex and color.

  • Unified native printer management (CUPS)

    Use a new interface for managing thousands of native (CUPS-based) printers for users, devices, and managed guests. The 20-printer maximum cap has been raised to allow for thousands of printers for each organizational unit in the Google Admin console. Support has also been extended beyond user policy to include device and managed guest policy.

Chrome Browser updates

  • Site isolation improvements

    Chrome Browser now protects cross-site data, such as cookies and HTTP resources, in attacker-controlled websites. Site isolation works even if an attacker finds a bug in an untrusted renderer process and tries to execute arbitrary code in it.

    Site isolation will also now be enabled on some Android devices to protect websites and data where mobile users enter passwords.

  • Legacy Browser Support updates

    You can now define the URL of an XML file that will never trigger a browser switch using the BrowserSwitcherExternalGreylistUrl policy with Legacy Browser Support. You can also use the new chrome://browser-switch/internals page to verify that Legacy Browser Support rules are being followed. Please try it out and send feedback.

  • The First Run Experience has been updated

    Chrome Browser now has a new flow to welcome users, get them set up with popular Google services, and set a default web browser. You can disable the new flow with the PromotionalTabsEnabled policy.

  • Launch guest browsing by default

    You can now immediately launch Chrome Browser in guest browsing mode using the --guest command line flag or the new BrowserGuestModeEnforced policy. With guest browsing, browsing activity is not written to the disk and does not persist between browser sessions.

Chrome OS updates

  • More secure built-in certificate verifier

    Updates to the certificate verifier now provide better isolation of trust settings between different contexts. Users with valid certificates should not have any issues. In rare instances, the legacy Network Security Services (NSS) implementation tolerated some classes of invalid certificates which are now no longer tolerated. You can issue new, valid certificates or contact Chrome Enterprise support for help. 

  • User account and file name in IPP Header

    If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header over a secure IPPS connection. This added functionality will provide additional information about a print job that enables third-party printing features, such as secure printing and print-usage tracking. 

  • Automatic shutdown after extended standby

    With Linux kernel 4.4 and later, devices will automatically go from standby to shutdown after 3 days to increase battery life. To find the kernel version, go to chrome://system and search for uname. The kernel version is the first set of digits. 

  • HD copy-protected content support for ARC++ apps

    In Android apps, you can now play high-definition (HD) copy protected HDMI 1.4 content. This update is useful for externally connected displays, such as televisions. 

  • Volume control based on orientation for convertibles

    On devices running Chrome OS, the volume button on the top or right will always increase the volume, whether the device is in laptop mode or tablet mode. 

  • Chromebook accessibility enhancements with Automatic Clicks

    Automatic Clicks remove the need to physically click the touchpad or mouse. Instead, you can point to an  item and the Chromebook will click, right-click, left-click, or drag for you after a certain amount of time. With Chrome 77, you can now point to an item and the device will automatically scroll up, down, left, or right. For details, see Turn on Chromebook accessibility features

  • Enhanced formatting support of external drives

    When formatting a FAT32, exFAT, or NTFS external drive, users will now be able to pick a file system and label for their drive. 

  • Chrome OS file selector now the default for Android apps

    For a consistent user experience, Android apps now open the Chrome OS file selector. This change provides a consistent file-selection experience across apps. 

New and updated policies (Chrome Browser and Chrome OS)

Policy Description
BrowserGuestModeEnforced Enforces guest browsing mode when a user launches Chrome Browser
SafeBrowsingRealTimeLookupEnabled Checks Safe Browsing reputation of visited URLs in real time
UserFeedbackAllowed Allows users to send feedback to Google

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • G Suite add-ons and extensions moving to G Suite Marketplace

    In the coming weeks, all G Suite apps and extensions will be moved from the Chrome Web Store to the G Suite Marketplace. Developers need to migrate their unmigrated add-ons so that new users can install them. Existing users can continue to use unmigrated add-ons. However, if they uninstall Google Docs Editor add-ons or Google Drive apps, they will not be able to reinstall them. And, if an existing user creates a template with one of the add-ons, users who do not already have the add-on installed will not be able to use the add-on in the template. Have your developers review the background and what they need to do. To check whether an add-on has been migrated, search for it in the G Suite Marketplace. For details on the move to the G Suite Marketplace, see the Google Cloud blog.

  • ExtensionAllowInsecureUpdates policy will stop working in Chrome 78

    The policy to allow extensions to update using the previous CRX2 packaging will stop working in Chrome 78, as previously communicated. In Chrome 78, all extensions must be repackaged into the new CRX3 format to ensure secure delivery of updates to your browsers and devices. 

  • Trial of auto-upgrade for DoH in Chrome 78

    Starting in Chrome 78, the DNS requests of some users will auto-upgrade to their DNS provider’s DNS-over-HTTPS (DoH) service if available. DoH will be disabled by default for managed devices running Chrome OS and for desktop Chrome Browser instances that are domain joined or have at least one active policy. A new group policy, DnsOverHttpsMode, will also be available. Setting it to "off" will ensure users are not affected by DoH.

  • Pop-ups and synchronous XHR requests not allowed on page unload in Chrome 78

    Starting in Chrome 78, pop-ups and synchronous XHR requests will not be allowed on page unload. This change will improve page load time and make code paths simpler and more reliable. While disruption is expected to be minimal, you will be able to revert to behavior matching Chrome 77 and below using the following policies, which will be available until Chrome 82:

  • Flags will be cleaned up starting in Chrome 78

    Many flags in chrome://flags will be removed in upcoming Chrome versions, starting with Chrome 78. As a reminder, flags should not be used to configure Chrome Browser because they’re not supported. Instead, configure Chrome Browser for your enterprise or organization using policies.

  • Atomic policy groups introduced in Chrome 78

    To ensure predictable behavior from policies that are tightly coupled together, some policies will be regrouped based on atomic policy groups. If you enable atomic policy groups,  policies in a single group will all be forced to set their behavior from the same source—the one with the highest priority.

    If you set policies from multiple sources, such as the Admin console and the Group Policy Management Editor, you will be able to enable atomic policy groups in Chrome 78. You can also see if there are any conflicting policies at chrome://policy. If you have multiple policies in the same policy group from different sources, they will be affected by this change. For more details, see Atomic Policy Groups and Understand Chrome policy management.

  • Users warned if credentials are leaked in Chrome 78

    Beginning in Chrome 78, users will be notified if their credentials are part of a known data breach. This detection occurs without plain-text passwords being sent to Google. You will be able to enable or disable this feature using the PasswordLeakDetectionEnabled policy.

  • Chrome Renderer Integrity to protect users in Chrome 78

    In Chrome 78, Chrome Renderer Integrity will be enabled by default for users on Microsoft® Windows® 10 version 1511 and later. It prevents loading of unsigned modules in Chrome Browser’s renderer processes that deal with user content to prevent certain types of malicious attacks.

    Note: There is a known incompatibility between Chrome Renderer Integrity and old versions of Symantec® Endpoint Protection® (14.0.3929.1200 and below). We recommend updating to the latest version of Symantec Endpoint Protection (14.2 or above). For a download of the latest version or more details, refer to the Symantec documentation. To help with any incompatibilities, you can temporarily disable Chrome Renderer Integrity.

  • Send a call from Chrome Browser to your Android device in Chrome 78

    In Chrome 78, users will be able to highlight and right-click a phone number link in Chrome Browser and send the call to their Android device.

  • Windows 8-specific welcome page removed in Chrome 78

    The Windows 8-specific welcome page will be removed in Chrome 78. Support for the distribution.suppress_first_run_default_browser_prompt master_preferences setting will be removed as well. For more about master preferences, see Use master preferences for Chrome Browser.

  • Ambient authentication disabled by default in Incognito mode in Chrome 79

    Starting in Chrome 79, ambient authentication (NTLM/Kerberos) will be disabled by default in Incognito mode. You will be able to use a policy to revert to the old behavior and allow ambient authentication.

  • FTP support removed in Chrome 80

    Beginning in Chrome 80,  FTP will not be directly supported in Chrome Browser. Your users should use a native FTP client instead. To help with the transition, you will be able to use the FTPProtocolSupport policy to temporarily re-enable FTP until Chrome 82.

  • TLS 1.3 hardening measure implemented in Chrome 80

    TLS 1.3 includes a hardening measure to strengthen the protocol’s protections against a downgrade to TLS 1.2 and earlier. This measure is backward-compatible and does not require that proxies support TLS 1.3. It only requires that proxies correctly implement TLS 1.2. However, last year, we had to partially disable this measure due to bugs in some non-compliant, TLS-terminating proxies.

    Starting in Chrome 78, you will be able to opt in to the new measure to test it and confirm if your proxy is affected. The following list contains the minimum firmware versions for affected products that we're aware of:

    Palo Alto Networks:

    • PAN-OS 8.1 must be upgraded to 8.1.4 or later
    • PAN-OS 8.0 must be upgraded to 8.0.14 or later
    • PAN-OS 7.1 must be upgraded to 7.1.21 or later

    Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):
     
    • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later
    • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later
    • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later


    You should upgrade affected proxies to fixed versions.

    Starting in Chrome 80, the new measure will become the default. However, you  can use a policy to opt out if you need extra time to upgrade affected proxies.

  • Updates to cookies with SameSite in Chrome 80

    Starting in Chrome 80, cookies that do not specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None. The attributes must also be marked Secure and delivered over HTTPS. We will provide policies if you need to configure Chrome Browser to temporarily revert to legacy SameSite behavior.

  • Web Components v0 removed in Chrome 80

    The Web Components v0 APIs (Shadow DOM v0, Custom Elements v0, and HTML Imports) were supported only by Chrome Browser. To ensure interoperability with other browsers, late last year, we announced that these v0 APIs were deprecated and will be removed in Chrome 80. You can find more information in the Web Components update.

  • Drive integration in the address bar

    In the future, users will be able to search for Google Drive files that they have access to from the address bar. If you have G Suite Business, Enterprise, or Enterprise for Education, you can apply for the beta program. For more details and to apply, see Search Google Drive files in Chrome URL bar BETA.

 

Upcoming Chrome OS changes

  • Chrome OS and Chrome Browser settings split in Chrome 78

    Starting in Chrome 78, Chrome OS settings will be in a new window and use a new URL that’s separate from Chrome Browser settings. If you block Chrome Browser settings by URL (chrome://settings), you might also want to block the new URL for Chrome OS settings, which is chrome://os-settings.

  • Adding print server support for CUPS

    We’re working on a feature to add support for Common UNIX Printing System (CUPS) printing from print servers on Chrome OS. You and your users will be able to configure connections to external print servers and print from the printers on servers using CUPS.

  • Updates for USB devices with Linux

    From the Chrome shell (crosh), you’ll be able to attach a USB device to Linux apps running on a Chromebook so that Linux apps can access the Linux instance.

Upcoming Google Admin console changes

  • Managed guest session support for managed Google Play

    A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

  • Device host name in DHCP requests

    You will be able to configure the device host name used during DHCP requests, including variable substitutions for ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, and ${MACHINE_NAME}.​

Chrome 76

Chrome Browser updates

  • Flash blocked by default in Chrome 76

    As communicated in the Chromium Flash Roadmap, Adobe® Flash® will be blocked by default in Chrome 76. Administrators can manually switch back to ASK ("Dialog to Ask first before running Flash") before running Flash. This change won’t impact existing policy settings for Flash. IT admins can still control Flash behavior using DefaultPluginsSetting, PluginsAllowedForUrls, and PluginsBlockedForUrls. For more details, see the Flash Roadmap.

  • All privately hosted extensions must be packaged with CRX3 format in Chrome 76.

    This change was originally planned for Chrome 75, but we delayed it to Chrome 76 to allow more time for customer transition. It was originally announced in the Chrome 68 release notes.

    CRX2 uses SHA1 to secure updates to a Chrome extension. Breaking SHA1 is technically possible, which allows attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

    Starting with Chrome 76, all force-installed extensions will need to be packaged in the CRX3 format. For details on temporarily enabling CRX2, see ExtensionAllowInsecureUpdates. This policy is only meant to provide extra time to repackage extensions, and will stop working in Chrome 78. For the CRX2 deprecation timeline, see Chromium.

    Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions or third-party extensions hosted outside of the Chrome Web Store that are packaged in CRX2 format, the extensions will stop updating in Chrome 76 and new installations of the extension will fail. 

  • A new page for documenting enterprise policies is available

    Chrome's policies are now listed on a new Chrome Enterprise policy list. This documentation allows you to filter by platform and Chrome version to see which policies are available for your fleet.

    Chrome Enterprise policy list
     

  • A new layout engine is being used

    LayoutNG is a new layout engine with several improvements such as:

    • Improved performance isolation
    • Better support for scripts other than Latin
    • Many issues around floats and margins fixed
    • Numerous web-compatibility issues fixed

    Although the impact to the user should be minimal, LayoutNG changes some behavior in very subtle ways, fixes hundreds of tests, and improves compatibility with other browsers. Despite our best efforts, it is likely that this will cause some sites and applications to render or behave slightly differently.

    If you suspect that WNG caused a website to break, please file a bug report, and we'll investigate.

  • Site isolation enforced in Chrome 76

    In Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out if users encountered an issue. We’ve resolved the reported issues. Starting with Chrome 76, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms (including Chrome OS). On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

  • --disable-infobars is no longer supported

    Chrome will no longer support the --disable-infobars flag, which was used to hide pop-up warnings from Chrome Browser. To support automated testing, kiosks, and automation, the CommandLineFlagSecurityWarningsEnabled policy was added to allow you to disable some security warnings.

  • Policies with a dictionary value type can be merged 

    In Chrome 76, you can merge policies that take a dictionary of values set from multiple sources, including the cloud and by platform and Active Directory. Without this policy, if different sources conflict, only the dictionary from the highest priority source will have an effect. For details, see PolicyDictionaryMultipleSourceMergeList.

  • Legacy Browser Support has been improved
    A new page at chrome://browser-switch/internals makes it easier to debug and troubleshoot Legacy Browser Support. We also fixed a bug where LBS wouldn't switch during the first minute of a browser session (when using XML site lists).

  • New version of the On-Prem Chrome Reporting Extension
    Version 2.0 of the Chrome Reporting Extension will soon ship in the Chrome Web Store. Download the corresponding native component MSI.

    If you have user browsing data reporting turned on, you will start seeing a new piece of data for each visited site: "legacy_technologies." It’s an array of strings that will initially contain one value, "Flash." This means this site requires Adobe Flash and might soon stop working correctly (see paragraph above). Future releases will list other obsolete web technologies such as Java Applets, Silverlight, and more.

    The output file has changed from a single file called chrome_reporting_log.json to a daily rotated file with file name in the format chrome_reporting_log_YYYY_MM_DD.json. This will make it simpler to manage the disk usage of the application and clear obsolete data.

  • “https” scheme and “www” subdomain will be hidden

    To make URLs easier to read and understand, and to remove distractions from the registrable domain, we will hide URL components that are irrelevant to most Chrome users. We will hide the “https” scheme and the special-case subdomain “www” in Chrome omnibox on Chrome desktop and Chrome-on-Android. After the site loads, the full URL can still be revealed by clicking twice in the URL bar (desktop) or tapping once (mobile).

    The Chrome team has also worked to build a Chrome extension to help power users recognize suspicious sites and report them to Safe Browsing. Power users can use this extension to display the full URL with no scheme or subdomain hiding, and report suspicious sites to Safe Browsing.

Chrome OS updates

  • Enhancements to automatic clicks accessibility feature

    Chromebooks have had a feature called Automatic clicks in accessibility settings for years, which has given users with motor and dexterity challenges the ability to hover over an item and have Chrome OS click it (without pressing the touchpad or mouse). In Chrome OS version 76, we have expanded this feature to not only be able to click, but also right-click, double-click, and click and drag by simply hovering. 

  • Built-in FIDO security key is now supported

    In this release, most latest-generation Chromebooks will gain support for built-in FIDO security keys backed by the Titan M chip. This feature is disabled by default, but an admin can enable the built-in security key by changing the Chrome OS policy called DeviceSecondFactorAuthentication to U2F.

  • Account consistency between the Chrome content area and the ARC++ container

    We are rolling out a single sign-on experience for Chrome and Android applications on Chrome OS over several weeks, beginning August 21, 2019, to simplify user management of Google Accounts on Chrome OS. We added a new section to Settings: "Google Accounts."

    From here, a user can manage all signed-in Google Accounts. This includes reauthenticating or removing some secondary accounts and adding others. Attempts to add secondary accounts from Chrome or ARC++ will be redirected to this unified flow. Users that previously had a secondary account signed in to Chrome or ARC++ will need to reauthenticate following the update, which will add their account to Account Manager.

Admin console updates

  • Updates to the Chrome device list and device details
    • Search and filter devices and organizational units directly from the device list.
    • Customize your preferred view with auto-update expiration date, Chrome OS version, and device model.
    • Long-running tasks such as screenshot, log capture, and reboot will now complete in the background, so you don’t need to wait for them

New and updated policies (Chrome Browser and Chrome OS)

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Policy Description
BrowserSwitcherExternalGreylistUrl
Browser only
Chrome 77+
URL of an XML file that contains URLs that should never trigger a browser switch
CommandLineFlagSecurityWarningsEnabled
Browser only
Enable security warnings for command-line flags
PolicyDictionaryMultipleSourceMergeList  Allows the selected policies to be merged when they come from different sources, with the same scopes and level

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • Flags will be cleaned up from chrome://flags, starting in Chrome 77

    Many flags in chrome://flags will be removed in upcoming Chrome versions, starting with Chrome 77. You shouldn’t use flags to configure Chrome Browser because they’re not supported. Instead, configure Chrome Browser for your enterprise or organization using policies.

  • Atomic policy groups will be introduced in Chrome 77

    To ensure predictable behavior from policies that are tightly coupled together, some policies will be regrouped based on atomic policy groups. These groups ensure that all applied policies from a single group come from the same source—the one with the highest priority—to prevent unpredictable behavior when mixing policies from multiple sources. The order of precedence for Chrome Policies is documented here

    This may be a breaking change if you set GPOs from multiple sources (e.g. the Admin Console and via Windows Group Policy). You can check if any GPOs are in conflict by visiting chrome://policy in Chrome browser. If you have multiple policies in the same policy group from different sources, update your policies to ensure that all policies in a given policy group come from the same source.

  • The First Run Experience will be updated in Chrome 77

    Chrome 77 will no longer show the single page welcome. It will instead have a new flow to welcome users, get them set up with popular Google services, and set a default web browser. The same policy that was used to disable the previous First Run Experience can be used to disable the new flow: PromotionalTabsEnabled

  • It will be possible to make guest browsing the default in Chrome 77

    You will be able to set Chrome to launch immediately into guest mode by using a --guest command line flag or a new policy called BrowserGuestModeEnforced. In this mode, your users won't see or change any other Chrome profile. When they exit guest browsing, their browsing activity is deleted from the computer.

  • Merge policies with dictionary of values in Chrome 76

    In Chrome 76, you can merge policies that take a dictionary of values set from multiple sources, including the cloud and by platform and Microsoft® Active Directory®. Without this policy, if different sources conflict, only one dictionary will have an effect. For details, see PolicyDictionaryMultipleSourceMergeList.

  • Experiment for DNS-over-HTTPS (DoH) in Chrome 78

    Starting in Chrome 78, the DNS requests of some users will autoupgrade to DNS-over-HTTPS if they are using a DNS provider that supports it. This is part of ongoing work to bring secure DNS options to Chrome. Individual users can opt out by disabling this experiment at chrome://flags. Admins can opt out their enterprise from this experiment by policy. Instructions will be provided in a future Chromium blog post and release notes.

  • Pop-ups and synchronous XHR requests will not be allowed in Chrome 78

    Starting in Chrome 78, pop-ups and synchronous XHR requests will not be allowed on page unload to improve page load time and make code paths simpler and more reliable. Admins will be able to revert to the old behavior using enterprise policies, which will be available until Chrome 82.

  • Ambient authentication will be disabled by default in Incognito sessions in Chrome 79
    Starting in Chrome 79, ambient authentication (NTLM/Kerberos) will be disabled by default in Incognito sessions. Admins will be able to revert to the old behavior, allowing ambient authentication using an enterprise policy.

  • Cookies with SameSite by default, and Secure SameSite=None cookies in Chrome 80
    Starting in Chrome 80, cookies that do not specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None. They must also be marked Secure and delivered over HTTPS. Policies will be made available for enterprises that need to configure Chrome to temporarily revert to legacy SameSite behavior.

  • Drive integration in the address bar

    Soon, users will be able to search for Google Drive files that they have access to from the address bar. If you have G Suite Business, Enterprise, or Enterprise for Education, you can apply for the beta program.

    Drive search in address bar

 

  • Extension User Data Policy Updated
    As part of Project Strobe, Google is updating its User Data Policy, and these changes go into effect starting October 15, 2019. For more information, see the blog post.

    • We’re requiring extensions to only request access to the least amount of data. While this has previously been encouraged for developers, now we’re making this a requirement for all extensions.
    • We’re requiring more extensions to post privacy policies, including extensions that handle personal communications and user-provided content. Our policies have previously required any extension that handles personal and sensitive user data to post a privacy policy and handle that data securely. Now, we’re expanding this category to include extensions that handle user-provided content and personal communications. Of course, extensions must continue to be transparent in how they handle user data, disclosing the collection, use and sharing of that data.

Upcoming Chrome OS changes

  • New certificate verification engine and fallback enterprise policy

    Chrome 76 will start rolling out a new certificate verifier. For a few versions, we will provide an enterprise policy that will allow deployments to fall back on the legacy certificate verifier in case of certificate verification regressions or incompatibilities. We will provide more information about this feature in the Chrome 76 release notes.

  • Adding print server support for CUPS

    We’re working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. You and your users will be able to configure connections to external print servers and print from the printers on these servers.

  • User account and file name in IPP Header in Chrome 77

    If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about a print job that enables third-party printing features, such as secure printing and print-usage tracking.

  • Linux apps USB devices

    From the Chrome Shell (crosh), you’ll be able to attach a USB device to Linux applications running on a Chromebook, so that Linux apps can access the Linux instance.

Upcoming Admin console changes

  • Remove 20-printer limit for CUPS print management (device settings)

    The 20-printer maximum cap will be raised to allow for thousands of printers for each organizational unit in the Google Admin console. If you’re interested in testing this new feature, sign up for our Trusted Tester program.

  • New default policies for printing (CUPS)

    There will be new controls for you to manage 2-sided and color printing.

  • Managed guest session support for managed Google Play

    A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

  • Device host name in DHCP requests
    You will be able to configure the device host name used during DHCP requests, including variable substitutions for ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, ${MACHINE_NAME}.

Chrome 75

Chrome Browser updates

  • All privately-hosted extensions must be packaged with CRX3 format in Chrome 76. 

    This change was originally planned for Chrome 75 but it’s now scheduled for Chrome 76 to allow more time for customer transition. It was originally announced in the Chrome 68 release notes.

    CRX2 uses SHA1 to secure updates to a Chrome extension. Breaking SHA1 is technically possible, which allows attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

    Starting with Chrome 76, all force-installed extensions will need to be packaged in the CRX3 format. For details on temporarily enabling CRX2, see ExtensionAllowInsecureUpdates. For the CRX2 deprecation timeline, see Chromium.

    Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions or third-party extensions hosted outside of the Chrome Web Store that are packaged in CRX2 format, the extensions will stop updating in Chrome 76 and new installations of the extension will fail. 

  • Roll back to Chrome 72 or later on Windows

    Chrome 75 on Microsoft® Windows® will allow administrators to roll back to Chrome 72 or a later version.

    To make sure that users are protected by the latest security updates, we recommend that users are on the latest version of Chrome Browser. Running earlier versions of Chrome Browser exposes your users to known security issues. Before using this policy, see Roll back Chrome Browser to a previous version for important information about preserving user data.

  • Use policy to remove extensions (rather than just disable)

    Starting in Chrome 75, extensions can now be removed by modifying the installation_mode setting in the Extension Settings policy and setting the "removed" flag. For details, see Chromium

  • PacHttpsUrlStrippingEnabled policy removed

    As we announced in the Chrome 74 release notes, the PacHttpsUrlStrippingEnabled policy has now been removed. If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change, especially if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.

    PAC HTTPS URL stripping removes privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution, reducing the chance that sensitive information is unnecessarily exposed. For example, https://www.example.com/account?user=234 would be stripped to https://www.example.com/. This behavior will now be enforced in Chrome 75.

  • EnableSymantecLegacyInfrastructure policy removed

    As we announced in the Chrome 74 release notes, the EnableSymantecLegacyInfrastructure policy has now been removed. The policy was used as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. The workaround allowed time to migrate any internal certificates that are not used on the public internet.

    Certificates issued from the Legacy PKI Infrastructure should have been replaced with certificates issued by public or enterprise-trusted Certificate Authorities (CAs). 

  • SSLVersionMax policy removed

    As we announced in Chrome 74 release notes, the SSLVersionMax policy has now been removed. This policy was used as a short-term workaround while TLS 1.3 was rolled out to allow time for middleware vendors to update their TLS implementations.

  • Policy to control Signed HTTP Exchange

    You can use Signed HTTP Exchange to safely make content portable or available for redistribution by other parties, while keeping the content’s integrity and attribution. Portable content has many benefits, such as enabling faster content delivery, facilitating content sharing between users, and simpler offline experiences

    Starting in Chrome 75, you can enable or disable Signed HTTP Exchange using the SignedHTTPExchangeEnabled policy.

  • CompanyName and LegalCopyright fields updated

    Chrome 75 changes the CompanyName and LegalCopyright fields in the version resource of Windows binaries (for example chrome.exe and chrome.dll). "Google Inc." is now  "Google LLC" and "Copyright 2018 Google Inc. All rights reserved." is now "Copyright 2019 Google LLC. All rights reserved."

  • Control precedence between Chrome Browser Cloud Management and platform policies

    You can use CloudPolicyOverridesPlatformPolicy to control how policies from Chrome Browser Cloud Management interact with policies set at the platform level (for example, through the Group Policy Management Editor). This policy can be useful if you’re transitioning from managing browsers through Group Policy Object (GPO) to Chrome Browser Cloud Management.

    When set to false (default), the order of precedence is Machine platform > Machine cloud > User platform > User cloud.

    With the policy set to true, the order of precedence is Machine cloud > Machine platform > User platform > User cloud.

    The policy can only be set as a machine platform policy. For more details, see Chromium

  • Merge list policies from multiple sources

    You can now merge policies that take a list of values that are set from multiple sources, including the cloud and by platform and Microsoft® Active Directory®. Before, if multiple lists from different sources conflicted, only one list was applied. For details, see PolicyListMultipleSourceMergeList.

  • Chrome Remote Desktop on the web now available 

    You can now use Chrome Remote Desktop on the web. In turn, the Chrome Remote Desktop app will not be supported after June 30, 2019. New and existing users can switch to the new version on the web.

    To set it up:

    1. Go to Chrome Remote Desktop.
    2. In the upper-right corner, click Remote Access.
    3. Click Remote Support to get support from a trusted friend or family member, or to give support to someone else.

    You can control whether users can access other computers from Chrome using Chrome Remote Desktop. For details, see Control use of Chrome Remote Desktop.

  • Improved tab life cycle management

    Some users will start to see improved CPU and memory usage as Chrome 75 rolls out. The TabLifeCyclesEnabled policy reduces the CPU usage on browser tabs that haven’t been used for a long time. Set the policy to true or leave it unspecified to enable it. For details, see Chromium

  • Users can check Chrome Browser and OS management

    In Chrome 75 we’re enhancing the visibility features for both browser and OS with transparency view, a new view which shows users the extent to which their device and account are managed by their administrators in enterprise environments. The new transparency view focuses on reporting functionality (“Which data is visible to my administrator?”) as well as force-installed extensions (“Which data may be accessed by force-installed extensions?”).

Chrome OS updates

  • Linux on Chromebooks: 

    Support for VPN connections—Linux applications can now utilize VPN connections through an existing Android or Chrome OS VPN connection. All traffic from the Linux VM will automatically be routed through an existing (established) VPN connection.

    Support for Android devices over USB—Android devices connected over USB can now be accessed by Linux apps. Users must choose to share the USB device with Linux before they can access it.

  • Add support for PIN code with native printers

    PIN code printing will be available which will allow users to enter a pin code when sending the print job, and release the print job for printing when they enter the pin code into the printer keypad.  This gives users more control over when a print job is printed so documents aren’t lying unattended at the printer. And because a user has to actively request their print job be released, it also reduces waste. 

    PIN printing will be enabled if the user’s Chrome device is managed, and the printer supports IPPS communication and the IPP attribute for “job-password”.
    PIN printing

  • Add support for Document Providers in Files app

    To expand support for third-party file providers on Chrome OS, when users install the app of a third-party file provider that implements the DocumentsProvider API, a root for the third-party file provider will appear in the side navigation of the Chrome Files app. For more details, see Documents Provider

  • Extending protected content on secondary displays

    Digital rights management (DRM)-protected content can now be shown on an external display. 

  • BLE advertising in Chrome apps flag removed

    The #enable-ble-advertising-in-apps flag (about://flags) will be removed in Chrome 75. If you or any developers use BLE Advertising APIs, you should debug the functionality in a kiosk session, rather than in a regular user session.

Admin console updates

  • Force devices to automatically re-enroll after wiping (change to forced re-enrollment behavior)

    Starting in June 2019 (with an incremental rollout), you can automatically re-enroll devices if they’re wiped.  Previously, forced re-enrollment required a user to enter their username and password to complete re-enrollment A few weeks after the roll out is complete, automatic re-enrollment will be the default for new customers as well as existing customers who have not changed the default forced re-enrollment setting. To control the setting, see Force wiped Chrome devices to re-enroll.

New and updated policies (Chrome Browser and Chrome OS)

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Policy Description
AlternativeBrowserParameters
Chrome Browser only
Controls command-line parameters to launch to an alternative browser
AlternativeBrowserPath
Chrome Browser only
Controls which command to use to open URLs in an alternative browser
CloudPolicyOverridesPlatformPolicy
Chrome Browser only
Cloud policy that overrides Platform policy
PolicyListMultipleSourceMergeList Allows merging list policies from different sources
SignedHTTPExchangeEnabled Enables support for Signed HTTP Exchange (SXG)
SpellcheckLanguageBlacklist
Windows, Linux, Chrome OS only
Disables unrecognized spellcheck languages 

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • Flash blocked by default in Chrome 76

    As communicated in the Chromium Flash Roadmap, Adobe® Flash® will be blocked by default in Chrome 76. Users can manually switch back to ASK ("Ask first") before running Flash. This change won’t impact existing policy settings for Flash. You can still control Flash behavior using DefaultPluginsSetting, PluginsAllowedForUrls, and PluginsBlockedForUrls. For more details, see the Flash Roadmap.

  • Site isolation enforced in Chrome 76

    In Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out if users encountered an issue. We’ve resolved the reported issues and starting with Chrome 76, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms. On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

  • Drive integration in the address bar

    Soon, users will be able to search for Google Drive files that they have access to from the address bar. If you have G Suite Business, Enterprise, or Enterprise for Education, you can apply for the beta program.

    Drive search in address bar

  • Removing --disable-infobars in Chrome 76

    Chrome 76 will no longer support the --disable-infobars flag, which was used to hide pop-up warnings from Chrome Browser. To support automated testing, kiosks, and automation, the CommandLineFlagSecurityWarningsEnabled policy will be added to allow you to disable some security warnings.

  • Policy atomic groups introduced in Chrome 76 

    In order to ensure predictable behavior from policies that are tightly coupled with other policies, some policies will be regrouped in atomic policy groups. These groups will help ensure that all the applied policies from a single group come from the same source, which is the source with the highest priority. This change will help prevent unpredictable behavior when mixing multiple sources of policies.

  • Merge policies with dictionary of values in Chrome 76

    In Chrome 76, you can merge policies that take a dictionary of values set from multiple sources, including the cloud and by platform and Active Directory. Without this policy, if different sources conflict, only one dictionary will have an effect. For details, see PolicyDictionaryMultipleSourceMergeList.

  • Flag removal, starting with Chrome 76

    Many flags in chrome://flags will be removed in upcoming Chrome versions. You should not use flags to configure Chrome Browser because they are not supported. Instead, configure Chrome Browser for your enterprise or organization using policies.

  • Improvements to version rollback

    A future version of Chrome will improve the rollback experience on Windows by preserving some user data during the rollback process.

Upcoming Chrome OS changes

  • Print jobs to include user account and file name

    If the printer or print service support IPPS with IPP attributes for requesting-user-name and document-name, you will be able to have print jobs include the user account and file name to help with print tracking and follow-me printing. 

  • New certificate verification engine and fallback enterprise policy

    Chrome 76 will start rolling out a new certificate verifier. For a few versions, we will provide an enterprise policy that will allow deployments to fall back on the legacy certificate verifier in case of certificate verification regressions or incompatibilities. We will provide more information about this feature in the Chrome 76 release notes.

  • Adding print server support for CUPS

    We’re working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. You and your users will be able to configure connections to external print servers and print from the printers on these servers.

  • User account and file name in IPP Header

    If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about a print job that enables third-party printing features, such as secure printing and print-usage tracking.

  • Linux apps USB devices
    From the Chrome Shell (crosh), you’ll be able to attach a USB device to Linux apps running on a Chromebook, so that Linux applications can access the Linux instance.

Upcoming Admin console changes

  • Remove 20-printer limit for CUPS print management (device settings)

    The 20-printer maximum cap will be raised to allow for thousands of printers for each organizational unit in the Google Admin console. If you’re interested in testing this new feature, sign up for our Trusted Tester program.

  • New default policies for printing (CUPS)

    There will be new controls for you to manage 2-sided and color printing.

  • Managed guest session support for managed Google Play

    A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

  • Device host name in DHCP requests
    You will be able to configure the device host name used during DHCP requests, including variable substitutions for ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, ${MACHINE_NAME}.

Chrome 74

Chrome Browser updates

  • Chrome Browser Cloud Management

    Chrome Browser has introduced support for management through the Google Admin console with Chrome Browser Cloud Management. Admins can use the Admin console to manage Chrome Browser across Windows®, Mac®, and Linux®, without requiring users to sign in. Learn more about Chrome Browser Cloud Management.

    Chrome Browser Cloud Management

  • Dark mode for Windows in Chrome 74

    In Chrome 74, if the system theme is set to dark, Chrome on Windows will also use a dark theme on screen.

  • Pop-ups will not be allowed on page unload

    Chrome 74 no longer allows pop-ups during page unload (see the removal notice). If you have any enterprise apps that still require pop-ups on page unload, you can enable the AllowPopupsDuringPageUnload policy to allow pop-ups on page unload until Chrome 82.

  • Legacy Browser Support will no longer need an extension

    In Chrome 74, you can deploy Legacy Browser Support to automatically switch users between Chrome Browser and another browser. You can use policies to specify which URLs open in an alternative browser. For example, you can ensure that browser traffic to the public internet uses Chrome Browser, but visits to your organization’s intranet use Internet Explorer®. You can turn on LBS and set policies to manage LBS in the Chrome Group Policy Template. Learn more about Legacy Browser Support Beta for Windows.

Chrome OS updates

  • Annotations in PDF Viewer

    When viewing an Adobe PDF document in Chrome, you’ll be able to tap a button to annotate the PDF with pen and highlighter tools.

  • New search feature in Chrome 74

    We’re adding a search feature so users can access recent queries and suggested apps without having to enter anything. Every time a user moves their cursor to or clicks the search box, but does not start entering text, they will get search suggestions. Users will also be able to remove recent queries that they no longer want to see and use suggested text to complete their query.

  • External camera support for Google Camera app

    External USB cameras, such as webcams, USB microscopes, and document cameras, are now supported by the Google Camera app.

  • Support for files and new folders in the “My files” root

    Users can save files locally and create new folders under the “My files” root outside of the default Downloads folder.

  • ChromeVox developer log options

    As of version 74, we added a new section of ChromeVox developer options within the ChromeVox options page to give developers access to ChromeVox logs, which will help debugging. This allows developers to enable logs for speech, earcons, braille, and event streams.

  • Linux apps on Chrome OS (Crostini) now support audio output

    Starting with Chrome 74, Linux apps on Chrome OS (Crostini) can now play audio.

Admin console updates

  • Policy to enable native Active Directory integration

    You can now configure an existing domain to manage your Chrome devices with a Microsoft® Active Directory® server. If enabled, Chrome devices are domain joined to AD so you can see them in your domain controllers. You can also manage sessions and push policies to users and devices with GPO. You don’t need to synchronize usernames to Google servers. Users sign in to devices using their Active Directory credentials.

    To manage integrated devices, set the policy to enable Chrome Enterprise Active Directory integration in your Admin console. Visit Manage Chrome devices with Active Directory.

New and updated policies

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Policy Description
AllowPopupsDuringPageUnload Allows a page to show pop-ups during its unloading.
AuthNegotiateDelegateByKdcPolicy​
Chrome OS, Mac, and Linux only
Use key distribution center (KDC) policy to delegate credentials on machines using Active Directory Kerberos authentication. Controls whether approval by KDC policy is respected, to delegate Kerberos tickets.
BrowserSwitcherChromeParameters
Windows only
Command-line parameters for switching from the alternative browser.
BrowserSwitcherChromePath
Windows only
Path to Chrome for switching from the alternative browser.
BrowserSwitcherDelay​ Delay before launching alternative browser (milliseconds).
BrowserSwitcherEnabled​ Enable the Legacy Browser Support feature.
BrowserSwitcherExternalSitelistUrl​ URL of an XML file that contains URLs to load in an alternative browser.
BrowserSwitcherKeepLastChromeTab​ Keep last tab open in Chrome.
BrowserSwitcherUrlGreylist​ Websites that should never trigger a browser switch.
BrowserSwitcherUrlList​ Websites to open in alternative browser.
BrowserSwitcherUseIeSitelist
Windows only
Use Internet Explorer's SiteList policy for Legacy Browser Support.
RemoteAccessHostAllowFileTransfer
Browser only
Allow remote access users to transfer files to/from the host. Controls the ability of a user connected to a remote access host to transfer files between the client and the host. This doesn’t apply to remote assistance connections, which don’t support file transfer.
WebUsbAllowDevicesForUrls Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.

Google Cloud Next recap

Chrome Enterprise product managers and customer engineers presented a number of talks at the Google Cloud Next conference in San Francisco the week of April 8, 2019. You can watch on YouTube recordings of the 18 Mobility & Devices Sessions.

The talks below should be specifically of interest to Chrome Enterprise IT admins:

Browser-focused talks

Chrome OS-focused talks

New Chrome OS administrator credential

We're now offering a new Chrome OS administrator credential. The Chrome OS administrator exam is free and measures the ability to:

  • Create, delete, and administer users for a domain
  • Configure and manage organizational units
  • Manage Chrome devices in the Google Admin console
  • Configure and manage security and privacy settings

​For details, see Earn your Chrome OS administrator credential.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • Drive search results in the address bar

    Users will see Google Drive results when entering a search in the address bar, including PDFs, Google Sheets, Docs, and Slides.

    Drive search in address bar

  • All extensions must be packaged with CRX3 format in Chrome 75

    CRX2 uses SHA1 to secure updates to the extension and breaking SHA1 is technically possible, allowing attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

    Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. And, new installations of the extension will fail. See ExtensionAllowInsecureUpdates.

  • PacHttpsUrlStrippingEnabled policy will be removed in Chrome 75 

    If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution, reducing the chance that sensitive information is unnecessarily exposed. For example, https://www.example.com/account?user=234 would be stripped to https://www.example.com/.  If you set this policy to True or leave it on the default value, then there will be no change. If you set this policy to False, you will no longer be able to do so in Chrome 74.  

  • EnableSymantecLegacyInfrastructure policy will be removed in Chrome 75

    EnableSymantecLegacyInfrastructure was used as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. This allows time for migrating any internal certificates not used on the public internet. This policy will be removed. Certificates issued from the Legacy PKI Infrastructure should have replacement certificates issued by public or enterprise-trusted CAs.

  • Policy rollback to a previous version in Chrome 75

    Chrome 75 on Windows will include a policy that allows administrators to roll back to a previous version of Chrome. Note that only the latest release of Chrome is officially supported, so if an admin rolls back to an older version of Chrome, they do so at their own risk. This policy is meant as an emergency mechanism and should be used with caution. A future version of Chrome on Windows will improve the rollback experience by preserving user states during the rollback process.

    Read before using this policy: To make sure that users are protected by the latest security updates, we recommend that they use the latest version of Chrome Browser. If you roll back to an earlier version, you will expose your users to known security issues. Sometimes you might need to temporarily roll back to an earlier version of Chrome Browser on Windows computers. For example, your users might have problems after a Chrome Browser version update.

    Before you temporarily roll back users to a previous version of Chrome Browser, we recommend that you turn on Chrome sync or Roaming User Profiles for all users in your organization. If you don’t, previous versions of Chrome Browser will not use data that was synced from later versions. Use this policy at your own risk.

    Note: You can only roll back to Chrome Browser version 72 or later. Please provide feedback on this feature.

  • SSLVersionMax policy will be removed in Chrome 75

    The SSLVersionMax policy, which can be used as a short-term workaround while TLS 1.3 is rolled out, will be removed in Chrome 75. This allows time for middleware vendors to update their TLS implementations.

  • Site isolation enforced on desktop in Chrome 75

    Before shipping site isolation in Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out of site isolation if users encountered an issue. We’ve resolved the reported issues and starting with Chrome 75, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms. On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

  • Blacklisted extensions can be removed (rather than just disabled) by policy in Chrome 75

    A new policy will be made available to specify that Chrome Browser shouldn’t just disable blacklisted extensions, but remove them completely.

  • Policy to control signed HTTP exchange in Chrome 75

    Signed HTTP exchange enables publishers to safely make their content portable, or available for redistribution by other parties, while keeping the content’s integrity and attribution. Portable content has many benefits, such as enabling faster content delivery, facilitating content sharing between users, and simpler offline experiences. In Chrome 75, the SignedHTTPExchangeEnabled policy will control whether signed HTTP exchange is enabled or not.

  • CompanyName and LegalCopyright fields will be updated in Chrome 75

    Chrome 75 will change the CompanyName and LegalCopyright fields in the version resource of Windows binaries (for example chrome.exe and chrome.dll) from "Google Inc." and "Copyright 2018 Google Inc. All rights reserved." to "Google LLC" and "Copyright 2019 Google LLC. All rights reserved."

  • Flash will be blocked by default in Chrome 76

    As communicated in the Chromium Flash Roadmap, Flash is to be blocked by default in Chrome 76 (Stable release beginning end of July 2019). Users can still switch it back to ASK by default. This change won’t impact enterprises that already configure policy settings for Flash (DefaultPluginsSetting, PluginsAllowedForUrls, PluginsBlockedForUrls). Enterprises will still be able to control this policy. 

Upcoming Chrome OS changes

  • New certificate verification engine and fallback enterprise policy

    Chrome 76 will start rolling out a new certificate verifier. For a few versions, we will provide an enterprise policy that will allow deployments to fall back on the legacy certificate verifier for the unlikely case of certificate verification regressions or incompatibilities. We will provide more information about this feature in the Chrome 76 release notes.

  • Adding print server support for CUPS

    We’re working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. Users and administrators will be able to configure connections to external print servers and print from the printers on these servers.

  • User account and file name in IPP Header

    If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about the print job that enables third-party printing features, such as secure printing and print usage tracking, if supported.

  • Linux apps USB devices

    From the Chrome Shell (crosh), you will be able to attach a USB device to Linux apps running on Chromebooks so that Linux applications can access the Linux instance.

  • BLE advertising in Chrome apps flag being removed
    The #enable-ble-advertising-in-apps flag (about://flags) will be removed in Chrome 75. This feature is designed to work with Chrome apps operating within kiosk sessions. Any developers leveraging BLE Advertising APIs should debug functionality in kiosk session, rather than use a regular user session.

Upcoming Admin console changes

  • Remove 20-printer limit for CUPS print management

    The 20-printer maximum cap will be raised to allow for thousands of printers for each organizational unit in the Admin console. If you’re interested in testing this out, join our trusted tester program.

  • New default policies for printing (CUPS)

    Soon, there will be new controls for administrators to manage printing capabilities for their users for 2-sided and color printing. Admins will be able to set defaults or restrict these print options.

  • Managed guest session support for managed Google Play

    A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome 73

Chrome Browser updates

  • Managed by your organization menu item

    Starting in Chrome 73, when one or more policies are set in Chrome Browser, some users will see a new item on the More More menu that indicates that Chrome is being managed. If a user clicks Managed by your organization, they are directed to details about Chrome Browser management.

    Managed by your organization

  • Changes to the Chrome sign-in flow

    In Chrome 73, we're rolling out the following changes to Chrome Browser settings:

    • When a user turns Chrome sync on, they now get additional features, including an enhanced spellchecker and extended reporting for safe browsing.

    • Sync and Google services—A new section that lists all of the settings related to data collected by Google in Chrome Browser. Many of these settings were previously in the Privacy section.

    • Make searches and browsing better—A new setting in the Sync and Google services section that allows users to control whether features in Chrome Browser can collect anonymous URLs.

      Sync and Google services setting

  • Chrome Browser binaries signed with new digital certificate

    Chrome Browser binaries and installer are now signed with a digital certificate issued to Google LLC (rather than Google Inc). There are no changes to the Certificate Authority (CA).

  • Password Manager enterprise policy for Android now aligned to desktop

    The PasswordManagerEnabled policy controls whether the password manager offers to save passwords. On Android, this policy prevented users from viewing passwords that were already saved. Starting with Chrome 73, Chrome Browser on Android will behave like other platforms and allow the user to view their saved passwords.

  • Progressive Web App support on Mac

    In Chrome 73, Progressive Web Apps (PWAs) can now be installed on Apple® Mac®. For details, see Desktop Progressive Web Apps.

  • Dark mode for Mac

    In Chrome 73, if the system theme is set to dark, Chrome Browser on Mac computers will also use a dark theme. Support for Microsoft® Windows® is planned for a future release. 

  • Accessibility improvements

    A number of improvements have been made to accessibility in Chrome Browser, including greater contrast and compatibility with screen readers. Some of the improvements include:

    • Improved contrast in pop-up boxes, the search box, and tabs (especially when a tab is not active).
    • More pop-up boxes correctly report titles to screen-reader software.
    • Tabs are now keyboard-accessible.
    • Fixes to the way pressing the F6 or Tab key moves through the order of the Chrome Browser toolbar, and other controls, including access to some new UI elements.
    • Screen reader now announces additional information, such as the page zoom level when it’s changed and the number of Find results.
    • Misleading screen-reader prompts are fixed to reflect current functionality. For example, the correct key combination is now reported when you want to zoom in on a page.
    • If a user draws around an element in the UI, there are now improvements in the contrast and appearance of focus rings.
  • New policy to force networking code to run in the browser process

    The network code we use for Chrome Browser is being moved to a separate process. It’s an internal architectural change that wasn't expected to interact with other products. However, we're aware of one report of the move breaking a third-party product that used to inject code into Chrome Browser's process. If this move is causing any issues in your environment, you can temporarily use the ForceNetworkInProcess policy to force networking to run in the browser process. This is a temporary policy that will be removed in the future; there is currently no specific timeline, but we plan to provide 4 milestones notice before removal.

  • Notice for web developers: Flexbox rendering

    Chrome Browser now follows the recommendation from the World Wide Web Consortium for the box model that’s optimized for a UI. Flex items now get the correct minimum size. If you’re a web developer, we recommend that you set the CSS on your webpages with flex items to min-height: auto. For details on the change, see Chromium and the Consortium specification.

  • Notice for developers: Changes to cross-origin requests in extension content scripts

    Chrome 73 includes changes to the behavior of cross-origin requests from content scripts. These changes help site Isolation protect Chrome users even if a renderer is compromised, but these changes may break extensions that have not yet adapted to the new security model. For instructions on how to verify if a Chrome extension you’re using is affected or to request adding an extension to a temporary allowlist, see Chromium.org.

Chrome OS updates

  • Managed guest sessions to replace public sessions

    In Chrome 73, public sessions are being replaced with managed guest sessions, which provide additional capabilities. Depending on the configuration of the organizational unit that has managed guest session devices, an existing public session device might have the capabilities automatically activated. If so, all certificates, policies, and extensions of the organization will be applied to the managed guest session of this device in the future and no manual changes are required. Learn more about how to manage guest session devices.

  • eSpeak for Chrome OS

    You can set up text-to-speech in dozens of languages on devices running Chrome OS to enhance  accessibility. For details, see eSpeak NG.

  • Pair Bluetooth braille displays with Chromebooks

    In addition to supporting USB-refreshable braille displays, you now have the ability to pair braille displays through Bluetooth®. For details, see Use a braille device with your Chromebook.

  • Camera app 5.3 update

    Users can now take photos and videos with a 3 or 10-second timer, line up shots with grid options, and use a mirror button that’s helpful when using external cameras, such as USB microscopes or document cameras.

Admin console updates

  • Enable managed Chrome devices to run Linux apps

    Last year we announced that consumer users can run Linux apps, including Android Studio on these Chrome devices. With Chrome 73, we’re making this feature available on managed devices. Admins can now enable or disable the use of virtual machines that are required to use Linux apps on managed Chrome OS devices. The policy is disabled by default. Admins who want to enable this policy, see Virtual Machines in Set Chrome device policies. Users need to follow the steps in Set up Linux (Beta) on your Chromebook.

    Chrome OS virtual machines setting in Admin console

  • New default policy for black & white printing (CUPS)

    There are new controls for administrators to manage black and white printing capabilities for their users. Controls for 2-sided and color printing are coming soon.  If you’re interested in getting early access to test printing features, please complete the trusted tester application.

    Native printers color mode setting in Admin console

New and updated policies

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Policy Description
ExtensionAllowInsecureUpdates Allows insecure algorithms in integrity checks on extension updates and installations. Starting in Chrome 77, this policy will be ignored and treated as disabled.
DeviceGpoCacheLifetime
Chrome OS only
Specifies the lifetime (in hours) of the Group Policy Object (GPO) cache.
DeviceAuthDataCacheLifetime
Chrome OS only
Specifies the lifetime (in hours) of the authentication data cache.
ForceNetworkInProcess
Windows only
Forces networking code to run in the browser process. This policy is disabled by default. If enabled, it leaves users open to potential security issues when the networking process is sandboxed.
ReportDevicePowerStatus
Chrome OS only
Reports hardware statistics and identifiers related to power.
ReportDeviceStorageStatus
Chrome OS only
Reports hardware statistics and identifiers for storage devices.
ReportDeviceBoardStatus
Chrome OS only
Reports hardware statistics for system on a chip (SoC) components.
CloudManagementEnrollmentToken
Browser only
Enrollment token used for enrolling in cloud management. This replaces the MachineLevelUserCloudPolicyEnrollmentToken policy.
PluginVmLicenseKey
Chrome OS only
Specifies a PluginVm license key for a device.
ParentAccessCodeConfig
Chrome OS only
Specifies the configuration that’s used to generate and verify a parent access code.

New Chrome OS administrator credential

We are excited to announce the Chrome OS administrator credential. The Chrome OS administrator exam is free and measures the ability to:

  • Create, delete, and administer users for a domain
  • Configure and manage organizational units
  • Manage Chrome devices in the Google Admin console
  • Configure and manage security and privacy settings

​For details, see Earn your Chrome OS administrator credential.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

  • Flash blocked by default in Chrome 76

    As communicated in the Chromium Flash Roadmap, Adobe® Flash® is planned to be blocked by default in Chrome 76 (stable release beginning end of July 2019). Users will still be able to switch it back to Ask to use Flash by default. This change will not impact enterprises who already configure policy settings for Flash (DefaultPluginsSetting, PluginsAllowedForUrls, PluginsBlockedForUrls). Enterprises will still be able to control this policy as before. 

  • Drive search results in the address bar

    Users will see Google Drive results when entering a search in the address bar, including PDFs, Google Sheets, Docs, and Slides.

    Drive search in address bar

  • Dark mode for Windows in Chrome 74

    In Chrome 74, if the system theme is set to dark, Chrome Browser on Windows computers will also use a dark theme in the UI. 

  • Use a policy to roll back to a previous version of Chrome Browser

    We are working on a policy to roll back a Chrome Browser version while retaining account and profile data. The new policy will allow administrators to roll back in conjunction with the existing TargetVersionPrefix ADMX policy. You can send feedback on this feature in the Chromium bug tracker.

    Read before using this policy: To make sure that users are protected by the latest security updates, we recommend that they use the latest version of Chrome Browser. If you roll back to an earlier version, you will expose your users to known security issues. Sometimes you might need to temporarily roll back to an earlier version of Chrome Browser on Windows computers. For example, your users might have problems after a Chrome Browser version update.

    Before you temporarily roll back users to a previous version of Chrome Browser, we recommend that you turn on Chrome sync or Roaming User Profiles for all users in your organization. If you don’t, previous versions of Chrome Browser will not use data that was synced from later versions. Use this policy at your own risk.

    Note: You can only roll back to Chrome Browser version 72 or later 

  • Deprecated policies will remain in the ADMX templates

    The ADM and ADMX templates will be modified to keep deprecated and unsupported policies in the output. They will be placed in a dedicated folder and have the same description. The update will make it easier to delete policies after they’re deprecated. Learn more about Deprecated Chrome policies.

  • PacHttpsUrlStrippingEnabled policy will be removed in Chrome 74 

    If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution, reducing the chance that sensitive information is unnecessarily exposed. For example, https://www.example.com/account?user=234 would be stripped to https://www.example.com/.  If you set this policy to True or leave it on the default value, then there will be no change. If you set this policy to False, you will no longer be able to do so in Chrome 74.  

  • EnableSymantecLegacyInfrastructure policy removed in Chrome 74

    The EnableSymantecLegacyInfrastructure policy can be used as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. This allows time for migrating any internal certificates not used on the public internet. This policy will be removed in Chrome 74. Certificates issued from the Legacy PKI Infrastructure should have replacement certificates issued by public or enterprise-trusted Certificate Authorities (CAs). See Migrate from Symantec certificates.

  • SSLVersionMax policy will be removed in Chrome 75

    The SSLVersionMax policy, which can be used as a short-term workaround while TLS 1.3 is rolled out, will be removed in Chrome 75. This allows time for middleware vendors to update their TLS implementations.

  • All extensions must be packaged with CRX3 format in Chrome 75

    CRX2 uses SHA1 to secure updates to the extension and breaking SHA1 is technically possible, allowing attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

    Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. And, new installations of the extension will fail. See ExtensionAllowInsecureUpdates.

  • Site isolation enforced on desktop in Chrome 75

    Before shipping site isolation in Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out of site isolation if users encountered an issue. We’ve resolved the reported issues and starting with Chrome 75, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms. On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

  • ThirdPartyBlockingEnabled deprecation

    In the Chrome Enterprise 68 release notes published in July 2018, we announced that the ThirdPartyBlockingEnabled policy will be deprecated in approximately one year (Chrome 77). This announcement was intended as a general deprecation date at some point in the future, but due to feedback and in order to give the ecosystem more time to adapt to the change, the deprecation is currently not targeted for Chrome 77. When a date is set for deprecation, we will announce it in the release notes. We plan to provide 4 notices before removal.

  • TLS 1.3 downgrade hardening

    Chrome Browser enabled TLS 1.3 in Chrome 70. However, due to bugs in some enterprise TLS proxies, a hardening mechanism was temporarily disabled. A future version of Chrome Browser will re-enable this measure. To test networks in Chrome 73:

    1. Set chrome://flags/#enforce-tls13-downgrade Enabled.
    2. Visit a TLS-1.3-enabled server, such as https://mail.google.com. 
    3. If the connection fails with ERR_TLS13_DOWNGRADE_DETECTED, some proxy on the network has the hardening mechanism temporarily disabled.

    You should upgrade affected proxies to fixed versions or contact vendors if no fix is available. The following list contains the minimum firmware versions for affected products that we're aware of:

    Palo Alto Networks:

    • PAN-OS 8.1 must be upgraded to 8.1.4 or later.
    • PAN-OS 8.0 must be upgraded to 8.0.14 or later.
    • PAN-OS 7.1 must be upgraded to 7.1.21 or later.

    Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):

    • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later.
    • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later.
    • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later.
  • Legacy browser support planned to be incorporated into Chrome 75

    Legacy browser support functionality is being incorporated into Chrome Browser, and the separate extension will no longer be needed. We will keep the extension in the Chrome Web Store for the foreseeable future so customers on older versions of Chrome Browser can continue to use legacy browser support. If you’re interested in getting early access to test legacy browser support integration, please complete this interest form.

  • Pop-ups will not be allowed on page unload

    In Chrome 74, we will no longer allow pop-ups during page unload. See the removal notice. We’ve been notified that this might break some enterprise apps so a temporary policy will be made available to allow pop-ups on page unload when Chrome 74 launches. This temporary policy is planned to be removed in Chrome 76. 

Upcoming Chrome OS changes

  • New search feature in Chrome 74

    We’re adding a search feature so users can access recent queries and suggested apps without having to enter anything. Every time a user moves their cursor to or clicks the search box, but does not start entering text, they will get search suggestions. Users will also be able to remove recent queries that they no longer want to see and use suggested text to complete their query.

  • Adding print server support for CUPS

    We are working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. Users and administrators will be able to configure connections to external print servers and print from the printers on these servers.

  • User account and file name in IPP Header

    If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about the print job that enables third-party printing features, such as secure printing and print usage tracking, if supported.

  • Annotations in PDF viewer

    When viewing a PDF on a device running Chrome OS, you will be able to tap a button to annotate the PDF with pen and highlighter tools.

  • Linux apps USB devices

    From the Chrome Shell (crosh), you will be able to attach a USB device to Linux apps running on Chromebooks so that Linux applications can access the Linux instance.

  • External camera support for the Camera app
    External USB cameras will be supported by the Camera app. 

Upcoming Admin console changes

  • Remove 20-printer limit for CUPS print management

    Soon, the 20 printer maximum cap will be raised to allow for several thousand printers for each organizational unit in the Google Admin console. If you’re interested in testing the new feature, please join our trusted tester program.

  • New default policies for printing (CUPS)

    Soon, there will be new controls for administrators to manage printing capabilities for their users for duplex printing. Admins will be able to set defaults or restrict whether users can or cannot use duplex printing. 

  • Managed guest session support for managed Google Play

    A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome 72

Chrome Browser updates

  • New search result types

    In Chrome 72, you’ll get 2 new types of search results when you search from the address bar. You’ll get results based on entities—people, things, places, and so on. These results will contain the search text, an image of the entity you’re searching for, and a short description.

    search as you type

    You’ll also get suggestions to complete the end of a search string. For example, if you search for “widget sale best prac…”, you’ll get a suggestion for “practice” as a completion to your search.

    text auto-complete

  • Cleanup tool quarantines—instead of deleting—files it detects as malicious

    If you use the Chrome Cleanup tool on Microsoft® Windows® computers, files detected as malicious will now be quarantined rather than deleted. This update will help lessen the risk of safe files being mistakenly deleted. Learn more about removing unwanted programs and the Chrome Cleanup tool policy.

  • Save payment information to a Google Account

    In Chrome 72, users who are signed in to their managed Google Account will now see an option to save their payment information to their Google Account. As an administrator, you can turn off this feature (Sync Service setting) in the Google Admin console or by using the AutofillCreditCardEnabled policy.

  • Support for Windows 10 U2F and web authentication APIs

    If you use the most recent version of Windows 10, you’ll have added support for Universal 2nd Factor (U2F) and WebAuthn—standards that enable web authentication through security keys instead of passwords. U2F and WebAuthn are only supported on the most recent versions of Windows 10: either current Insider Preview builds or the forthcoming 19H1 release (“Redstone 6”). Integration with these APIs enables Windows Hello support through WebAuthn and support for NFC tokens. USB and Bluetooth Low Energy (BLE) devices should continue to work, although Windows UI will now be displayed. Any organizations that depend on U2F or WebAuthn, and are using sufficiently recent Windows builds, should verify that this feature works correctly before rolling it out.

  • EnableSha1ForLocalAnchors policy

    Enterprises that needed time to migrate following the 2014 announcement to sunset SHA-1 were able to configure an enterprise policy to enable support for SHA-1 for locally installed, privately trusted Certificate Authorities. This support has now been removed in Chrome 72. Enterprises that rely on server certificates that use the SHA-1 algorithm in the certificate chain will find that Chrome 72 will refuse to connect, presenting an untrusted certificate error. These certificates should be replaced with SHA-2 certificates to avoid any disruption.

  • New welcome experience (Windows)

    When you start Chrome Browser for the first time on Windows, you’ll see a new welcome page, unless you’re on a device that’s joined to a Microsoft® Active Directory® domain.

  • Changes to sign-in behavior with Chrome 72

    In Chrome 72, a small percentage of users will now see the following changes to the Chrome sign-in behavior. A wider roll-out of these features will happen in Chrome 73:

    • When a user turns Chrome sync on, they now get additional features, including “Enhanced spell check” and “Safe browsing extended reporting.”
    • The Chrome settings page includes a new section—Sync and Google services—which lists all of the settings related to data collected by Google in Chrome Browser. Many of these settings were previously under “Privacy”.
    • A new setting, “Make searches and browsing better” will appear under “Sync and Google services” on the settings page. This allows users to control whether features within Chrome can collect anonymized URLs.

Chrome OS updates

  • USB connections on locked devices

    Chrome 72 will offer initial support to ignore some types of USB connections on locked devices that are running Chrome OS including printers, scanners, and storage devices. USBGuard is on by default beginning with Chrome 72. If issues are detected, admins can disable this feature through chrome://flags.

  • Android app shortcuts in launcher search

    Users can now search for app shortcuts in the launcher search. For example, users can search for Compose and be taken to the exact related app, such as a new blank message in Gmail.

  • New drawing app for Chromebooks

    Chromebook users now have the Canvas app for drawing.

  • ChromeVox screen reader update

    ChromeVox users with low vision can now opt to have the screen reader read anything under their mouse cursor. This feature can be enabled through the setting “Speak text under the mouse” in the ChromeVox options page.

    Speak text under the mouse setting

  • Android 9.0 support coming to certain Chrome devices

    Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. We’ll include more information in future release notes when it comes available.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

  • Drive search results in the address bar

    Users will see Google Drive results when entering a search in the address bar, including Google Sheets, Docs, Slides, and PDFs.

    Drive search in address bar

  • Roll back Chrome Browser version with policy

    Many enterprise customers have asked Google to provide a version rollback mechanism. We are working on a policy to roll back Chrome Browser while retaining account and profile information. This will allow administrators to enable a rollback in conjunction with the existing TargetVersionPrefix ADMX policy. If the Chrome version updater cannot rollback the browser, the chrome://policy page will contain an error message and the existing release will continue to function. Only the latest release of Chrome is officially supported, so if an admin rolls back to an older version they do so at their own risk. You can provide feedback to the engineering team on this feature on Chromium.

  • Deprecated policies will remain in the ADMX templates

    Deprecated policies will be placed in a dedicated folder in the ADMX templates and have the same description. This change will make it easier for administrators to delete policies after they’re deprecated. Learn more about Deprecated Chrome policies.

  • PacHttpsUrlStrippingEnabled policy will be removed in Chrome 74

    The PacHttpsUrlStrippingEnabled policy will be removed in Chrome 74. If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution. For example, https://www.example.com/account?user=234 will be stripped to https://www.example.com/. If you set this policy to True or leave it on its default value, then there will be no change. However, in Chrome 74, you will no longer be able to set it to False.

  • EnableSymantecLegacyInfrastructure policy will be removed in Chrome 74

    The EnableSymantecLegacyInfrastructure policy will be removed in Chrome 74. This policy is intended as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. This allows time for migrating any internal certificates not used on the public Internet. This policy will be removed in Chrome 74. Certificates issued from Legacy PKI Infrastructure should have replacement certificates issued by public or Enterprise-trusted Certificate Authorities (CAs). See Migrate from Symantec certificates.

  • SSLVersionMax policy will be removed in Chrome 75

    The SSLVersionMax policy was a short-term work-around while TLS 1.3 is rolled out. This allows time for middleware vendors to update their TLS implementations. The policy will be removed in Chrome 75.

  • All extensions must be packaged with CRX3 format by Chrome 75

    Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.This change has been made because CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is technically possible. So, an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

    If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. New installations of the extension will fail.

  • Site isolation will be enforced on Chrome 75 (Desktop)

    Before shipping Site Isolation in Chrome 67, we introduced enterprise policies that enterprises could use to opt in to Site Isolation early or opt out of Site Isolation if they encountered an issue. We’ve resolved the reported issues and starting with Chrome 75, we will remove the ability to opt out of Site Isolation using the SitePerProcess or IsolateOrigins policies on desktop. We tentatively plan to move Chrome 75 to the stable channel in June 2019.

    Notes:

Upcoming Chrome OS changes

  • External camera support for Camera app

    External USB cameras will be supported by the Google Camera app.

  • Always-on VPN for managed Google Play

    Currently, Admins can install Android VPN apps on Chromebooks, however, users have to start the VPN app manually. Soon, admins will be able to set an Android VPN app to start a connection when a device is turned on and direct all user traffic (Chrome OS and Android) through that connection.

  • User account / Filename in IPP Headers

    If enabled by policy, all print jobs can include the requesting user account and file name printed in the IPP header. This new feature will provide additional information about print jobs that enable third-party printing features, such as secure printing and print-usage tracking.

  • Annotations in PDF Viewer

    When viewing a PDF in Chrome, you will be able to tap a button to add notes to the PDF with a pen and highlighter tools.

  • Linux container support for USB devices

    From the Chrome Shell (crosh), you will be able to attach a USB device to Linux running on Chrome devices (Crostini) so that Linux applications can access the Linux instance.

Upcoming Admin console changes

  • Native printing (CUPS) improvements
    • Printing limit lifted—The 20 printer maximum cap will be raised to allow for several thousand printers for each organizational unit in the Google Admin console.
    • Set default for 2-sided and black and white printing—Controls are coming for administrators to manage printing capabilities for their users around 2-sided printing and black and white printing. Admins will be able to set defaults or restrict these print options with CUPS (native printing).
  • Managed guest session support for managed Google Play

    A setting in the Google Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome 71

Chrome Browser updates

  • Change to using PAC scripts to configure proxy settings in Chrome

    If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. This is especially so if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.

    The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution. For example, https://www.example.com/account?user=234 will be stripped to https://www.example.com/.

    This policy will change the default value from False to True to improve security. If you already set this policy to True, there’s no impact. If you set it to False, there’s no immediate impact. If you haven’t set this policy and are relying on the default, test this change to see how your PAC scripts operate.

    This policy will be removed in a future release when PAC stripping becomes the default for Chrome.

  • Deprecate trust in remaining Legacy Symantec PKI Infrastructure

    This change is present in all release channels: Canary, Dev, Beta, and Stable. Users observing the distrust in Chrome 70 should experience the exact same behavior in Chrome 71 and later. For a small percentage of users, Chrome 71 will be the first time they experience the distrust, which could result in more problems involving related errors.

    Find instructions on how to determine whether a site is affected and any corrective action needed, as well as a description of past changes.

Chrome OS updates

  • Fingerprint and PIN enrollment in Chrome device Out of Box Experience (OOBE)

    For tablets that support fingerprint and/or PIN, users can enroll a fingerprint or set up a PIN while signing in to the device for the first time.

  • Connect to your Android phone

    Users can connect with their Android phone using a single setup flow to enable Smart Lock, instant tethering, and Android Messages PWA. Android Messages PWA gives users the ability to see, reply to, and start text messages.

  • Android Messages for Chrome OS

    Users can text from their Chrome OS by connecting with their Android phone. 

  • Print multiple pages per sheet on native (CUPS) printing

    Native printers using CUPS now support rendering multiple pages of content onto a single sheet of paper. Previously only available for Cloud Print printers, this is now available for all printing destinations.

Admin console updates

  • Managing site isolation policies

    Site isolation policies on the desktop get updated to reflect that they’re on by default. (They include controls to turn off site isolation or add specific site rules.) New policies are added to the Admin console for Chrome on Android. For more, see Protect your data with site isolation.

New and updated policies

Policy Description
AllowWakeLocks
Chrome OS only
Specifies whether wake locks are allowed. Wake locks can be requested by extensions through the power management extension API and by ARC apps.
NetworkFileSharesPreconfiguredShares
Chrome OS only
List of preconfigured network file shares.
NTLMShareAuthenticationEnabled
Chrome OS only
Network File Share feature. This policy controls enabling NTLM as an authentication protocol for SMB mounts.
SmartLockSigninAllowed
Chrome OS only
Allow Smart Lock Sign-in to be used.
VpnConfigAllowed
Chrome OS only
Allow the user to manage VPN connections.
WebUsbAllowDevicesForUrls
All operating systems
Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.

Deprecations

  • EnableSha1ForLocalAnchors policy

    Enterprises that needed time to migrate following the 2014 announcement to sunset SHA-1 were able to configure an Enterprise policy to enable support for SHA-1 for locally installed, privately trusted Certificate Authorities. Support would be removed in January 2019 at the latest, which corresponds to Chrome 72. Enterprises that rely on server certificates that use the SHA-1 algorithm in the certificate chain will find that Chrome 72 will refuse to connect, presenting an untrusted certificate error. These certificates should be replaced with SHA-2 certificates to avoid any disruption.

  • SupervisedUserCreationEnabled policy (deprecated in Chrome 70)

    Read about consumer supervised users.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

  • The Chrome Cleanup Tool will quarantine—instead of deleting—files it detects as malicious

    The Chrome Cleanup Tool helps users remove unwanted software on their computers. The removal process includes deleting malicious files in the system. However, to lessen the risk of safe files being erroneously deleted, files will be moved into quarantine instead of getting deleted permanently. For more, learn about removing unwanted programs and the Chrome Cleanup Tool policy.

  • PacHttpsUrlStrippingEnabled policy (scheduled to be deprecated in Chrome 74) 

    See the above note on Change to using PAC scripts to configure proxy settings in Chrome.

  • SSLVersionMax policy (scheduled to be deprecated in Chrome 75)

    SSLVersionMax can be used as a short-term workaround while TLS 1.3 is rolled out. This allows time for middleware vendors to update their TLS implementations. The policy will be removed in Chrome 75.

  • Third-party code injection

    The Chrome 70 release notes stated that in Chrome 71, third-party code blocking will be enabled by default for everyone, including domain-enrolled users. However, due to an issue with anti-virus file scanning, we're delaying this change until we have a solution that better covers customers' needs.

  • All extensions must be packaged with CRX3 format by Chrome 75

    Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.

    If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. New installations of the extension will fail.

    Why is this change happening?

    CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is technically possible. So, an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

Upcoming Chrome OS features

  • Always-on VPN for managed Google Play

    Admins can install Android VPN apps on Chromebooks. However, users have to start the VPN app manually.

    Soon, admins can set an Android VPN app to start a connection when a device is turned on and direct all user traffic (Chrome OS and Android) through that connection. If the connection fails, all user traffic is blocked until the VPN connection is re-established. VPNs in Chrome OS don’t apply to any system traffic, such as OS and policy updates to prevent security exploits.

  • Android 9.0 support coming to certain Chrome devices

    Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. Dates and affected devices haven’t been announced. We’ll include more information in future release notes when it comes available.

Upcoming Admin console features

  • Native printer-management improvements

    The 20 printer maximum cap will be raised to allow for several thousand printers for each organizational unit in the Google Admin console.

  • Managed guest session support for managed Google Play

    A setting in the Google Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome 70

We're accepting sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy Description
BrowserSignin Controls the sign-in behavior of Chrome Browser.
DeviceLocalAccountManagedSessionEnabled
Chrome OS only
Allows managed session behavior on a device configured for public sessions.
NetBiosShareDiscoveryEnabled
Chrome OS only
Controls Network File Share discovery through NetBIOS.
NetworkFileSharesAllowed
Chrome OS only
Controls whether the Network File Share feature for Chrome OS is allowed for a user.
PowerSmartDimEnabled
Chrome OS only
Specifies whether a smart dim model is allowed to extend the time until the screen is dimmed
PrintHeaderFooter Specifies whether users can print headers and footers.
ReportMachineIDData
Desktop only
Controls whether to report information that can be used to identify machines. Learn more about reporting on Chrome.
ReportPolicyData
Desktop only
Controls whether to report policy data and the time of a policy fetch. Learn more about reporting on Chrome.
ReportUserIDData
Desktop only
Controls whether to report information that can be used to identify users. Learn more about reporting on Chrome.
ReportVersionData
Desktop only
Controls whether to report Chrome OS version information. Learn more about reporting on Chrome.
WebRtcEventLogCollectionAllowed Specifies whether to allow or block Chrome OS from collecting WebRTC event logs from Google services.

Chrome Browser updates

  • Sign-in policy change

    Starting in Chrome 70, the BrowserSignin policy will control the Allow Chrome sign-in setting for your users on Chrome Browser. It allows you to specify if the user can sign in with their account and use account-related services, such as Chrome Sync.

    If the policy is set to "Disable browser sign-in", then the user cannot sign in to the browser and use account-based services. In this case, account-bound features, such as Chrome Sync, cannot be used and will be unavailable.

    If the policy is set to "Enable browser sign-in", then the user can sign in to the browser, but they’re not forced to do so. The user can’t disable signing in to the browser. To control the availability of Chrome Sync, use the SyncDisabled policy.

    If the policy is set to “Force browser sign-in”, then the user has to sign in to Chrome before using the browser. The default value of BrowserGuestModeEnabled will be set to false. Existing profiles that are not signed in will be locked and inaccessible after enabling this policy. 

    If this policy is not set, then the user can decide if they want to enable the browser sign-in option and use it as they see fit.

  • Cookie behavior change

    With Chrome 70, when a user clears cookies in Chrome Browser, Google’s authentication cookies will be deleted along with all other cookies, except for the cookie used for the Chrome Sync account. Users are automatically signed out of all accounts not being used for Chrome Sync. Users will still be signed in to any account used for Chrome Sync so they can delete their browsing data from other devices as well.

  • Reduce Chrome crashes caused by third-party software

    Third parties can inject code that disrupts the stability of Chrome Browser. In Chrome 66, we introduced on-screen warnings that alerted users when a third party injects code.

    Here’s the warning users see on their computers if the ThirdPartyBlockingEnabled policy is enabled:

    Disable third-party software blocking notification

    The following blocking feature was previously scheduled for M68 and M69, but is now launching in Chrome 70.

    In Chrome 70, third-party code is now blocked by default for consumer users of Chrome. However, there is a different default behavior for enterprises. If you (the admin) do not block third-party code, third-party code will not be blocked for domain-enrolled enterprise users in Chrome 70.

    In Chrome 71, third-party code blocking will be enabled by default for everyone, including domain-enrolled users.

    To prepare for this change, if you still use software that injects code into browser processes, you can temporarily enable access using the new ThirdPartyBlockingEnabled policy.

    To test Chrome’s third-party software warning and blocking features on Windows, see these instructions, which will walk you through how to use the diagnostic tool at chrome://conflicts.

  • Deprecate trust in remaining legacy Symantec PKI infrastructure

    Following previous announcements, Chrome 70 marks the final stage of distrusting the Symantec legacy PKI certificates.

    Beginning with Chrome 70:

    • All certificates, regardless of issuance date, issued from the Symantec legacy PKI are distrusted in the Canary and Dev release channels.
    • Trust in the Symantec legacy PKI has begun phasing out for the Beta and Stable release channels.
    • Temporary periods of distrust, increasing in length, will identify any outstanding breakages caused by sites that have not replaced their TLS certificates. Complete and final distrust can occur regardless of Chrome release dates. You are strongly encouraged to replace affected certificates as soon as possible to avoid site breakage.

    What you need to do:

    • Determine if your site is affected and replace your TLS certificate with one unaffected by the change. To find out if your site is affected, see the instructions in our blog post on the deprecation.
    • Enterprises with a critical dependency on Symantec TLS certificates can configure temporary trust in the Symantec legacy PKI. This policy is a temporary measure and will expire January 01, 2019. For details, see the EnableSymantecLegacyInfrastructure policy.
  • Update to TLS 1.3

    We shipped draft 23 of TLS 1.3 in Chrome 65. In Chrome 70, we are now updating to the final revision. For details, see TLS 1.3 and Chromium.org. We will not be shipping anti-downgrade protections in Chrome 70 due to bugs in several middlebox vendor’s TLS implementations. Administrators of Cisco® Firepower® devices can update to Firepower version 6.2.3.4 to avoid incompatibilities with a future Chrome version. If needed, admins can use the SSLVersionMax policy to control TLS 1.3.

  • New UI support for WebAuthn

    Chrome 70 comes with a new UI for WebAuthn and FIDO authenticators. Developers no longer have to implement these user authentication flows themselves. In Chrome 70, when a user invokes WebAuthn, Chrome will guide the user through their FIDO-compatible authenticator, such as a security key.

  • Form autofill policy changes

    The AutoFillEnabled policy is deprecated. It’s being replaced with 2 more granular policies, which control autofilling address and credit card information into forms online. For Chrome devices running Chrome 70 and later, you need to update the AutofillAddressEnabled and AutofillCreditCardEnabled policies (details below).

    Autofill policies

    The AutofillAddressEnabled and AutofillCreditCardEnabled policies allow users to enter address and credit card information in web forms using previously stored information or information from their Google Account.

    If AutofillAddressEnabled is disabled, address information is not suggested or filled in. Additional address information that’s entered in web forms by the user will not be saved.

    If AutofillCreditCardEnabled is disabled, credit card information is not suggested or filled in. Additional credit card information that’s entered in web forms by the user will not be saved.

    If either the AutofillAddressEnabled or AutofillCreditCardEnabled setting is enabled or has no value, the user will be able to control autofill for addresses or credit card information, respectively.

Chrome OS updates

  • Native SMB file share support

    SMB file shares (Windows file shares) are now supported natively on Chrome OS. Remote paths can be mounted as a root in the Files app. Supported authentication methods include Kerberos, Microsoft® Active Directory®, and NTLM version 2. To initiate an SMB file share:

    1. Open a Chrome Browser window and at the top right, click More and thenSettings.
    2. Next to Network file shares, click Add File Share.
    3. Enter the required information and click Add.
    4. Open the Files app and browse the shared folder.
  • SMB file share in Chrome OS
  • Camera app updates

    The Camera app has a refreshed UI. Photos and videos taken with the Camera app are now stored in the Downloads folder in the Files app.

  • Enable key remapping for external keyboards

    Users can now remap the Search, Command, and Windows keys on external keyboards in the keyboard settings. If an Apple® keyboard is attached to a Chromebook, the external keyboard setting defaults to the Control key. Other external keyboards default to the Search or Launcher key.

  • Floating virtual keyboard

    For touch-enabled Chrome devices, you can use a floating keyboard to enter text with one finger. You can use this keyboard on a touchscreen, similar to how you use a smartphone keyboard.

  • Restriction policy for native CUPS printing

    Admins can restrict users to color or black-and-white printing with CUPS printing. Users will not be able to manually change the setting on the device. Details are coming in Manage local and network printers.

Admin console updates

  • Manage sign-ins in Chrome Browser and Chrome OS

    In the Google Admin console, you can restrict which domains users can use to access Google products, such as Gmail. The setting applies in Chrome Browser and on Chrome OS devices. For example, you might want to prevent employees from signing in to their personal Gmail accounts on a corporate-owned Chromebook. The setting combines the AllowedDomainsForApps and SecondaryGoogleAccountSigninAllowed policy.

  • Improved developer tools policy

    You can use the new DeveloperToolsAvailability policy to allow developer tools except for force-installed extensions. This behavior is the new default and is useful for organizations that want to allow the general use of developer tools, but prevent tampering with force-installed extensions. For details, see the DeveloperToolsAvailability policy.

  • Auto-updates over LTE policy control

    You can use the DeviceUpdateAllowedConnectionTypes policy to control which connection types a device can receive automatic updates over. There is now an option to enable automatic updates over all connection types, including LTE, as opposed to only WiFi and Ethernet. For details, see the DeviceUpdateAllowedConnectionTypes policy. This feature will be rolled out over the coming weeks in the Admin console under Device management and then Chrome management and then Device settings and then Device Update Settings and then Auto Update Settings.

  • Lock screen control

    After a defined idle time, you can now set a lock screen on users’ devices running Chrome OS. This setting is in the Google Admin console under Device management and then Chrome management and then User settings and then Security and then Idle Settings.

Deprecations

  • AutoFillEnabled policy deprecation

    The AutoFillEnabled policy is deprecated in Chrome 70. It’s being replaced with 2 more granular policies, which control autofilling address and credit card information into forms online. For Chrome devices running Chrome 70 and later, you need to update the AutofillAddressEnabled and AutofillCreditCardEnabled instead (see Form autofill policy changes above).

  • Gmail Offline app discontinued

    In December 2018, the Gmail Offline app will be removed from the Chrome Web Store. You can now get offline functionality in Gmail. For details, see Use Gmail offline.

  • CRX2 deprecation

    Starting with Chrome 70, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in the Chrome Web Store have been automatically converted.

    Starting with Chrome 75, this restriction will also apply to force-installed extensions. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.

    If your organization is force-installing privately hosted extensions packaged in CRX2 format and you do not repackage them, they will stop updating in Chrome 75. New installations of the extension will fail.

    Why is this change happening?

    CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is computationally feasible, so an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm without this risk.

Coming soon

Note: The items listed below are experimental or planned updates. They may be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

  • Change to using PAC scripts to configure proxy settings in Chrome Browser

    If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change, especially if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.

    The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of HTTPS URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution.

    In Chrome OS version 71, this policy will change the default value from FALSE to TRUE to improve security. If you already set this policy to TRUE, there will be no impact. If you set it to FALSE, there will be no immediate impact. If you have not set this policy and are relying on the default, you should test this change to see how your PAC scripts operate.

    Note: This policy will be removed in a future release when PAC stripping becomes the default for Chrome OS.

  • CRX2 deprecation

    For details on what’s happening with CRX2-packaged extensions in Chrome 75, see CRX2 deprecation (above).

Upcoming Chrome OS features

  • Android 9.0 Pie

    Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. Dates and affected devices have not yet been announced. We will include more information in future release notes when it comes available.

  • Always-on VPN for managed Google Play

    Admins can already install Android VPN apps on Chromebooks. However, users have to start the VPN app manually. Soon, admins can set a VPN app to start a connection when a device is turned on and direct all traffic through that connection. If the connection fails, all traffic is blocked until the VPN connection is reestablished.

Upcoming Admin console features

  • Native printer-management improvements

    Soon, you can add more than 20 printers for each organizational unit in the Google Admin console.

  • Managed guest session support for managed Google Play

    Soon, there will be a setting in the Google Admin console that allows Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome 69

We're accepting sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy Description
AllowedUILocales
Chrome OS only
Configures the allowed UI locales in a user session. This policy replaces the AllowedLocales policy.
OverrideSecurityRestrictionsOnInsecureOrigin Specifies a list of origins (URLs) for which security restrictions on insecure origins will not apply. This policy replaces UnsafelyTreatInsecureOriginAsSecure. The policy now applies to Chrome OS and Android.
PasswordProtectionChangePasswordURL Configures the change password URL.
PasswordProtectionLoginURLs Configures the list of enterprise sign-in URLs where the password protection service should capture password fingerprints for reuse detection.
PasswordProtectionWarningTrigger Configures the password protection warning trigger.
UsageTimeLimit
Chrome OS only
Configure the time limit for a user session or device usage per day.

Chrome Browser updates

  • Password Alert policy

    Password Alert has been a popular extension with enterprises for the past few years to protect Google Accounts. With the release of Chrome 69, we’re adding password alert as a policy for Chrome Browser to allow you to specify both Google and non-Google Accounts. If your users sign in to websites that aren’t whitelisted by your organization or are flagged as suspicious, they’ll get a warning that prompts them to reset their password. Preventing password reuse across multiple websites can protect your organization from compromised accounts.

  • Reduce Chrome crashes caused by third-party software

    Third parties can sometimes inject code that disrupts the stability of Chrome Browser. In Chrome 66, we introduced on-screen warnings that alerted users when a third-party injects code. In Chrome 69, third-party code is now blocked by default. If you still use software that injects code into browser processes, you can temporarily enable access using the new ThirdPartyBlockingEnabled policy.

    Here is the warning users will see on their computers when this policy is enabled:

    Disable third-party software blocking notification

    Please note that this blocking feature was previously scheduled for M68, but is now scheduled for M69.
  • On-premise reporting

    You can use a new reporting tool for Chrome Browser that provides insight into the browser, its resource consumption, and policy compliance. You can use Chrome Reporting Extension and a companion application on user machines to enable reporting. Use policies to specify what to monitor. Browser data is stored in a local file on disk in JSON format, which you can integrate with on-premise reporting and analytic tools, such as Spunk® or Sumo Logic®. For details, see Track Chrome Browser usage and events.

  • Browser interface changes

    Chrome Browser will have a new design across all operating systems. Highlights include Microsoft® Windows 10® notification-center integration, touchpad gesture navigation on Windows, and autofill updates.

  • Flash deprecation

    Last year, Adobe announced it will stop updating and distributing Adobe Flash™ at the end of 2020. Starting with Chrome 69, every time users restart Chrome Browser, they will have to grant permission for sites to use Flash. This update won’t impact your enterprise settings. You can continue to use the DefaultPluginsSetting, PluginsAllowedForUrls, and PluginsBlockedForUrls policies to configure Flash behavior. Only user-configured settings will be impacted. For details, see the Flash roadmap on Chromium.org. Flash will not be supported after December 2020.

  • Update to Legacy Browser Support extension

    The Legacy Browser Support extension for Chrome has been updated to version 5.4. You can now specify more precise rules in URL lists to make managing multiple sites hosted on the same domain simpler. The update also improves support for automatically generated Microsoft® Internet Explorer® site lists. If you deploy the native Legacy Browser Support companion MSI manually, make sure to get the newest extension version to avoid mismatches with the extension version.

  • Improvements to Chrome management with Intune

    Policies that are only available on Microsoft® Windows® instances that are joined to a Microsoft® Active Directory® domain can now be configured with Intune. These policies can even be managed on Windows instances not joined to a domain. Managing Chrome policies with Intune is supported on the Windows 10 Pro and Enterprise editions. For details, see Manage Chrome Browser with Microsoft Intune.

Chrome OS updates

  • Linux (Beta) for Chromebooks

    Important:

    Linux (Beta) for Chromebooks allows developers to use editors and command-line tools by adding support for Linux on a Chrome device. After developers complete the set up, they’ll see a terminal in the Chrome launcher. Developers can use the terminal to install apps or packages, and the apps will be securely sandboxed inside a virtual machine.

    To try this out on an unmanaged device:

    • This feature is currently only supported on unenrolled Chrome devices and not available for managed Chrome devices.
    • This feature is only available on the latest Chrome devices. See Chromium.org for a list of Chrome device boards that support VMs.
    1. Go to Settings and then Linux (Beta).
    2. Click Turn on.
      Note: If you don’t see Linux (Beta) in your Chrome OS settings, either you’re using a managed Chromebook, or you haven’t yet updated to Chrome OS 69 or later.
    3. Click Install in the window that appears to Set up Linux (Beta) on your Chromebook.

Linux can take several minutes to install. Once installation is complete, a terminal window will appear.

  • Voice dictation from anywhere

    Voice-to-type functionality has been available on Chromebooks for some time through the on-screen accessibility keyboard or the virtual keyboard’s microphone icon. However, many of our users have asked to make dictation a standalone feature that's separate from the accessibility keyboard. Chrome 69 now offers dictation as a separate accessibility feature. With dictation enabled, a small button will appear at the bottom of the desktop. Also, when input focus is in a text-edit area, users can click a button to start dictating or press Search+D and use their voice to input text.

  • Global text-to-speech settings

    In Chrome 69, we’re launching a new global text-to-speech settings page that’s available in your accessibility settings. Users can set a system-wide synthesized voice, language, pitch, and rate. We’re also working on making this setting smoother for any users who have non-default voice settings in the ChromeVox screen reader options page or the Select-to-speak options page.

  • Files app improvements

    Native support for Drive in the Files app is targeted for Chrome 69. We’re also working on making managed Google Play on Chrome OS files available as read/write with the Files app. And, we’ll be making updates to improve the organization of local versus cloud file storage.

  • Night Light support on Chromebooks

    To reduce eye strain and improve sleep, users can manage the color of their device displays throughout the day using Night Light. Users can use a preset sunrise and sunset schedule and suggested tint. Or, they customize their daily schedule and color temperature from a spectrum of colors.

  • Visual updates for enterprise device enrollment

    The device-enrollment flow will be updated to match the visual styling of the rest of the Chrome OS out-of-box experience (OOBE). Functionality will not be affected. If you automate the out-of-box experience using USB devices, you should update your automation steps as appropriate.

Admin console updates

  • Support for enterprise mobility management (EMM) coexistence for Android

    Previously, domains that had a third-party enterprise mobility management (EMM) provider bound to their domain could not manage Android apps on Chromebooks from the Google Admin console. Also, some users saw an empty Google Play store if their company was using an EMM to install Android apps outside of Google Play. With this change, administrators will be able to assign separate sets of Android apps for their Chrome and Android users from their respective consoles. The steps to manage apps remain the same. For details, see Use Android apps on Chrome devices.

  • Android app installation improvements

    The most commonly used Android apps on a Chromebook will see performance improvements now that force-installed apps on Chromebooks can be kept as cached local copies. This improvement reduces the time it takes to install apps and network-traffic usage.

Deprecations

  • SigninAllowed policy deprecation

    The SigninAllowed policy has been deprecated since Chrome 40. It will be removed from Chrome completely in Chrome 71. If you’re still using this policy, you need to transition to supported alternatives. For example, you can use the SyncDisabled policy to control the availability of the Chrome Sync feature.

  • CRX2 deprecation

    Starting with Chrome 70, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in the Chrome Web Store have been automatically converted, but privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. Starting with Chrome 75, this restriction will also apply to force-installed extensions.

Upcoming Chrome Browser features (targeted for M70 and later)

  • Redirect protection

    We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

    Framebusting requires same-origin or a user gesture

Upcoming Chrome OS features (targeted for M70 and later)

  • Enable key remapping for external keyboards

    This feature will allow users to remap the Search, Command, and Windows keys on external keyboards through keyboard settings. If an Apple® keyboard is attached to a Chromebook, the external keyboard setting defaults to the Control key. Other external keyboards default to the Search or Launcher key.

Upcoming Admin console features

  • Native printer-management improvements

    Soon, you can add more than 20 printers for each organizational unit in the Google Admin console.

  • Manage sign-ins within Chrome Browser and on Chrome OS

    A new setting coming to the Google Admin console will allow you to restrict which domains users can use to access Google products like Gmail or G Suite. This applies for users that are browsing in the Chrome browser and on a Chrome OS device. A common way this setting could be used is to prevent students from signing in to their personal Gmail accounts on a school-owned Chromebook.

    Note: This Admin console setting combines these policies:

  • Public-session support for managed Google Play on Chrome OS

    Soon, there will be a setting in the Google Admin console that allows Android apps to run in public sessions. Currently, Android apps can only run in a signed-in session.

Chrome 68

Starting with Chrome 67, release notes are listed in a new format. They're no longer exclusive to Chrome Browser, but also includes a changelog of Chrome OS releases and Admin console features coming soon.

We're also now taking sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy Description
ArcBackupRestoreServiceEnabled
Chrome OS only
Controls Android backup and restore service
ArcGoogleLocationServicesEnabled
Chrome OS only
Controls Android Google location services
ChromeCleanupEnabled
Windows only
Enables Chrome Browser Cleanup on Windows
ChromeCleanupReportingEnabled
Windows only
Controls how Chrome Browser Cleanup reports data to Google
DeveloperToolsAvailability Controls where Developer Tools can be used
IsolateOriginsAndroid
Android only
Enables Site Isolation on Chrome Browser for specified origins on Android devices
SafeBrowsingWhitelistDomains For configuring the list of domains which will not trigger Safe Browsing warnings
SitePerProcessAndroid
Android only
Enables Site Isolation for every site
WebUsbAskForUrls Allows WebUSB on these sites
WebUsbBlockedForUrls Blocks WebUSB on these sites

Chrome Browser updates

  • Unencrypted sites to show “not secure” indicator

    For the past several years, we’ve advocated that sites adopt HTTPS encryption for greater security. Within the last year, we’ve also helped users by marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

    Chrome offers a policy to control this warning on your domain.

    "not secure" warning

  • Chrome Canary on Mac policy list update

    Chrome Canary on Mac reads the same policy file (com.google.chrome.plist) as the Dev, Beta, and Stable channels of Chrome. We’re deprecating the separate policy file com.google.chrome.canary.plist.

  • Block a locally installed, hardcoded CA for Mitel VoIP products

    In M68, we plan to blacklist a hardcoded Certificate Authority (CA) and shared private key that’s installed with certain Mitel® VoIP products. The products contain both the public and private key for the Mitel IP Communications Platform (ICP) CA, which can be installed and trusted for a wide range of certificate purposes, including website SSL and TLS certificates. We’ve observed evidence of this CA being used to maliciously issue Man-in-the-Middle (MITM) certificates, including www.google.com. While this CA is not publicly trusted as a part of the web PKI, it warrants protecting Chrome users by blocking trust in it. For more details, see Mitel's security advisory.

  • Certificate transparency

    M68 requires that all new publicly trusted certificates issued after April 30, 2018 have several Certificate Transparency logs. This update does not affect existing certificates or certificates from locally trusted CAs, such as Enterprise CAs or those used with antivirus or security products. For more information, see Certificate Transparency.

Chrome OS updates

  • PIN sign-in support

    Users can now sign in to their device using a numeric PIN. Previously, users could only use a PIN to unlock their device after first signing in with a password. Policy to control this feature in the Admin console will arrive in a future release. When the policy is added, it will allow an admin to enable or disable their end users from setting a PIN for the Chrome device. Once enabled, the user has to set the PIN themselves. The PIN only works on that device and it won’t sync to other devices.

  • Video capture service

    Video capture from internal and external cameras in Chrome (including on Chrome OS and Chromebox for meetings devices) has traditionally been run as part of the main Chrome Browser process. With the rollout of the video capture service, this functionality is now a separate process to enable isolation in services. There are no user-facing changes in functionality.

  • 802.11v and 802.11r Fast BSS Transition support added

    These changes allow Chrome OS customers to more quickly connect to a network. Specifically, the 802.11r Fast BSS Transition enables a faster handoff for devices roaming in areas with many access points (APs). For enterprise users with 802.11r-enabled APs, the time-to-associate with APs while mobile is improved. 802.11v enables clients to be topology aware. This can allow clients to transition to APs, which increase throughput and QoS.

  • Accessibility improvements

    Chrome OS M68 comes with a number of accessibility improvements.To enable the ChromeVox screen reader:

    1. Press and hold the 2 side volume buttons for 5 seconds. After a few seconds of holding these 2 buttons, an audio tone will play.
    2. Continue holding. The screen reader will start speaking. 

    Additionally, we’re launching new shortcuts to toggle accessibility features:

    • Select Ctrl + Search + M to enable/disable the full screen magnifier.
    • And select Ctrl + Search + D to enable/disable the new docked magnifier. 

    We’re adding new functionality to our Select to Speak feature, which allows users to select certain parts of the screen to be spoken aloud through a synthesized voice. With M63, we launched this feature by pressing the Search key, then clicking an item or dragging a box around content to have that content read aloud.

    With M67, we introduced the ability to highlight specific text, then press Search + D to have only that text spoken aloud.

    With M68, it’s now possible to use the Select to Speak feature with a touch screen, mouse, or stylus (in addition to or instead of the keyboard and touchpad). This adds a button in the status area that a user can click or touch, then select an area to be spoken aloud.

  • Introduction of display size and refresh rates to display settings

    As of M68, we are rolling out a new display-zoom setting for primary display and adding resolution, along with refresh rates for external displays.

    • While disconnected from external display, users will be able to manipulate the size of objects on the screen.
    • When connected to external display, we are adding an option to set resolution, which determines sharpness of text and images.

    The goal of these changes is to give users more control over UI scale and look.

Admin console updates

  • Automatic re-enrollment (Forced re-enrollment enhancement)

    A new feature allows a managed Chrome OS device that is wiped or recovered to automatically re-enroll after it connects to a network. With the previous Forced re-enrollment feature, a user had to enter their username and password to complete the re-enrollment step. But this new feature allows an admin to remove that requirement and automatically complete re-enrollment. This feature will be rolled out incrementally starting in July, 2018 and will become the default for new customers, as well as for existing customers who have not changed the default Forced re-enrollment setting.

    Admins can still require users to enter their credentials to re-enroll wiped or recovered devices and make use of enrollment permissions to prevent specific users from re-enrolling through that process.

  • Device off-hours feature

    Admins can set up schedules to customize when sign-in restrictions and guest-mode policies are needed. For instance, schools can allow guardians and family members to sign in to Chrome devices with their personal accounts after school hours on managed devices.

  • Native printer-management improvements

    A new policy to block users from manually adding printers is targeted for this release. With this policy, users will be limited to using printers assigned by their admin.

Upcoming Chrome Browser features (targeted for M69 and later)

  • CRX2 deprecation (M69)

    Starting in M69, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in Chrome Web Store have been automatically converted, but privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. Starting in M75, this restriction will also apply to force-installed extensions.

  • Reduce Chrome crashes caused by third-party software (M69)

    In M66, Chrome began showing a warning to users after a crash that displays third-party software that is injecting code into Chrome, guiding them to update or remove that software. In M69, Chrome will begin blocking third-party software from injecting code into Chrome processes.

    Please note that this blocking feature was previously scheduled for M68, but is now scheduled for M69.

    You can enable or disable third-party software blocking with the ThirdPartyBlockingEnabled policy. The policy will be deprecated in approximately one year (Chrome 77).

    Disable third-party software blocking notification

  • Redirect protection

    We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

    Framebusting requires same-origin or a user gesture

Upcoming Chrome OS features (targeted for M68 and later)

  • Voice dictation from anywhere (M69)

    Voice to type has been available on Chromebooks for some time through the on-screen accessibility keyboard or the virtual keyboard’s microphone icon. However, a number of users have requested the ability to use dictation as a standalone feature, separate from needing to pull up the accessibility keyboard. Soon, we will launch dictation as a separate accessibility feature. With this enabled, a small button will appear in the status area. When focus is in an edit field, users can either click the button to start dictating or press the keyboard command Search + D, then use their voice to input text. 

  • Enable key remapping for external keyboards (M69)

    The new feature allows users to remap Search/Command/Windows keys on external keyboards through keyboard settings. If an Apple® keyboard is attached to Chromebook, the external keyboard setting defaults to Control. Other external keyboards default to Search/Launcher. 

  • Files app improvements (M69)

    Native support for Drive in Files app is currently targeted for M69. The team is also working toward making ARC++ files available as read/write with the Files app and will be updating the UI to improve the organization of local vs. cloud file storage.

  • Policy to show PIN pad on sign-in and lock screen for TouchView devices

    The Policy to show PIN feature will allow admins to show the PIN pad on the sign-in screen. This is intended to make sign-in easier on tablets in domains where the administrator has made all user passwords only digits.

  • Visual updates for enterprise device enrollment flow

    The device enrollment flow will be updated to match the visual styling of the rest of the Chrome OS out-of-box experience (OOBE). These are only style changes and will not affect functionality. Customers who automate OOBE using USB devices should update their automation steps as appropriate.

  • Night Light support on Chromebooks

    To reduce eye strain and improve sleep, Night Light on Chromebooks lets users manage the color of their device displays throughout the day. Users can use a preset sunrise/sunset schedule and suggested tint. Or, they customize their daily schedule and color temperature from a spectrum of colors.

Upcoming Admin console features

  • Native printer-management improvements

    A change is coming to the Admin console to remove the 20-printer limit for each organizational unit.

  • Sign-in Within the Browser policy

    Admins can restrict users who sign in to Chrome OS from adding additional Google Accounts in the browser.

  • Public session support for managed Google Play on Chrome OS

    A setting is coming to the Admin console that will allow you to run Android apps in public sessions. Currently, Android apps can only run in a signed-in session.

Chrome 67

Starting with Chrome 67, release notes are listed in a new format. They're no longer exclusive to Chrome Browser, but also include Chrome OS releases and Admin console features coming soon.

We're also now taking sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy Description
ArcAppInstallEventLoggingEnabled Logs events for Android app installs (Chrome OS)
AutoplayWhitelist Allows media autoplay on a whitelist of URL patterns
CertificateTransparencyEnforcementDisabledForCas Disables Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes
CertificateTransparencyEnforcementDisabledForLegacyCas Disables Certificate Transparency enforcement for a list of Legacy Certificate Authorities
DefaultWebUsbGuardSetting Controls use of the WebUSB API
DeviceRollbackAllowedMilestones Specifies the number of milestone rollbacks allowed (Chrome OS)
DeviceRollbackToTargetVersion Specifies a rollback to a target version (Chrome OS)
MediaRouterCastAllowAllIPs Allows Google Cast to connect to Cast-ready devices on all IP addresses
RelaunchNotificationPeriod Sets the period for update relaunch notifications
SafeBrowsingExtendedReportingEnabled Enables extended reporting for Safe Browsing (added in M66)
TabUnderAllowed Allows sites to simultaneously navigate and open notifications

Chrome Browser updates

  • SAML SSO interstitial

    Doesn’t impact users who sign in to G Suite services directly, those who use G Suite or Cloud Identity as their identity provider, or devices running Chrome OS.

    If your users use SAML to sign in to G Suite services, they’ll need to complete an extra step to confirm their identity when using the Chrome Browser. After signing in on a SAML provider’s website, they’ll be brought to a new screen on accounts.google.com to confirm their identity. This screen provides an extra layer of security and helps prevent users from unknowingly signing in to a malicious account.

    To minimize disruption, this screen will only be shown once per account per device. We’re working on ways to make the feature smarter in the future, meaning users in your organization should see the screen less and less over time.

    If you don’t want your users to confirm their identity on this interstitial page, you can set the X-GoogApps-AllowedDomains header and identify specific domains where the extra confirmation isn’t needed. We assume that if the user is signing in with an account that is in this list of domains, then the account is trusted by the user. You can set the header using the AllowedDomainsForApps group policy.

    For more details, see the G Suite Updates blog.

  • Site Isolation

    You can turn on site isolation to create an additional security boundary between websites. When you enable site isolation, content for each open website in Chrome Browser is always rendered in a dedicated process, isolated from other sites. Adding site isolation creates an additional security boundary between websites.

    Chrome continues to roll out Site Isolation to a larger percentage of the stable population in M67. For details, see Manage Site Isolation.

Chrome OS updates

  • Desktop Progressive Web Apps (PWAs)

    Desktop PWAs are now supported on devices running Chrome OS starting with M67. Work is underway to include support for Microsoft® Windows® and Apple® Mac®. For more information, see our developer site.

  • Detachable-base swap detection

    Detachable-base swap detection helps prevent hackers from accessing sensitive data. When a keyboard base that has not been used before is attached to a detachable tablet, such as an HP Chromebook X2, the user gets notified. The detection helps prevent hackers from replacing the base with a different one that looks the same but has been modified.

  • Block symlink traversal

    This feature improves verified boot security by preventing symlink traversal attacks, even after restart. This is a defensive measure to prevent attacks against Chromebooks from persisting through restart.

    This feature has no observable changes for most users. Developers and power users who use developer mode might run into issues, but these can be resolved by disabling this restriction. Learn more about restricting symlink traversal.

Admin console updates

  • EAP-TLS device-level support

    Admins can now configure EAP-TLS network support at a device level. These network settings apply to users across the device, including users in a public session and kiosk mode. Learn more about adding a network configuration.

  • Managed Google Play on Chrome OS policy update

    With this release, the Android user policies Backup & Restore and Google Location Services are disabled by default for the Chrome Enterprise and Chrome Education services. Admins can only turn off these features or let the users configure them. Admins cannot force these on for their users. The policies allow users to easily restore their data and help improve location accuracy on their Android apps.

  • Admins can block apps from installation
    Currently not available for the Chrome Education service

    As an administrator, you can specify a blacklist of Android apps for users who have enabled All Access mode for Android on their organization’s domain. If a blacklisted app has already been downloaded onto a user’s device, it will be uninstalled.

  • Android app installation reporting

    In a new section in the Google Admin console, you and other admins can troubleshoot Android app installations on devices running Chrome OS. You can now see the status of force-install (and uninstall) operations and filter the reports by organizational unit, user, or status. You can also see which devices the status applies to.

  • Android app bulk purchasing on Education service

    As an administrator of the Chrome Education service, you can now bulk purchase one-time payment and perpetual-access apps from the managed Google Play store and provision them by user and organizational unit in the Admin console. In the Admin console, you can force-install, allow install, and pin apps to the taskbar. You can use a credit card and Google Play gift cards. In-app and subscription purchasing is not currently supported.

Upcoming Chrome Browser features (targeted for M68 and later)

  • Unencrypted sites to show “not secure” indicator (M68)

    For the past several years, we’ve advocated that sites adopt HTTPS encryption for greater security. Within the last year, we’ve also helped users by marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

    Chrome will offer a policy to control this warning on a per-domain basis.

    "not secure" warning

  • Canary release channel on Mac update (M68)

    This change unifies the policy list for all Chrome OS release channels on Mac devices to include the Canary channel, which is consistent with how other platforms operate.

  • Reduce Chrome crashes caused by third-party software (M68)

    In M66, Chrome began showing a warning to users after a crash that will display third-party software that is injecting code into Chrome, guiding them to update or remove that software. In M68, Chrome 68 will begin blocking third-party software from injecting code into Chrome processes.

    You can enable or disable third-party software blocking with the ThirdPartyBlockingEnabled policy.

    Disable third-party software blocking notification

  • Block a locally-installed hardcoded CA for Mitel VoIP products (M68)

    In M68, we intend to blacklist a hardcoded Certificate Authority (CA) and shared private key that’s installed with certain Mitel® VoIP products. The products contain both the public and private key for the Mitel IP Communications Platform (ICP) CA, which can be installed and trusted for a wide range of certificate purposes, including website SSL and TLS certificates. We’ve observed evidence of this CA being used to maliciously issue Man-in-the-Middle (MITM) certificates, including www.google.com. While this CA is not publicly-trusted as a part of the web PKI, it warrants protecting Chrome users by blocking trust in it. For more details, see Mitel's security advisory.

  • Certificate transparency (M68)

    M68 will require that all new publicly-trusted certificates issued after April 30, 2018 have several Certificate Transparency logs. This update does not affect existing certificates or certificates from locally-trusted CAs, such as Enterprise CAs or those used with antivirus or security products. For more information, see Certificate Transparency.

  • Redirect protection

    We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

    Framebusting requires same-origin or a user gesture

Upcoming Chrome OS features (targeted for M68 and later)

  • PIN sign-in support (M68)

    Users will now be able to sign in to their device using a numeric PIN. Previously, users could only use a PIN to unlock their device after first signing in with a password.

  • Video capture service (M68)

    Video capture from internal and external camera devices in Chrome (including on Chrome OS and Chromebox for meetings devices) has traditionally been run as part of the main Chrome Browser process. With the rollout of the video capture service, this functionality is now a separate process to help enable better isolation. There are no user-facing changes in functionality.

Upcoming Admin console features

  • Automatic re-enrollment (Forced re-enrollment enhancement) (M68)

    A new feature allows a Chrome OS device that is wiped or recovered to automatically re-enroll once it connects to a network. In the past, a user had to sign in to complete the re-enrollment step. But with the new feature, user credentials are no longer required to complete re-enrollment.

    Admins can still require users to sign in to re-enroll wiped or recovered devices.

  • Native printer management improvements

    There will be 2 new improvements for native printer management:

    • A new policy for user and device settings to remove the 20-printer limit per organizational unit.
    • A new policy to block users from manually adding printers is targeted for M68.
  • Sign-in Within the Browser policy

    Admins can restrict users who are signed in to the Chrome Browser from adding additional Google Accounts in the browser.

  • Device off-hours feature

    Admins can set up schedules to customize when sign-in restrictions and guest-mode policies are needed. For instance, schools can allow guardians and family members to sign in to Chrome OS devices with their personal accounts after school hours on managed devices.

  • Public session support for managed Google Play on Chrome OS

    You will soon be able to run Android apps in public sessions. Currently, Android apps can only run in a signed-in session.

Chrome 66

Security updates

  • Continuation of distrust of Symantec Certificates 

    Following our announcement to gradually phase out trust in Symantec's PKI, Chrome continues to remove trust in Symantec-issued certificates issued before June 1, 2016.

    The Google Security Blog published a guide for impacted site operators. The EnableSymantecLegacyInfrastructure enterprise policy allows administrators to temporarily remove Chrome's distrust of the Symantec PKI. The policy expires after Chrome 73 (targeted for release January 2019), giving enterprise admins 3 releases after Chrome's full distrust to migrate off of Symantec certificates.

    For details, see Migrate from Symantec certificates.

  • Site Isolation Trial

    Chrome 66 includes a trial of Site Isolation for a small percentage of users, to prepare for a broader upcoming launch. Site Isolation improves Chrome's security and helps mitigate the risks posed by the Spectre security vulnerability.

    If you observe any issues with functionality or performance in the trial, it can be disabled by policy.  To diagnose whether an issue is caused by Site Isolation, test by going to chrome://flags#site-isolation-trial-opt-out and follow these instructions to opt out. If any of your users experience issues, you can disable the trial for your whole organization by setting the SitePerProcess policy to false, instead of leaving it unspecified.

    If you experience any issues during the Site Isolation trial, please report them here.

Enterprise features

  • Chrome relaunch policy: RelaunchNotificationPeriod (M67)

    This feature allows admins to set the time period over which Chrome relaunch notifications are shown to apply a pending update. Over the period based on the setting of the RelaunchNotification policy, the user is repeatedly notified of the need for an update. If RelaunchNotificationPeriod isn't set, the default period of one week applies.

  • Click to open PDF 

    For downloading embedded PDF content with an embed or iframe when Chrome's default PDF viewer is disabled (via settings or Enterprise policy) or not present (as on mobile), an Open button appears on the PDF placeholder.

  • Force sign-in policy: Support for Mac

    The