As a Chrome Enterprise admin, you can use your Admin console to apply app and extension policies across several apps at a time. For example, you might specify all the apps that you want to force install for users or pin on users' Chrome taskbars.
Before you begin
- To make settings for a specific group of users or enrolled Chrome browsers, put the user accounts or browsers in a group or organizational unit. Only user accounts can be added to groups. For details, see Groups and Add an organizational unit.
- To apply settings for Chrome browser users on Windows, Mac, or Linux computers, turn on Chrome management for the organizational unit that they belong to. See Turn on Chrome browser management.
- There is a limit of 500 for the total number of apps times the number of groups.
Set app or extension policies (main steps)
Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, or Linux. For details, see Understand when settings apply.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeApps & extensionsUser App Settings.
If you signed up for Chrome Enterprise Core, go to Menu Chrome browserApps & extensionsSettings.
- (Users only) To apply the setting to a group, do the following:
- Select Groups.
- Select the group to which you want to apply the setting.
-
To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Set the app and extension policies that you want to change. See Learn about each setting below.
- Click Save.
Learn about each setting
As an admin, you can use the following settings to apply policies to your apps and extensions.Chrome Web Store settings
Org name & logoFor administrators of managed users who are signed in to Chrome Web Store on ChromeOS devices or Chrome browser for Windows, Mac, and Linux.
For administrators of managed users who are signed in to Chrome Web Store on ChromeOS devices or Chrome browser for Windows, Mac, and Linux.
For administrators of managed users who are signed in to Chrome Web Store on ChromeOS devices or Chrome browser for Windows, Mac, and Linux.
Customize what pages display on Chrome Web Store, as well as what categories and previews to include on the Extensions page. For example, you can configure the following:
- Discover page display—Choose to show or hide the Discover page on your store. This is the end-user homepage and is curated for their needs; it can’t be customized for your organization.
- Extensions page previews—Add a preview and quick access to recommended or private extensions. Choose which extension previews you'd like to highlight at the top of the Extensions page.
- Extensions page categories—Choose what you’d like to display for the categories on the Extensions page: Productivity, Lifestyle, and Make Chrome Yours. By default, all categories show on Chrome Web Store, and you can choose to hide extension categories such as Just for Fun. Any extensions in hidden categories are still searchable on the store.
For more information, see Customized Chrome Web Store for enterprises.
For administrators of managed users who are signed in to Chrome Web Store on ChromeOS devices or Chrome browser for Windows, Mac, and Linux.
Additional app settings
Android apps on Chrome devicesBy default, users in this organizational unit are not allowed to install Google Play and Android apps on devices. To give users access to the approved apps in the Google Play store on their ChromeOS devices, select Allow users to install Android apps.
Specifies whether users are allowed to use Android apps on ChromeOS devices that are not managed by your organization.
Note: Settings that control users’ access to apps in the Google Play store, including Android apps on Chrome devices and Android apps for unaffiliated users, take precedence over this setting.
Allows you to block users from installing certain types of apps by unchecking the type of allowed app.
Types of app:
Allows you to specify which URLs are allowed to install extensions, apps, and themes. For example, if a URL where you have a .crx file matches the list, a Chrome installation prompt will appear if the user clicks the URL. Put one URL pattern on each line. For examples, see the Chrome developer site.
This policy has no effect on Android apps running on ChromeOS. To set policies for Android apps on ChromeOS devices that support them, see Use Android apps on ChromeOS devices
Not supported on Chrome version 78 or later
Allows you to choose whether you want to allow or not allow insecure extension packaging.
Allows you to block external extensions from being installed. An external extension is any extension that is not installed from the Chrome Web Store.
You can use this setting in 2 ways:
Block installing types of extensions
Prevent users from running extensions that request certain permissions that your organizational unit doesn’t allow.
For details, see Block apps and extensions based on permissions.
Prevent apps from altering webpages
Control whether apps or extensions in general can alter webpages that you specify.
For details, see Prevent Chrome extensions from altering webpages.
- Runtime blocked hosts—URLs to pages that you want to prevent apps from altering.
- Runtime allowed hosts—URLs to pages that you want to allow apps to alter. Access is allowed even if the pages are also defined in Blocked URLs.
Specifies whether users can see the Chrome Web Store app in the launcher on ChromeOS devices and on new tab pages.
This policy will be deprecated. To modify the Chrome Web Store homepage, use the Pages & content setting instead. For details, read about the Pages & content setting.
Changes the Chrome Web Store homepage to a custom homepage for your users when they're signed in. You can also recommend apps and extensions for your domain in a custom collection named after your domain in the Chrome Web Store.
To let users to publish private apps that are restricted to your domain on the Chrome Web Store, choose Allow users to publish private apps that are restricted to your domain on Chrome Web Store. Then, an option appears that lets you allow or prevent users from publishing private hosted apps if the domain name of the app’s launch_web_url
or app_url
is not owned by your organization.
Related topics: Create a Chrome app collection and Create and publish custom Chrome apps & extensions.
This policy only applies to extensions installed and updated from the Chrome Web Store. Off-store extensions that are self-hosted or locally installed using the command line switch or developer mode are not affected by this policy. Force-installed and version-pinned extensions are also excluded.
Specifies whether extensions unpublished from the Chrome Web Store are available on Chrome browser. By default, extensions that are unpublished on the Chrome Web Store are allowed. To disable unpublished extensions, select Disable unpublished extensions.
Chrome Apps are deprecated on Microsoft Windows, macOS, and Linux.
The default, Chrome Apps will be allowed to run on Windows, Mac, and Linux, means that Chrome Apps are allowed to run on these platforms until the final date when support is removed on all platforms.
If you select the other option, Chrome Apps might not be allowed to run, depending on the status of the deprecation rollout.
Chrome Apps that are force installed by policy are allowed regardless of which option you choose.
Allows you to monitor the success and failure of the installations to users and devices on your network by using the reporting tool found in the Admin console.
For setup information, see Monitor forced Android app installs.
Note: The report only shows information for managed users using managed ChromeOS devices that support managed Google Play.
Choose whether all apps that were running when the user signed out the last time are launched at the start of a session.
When the Restore all apps and app windows option is selected, the Pages to load on startup setting only applies when a user launches a new session for the first time on a new device or if sessions are ephemeral. For details, see Pages to load on startup.
Select one of the following options:
- Restore all apps and app windows—(Default) Apps and app windows are restored or not restored on startup depending on the option you select from Select desired behavior.
- Only restore Chrome browser—Only browser windows are automatically restored.
Settings | Result |
---|---|
Restore all apps and app windows |
Apps and app windows are always restored. |
Restore all apps and app windows + Ask user every time |
User is asked whether to restore apps and app windows. |
Restore all apps and app windows + Do not restore |
Apps and app windows are never restored. |
Only restore Chrome browser | When you select this option the browser is launched every time the user signs in depending on the option set in the Pages to load on startup setting. |
Allows you to choose whether to enable the creation of ghost windows while restoring Android apps after a crash or reboot.
Ghost windows are a preview of Android apps that are still loading. The user can see that an app will be available soon and they do not have to manually search for and start the app.
On your users’ ChromeOS devices, the launcher contains pre-installed creativity apps. These apps include Camera, Canvas, Gallery, and Screencast. Use this setting to specify which of those apps you want to pin to the shelf on devices. Users can’t unpin them.
By default, for Education customers, Canvas and Screencast are pinned to the shelf. Otherwise, none of the creative apps that are pre-installed in the launcher are pinned to the shelf.
For details about pinning apps to the launcher, see the PinnedLauncherApps policy.
Specifies extension install types that are not allowed. Selecting Command line prevents Chrome browser from loading extensions from command line.
Controls the use of ad-hoc signatures for applications created when installing a Progressive Web Application (PWA). This ensures that each installed application has a unique identity to macOS system components.
The default is Use the Chrome default setting,
If you select Do not use ad hoc code signatures for Progressive Web App shims, every native application created when installing Progressive Web Applications has the same identity. This can interfere with macOS functionality. Only select this option if you are using an endpoint security solution that blocks applications with an ad-hoc signature.
Related topics
- Automatically install apps and extensions
- Allow or block apps and extensions
- Prevent Chrome extensions from altering webpages
- Create and publish custom Chrome apps & extensions
Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.