Planning your return to office strategy? See how Chrome OS can help.

Understand Chrome policy management

For administrators who manage Chrome browser or Chrome OS devices for a business or school.

To deploy Chrome Enterprise or Chrome Education features to Chrome users, you push policies and settings to their devices or their managed Google Account (Chrome profile). Use policies to set your users' homepage, automatically install apps and extensions, control what sites they can visit, and much more.

Options for enforcing Chrome policies

You have several ways to push policies to users. Which you choose depends on the devices you're managing and the configuration tools you want to use.

Windows, Mac, Linux managed on-premise by GPOs, managed preferences, and JSON files and Chromebook cloud-managed in Admin console

What's in the diagram

  • User devices: Manage Chrome browsers on Windows, Mac, and Linux computers, or on Chrome OS devices, such as Chromebooks.

  • Admin tools: Use your preferred on-premise tools to keep management behind your organization's firewall. Or manage policies from the Google's secure Admin console.

  • Policies: Enforce Chrome policies at the device/machine-level so they apply for anyone who uses the device. Or customize policies at the OS user-level or Chrome profile level.

Order of precedence for Chrome policies

You can set Chrome policies at the device level, where they apply for anyone who uses the device. Or set a policy at the user level, where it only applies when users sign in to a managed account. If the same policy gets set at more than one level, only one value gets applied, as shown below.

Chrome policy precedence

Security considerations

To prevent the order of precedence from being set using the Admin Console, set CloudPolicyOverridesPlatformPolicy and CloudUserPolicyOverridesCloudMachinePolicy to false at the device/machine level.

1. Device/machine-level policies

  • Apply to all users of a device, no matter which browser they use or whether they’re signed in to any account.
  • By default, take precedence over all user-level policies.
  • Are set using Windows Group Policy, the Admin console for Chrome OS devices, or Managed preferences for Mac. They can also be set for Linux.

2. Machine-level cloud policies

  • Apply to Chrome browsers enrolled in Chrome Browser Cloud Management.
  • By default, take precedence over OS user settings, and Chrome profile settings made in the Admin console.
  • Are set using the Admin console.

3. OS-user level policies

  • Apply when a user signs in to their account on a managed Windows or Mac computer.
  • By default, take precedence over Chrome profile settings made in the Admin console.
  • Are set using Windows Group Policy, or Managed Preferences on Mac.

4. Chrome profile policies

  • Refers to a user’s Chrome experience when they sign in to a cloud-managed user account on Chrome browser (Windows, Mac, or Linux) or on a Chrome OS device.
  • By default, are overridden by policies set on-premise for corporate-managed PCs.
  • Are set using the Admin console.

Changing the order of precedence

Does not apply for Chrome OS devices

You can use the CloudPolicyOverridesPlatformPolicy and CloudUserPolicyOverridesCloudMachinePolicy policies to change the order of precedence for Chrome policies.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devicesand thenChrome.
  3. Click Settingsand thenUsers & browsers.
  4. To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Go to Setting sources.
  6. For Policy precedence, choose an option. See the options described below.
  7. Click Save.
Option 1
  • Admin console—Machineand thenMachine cloudand thenOS userand thenChrome profile
  • Policies
    • CloudPolicyOverridesPlatformPolicy: false
    • CloudUserPolicyOverridesCloudMachinePolicy: false

Change policy order for scenario 1

Option 2
  • Admin console—Machineand thenChrome profileand thenMachine Cloudand thenOS user
  • Policies
    • CloudPolicyOverridesPlatformPolicy: false
    • CloudUserPolicyOverridesCloudMachinePolicy: true

Option 3
  • Admin console—Machine cloudand thenMachineand thenOS usand thenChrome profile
  • Policies
    • CloudPolicyOverridesPlatformPolicy: true
    • CloudUserPolicyOverridesCloudMachinePolicy: false

Option 4
  • Admin console—Chrome profileand thenMachine cloudand thenMachineand thenOS user
  • Policies
    • CloudPolicyOverridesPlatformPolicy: true
    • CloudUserPolicyOverridesCloudMachinePolicy: true

Merging Chrome policies

You can use PolicyListMultipleSourceMergeList and PolicyDictionaryMultipleSourceMergeList to allow the merging of Chrome policies that are applied from multiple sources.

Security considerations

To prevent users from controlling policies, policies applied to Chrome profiles and Chrome OS users cannot be merged.

If the Chrome browser and profile are managed through the Admin console by the same organization, you can use CloudUserPolicyMerge to enable the merging of policies applied to Chrome profiles.

Examples

Machine-level merging

Merging policy values:

  • PolicyListMultipleSourceMergeList: [“ExtensionInstallForcelist”]
  • CloudUserPolicyMerge: false

ExtensionInstallForcelist policy values across multiple sources:

  • Device / machine: [“a”, “b”]
  • Machine-level cloud: [“b”, “c”, “d”]
  • Chrome profile: [“e”, “f”]
  • Chrome OS user: [“g”, “h”]

ExtensionInstallForcelist policy value applied to the browser: [“a”, “b”, “c”, “d”]

Machine and user-level merging

In this example, we assume that the same organization manages the Chrome browser and profile through the Admin console.

Merging policy values:

  • PolicyListMultipleSourceMergeList: [“ExtensionInstallForcelist”]
  • CloudUserPolicyMerge: true

ExtensionInstallForcelist policy values across multiple sources:

  • Device / machine: [“a”, “b”]
  • Machine-level cloud: [“b”, “c”, “d”]
  • Chrome profile: [“e”, “f”]
  • Chrome OS user: [“g”, “h”]

ExtensionInstallForcelist policy value applied to the browser: [“a”, “b”, “c”, “d”, “e”, “f”]:

  • OS user policy values are not merged

Related topics

Was this helpful?
How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
410864
false