Allow private browsing

For administrators who manage Chrome Browser or Chrome devices for a business or school.

As a Chrome administrator, you can let users browse the web in private. For example, multiple users can share the same device without being able to see other users’ browsing history and Chrome profile information.

Step 1: Compare private browsing options

Decide which type of private browsing is right for users in your organization.

  • Ephemeral—Users sign in to Chrome and have access to the full extent of a browser session. For example, they can use Chrome sync to synchronize and save their bookmarks, history, and other settings to their Google Account. When they sign out of Chrome or exit the browser, all local data is deleted. Ephemeral browsing is useful for shared devices with multiple users.
  • Guest—Users can browse the web without signing in to their Google Account or being affected by existing Chrome profiles on a device. Browser session data isn’t saved on the local disk. Guest sessions are useful for letting other users privately browse the web without signing in. For example, users can provision certificates or gather logs to help troubleshoot problems with Chrome.
  • Incognito—Users can browse the web using a separate Chrome window from the one that they’re signed in to. Users can switch between Incognito windows and their regular Chrome windows, but they only browse in private when they're using an Incognito window. Browser session data isn’t saved on the local disk. Incognito windows are useful when users want to temporarily browse the web without keeping history or using previous history. For example, if a user has signed in to their personal account and wants to temporarily sign in to the Google Admin console using a different account, Incognito mode creates separation and ephemerality.

Users can browse Chrome as a guest or in Incognito mode, unless you use policy to disable those browsing modes. Users can only browse Chrome in Ephemeral mode if you use policy to force them to. The following table compares commonly used features available for ephemeral, guest, and incognito private browsing options.

| Feature | Ephemeral | Guest | Incognito |
|---|---|---|---|
| Users can add bookmarks. | Yes. Bookmarks are removed when the browser session ends. | No | Yes. Bookmarks remain after the browser session ends. |
| Chrome sync is available. | Yes | No | No |
| Data is written to disk during browser session. | Yes. Data is removed when the browser session ends. | No | No |
| Users can use extensions. | Yes | No | Yes. Users need to individually enable extensions in Incognito mode. |
| Users can launch Chrome Browser in this mode. | No | No | Yes |
| Users can reopen recently closed tabs. | Yes | No | No |
| Browsing history is saved. | Yes (only if Chrome sync is enabled) | No | No |

Step 2: Review policies

Policy Description

BrowserGuestModeEnabled

Specifies whether users can use Chrome Browser as a guest. Guest users can browse the web without having to sign in to their Google Account.

Unset: Guest sessions are allowed.

DeviceEphemeralUsersEnabled

Specifies whether to wipe local user data when users sign out of Chrome.

Unset: Devices running Chrome OS keep local user data.

DeviceGuestModeEnabled

Specifies whether users can use a device running Chrome OS as a guest. Guest users can browse the web without having to sign in to their Google Account.

Unset: Guest users can browse the web.

ForceEphemeralProfiles

Specifies whether to switch to ephemeral browsing when Chrome Browser starts.

If you use on-premise tools to enforce policies that control Chrome Browser, this policy applies to all users who sign in to Chrome, including personal Gmail accounts. If you use the Google Admin console to manage user-level policies from the cloud, this policy only applies when users sign in to Chrome with their managed Google Account.

Unset: Chrome Browser doesn’t switch to ephemeral browsing.

IncognitoModeAvailability

Specifies whether users can browse the web in an Incognito window in Chrome Browser and on devices running Chrome OS.

Choose one of the options:

  • 0—Incognito mode available: Users can open webpages in an Incognito window.
  • 1—Incognito mode disabled: Users can't open webpages in an Incognito window.
  • 2—Incognito mode forced: Users can only open webpages in an Incognito window.

Unset: Users can browse the web in an Incognito window.

Step 3: Set the policies

Follow the steps below, based on how you want to manage these policies.

Admin console

Can apply for signed-in users on any device, or enrolled browsers on Windows, Mac, or Linux.
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device management > Chrome management.

    If you don't see Device management on the Home page, click More controls at the bottom.

  3. (Optional) To force users to browse the web in Ephemeral mode:
    1. Click User settings.
    2. On the left, select the organization where you want to configure policies.
      For all users, select the top-level organization. Otherwise, select a child organization.
    3. Go to Security.
    4. For Force Ephemeral mode, select Erase all local user data.
  4. (Optional) To allow guest browsing on devices using Chrome OS:
    1. Click Device settings.
    2. On the left, select the organization where you want to configure policies.
      For all devices, select the top-level organization. Otherwise, select a child organization.
    3. Go to Sign-in Settings.
    4. For guest browsing policy, select Allow Guest Mode.
  5. (Optional) To let users browse the web in Incognito mode:
    1. Click User settings.
    2. On the left, select the organization where you want to configure policies.
      For all users, select the top-level organization. Otherwise, select a child organization.
    3. Go to Security.
    4. For Incognito mode, select Allow Incognito Mode.
  6. Click Save.

Windows

Applies to Windows users who sign in to a managed account on Chrome Browser.

Using Group Policy

In your Microsoft Windows Group Policy Management Editor (Computer or User Configuration folder):
  1. Go to Policies > Administrative Templates > Google > Google Chrome.
  2. To force users to browse the web in Ephemeral mode, enable Ephemeral profile.
    Tip: If you don't see this policy, download the latest policy template.
    Leaving this policy Not configured uses the Unset behavior described above.
  3. To allow guest browsing in Chrome Browser, turn on Enable guest mode in browser.
    Leaving this policy Not configured uses the Unset behavior described above.
  4. To let users browse the web in Incognito mode:
    1. Enable Incognito mode availability.
      Leaving this policy Not configured uses the Unset behavior described above.
    2. Set an option:
      • Incognito mode available—Users can open webpages in Incognito mode.
      • Incognito mode disabled—Users can’t open webpages in Incognito mode.
      • Incognito mode forced—Users can only open webpages in Incognito mode.
  5. Deploy the update to your users.

Mac

Applies to Mac users who sign in to a managed account on Chrome Browser.
  1. In your Chrome configuration profile, add or update the following keys: 
    • To force users to browse the web in Ephemeral mode, set the ForceEphemeralProfiles key to true.
    • To allow guest browsing in Chrome Browser, set the BrowserGuestModeEnabled key to true.
    • To let users browse the web in Incognito mode, set the IncognitoModeAvailability key to <integer>value</integer>, where value is 0, 1, or 2.
  2. Deploy the change to your users.

Linux

Applies to Linux users who sign in to a managed account on Chrome Browser.
Using your preferred JSON file editor:
  1. Go to your /etc/opt/chrome/policies/managed folder.
  2. Create or update a JSON file.
  3. Apply settings:
    • To force users to browse the web in Ephemeral mode, set ForceEphemeralProfiles to 1.
    • To allow guest browsing in Chrome Browser, set BrowserGuestModeEnabled to 1.
    • To let users browse the web in Incognito mode, set IncognitoModeAvailability to 0, 1, or 2.
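
A check for the Linux JSON file described above, as an added example that is not Google's code: it parses one managed-policy document, validates the three Chrome Browser policies, and reports the resulting modes using the Unset defaults from Step 2. The function name, the sample documents, and the requirement that booleans be written as JSON true or false (the values the verification step lists) are assumptions of this example.

```python
import json

# Defaults come from the "Unset" lines in Step 2 of this page.
BOOL_DEFAULTS = {
    "BrowserGuestModeEnabled": True,   # Unset: guest sessions are allowed
    "ForceEphemeralProfiles": False,   # Unset: no switch to ephemeral browsing
}
INCOGNITO = {0: "available", 1: "disabled", 2: "forced"}

# Constructed sample files (not taken from a real deployment).
SAMPLE_SHARED_DEVICE = """{"ForceEphemeralProfiles": true,
  "BrowserGuestModeEnabled": false, "IncognitoModeAvailability": 1}"""
SAMPLE_MISTYPED = """{"ForceEphemeralProfiles": "yes",
  "IncognitoModeAvailability": 3}"""


def audit_policy(text):
    """Return (effective, problems) for one managed-policy JSON document.

    A value of None in `effective` means the setting was present but invalid.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, [f"invalid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return None, ["top level must be a JSON object"]

    effective, problems = {}, []
    for name, default in BOOL_DEFAULTS.items():
        value = doc.get(name, default)
        # Assumption: booleans are JSON true/false, as chrome://policy lists them.
        if not isinstance(value, bool):
            problems.append(f"{name}: expected true or false, got {value!r}")
            value = None
        effective[name] = value

    mode = doc.get("IncognitoModeAvailability", 0)  # Unset: Incognito allowed
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(mode, int) and not isinstance(mode, bool) and mode in INCOGNITO:
        effective["IncognitoModeAvailability"] = INCOGNITO[mode]
    else:
        problems.append(f"IncognitoModeAvailability: expected 0, 1 or 2, got {mode!r}")
        effective["IncognitoModeAvailability"] = None
    return effective, problems


if __name__ == "__main__":
    for label, text in [("shared device", SAMPLE_SHARED_DEVICE),
                        ("mistyped", SAMPLE_MISTYPED)]:
        print(label, audit_policy(text))
```

Run it against each file in the managed folder before deployment; an empty problems list with the expected modes is the result to look for.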

Verify policies are applied

After you apply any Chrome policies, users need to restart Chrome Browser for the settings to take effect. Check users’ devices to make sure the policy was applied correctly.

  1. On a managed device, go to chrome://policy.
  2. Click Reload policies.
  3. Check the Show policies with no value set box.
  4. For the policies that you set, make sure that Status is set to OK:
    • DeviceEphemeralUsersEnabled
    • ForceEphemeralProfiles
    • IncognitoModeAvailability
    • DeviceGuestModeEnabled
    • BrowserGuestModeEnabled
  5. For the policies that you set, make sure that the policy values match what you set in the policy.
    • DeviceEphemeralUsersEnabled—true or false
    • ForceEphemeralProfiles—true or false
    • IncognitoModeAvailability—0, 1, or 2
    • DeviceGuestModeEnabled—true or false
    • BrowserGuestModeEnabled—true or false
