Understand Chrome policy management

For administrators who manage Chrome browser or ChromeOS devices for a business or school.

Want to remotely set policies for ChromeOS devices? Start your Chrome Enterprise Upgrade trial at no charge today

To deploy Chrome Enterprise or Chrome Education features to Chrome users and customize your users Chrome browser experience, you push policies and settings to their devices or their managed Google Account (Chrome profile). Use policies to set your users' homepage, automatically install apps and extensions, control what sites they can visit, and much more.

Options for enforcing Chrome policies

You have several ways to push policies to users. Which you choose depends on the devices you're managing and the configuration tools you want to use.

Windows, Mac, Linux managed on-premise by GPOs, managed preferences, and JSON files and Chromebook cloud-managed in Admin console

What's in the diagram

  • User devices: Manage Chrome browsers on Windows, Mac, and Linux computers, or on ChromeOS devices, such as Chromebooks.

  • Admin tools: Use your preferred on-premise tools to keep management behind your organization's firewall. Or manage policies from the Google's secure Admin console.

  • Policies: Enforce Chrome policies at the device/machine-level so they apply for anyone who uses the device. Or customize policies at the OS user-level or Chrome profile level.

Understanding the different policies

Platform policies

Apply to all users of a device, independent of the Chrome browser in use, Dev, Beta, Canary, Stable or Extended Stable, or whether users are signed into the browser.

You can set these policies using:

  • Group Policy Object (GPO) for Windows
  • The Admin console for ChromeOS
  • Managed preferences for MacOS
  • Enterprise management tools for Linux
  • Machine-based policies using your device management solution of choice, for example, Workspace One, Intune, or BigFix
Machine cloud policies

Apply to all browsers enrolled in Chrome Enterprise Core where an enrollment token has been deployed to the machine. For details, see Enroll cloud-managed Chrome browsers.

Policies are configured and enforced using the Admin console regardless of your OS.

OS-user policies

Applies when a user signs in with their corporate account on a managed device.

You can set these policies using:

  • Group Policy Object (GPO) for Windows
  • Managed Preferences for MacOS
  • Enterprise management tools for Linux
  • User based policies using your device management solution of choice. For example, Workspace One, Intune, BigFix
Cloud-user policies (Chrome profile)

Applies to a user who signs into Chrome browser with a managed account and to domain-verified accounts. If you are using an email-verified account, you have to verify your domain to unlock this feature.

Policies are configured and enforced using the Admin console regardless of your OS. For details, see Manage user profiles on Chrome browser.

Order of precedence for Chrome policies

By default, Chrome policies respect the following order:

  1. Platform policies
  2. Machine cloud policies
  3. OS-user policies
  4. Cloud-user policies (Chrome profile)

This means that if the same policy is set using different methods, by default, the policy at top of the hierarchy is applied, and all other policies are ignored.

Example

You have configured a Windows device policy with a set of bookmarks you want to push to your Windows fleet, using a group policy. You have deployed the policy to a group of devices. This is an example of a platform policy.

You have also configured another set of bookmarks in the Admin console. This policy was configured for an organizational unit containing all the enrolled browsers in your Windows fleet. This is an example of a machine cloud policy.

In this scenario, since platform policies are hierarchically superior to machine cloud policies, the bookmarks configured in the group policy are applied on your Windows devices. The bookmarks set in the Admin console are ignored.

Changing the order of precedence

Does not apply for ChromeOS devices

You can use either the Policy precedence setting in the Admin console or the CloudPolicyOverridesPlatformPolicy and CloudUserPolicyOverridesCloudMachinePolicy machine-based policies to change the order of precedence for Chrome policies.

To change the order of precedence, your Chrome browser fleet must be managed by Chrome Enterprise Core. User cloud policies only take precedence if the associated Chrome profile is affiliated. If not, they follow the default order of precedence. For details, see Understand user affiliation.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenChromeand thenSettings. The User & browser settings page opens by default.

    If you signed up for Chrome Enterprise Core, go to Menu and then Chrome browserand thenSettings.

  3. (Optional) To apply the setting only to some users and enrolled browsers, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how

    Group settings override organizational units. Learn more

  4. Go to Setting sources.
  5. Click Policy precedence.
  6. Choose an option. See the options described below.
  7. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit (or Unset for a group).

Precedence order choices in order of priority:

  • 1. Machineand then2. Machine cloudand then3. OS userand then4. Chrome profile
  • 1. Machine cloudand then2. Machineand then3. OS userand then4. Chrome profile
  • 1. Machineand then2. Chrome profileand then3. Machine cloudand then4. OS user
  • 1. Chrome profileand then2. Machine cloudand then3. Machineand then4. OS user

Merging Chrome policies

When policies are configured using different methods, only the policy at the top of the hierarchy applies.

You can use either the Policy mergelist setting in the Admin console or the PolicyListMultipleSourceMergeList and PolicyDictionaryMultipleSourceMergeList policies to merge policies that are applied from multiple sources.

Alternatively, you can use the wildcard * that allows you to merge all supported policies.

The PolicyDictionaryMultipleSourceMergeList only applies to:

  • ContentPackManualBehaviorURLs
  • DeviceLoginScreenPowerManagement
  • ExtensionSettings
  • KeyPermissions
  • PowerManagementIdleSettings
  • ScreenBrightnessPercent
  • ScreenLockDelays

Example:

When one set of bookmarks is configured through group policy and another set of bookmarks is set in the Admin console, the first is hierarchically superior to the second, so only the bookmarks configured with the group policy are applied on the device.

If you want to have both sets of bookmarks applied on your Windows devices, you can configure the merging of the policies and using the wildcard * value. This means, even though you have configured bookmarks using different methods, your Windows devices will get all bookmarks; those configured via group policy and those configured using the Admin console.

Security considerations

For ChromeOS only: to prevent users from controlling policies, policies applied to Chrome profiles and ChromeOS users cannot be merged.

To prevent data leaks, machine and user policies can not be merged if they do not originate from the same Admin console.

Example 1

You have a machine managed under Company A’s domain. You also sign into a managed Chrome profile from Company B. User policies from Company B’s console can not be merged with machine policies applied from Company A. Company A’s policies will always take precedence over Company B’s user profile policies.

Example 2

You have a managed Chrome profile from Company A and another managed Chrome profile from Company B. You have no machine policies applied from the domain. In that instance each company’s policies will independently apply for their respective profiles but there will never be a way for them to merge. The profiles and policies are mutually exclusive.

If the Chrome profile is affiliated, you can use either the User cloud policy merge setting in the Admin console or the CloudUserPolicyMerge policy to enable the merging of user cloud policies into machine-level policies.

Note: Even if you enable this policy, a mandatory policy still overrides a recommended policy and a machine scope policy still overrides a user scope policy.

Related topics

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
17912806563272914715