For administrators who manage Chrome browser or ChromeOS devices for a business or school.
Chrome 111 release summary
The enterprise release notes are available in 9 languages. You can read about Chrome's updates in English, German, French, Dutch, Spanish, Portuguese, Korean, Indonesian, and Japanese. Please allow 1 to 2 weeks for translation for some languages.
Chrome browser updates
- Reminder of change in launch schedule
Starting in Chrome 110, Chrome started rolling out to the Stable channel one week earlier than previously planned to a very small subset of users. For example, the Chrome 111 Stable release moves from March 7 to March 1, 2023.
You can also expect to see a much smaller rollout at a significantly reduced percentage of our user population for the first week of the published Stable release date. The wider rollout to most users happens at a similar timeframe to the earlier communicated dates. This slower initial rollout leads to better stability and makes it easier for enterprises to stay on the latest and safest version of Chrome.
For more details, read about managing Chrome updates and check out the Chrome release schedule.
- Privacy Sandbox updates in Chrome 111
Chrome 111 updates the user experience of the new ad privacy features related to the Privacy Sandbox project. As part of this, Chrome now shows users a confirmation dialog that introduces the new features to users, and directs them to the appropriate settings pages to allow them to set their preferences.
IT admins can disable Chrome's Privacy Sandbox settings via the PrivacySandboxAdTopicsEnabled, PrivacySandboxSiteEnabledAdsEnabled, and PrivacySandboxAdMeasurementEnabled enterprise policies, and suppress the user-facing prompt via the PrivacySandboxPromptEnabled policy.
For more information, see the developer documentation about Privacy Sandbox technologies in Chrome.
- PPB_VideoDecoder(Dev) API removed
The PPB_VideoDecoder(Dev) API was introduced for Adobe Flash. Since Flash is no longer supported in Chrome, we are removing this API in Chrome 111. If you need any extra time to migrate legacy applications, you can use the ForceEnablePepperVideoDecoderDevAPI enterprise policy. This policy will only be supported through Chrome 114. If you need to use the policy after that, file a bug on crbug.com before May 5, 2023, explaining your use case.
- New Chrome sync dialog in Chrome for Desktop
Some users now see a visually updated dialog to turn on Chrome Sync in Chrome 111. Relevant enterprise policies such as BrowserSignin, SyncDisabled, RestrictSigninToPattern and SyncTypesListDisabled continue to work as before to configure Chrome sync.
- Payment Handler API requires CSP connect-src
If your organization uses the Web Payment API (Payment Handler and Payment Request) and also uses Content-Security-Policy (CSP) for better protection, then you need to add the domains of HTTP requests sent from the Web Payment API to the connect-src directive of the CSP. This is enforced in Chrome 111. For more information, see this developer blog post.
- Out-of-process System DNS Resolution
Starting gradually in Chrome 111, as part of the Linux and Android network service sandboxes, system DNS resolution moves out of the network service and into the unsandboxed browser process, as system DNS resolution cannot run while sandboxed on these platforms. The Enterprise policy OutOfProcessSystemDnsResolutionEnabled is available to control this feature. Setting this policy to false causes system DNS resolution to run in the network process rather than the browser process. This might force the network service sandbox to be disabled, degrading the security of Google Chrome.
- Azure AD single sign-on (SSO)
Chrome 111 now supports automatic sign-on into Microsoft identity providers using account information from Microsoft Windows. This feature is disabled by default and can be enabled using the CloudAPAuthEnabled policy.
- Chrome updater on Windows and Mac serves the most recent 12 versions
The Chrome updater now supports serving versions of Chrome that reached 100% rollout, within the latest 12 releases on the Beta, Stable, and Extended Stable channels. If you're using the TargetVersionPrefix enterprise policy, ensure you are within 12 versions of the latest release. If you don't manually manage Chrome updates, no action is required.
- Policy name changes
We’ve renamed the policies related to Window Placement, to better align with the underlying API and permissions, which have recently been renamed to Window Management. Starting in Chrome 111, DefaultWindowManagementSetting, WindowManagementAllowedForUrls, WindowManagementBlockedForUrls, WindowManagementSettings policies now supercede the DefaultWindowPlacementSetting, WindowPlacementAllowedForUrls, and WindowPlacementBlockedForUrls policies. The WindowPlacement variants will be removed in a future version. The WindowPlacementSettings atomic group has been renamed to WindowManagementSettings.
- Chrome Browser Cloud Management subscription
As early as March 2023, the Chrome Browser Cloud Management (CBCM) subscription will be automatically added to all Admin console accounts who are using CBCM without the subscription. CBCM customers are now required to have the Chrome Browser Cloud Management subscription to use the service. This change adds no new cost to your existing account and there are no actions required.
- New and updated policies in Chrome browser
Policy Description DomainReliabilityAllowed Allow reporting of domain reliability related data. MixedContentAutoupgradeEnabled Enable mixed content auto upgrading on HTTPS sites. DefaultWindowManagementSetting Default Window Management permission setting. WindowManagementAllowedForUrls Allow Window Management permission on these sites. WindowManagementBlockedForUrls Block Window Management permission on these sites. OutOfProcessSystemDnsResolutionEnabled Enable system DNS resolution outside of the network service. ForceEnablePepperVideoDecoderDevAPI Enable support for the PPB_VideoDecoder(Dev) API. CloudAPAuthEnabled Allow automatic sign-in to Microsoft® cloud identity providers. PrivacySandboxPromptEnabled Choose whether the Privacy Sandbox prompt can be shown to your users. PrivacySandboxAdMeasurementEnabled Choose whether the Privacy Sandbox ad measurement setting can be disabled. PrivacySandboxAdTopicsEnabled Choose whether the Privacy Sandbox Ad topics setting can be disabled. PrivacySandboxSiteEnabledAdsEnabled Choose whether the Privacy Sandbox Site-suggested ads setting can be disabled. GetDisplayMediaSetSelectAllScreensAllowedForUrls (now on Linux) Enables auto-select for multi screen captures.
ChromeOS updates
- Fast Pair
Fast Pair now makes Bluetooth pairing easier on ChromeOS devices and Android phones. When you turn on your Fast Pair-enabled accessory, it automatically detects and pairs with your ChromeOS device or Android phone in a single tap. Fast Pair also associates your Bluetooth accessory with your Google account, making it incredibly simple to move between devices without missing a beat.
- Keyboard shortcuts link in Text app
The ChromeOS Text app has a series of built-in keyboard shortcuts. ChromeOS 111 adds a link to the Help Center article from the Text app settings, to provide instructions on how to use these keyboard shortcuts.
- Print job origin identification for managed devices
To improve support for specific advanced printing workflows in managed environments, mostly encountered in the Healthcare space, print jobs need to contain information about the device that they originated from. ChromeOS 111 introduces the client-info IPP attribute to populate an admin-specified value, which identifies a device used for downstream printing workflow or reporting activities.
Additionally, all print jobs now indicate ChromeOS together with the running release version.
This new attribute in print jobs is only available for jobs originating from managed devices and controlled by a new admin policy.
Admin console updates
- Configure print server policies with Google groups
Admins can now use new or existing Google groups to configure print servers for users in your organization. That means when you need to configure a print server for a specific set of users–who may or may not belong to different Organizational Units (OUs)–you can now use the flexibility of groups without needing to reconfigure your OUs. Note that configuration of print server policies for user groups works exactly the same as it does for printers.
- New policies in the Admin console
Policy Name Pages Supported on Category/Field LensDesktopNTPSearchEnabled User & Browser Settings; Managed Guest Session Chrome
ChromeOSStartup > New Tab Google Lens button SendMouseEventsDisabled
FormControlsEnabledUser & Browser Settings; Managed Guest Session Chrome
ChromeOS
AndroidLegacy site compatibility > Disabled element MouseEvents UserBorealisAllowed User & Browser Settings; Managed Guest Session ChromeOS User experience > Allow Borealis on ChromeOS OffsetParentNewSpecBehaviorEnabled User & Browser Settings; Managed Guest Session Chrome
ChromeOS
AndroidLegacy site compatibility > Enable Legacy HTMLElement Offset behavior AccessControlAllowMethods
InCORSPreflightSpecConformantUser & Browser Settings; Managed Guest Session Chrome
ChromeOS
AndroidNetwork > CORS Access Control Allow Methods Conformance
Coming soon
Note: The items listed below are experimental or planned updates. They might change, be delayed, or canceled before launching to the Stable channel.
Upcoming browser changes
- LegacySameSiteCookieBehaviorEnabledForDomainList policy extended
In Chrome 79, we introduced the LegacySameSiteCookieBehaviorEnabledForDomainList policy to revert the SameSite behavior of cookies (possibly on specific domains) to legacy behavior. LegacySameSiteCookieBehaviorEnabledForDomainList policy will continue to be supported up until Chrome 121.
- Unused site permissions module in Safety Check
In Chrome 112, Safety Check will be expanded to include auto-revocation of unused site permissions on Chrome. Chrome will reset permissions from sites that have low recent engagement. Chrome informs the user about auto-revocation of permissions and offers options to opt out or re-grant. Permissions granted by enterprise policies are not affected. This launch follows the first extension of Safety Check that introduced proactive notification of permission reminders.
- Default to origin-keyed agent clustering in Chrome 112
In Chrome 112, websites will be unable to setdocument.domain
. Websites will need to use alternative approaches such aspostMessage()
or Channel Messaging API to communicate cross-origin. If a website relies on same-origin policy relaxation viadocument.domain
to function correctly, it will need to send anOrigin-Agent-Cluster: ?0
header along with all documents that require that behavior. You can read more in the blog post.
Note:document.domain
has no effect if only one document sets it.
The OriginAgentClusterDefaultEnabled enterprise policy will allow you to extend the current behavior.
- New Chrome Sync data types available in Takeout in Chrome 112
There will be more Chrome data available to export in Takeout and Domain Wide Takeout (DWT). The following data types are available: AUTOFILL, PRIORITY_PREFERENCE, WEB_APP, DEVICE_INFO, TYPED_URL, ARC_PACKAGE, OS_PREFERENCE, OS_PRIORITY_PREFERENCE, PRINTER.
You can control which data types are synced to Chrome Sync using the SyncTypesListDisabled enterprise policy.
- Chrome for Testing
In Chrome 112, Puppeteer, Chrome's browser automation library, will start using the Chrome for Testing binary instead of a Chromium binary. In case you have the Chromium binary allowlisted, you might consider allowlisting the Chrome for Testing binary too.
Chrome for Testing is a dedicated Chrome flavor for the automated testing use case. It’s not an end-user facing product, but rather a tool to be used by automation engineers through other projects such as Puppeteer. Chrome for Testing is a completely separate binary from regular Chrome.
- Chrome apps no longer supported on Windows, Mac, and Linux
As previously announced, we are phasing out support for Chrome apps in favor of Progressive Web Apps (PWAs) and web-standard technologies. The deprecation schedule was adjusted to provide enterprises who used Chrome apps additional time to transition to other technologies, and Chrome apps will now stop functioning in Chrome 112 or later on Windows, Mac, and Linux. If you need additional time to adjust, a policy ChromeAppsEnabled will be available to extend the lifetime of Chrome Apps an additional 2 milestones.
Starting in Chrome 105, if you're force-installing any Chrome apps, users are shown a message stating that the app is no longer supported. The installed Chrome Apps are still launchable.
Starting with Chrome 112, Chrome Apps on Windows, Mac and Linux will no longer work. To fix this, remove the extension ID from the force-install extension list, and if necessary, add the corresponding install_url to the web app force install list. For common Google apps, the install_urls are listed below:
Property Extension ID (Chrome App) install_url (PWA / Web App) Gmail pjkljhegncpnkpknbcohdijeoejaedia https://mail.google.com/mail/
installwebapp?usp=adminDocs aohghmighlieiainnegkcijnfilokake https://docs.google.com/document/
installwebapp?usp=adminDrive apdfllckaahabafndbhieahigkjlhalf https://drive.google.com/drive/
installwebapp?usp=adminSheets felcaaldnbdncclmgdcncolpebgiejap https://docs.google.com/spreadsheets/
installwebapp?usp=adminSlides aapocclcgogkmnckokdopfmhonfmgoek https://docs.google.com/presentation/
installwebapp?usp=adminYoutube blpcfgokakmgnkcojhhkbfbldkacnbeo https://www.youtube.com/s/
notifications/manifest/cr_install.html
- Auto upgrade mixed content to HTTPS on iOS in Chrome 112
Chrome on iOS will start automatically upgrading passive mixed content (HTTP image, audio and video on HTTPS pages) to HTTPS when possible. The current behavior on iOS is to block passive mixed content. All other Chrome platforms already optimistically upgrade passive mixed content. An Enterprise policy MixedContentAutoupgradeEnabled is available to disable mixed content auto upgrading on HTTPS sites on iOS. The policy will be removed in 116.
- Launching FastCheckout for Checkout experiences
In Chrome 112, some users will see an updated Autofill UI targeting checkout pages on shopping websites. It can be disabled by either disabling policy AutofillAddressEnabled or AutofillCreditCardEnabled.
- Collect additional data for off-store extensions in telemetry reports
When Enhanced Safe Browsing is enabled, Chrome 112 will start collecting additional telemetry on off-store extensions, such as file hashes and the manifest.json file. The data collected are analyzed on Google servers to detect malicious off-store extensions and improve protection for all Chrome extension users. This functionality along with the entire extension telemetry feature can be turned off by setting SafeBrowsingProtectionLevel to any value other than 2; this disables Enhanced Safe Browsing. Enterprise admins can use the SafeBrowsingProtectionLevel policy if they have any concerns about exposing this data.
- Updated onboarding experience
In Chrome 112, some users may see a simplified onboarding experience with a more intuitive way to sign into Chrome. Enterprise policies like BrowserSignin, SyncDisabled, EnableSyncConsent, RestrictSigninToPattern and SyncTypesListDisabled will continue to be available as before to control whether the user can sign into Chrome and turn on sync. The PromotionalTabsEnabled policy can be used to skip the onboarding altogether.
- Deprecation Trial for Unpartitioned 3rd party Storage, Service Workers, and Communication APIs
Beginning gradually in Chrome 113, storage, service workers, and communication APIs will be partitioned in third-party contexts. In addition to being isolated by the same-origin policy, the affected APIs used in third-party contexts would also be separated by the site of the top-level context. Sites that haven’t had time to implement support for third-party storage partitioning can take part in a deprecation trial to temporarily unpartition (continue isolation by same-origin policy but remove isolation by top-level site) and restore prior behavior of storage, service workers, and communication APIs in content embedded on their site.
The following APIs will remain unpartitioned in third-party contexts should you enroll the top-level site in the DisableThirdPartyStoragePartitioning deprecation trial: Storage APIs (such as localStorage, sessionStorage, IndexedDB, Quota, and so on), Communication APIs (such as BroadcastChannel, SharedWorkers, and WebLocks), and ServiceWorker API.
Chrome 112 will also add the ThirdPartyStoragePartitioningEnabled enterprise policy, which will allow for unpartitioning all APIs in third-party contexts, to be supported for at least 12 milestones.
- Changes to phishing protection on Android as early as Chrome 113
When a user authenticates to Android with their Google password, for example during account setup, Chrome will be notified so the password can begin receiving phishing protection when surfing the Web with Chrome. In previous versions of Chrome on Android, users needed to explicitly provide their password within a Chrome tab, for example, sign in to Gmail, to receive phishing protection for their Google password.
You can disable warnings regarding password reuse by setting PasswordProtectionWarningTrigger to 0.
- Network Service on Windows will be sandboxed
As early as Chrome 113, to improve security and reliability, the network service, already running in its own process, will be sandboxed on Windows. As part of this, third-party code that is currently able to tamper with the network service may be prevented from doing so. This might cause interoperability issues with software that injects code into Chrome's process space, such as Data Loss Prevention software. The NetworkServiceSandboxEnabled policy allows you to disable the sandbox if incompatibilities are discovered. You can test the sandbox in your environment using these instructions and report any issues you encounter.
- Enable access to WebUSB API from extension service workers in Chrome 113
As early as Chrome 113, we will enable access to WebUSB API from extension service workers as a migration path for Manifest V2 extensions that currently access the API from a background page.
WebUSB policies can also be applied to extension origins to control this behavior. See DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls, and WebUsbAllowDevicesForUrls for more details.
- Extensions must be updated to leverage Manifest V3
Chrome extensions are transitioning to a new manifest version, Manifest V3. This will bring improved privacy for your users—for example, by moving to a model where extensions modify requests declaratively, without the ability to see individual requests. This also improves extension security, as remotely hosted code will be disallowed on Manifest V3.
As mentioned earlier in our blog post, More details on the transition to Manifest V3, the Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed.
During the timeline review, existing Manifest V2 extensions can still be updated, and still run in Chrome. However, all new extensions submitted to the Chrome Web Store must implement Manifest V3.
Starting with Chrome 110, an Enterprise policy ExtensionManifestV2Availability will be available to control whether Manifest v2 extensions are allowed. The policy can be used to test Manifest V3 in your organization ahead of the migration. After the migration the policy will allow you to extend the usage of Manifest V2 extensions until at least January 2024.
You can see which Manifest version is being used by all Chrome extensions running on your fleet using the Apps & extensions usage page in Chrome Browser Cloud Management.
For more details, refer to the Manifest V2 support timeline.
- First-Party Sets user controls
First-Party Sets is an upcoming framework for developers to declare relationships between domains, such that the browser can make decisions regarding access based on the third party’s relationship to the first party. A set may enjoy first party benefits, including continued access to their cookies when the top-level domain is in the same set.
First-Party Sets are part of Chrome's roadmap for a more privacy-focused web.
Chrome 113 will introduce user controls for these First-Party Sets. Two enterprise policies will be made available to manage First-Party sets: one to disable First-Party Sets and one to provide your own sets.
- Removal ChromeRootStoreEnabled policy
In Chrome 105, we announced the launch of the Chrome Root Store on Windows and Mac. A new policy, called ChromeRootStoreEnabled, was introduced to allow selective disabling of the Chrome Root Store in favor of the platform root store. This policy will be removed from Windows and Mac on Chrome 113. Support for trusted leaf certificates and the Windows Trusted People store was added for Chrome 111. If you previously disabled the Chrome Root Store to work around either of these issues, please test again with Chrome 111. We are working on launching the Chrome Root Store for Android, Linux, and ChromeOS. As the Chrome Root Store launches on more platforms, we will continue to provide the policy on those platforms for six months after launch.
- Full History sync
Starting with Chrome 112, Typed URLs will stop syncing for Enterprise users. Open Tabs will continue syncing as usual, unless disabled by existing SyncDisabled and SyncTypesListDisabled policies.
- Removal of permissive Chrome Apps webview behaviors
In Chrome 113, Chrome Apps webview usage will have the following restrictions:
- SSL errors within webview will show an error page that does not provide the user the option to unsafely proceed.
- The use of the webview NewWindow event to attach to a webview element in another App window will cause the window reference returned by the window.open call in the originating webview to be invalidated.
In Chrome 112, you’ll be able to test out this new behavior by navigating tochrome://flags
and enabling thechrome://flags/#enable-webview-tag-mparch-behavior
.
A temporary enterprise policy ChromeAppsWebViewPermissiveBehaviorAllowed will be available to give enterprises time to address possible breakage related to these changes.
Upcoming ChromeOS changes
- Cursive pre-installed for Enterprise and Education accounts
As early as ChromeOS 112, Cursive, a stylus-first notes app, will be available for Chromebooks. In an upcoming release, it will be pre-installed for all Enterprise and Education accounts on stylus-enabled Chromebooks. If you want to block access to the app, you can prevent Chromebooks in your enterprise from accessing cursive.apps.chrome.
- Screencast supports multi-language transcription in recordings
As early as ChromeOS 112, we plan to dramatically expand Screencast recording capabilities by including a wide range of languages by integrating with Google's S3 transcription API.
The Screencast app for ChromeOS lets users record transcribed screencasts on their Chromebook. In previous versions, this feature was available in EN-US only, which meant that only English speaking users in the US could record screencasts. Soon, it will be possible to record and transcribe screencasts in a wide range of languages including Spanish, Japanese, French, Italian, and German.
- Passpoint: Seamless, secure connection to Wi-Fi networks
Starting as early as ChromeOS 114, Passpoint will streamline Wi-Fi access and eliminate the need for users to find and authenticate a network each time they visit. Once a user accesses the Wi-Fi network offered at a location, the Passpoint-enabled client device will automatically connect upon subsequent visits.
Upcoming Admin console changes
Previous release notes
Chrome version & targeted Stable channel release date |
|
---|---|
Chrome 110: Feb 01, 2023 | |
Chrome 109: Jan 10, 2023 | |
Chrome 108: Nov 29, 2022 | |
Chrome 107: Oct 25, 2022 | |
Previous release notes → |
Additional resources
- For emails about future releases, sign up here.
- To try out new features before they're released, sign up for the trusted tester program.
- Connect with other Chrome Enterprise IT admins through the Chrome Enterprise Customer Forum.
- How Chrome releases work—Chrome Release Cycle
- Chrome Browser downloads and Chrome Enterprise product overviews—Chrome Browser for enterprise
- Chrome version status and timelines—Chrome Platform Status | Google Update Server Viewer
- Announcements: Chrome Releases Blog | Chromium Blog
- Developers: Learn about changes to the web platform
Still need help?
- Google Workspace, Cloud Identity customers (authorized access only)—Contact support
- Chrome Browser Enterprise Support—Sign up to contact a specialist
- Chrome Administrators Forum
- Chrome Enterprise and Education Help Center