Chrome Enterprise release notes


For administrators who manage Chrome Browser or Chrome devices for a business or school.

In the following notes, the stable release or milestone number (M##) refers to the version of the scheduled feature launch. For example, M75 indicates a feature scheduled to launch with the stable version of Chrome 75. See below for a changelog and version history of Chrome.

These release notes were last updated on July 30, 2019.

Chrome version & targeted Stable channel release date

PDF
Chrome 76: July 30, 2019 PDF
Chrome 75: June 4, 2019 PDF
Chrome 74: April 23, 2019 PDF
Chrome 73: March 12, 2019 PDF
Chrome 72: January 29, 2019 PDF
Chrome 71: December 4, 2018 PDF
Chrome 70: October 16, 2018 PDF
Chrome 69: September 4, 2018 PDF
Chrome 68: July 24, 2018 PDF
Chrome 67: May 29, 2018 PDF
Chrome 66: April 17, 2018 PDF
Chrome 65: March 6, 2018 PDF
Chrome 64: January 23, 2018 PDF
Chrome 63: December 5, 2017 PDF
Chrome 62: October 17, 2017 PDF
Chrome 61: September 5, 2017 PDF
Chrome 60: July 25, 2017 PDF
Chrome 59: May 30, 2017 PDF
Chrome 58: April 18, 2017 PDF
Chrome 57: March 7, 2017 PDF

Current Chrome version release notes

Open all   |   Close all Chrome 76

Chrome Browser updates

  • Flash blocked by default in Chrome 76

    As communicated in the Chromium Flash Roadmap, Adobe® Flash® will be blocked by default in Chrome 76. Administrators can manually switch back to ASK ("Dialog to Ask first before running Flash") before running Flash. This change won’t impact existing policy settings for Flash. IT admins can still control Flash behavior using DefaultPluginsSetting, PluginsAllowedForUrls, and PluginsBlockedForUrls. For more details, see the Flash Roadmap.

  • All privately hosted extensions must be packaged with CRX3 format in Chrome 76.

    This change was originally planned for Chrome 75, but we delayed it to Chrome 76 to allow more time for customer transition. It was originally announced in the Chrome 68 release notes.

    CRX2 uses SHA1 to secure updates to a Chrome extension. Breaking SHA1 is technically possible, which allows attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

    Starting with Chrome 76, all force-installed extensions will need to be packaged in the CRX3 format. For details on temporarily enabling CRX2, see ExtensionAllowInsecureUpdates. This policy is only meant to provide extra time to repackage extensions, and will stop working in Chrome 78. For the CRX2 deprecation timeline, see Chromium.

    Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions or third-party extensions hosted outside of the Chrome Web Store that are packaged in CRX2 format, the extensions will stop updating in Chrome 76 and new installations of the extension will fail. 

  • A new page for documenting enterprise policies is available

    Chrome's policies are now listed on a new Chrome Enterprise policy list. This documentation allows you to filter by platform and Chrome version to see which policies are available for your fleet.

    Chrome Enterprise policy list
     

  • A new layout engine is being used

    LayoutNG is a new layout engine with several improvements such as:

    • Improved performance isolation
    • Better support for scripts other than Latin
    • Many issues around floats and margins fixed
    • Numerous web-compatibility issues fixed

    Although the impact to the user should be minimal, LayoutNG changes some behavior in very subtle ways, fixes hundreds of tests, and improves compatibility with other browsers. Despite our best efforts, it is likely that this will cause some sites and applications to render or behave slightly differently.

    If you suspect that WNG caused a website to break, please file a bug report, and we'll investigate.

  • Site isolation enforced in Chrome 76

    In Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out if users encountered an issue. We’ve resolved the reported issues. Starting with Chrome 76, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms (including Chrome OS). On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

  • --disable-infobars is no longer supported

    Chrome will no longer support the --disable-infobars flag, which was used to hide pop-up warnings from Chrome Browser. To support automated testing, kiosks, and automation, the CommandLineFlagSecurityWarningsEnabled policy was added to allow you to disable some security warnings.

  • Policies with a dictionary value type can be merged 

    In Chrome 76, you can merge policies that take a dictionary of values set from multiple sources, including the cloud and by platform and Active Directory. Without this policy, if different sources conflict, only the dictionary from the highest priority source will have an effect. For details, see PolicyDictionaryMultipleSourceMergeList.

  • Legacy Browser Support has been improved
    A new page at chrome://browser-switch/internals makes it easier to debug and troubleshoot Legacy Browser Support. We also fixed a bug where LBS wouldn't switch during the first minute of a browser session (when using XML site lists).

  • New version of the On-Prem Chrome Reporting Extension
    Version 2.0 of the Chrome Reporting Extension will soon ship in the Chrome Web Store. Download the corresponding native component MSI.

    If you have user browsing data reporting turned on, you will start seeing a new piece of data for each visited site: "legacy_technologies." It’s an array of strings that will initially contain one value, "Flash." This means this site requires Adobe Flash and might soon stop working correctly (see paragraph above). Future releases will list other obsolete web technologies such as Java Applets, Silverlight, and more.

    The output file has changed from a single file called chrome_reporting_log.json to a daily rotated file with file name in the format chrome_reporting_log_YYYY_MM_DD.json. This will make it simpler to manage the disk usage of the application and clear obsolete data.

  • “https” scheme and “www” subdomain will be hidden

    To make URLs easier to read and understand, and to remove distractions from the registrable domain, we will hide URL components that are irrelevant to most Chrome users. We will hide the “https” scheme and the special-case subdomain “www” in Chrome omnibox on Chrome desktop and Chrome-on-Android. After the site loads, the full URL can still be revealed by clicking twice in the URL bar (desktop) or tapping once (mobile).

    The Chrome team has also worked to build a Chrome extension to help power users recognize suspicious sites and report them to Safe Browsing. Power users can use this extension to display the full URL with no scheme or subdomain hiding, and report suspicious sites to Safe Browsing.

Chrome OS updates

  • Enhancements to automatic clicks accessibility feature

    Chromebooks have had a feature called Automatic clicks in accessibility settings for years, which has given users with motor and dexterity challenges the ability to hover over an item and have Chrome OS click it (without pressing the touchpad or mouse). In Chrome OS version 76, we have expanded this feature to not only be able to click, but also right-click, double-click, and click and drag by simply hovering. 

  • Built-in FIDO security key is now supported

    In this release, all latest-generation Chromebooks (produced since 2018) will gain support for built-in FIDO security keys backed by the Titan M chip. This feature is disabled by default, but an admin can enable the built-in security key by changing the Chrome OS policy called DeviceSecondFactorAuthentication to U2F.

  • Account consistency between the Chrome content area and the ARC++ container

    We are rolling out a single sign-on experience for Chrome and Android applications on Chrome OS over several weeks, beginning August 21, 2019, to simplify user management of Google Accounts on Chrome OS. We added a new section to Settings: "Google Accounts."

    From here, a user can manage all signed-in Google Accounts. This includes reauthenticating or removing some secondary accounts and adding others. Attempts to add secondary accounts from Chrome or ARC++ will be redirected to this unified flow. Users that previously had a secondary account signed in to Chrome or ARC++ will need to reauthenticate following the update, which will add their account to Account Manager.

Admin console updates

  • Updates to the Chrome device list and device details
    • Search and filter devices and organizational units directly from the device list.
    • Customize your preferred view with auto-update expiration date, Chrome OS version, and device model.
    • Long-running tasks such as screenshot, log capture, and reboot will now complete in the background, so you don’t need to wait for them

New and updated policies (Chrome Browser and Chrome OS)

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Policy Description
BrowserSwitcherExternalGreylistUrl
Browser only
Chrome 77+
URL of an XML file that contains URLs that should never trigger a browser switch
CommandLineFlagSecurityWarningsEnabled
Browser only
Enable security warnings for command-line flags
PolicyDictionaryMultipleSourceMergeList  Allows the selected policies to be merged when they come from different sources, with the same scopes and level

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • Flags will be cleaned up from chrome://flags, starting in Chrome 77

    Many flags in chrome://flags will be removed in upcoming Chrome versions, starting with Chrome 77. You shouldn’t use flags to configure Chrome Browser because they’re not supported. Instead, configure Chrome Browser for your enterprise or organization using policies.

  • Atomic policy groups will be introduced in Chrome 77

    To ensure predictable behavior from policies that are tightly coupled together, some policies will be regrouped based on atomic policy groups. These groups ensure that all applied policies from a single group come from the same source—the one with the highest priority—to prevent unpredictable behavior when mixing policies from multiple sources. The order of precedence for Chrome Policies is documented here

    This may be a breaking change if you set GPOs from multiple sources (e.g. the Admin Console and via Windows Group Policy). You can check if any GPOs are in conflict by visiting chrome://policy in Chrome browser. If you have multiple policies in the same policy group from different sources, update your policies to ensure that all policies in a given policy group come from the same source.

  • The First Run Experience will be updated in Chrome 77

    Chrome 77 will no longer show the single page welcome. It will instead have a new flow to welcome users, get them set up with popular Google services, and set a default web browser. The same policy that was used to disable the previous First Run Experience can be used to disable the new flow: PromotionalTabsEnabled

  • It will be possible to make guest browsing the default in Chrome 77

    You will be able to set Chrome to launch immediately into guest mode by using a --guest command line flag or a new policy called BrowserGuestModeEnforced. In this mode, your users won't see or change any other Chrome profile. When they exit guest browsing, their browsing activity is deleted from the computer.

  • Merge policies with dictionary of values in Chrome 76

    In Chrome 76, you can merge policies that take a dictionary of values set from multiple sources, including the cloud and by platform and Microsoft® Active Directory®. Without this policy, if different sources conflict, only one dictionary will have an effect. For details, see PolicyDictionaryMultipleSourceMergeList.

  • Experiment for DNS-over-HTTPS (DoH) in Chrome 78

    Starting in Chrome 78, the DNS requests of some users will autoupgrade to DNS-over-HTTPS if they are using a DNS provider that supports it. This is part of ongoing work to bring secure DNS options to Chrome. Individual users can opt out by disabling this experiment at chrome://flags. Admins can opt out their enterprise from this experiment by policy. Instructions will be provided in a future Chromium blog post and release notes.

  • Pop-ups and synchronous XHR requests will not be allowed in Chrome 78

    Starting in Chrome 78, pop-ups and synchronous XHR requests will not be allowed on page unload to improve page load time and make code paths simpler and more reliable. Admins will be able to revert to the old behavior using enterprise policies, which will be available until Chrome 82.

  • Ambient authentication will be disabled by default in Incognito sessions in Chrome 79
    Starting in Chrome 79, ambient authentication (NTLM/Kerberos) will be disabled by default in Incognito sessions. Admins will be able to revert to the old behavior, allowing ambient authentication using an enterprise policy.

  • Cookies with SameSite by default, and Secure SameSite=None cookies in Chrome 80
    Starting in Chrome 80, cookies that do not specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None. They must also be marked Secure and delivered over HTTPS. Policies will be made available for enterprises that need to configure Chrome to temporarily revert to legacy SameSite behavior.

  • Drive integration in the address bar

    Soon, users will be able to search for Google Drive files that they have access to from the address bar. If you have G Suite Business, Enterprise, or Enterprise for Education, you can apply for the beta program.

    Drive search in address bar

 

  • Extension User Data Policy Updated
    As part of Project Strobe, Google is updating its User Data Policy, and these changes go into effect starting October 15, 2019. For more information, see the blog post.

    • We’re requiring extensions to only request access to the least amount of data. While this has previously been encouraged for developers, now we’re making this a requirement for all extensions.
    • We’re requiring more extensions to post privacy policies, including extensions that handle personal communications and user-provided content. Our policies have previously required any extension that handles personal and sensitive user data to post a privacy policy and handle that data securely. Now, we’re expanding this category to include extensions that handle user-provided content and personal communications. Of course, extensions must continue to be transparent in how they handle user data, disclosing the collection, use and sharing of that data.

Upcoming Chrome OS changes

  • New certificate verification engine and fallback enterprise policy

    Chrome 76 will start rolling out a new certificate verifier. For a few versions, we will provide an enterprise policy that will allow deployments to fall back on the legacy certificate verifier in case of certificate verification regressions or incompatibilities. We will provide more information about this feature in the Chrome 76 release notes.

  • Adding print server support for CUPS

    We’re working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. You and your users will be able to configure connections to external print servers and print from the printers on these servers.

  • User account and file name in IPP Header in Chrome 77

    If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about a print job that enables third-party printing features, such as secure printing and print-usage tracking.

  • Linux apps USB devices

    From the Chrome Shell (crosh), you’ll be able to attach a USB device to Linux applications running on a Chromebook, so that Linux apps can access the Linux instance.

Upcoming Admin console changes

  • Remove 20-printer limit for CUPS print management (device settings)

    The 20-printer maximum cap will be raised to allow for thousands of printers for each organizational unit in the Google Admin console. If you’re interested in testing this new feature, sign up for our Trusted Tester program.

  • New default policies for printing (CUPS)

    There will be new controls for you to manage 2-sided and color printing.

  • Managed guest session support for managed Google Play

    A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

  • Device host name in DHCP requests
    You will be able to configure the device host name used during DHCP requests, including variable substitutions for ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, ${MACHINE_NAME}.

Previous release notes

Chrome 75

Chrome Browser updates

  • All privately-hosted extensions must be packaged with CRX3 format in Chrome 76. 

    This change was originally planned for Chrome 75 but it’s now scheduled for Chrome 76 to allow more time for customer transition. It was originally announced in the Chrome 68 release notes.

    CRX2 uses SHA1 to secure updates to a Chrome extension. Breaking SHA1 is technically possible, which allows attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

    Starting with Chrome 76, all force-installed extensions will need to be packaged in the CRX3 format. For details on temporarily enabling CRX2, see ExtensionAllowInsecureUpdates. For the CRX2 deprecation timeline, see Chromium.

    Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions or third-party extensions hosted outside of the Chrome Web Store that are packaged in CRX2 format, the extensions will stop updating in Chrome 76 and new installations of the extension will fail. 

  • Roll back to Chrome 72 or later on Windows

    Chrome 75 on Microsoft® Windows® will allow administrators to roll back to Chrome 72 or a later version.

    To make sure that users are protected by the latest security updates, we recommend that users are on the latest version of Chrome Browser. Running earlier versions of Chrome Browser exposes your users to known security issues. Before using this policy, see Roll back Chrome Browser to a previous version for important information about preserving user data.

  • Use policy to remove extensions (rather than just disable)

    Starting in Chrome 75, extensions can now be removed by modifying the installation_mode setting in the Extension Settings policy and setting the "removed" flag. For details, see Chromium

  • PacHttpsUrlStrippingEnabled policy removed

    As we announced in the Chrome 74 release notes, the PacHttpsUrlStrippingEnabled policy has now been removed. If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change, especially if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.

    PAC HTTPS URL stripping removes privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution, reducing the chance that sensitive information is unnecessarily exposed. For example, https://www.example.com/account?user=234 would be stripped to https://www.example.com/. This behavior will now be enforced in Chrome 75.

  • EnableSymantecLegacyInfrastructure policy removed

    As we announced in the Chrome 74 release notes, the EnableSymantecLegacyInfrastructure policy has now been removed. The policy was used as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. The workaround allowed time to migrate any internal certificates that are not used on the public internet.

    Certificates issued from the Legacy PKI Infrastructure should have been replaced with certificates issued by public or enterprise-trusted Certificate Authorities (CAs). 

  • SSLVersionMax policy removed

    As we announced in Chrome 74 release notes, the SSLVersionMax policy has now been removed. This policy was used as a short-term workaround while TLS 1.3 was rolled out to allow time for middleware vendors to update their TLS implementations.

  • Policy to control Signed HTTP Exchange

    You can use Signed HTTP Exchange to safely make content portable or available for redistribution by other parties, while keeping the content’s integrity and attribution. Portable content has many benefits, such as enabling faster content delivery, facilitating content sharing between users, and simpler offline experiences

    Starting in Chrome 75, you can enable or disable Signed HTTP Exchange using the SignedHTTPExchangeEnabled policy.

  • CompanyName and LegalCopyright fields updated

    Chrome 75 changes the CompanyName and LegalCopyright fields in the version resource of Windows binaries (for example chrome.exe and chrome.dll). "Google Inc." is now  "Google LLC" and "Copyright 2018 Google Inc. All rights reserved." is now "Copyright 2019 Google LLC. All rights reserved."

  • Control precedence between Chrome Browser Cloud Management and platform policies

    You can use CloudPolicyOverridesPlatformPolicy to control how policies from Chrome Browser Cloud Management interact with policies set at the platform level (for example, through the Group Policy Management Editor). This policy can be useful if you’re transitioning from managing browsers through Group Policy Object (GPO) to Chrome Browser Cloud Management.

    When set to false (default), the order of precedence is Machine platform > Machine cloud > User platform > User cloud.

    With the policy set to true, the order of precedence is Machine cloud > Machine platform > User platform > User cloud.

    The policy can only be set as a machine platform policy. For more details, see Chromium

  • Merge list policies from multiple sources

    You can now merge policies that take a list of values that are set from multiple sources, including the cloud and by platform and Microsoft® Active Directory®. Before, if multiple lists from different sources conflicted, only one list was applied. For details, see PolicyListMultipleSourceMergeList.

  • Chrome Remote Desktop on the web now available 

    You can now use Chrome Remote Desktop on the web. In turn, the Chrome Remote Desktop app will not be supported after June 30, 2019. New and existing users can switch to the new version on the web.

    To set it up:

    1. Go to Chrome Remote Desktop.
    2. In the upper-right corner, click Remote Access.
    3. Click Remote Support to get support from a trusted friend or family member, or to give support to someone else.

    You can control whether users can access other computers from Chrome using Chrome Remote Desktop. For details, see Control use of Chrome Remote Desktop.

  • Improved tab life cycle management

    Some users will start to see improved CPU and memory usage as Chrome 75 rolls out. The TabLifeCyclesEnabled policy reduces the CPU usage on browser tabs that haven’t been used for a long time. Set the policy to true or leave it unspecified to enable it. For details, see Chromium

  • Users can check Chrome Browser and OS management

    In Chrome 75 we’re enhancing the visibility features for both browser and OS with transparency view, a new view which shows users the extent to which their device and account are managed by their administrators in enterprise environments. The new transparency view focuses on reporting functionality (“Which data is visible to my administrator?”) as well as force-installed extensions (“Which data may be accessed by force-installed extensions?”).

Chrome OS updates

  • Linux on Chromebooks: 

    Support for VPN connections—Linux applications can now utilize VPN connections through an existing Android or Chrome OS VPN connection. All traffic from the Linux VM will automatically be routed through an existing (established) VPN connection.

    Support for Android devices over USB—Android devices connected over USB can now be accessed by Linux apps. Users must choose to share the USB device with Linux before they can access it.

  • Add support for PIN code with native printers

    PIN code printing will be available which will allow users to enter a pin code when sending the print job, and release the print job for printing when they enter the pin code into the printer keypad.  This gives users more control over when a print job is printed so documents aren’t lying unattended at the printer. And because a user has to actively request their print job be released, it also reduces waste. 

    PIN printing will be enabled if the user’s Chrome device is managed, and the printer supports IPPS communication and the IPP attribute for “job-password”.
    PIN printing

  • Add support for Document Providers in Files app

    To expand support for third-party file providers on Chrome OS, when users install the app of a third-party file provider that implements the DocumentsProvider API, a root for the third-party file provider will appear in the side navigation of the Chrome Files app. For more details, see Documents Provider

  • Extending protected content on secondary displays

    Digital rights management (DRM)-protected content can now be shown on an external display. 

  • BLE advertising in Chrome apps flag removed

    The #enable-ble-advertising-in-apps flag (about://flags) will be removed in Chrome 75. If you or any developers use BLE Advertising APIs, you should debug the functionality in a kiosk session, rather than in a regular user session.

Admin console updates

  • Force devices to automatically re-enroll after wiping (change to forced re-enrollment behavior)

    Starting in June 2019 (with an incremental rollout), you can automatically re-enroll devices if they’re wiped.  Previously, forced re-enrollment required a user to enter their username and password to complete re-enrollment A few weeks after the roll out is complete, automatic re-enrollment will be the default for new customers as well as existing customers who have not changed the default forced re-enrollment setting. To control the setting, see Force wiped Chrome devices to re-enroll.

New and updated policies (Chrome Browser and Chrome OS)

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Policy Description
AlternativeBrowserParameters
Chrome Browser only
Controls command-line parameters to launch to an alternative browser
AlternativeBrowserPath
Chrome Browser only
Controls which command to use to open URLs in an alternative browser
CloudPolicyOverridesPlatformPolicy
Chrome Browser only
Cloud policy that overrides Platform policy
PolicyListMultipleSourceMergeList Allows merging list policies from different sources
SignedHTTPExchangeEnabled Enables support for Signed HTTP Exchange (SXG)
SpellcheckLanguageBlacklist
Windows, Linux, Chrome OS only
Disables unrecognized spellcheck languages 

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • Flash blocked by default in Chrome 76

    As communicated in the Chromium Flash Roadmap, Adobe® Flash® will be blocked by default in Chrome 76. Users can manually switch back to ASK ("Ask first") before running Flash. This change won’t impact existing policy settings for Flash. You can still control Flash behavior using DefaultPluginsSetting, PluginsAllowedForUrls, and PluginsBlockedForUrls. For more details, see the Flash Roadmap.

  • Site isolation enforced in Chrome 76

    In Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out if users encountered an issue. We’ve resolved the reported issues and starting with Chrome 76, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms. On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

  • Drive integration in the address bar

    Soon, users will be able to search for Google Drive files that they have access to from the address bar. If you have G Suite Business, Enterprise, or Enterprise for Education, you can apply for the beta program.

    Drive search in address bar

  • Removing --disable-infobars in Chrome 76

    Chrome 76 will no longer support the --disable-infobars flag, which was used to hide pop-up warnings from Chrome Browser. To support automated testing, kiosks, and automation, the CommandLineFlagSecurityWarningsEnabled policy will be added to allow you to disable some security warnings.

  • Policy atomic groups introduced in Chrome 76 

    In order to ensure predictable behavior from policies that are tightly coupled with other policies, some policies will be regrouped in atomic policy groups. These groups will help ensure that all the applied policies from a single group come from the same source, which is the source with the highest priority. This change will help prevent unpredictable behavior when mixing multiple sources of policies.

  • Merge policies with dictionary of values in Chrome 76

    In Chrome 76, you can merge policies that take a dictionary of values set from multiple sources, including the cloud and by platform and Active Directory. Without this policy, if different sources conflict, only one dictionary will have an effect. For details, see PolicyDictionaryMultipleSourceMergeList.

  • Flag removal, starting with Chrome 76

    Many flags in chrome://flags will be removed in upcoming Chrome versions. You should not use flags to configure Chrome Browser because they are not supported. Instead, configure Chrome Browser for your enterprise or organization using policies.

  • Improvements to version rollback

    A future version of Chrome will improve the rollback experience on Windows by preserving some user data during the rollback process.

Upcoming Chrome OS changes

  • Print jobs to include user account and file name

    If the printer or print service support IPPS with IPP attributes for requesting-user-name and document-name, you will be able to have print jobs include the user account and file name to help with print tracking and follow-me printing. 

  • New certificate verification engine and fallback enterprise policy

    Chrome 76 will start rolling out a new certificate verifier. For a few versions, we will provide an enterprise policy that will allow deployments to fall back on the legacy certificate verifier in case of certificate verification regressions or incompatibilities. We will provide more information about this feature in the Chrome 76 release notes.

  • Adding print server support for CUPS

    We’re working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. You and your users will be able to configure connections to external print servers and print from the printers on these servers.

  • Notifications on lock screen

    You will be able to set up a requirement for users to authenticate and give permission to show notifications on lock screen. A full password will be required, even if other authentication methods, such as PIN or fingerprint, are available.

  • User account and file name in IPP Header

    If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about a print job that enables third-party printing features, such as secure printing and print-usage tracking.

  • Linux apps USB devices
    From the Chrome Shell (crosh), you’ll be able to attach a USB device to Linux apps running on a Chromebook, so that Linux applications can access the Linux instance.

Upcoming Admin console changes

  • Remove 20-printer limit for CUPS print management (device settings)

    The 20-printer maximum cap will be raised to allow for thousands of printers for each organizational unit in the Google Admin console. If you’re interested in testing this new feature, sign up for our Trusted Tester program.

  • New default policies for printing (CUPS)

    There will be new controls for you to manage 2-sided and color printing.

  • Managed guest session support for managed Google Play

    A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

  • Device host name in DHCP requests
    You will be able to configure the device host name used during DHCP requests, including variable substitutions for ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, ${MACHINE_NAME}.

Chrome 74

Chrome Browser updates

  • Chrome Browser Cloud Management

    Chrome Browser has introduced support for management through the Google Admin console with Chrome Browser Cloud Management. Admins can use the Admin console to manage Chrome Browser across Windows®, Mac®, and Linux®, without requiring users to sign in. Learn more about Chrome Browser Cloud Management.

    Chrome Browser Cloud Management

  • Dark mode for Windows in Chrome 74

    In Chrome 74, if the system theme is set to dark, Chrome on Windows will also use a dark theme on screen.

  • Pop-ups will not be allowed on page unload

    Chrome 74 no longer allows pop-ups during page unload (see the removal notice). If you have any enterprise apps that still require pop-ups on page unload, you can enable the AllowPopupsDuringPageUnload policy to allow pop-ups on page unload until Chrome 82.

  • Legacy Browser Support will no longer need an extension

    In Chrome 74, you can deploy Legacy Browser Support to automatically switch users between Chrome Browser and another browser. You can use policies to specify which URLs open in an alternative browser. For example, you can ensure that browser traffic to the public internet uses Chrome Browser, but visits to your organization’s intranet use Internet Explorer®. You can turn on LBS and set policies to manage LBS in the Chrome Group Policy Template. Learn more about Legacy Browser Support Beta for Windows.

Chrome OS updates

  • Annotations in PDF Viewer

    When viewing an Adobe PDF document in Chrome, you’ll be able to tap a button to annotate the PDF with pen and highlighter tools.

  • New search feature in Chrome 74

    We’re adding a search feature so users can access recent queries and suggested apps without having to enter anything. Every time a user moves their cursor to or clicks the search box, but does not start entering text, they will get search suggestions. Users will also be able to remove recent queries that they no longer want to see and use suggested text to complete their query.

  • External camera support for Google Camera app

    External USB cameras, such as webcams, USB microscopes, and document cameras, are now supported by the Google Camera app.

  • Support for files and new folders in the “My files” root

    Users can save files locally and create new folders under the “My files” root outside of the default Downloads folder.

  • ChromeVox developer log options

    As of version 74, we added a new section of ChromeVox developer options within the ChromeVox options page to give developers access to ChromeVox logs, which will help debugging. This allows developers to enable logs for speech, earcons, braille, and event streams.

  • Linux apps on Chrome OS (Crostini) now support audio output

    Starting with Chrome 74, Linux apps on Chrome OS (Crostini) can now play audio.

Admin console updates

  • Policy to enable native Active Directory integration

    You can now configure an existing domain to manage your Chrome devices with a Microsoft® Active Directory® server. If enabled, Chrome devices are domain joined to AD so you can see them in your domain controllers. You can also manage sessions and push policies to users and devices with GPO. You don’t need to synchronize usernames to Google servers. Users sign in to devices using their Active Directory credentials.

    To manage integrated devices, set the policy to enable Chrome Enterprise Active Directory integration in your Admin console. Visit Manage Chrome devices with Active Directory.

New and updated policies

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Policy Description
AllowPopupsDuringPageUnload Allows a page to show pop-ups during its unloading.
AuthNegotiateDelegateByKdcPolicy​
Chrome OS, Mac, and Linux only
Use key distribution center (KDC) policy to delegate credentials on machines using Active Directory Kerberos authentication. Controls whether approval by KDC policy is respected, to delegate Kerberos tickets.
BrowserSwitcherChromeParameters
Windows only
Command-line parameters for switching from the alternative browser.
BrowserSwitcherChromePath
Windows only
Path to Chrome for switching from the alternative browser.
BrowserSwitcherDelay​ Delay before launching alternative browser (milliseconds).
BrowserSwitcherEnabled​ Enable the Legacy Browser Support feature.
BrowserSwitcherExternalSitelistUrl​ URL of an XML file that contains URLs to load in an alternative browser.
BrowserSwitcherKeepLastChromeTab​ Keep last tab open in Chrome.
BrowserSwitcherUrlGreylist​ Websites that should never trigger a browser switch.
BrowserSwitcherUrlList​ Websites to open in alternative browser.
BrowserSwitcherUseIeSitelist
Windows only
Use Internet Explorer's SiteList policy for Legacy Browser Support.
RemoteAccessHostAllowFileTransfer
Browser only
Allow remote access users to transfer files to/from the host. Controls the ability of a user connected to a remote access host to transfer files between the client and the host. This doesn’t apply to remote assistance connections, which don’t support file transfer.
WebUsbAllowDevicesForUrls Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.

Google Cloud Next recap

Chrome Enterprise product managers and customer engineers presented a number of talks at the Google Cloud Next conference in San Francisco the week of April 8, 2019. You can watch on YouTube recordings of the 18 Mobility & Devices Sessions.

The talks below should be specifically of interest to Chrome Enterprise IT admins:

Browser-focused talks

Chrome OS-focused talks

New Chrome OS administrator credential

We're now offering a new Chrome OS administrator credential. The Chrome OS administrator exam is free and measures the ability to:

  • Create, delete, and administer users for a domain
  • Configure and manage organizational units
  • Manage Chrome devices in the Google Admin console
  • Configure and manage security and privacy settings

​For details, see Earn your Chrome OS administrator credential.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser changes

  • Drive search results in the address bar

    Users will see Google Drive results when entering a search in the address bar, including PDFs, Google Sheets, Docs, and Slides.

    Drive search in address bar

  • All extensions must be packaged with CRX3 format in Chrome 75

    CRX2 uses SHA1 to secure updates to the extension and breaking SHA1 is technically possible, allowing attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

    Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. And, new installations of the extension will fail. See ExtensionAllowInsecureUpdates.

  • PacHttpsUrlStrippingEnabled policy will be removed in Chrome 75 

    If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution, reducing the chance that sensitive information is unnecessarily exposed. For example, https://www.example.com/account?user=234 would be stripped to https://www.example.com/.  If you set this policy to True or leave it on the default value, then there will be no change. If you set this policy to False, you will no longer be able to do so in Chrome 74.  

  • EnableSymantecLegacyInfrastructure policy will be removed in Chrome 75

    EnableSymantecLegacyInfrastructure was used as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. This allows time for migrating any internal certificates not used on the public internet. This policy will be removed. Certificates issued from the Legacy PKI Infrastructure should have replacement certificates issued by public or enterprise-trusted CAs.

  • Policy rollback to a previous version in Chrome 75

    Chrome 75 on Windows will include a policy that allows administrators to roll back to a previous version of Chrome. Note that only the latest release of Chrome is officially supported, so if an admin rolls back to an older version of Chrome, they do so at their own risk. This policy is meant as an emergency mechanism and should be used with caution. A future version of Chrome on Windows will improve the rollback experience by preserving user states during the rollback process.

    Read before using this policy: To make sure that users are protected by the latest security updates, we recommend that they use the latest version of Chrome Browser. If you roll back to an earlier version, you will expose your users to known security issues. Sometimes you might need to temporarily roll back to an earlier version of Chrome Browser on Windows computers. For example, your users might have problems after a Chrome Browser version update.

    Before you temporarily roll back users to a previous version of Chrome Browser, we recommend that you turn on Chrome sync or Roaming User Profiles for all users in your organization. If you don’t, previous versions of Chrome Browser will not use data that was synced from later versions. Use this policy at your own risk.

    Note: You can only roll back to Chrome Browser version 72 or later. Please provide feedback on this feature.

  • SSLVersionMax policy will be removed in Chrome 75

    The SSLVersionMax policy, which can be used as a short-term workaround while TLS 1.3 is rolled out, will be removed in Chrome 75. This allows time for middleware vendors to update their TLS implementations.

  • Site isolation enforced on desktop in Chrome 75

    Before shipping site isolation in Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out of site isolation if users encountered an issue. We’ve resolved the reported issues and starting with Chrome 75, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms. On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

  • Blacklisted extensions can be removed (rather than just disabled) by policy in Chrome 75

    A new policy will be made available to specify that Chrome Browser shouldn’t just disable blacklisted extensions, but remove them completely.

  • Policy to control signed HTTP exchange in Chrome 75

    Signed HTTP exchange enables publishers to safely make their content portable, or available for redistribution by other parties, while keeping the content’s integrity and attribution. Portable content has many benefits, such as enabling faster content delivery, facilitating content sharing between users, and simpler offline experiences. In Chrome 75, the SignedHTTPExchangeEnabled policy will control whether signed HTTP exchange is enabled or not.

  • CompanyName and LegalCopyright fields will be updated in Chrome 75

    Chrome 75 will change the CompanyName and LegalCopyright fields in the version resource of Windows binaries (for example chrome.exe and chrome.dll) from "Google Inc." and "Copyright 2018 Google Inc. All rights reserved." to "Google LLC" and "Copyright 2019 Google LLC. All rights reserved."

  • Flash will be blocked by default in Chrome 76

    As communicated in the Chromium Flash Roadmap, Flash is to be blocked by default in Chrome 76 (Stable release beginning end of July 2019). Users can still switch it back to ASK by default. This change won’t impact enterprises that already configure policy settings for Flash (DefaultPluginsSetting, PluginsAllowedForUrls, PluginsBlockedForUrls). Enterprises will still be able to control this policy. 

Upcoming Chrome OS changes

  • New certificate verification engine and fallback enterprise policy

    Chrome 76 will start rolling out a new certificate verifier. For a few versions, we will provide an enterprise policy that will allow deployments to fall back on the legacy certificate verifier for the unlikely case of certificate verification regressions or incompatibilities. We will provide more information about this feature in the Chrome 76 release notes.

  • Adding print server support for CUPS

    We’re working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. Users and administrators will be able to configure connections to external print servers and print from the printers on these servers.

  • Notifications on lock screen 

    When looking for notifications, a message saying that notifications are hidden will show up. Next to it, a button will appear to enable notifications, which will require the user to authenticate and give permission to show notifications on lock screen. Full password will be required, even if other authentication methods, such as PIN or fingerprint, are available.

  • User account and file name in IPP Header

    If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about the print job that enables third-party printing features, such as secure printing and print usage tracking, if supported.

  • Linux apps USB devices

    From the Chrome Shell (crosh), you will be able to attach a USB device to Linux apps running on Chromebooks so that Linux applications can access the Linux instance.

  • BLE advertising in Chrome apps flag being removed
    The #enable-ble-advertising-in-apps flag (about://flags) will be removed in Chrome 75. This feature is designed to work with Chrome apps operating within kiosk sessions. Any developers leveraging BLE Advertising APIs should debug functionality in kiosk session, rather than use a regular user session.

Upcoming Admin console changes

  • Remove 20-printer limit for CUPS print management

    The 20-printer maximum cap will be raised to allow for thousands of printers for each organizational unit in the Admin console. If you’re interested in testing this out, join our trusted tester program.

  • New default policies for printing (CUPS)

    Soon, there will be new controls for administrators to manage printing capabilities for their users for 2-sided and color printing. Admins will be able to set defaults or restrict these print options.

  • Managed guest session support for managed Google Play

    A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome 73

Chrome Browser updates

  • Managed by your organization menu item

    Starting in Chrome 73, when one or more policies are set in Chrome Browser, some users will see a new item on the More More menu that indicates that Chrome is being managed. If a user clicks Managed by your organization, they are directed to details about Chrome Browser management.

    Managed by your organization

  • Changes to the Chrome sign-in flow

    In Chrome 73, we're rolling out the following changes to Chrome Browser settings:

    • When a user turns Chrome sync on, they now get additional features, including an enhanced spellchecker and extended reporting for safe browsing.

    • Sync and Google services—A new section that lists all of the settings related to data collected by Google in Chrome Browser. Many of these settings were previously in the Privacy section.

    • Make searches and browsing better—A new setting in the Sync and Google services section that allows users to control whether features in Chrome Browser can collect anonymous URLs.

      Sync and Google services setting

  • Chrome Browser binaries signed with new digital certificate

    Chrome Browser binaries and installer are now signed with a digital certificate issued to Google LLC (rather than Google Inc). There are no changes to the Certificate Authority (CA).

  • Password Manager enterprise policy for Android now aligned to desktop

    The PasswordManagerEnabled policy controls whether the password manager offers to save passwords. On Android, this policy prevented users from viewing passwords that were already saved. Starting with Chrome 73, Chrome Browser on Android will behave like other platforms and allow the user to view their saved passwords.

  • Progressive Web App support on Mac

    In Chrome 73, Progressive Web Apps (PWAs) can now be installed on Apple® Mac®. For details, see Desktop Progressive Web Apps.

  • Dark mode for Mac

    In Chrome 73, if the system theme is set to dark, Chrome Browser on Mac computers will also use a dark theme. Support for Microsoft® Windows® is planned for a future release. 

  • Accessibility improvements

    A number of improvements have been made to accessibility in Chrome Browser, including greater contrast and compatibility with screen readers. Some of the improvements include:

    • Improved contrast in pop-up boxes, the search box, and tabs (especially when a tab is not active).
    • More pop-up boxes correctly report titles to screen-reader software.
    • Tabs are now keyboard-accessible.
    • Fixes to the way pressing the F6 or Tab key moves through the order of the Chrome Browser toolbar, and other controls, including access to some new UI elements.
    • Screen reader now announces additional information, such as the page zoom level when it’s changed and the number of Find results.
    • Misleading screen-reader prompts are fixed to reflect current functionality. For example, the correct key combination is now reported when you want to zoom in on a page.
    • If a user draws around an element in the UI, there are now improvements in the contrast and appearance of focus rings.
  • New policy to force networking code to run in the browser process

    The network code we use for Chrome Browser is being moved to a separate process. It’s an internal architectural change that wasn't expected to interact with other products. However, we're aware of one report of the move breaking a third-party product that used to inject code into Chrome Browser's process. If this move is causing any issues in your environment, you can temporarily use the ForceNetworkInProcess policy to force networking to run in the browser process. This is a temporary policy that will be removed in the future; there is currently no specific timeline, but we plan to provide 4 milestones notice before removal.

  • Notice for web developers: Flexbox rendering

    Chrome Browser now follows the recommendation from the World Wide Web Consortium for the box model that’s optimized for a UI. Flex items now get the correct minimum size. If you’re a web developer, we recommend that you set the CSS on your webpages with flex items to min-height: auto. For details on the change, see Chromium and the Consortium specification.

  • Notice for developers: Changes to cross-origin requests in extension content scripts

    Chrome 73 includes changes to the behavior of cross-origin requests from content scripts. These changes help site Isolation protect Chrome users even if a renderer is compromised, but these changes may break extensions that have not yet adapted to the new security model. For instructions on how to verify if a Chrome extension you’re using is affected or to request adding an extension to a temporary allowlist, see Chromium.org.

Chrome OS updates

  • Managed guest sessions to replace public sessions

    In Chrome 73, public sessions are being replaced with managed guest sessions, which provide additional capabilities. Depending on the configuration of the organizational unit that has managed guest session devices, an existing public session device might have the capabilities automatically activated. If so, all certificates, policies, and extensions of the organization will be applied to the managed guest session of this device in the future and no manual changes are required. Learn more about how to manage guest session devices.

  • eSpeak for Chrome OS

    You can set up text-to-speech in dozens of languages on devices running Chrome OS to enhance  accessibility. For details, see eSpeak NG.

  • Pair Bluetooth braille displays with Chromebooks

    In addition to supporting USB-refreshable braille displays, you now have the ability to pair braille displays through Bluetooth®. For details, see Use a braille device with your Chromebook.

  • Camera app 5.3 update

    Users can now take photos and videos with a 3 or 10-second timer, line up shots with grid options, and use a mirror button that’s helpful when using external cameras, such as USB microscopes or document cameras.

Admin console updates

  • Enable managed Chrome devices to run Linux apps

    Last year we announced that consumer users can run Linux apps, including Android Studio on these Chrome devices. With Chrome 73, we’re making this feature available on managed devices. Admins can now enable or disable the use of virtual machines that are required to use Linux apps on managed Chrome OS devices. The policy is disabled by default. Admins who want to enable this policy, see Virtual Machines in Set Chrome device policies. Users need to follow the steps in Set up Linux (Beta) on your Chromebook.

    Chrome OS virtual machines setting in Admin console

  • New default policy for black & white printing (CUPS)

    There are new controls for administrators to manage black and white printing capabilities for their users. Controls for 2-sided and color printing are coming soon.  If you’re interested in getting early access to test printing features, please complete the trusted tester application.

    Native printers color mode setting in Admin console

New and updated policies

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Policy Description
ExtensionAllowInsecureUpdates Allows insecure algorithms in integrity checks on extension updates and installations. Starting in Chrome 77, this policy will be ignored and treated as disabled.
DeviceGpoCacheLifetime
Chrome OS only
Specifies the lifetime (in hours) of the Group Policy Object (GPO) cache.
DeviceAuthDataCacheLifetime
Chrome OS only
Specifies the lifetime (in hours) of the authentication data cache.
ForceNetworkInProcess
Windows only
Forces networking code to run in the browser process. This policy is disabled by default. If enabled, it leaves users open to potential security issues when the networking process is sandboxed.
ReportDevicePowerStatus
Chrome OS only
Reports hardware statistics and identifiers related to power.
ReportDeviceStorageStatus
Chrome OS only
Reports hardware statistics and identifiers for storage devices.
ReportDeviceBoardStatus
Chrome OS only
Reports hardware statistics for system on a chip (SoC) components.
CloudManagementEnrollmentToken
Browser only
Enrollment token used for enrolling in cloud management. This replaces the MachineLevelUserCloudPolicyEnrollmentToken policy.
PluginVmLicenseKey
Chrome OS only
Specifies a PluginVm license key for a device.
ParentAccessCodeConfig
Chrome OS only
Specifies the configuration that’s used to generate and verify a parent access code.

New Chrome OS administrator credential

We are excited to announce the Chrome OS administrator credential. The Chrome OS administrator exam is free and measures the ability to:

  • Create, delete, and administer users for a domain
  • Configure and manage organizational units
  • Manage Chrome devices in the Google Admin console
  • Configure and manage security and privacy settings

​For details, see Earn your Chrome OS administrator credential.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

  • Flash blocked by default in Chrome 76

    As communicated in the Chromium Flash Roadmap, Adobe® Flash® is planned to be blocked by default in Chrome 76 (stable release beginning end of July 2019). Users will still be able to switch it back to Ask to use Flash by default. This change will not impact enterprises who already configure policy settings for Flash (DefaultPluginsSetting, PluginsAllowedForUrls, PluginsBlockedForUrls). Enterprises will still be able to control this policy as before. 

  • Drive search results in the address bar

    Users will see Google Drive results when entering a search in the address bar, including PDFs, Google Sheets, Docs, and Slides.

    Drive search in address bar

  • Dark mode for Windows in Chrome 74

    In Chrome 74, if the system theme is set to dark, Chrome Browser on Windows computers will also use a dark theme in the UI. 

  • Use a policy to roll back to a previous version of Chrome Browser

    We are working on a policy to roll back a Chrome Browser version while retaining account and profile data. The new policy will allow administrators to roll back in conjunction with the existing TargetVersionPrefix ADMX policy. You can send feedback on this feature in the Chromium bug tracker.

    Read before using this policy: To make sure that users are protected by the latest security updates, we recommend that they use the latest version of Chrome Browser. If you roll back to an earlier version, you will expose your users to known security issues. Sometimes you might need to temporarily roll back to an earlier version of Chrome Browser on Windows computers. For example, your users might have problems after a Chrome Browser version update.

    Before you temporarily roll back users to a previous version of Chrome Browser, we recommend that you turn on Chrome sync or Roaming User Profiles for all users in your organization. If you don’t, previous versions of Chrome Browser will not use data that was synced from later versions. Use this policy at your own risk.

    Note: You can only roll back to Chrome Browser version 72 or later 

  • Deprecated policies will remain in the ADMX templates

    The ADM and ADMX templates will be modified to keep deprecated and unsupported policies in the output. They will be placed in a dedicated folder and have the same description. The update will make it easier to delete policies after they’re deprecated. Learn more about Deprecated Chrome policies.

  • PacHttpsUrlStrippingEnabled policy will be removed in Chrome 74 

    If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution, reducing the chance that sensitive information is unnecessarily exposed. For example, https://www.example.com/account?user=234 would be stripped to https://www.example.com/.  If you set this policy to True or leave it on the default value, then there will be no change. If you set this policy to False, you will no longer be able to do so in Chrome 74.  

  • EnableSymantecLegacyInfrastructure policy removed in Chrome 74

    The EnableSymantecLegacyInfrastructure policy can be used as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. This allows time for migrating any internal certificates not used on the public internet. This policy will be removed in Chrome 74. Certificates issued from the Legacy PKI Infrastructure should have replacement certificates issued by public or enterprise-trusted Certificate Authorities (CAs). See Migrate from Symantec certificates.

  • SSLVersionMax policy will be removed in Chrome 75

    The SSLVersionMax policy, which can be used as a short-term workaround while TLS 1.3 is rolled out, will be removed in Chrome 75. This allows time for middleware vendors to update their TLS implementations.

  • All extensions must be packaged with CRX3 format in Chrome 75

    CRX2 uses SHA1 to secure updates to the extension and breaking SHA1 is technically possible, allowing attackers to intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

    Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. And, new installations of the extension will fail. See ExtensionAllowInsecureUpdates.

  • Site isolation enforced on desktop in Chrome 75

    Before shipping site isolation in Chrome 67, we introduced enterprise policies to opt in to site isolation early or opt out of site isolation if users encountered an issue. We’ve resolved the reported issues and starting with Chrome 75, we will remove the ability to opt out of site isolation on desktop using the SitePerProcess or IsolateOrigins policies. This change only applies to desktop platforms. On Android, the SitePerProcessAndroid and IsolateOriginsAndroid policies will continue to have the ability to disable site isolation. If you run into any issues with the policies, file a bug in Chromium.

  • ThirdPartyBlockingEnabled deprecation

    In the Chrome Enterprise 68 release notes published in July 2018, we announced that the ThirdPartyBlockingEnabled policy will be deprecated in approximately one year (Chrome 77). This announcement was intended as a general deprecation date at some point in the future, but due to feedback and in order to give the ecosystem more time to adapt to the change, the deprecation is currently not targeted for Chrome 77. When a date is set for deprecation, we will announce it in the release notes. We plan to provide 4 notices before removal.

  • TLS 1.3 downgrade hardening

    Chrome Browser enabled TLS 1.3 in Chrome 70. However, due to bugs in some enterprise TLS proxies, a hardening mechanism was temporarily disabled. A future version of Chrome Browser will re-enable this measure. To test networks in Chrome 73:

    1. Set chrome://flags/#enforce-tls13-downgrade Enabled.
    2. Visit a TLS-1.3-enabled server, such as https://mail.google.com. 
    3. If the connection fails with ERR_TLS13_DOWNGRADE_DETECTED, some proxy on the network has the hardening mechanism temporarily disabled.

    You should upgrade affected proxies to fixed versions or contact vendors if no fix is available. The following list contains the minimum firmware versions for affected products that we're aware of:

    Palo Alto Networks:

    • PAN-OS 8.1 must be upgraded to 8.1.4 or later.
    • PAN-OS 8.0 must be upgraded to 8.0.14 or later.
    • PAN-OS 7.1 must be upgraded to 7.1.21 or later.

    Cisco Firepower Threat Defense and ASA with FirePOWER Services when operating in “Decrypt - Resign mode/SSL Decryption Enabled” (advisory PDF):

    • Firmware 6.2.3 must be upgraded to 6.2.3.4 or later.
    • Firmware 6.2.2 must be upgraded to 6.2.2.5 or later.
    • Firmware 6.1.0 must be upgraded to 6.1.0.7 or later.
  • Legacy browser support planned to be incorporated into Chrome 75

    Legacy browser support functionality is being incorporated into Chrome Browser, and the separate extension will no longer be needed. We will keep the extension in the Chrome Web Store for the foreseeable future so customers on older versions of Chrome Browser can continue to use legacy browser support. If you’re interested in getting early access to test legacy browser support integration, please complete this interest form.

  • Pop-ups will not be allowed on page unload

    In Chrome 74, we will no longer allow pop-ups during page unload. See the removal notice. We’ve been notified that this might break some enterprise apps so a temporary policy will be made available to allow pop-ups on page unload when Chrome 74 launches. This temporary policy is planned to be removed in Chrome 76. 

Upcoming Chrome OS changes

  • New search feature in Chrome 74

    We’re adding a search feature so users can access recent queries and suggested apps without having to enter anything. Every time a user moves their cursor to or clicks the search box, but does not start entering text, they will get search suggestions. Users will also be able to remove recent queries that they no longer want to see and use suggested text to complete their query.

  • Adding print server support for CUPS

    We are working on a feature to add support for CUPS printing from print servers on Chrome OS. Chrome OS will be able to discover printers on print servers using CUPS. Users and administrators will be able to configure connections to external print servers and print from the printers on these servers.

  • Notifications on lock screen 

    Coming soon, when looking for notifications, a message saying that notifications are hidden will show up. Next to the message, users can click a button to enable notifications. Users must authenticate and give permission to show notifications on lock screen. A full password will be required, even if other authentication methods, such as PIN or fingerprint are available.

  • User account and file name in IPP Header

    If enabled by policy, all print jobs will include the requesting user account and file name of the document in the IPP header. This added functionality will provide additional information about the print job that enables third-party printing features, such as secure printing and print usage tracking, if supported.

  • Annotations in PDF viewer

    When viewing a PDF on a device running Chrome OS, you will be able to tap a button to annotate the PDF with pen and highlighter tools.

  • Linux apps USB devices

    From the Chrome Shell (crosh), you will be able to attach a USB device to Linux apps running on Chromebooks so that Linux applications can access the Linux instance.

  • External camera support for the Camera app
    External USB cameras will be supported by the Camera app. 

Upcoming Admin console changes

  • Remove 20-printer limit for CUPS print management

    Soon, the 20 printer maximum cap will be raised to allow for several thousand printers for each organizational unit in the Google Admin console. If you’re interested in testing the new feature, please join our trusted tester program.

  • New default policies for printing (CUPS)

    Soon, there will be new controls for administrators to manage printing capabilities for their users for duplex printing. Admins will be able to set defaults or restrict whether users can or cannot use duplex printing. 

  • Managed guest session support for managed Google Play

    A setting in the Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome 72

Chrome Browser updates

  • New search result types

    In Chrome 72, you’ll get 2 new types of search results when you search from the address bar. You’ll get results based on entities—people, things, places, and so on. These results will contain the search text, an image of the entity you’re searching for, and a short description.

    search as you type

    You’ll also get suggestions to complete the end of a search string. For example, if you search for “widget sale best prac…”, you’ll get a suggestion for “practice” as a completion to your search.

    text auto-complete

  • Cleanup tool quarantines—instead of deleting—files it detects as malicious

    If you use the Chrome Cleanup tool on Microsoft® Windows® computers, files detected as malicious will now be quarantined rather than deleted. This update will help lessen the risk of safe files being mistakenly deleted. Learn more about removing unwanted programs and the Chrome Cleanup tool policy.

  • Save payment information to a Google Account

    In Chrome 72, users who are signed in to their managed Google Account will now see an option to save their payment information to their Google Account. As an administrator, you can turn off this feature (Sync Service setting) in the Google Admin console or by using the AutofillCreditCardEnabled policy.

  • Support for Windows 10 U2F and web authentication APIs

    If you use the most recent version of Windows 10, you’ll have added support for Universal 2nd Factor (U2F) and WebAuthn—standards that enable web authentication through security keys instead of passwords. U2F and WebAuthn are only supported on the most recent versions of Windows 10: either current Insider Preview builds or the forthcoming 19H1 release (“Redstone 6”). Integration with these APIs enables Windows Hello support through WebAuthn and support for NFC tokens. USB and Bluetooth Low Energy (BLE) devices should continue to work, although Windows UI will now be displayed. Any organizations that depend on U2F or WebAuthn, and are using sufficiently recent Windows builds, should verify that this feature works correctly before rolling it out.

  • EnableSha1ForLocalAnchors policy

    Enterprises that needed time to migrate following the 2014 announcement to sunset SHA-1 were able to configure an enterprise policy to enable support for SHA-1 for locally installed, privately trusted Certificate Authorities. This support has now been removed in Chrome 72. Enterprises that rely on server certificates that use the SHA-1 algorithm in the certificate chain will find that Chrome 72 will refuse to connect, presenting an untrusted certificate error. These certificates should be replaced with SHA-2 certificates to avoid any disruption.

  • New welcome experience (Windows)

    When you start Chrome Browser for the first time on Windows, you’ll see a new welcome page, unless you’re on a device that’s joined to a Microsoft® Active Directory® domain.

  • Changes to sign-in behavior with Chrome 72

    In Chrome 72, a small percentage of users will now see the following changes to the Chrome sign-in behavior. A wider roll-out of these features will happen in Chrome 73:

    • When a user turns Chrome sync on, they now get additional features, including “Enhanced spell check” and “Safe browsing extended reporting.”
    • The Chrome settings page includes a new section—Sync and Google services—which lists all of the settings related to data collected by Google in Chrome Browser. Many of these settings were previously under “Privacy”.
    • A new setting, “Make searches and browsing better” will appear under “Sync and Google services” on the settings page. This allows users to control whether features within Chrome can collect anonymized URLs.

Chrome OS updates

  • USB connections on locked devices

    Chrome 72 will offer initial support to ignore some types of USB connections on locked devices that are running Chrome OS including printers, scanners, and storage devices. USBGuard is on by default beginning with Chrome 72. If issues are detected, admins can disable this feature through chrome://flags.

  • Android app shortcuts in launcher search

    Users can now search for app shortcuts in the launcher search. For example, users can search for Compose and be taken to the exact related app, such as a new blank message in Gmail.

  • New drawing app for Chromebooks

    Chromebook users now have the Canvas app for drawing.

  • ChromeVox screen reader update

    ChromeVox users with low vision can now opt to have the screen reader read anything under their mouse cursor. This feature can be enabled through the setting “Speak text under the mouse” in the ChromeVox options page.

    Speak text under the mouse setting

  • Android 9.0 support coming to certain Chrome devices

    Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. We’ll include more information in future release notes when it comes available.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

  • Drive search results in the address bar

    Users will see Google Drive results when entering a search in the address bar, including Google Sheets, Docs, Slides, and PDFs.

    Drive search in address bar

  • Roll back Chrome Browser version with policy

    Many enterprise customers have asked Google to provide a version rollback mechanism. We are working on a policy to roll back Chrome Browser while retaining account and profile information. This will allow administrators to enable a rollback in conjunction with the existing TargetVersionPrefix ADMX policy. If the Chrome version updater cannot rollback the browser, the chrome://policy page will contain an error message and the existing release will continue to function. Only the latest release of Chrome is officially supported, so if an admin rolls back to an older version they do so at their own risk. You can provide feedback to the engineering team on this feature on Chromium.

  • Deprecated policies will remain in the ADMX templates

    Deprecated policies will be placed in a dedicated folder in the ADMX templates and have the same description. This change will make it easier for administrators to delete policies after they’re deprecated. Learn more about Deprecated Chrome policies.

  • PacHttpsUrlStrippingEnabled policy will be removed in Chrome 74

    The PacHttpsUrlStrippingEnabled policy will be removed in Chrome 74. If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution. For example, https://www.example.com/account?user=234 will be stripped to https://www.example.com/. If you set this policy to True or leave it on its default value, then there will be no change. However, in Chrome 74, you will no longer be able to set it to False.

  • EnableSymantecLegacyInfrastructure policy will be removed in Chrome 74

    The EnableSymantecLegacyInfrastructure policy will be removed in Chrome 74. This policy is intended as a short-term workaround to continue trusting certificates issued by the Legacy PKI Infrastructure formerly operated by Symantec Corporation. This allows time for migrating any internal certificates not used on the public Internet. This policy will be removed in Chrome 74. Certificates issued from Legacy PKI Infrastructure should have replacement certificates issued by public or Enterprise-trusted Certificate Authorities (CAs). See Migrate from Symantec certificates.

  • SSLVersionMax policy will be removed in Chrome 75

    The SSLVersionMax policy was a short-term work-around while TLS 1.3 is rolled out. This allows time for middleware vendors to update their TLS implementations. The policy will be removed in Chrome 75.

  • All extensions must be packaged with CRX3 format by Chrome 75

    Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.This change has been made because CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is technically possible. So, an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

    If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. New installations of the extension will fail.

  • Site isolation will be enforced on Chrome 75 (Desktop)

    Before shipping Site Isolation in Chrome 67, we introduced enterprise policies that enterprises could use to opt in to Site Isolation early or opt out of Site Isolation if they encountered an issue. We’ve resolved the reported issues and starting with Chrome 75, we will remove the ability to opt out of Site Isolation using the SitePerProcess or IsolateOrigins policies on desktop. We tentatively plan to move Chrome 75 to the stable channel in June 2019.

    Notes:

Upcoming Chrome OS changes

  • External camera support for Camera app

    External USB cameras will be supported by the Google Camera app.

  • Users can allow notifications on lock screen

    When looking for notifications, a message saying that notifications are hidden will show up. Next to it is a button to enable notifications, which will require the user to authenticate and give permission to show notifications on lock screen. A full password will be required, even if other authentication methods, such as a PIN or fingerprint, are available.

  • Always-on VPN for managed Google Play

    Currently, Admins can install Android VPN apps on Chromebooks, however, users have to start the VPN app manually. Soon, admins will be able to set an Android VPN app to start a connection when a device is turned on and direct all user traffic (Chrome OS and Android) through that connection.

  • User account / Filename in IPP Headers

    If enabled by policy, all print jobs can include the requesting user account and file name printed in the IPP header. This new feature will provide additional information about print jobs that enable third-party printing features, such as secure printing and print-usage tracking.

  • Annotations in PDF Viewer

    When viewing a PDF in Chrome, you will be able to tap a button to add notes to the PDF with a pen and highlighter tools.

  • Linux container support for USB devices

    From the Chrome Shell (crosh), you will be able to attach a USB device to Linux running on Chrome devices (Crostini) so that Linux applications can access the Linux instance.

Upcoming Admin console changes

  • Native printing (CUPS) improvements
    • Printing limit lifted—The 20 printer maximum cap will be raised to allow for several thousand printers for each organizational unit in the Google Admin console.
    • Set default for 2-sided and black and white printing—Controls are coming for administrators to manage printing capabilities for their users around 2-sided printing and black and white printing. Admins will be able to set defaults or restrict these print options with CUPS (native printing).
  • Managed guest session support for managed Google Play

    A setting in the Google Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome 71

Chrome Browser updates

  • Change to using PAC scripts to configure proxy settings in Chrome

    If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change. This is especially so if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.

    The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of https:// URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution. For example, https://www.example.com/account?user=234 will be stripped to https://www.example.com/.

    This policy will change the default value from False to True to improve security. If you already set this policy to True, there’s no impact. If you set it to False, there’s no immediate impact. If you haven’t set this policy and are relying on the default, test this change to see how your PAC scripts operate.

    This policy will be removed in a future release when PAC stripping becomes the default for Chrome.

  • Deprecate trust in remaining Legacy Symantec PKI Infrastructure

    This change is present in all release channels: Canary, Dev, Beta, and Stable. Users observing the distrust in Chrome 70 should experience the exact same behavior in Chrome 71 and later. For a small percentage of users, Chrome 71 will be the first time they experience the distrust, which could result in more problems involving related errors.

    Find instructions on how to determine whether a site is affected and any corrective action needed, as well as a description of past changes.

Chrome OS updates

  • Fingerprint and PIN enrollment in Chrome device Out of Box Experience (OOBE)

    For tablets that support fingerprint and/or PIN, users can enroll a fingerprint or set up a PIN while signing in to the device for the first time.

  • Connect to your Android phone

    Users can connect with their Android phone using a single setup flow to enable Smart Lock, instant tethering, and Android Messages PWA. Android Messages PWA gives users the ability to see, reply to, and start text messages.

  • Android Messages for Chrome OS

    Users can text from their Chrome OS by connecting with their Android phone. 

  • Print multiple pages per sheet on native (CUPS) printing

    Native printers using CUPS now support rendering multiple pages of content onto a single sheet of paper. Previously only available for Cloud Print printers, this is now available for all printing destinations.

Admin console updates

  • Managing site isolation policies

    Site isolation policies on the desktop get updated to reflect that they’re on by default. (They include controls to turn off site isolation or add specific site rules.) New policies are added to the Admin console for Chrome on Android. For more, see Protect your data with site isolation.

New and updated policies

Policy Description
AllowWakeLocks
Chrome OS only
Specifies whether wake locks are allowed. Wake locks can be requested by extensions through the power management extension API and by ARC apps.
NetworkFileSharesPreconfiguredShares
Chrome OS only
List of preconfigured network file shares.
NTLMShareAuthenticationEnabled
Chrome OS only
Network File Share feature. This policy controls enabling NTLM as an authentication protocol for SMB mounts.
SmartLockSigninAllowed
Chrome OS only
Allow Smart Lock Sign-in to be used.
VpnConfigAllowed
Chrome OS only
Allow the user to manage VPN connections.
WebUsbAllowDevicesForUrls
All operating systems
Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs.

Deprecations

  • EnableSha1ForLocalAnchors policy

    Enterprises that needed time to migrate following the 2014 announcement to sunset SHA-1 were able to configure an Enterprise policy to enable support for SHA-1 for locally installed, privately trusted Certificate Authorities. Support would be removed in January 2019 at the latest, which corresponds to Chrome 72. Enterprises that rely on server certificates that use the SHA-1 algorithm in the certificate chain will find that Chrome 72 will refuse to connect, presenting an untrusted certificate error. These certificates should be replaced with SHA-2 certificates to avoid any disruption.

  • SupervisedUserCreationEnabled policy (deprecated in Chrome 70)

    Read about consumer supervised users.

Coming soon

Note: The items listed below are experimental or planned updates. They might be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

  • The Chrome Cleanup Tool will quarantine—instead of deleting—files it detects as malicious

    The Chrome Cleanup Tool helps users remove unwanted software on their computers. The removal process includes deleting malicious files in the system. However, to lessen the risk of safe files being erroneously deleted, files will be moved into quarantine instead of getting deleted permanently. For more, learn about removing unwanted programs and the Chrome Cleanup Tool policy.

  • PacHttpsUrlStrippingEnabled policy (scheduled to be deprecated in Chrome 74) 

    See the above note on Change to using PAC scripts to configure proxy settings in Chrome.

  • SSLVersionMax policy (scheduled to be deprecated in Chrome 75)

    SSLVersionMax can be used as a short-term workaround while TLS 1.3 is rolled out. This allows time for middleware vendors to update their TLS implementations. The policy will be removed in Chrome 75.

  • Third-party code injection

    The Chrome 70 release notes stated that in Chrome 71, third-party code blocking will be enabled by default for everyone, including domain-enrolled users. However, due to an issue with anti-virus file scanning, we're delaying this change until we have a solution that better covers customers' needs.

  • All extensions must be packaged with CRX3 format by Chrome 75

    Starting with Chrome 75, all force-installed extensions will need to be packaged in the CRX3 format. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.

    If your organization is force-installing privately hosted extensions packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. New installations of the extension will fail.

    Why is this change happening?

    CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is technically possible. So, an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

Upcoming Chrome OS features

  • Always-on VPN for managed Google Play

    Admins can install Android VPN apps on Chromebooks. However, users have to start the VPN app manually.

    Soon, admins can set an Android VPN app to start a connection when a device is turned on and direct all user traffic (Chrome OS and Android) through that connection. If the connection fails, all user traffic is blocked until the VPN connection is re-established. VPNs in Chrome OS don’t apply to any system traffic, such as OS and policy updates to prevent security exploits.

  • Android 9.0 support coming to certain Chrome devices

    Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. Dates and affected devices haven’t been announced. We’ll include more information in future release notes when it comes available.

Upcoming Admin console features

  • Native printer-management improvements

    The 20 printer maximum cap will be raised to allow for several thousand printers for each organizational unit in the Google Admin console.

  • Managed guest session support for managed Google Play

    A setting in the Google Admin console will allow Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome 70

We're accepting sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy Description
BrowserSignin Controls the sign-in behavior of Chrome Browser.
DeviceLocalAccountManagedSessionEnabled
Chrome OS only
Allows managed session behavior on a device configured for public sessions.
NetBiosShareDiscoveryEnabled
Chrome OS only
Controls Network File Share discovery through NetBIOS.
NetworkFileSharesAllowed
Chrome OS only
Controls whether the Network File Share feature for Chrome OS is allowed for a user.
PowerSmartDimEnabled
Chrome OS only
Specifies whether a smart dim model is allowed to extend the time until the screen is dimmed
PrintHeaderFooter Specifies whether users can print headers and footers.
ReportMachineIDData
Desktop only
Controls whether to report information that can be used to identify machines. Learn more about reporting on Chrome.
ReportPolicyData
Desktop only
Controls whether to report policy data and the time of a policy fetch. Learn more about reporting on Chrome.
ReportUserIDData
Desktop only
Controls whether to report information that can be used to identify users. Learn more about reporting on Chrome.
ReportVersionData
Desktop only
Controls whether to report Chrome OS version information. Learn more about reporting on Chrome.
WebRtcEventLogCollectionAllowed Specifies whether to allow or block Chrome OS from collecting WebRTC event logs from Google services.

Chrome Browser updates

  • Sign-in policy change

    Starting in Chrome 70, the BrowserSignin policy will control the Allow Chrome sign-in setting for your users on Chrome Browser. It allows you to specify if the user can sign in with their account and use account-related services, such as Chrome Sync.

    If the policy is set to "Disable browser sign-in", then the user cannot sign in to the browser and use account-based services. In this case, account-bound features, such as Chrome Sync, cannot be used and will be unavailable.

    If the policy is set to "Enable browser sign-in", then the user can sign in to the browser, but they’re not forced to do so. The user can’t disable signing in to the browser. To control the availability of Chrome Sync, use the SyncDisabled policy.

    If the policy is set to “Force browser sign-in”, then the user has to sign in to Chrome before using the browser. The default value of BrowserGuestModeEnabled will be set to false. Existing profiles that are not signed in will be locked and inaccessible after enabling this policy. 

    If this policy is not set, then the user can decide if they want to enable the browser sign-in option and use it as they see fit.

  • Cookie behavior change

    With Chrome 70, when a user clears cookies in Chrome Browser, Google’s authentication cookies will be deleted along with all other cookies, except for the cookie used for the Chrome Sync account. Users are automatically signed out of all accounts not being used for Chrome Sync. Users will still be signed in to any account used for Chrome Sync so they can delete their browsing data from other devices as well.

  • Reduce Chrome crashes caused by third-party software

    Third parties can inject code that disrupts the stability of Chrome Browser. In Chrome 66, we introduced on-screen warnings that alerted users when a third party injects code.

    Here’s the warning users see on their computers if the ThirdPartyBlockingEnabled policy is enabled:

    Disable third-party software blocking notification

    The following blocking feature was previously scheduled for M68 and M69, but is now launching in Chrome 70.

    In Chrome 70, third-party code is now blocked by default for consumer users of Chrome. However, there is a different default behavior for enterprises. If you (the admin) do not block third-party code, third-party code will not be blocked for domain-enrolled enterprise users in Chrome 70.

    In Chrome 71, third-party code blocking will be enabled by default for everyone, including domain-enrolled users.

    To prepare for this change, if you still use software that injects code into browser processes, you can temporarily enable access using the new ThirdPartyBlockingEnabled policy.

    To test Chrome’s third-party software warning and blocking features on Windows, see these instructions, which will walk you through how to use the diagnostic tool at chrome://conflicts.

  • Deprecate trust in remaining legacy Symantec PKI infrastructure

    Following previous announcements, Chrome 70 marks the final stage of distrusting the Symantec legacy PKI certificates.

    Beginning with Chrome 70:

    • All certificates, regardless of issuance date, issued from the Symantec legacy PKI are distrusted in the Canary and Dev release channels.
    • Trust in the Symantec legacy PKI has begun phasing out for the Beta and Stable release channels.
    • Temporary periods of distrust, increasing in length, will identify any outstanding breakages caused by sites that have not replaced their TLS certificates. Complete and final distrust can occur regardless of Chrome release dates. You are strongly encouraged to replace affected certificates as soon as possible to avoid site breakage.

    What you need to do:

    • Determine if your site is affected and replace your TLS certificate with one unaffected by the change. To find out if your site is affected, see the instructions in our blog post on the deprecation.
    • Enterprises with a critical dependency on Symantec TLS certificates can configure temporary trust in the Symantec legacy PKI. This policy is a temporary measure and will expire January 01, 2019. For details, see the EnableSymantecLegacyInfrastructure policy.
  • Update to TLS 1.3

    We shipped draft 23 of TLS 1.3 in Chrome 65. In Chrome 70, we are now updating to the final revision. For details, see TLS 1.3 and Chromium.org. We will not be shipping anti-downgrade protections in Chrome 70 due to bugs in several middlebox vendor’s TLS implementations. Administrators of Cisco® Firepower® devices can update to Firepower version 6.2.3.4 to avoid incompatibilities with a future Chrome version. If needed, admins can use the SSLVersionMax policy to control TLS 1.3.

  • New UI support for WebAuthn

    Chrome 70 comes with a new UI for WebAuthn and FIDO authenticators. Developers no longer have to implement these user authentication flows themselves. In Chrome 70, when a user invokes WebAuthn, Chrome will guide the user through their FIDO-compatible authenticator, such as a security key.

  • Form autofill policy changes

    The AutoFillEnabled policy is deprecated. It’s being replaced with 2 more granular policies, which control autofilling address and credit card information into forms online. For Chrome devices running Chrome 70 and later, you need to update the AutofillAddressEnabled and AutofillCreditCardEnabled policies (details below).

    Autofill policies

    The AutofillAddressEnabled and AutofillCreditCardEnabled policies allow users to enter address and credit card information in web forms using previously stored information or information from their Google Account.

    If AutofillAddressEnabled is disabled, address information is not suggested or filled in. Additional address information that’s entered in web forms by the user will not be saved.

    If AutofillCreditCardEnabled is disabled, credit card information is not suggested or filled in. Additional credit card information that’s entered in web forms by the user will not be saved.

    If either the AutofillAddressEnabled or AutofillCreditCardEnabled setting is enabled or has no value, the user will be able to control autofill for addresses or credit card information, respectively.

Chrome OS updates

  • Native SMB file share support

    SMB file shares (Windows file shares) are now supported natively on Chrome OS. Remote paths can be mounted as a root in the Files app. Supported authentication methods include Kerberos, Microsoft® Active Directory®, and NTLM version 2. To initiate an SMB file share:

    1. Open a Chrome Browser window and at the top right, click More and thenSettings.
    2. Next to Network file shares, click Add File Share.
    3. Enter the required information and click Add.
    4. Open the Files app and browse the shared folder.
  • SMB file share in Chrome OS
  • Camera app updates

    The Camera app has a refreshed UI. Photos and videos taken with the Camera app are now stored in the Downloads folder in the Files app.

  • Enable key remapping for external keyboards

    Users can now remap the Search, Command, and Windows keys on external keyboards in the keyboard settings. If an Apple® keyboard is attached to a Chromebook, the external keyboard setting defaults to the Control key. Other external keyboards default to the Search or Launcher key.

  • Floating virtual keyboard

    For touch-enabled Chrome devices, you can use a floating keyboard to enter text with one finger. You can use this keyboard on a touchscreen, similar to how you use a smartphone keyboard.

  • Restriction policy for native CUPS printing

    Admins can restrict users to color or black-and-white printing with CUPS printing. Users will not be able to manually change the setting on the device. Details are coming in Manage local and network printers.

Admin console updates

  • Manage sign-ins in Chrome Browser and Chrome OS

    In the Google Admin console, you can restrict which domains users can use to access Google products, such as Gmail. The setting applies in Chrome Browser and on Chrome OS devices. For example, you might want to prevent employees from signing in to their personal Gmail accounts on a corporate-owned Chromebook. The setting combines the AllowedDomainsForApps and SecondaryGoogleAccountSigninAllowed policy.

  • Improved developer tools policy

    You can use the new DeveloperToolsAvailability policy to allow developer tools except for force-installed extensions. This behavior is the new default and is useful for organizations that want to allow the general use of developer tools, but prevent tampering with force-installed extensions. For details, see the DeveloperToolsAvailability policy.

  • Auto-updates over LTE policy control

    You can use the DeviceUpdateAllowedConnectionTypes policy to control which connection types a device can receive automatic updates over. There is now an option to enable automatic updates over all connection types, including LTE, as opposed to only WiFi and Ethernet. For details, see the DeviceUpdateAllowedConnectionTypes policy. This feature will be rolled out over the coming weeks in the Admin console under Device management and then Chrome management and then Device settings and then Device Update Settings and then Auto Update Settings.

  • Lock screen control

    After a defined idle time, you can now set a lock screen on users’ devices running Chrome OS. This setting is in the Google Admin console under Device management and then Chrome management and then User settings and then Security and then Idle Settings.

Deprecations

  • AutoFillEnabled policy deprecation

    The AutoFillEnabled policy is deprecated in Chrome 70. It’s being replaced with 2 more granular policies, which control autofilling address and credit card information into forms online. For Chrome devices running Chrome 70 and later, you need to update the AutofillAddressEnabled and AutofillCreditCardEnabled instead (see Form autofill policy changes above).

  • Gmail Offline app discontinued

    In December 2018, the Gmail Offline app will be removed from the Chrome Web Store. You can now get offline functionality in Gmail. For details, see Use Gmail offline.

  • CRX2 deprecation

    Starting with Chrome 70, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in the Chrome Web Store have been automatically converted.

    Starting with Chrome 75, this restriction will also apply to force-installed extensions. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.

    If your organization is force-installing privately hosted extensions packaged in CRX2 format and you do not repackage them, they will stop updating in Chrome 75. New installations of the extension will fail.

    Why is this change happening?

    CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is computationally feasible, so an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm without this risk.

Coming soon

Note: The items listed below are experimental or planned updates. They may be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

  • Change to using PAC scripts to configure proxy settings in Chrome Browser

    If you’re using a Proxy Auto Config (PAC) script to configure Chrome's proxy settings, you might be affected by this change, especially if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.

    The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of HTTPS URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution.

    In Chrome OS version 71, this policy will change the default value from FALSE to TRUE to improve security. If you already set this policy to TRUE, there will be no impact. If you set it to FALSE, there will be no immediate impact. If you have not set this policy and are relying on the default, you should test this change to see how your PAC scripts operate.

    Note: This policy will be removed in a future release when PAC stripping becomes the default for Chrome OS.

  • CRX2 deprecation

    For details on what’s happening with CRX2-packaged extensions in Chrome 75, see CRX2 deprecation (above).

Upcoming Chrome OS features

  • Android 9.0 Pie

    Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. Dates and affected devices have not yet been announced. We will include more information in future release notes when it comes available.

  • Always-on VPN for managed Google Play

    Admins can already install Android VPN apps on Chromebooks. However, users have to start the VPN app manually. Soon, admins can set a VPN app to start a connection when a device is turned on and direct all traffic through that connection. If the connection fails, all traffic is blocked until the VPN connection is reestablished.

Upcoming Admin console features

  • Native printer-management improvements

    Soon, you can add more than 20 printers for each organizational unit in the Google Admin console.

  • Managed guest session support for managed Google Play

    Soon, there will be a setting in the Google Admin console that allows Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

Chrome 69

We're accepting sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy Description
AllowedUILocales
Chrome OS only
Configures the allowed UI locales in a user session. This policy replaces the AllowedLocales policy.
OverrideSecurityRestrictionsOnInsecureOrigin Specifies a list of origins (URLs) for which security restrictions on insecure origins will not apply. This policy replaces UnsafelyTreatInsecureOriginAsSecure. The policy now applies to Chrome OS and Android.
PasswordProtectionChangePasswordURL Configures the change password URL.
PasswordProtectionLoginURLs Configures the list of enterprise sign-in URLs where the password protection service should capture password fingerprints for reuse detection.
PasswordProtectionWarningTrigger Configures the password protection warning trigger.
UsageTimeLimit
Chrome OS only
Configure the time limit for a user session or device usage per day.

Chrome Browser updates

  • Password Alert policy

    Password Alert has been a popular extension with enterprises for the past few years to protect Google Accounts. With the release of Chrome 69, we’re adding password alert as a policy for Chrome Browser to allow you to specify both Google and non-Google Accounts. If your users sign in to websites that aren’t whitelisted by your organization or are flagged as suspicious, they’ll get a warning that prompts them to reset their password. Preventing password reuse across multiple websites can protect your organization from compromised accounts.

  • Reduce Chrome crashes caused by third-party software

    Third parties can sometimes inject code that disrupts the stability of Chrome Browser. In Chrome 66, we introduced on-screen warnings that alerted users when a third-party injects code. In Chrome 69, third-party code is now blocked by default. If you still use software that injects code into browser processes, you can temporarily enable access using the new ThirdPartyBlockingEnabled policy.

    Here is the warning users will see on their computers when this policy is enabled:

    Disable third-party software blocking notification

    Please note that this blocking feature was previously scheduled for M68, but is now scheduled for M69.
  • On-premise reporting

    You can use a new reporting tool for Chrome Browser that provides insight into the browser, its resource consumption, and policy compliance. You can use Chrome Reporting Extension and a companion application on user machines to enable reporting. Use policies to specify what to monitor. Browser data is stored in a local file on disk in JSON format, which you can integrate with on-premise reporting and analytic tools, such as Spunk® or Sumo Logic®. For details, see Track Chrome Browser usage and events.

  • Browser interface changes

    Chrome Browser will have a new design across all operating systems. Highlights include Microsoft® Windows 10® notification-center integration, touchpad gesture navigation on Windows, and autofill updates.

  • Flash deprecation

    Last year, Adobe announced it will stop updating and distributing Adobe Flash™ at the end of 2020. Starting with Chrome 69, every time users restart Chrome Browser, they will have to grant permission for sites to use Flash. This update won’t impact your enterprise settings. You can continue to use the DefaultPluginsSetting, PluginsAllowedForUrls, and PluginsBlockedForUrls policies to configure Flash behavior. Only user-configured settings will be impacted. For details, see the Flash roadmap on Chromium.org. Flash will not be supported after December 2020.

  • Update to Legacy Browser Support extension

    The Legacy Browser Support extension for Chrome has been updated to version 5.4. You can now specify more precise rules in URL lists to make managing multiple sites hosted on the same domain simpler. The update also improves support for automatically generated Microsoft® Internet Explorer® site lists. If you deploy the native Legacy Browser Support companion MSI manually, make sure to get the newest extension version to avoid mismatches with the extension version.

  • Improvements to Chrome management with Intune

    Policies that are only available on Microsoft® Windows® instances that are joined to a Microsoft® Active Directory® domain can now be configured with Intune. These policies can even be managed on Windows instances not joined to a domain. Managing Chrome policies with Intune is supported on the Windows 10 Pro and Enterprise editions. For details, see Manage Chrome Browser with Microsoft Intune.

Chrome OS updates

  • Linux (Beta) for Chromebooks

    Important:

    Linux (Beta) for Chromebooks allows developers to use editors and command-line tools by adding support for Linux on a Chrome device. After developers complete the set up, they’ll see a terminal in the Chrome launcher. Developers can use the terminal to install apps or packages, and the apps will be securely sandboxed inside a virtual machine.

    To try this out on an unmanaged device:

    • This feature is currently only supported on unenrolled Chrome devices and not available for managed Chrome devices.
    • This feature is only available on the latest Chrome devices. See Chromium.org for a list of Chrome device boards that support VMs.
    1. Go to Settings and then Linux (Beta).
    2. Click Turn on.
      Note: If you don’t see Linux (Beta) in your Chrome OS settings, either you’re using a managed Chromebook, or you haven’t yet updated to Chrome OS 69 or later.
    3. Click Install in the window that appears to Set up Linux (Beta) on your Chromebook.

Linux can take several minutes to install. Once installation is complete, a terminal window will appear.

  • Voice dictation from anywhere

    Voice-to-type functionality has been available on Chromebooks for some time through the on-screen accessibility keyboard or the virtual keyboard’s microphone icon. However, many of our users have asked to make dictation a standalone feature that's separate from the accessibility keyboard. Chrome 69 now offers dictation as a separate accessibility feature. With dictation enabled, a small button will appear at the bottom of the desktop. Also, when input focus is in a text-edit area, users can click a button to start dictating or press Search+D and use their voice to input text.

  • Global text-to-speech settings

    In Chrome 69, we’re launching a new global text-to-speech settings page that’s available in your accessibility settings. Users can set a system-wide synthesized voice, language, pitch, and rate. We’re also working on making this setting smoother for any users who have non-default voice settings in the ChromeVox screen reader options page or the Select-to-speak options page.

  • Files app improvements

    Native support for Drive in the Files app is targeted for Chrome 69. We’re also working on making managed Google Play on Chrome OS files available as read/write with the Files app. And, we’ll be making updates to improve the organization of local versus cloud file storage.

  • Night Light support on Chromebooks

    To reduce eye strain and improve sleep, users can manage the color of their device displays throughout the day using Night Light. Users can use a preset sunrise and sunset schedule and suggested tint. Or, they customize their daily schedule and color temperature from a spectrum of colors.

  • Visual updates for enterprise device enrollment

    The device-enrollment flow will be updated to match the visual styling of the rest of the Chrome OS out-of-box experience (OOBE). Functionality will not be affected. If you automate the out-of-box experience using USB devices, you should update your automation steps as appropriate.

Admin console updates

  • Support for enterprise mobility management (EMM) coexistence for Android

    Previously, domains that had a third-party enterprise mobility management (EMM) provider bound to their domain could not manage Android apps on Chromebooks from the Google Admin console. Also, some users saw an empty Google Play store if their company was using an EMM to install Android apps outside of Google Play. With this change, administrators will be able to assign separate sets of Android apps for their Chrome and Android users from their respective consoles. The steps to manage apps remain the same. For details, see Use Android apps on Chrome devices.

  • Android app installation improvements

    The most commonly used Android apps on a Chromebook will see performance improvements now that force-installed apps on Chromebooks can be kept as cached local copies. This improvement reduces the time it takes to install apps and network-traffic usage.

Deprecations

  • SigninAllowed policy deprecation

    The SigninAllowed policy has been deprecated since Chrome 40. It will be removed from Chrome completely in Chrome 71. If you’re still using this policy, you need to transition to supported alternatives. For example, you can use the SyncDisabled policy to control the availability of the Chrome Sync feature.

  • CRX2 deprecation

    Starting with Chrome 70, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in the Chrome Web Store have been automatically converted, but privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. Starting with Chrome 75, this restriction will also apply to force-installed extensions.

Upcoming Chrome Browser features (targeted for M70 and later)

  • Redirect protection

    We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

    Framebusting requires same-origin or a user gesture

Upcoming Chrome OS features (targeted for M70 and later)

  • Enable key remapping for external keyboards

    This feature will allow users to remap the Search, Command, and Windows keys on external keyboards through keyboard settings. If an Apple® keyboard is attached to a Chromebook, the external keyboard setting defaults to the Control key. Other external keyboards default to the Search or Launcher key.

Upcoming Admin console features

  • Native printer-management improvements

    Soon, you can add more than 20 printers for each organizational unit in the Google Admin console.

  • Manage sign-ins within Chrome Browser and on Chrome OS

    A new setting coming to the Google Admin console will allow you to restrict which domains users can use to access Google products like Gmail or G Suite. This applies for users that are browsing in the Chrome browser and on a Chrome OS device. A common way this setting could be used is to prevent students from signing in to their personal Gmail accounts on a school-owned Chromebook.

    Note: This Admin console setting combines these policies:

  • Public-session support for managed Google Play on Chrome OS

    Soon, there will be a setting in the Google Admin console that allows Android apps to run in public sessions. Currently, Android apps can only run in a signed-in session.

Chrome 68

Starting with Chrome 67, release notes are listed in a new format. They're no longer exclusive to Chrome Browser, but also includes a changelog of Chrome OS releases and Admin console features coming soon.

We're also now taking sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy Description
ArcBackupRestoreServiceEnabled
Chrome OS only
Controls Android backup and restore service
ArcGoogleLocationServicesEnabled
Chrome OS only
Controls Android Google location services
ChromeCleanupEnabled
Windows only
Enables Chrome Browser Cleanup on Windows
ChromeCleanupReportingEnabled
Windows only
Controls how Chrome Browser Cleanup reports data to Google
DeveloperToolsAvailability Controls where Developer Tools can be used
IsolateOriginsAndroid
Android only
Enables Site Isolation on Chrome Browser for specified origins on Android devices
SafeBrowsingWhitelistDomains For configuring the list of domains which will not trigger Safe Browsing warnings
SitePerProcessAndroid
Android only
Enables Site Isolation for every site
WebUsbAskForUrls Allows WebUSB on these sites
WebUsbBlockedForUrls Blocks WebUSB on these sites

Chrome Browser updates

  • Unencrypted sites to show “not secure” indicator

    For the past several years, we’ve advocated that sites adopt HTTPS encryption for greater security. Within the last year, we’ve also helped users by marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

    Chrome offers a policy to control this warning on your domain.

    "not secure" warning

  • Chrome Canary on Mac policy list update

    Chrome Canary on Mac reads the same policy file (com.google.chrome.plist) as the Dev, Beta, and Stable channels of Chrome. We’re deprecating the separate policy file com.google.chrome.canary.plist.

  • Block a locally installed, hardcoded CA for Mitel VoIP products

    In M68, we plan to blacklist a hardcoded Certificate Authority (CA) and shared private key that’s installed with certain Mitel® VoIP products. The products contain both the public and private key for the Mitel IP Communications Platform (ICP) CA, which can be installed and trusted for a wide range of certificate purposes, including website SSL and TLS certificates. We’ve observed evidence of this CA being used to maliciously issue Man-in-the-Middle (MITM) certificates, including www.google.com. While this CA is not publicly trusted as a part of the web PKI, it warrants protecting Chrome users by blocking trust in it. For more details, see Mitel's security advisory.

  • Certificate transparency

    M68 requires that all new publicly trusted certificates issued after April 30, 2018 have several Certificate Transparency logs. This update does not affect existing certificates or certificates from locally trusted CAs, such as Enterprise CAs or those used with antivirus or security products. For more information, see Certificate Transparency.

Chrome OS updates

  • PIN sign-in support

    Users can now sign in to their device using a numeric PIN. Previously, users could only use a PIN to unlock their device after first signing in with a password. Policy to control this feature in the Admin console will arrive in a future release. When the policy is added, it will allow an admin to enable or disable their end users from setting a PIN for the Chrome device. Once enabled, the user has to set the PIN themselves. The PIN only works on that device and it won’t sync to other devices.

  • Video capture service

    Video capture from internal and external cameras in Chrome (including on Chrome OS and Chromebox for meetings devices) has traditionally been run as part of the main Chrome Browser process. With the rollout of the video capture service, this functionality is now a separate process to enable isolation in services. There are no user-facing changes in functionality.

  • 802.11v and 802.11r Fast BSS Transition support added

    These changes allow Chrome OS customers to more quickly connect to a network. Specifically, the 802.11r Fast BSS Transition enables a faster handoff for devices roaming in areas with many access points (APs). For enterprise users with 802.11r-enabled APs, the time-to-associate with APs while mobile is improved. 802.11v enables clients to be topology aware. This can allow clients to transition to APs, which increase throughput and QoS.

  • Accessibility improvements

    Chrome OS M68 comes with a number of accessibility improvements.To enable the ChromeVox screen reader:

    1. Press and hold the 2 side volume buttons for 5 seconds. After a few seconds of holding these 2 buttons, an audio tone will play.
    2. Continue holding. The screen reader will start speaking. 

    Additionally, we’re launching new shortcuts to toggle accessibility features:

    • Select Ctrl + Search + M to enable/disable the full screen magnifier.
    • And select Ctrl + Search + D to enable/disable the new docked magnifier. 

    We’re adding new functionality to our Select to Speak feature, which allows users to select certain parts of the screen to be spoken aloud through a synthesized voice. With M63, we launched this feature by pressing the Search key, then clicking an item or dragging a box around content to have that content read aloud.

    With M67, we introduced the ability to highlight specific text, then press Search + D to have only that text spoken aloud.

    With M68, it’s now possible to use the Select to Speak feature with a touch screen, mouse, or stylus (in addition to or instead of the keyboard and touchpad). This adds a button in the status area that a user can click or touch, then select an area to be spoken aloud.

  • Introduction of display size and refresh rates to display settings

    As of M68, we are rolling out a new display-zoom setting for primary display and adding resolution, along with refresh rates for external displays.

    • While disconnected from external display, users will be able to manipulate the size of objects on the screen.
    • When connected to external display, we are adding an option to set resolution, which determines sharpness of text and images.

    The goal of these changes is to give users more control over UI scale and look.

Admin console updates

  • Automatic re-enrollment (Forced re-enrollment enhancement)

    A new feature allows a managed Chrome OS device that is wiped or recovered to automatically re-enroll after it connects to a network. With the previous Forced re-enrollment feature, a user had to enter their username and password to complete the re-enrollment step. But this new feature allows an admin to remove that requirement and automatically complete re-enrollment. This feature will be rolled out incrementally starting in July, 2018 and will become the default for new customers, as well as for existing customers who have not changed the default Forced re-enrollment setting.

    Admins can still require users to enter their credentials to re-enroll wiped or recovered devices and make use of enrollment permissions to prevent specific users from re-enrolling through that process.

  • Device off-hours feature

    Admins can set up schedules to customize when sign-in restrictions and guest-mode policies are needed. For instance, schools can allow guardians and family members to sign in to Chrome devices with their personal accounts after school hours on managed devices.

  • Native printer-management improvements

    A new policy to block users from manually adding printers is targeted for this release. With this policy, users will be limited to using printers assigned by their admin.

Upcoming Chrome Browser features (targeted for M69 and later)

  • CRX2 deprecation (M69)

    Starting in M69, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in Chrome Web Store have been automatically converted, but privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged. Starting in M75, this restriction will also apply to force-installed extensions.

  • Reduce Chrome crashes caused by third-party software (M69)

    In M66, Chrome began showing a warning to users after a crash that displays third-party software that is injecting code into Chrome, guiding them to update or remove that software. In M69, Chrome will begin blocking third-party software from injecting code into Chrome processes.

    Please note that this blocking feature was previously scheduled for M68, but is now scheduled for M69.

    You can enable or disable third-party software blocking with the ThirdPartyBlockingEnabled policy. The policy will be deprecated in approximately one year (Chrome 77).

    Disable third-party software blocking notification

  • Redirect protection

    We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

    Framebusting requires same-origin or a user gesture

Upcoming Chrome OS features (targeted for M68 and later)

  • Voice dictation from anywhere (M69)

    Voice to type has been available on Chromebooks for some time through the on-screen accessibility keyboard or the virtual keyboard’s microphone icon. However, a number of users have requested the ability to use dictation as a standalone feature, separate from needing to pull up the accessibility keyboard. Soon, we will launch dictation as a separate accessibility feature. With this enabled, a small button will appear in the status area. When focus is in an edit field, users can either click the button to start dictating or press the keyboard command Search + D, then use their voice to input text. 

  • Enable key remapping for external keyboards (M69)

    The new feature allows users to remap Search/Command/Windows keys on external keyboards through keyboard settings. If an Apple® keyboard is attached to Chromebook, the external keyboard setting defaults to Control. Other external keyboards default to Search/Launcher. 

  • Files app improvements (M69)

    Native support for Drive in Files app is currently targeted for M69. The team is also working toward making ARC++ files available as read/write with the Files app and will be updating the UI to improve the organization of local vs. cloud file storage.

  • Policy to show PIN pad on sign-in and lock screen for TouchView devices

    The Policy to show PIN feature will allow admins to show the PIN pad on the sign-in screen. This is intended to make sign-in easier on tablets in domains where the administrator has made all user passwords only digits.

  • Visual updates for enterprise device enrollment flow

    The device enrollment flow will be updated to match the visual styling of the rest of the Chrome OS out-of-box experience (OOBE). These are only style changes and will not affect functionality. Customers who automate OOBE using USB devices should update their automation steps as appropriate.

  • Night Light support on Chromebooks

    To reduce eye strain and improve sleep, Night Light on Chromebooks lets users manage the color of their device displays throughout the day. Users can use a preset sunrise/sunset schedule and suggested tint. Or, they customize their daily schedule and color temperature from a spectrum of colors.

Upcoming Admin console features

  • Native printer-management improvements

    A change is coming to the Admin console to remove the 20-printer limit for each organizational unit.

  • Sign-in Within the Browser policy

    Admins can restrict users who sign in to Chrome OS from adding additional Google Accounts in the browser.

  • Public session support for managed Google Play on Chrome OS

    A setting is coming to the Admin console that will allow you to run Android apps in public sessions. Currently, Android apps can only run in a signed-in session.

Chrome 67

Starting with Chrome 67, release notes are listed in a new format. They're no longer exclusive to Chrome Browser, but also include Chrome OS releases and Admin console features coming soon.

We're also now taking sign-ups for the Chrome Enterprise Trusted Tester program where you can test new Chrome features in your environment. You’ll provide feedback directly to our product teams so we can develop and prioritize new features. If you’d like for your organization to participate, complete this form. We’ll follow up with more details.

New and updated policies

Policy Description
ArcAppInstallEventLoggingEnabled Logs events for Android app installs (Chrome OS)
AutoplayWhitelist Allows media autoplay on a whitelist of URL patterns
CertificateTransparencyEnforcementDisabledForCas Disables Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes
CertificateTransparencyEnforcementDisabledForLegacyCas Disables Certificate Transparency enforcement for a list of Legacy Certificate Authorities
DefaultWebUsbGuardSetting Controls use of the WebUSB API
DeviceRollbackAllowedMilestones Specifies the number of milestone rollbacks allowed (Chrome OS)
DeviceRollbackToTargetVersion Specifies a rollback to a target version (Chrome OS)
MediaRouterCastAllowAllIPs Allows Google Cast to connect to Cast-ready devices on all IP addresses
RelaunchNotificationPeriod Sets the period for update relaunch notifications
SafeBrowsingExtendedReportingEnabled Enables extended reporting for Safe Browsing (added in M66)
TabUnderAllowed Allows sites to simultaneously navigate and open notifications

Chrome Browser updates

  • SAML SSO interstitial

    Doesn’t impact users who sign in to G Suite services directly, those who use G Suite or Cloud Identity as their identity provider, or devices running Chrome OS.

    If your users use SAML to sign in to G Suite services, they’ll need to complete an extra step to confirm their identity when using the Chrome Browser. After signing in on a SAML provider’s website, they’ll be brought to a new screen on accounts.google.com to confirm their identity. This screen provides an extra layer of security and helps prevent users from unknowingly signing in to a malicious account.

    To minimize disruption, this screen will only be shown once per account per device. We’re working on ways to make the feature smarter in the future, meaning users in your organization should see the screen less and less over time.

    If you don’t want your users to confirm their identity on this interstitial page, you can set the X-GoogApps-AllowedDomains header and identify specific domains where the extra confirmation isn’t needed. We assume that if the user is signing in with an account that is in this list of domains, then the account is trusted by the user. You can set the header using the AllowedDomainsForApps group policy.

    For more details, see the G Suite Updates blog.

  • Site Isolation

    You can turn on site isolation to create an additional security boundary between websites. When you enable site isolation, content for each open website in Chrome Browser is always rendered in a dedicated process, isolated from other sites. Adding site isolation creates an additional security boundary between websites.

    Chrome continues to roll out Site Isolation to a larger percentage of the stable population in M67. For details, see Manage Site Isolation.

Chrome OS updates

  • Desktop Progressive Web Apps (PWAs)

    Desktop PWAs are now supported on devices running Chrome OS starting with M67. Work is underway to include support for Microsoft® Windows® and Apple® Mac®. For more information, see our developer site.

  • Detachable-base swap detection

    Detachable-base swap detection helps prevent hackers from accessing sensitive data. When a keyboard base that has not been used before is attached to a detachable tablet, such as an HP Chromebook X2, the user gets notified. The detection helps prevent hackers from replacing the base with a different one that looks the same but has been modified.

  • Block symlink traversal

    This feature improves verified boot security by preventing symlink traversal attacks, even after restart. This is a defensive measure to prevent attacks against Chromebooks from persisting through restart.

    This feature has no observable changes for most users. Developers and power users who use developer mode might run into issues, but these can be resolved by disabling this restriction. Learn more about restricting symlink traversal.

Admin console updates

  • EAP-TLS device-level support

    Admins can now configure EAP-TLS network support at a device level. These network settings apply to users across the device, including users in a public session and kiosk mode. Learn more about adding a network configuration.

  • Managed Google Play on Chrome OS policy update

    With this release, the Android user policies Backup & Restore and Google Location Services are disabled by default for the Chrome Enterprise and Chrome Education services. Admins can only turn off these features or let the users configure them. Admins cannot force these on for their users. The policies allow users to easily restore their data and help improve location accuracy on their Android apps.

  • Admins can block apps from installation
    Currently not available for the Chrome Education service

    As an administrator, you can specify a blacklist of Android apps for users who have enabled All Access mode for Android on their organization’s domain. If a blacklisted app has already been downloaded onto a user’s device, it will be uninstalled.

  • Android app installation reporting

    In a new section in the Google Admin console, you and other admins can troubleshoot Android app installations on devices running Chrome OS. You can now see the status of force-install (and uninstall) operations and filter the reports by organizational unit, user, or status. You can also see which devices the status applies to.

  • Android app bulk purchasing on Education service

    As an administrator of the Chrome Education service, you can now bulk purchase one-time payment and perpetual-access apps from the managed Google Play store and provision them by user and organizational unit in the Admin console. In the Admin console, you can force-install, allow install, and pin apps to the taskbar. You can use a credit card and Google Play gift cards. In-app and subscription purchasing is not currently supported.

Upcoming Chrome Browser features (targeted for M68 and later)

  • Unencrypted sites to show “not secure” indicator (M68)

    For the past several years, we’ve advocated that sites adopt HTTPS encryption for greater security. Within the last year, we’ve also helped users by marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

    Chrome will offer a policy to control this warning on a per-domain basis.

    "not secure" warning

  • Canary release channel on Mac update (M68)

    This change unifies the policy list for all Chrome OS release channels on Mac devices to include the Canary channel, which is consistent with how other platforms operate.

  • Reduce Chrome crashes caused by third-party software (M68)

    In M66, Chrome began showing a warning to users after a crash that will display third-party software that is injecting code into Chrome, guiding them to update or remove that software. In M68, Chrome 68 will begin blocking third-party software from injecting code into Chrome processes.

    You can enable or disable third-party software blocking with the ThirdPartyBlockingEnabled policy.

    Disable third-party software blocking notification

  • Block a locally-installed hardcoded CA for Mitel VoIP products (M68)

    In M68, we intend to blacklist a hardcoded Certificate Authority (CA) and shared private key that’s installed with certain Mitel® VoIP products. The products contain both the public and private key for the Mitel IP Communications Platform (ICP) CA, which can be installed and trusted for a wide range of certificate purposes, including website SSL and TLS certificates. We’ve observed evidence of this CA being used to maliciously issue Man-in-the-Middle (MITM) certificates, including www.google.com. While this CA is not publicly-trusted as a part of the web PKI, it warrants protecting Chrome users by blocking trust in it. For more details, see Mitel's security advisory.

  • Certificate transparency (M68)

    M68 will require that all new publicly-trusted certificates issued after April 30, 2018 have several Certificate Transparency logs. This update does not affect existing certificates or certificates from locally-trusted CAs, such as Enterprise CAs or those used with antivirus or security products. For more information, see Certificate Transparency.

  • Redirect protection

    We’re working on a new security feature that blocks redirects from cross-domain iframes. To test if sites used by your organization are affected, you can visit these sites by going to chrome://flags/ and enable the flag #enable-framebusting-needs-sameorigin-or-usergesture.

    Framebusting requires same-origin or a user gesture

Upcoming Chrome OS features (targeted for M68 and later)

  • PIN sign-in support (M68)

    Users will now be able to sign in to their device using a numeric PIN. Previously, users could only use a PIN to unlock their device after first signing in with a password.

  • Video capture service (M68)

    Video capture from internal and external camera devices in Chrome (including on Chrome OS and Chromebox for meetings devices) has traditionally been run as part of the main Chrome Browser process. With the rollout of the video capture service, this functionality is now a separate process to help enable better isolation. There are no user-facing changes in functionality.

Upcoming Admin console features

  • Automatic re-enrollment (Forced re-enrollment enhancement) (M68)

    A new feature allows a Chrome OS device that is wiped or recovered to automatically re-enroll once it connects to a network. In the past, a user had to sign in to complete the re-enrollment step. But with the new feature, user credentials are no longer required to complete re-enrollment.

    Admins can still require users to sign in to re-enroll wiped or recovered devices.

  • Native printer management improvements

    There will be 2 new improvements for native printer management:

    • A new policy for user and device settings to remove the 20-printer limit per organizational unit.
    • A new policy to block users from manually adding printers is targeted for M68.
  • Sign-in Within the Browser policy

    Admins can restrict users who are signed in to the Chrome Browser from adding additional Google Accounts in the browser.

  • Device off-hours feature

    Admins can set up schedules to customize when sign-in restrictions and guest-mode policies are needed. For instance, schools can allow guardians and family members to sign in to Chrome OS devices with their personal accounts after school hours on managed devices.

  • Public session support for managed Google Play on Chrome OS

    You will soon be able to run Android apps in public sessions. Currently, Android apps can only run in a signed-in session.

Chrome 66

Security updates

  • Continuation of distrust of Symantec Certificates 

    Following our announcement to gradually phase out trust in Symantec's PKI, Chrome continues to remove trust in Symantec-issued certificates issued before June 1, 2016.

    The Google Security Blog published a guide for impacted site operators. The EnableSymantecLegacyInfrastructure enterprise policy allows administrators to temporarily remove Chrome's distrust of the Symantec PKI. The policy expires after Chrome 73 (targeted for release January 2019), giving enterprise admins 3 releases after Chrome's full distrust to migrate off of Symantec certificates.

    For details, see Migrate from Symantec certificates.

  • Site Isolation Trial

    Chrome 66 includes a trial of Site Isolation for a small percentage of users, to prepare for a broader upcoming launch. Site Isolation improves Chrome's security and helps mitigate the risks posed by the Spectre security vulnerability.

    If you observe any issues with functionality or performance in the trial, it can be disabled by policy.  To diagnose whether an issue is caused by Site Isolation, test by going to chrome://flags#site-isolation-trial-opt-out and follow these instructions to opt out. If any of your users experience issues, you can disable the trial for your whole organization by setting the SitePerProcess policy to false, instead of leaving it unspecified.

    If you experience any issues during the Site Isolation trial, please report them here.

Enterprise features

  • Chrome relaunch policy: RelaunchNotificationPeriod (M67)

    This feature allows admins to set the time period over which Chrome relaunch notifications are shown to apply a pending update. Over the period based on the setting of the RelaunchNotification policy, the user is repeatedly notified of the need for an update. If RelaunchNotificationPeriod isn't set, the default period of one week applies.

  • Click to open PDF 

    For downloading embedded PDF content with an embed or iframe when Chrome's default PDF viewer is disabled (via settings or Enterprise policy) or not present (as on mobile), an Open button appears on the PDF placeholder.

  • Force sign-in policy: Support for Mac

    The ForceBrowserSignin policy is supported on Mac.

Chrome policies

Changes in this release:

Policy Notes
AutoplayAllowed This policy allows you to control whether videos with audio content can autoplay (without user consent) in Chrome.
EnableCommonNameFallbackForLocalAnchors This policy has been deprecated.
EnableSymantecLegacyInfrastructure When this setting is enabled, Chrome allows certificates issued by Symantec Corporation's Legacy PKI operations to be trusted if they otherwise successfully validate and chain to a recognized CA certificate.
ForceBrowserSignin Force users to sign in to the profile before using Chrome. Added support for Mac.
RelaunchNotification Notify users to relaunch Chrome to apply a pending update.
SafeBrowsingExtendedReportingEnabled This setting enables Chrome's Safe Browsing Extended Reporting and prevents users from changing it.
SSLVersionMin If this policy isn't configured, Chrome uses the default minimum version of TLS 1.0.

 

UI changes

  • Reducing Chrome crashes caused by third-party software

    Chrome will begin showing a warning to users after a crash that displays third-party software injecting code into Chrome. It guides them to update or remove that software.

    Update or remove problem applications

Deprecations

  • Enable CommonName fallback for local anchors policy

    The EnableCommonNameFallbackForLocalAnchors policy was offered to give admins more time to update their local certificates. It removes the ability to allow certificates on sites using a certificate issued by local trust anchors that are missing the subjectAlternativeName extension.

    As of Chrome M66, we will be deprecating this policy. If a user running Chrome 66 tries to access a site where the certificate isn't allowed, they will see a warning indicating they can't trust the certificate.

  • Adobe Flash Deprecation

​​Adobe announced on July 25, 2017 it plans to deprecate Flash by the end of 2020. See Adobe's announcement and Chrome's blog post regarding the Flash deprecation.

 

Corrections

  • Previously listed as launching with Chrome 66, SafeBrowsingWhitelistDomains will now launch in Chrome 67. This policy allows you to configure the list of domains Safe Browsing trusts. Safe Browsing won't check for dangerous resources (for example, phishing, malware, or unwanted software) for URLs that match these domains.

 

↑ back to top

Chrome 65

Security updates

  • Support for TLS 1.3

    This release comes with the latest version of the Transport Layer Security (TLS) protocol (TLS 1.3 draft 23) turned on. Users of Cisco Firepower devices configured to perform TLS man-in-the-middle interception in Decrypt-Resign/SSL Decryption Enabled mode should see Cisco's documentation.

Chrome policies

Changes in this release:

Policy Notes
AlwaysAuthorizePlugins This policy was deprecated.
AbusiveExperience InterventionEnforce Prevent pages with abusive experiences from opening new windows or tabs.
AdsSettingForIntrusive AdsSites Set whether ads should be blocked on sites with intrusive ads.
DeviceLoginScreenAutoSelect CertificateForUrls Automatically select client certificates for these sites on the sign-in screen (available on Chrome OS).
DisablePluginFinder This policy was deprecated.
RestrictAccountsToPatterns Restrict accounts that are visible in Chrome (available on Android.)
SecondaryGoogleAccountSign inAllowed Allow multiple sign-in access within the browser (available on Chrome OS).
SecurityKeyPermitAttestation URLs/domains are automatically permitted direct Security Key attestation.
SpellcheckEnabled If this policy is on, the user is allowed to use spellcheck.
SpellcheckLanguage This policy force enables spellcheck languages.
ThirdPartyBlockingEnabled This policy enables third-party software injection blocking (available on Windows).
UnsafelyTreatInsecureOriginA sSecure This policy specifies a list of origins (URLs) to be treated as secure context. Learn more about secure contexts.
WebDriverOverrides IncompatiblePolicies This policy allows users of the WebDriver feature to override policies that can interfere with its operation.

Developer changes

  • Ignore <a download> for cross-origin URLs

    To avoid user-mediated information leakage, Chrome starts to ignore the presence of the download attribute on anchor elements with cross-origin attributes. See more details on Chromium.org.

Deprecations

  • Mac OS X 10.9 Support 

    Chrome won't support Mac OS X 10.9. Chrome on Mac OS X 10.9 does not autoupdate. If you have Mac OS X 10.9, upgrade to a newer Mac OS.

  • Adobe Flash Deprecation

​​Adobe announced on July 25, 2017 it plans to deprecate Flash by the end of 2020. See Adobe's announcement and Chrome's blog post regarding the Flash deprecation.

 

↑ back to top

Chrome 64

Security updates

The Chrome Releases Blog lists all the latest Chrome security changes. Chrome 64 also mitigates against speculative side-channel attacks.

  • Site isolation improvements  

    With M64, we fixed known issues and made improvements with site isolation.

Enterprise features

  • Forced sign-in  

    This feature allows admins to force a user to sign in with their Google account before using Chrome. It ensures Chrome can only be used when under management by cloud-based policies configured in the Admin console. See Force users to sign in to Chrome.

UI changes

  • Site muting 

    You can mute/unmute sites by interacting with the tab options or by clicking Lock Lock to the left of the URL (desktop only). The Sound settings page (for the desktop, chrome://settings/content/sound) lets you add exceptions for individual sites, as well as turn on/off audio for all sites. If you mute a site through this feature, all open tabs for that site are muted.

Chrome site muting dialog box

 
  • Stronger pop-up blocker 

    One out of every 5 user feedback reports submitted on Chrome for desktop mention some type of unwanted content. Examples include links to third-party websites disguised as play buttons or transparent overlays on websites that capture all clicks and open new tabs or windows. In this release, Chrome's pop-up blocker now prevents sites with these types of abusive experiences from opening new tabs or windows. Site owners can use the Abusive Experiences Report in Google Search Console to see if any of these abusive experiences have been found on their site and improve their user experience.

  • Change to JavaScript dialogs 

    We are changing the way Chrome handles JavaScript dialogs window.alert(), window.confirm(), window.prompt() to improve user experience and better align with other modern browser's behaviors. Background tabs are no longer brought to the foreground when a dialog is triggered. Instead, the tab header shows a small visual indicator.

    Sites can still show browser notifications if permitted by the user or admin. Users can allow browser notifications by interacting with the pop-up permission prompt or changing site permissions. Admins can use the NotificationsAllowedForUrls policy through GPO or the Admin console to list site URLs they want to allow to display notifications to users (for example, calendar.google.com).

Developer changes

  • Resize Observer 

    Traditionally, responsive web applications have used CSS media queries or window.onresize to build responsive components that adapt content to different viewport sizes. However, both of these are global signals and require the overall viewport to change in order for the site to respond accordingly. Chrome now supports the Resize Observer API to give web applications finer control to observe changes to sizes of elements on a page.

This code snippet uses the Resize Observer API to observe changes to an element:

const ro = new ResizeObserver((entries) => {

for (const entry of entries) {

const cr = entry.contentRect;

console.log('Element:', entry.target);

console.log(`Element size: ${cr.width}px × ${cr.height}px`);

console.log(`Element padding: ${cr.top}px / ${cr.left}px`);

}

})

// Observe one or multiple elements

ro.observe(someElement);

  • import.meta 

    Developers writing JavaScript modules often want access to host-specific metadata about the current module. To make this easier, Chrome now supports the import.meta property within modules that exposes the module URL via import.meta.url. Library authors might want to access the URL of the module being bundled into the library to more easily resolve resources relative to the module file as opposed to the current HTML document. In the future, Chrome plans to add more properties to import.meta.

Deprecations

  • SharedArrayBuffer (M63)

    In line with other browsers, starting on January 5, 2018, Chrome disabled SharedArrayBuffer on Chrome 63. To help reduce the efficacy of speculative side-channel attacks, Chrome will modify the behavior of other APIs, such as performance.now. This is intended as a temporary measure until other mitigations are in place.

  • Enable CommonName fallback for local anchors policy (M66)

    Chrome offered the EnableCommonNameFallbackForLocalAnchors policy to give IT admins more time to update their local certificates. As of Chrome 66, targeted for Stable Channel on April 2018, we will start deprecating this policy, which removes the ability to allow certificates on sites using a certificate issued by local trust anchors that is missing the subjectAlternativeName extension. If an end-user running Chrome 66 attempts to access a site where the certificate isn't allowed, they will see a warning that the certificate cannot be trusted.

  • Adobe Flash Deprecation

​​Adobe announced on July 25, 2017 it plans to deprecate Flash by the end of 2020. See Adobe's announcement and Chrome's blog post regarding the Flash deprecation.

 

↑ back to top

Chrome 63

Security updates

See the latest Chrome security improvements in the Chrome Releases Blog.

  • Enabling TLS 1.3 

    TLS 1.3 is enabled starting in Chrome 63. At this time, the only Google service with TLS 1.3 enabled is Gmail, but this expands to the broader web in 2018. End users should not be impacted by this change. If you are aware of any systems that don't work with TLS 1.3, post your feedback in the admin forum. As you prepare for wider use of TLS 1.3, you can configure this policy for network software or hardware in your enterprise that will not transit TLS 1.3 connections. See more information on Chromium.org.

  • Support for NTLMv2 authentication protocol 

    Chrome 63 also includes support for NTLMv2 authentication protocol on Mac, Android, Linux, and Chrome OS. We are expanding on a previous release that supported NTLMv2 for Windows. With versions prior to Chrome 63, this must be manually enabled via chrome://flags. In 2018, we set NTLMv2 as the default NTLM protocol. For enterprises that need to extend support for NTLMv1, a new policy is available to allow you to force the older NTLMv1 protocol as needed.

  • Site isolation 

    Site isolation is available in Chrome 63. With site isolation enabled, Chrome renders content for each open website in a separate process, isolated from other websites. This can mean even stronger security boundaries between websites than Chrome's existing sandboxing technology. Read more at Manage site isolation.

UI changes

  • Material design bookmarks

    Chrome's Bookmarks Manager has now been refreshed with new Material Design UI. Take a look by visiting chrome://bookmarks.

    Chrome bookmarks bar

Deprecations

  • Adobe Flash Deprecation

​​Adobe announced on July 25, 2017 it plans to deprecate Flash by the end of 2020. See Adobe's announcement and Chrome's blog post regarding the Flash deprecation.

 

↑ back to top

Chrome 62

Security updates

  • Warning for untrusted Symantec certificates

    Chrome 62 introduces a console warning for sites using certificates from Symantec or Symantec brands that may not be trusted in future versions of Chrome. For more information, see this blog post.

Enterprise features

  • Change to update-check URL

    We are changing our main update-check URL host on Chrome for desktop from tools.google.com to update.googleapis.com. You might need to update your enterprise's firewall whitelist to the our new update-check URL to ensure that Chrome continues to update. Learn more.

  • Manage extensions by permission

    The permission-based management of extensions is a new enterprise-focused set of controls implemented via Chrome policy and used to prevent extensions that request undesirable permissions from running. Example: Set or modify a proxy (proxy), Capture audio/video of the desktop (desktopCapture), etc. Learn more.

UI changes

  • Chrome Cleanup tool 

    On Chrome for Windows, the Chrome Cleanup feature alerts users when it detects unwanted software. It offers a quick way to remove the software and return Chrome to its default settings. We recently completed a full redesign of Chrome Cleanup. The new interface is simpler, has a native Chrome interface, and makes it easier to see what software will be removed.

    Use the Chrome Cleanup tool to remove harmful software

  • Edit username when saving passwords

    You can now edit your username when prompted to store a password for a website you visit. When you see the pop-up to save a password (or click the key icon in the address bar after signing in to a page), simply click Edit  and make any edits needed.

    Do you want Google Chrome to save your password to this site? dialog box
  • Introducing Site settings page

    Starting M62, you will see a new Site settings button. The Site settings page provides per-origin permissions, rather than per-permission exceptions.

    Site settings button accessed by clicking the lock icon at the start of the Chrome address bar

Deprecations

  • Adobe Flash Deprecation

​​Adobe announced on July 25, 2017 it plans to deprecate Flash by the end of 2020. See Adobe's announcement and Chrome's blog post regarding the Flash deprecation.

 

↑ back to top

Chrome 61

Security updates

To learn about the latest Chrome security changes, see the Chrome Releases Blog.

  • Final removal of trust in WoSign and StartCom certificates

    Chrome 61 or later won't trust website authentication certificates issued by WoSign or StartCom. This is the culmination of a multi-release distrust process.

Enterprise features

  • Side-by-side Chrome channels on Windows

    Chrome supports multiple release channels with varying degrees of stability and support. Most users browse with the Stable channel of Chrome. In addition to Stable, Google also ships early-access Chrome channels (Dev, Beta) to get early feedback on features and changes, directly from users and developers. Early-access channels allow developers and admins to try cutting-edge features and validate that business critical applications continue to function as Chrome changes.

    Currently, you can't install and run Dev or Beta Chrome on the same computer as the Stable version of Chrome. Starting M61, users can install and run Dev, Beta, and Stable versions concurrently on the same Windows computer. For more details, see the blog post.

UI changes

  • Material Design for New Tab Page (NTP)

    We applied a modernized Material Design look to the Desktop NTP. The search bar has been updated to a lighter drop-shadow style that is consistent with Google Web Search. Most visited sites has also been updated to use the same lighter style and refined hover, focus, and active states.

    Material Design New Tab Page in Chrome

  • New messaging for installing extensions that modify New Tab Page (NTP)

    Extensions can modify the main site shown on a new tab, called the new tab page (NTP). Users often install extensions that modify NTP but aren't fully aware of how their experience will change. Starting in M61, there is a new permission warning shown at extension install time, which will indicate that the extension can change the default NTP to a custom site. The goal of these changes is to improve user awareness about extensions that will change their Chrome defaults, once installed.

Deprecations

  • Adobe Flash Deprecation

​​Adobe announced on July 25, 2017 it plans to deprecate Flash by the end of 2020. See Adobe's announcement and Chrome's blog post regarding the Flash deprecation.

To see all of the changes that are in Chrome 61, visit the commit log.

 

↑ back to top

Chrome 60

Security updates

Learn more about the latest Chrome security updates in the Chrome Releases Blog.

Enterprise features

  • Chrome Enterprise Bundle (May 23, 2017)

    Google announced the release of the Chrome Enterprise Bundle, as well as Chrome Browser support for new platforms: Citrix Xenapp, Terminal Services, and Windows Server platforms. See the announcement.

Deprecations

  • Adobe Flash Deprecation

​​Adobe announced on July 25, 2017 it plans to deprecate Flash by the end of 2020. See Adobe's announcement and Chrome's blog post regarding the Flash deprecation.

To see all of the changes in Chrome 60, visit the commit log.

 

↑ back to top

Chrome 59

Enterprise features

  • Chrome Enterprise Bundle (May 23, 2017)

    Google announced the release of the Chrome Enterprise Bundle as well as Chrome Browser support for new platforms: Citrix Xenapp, Terminal Services, Windows Server platforms. See the announcement.

UI changes

  • Material Design comes to Chrome settings

    Chrome Settings has updated to Material Design with a new look with the same ease of use and functionality.

    Notable changes:

    • Larger and more prominent search bar
    • New menu icon Menu to the top left of Settings that gives you an easy way to jump to specific sections, like People, Appearance, and Search Engine
    • Combined and simplified Sign In and People sections
    • Streamlined Content Settings section
    • Search section renamed Search Engine
    • Privacy section renamed Privacy and Security
    • Proxy settings moved under the System section
    • Font sizes and page zoom settings moved to the Appearance section
    • HTTPS/SSL Manage Certificates settings moved under Privacy and Security section

To see all of the changes in Chrome 59, visit the commit log.

 

↑ back to top

Chrome 58

UI changes

  • Material Design coming soon to the Chrome settings page (59)

    For those already on Chrome's Dev or Canary channels, the Chrome settings (chrome://settings) page has updated to Material Design. The updated design is planned to launch in Chrome 59.

  • New desktop welcome page (Windows 10)

    We redesigned Chrome's first-run experience in M58. On Windows 10 platforms, we display a welcome page, which explains how to set Chrome as the default browser or pin it to the Windows taskbar. For Windows 7 and Windows 8 platforms, we display a Material Design page that promotes the Sign in to Chrome feature. This page launched to Mac and Linux during the Chrome 57 release.

Deprecations

  • Changes to website certificate handling

    After many years of the practice being discouraged, Chrome 58 removes support for the commonName field in website certificates. Only the subjectAltName extension will be used when matching certificates to host names. The EnableCommonNameFallbackForLocalAnchors policy can be used to re-enable old behavior for locally installed roots. Organizations are strongly encouraged to migrate to modern certificate standards and not rely on the continued presence of this policy.

    Chrome 56 stopped trusting certificates issued by WoSign and StartCom after October 21, 2016 in response to various incidents, and included a whitelist of certificates that would continue to work. Chrome 58 continues reducing the size of that whitelist.

    As a reminder, since Chrome 56, the use of SHA-1 website certificates is no longer supported unless configured via policy: EnableSha1ForLocalAnchors. This policy can be used to re-enable old behavior for locally installed roots, which gives organizations more time to move away from SHA-1 certificates. Chrome strongly encourages organizations to migrate to modern certificate standards and not rely on the continued presence of this policy, because it will be removed in January 2019.

To see all of the changes that are in Chrome 58, visit the commit log.

 

↑ back to top

Chrome 57

Security updates

  • Form Not Secure warning UI (M56)

    To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. As part of a long-term plan to mark all HTTP sites as non-secure, beginning in January 2017 (Chrome 56), we mark HTTP pages that collect passwords or credit cards as non-secure. Read about Moving toward a more secure web.

  • Chrome chip and icon

    Chrome security chip and icon for Chrome internal pages (Settings, History, Downloads...) indicate and verify that page is a secure internal Chrome page.

    You are viewing a secure Google Chrome page dialog box
  • Extension name chips

    Chrome will begin showing the extension name if the page URL is a chrome-extension:// URL. The extension name is displayed in the same style as security indicator URL-bar strings, but without any animations.

Enterprise features

  • Windows roaming profiles support

    We are launching initial support for roaming profiles on Windows. It enables users to have a Chrome Sync experience anywhere they sign in to Windows with their domain accounts if roaming profiles are enabled without the need to sign in to Chrome. For more information, see Using Chrome on roaming user profile.

  • Migrating capable 32-bit Chrome users to 64-bit Chrome

    To improve stability, performance, and security, users who are currently on the 32-bit version of Chrome and 64-bit Windows with 4 GB or more memory will be automatically migrated to 64-bit Chrome during the Chrome 57 rollout. The 32-bit Chrome will still be available via the Chrome download page.

UI changes

  • Revamp first-run and onboarding experience

    We redesigned Chrome's first-run experience in 57. On non-Windows 10 platforms, we display a Material Design page which promotes the Sign in to Chrome feature. For Windows 10, this feature will be launched in the Chrome 58 release.

    Welcome to Chrome sign in page
  • Requiring explicit user action to enable sideloaded extensions on Mac

    In some instances, Chrome extensions can be bundled with Mac software and added during the software download and installation process.

    Extensions that are bundled with Mac applications will be added to Chrome in a disabled state. The user will be prompted to either enable the extension or remove it from Chrome.

    Alert box to enable a Chrome extension on a Mac

Deprecations

  • chrome://plugins

    The Chrome plugins page was used to allow management of plugin settings within Chrome. But as the web has evolved, there have been fewer plugins to manage over time. In this update, the team moved the controls for the remaining components to a more standard and discoverable location: Chrome's content settings, which can be easily accessed at chrome://settings/content.

    A list of where common settings went:

    • Chrome PDF viewer options moved under Privacy and then Content settings and then PDF documents.
    • Adobe Flash Player options moved under Privacy and then Content settings and then Flash.
    • Widevine Content Decryption Module (which enables Widevine licenses for playback of HTML audio/video content) can be adjusted under Privacy and then Content settings and then Protected Content.
  • Deprecating insecure certificate types

    Since 56, Chrome has not trusted server certificates that use the insecure SHA-1 hash algorithm if they chain to publicly trusted roots. In Chrome 57, that is also true for enterprise or locally installed roots, unless the EnableSha1ForLocalAnchors policy has been set.

    Note that a collision attack has now been demonstrated against SHA-1. This policy should only be enabled after consulting your security team. Read more about setting Chrome policies for devices and SHA-1 Certificates in Chrome.

    Chrome 58 won't consider a certificate's common name when performing trust evaluation and will rely on subject alternative name only, unless the EnableCommonNameFallbackForLocalAnchors policy is set. Turn this policy on only after consulting your security team.

  • Distrusting WoSign and StartCom certificates

    Chrome 57 continues to reduce the number of whitelisted sites that can use WoSign or StartCom issued certificates, as Google discontinues trust for these certificates. Learn more in this blog post and on Chromium.org.

To see all of the changes in Chrome 57, visit the commit log.

 

↑ back to top

Additional resources

Still need help?

Bu size yardımcı oldu mu?
Bunu nasıl iyileştirebiliriz?