Menu

Chrome OS policies

This page describes the policies that you can configure for Chromebooks.

Chrome OS policies can be in one of several possible states:

  • Set — A setting is chosen, and it changes behavior.
  • Set and default — A setting is chosen, but it doesn't change any behavior because it's the same as the default.
  • Set and user-defined — A setting is chosen, but it allows the device user to specify the behavior on the Chromebook.
  • Unset and user-defined — No setting is chosen, and the device user can specify the behavior on the Chromebook.

In order to help reduce potential confusion, settings labelled (default) in a policy description indicate default system and user account behavior. There may also be notation that describes unique default behavior when a policy is unset, or system behavior that by default the device user has control over.

Unless otherwise specified, managed user or device user refers to someone who has signed in to an enrolled Chromebook with a Google account associated with one of your organizations. Unmanaged user refers to someone who has signed in to an enrolled Chromebook with an unassociated Google account. Some policies apply differently to managed and unmanaged users. In these cases, the policy's description accounts for any differences.

User & Browser

General

Policy Description Supported system
Maximum user session length

Specifies device user session duration. The remaining session time is shown on a countdown timer in the system tray. After the specified time, the user account is automatically signed out and the session ends.

Values

Enter a session length, in minutes. The value can be 1—1440 (maximum 24 hours).

Chrome OS 25 and higher
Custom avatar

Sets the user account avatar on the login screen.

Values

To add an image, click upload. To inspect the current image, click View. To remove the current image, click Delete.

The image file can be JPG or JPEG format and can't exceed 512 KB in size.

Chrome OS 34 and higher
Custom wallpaper

Sets the desktop wallpaper.

Values

To add an image, click upload. To inspect the current image, click View. To remove the current image, click Delete.

The image file can be JPG or JPEG format and can't exceed 16 MB in size.

Chrome OS 61 and higher

Sign-in settings

Policy Description Supported system
Display password button

Toggles the Show password button on sign in and lock screens. This button makes the password visible as plain text while the device user enters their credentials.

Values

  • Show the display password button on the login and lock screens
  • Hide the display password button on the login and lock screens
Chrome OS 86 and higher

Enrollment controls

Policy Description Supported system
Device enrollment

Specifies which organization to enroll the Chromebooks in. Only applies when a Chromebook is first enrolled.

Values

  • Place Chrome device in user organization — When you first enroll a Chromebook, it's added to the organization that the enrolling user belongs to, and that organization's profile is applied. This setting is useful if you need to manually enroll many Chromebooks, as you won't need to manually move them into more specific organizations after enrollment.
  • Keep Chrome device in current location — When you first enroll a Chromebook, it's added to the top-level organization in your enterprise, and that organization's profile is applied.
Asset identifier during enrollment

Allows the device user to add an asset ID and location for a Chromebook when they enroll it. If enabled, the Device information page pre-populates with data. If no data exists, the page's fields are blank. The user can edit or enter the Chromebook details before they complete enrollment.

Values

  • Users in this organization can provide asset ID and location during enrollment
  • Do not allow for users in this organization
Enrollment permissions

Allows the device user to enroll new devices, re-enroll existing devices that have been enrolled, or re-enroll deprovisioned devices. Existing devices include wiped or factory-reset devices. Re-enrolling an existing device does not consume an upgrade.

Enrollment permissions only take effect on devices that have been configured to re-enroll with manual credential entry.

Values

  • Allow users in this organization to enroll new or re-enroll existing devices (default) — The device user can enroll new devices and re-enroll existing devices that were wiped or factory reset, but not deprovisioned.
  • Only allow users in this organization to re-enroll existing devices (cannot enroll new or deprovisioned devices) — The device user can re-enroll existing devices that were wiped or factory reset, but not deprovisioned.
  • Do not allow users in this organization to enroll new or re-enroll existing devices — The device user can't enroll or re-enroll any device, including through forced re-enrollment.

Apps and extensions

Policy Description Supported system
Task manager

Allows device users to end processes on the Task Manager.

Values

  • Allow users to end processes with the Chrome task manager
  • Block users from ending processes with the Chrome task manager
Chrome OS 52 and higher

Site isolation

Policy Description Supported system
Site isolation

Toggles site isolation on Chrome browser.

Values

  • Require site isolation for all websites, as well as any origins specified in below (default) — Every website is rendered by a separate, isolated process.
  • Turn off site isolation for all websites, except those set in below — Only websites specified by the allowlist render in a separate, isolated process.
Chrome OS 63 and higher
> Isolated origins

Specifies an allowlist of websites that aren't isolated on Chrome browser.

Values

To add a URL, enter it and click add. To remove one, click delete.

The pattern matching for this policy differs from the typical enterprise URL pattern format. For full details, see IsolateOrigins.

Chrome OS 63 and higher

Security

Policy Description Supported system
Password manager

Toggles the password manager on Chrome browser.

Values

  • Allow the user to decide (default) — The device user can enable or disable the password manager.
  • Never allow use of password manager — The password manager remembers and autofills prior saved passwords, but the device user can't add new passwords.
  • Always allow use of password manager — The password manager always remembers and autofills passwords.
Chrome OS 11 and higher
Lock screen

Toggles the lock screen.

Values

  • Allow locking screen — Under conditions that would normally lock the screen, the screen locks.
  • Do not allow locking screen — Under conditions that would normally lock the screen, including the system going to sleep, the system signs out the user account.
Chrome OS 52 and higher
Quick unlock

Allows the device user to unlock the system with the PIN and fingerprint methods, if configured. As a security best practice, you should avoid allowing PIN unlock on shared Chromebooks.

Values

Select which quick unlock methods to allow:

  • PIN — The device user can unlock the Chromebook with a PIN.
  • Fingerprint — The device user can unlock the Chromebook with a fingerprint scan.
Chrome OS 87 and higher
PIN auto-submit

Toggles the PIN auto-submit feature on the sign in and lock screens. This feature displays a PIN-based UI, like that of a smartphone, and indicates how many digits are in the PIN.

Values

  • Enable PIN auto-submit on the lock and login screen
  • Disable PIN auto-submit on the lock and login screen
Chrome OS 86 and higher
Lock screen media playback

Toggles media playback while the Chromebook is locked.

Values

  • Allow users to play media when the device is locked
  • Do not allow users to play media when the device is locked
Chrome OS 78 and higher
Idle settings

Specifies the duration of the idle timer on the Chromebook. This setting defines the time, in minutes, before the device goes to sleep or signs out the user account. Leave blank for system default.

Values

Enter an idle time in minutes.

Chrome OS 35 and higher
> Action on idle

Controls the Chromebook behavior when the idle time elapses.

Values

  • Sleep (default) — Go to sleep.
  • Logout — Sign out.
  • Lock Screen — Lock.
Chrome OS 35 and higher
> Action on lid close

Controls the Chromebook behavior when its lid is closed.

Values

  • Sleep (default) — Go to sleep.
  • Logout — Sign out.
  • Lock Screen — Lock.
Chrome OS 26 and higher
> Lock screen on sleep

Controls the Chromebook behavior when it sleeps.

Values

  • Allow user to configure (default) — The device user can locally change this setting.
  • Don't lock screen — Doesn't lock.
  • Lock screen — Lock.
Chrome OS 9 and higher
Incognito mode

Allows the device user to browse in Incognito mode on Chrome browser.

Values

  • Allow incognito mode (default)
  • Disallow incognito mode
Chrome OS 14 and higher
Browser history

Toggles browsing history on Chrome browser.

Values

  • Never save browser history
  • Always save browser history (default)
Chrome OS 11 and higher
Clear browser history

Allows the device user to clear their Chrome browser data, including their browsing and download history.

Values

  • Allow clearing history in settings menu
  • Do not allow clearing history in settings menu
Chrome OS 57 and higher
Online revocation checks

Toggles Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) checks for HTTPS certificates.

Values

  • Perform online OCSP/CRL checks
  • Do not perform online OCSP/CRL checks
Chrome OS 19 and higher
Geolocation

Allows websites to track the Chromebook's location.

Values

  • Allow sites to detect user's geolocation — Websites are granted location information. Android apps ask the device user for access to location information.
  • Do not allow sites to detect users' geolocation — Websites aren't granted location information. Android apps cannot access location information.
  • Always ask the user if a site wants to detect their geolocation — Websites ask the device user for access to location information. Android apps ask the device user for access to location information.
  • Allow user to decide (default) — The device user can locally change this setting.
Chrome OS 11 and higher
Single sign-on

Toggles Security Assertion Markup Language (SAML) single sign-on (SSO) for the Chromebook.

Before you can enable this feature, you must set up third-party SSO for Google Workspace. For more details, see Set up SSO via a third party Identity provider.

Values

  • Enable SAML-based single sign-on for Chrome devices
  • Disable SAML-based single sign-on for Chrome devices (default)
Chrome OS 51 and higher
SAML single sign-on login frequency

Specifies the frequency of forced online sign-in for SAML-based single sign-on (SSO) accounts on the login screen. Before you can enable this feature, you must set up third-party SSO for Google Workspace. For more details, see Set up SSO via a third party Identity provider.

Values

Choose a frequency:

  • Every day
  • Every 3 days
  • Every week
  • Every 2 weeks (default)
  • Every 3 weeks
  • Every 4 weeks
  • Every time
  • Never
Chrome OS 34 and higher
Allowed certificate transparency URLs

Specifies an allowlist of URLs to exempt from certificate transparency enforcement. For more details, see CertificateTransparencyEnforcementDisabledForUrls.

Values

To add a URL, enter it and click add. To remove one, click delete.

Only the host in the URL is matched. Wildcard hostnames are not supported.

Chrome OS 53 and higher
Certificate transparency CA allowlist

Specifies an allowlist of certificate authority (CA) subjectPublicKeyInfo hashes that are exempt from certificate transparency enforcement. With this feature, Chrome browser can use non-public certificates issued to your organization by a CA. For more details, see CertificateTransparencyEnforcementDisabledForCas.

Values

To add a subjectPublicKeyInfo hash, enter it and click add. To remove one, click delete.

For details on the hash syntax, see CertificateTransparencyEnforcementDisabledForCas.

Chrome OS 67 and higher
Certificate transparency legacy CA allowlist

Specifies an allowlist of legacy certificate authority (CA) subjectPublicKeyInfo hashes exempt from certificate transparency enforcement. These hashes must match a recognized Legacy CA. Legacy CAs are trusted by some OSs that run Chrome browser, but not Chrome OS or Android. With this feature, Chrome browser can use non-public certificates issued to your organization by a CA. For more details, see CertificateTransparencyEnforcementDisabledForLegacyCas.

Values

To add a subjectPublicKeyInfo hash, enter it and click add. To remove one, click delete.

For details on the hash syntax, see CertificateTransparencyEnforcementDisabledForLegacyCas.

Chrome OS 67 and higher
User management of installed CA certificates

Allows the device user to import, edit, and remove certificate authority (CA) certificates.

Values

  • Allow users to manage all certificates (default) — The device user can edit trust settings for all CA certificates, remove user-imported certificates, and import certificates.
  • Allow users to manage user certificates — The device user can manage settings for user-imported certificates, but not edit trust settings for CA certificates.
  • Disallow users from managing certificates — The device user can view CA certificates, but not manage them.
Chrome OS 78 and higher
User management of installed client certificates

Allows the device user to manage client and device-wide certificates.

Values

  • Allow users to manage all certificates (default) — The device user can manage all certificates.
  • Allow users to manage user certificates — Users can manage user certificates, but not device-wide certificates.
  • Disallow users from managing certificates — Users can view certificates, but not manage them.
Chrome OS 74 and higher
CPU task scheduler

Specifies the priority mode of the Intel Hyper-Threading Technology on the Chromebook's CPU.

Values

  • Allow the user to decide (default)
  • Optimize for stability
  • Optimize for performance
Chrome OS 74 and higher
Enable leak detection for entered credentials

Toggles the Chrome browser feature that checks for known leaked user credentials. This feature is only available in Safe Browsing mode.

Values

  • Allow the user to decide (default)
  • Disable Leak detection for entered credentials
  • Enable Leak detection for entered credentials
Chrome OS 79 and higher
Ambient authentication

Toggles the NTLM/Kerberos feature that provides HTTP authentication without credentials on Chrome browser during regular, guest, and Incognito sessions.

Values

  • No policy set
  • Enable in regular sessions only (default)
  • Enable in regular and incognito sessions
  • Enable in regular and guest sessions
  • Enable in regular, incognito and guest sessions

Chrome OS 80 — Ambient authentication is enabled in all sessions

Chrome OS 81 and higher — If the policy is unset, ambient authentication is enabled during regular sessions

Unsupported system warning

Toggles warnings from Chrome browser when it detects that it's running on an unsupported OS or hardware.

Values

  • Suppress warnings when Chrome is running on an unsupported system
  • Allow Chrome to display warnings when running on an unsupported system (default)
Chrome OS 49 and higher
Advanced Protection program

Toggles whether device users enrolled in the Advanced Protection program on Chrome browser receive the extra protections provided by the program.

Values

  • Users enrolled in the Advanced Protection program will receive extra protections (default)
  • Users enrolled in the Advanced Protection program will only receive standard consumer protections
Chrome OS 83 and higher
Override insecure origin restrictions

Specifies an allowlist of websites and domains that bypass insecure origin restrictions on Chrome browser. Allowlisted origins and websites are not labeled Not Secure in the address bar.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 69 and higher
Popup interactions

Controls the default behavior on Chrome browser for interactions between pages and pop-ups opened with a target of _blank.

Values

  • Block popups opened with a target of _blank from interacting with the page that opened the popup (default) — A page that opens a pop-up with a target of _blank must explicitly opt in to interact with the popup.
  • Allow popups opened with a target of _blank to interact with the page that opened the popup — A page that opens a popup with a target of _blank interacts with the pop-up, unless it explicitly opts out of the interaction.
Chrome OS 85 and higher
Security token removal

Specifies the behavior when the device user's smart card security token is removed from the Chromebook. This policy only applies when sessions on the Chromebook are configured for smart cards.

Values

Chrome OS 90 and higher
> Removal notification duration (seconds)

Specifies the duration to display a notification describing the impending action upon smart card removal. The notification informs the device user that they will be signed out or their session will lock after the specified period, and blocks them from interacting with the system. After the notification expires, the action chosen in the Security token removal policy is performed. The device user can prevent the action by re-inserting the security token before the notification expires.

Values

Enter the notification duration, in seconds.

If this value is unset or 0, the notification is disabled, and the chosen action performs immediately.

Chrome OS 90 and higher

Remote access

Policy Description Supported system
Remote access clients

Specifies an allowlist of domain names for remote access clients, and prevents the device user from changing the setting on the Chromebook. Only clients from the specified domains can connect to the host device.

Values

To add a domain, enter it and click add. To remove one, click delete.

If this value is unset, the host allows connections from authorized users from any domain.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 60 and higher
Remote access hosts

Specifies an allowlist of domain names that are imposed on remote access hosts, and prevents the device user from changing the setting on the Chromebook. Only hosts with accounts registered on an allowlisted domain name can be shared.

Values

To add a domain, enter it and click add. To remove one, click delete.

If this value is unset, hosts can be shared through any user account.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 60 and higher
Firewall traversal

Toggles the use of Session Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT (TURN) servers when remote clients try to establish a connection to the Chromebook.

Values

First field:

  • Enable firewall traversal (default) — Allow remote clients to discover and connect to the Chromebook if they are separated by a firewall.
  • Disable firewall traversal — Don't allow remote clients to discover and connect to the Chromebook if they are separated by a firewall. If this setting is applied and outgoing UDP connections are filtered by the firewall, the Chromebook only allows connections with client machines within the local network.

Second field:

  • Enable the use of relay servers (default) — Allow connections to peers and data transfer without a direct connection when a firewall is in place.
  • Disable the user of relay servers — Only allow connections to peers and data transfer with a direct connection when a firewall is in place.
Chrome OS 41 and higher
> UDP port range

Restricts the UDP port range used by the remote access host in the Chromebook.

Values

Enter a range of UDP ports, from minimum to maximum. For example, 12400—12409.

If this value is unset, any port can be used.

Chrome OS 41 and higher

Session settings

Policy Description Supported system
Show logout button in tray

Toggles the Sign out button on the shelf.

Values

  • Show logout button in tray
  • Do not show logout button in tray (default)
Chrome OS 25 and higher

Kerberos

Policy Description Supported system
Kerberos tickets

Allows Kerberos single sign-on for internal resources that support Kerberos authentication. Internal resources might include websites, file shares, certificates, and so on.

Values

  • Enable Kerberos
  • Disable Kerberos
Chrome OS 91 and higher
> Enable Kerberos automatically

Toggles the automatic addition of a Kerberos account.

Values

  • Do not automatically add a Kerberos account (default)
  • Automatically add a Kerberos account — If set, the name of the principal added is defined by the Principal name policy.
Chrome OS 91 and higher
> Principal name

Specify the Kerberos principal to automatically add on behalf of the device user. This policy applies if the Enable Kerberos automatically policy is set to Automatically add a Kerberos account.

Values

Enter a principal name. The following string substitution tokens are supported:

  • ${LOGIN_ID} — The username part of principal name. For example, if the user logs in as alex@realm the username is alex.
  • ${LOGIN_EMAIL} — The full principal name.
Chrome OS 91 and higher
> Enable Kerberos custom configuration

Applies a custom Kerberos configuration.

Values

  • Use default Kerberos configuration (default)
  • Customize Kerberos configuration — Customize the Kerberos configuration with the values defined by the Kerberos configuration policy.
Chrome OS 91 and higher
> Kerberos configuration

Define one or more Kerberos configuration option overrides. For a list of supported options, see Configure how to get tickets.

Values

To add a configuration override, enter it and click add. To remove one, click delete.

Chrome OS 91 and higher
Remember Kerberos passwords

Allow the device user to let Chrome OS remember Kerberos passwords.

Values

  • Allow users to remember Kerberos passwords — Chrome OS automatically fetches Kerberos tickets unless additional authentication, such as 2-factor, is required.
  • Do not allow users to remember Kerberos passwords — Chrome OS does not remember Kerberos passwords and removes all previously stored passwords.
Chrome OS 91 and higher
Kerberos accounts

Allow the device user to manage Kerberos accounts.

Values

  • Allow users to add Kerberos accounts (default) — The device user can add, modify, and remove Kerberos accounts.
  • Do not allow users to add Kerberos accounts — The device user can't manage Kerberos. Kerberos accounts can only be set by device policies.
Chrome OS 91 and higher

Network

Policy Description Supported system
Proxy mode

Specifies how Chrome OS connects to the internet. Android apps on Chromebooks have access to, or are made aware of, a subset of proxy settings, but there is no guarantee that a particular app uses them. Typically, apps using Android System WebView or the built-in network stack do so. Android apps receive different information based on the setting you choose.

Values

  • Allow user to configure (default) — Chrome OS uses a direct connection by default. The device user can configure the connection settings to connect to a proxy server. Android apps are provided with the HTTP proxy server address and port, if the user configures one.
  • Never use a proxy — Chrome OS always uses a direct connection. Android apps are made aware that no proxy is configured.
  • Always auto detect the proxy — Chrome OS uses the Web Proxy Auto-Discovery Protocol (WPAD) to determine which proxy server to connect to. Android apps are made aware of the script URL http://wpad/wpad.dat. No other part of WPAD is used.
  • Always use the proxy specified in below — Chrome OS connects to the specified proxy server. Android apps are provided with the HTTP proxy server address and port. Enter the URL of the proxy server in the Proxy server URL policy, which becomes available when you choose this setting. The URLs which bypass the proxy policy also becomes available, which lets you specify URLs to connect to directly.
  • Always use the proxy auto-config specified in below — Chrome OS follows the proxy connection schema defined in a Proxy Auto-Configuration (PAC) file. Android apps are made aware of the URL of the PAC file. Enter the URL of the PAC file in the Proxy server auto configuration file URL, which becomes available when you choose this setting.
Chrome OS 18 and higher
> Proxy server URL

Specifies the address of the proxy server. Only available if the Proxy mode policy is set to Always use the proxy specified in below.

Values

Enter the URL as IP address:port, for example 192.168.1.1:3128.

Chrome OS 18 and higher
> URLs which bypass the proxy

Specifies an allowlist of websites and domains that bypass the proxy server. Only available if the Proxy mode policy is set to Always use the proxy specified in below.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 18 and higher
> Proxy server auto configuration file URL

The URL address of the PAC file to use to configure network connections. Only available if Proxy mode policy is set to Always use the proxy auto-config specified in below.

Values

Enter the URL to the PAC file.

Chrome OS 18 and higher
Ignore proxy on captive portals

Specifies whether Chrome OS can bypass a configured proxy server for captive portal authentication. Some examples of captive portal pages are landing or sign-in pages where users are prompted to accept terms or sign in before Chrome browser detects a successful internet connection.

Values

  • Ignore policies for captive portal pages — Chrome browser opens captive portal pages in a new window and ignores all settings and restrictions that are configured for the current user.
  • Keep policies for captive portal pages (default) — Chrome browser opens captive portal pages in a new browser tab and applies the current user's policies and restrictions.
Chrome OS 41 and higher
Supported authentication schemes

Specifies which HTTP authentication schemes are supported by Chrome browser. When a server or proxy accepts multiple authentication schemes, the supported authentication scheme with the highest security is used. You can override the default behavior by enabling specific authentication schemes.

Values

  • Basic — User credentials are required, but are unencrypted. The least secure method.
  • Digest — User credentials are required, and use simple encryption. More secure than basic.
  • NTLM (NT LAN Manager) — A challenge-response scheme that uses Microsoft's NTLM technology. More secure than digest.
  • Negotiate — A challenge-response scheme that uses the Kerberos protocol. More secure than NTLM.

If this value is unset, all four schemes are used.

Chrome OS 62 and higher
Allow Basic authentication for HTTP

Toggles the basic authentication scheme over a non-secure HTTP connection on Chrome browser.

Values

  • Basic authentication scheme is allowed on HTTP connections (default)
  • HTTPS is required to use Basic authentication scheme
Chrome OS 88 and higher
NTLMv2 authentication

Toggles NTLMv2 authentication.

Values

  • Enable NTLMv2 authentication (default)
  • Disable NTLMv2 authentication
Chrome OS 63 and higher
Minimum SSL version enabled

Specifies the minimum internet security protocol required in connections on Chrome browser.

Values

  • TLS 1.0
  • TLS 1.1
  • TLS 1.2
  • SSL3
Chrome OS 66 and higher
SSL error override

Specifies whether the device user can bypass SSL warnings when connecting to a page on Chrome browser.

Values

  • Allow users to click through SSL warnings and proceed to the page (default)
  • Block users from clicking through SSL warnings
Chrome OS 44 and higher
SSL error override allowed domains

Specifies an allowlist of origins for which the device user can bypass SSL warnings when connecting to a page on Chrome browser. This policy is ignored if the SSL error override policy is set to Allow users to click through SSL warnings and proceed to the page.

Values

To add an origin, enter it and click add. To remove one, click delete.

The path portion of the URL is ignored.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 90 and higher
WebRTC UDP ports

Restricts use of the UDP protocol with Web Real-Time Communication (WebRTC) to a specified port range on Chrome browser.

Values

  • Allow WebRTC to pick any UDP port (1024-65535) (default) — All ports are allowed.
  • Specify range of UDP ports allowed for WebRTC — A port range determines the allowed ports. This setting makes the Minimum value for allowed UDP ports and Maximum value for allowed UDP ports policies available.
Chrome OS 54 and higher
> Minimum value for allowed UDP ports

Specifies the lowest UDP port in the allowed range for WebRTC. Only available if the WebRTC UDP ports policy is set to Specify range of UDP ports allowed for WebRTC.

Values

Enter the lower port.

The absolute minimum is port 1024. This value must be lower than the maximum.

Chrome OS 54 and higher
> Maximum value for allowed UDP ports

Specifies the highest UDP port in the allowed range for WebRTC. Only available if the WebRTC UDP ports policy is set to Specify range of UDP ports allowed for WebRTC.

Values

Enter the upper port.

The absolute maximum is port 65535. This value must be higher than the minimum.

Chrome OS 54 and higher
WebRTC ICE candidate URLs for local IPs

Specifies an allowlist of websites and domains that can view your local IPs as WebRTC Interactive Connectivity Establishment (ICE) candidates. Patterns in this list will be matched against the security origin of the requesting URL. If a match is found, the local IP addresses are shown in ICE candidates. Otherwise, local IP addresses are concealed with mDNS hostnames.

CAUTION — Enabling this policy can weaken the protection of your local IPs.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 79 and higher
QUIC protocol

Toggles the Quick UDP Internet Connections (QUIC) protocol on Chrome browser.

Values

  • Enable (default)
  • Disable
Chrome OS 43 and higher
Built-in DNS client

Toggles the Chrome browser's built-in DNS client.

Values

  • Use the built-in DNS client on macOS, Android and Chrome OS. Allow the user to change the setting (default)
  • Never use the built-in DNS client
  • Always use the built-in DNS client if available
Chrome OS 73 and higher
Integrated authentication servers

Specifies an allowlist of server domains for Integrated Windows Authentication (IWA). When Chrome browser gets an authentication challenge from a proxy or server in this allowlist, integrated authentication turns on.

Values

To add a domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 86 and higher
Kerberos delegation servers

Specifies an allowlist of servers that can be used for Kerberos authentication.

Values

To add a server, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 86 and higher
Kerberos ticket delegation

Specifies whether to respect the Key Distribution Center (KDC) policy that delegates Kerberos tickets.

Values

  • Respect KDC policy
  • Ignore KDC policy (default)
Chrome OS 74 and higher
Kerberos service principal name

Specifies the source of the name used to generate the Kerberos service principal name (SPN).

Values

  • Use original name entered
  • Use canonical DNS name (default)
Chrome OS 62 and higher
Kerberos SPN port

Specifies whether the generated Kerberos service principal name (SPN) includes a non-standard port.

Values

  • Include non-standard port
  • Do not include non-standard port (default)
Chrome OS 62 and higher
Cross-origin authentication

Allows third-party content on a page to prompt the device user for HTTP basic authentication on Chrome browser.

Values

  • Allow cross-origin authentication (default)
  • Block cross-origin authentication
Chrome OS 88 and higher
SharedArrayBuffer

Allows websites that are not cross-origin isolated to use SharedArrayBuffers.

Values

  • Allow sites that are not cross-origin isolated to use SharedArrayBuffers
  • Prevent sites that are not cross-origin isolated to use SharedArrayBuffers
Chrome OS 91 and higher
User-Agent client hints

Allows the Chrome browser to fulfill requests by servers for User-Agent client hints—identifying information about itself and the Chromebook.

Values

  • Allow User-Agent client hints (default)
  • Disable User-Agent client hints
Chrome OS 85 and higher
Signed HTTP Exchange (SXG) support

Allows Chrome browser to access pages served on a Signed HTTP Exchange.

Values

  • Accept web content server as Signed HTTP Exchanges (default)
  • Prevent Signed HTTP Exchanges from loading
Chrome OS 73 and higher
Globally scoped HTTP authentication cache

Toggles limiting the scope of Chrome browser's global cache of HTTP server authentication credentials. This policy is intended to give organizations that depend on legacy authentication methods time to update their sign-in procedures. Google plans to remove it in the future.

Values

  • HTTP authentication credentials entered in the context of one site will automatically be used in the context of another — All cached HTTP user authentication credentials are shared. This setting makes the device user vulnerable to cross-site-tracking schemes where malicious pages add entries to the HTTP authentication cache by embedding credentials into URLs.
  • HTTP authentication credentials are scoped to top-level sites (default) — Cached HTTP authentication credentials are only shared within a top-level website. If two different websites use resources from the same authenticating domain, credentials need to be provided independently in the context of both websites. Cached proxy credentials are reused across websites.
Chrome OS 80 and higher
Require online OCSP/CRL checks for local trust anchors

Controls whether Chrome always performs revocation checks on validated server certificates that are signed by locally-installed CA certificates. If Chrome can't retrieve any revocation status information on a certificate, it treats it as revoked.

Values

  • Perform revocation checks for successfully validated server certificates signed by locally installed CA certificates
  • Use existing online revocation-checking settings (default)
Chrome OS 19 and higher
HSTS policy bypass list

Specifies an allowlist of hostnames that bypass the HTTP Strict Transport Security (HSTS) policy, which forces Chrome browser to only access websites that provide HTTPS encryption.

Values

To add a hostname, enter it and click add. To remove one, click delete.

Only enter single-label hostnames. Hostnames must be canonical, IDNs must be in A-label representation, and all ASCII letters must be lowercase. An entry only applies to the hostname specified, and not to subdomains of that hostname.

Chrome OS 78 and higher
DNS interception checks enabled

Toggles DNS interception checking on Chrome browser, which tests to see if the connection is behind a proxy that redirects unknown hostnames.

Values

  • Perform DNS interception checks (default)
  • Do not perform DNS interception checks
Chrome OS 80 and higher
Intranet Redirection Behavior

Toggles treating a single-word query in the omnibox as a hostname rather than a search term on Chrome browser. When enabled, if the device user searches for a single word, Chrome browser issues a DNS request for the term as a hostname, and then asks the user if they want to try and connect to the query as a URL rather than search for it. An example would be a search for calendar that matches an internal host http://calendar/.

If your network resolves every DNS request for a single-word host, you should allow interception checks with the DNS interception checks enabled policy. However, this Intranet Redirection Behavior policy is more flexible because with it you can also enable the prompt (infobar) that the device user sees.

Values

  • Use default browser behavior (default) — DNS interception checks and intranet redirect suggestions are enabled. Google plans to deprecate this setting in the future.
  • Disable DNS interception checks and did-you-mean "http://intranetsite/" infobars — Chrome treats a single-word query as a search, and does not check whether hostnames are being redirected by the DNS.
  • Disable DNS interception checks; allow did-you-mean "http://intranetsite/" infobars — Chrome asks the device user whether it should redirect their single-word query to a hostname, and does not check whether hostnames are being redirected by the DNS.
  • Allow DNS interception checks and did-you-mean "http://intranetsite/" infobars — Chrome asks the device user whether it should redirect their single-word query to a hostname, and checks whether hostnames are being redirected by the DNS.
Chrome OS 88 and higher — Use default browser behavior is the default setting
WPAD optimization

Toggles Web Proxy Auto-Discovery (WPAD) optimization on Chrome browser. WPAD helps automatically locate and interface with cache services in a network, speeding up content delivery to the browser.

Values

  • Enable Web Proxy Auto-Discovery (WPAD) optimization (default)
  • Disable Web Proxy Auto-Discovery (WPAD) optimization
Chrome OS 35 and higher
Login credentials for network authentication

Controls whether usernames and passwords are used to authenticate to a managed proxy secured with NTLM authentication.

Values

  • Use login credentials for network authentication to a managed proxy — Credentials are used. If authentication fails, the device user is prompted to enter their username and password.
  • Don't use login credentials for network authentication — Credentials aren't used.
Chrome OS 89 and higher
Allowed network ports

Allows outbound connections on select ports that are normally restricted on the Chromebook. This policy is intended as a temporary workaround for errors with code ERR_UNSAFE_PORT when migrating a service running on a blocked port to a standard port such as port 80 or 443.

Overrides the --explicitly-allowed-ports command-line option.

Values

  • port 554 (expires 2021/10/15)
  • port 6566 (expires 2021/10/15)
  • port 10080 (expires 2022/04/01)If this value is unset, all restricted ports are blocked.
Chrome OS 91 and higher
CECPQ2 post-quantum key-agreement for TLS

Controls whether Chrome OS follows the default rollout process for Combined Elliptic-Curve and Post-Quantum 2 (CECPQ2), a post-quantum key-agreement algorithm in Transport Layer Security (TLS). CECPQ2 helps evaluate the performance of post quantum key-exchange algorithms on devices. CECPQ2 results in larger TLS messages which, in very rare cases, can trigger bugs in some networking hardware.

Values

  • Enable default CECPQ2 rollout process (default)
  • Disable CECPQ2
Chrome OS 91 and higher

Android applications

Policy Description Supported system
Control Android backup and restore service

Allows the device user to back up content, data, and settings from Android apps to their Google Account. When users sign in to another Chromebook, they can restore the data. App data can be any data that an app has saved, including potentially sensitive data such as contacts, messages, and photos. Backup data will not count toward the user's Drive storage quota.

Values

  • Backup and restore disabled (default) — Android apps can't back up during initial setup.
  • Let user decides whether to enabled backup and restore — Android apps can ask the device user whether to back up after initial setup.
Chrome OS 68 and higher
Google location services

Allows Android apps to track the Chromebook's physical location.

Values

  • Disable location services for Android apps in Chrome OS (default) — Android apps can't access location information during initial setup.
  • Allow the user to decide whether an Android app in Chrome OS can use location services — Android apps can ask user for location information after initial setup.
Chrome OS 68 and higher
Certificate synchronization

Toggles syncing of Chrome OS certificates to Android apps.

Values

  • Disable usage of Chrome OS CA Certificates in Android apps (default)
  • Enable usage of Chrome OS CA Certificates in Android apps
Chrome OS 52 and higher

Startup

Policy Description Supported system
Home button

Toggles the Home button on the toolbar on Chrome browser. This policy corresponds to the setting under Settings > Apperance > Show home button.

Values

  • Allow the user to decide (default)
  • Never show "Home" button
  • Always show "Home" button
Chrome OS 11 and higher
Homepage

Specifies the home page on Chrome browser.

Values

  • Allow user to configure (default) — The device user chooses the home page.
  • Homepage is always the URL set below — The home page is set to a specific address, which the device user can't override. This setting makes the Homepage URL policy available.
  • Homepage is always the new tab page — The home page is the special chrome://newtab page.
Chrome OS 11 and higher
> Homepage URL

Specifies the address of the home page on Chrome browser. Only available if the Homepage policy is set to Homepage is always the URL set below.

Values

Enter a URL for the home page.

Chrome OS 11 and higher
New tab page

Specifies the address of a new tab on Chrome browser. When left empty, the page will be used.

Values

Enter a URL for new tabs.

Chrome OS 58 and higher
New tab page background

Allows custom backgrounds on Google's new tab page.

Values

  • Allow users to customize the background on the New Tab page — New tabs use a custom background, if the device user sets one.
  • Do not allow users to customize the background on the New Tab page — New tabs only use the default background.

    CAUTION — Using this setting deletes any custom backgrounds uploaded by the device user.
Chrome OS 80 and higher
Pages to load on startup

A list of pages to open when Chrome browser starts. Each page opens in a separate tab.

Values

To add a page, enter its URL and click add. To remove one, click delete.

Chrome OS 11 and higher

Content

Policy Description Supported system
SafeSearch and Restricted Mode Chrome OS 55 and higher
> SafeSearch for Google Search queries

Enforces SafeSearch filtering in search results. SafeSearch filters mature or explicit content, like pornography. For K-12 EDU domains, the default is Always use Safe Search for Google Web Search queries. For all other domains, the default is Do not enforce Safe Search for Google Web Search queries. For more details on SafeSearch enforcement, see Lock SafeSearch for accounts, devices & networks you manage.

Values

  • Always use SafeSearch for Google Search queries
  • Do not enforce SafeSearch for Google Search queries (default)
Chrome OS 41 and higher
> Restricted Mode for YouTube

Enforces the level of Restricted Mode on YouTube, which algorithmically limits which videos are viewable based on their content. The device user can raise, but not lower, the Restricted mode level that this policy enforces. For more details on Restricted Mode for YouTube, see Manage your organization's YouTube settings.

Values

  • Do not enforce Restricted Mode on YouTube (default) — The device user chooses the level of Restricted mode in their YouTube settings.
  • Enforce at least Moderate Restricted Mode on YouTube — Enforces Restricted Mode at a medium level, which filters a moderate number of videos.
  • Enforce Strict Restricted Mode on YouTube — Enforces Restricted Mode at the highest level, which filters a large number of videos.
Chrome OS 55 and higher
Screenshot

Allows the device user to take screenshots on the Chromebook. The policy applies to screenshots taken by any means, including the built-in keyboard shortcut, Android apps, and apps and extensions that use the screenshot functionality of the Chrome API.

Values

  • Do not allow users to take screenshots or video recordings
  • Allow users to take screenshots and video recordings (default)
Chrome OS 22 and higher
Screen video capture

Allows websites to prompt the device user to live stream a Chrome browser tab, window, or the entire screen.

Values

  • Allow sites to prompt the user to share a video stream of their screen (default)
  • Do not allow sites to prompt the user to share a video stream of their screen
Chrome OS 25 and higher
Client certificates

Specifies an allowlist of URL patterns for which Chrome browser automatically selects a client certificate. If a valid client certificate is installed and the browser accesses an allowlisted URL, the browser skips the client certificate selection prompt. The ISSUER and CN values specify the common name of the certificate authority that client certificates must report as their issuer in order to be chosen.

Values

To add a URL pattern, enter it and click add. To remove one, click delete.

A URL pattern must be a JSON string with the following format:

{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}

The wildcard (*) token is supported, but the pattern can't consist of one wildcard on its own. Prefix a domain with [*.] to include all of its subdomains. Newline characters are not supported, and are stripped out if copy-pasted into the field.

Here are some example URL patterns:

{"pattern": "https://[*.]ext.example.com", "filter":{}}

{"pattern": "https://[*.]corp.example.com", "filter":{}}

{"pattern": "https://[*.]intranet.usercontent.com","filter": {}}

Chrome OS 15 and higher
Security key attestation

Specifies an allowlist of websites and domains that do not prompt the device user when their security keys request attestation certificates. Additionally, when keys are requested, a signal is sent to the security key to indicate that individual attestation may be used.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

URLs will only match as Universal 2nd Factor (U2F) app IDs. Domains only match as WebAuthn relying party (RP) IDs. Thus, to cover both U2F and WebAuthn APIs for a website or domain, both its app ID URL and domain should be listed.

Chrome OS 65 and higher
3D content

Allows websites to use the Web-based Graphics Library (WebGL) API and plugins on Chrome browser. WebGL is a software library that enables JavaScript to allow it to generate interactive 3D graphics.

Values

  • Never allow display of 3D content
  • Always allow display of 3D content (default)
Chrome OS 11 and higher
Cookies

Allows websites on Chrome browser to store browsing information, such as the device user's website preferences and profile information. This policy corresponds to the cookie options in the browser's settings.

Values

  • Allow the user to decide (default) — The device user chooses one of the settings below.
  • Allow cookies — Cookies are stored.
  • Block cookies — Cookies are never stored.
  • Session only — Cookies are stored for the duration of the session.
Chrome OS 11 and higher
> Allow cookies for URL patterns

Specifies an allowlist of websites and domains that are allowed to set cookies.

Values

To add a website or domain, enter it and click add. To delete one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 11 and higher
> Block cookies for URL patterns

Specifies an allowlist of websites and domains that are not allowed to set cookies.

Values

To add a website or domain, enter it and click add. To delete one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 11 and higher
> Allow session-only cookies for URL patterns

Specifies an allowlist of websites and domains that are allowed to set session-only cookies.

Values

To add a website or domain, enter it and click add. To delete one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 11 and higher

Controls third-party cookies.

Values

  • Allow the user to decide (default)
  • Allow third-party cookies
  • Disallow third-party cookies
Chrome OS 11 and higher

Allows legacy behavior for the SameSite cookie attribute on Chrome browser. The SameSite attribute allows cross-site cookies to be sent securely. Chrome browser 80 and higher is much stricter toward cookies with undefined SameSite attributes, which may break single-sign on and internal apps for legacy or out-of-date services. You can temporarily revert Chrome browser to the legacy behavior, which is less secure.

To test how Chrome browser treats cookies that don't specify a SameSite attribute on your websites and services, see Tips for testing and debugging SameSite-by-default.

Values

  • Revert to legacy SameSite behavior for cookies on all sites — Chrome browser doesn't require cookies with SameSite=None to include the Secure attribute. Cookies that don't specify any SameSite attribute are treated as if they have SameSite=None.
  • Use SameSite-by-default behavior for cookies on all sites — Chrome browser reverts to its default SameSite behavior, depending on its version.
  • Use the user's personal configuration for SameSite features (default) — Chrome browser uses the device user's SameSite settings, as configured in the browser's flags.
Chrome OS 79—92

Specifies an allowlist of websites for which Chrome browser uses its legacy behavior for the SameSite cookie attribute. Chrome browser 80 and higher is much stricter toward cookies with undefined SameSite attributes, which may break single-sign on and internal apps for legacy or out-of-date services.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 79 and higher
Images

Controls whether Chrome browser allows websites to display images. For Show images on these sites and Block images on these sites, put one URL pattern on each line.

Values

  • Allow the user to decide (default)
  • Allow all sites to show all images
  • Do not allow any site to show images
Chrome OS 11 and higher
> Show images on these sites

Specify an allowlist of websites and domains that can display images on Chrome browser.

Values

To add a website or domain, enter it URL and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 11 and higher
> Block images on these sites

Specify a blocklist of websites and domains that can't display images on Chrome browser.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 11 and higher
JavaScript

Controls whether Chrome browser allows websites to run JavaScript.

Values

  • Allow the user to decide (default)
  • Allow sites to run JavaScript
  • Do not allow any site to use JavaScript
Chrome OS 11 and higher
> Allow these sites to run JavaScript

Specify an allowlist of websites and domains that can run JavaScript on Chrome browser.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 11 and higher
> Block JavaScript on these sites

Specify a blocklist of websites and domainsfor which Chrome browser blocks JavaScript.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 11 and higher
JavaScript IntensiveWakeUpThrottling

Suspends JavaScript timers on background tabs that haven't been used for 5 minutes or more on Chrome browser. For these suspended tabs, timers only execute their code once per minute, which can significantly decrease CPU load and battery consumption. This policy is applied per-website, with the most recent setting applied to a tab when it loads. The user must perform a full restart of Chrome browser for the setting to apply to all loaded tabs.

Values

  • Allow throttling of background javascript timers to be controlled by Chrome's logic and configurable by users (default) — Background tabs have JavaScript throttled based on the browser's internal logic, and the policy can be manually configured by the device user.
  • Force no throttling of background javajscript timers — Background tabs never have JavaScript throttled.
  • Force throttling of background javascript timers — Background tabs have JavaScript throttled after they are suspended.
Chrome OS 85 and higher
Notifications

Allows websites to display desktop notifications.

NOTE — If you block desktop notifications for all websites, some web apps that rely on desktop notifications, such as Google Calendar and Slack, may provide a poorer user experience. To enable expected behavior and experiences, you should add these apps' URLs to the Allow these sites to show notifications allowlist.

Values

  • Allow the user to decide (default)
  • Allow sites to show desktop notifications
  • Do not allow sites to show desktop notifications
  • Always ask the user if a site can show desktop notifications
Chrome OS 11 and higher
> Allow these sites to show notifications

Specify an allowlist of websites and domains that can display desktop notifications.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 11 and higher
> Block notifications on these sites

Specify a blocklist of websites and domains that can't display desktop notifications.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 11 and higher
Autoplay video

Specifies an allowlist of websites and domains that can automatically play video content with sound on Chrome browser without the device user's consent. If you change this policy on deployed Chromebooks, it only applies to newly opened tabs.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 86 and higher
Auto open downloaded files

Specifies an allowlist of file types to automatically open after download on Chrome browser. If Safe Browsing is turned on, the browser still checks whether they are malicious or dangerous, and only opens them if they pass. When this list is blank, only file types that the device user allows can automatically open.

Values

To add a file type, enter it and click add. To remove one, click delete.

Do not include the leading separator when listing the type. For example, enter txt, not .txt.

Chrome OS 84 and higher
> Auto open URLs

Specifies an allowlist of websites and domains that can automatically open the file types that you specify in Auto open downloaded files policy. Chrome continues to automatically open file types that the device user chooses to automatically open.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

If this value is unset, Chrome automatically opens all file types specified in the Auto open downloaded files policy, no matter their origin.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 84 and higher
Pop-ups

Allows websites to open pop-ups on Chrome browser. When a website's pop-ups are blocked, the device user can click the blocked pop-ups button in the omnibox to allow them.

Values

  • Let the user decide (default)
  • Allow all pop-ups
  • Block all pop-ups
Chrome OS 11 and higher
> Allow pop-ups on these sites

Specify an allowlist of websites and domains that can open pop-ups.

Values

To add a website or domain, enter its URL and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 11 and higher
> Block pop-ups on these sites

Specify a blocklist of websites and domains that can't open pop-ups.

Values

To add a website or domain, enter its URL and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 11 and higher
Cross-origin JavaScript dialogs

Allows cross-origin iframes on websites to prompt the device user on Chrome browser. Starting with Chrome browser 91, cross-origin iframes can't trigger JavaScript prompts (window.alert, window.confirm, and window.prompt). This change was made to prevent embedded content from spoofing messages from the origin website or Chrome browser.

Values

  • Block JavaScript dialogs triggered from a cross-origin iframe (default)
  • Allow JavaScript dialogs triggered from a cross-origin iframe
Chrome OS 91—94
URL blocking

Specifies a blocklist of URLs on the Chromebook. You can add up to 1,000 URLs. When an exact URL is blocked by this policy and excepted by the Blocked URL exceptions policy, the exception takes precedence.

TIP — To block OS and browser setting URLs, such as chrome://flags, use the Disabled system features policy instead of blocking the URL here.

Block URLs on Android apps

Android apps on Chromebooks that use Android System WebView do not honor the blocked URL and blocked URL exception lists. To enforce a blocklist on these apps, manually configure these policies as JSON data in a text file. See Apply managed configurations to an Android app for more details. Here is an example configuration of these two policies:

{
    "com.android.browser:URLBlocklist": "[\"*\"]",
    "com.android.browser:URLAllowlist": "[
        \"www.example.com\",
        \"www.my-enterprise.com\"
    ]"
}

For apps that don't use Android System WebView, consult their documentation for information about how to block URLs.

Values

To add a URL, enter it and click add. To remove one, click delete.

The URL formatting for this policy differs from Google's typical enterprise policy URL pattern syntax. Each URL must contain a valid hostname (such as google.com), an IP address, or a wildcard (*) host. URLs can include:

  • The URL scheme, which is http, https, or ftp, followed by ://
  • A valid port value from 1—65,535
  • The path to the resource
  • Query parameters

Notes:

  • To disable subdomain matching, put an extra period before the host.
  • You cannot use user:password fields, such as http://user:pass@ftp.example.com/pub/file.iso. Instead, enter http://ftp.example.com/pub/file.iso.
  • If an extra period precedes the host, the policy filters exact host matches only.
  • Wildcards (*) are allowed when appended to a URL, but cannot be entered alone.
  • You cannot use a wildcard at the end of a URL, such as https://www.google.com/* and https://google.com/*.
  • The policy searches wildcards (*) last.
  • The optional query is a set of key-value and key-only tokens delimited by &.
  • The key-value tokens are separated by =.
  • A query token can optionally end with a wildcard (*) to indicate prefix match. Token order is ignored during matching.
Chrome OS 86 and higher
> Blocked URL exceptions

Specifies a list of exceptions to the URL blocklist on the Chromebook. Maximum of 1000 URLs.

Values

See the URL blocking policy description for instructions and syntax details.

Chrome OS 86 and higher
Google Drive syncing

Controls whether the device user can sync with Google Drive on the Chromebook. This policy has no effect on the Google Drive Android app. To completely disable any syncing with Google Drive, select Disable Google Drive syncing and block the Google Drive Android app from being installed on the Chromebook. For more details, see Use Android apps on Chrome OS devices.

Values

  • Disable Google Drive syncing
  • Enable Google Drive syncing (default)
Chrome OS 19 and higher
Google Drive syncing over cellular

Controls whether the device user can sync with Google Drive on the Chromebook over a cellular connection. This policy has no effect on the Google Drive Android app.

Values

  • Disable Google Drive syncing over cellular connections
  • Enable Google Drive syncing over cellular connections (default)
Chrome OS 19 and higher
Cast

Allows the device user to use a Chromecast device to cast from a Chrome tab.

Values

  • Allow users to Cast (default)
  • Do not allow users to Cast
Chrome OS 52 and higher
> Show the Cast icon in the toolbar

Toggles the Cast icon on the toolbar. Only available if the Cast policy is set to Allow users to Cast.

Values

  • Always show show the Cast icon in the toolbar — The Cast icon is added the toolbar, and the device user can't remove it.
  • Do not show the Cast icon in the toolbar, but let users choose (default )— The Cast icon isn't added to the toolbar, but the device user can add it.
Chrome OS 58 and higher
Control use of insecure content exceptions

Allows the device user to enable mixed content on websites and domains on Chrome browser. By default, on an HTTPS website, Chrome browser blocks all active content (scripts and iframes) available through HTTP.

Values

  • Do not allow any sites to load blockable mixed content (default) — All mixed content on secure website and domains is blocked.
  • Allow users to add exceptions to allow blockable mixed content — The device user can allow specific websites and domains to load active mixed content. To add a website or domain, the device user must:
    1. Open Chrome.
    2. At the top-right, click the Chrome browser menu > Settings.
    3. Navigate to Privacy and security > Site settings > Additional content settings > Insecure content.
    4. Under Allowed to show insecure content, select Add.
    5. Enter the URL of the website. The URL syntax follows the Enterprise policy URL pattern format.
Chrome OS 79 and higher
Allow insecure content on these sites

Specifies an allowlist of websites and domains that can display active mixed content (scripts and iframes).

Values

To add a website or domain, enter its URL and click add. To remove one, click delete.

For examples and more details about URL patterns, see Enterprise policy URL pattern format.

Chrome OS 79 and higher
Block insecure content on these sites

Specifies a blocklist of websites and domains that can't display active mixed content (scripts and iframes).

Values

To add a website or domain, enter its URL and click add. To remove one, click delete.

For examples and more details about URL patterns, see Enterprise policy URL pattern format.

Chrome OS 79 and higher
Insecure forms

Toggles warnings when a website delivers a form through HTTP on Chrome browser.

Values

  • Show warnings and disable autofill on insecure forms
  • Do not show warnings and disable autofill on insecure forms
Chrome OS 85 and lower
Network file shares

Toggles network file sharing on the Chromebook.

Values

  • Allow network file shares
  • Block allow network file shares
Chrome OS 70 and higher
> Net Bios Share discovery

Allows the NetBIOS name query request protocol to discover shares on the network. If this policy is not set, NetBIOS discovery is allowed for managed user accounts, but not for unmanaged accounts. Only available when Network file shares policy is set to Allow network file shares.

Values

  • Use NetBIOS discovery
  • Do not allow NetBIOS discovery (default)
Chrome OS 70 and higher
> NTLM Share authentication

Toggles NTLM as an authentication protocol for mounted server message block (SMB) shares. Only available when Network file shares policy is set to Allow network file shares.

Values

  • Use NTLM authentication — Authentication for shares is required for all accounts.
  • Do not use NTLM authentication (default) — Authentication for shares is required for managed user accounts, but not for non-managed accounts.
Chrome OS 71 and higher
> Preconfigured network file shares

Specifies a list of pre-configured network file shares available to the Chromebook. Only available when Network file shares is set to Allow network file shares.

Values

To add a file share, enter its URL, select a Mode, then click add. To remove one, click delete.

  • URL — The URL of the file or resource to share. For examples, smb://server/share or \shared\resource.
  • Mode — How the file or resource is shared:
    • Drop down — Adds the URL to the share discovery menu.
    • Pre mount — Automatically shares the file or resource.
Chrome OS 71 and higher
Scroll to text fragment

Allows links to highlight and scroll to text on a webpage on Chrome browser. Links with special fragment syntax can target text on a page. When the page is fully loaded, the browser scrolls to the text.

Values

  • Allow sites to scroll to specific text fragments via URL (default)
  • Do not allow sites to scroll to specific text fragments via URL
Chrome OS 83 and higher
Enable URL-keyed anonymized data collection

Toggles URL-keyed anonymized data collection, which sends Google the URL of each website that Chrome browser visits in order to improve searching and browsing.

Values

  • Allow the user to decide (default)
  • Data collection is never active
  • Data collection is always active
Chrome OS 69 and higher
AppCache

Allows websites to use the deprecated application cache (AppCache) technology on Chrome browser. AppCache was designed to permanently store website content on the local system, but was deprecated on all major browsers due to the security vulnerabilities it introduced.

Values

  • Allow websites to use the deprecated AppCache feature
  • Do not allow websites to use the deprecated AppCache feature
Chrome OS 84-95
Web Bluetooth API

Specifies whether websites can request access to Bluetooth devices via the Web Bluetooth API.

Values

  • Allow the user to decide (default)
  • Do not allow sites to request access to Bluetooth devices via the Web Bluetooth API
  • Allow sites to request access to Bluetooth devices via the Web Bluetooth API
Chrome OS 50 and higher
PDF Annotations

Allows annotations on the PDF viewer.

Values

  • Allow the PDF viewer to annotate PDFs (default)
  • Do not allow the PDF viewer to annotate PDFs
Chrome OS 91 and higher

Printing

Policy Description Supported system
Printing

Toggles printing.

Values

  • Enable printing (default) — The device user can print.
  • Disable printing — The device user can't print from the Chrome browser, including with extensions and JavaScript apps. Android apps are unaffected.
Chrome OS 11 and higher
Deprecated privet printing

Toggles whether available Privet cloud printers appear in the print preview dialog.

Values

  • Enable deprecated privet printing (default)
  • Disable deprecated privet printing
Chrome OS 89—93
Print preview default

Specifies the default printer. This policy has no effect on Android apps. This policy and its sub-policies also apply to managed guest session devices.

Values

  • Define the default printer — When the device user prints, the system looks for a printer that matches the printer type and ID or name you specify. It then selects it as the default printer.
  • Use default printer behavior (default) — When the device user prints, the system selects the most recently used printer.
Chrome OS 61 and higher
> Printer types

Specifies the type of printer to search for and use as the default printer. Only available if Print preview default is set to Define the default printer.

Values

  • Cloud and local — Search for both types of printers.
  • Cloud only — Search for cloud printers.
  • Local only — Search for local printers.
Chrome OS 80 and higher
> Printer matching

Specifies how to search for a printer to use as the default printer. Only available if Print preview default is set to Define the default printer.

Values

  • Match by name — Search for the printer's name.
  • Match by ID — Search for the printer's ID.
Chrome OS 80 and higher
> Default printer

Specifies the name or ID of the printer to match as the default printer. The print preview dialog defaults to the first printer that matches. This policy has no effect on Android apps. Only available if Print preview default is set to Define the default printer.

Values

Enter a pattern that matches a printer name or ID.

The pattern is case-sensitive. Wildcards (.*) and number substitution (.$) are supported.

Examples:

  • office-north would match a printer named office-north.
  • office-.* would match printers named office-north or office-south.
  • office-floor.$-north would match printers named office-floor1-north or office-floor2-north.
Chrome OS 48 and higher
Printer management

Allows the device user to add local printers. For more details about printing on Chromebooks, see Manage local and network printers.

Values

  • Allow users to add new printers (default)
  • Do not allow users to add new printers
Chrome OS 67 and higher
Default color printing mode

Specifies whether to print in color or black and white by default. On individual print jobs, the device user can choose the color mode.

Values

  • Color (default)
  • Black and white
Chrome OS 72 and higher
Restrict color printing mode

Forces printing in color or black and white and prevents the device user from choosing the mode.

Values

  • Do not restrict color printing mode (default)
  • Color only
  • Black and white only
Chrome OS 71 and higher
Default page sides

Specifies how many paper sides to print on by default. Two-sided printing is only available on duplex and multi-function printers. On individual print jobs, the device user can choose whether to print on one or two sides.

Values

  • One-sided (default)
  • Short-edge two-sided printing
  • Long-edge two-sided printing
Chrome OS 72 and higher
Restrict page sides

Forces printing in one-sided (simplex) or two-sided (duplex) mode and prevents the device user from choosing the mode. Duplex mode only applies to duplex printers.

Values

  • Do not restrict duplex printing mode (default)
  • One-sided only
  • Two-sided only
Chrome OS 71 and higher
Background graphics printing default

Specifies whether to print background graphics by default. On individual print jobs, the device can choose whether to print background graphics.

Values

  • Disable background graphics printing mode by default
  • Enable background graphics printing mode by default
Chrome OS 79 and higher
Background graphics printing restriction

Forces whether to print background graphics and prevents the device user from choosing.

Values

  • Allow the user to decide (default)
  • Always require printing of background graphics
  • Do not allow printing of background graphics
Chrome OS 79 and higher
CUPS Print job information

Toggles tracking the user account and file name in print jobs that are sent using IPP over HTTPS (IPPS).

Values

  • Include user account and filename in job — The user account and file name are included in the IPPS print job header. If set, third-party printing features, such as secure printing and print-usage tracking, can also be used.

    IMPORTANT — This setting prevents printing on printers that do not support IPPS.
  • Do not include user account and filename in print job (default) — The user account and file name are not included in the IPPS print job header.

Chrome OS 72 and higher

IPPS printers only

Print job history retention period

Specifies how long the metadata for completed print jobs is stored on the Chromebook.

Values

Enter a period, in days.

To store indefinitely, enter -1. To disable storage, enter 0.

If this value is unset, the period is 90 days.

Chrome OS 79 and higher
Print job history deletion

Allows the device user to delete their print job history using the print management app or by deleting their browser history.

Values

  • Allow print job history to be deleted (default)
  • Do not allow print job history to be deleted
Chrome OS 85 and higher
Restrict PIN printing mode

Forces whether print jobs on PIN-compatible printers always require PIN authentication.

Values

  • Do not restrict PIN printing mode (default)
  • Always require PIN printing
  • Do not allow PIN printing

Chrome OS 75 and higher

Printers with PIN capability only

Default PIN printing mode

Toggles whether print jobs on PIN-compatible printers require PIN authentication by default.

Values

  • With PIN
  • Without PIN

Chrome OS 75 and higher

Printers with PIN capability only

Maximum sheets

Specifies the maximum number of sheets of paper a single print job can use.

Values

Enter a maximum number of sheets.

If this value is unset, no limit is applied.

Chrome OS 84 and higher
Default printing page size

Specifies the default page size. If the device user chooses a printer that doesn't support the page size defined by this policy, the policy is ignored.

Values

  • Letter
  • Legal
  • A4
  • Tabloid
  • A3
  • Custom — Enter the height and width, in millimeters. If you enter values not supported by the printer chosen by the device user, this policy is ignored.
Chrome OS 84 and higher
> Page width (in millimeters)

Specifies the custom page width. Only available if the Default printing page size policy is set to Custom.

Values

Enter the page width, in millimeters.

Chrome OS 84 and higher
> Page height (in millimeters)

Specifies the custom page height. Only available if the Default printing page size policy is set to Custom.

Values

Enter the page height, in millimeters.

Chrome OS 84 and higher
Print headers and footers

Forces printing headers and footers.

Values

  • Allow the user to decide (default)
  • Never print headers and footers
  • Always print headers and footers
Chrome OS 70 and higher
Blocked printer types

Disables printer types or destinations from being available for printing. Selecting all printer types effectively disables printing.

Values

Select the printer types to disable:

  • Zeroconf-based (mDNS + DNS-SD) protocol
  • Local printer — Also known as native printing destinations, and include destinations available to the local machine and shared network printers.
  • Extension-based — Also known as print provider destinations, and include any destination that belongs to a Chrome browser extension.
  • Google Cloud Print and 'Save to Google Drive'
  • Save as PDF
Chrome OS 80 and higher

User experience

Policy Description Supported system
Managed bookmarks

Defines a collection of bookmarks to push to Chrome browser. The bookmarks appear in a folder on the bookmarks bar on Chrome Browser. The device user can hide the folder, but they can't modify its contents. The default folder name for managed bookmarks is "Managed bookmarks", but it can be changed.

Manage bookmarks

Begin managing the bookmarks by clicking Add. The Manage Folders & Bookmarks dialog opens.

To add a folder:

  1. Click Add Folder.
  2. Choose a Parent folder for the new folder.
  3. Enter a new Folder Name.
  4. Click OK.

To add a bookmark:

  1. Click Add Bookmark.
  2. Choose a Parent Folder for the new bookmark.
  3. Enter a name for the bookmark in the Bookmark field.
  4. Enter the URL of the bookmark.
  5. Click OK.

To change a folder or bookmark:

  1. Select it.
  2. Click Modify.
  3. If you selected a folder, you can rename it and change its parent folder. If you selected a bookmark, you can rename it, changes its parent folder, and edit its URL.
  4. Click Save.

To reorder a folder or bookmark:

  1. Select it.
  2. Click or .

To delete a folder or bookmark:

  1. Select it.
  2. Click Delete.

Once you finish making changes, Save the bookmarks.

Chrome OS 37 and higher
Bookmark bar

Toggles the bookmarks bar on Chrome browser.

Values

  • Allow the user to decide (default)
  • Disable bookmark bar
  • Enable bookmark bar
Chrome OS 12 and higher
Shelf position

Specifies the position of the shelf.

Values

  • Allow the user to decide (default)
  • Bottom
  • Left
  • Right
Chrome OS 79 and higher
Shelf auto-hiding

Toggles the shelf automatic hiding behavior.

Values

  • Allow the user to decide (default)
  • Always auto-hide the shelf
  • Never auto-hide the shelf
Chrome OS 25 and higher
Bookmark editing

Allows the device user to add, edit, or remove items from the bookmarks bar on Chrome browser.

Values

  • Enable bookmark editing (default)
  • Disable bookmark editing
Chrome OS 12 and higher
Download location

Specifies the default download location on Chrome browser. This policy applies to downloaded files only—if the user saves a page or file, the save file dialog is used. This setting has no effect on Android apps. This policy has no effect on Android apps, which always download files to the default Downloads folder.

Values

  • Set local Downloads folder as default, but allow user to change — Downloads save to the Downloads folder unless the device user chooses a different default location.
  • Set Google Drive as default, but allow user to change — Downloads save to Google Drive unless the device user chooses a different default location.
  • Force Google Drive — Downloads save to Google Drive, and the device user can't select a different location. For Chrome version 90 and later, this setting has no effect on screenshots taken on Chrome OS. Screenshots save to the default Chrome OS downloads folder.
Chrome OS 64 and higher
Download location prompt

Specifies whether to ask the device user where to save each download on Chrome browser.

Values

  • Allow the user to decide (default) — The device user chooses whether they want to be asked where to save each download.
  • Do not ask the user (downloads start immediately) — The device user is never asked where they want to save each download.
  • Ask the user where to save the file before downloading — The device user is always asked where they want to save each download.
Chrome OS 35 and higher
Spell check

Toggles spell check on Chrome browser.

Values

  • Allow the user to decide (default) — The device user can enable spell check.
  • Disable spell check — Turn off spell check from all sources, and prevent the device user from enabling it. Selecting this setting makes the Spell check service policy have no effect.
  • Enable spell check — Turn on spell check and prevent the device user from disabling it. The device user can still disable spell check for individual languages, and if they disable it for all languages, then they effectively disable spell check.
Chrome OS 65 and higher
Spell check service

Toggles Google's online spell checking service, also known as Enhanced spell check in the Chrome browser settings. If the Spell check policy is set to Disable spell check, this policy has no effect.

Values

  • Allow the user to decide (default) — The device user can toggle Enhanced spell check in the Chrome browser settings.
  • Disable the spell checking web service — Chrome browser never uses Google's online service to check for spelling errors.
  • Enable the spell checking web service — Chrome browser always uses Google's online service to check for spelling errors.
Chrome OS 22 and higher
Google Translate

Toggle Google Translate on Chrome browser. When the browser detects that page content is in a different language than the one configured for the user account, it offers to translate it.

Values

  • Allow the user to decide (default)
  • Never offer translation
  • Always offer translation
Chrome OS 12 and higher
Alternate error pages

Toggles navigation suggestions when Chrome browser is unable to connect to an address. The browser suggests opening another page on the website, or to search for the page.

Values

  • Allow the user to decide (default)
  • Never use alternate error pages
  • Always use alternate error pages
Chrome OS 11 and higher
Developer tools

Allows the device user to access the developer tools on Chrome browser.

NOTE — If the device user has access to the Android Developer Options, they can enable them by opening the Settings app > About phone or Software information > tapping Build number seven times.

Values

  • Always allow use of built-in developer tools (default for unmanaged user accounts) — The device user can access the developer tools by all methods, including in extensions that are installed by policy. They can also access the Android Developer Options.
  • Allow use of built-in developer tools except for force-installed extensions (default for managed user accounts) — The device user can access the developer tools by all methods (keyboard shortcuts, menu entries, and context menu entries) in general, but not in extensions that are installed by policy. They can also can access the Android Developer Options.
  • Never allow use of built-in developer tools — The device user can't access the developer tools by any method or context, and can't access the Android Developer Options.If this value is unset, the device user can access the Android Developer Options.
Chrome OS 68 and higher
Payment methods

Allows websites check if the device user has stored payment methods on Chrome browser.

Values

  • Allow websites to check if the user has payment methods saved
  • Always tell websites that no payment methods are saved
Chrome OS 80 and higher
Emoji suggestions

Toggle emoji suggestions as the device user types.

Values

  • Enable emoji suggestions when users type (default) — Emoji suggestions appear as the device user types, and they can toggle the feature.
  • Disable emoji suggestions when users type — Emoji suggestions are disabled, and the device user can't enable the feature.
Chrome OS 86 and higher
Multiple sign-in access

Allow multiple user accounts to sign in at the same time. This setting allows device users to switch between multiple accounts on the Chromebook without having to sign out. To ensure that Chrome OS policies always apply to your users, use the Block multiple sign-in access for users in this organization setting. When any other setting is used, there is no guarantee that all policies apply to every user account.

IMPORTANT — To use Android apps, a user account must be both managed and primary (the first to sign in).

Values

  • Managed user must be the primary user (secondary users are allowed)
  • Unrestricted user access (allow any user to be added to any other user's session)
  • Block multiple sign-in access for users in this organization
Chrome OS 31 and higher
Sign-in to secondary accounts

Allows device users to switch between accounts in Chrome browser and Google Play, or sign ins to specific Google Workspace domains. If you allow devices users to only sign in to specific Google Workspace domains, or block them from signing in or out in the browser, you should also disable Incognito mode with the Incognito mode policy.

Values

  • Allow users to sign in to any secondary Google Accounts — Device users can sign in to other Google accounts in Chrome browser.
  • Block users from signing in or out of secondary Google Accounts — Device users can't sign in or out of Google accounts in Chrome browser.
  • Allow users to sign in to the Google Workspace domains set in below — Device users can only access Google services from accounts belonging to Google Workspaces domains specified by the Allowed domains policy.
Chrome OS 51 and higher
> Allowed domains

Specifies an allowlist of Google Workspace domains for user accounts. Make sure you list all of your organization's domains. Otherwise, device users might not have access to Google services. To see a list of your domains, click organization's domains under the domain list on the Google Admin console.

Values

To add a domain, enter it and click add. To remove a domain, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

To include consumer Google accounts, such as @gmail.com and @googlemail.com, add consumer_accounts to the list. You can also allow access to certain accounts and block access to others. For details, see Blocking access to consumer accounts.

Chrome OS 51 and higher
Unified Desktop (BETA)

Allows the device user to span an app across multiple displays.

Values

  • Make Unified Desktop mode available to user
  • Do not make Unified Desktop mode available to user (default)
Chrome OS 47 and higher
WebRTC event log collection

Allows Google services to call the Chrome API to collect WebRTC events for device users who have opted in. The initial value is inherited from Google Meet log upload settings. These logs help Google identify and resolve issues with audio and video meetings, and have no video or audio content from the meetings.

Values

  • Allow WebRTC event log collection — Allow Google to collect WebRTC event logs. To fully enable these event logs, you must also enable the Client logs upload policy on the Google Admin console.
  • Do not allow WebRTC event log collection — Block Google from collecting WebRTC event logs.
Chrome OS 70 and higher
Disabled system features

Specifies which system features to disable on the Chromebook. Use this policy to block the features listed below instead of using the URL blocking policy or blocking apps and extensions by ID. When the device user tries to use a disabled feature, a message tells them that it has been blocked by their administrator.

Values

Choose the features to disable:

  • Camera
  • Scanning (Chrome OS 87 and higher)
  • OS settings
  • Browser settings
Chrome OS 84 and higher
Dinosaur game

Toggles the dinosaur game easter egg.

Values

  • Allow users to play the dinosaur game when the device is offline on Chrome Browser, but not on enrolled Chrome OS devices — When the device is offline, the device user can't play the dinosaur game on enrolled Chrome devices, but they can play it on Chrome Browser.
  • Do not allow users to play the dinosaur game when the device is offline — When the device is offline, the device user can't play the dinosaur game.
  • Allow users to play the dinosaur game when the device is offline — When the device is offline, the device user can play the dinosaur game.
Chrome OS 48 and higher
Previously installed app recommendations

Toggles app recommendations in the launcher for apps that the device user installed on other devices. These results appear when the search box is empty.

Values

  • Show app recommendations in the Chrome OS launcher
  • Do not show app recommendations in the Chrome OS launcher
Chrome OS 75 and higher
Suggested content

Toggles online content recommendations in the launcher.

Values

  • Enable suggested content
  • Disable suggested contentIf this value is unset, online content is recommended to unmanaged device users, but not managed device users.
Chrome OS 85 and higher
URLs in the address bar

Toggles the page's full URL in the address bar on Chrome browser. This helps to protect the device user from some common phishing tactics.

Values

  • Display the default URL. Users may switch to the full URL, unless on a managed Chrome device
  • Display the default URL
  • Display the full URL
Chrome OS 86 and higher
Shared clipboard

Allows the device user to copy and paste text between different devices when Chrome sync is enabled and each device is signed in to the same Google account.

Values

  • Enable the shared clipboard feature (default)
  • Disable the shared clipboard feature
Chrome OS 79 and higher
Fullscreen mode

Allows fullscreen mode for user accounts, apps, and extensions with appropriate permissions.

Values

  • Allow fullscreen mode (default)
  • Do not allow fullscreen mode
Chrome OS 31 and higher
Fullscreen alert

Toggles whether a fullscreen alert shows when the device returns from sleep or dark screen in order to remind the the device user to exit fullscreen before entering their password.

Values

  • Enable fullscreen alert when waking the device (default)
  • Disable fullscreen alert when waking the device
Chrome OS 88 and higher
Show cards on the New Tab Page

Toggle the content cards on the New Tab Page. These cards remind the device about recent searches and are based on their browsing behavior.

Values

  • Allow the user to decide (default)
  • Do not show cards on the New Tab Page
  • Show cards on the New Tab Page if content is available
Chrome OS 88 and higher
Maximize window on first run

Toggles whether Chrome browser maximizes its first window on launch.

Values

  • Maximize the first browser window on first run
  • Default system behavior (based on screen size)
Chrome OS 43 and higher
Allow user feedback

Allows the device user to send feedback to Google on Chrome browser.

Values

  • Allow user feedback (default)
  • Do not allow user feedback
Chrome OS 77 and higher
Media recommendations

Toggle whether Chrome browser shows personalized media recommendations to the device user. These recommendations are based on the device user's browsing and search behavior.

Values

  • Show personalized media recommendations (default)
  • Do not show personalized media recommendations
Chrome OS 87 and higher

Connected devices

Policy Description Supported system
Smart Lock

Allows the device user to sign in or unlock the Chromebook with the aid of a paired Android device. If the Android device is unlocked and connected to the Chromebook through Bluetooth, the device user can sign in with one click.

Values

  • Allow Smart Lock (default for unmanaged user accounts)
  • Do not allow Smart Lock (default for managed user accounts)
Chrome OS 71 and higher
Instant Tethering

Allows the device user to use Instant Tethering, which automatically connects the Chromebook to a paired Android device through Wi-Fi in order to use its mobile data connection. The Android device must be in hotspot mode, and there must be no known Wi-Fi access points available nearby. Not all Chromebooks support Instant Tethering. See Chrome OS Devices Which Do Not Support Instant Tethering.

Values

  • Allow users to use Instant Tethering (default for unmanaged user accounts)
  • Do not allow users to use Instant Tethering (default for managed user accounts)
Chrome OS 60 and higher
Messages

Allows the device user to sync their SMS messages between their phone and the Chromebook.

Values

  • Allow users to sync SMS messages between their phone and Chromebook (default for unmanaged users)
  • Do not allow users to sync SMS messages between their phone and Chromebook (default for managed users)
Chrome OS 70 and higher
Click to Call

Allows the device user to share phone numbers from the Chromebook to an Android device.

Values

  • Allow the user to decide (default)
  • Do not allow users to send phone numbers from Chrome to their phone
  • Allow users to send phone numbers from Chrome to their phone
Chrome OS 79 and higher
Phone Hub

Allows the device user to control and receive select features and notifications on their Android phone from the Chromebook.

Values

  • Allow Phone Hub to be enabled (default for unmanaged user accounts)
  • Do not allow Phone Hub to be enabled (default for managed user accounts)
Chrome OS 89 and higher
> Notifications

Toggles pushing notifications from the phone to the Chromebook. Only available if the Phone Hub policy is set to Allow Phone Hub to be enabled.

Values

  • Allow Phone Hub notifications to be enabled (default)
  • Do not allow Phone Hub notifications to be enabled
Chrome OS 89 and higher
> Task continuation

Toggles passing the most recent Chrome browser tabs accessed on the phone to the Chromebook. Only available if the Phone Hub policy is set to Allow Phone Hub to be enabled.

Values

  • Allow Phone Hub task continuation to be enabled (default)
  • Do not allow Phone Hub task continuation to be enabled
Chrome OS 89 and higher

Accessibility

Policy Description Supported system
Spoken feedback

Toggles the screen reader, also known as ChromeVox.

Values

  • Allow the user to decide (default)
  • Disable spoken feedback
  • Enable spoken feedback
Chrome OS 29 and higher
Select to speak

Toggles selective screen reading, including text selections and sections of the screen.

Values

  • Allow the user to decide (default)
  • Disable select to speak
  • Enable select to speak
Chrome OS 77 and higher
High contrast

Toggles high contrast mode, which changes the font and background color scheme to make pages easier to read.

Values

  • Allow the user to decide (default)
  • Disable high contrast
  • Enable high contrast
Chrome OS 29 and higher
Screen magnifier

Toggles the screen magnification feature, which allows the device user to zoom in their screen by up to 20x.

Values

  • Allow the user to decide (default) — The device user chooses one of the settings below.
  • Disable screen magnifier — Screen magnification is disabled.
  • Enable full-screen magnifier — When magnification is active, the entire screen is zoomed in.
  • Enable docked magnifier — When magnification is active, the top-third of the screen shows a zoomed-in slice of the bottom two-thirds.
Chrome OS 29 and higher
Sticky keys

Toggles inputting key combinations separately and in sequence rather than simultaneously.

Values

  • Allow the user to decide (default)
  • Disable sticky keys
  • Enable sticky keys
Chrome OS 76 and higher
On-screen keyboard

Toggles the on-screen keyboard.

Values

  • Allow the user to decide (default)
  • Disable on-screen keyboard
  • Enable on-screen keyboard
Chrome OS 34 and higher
Dictation

Toggles speech-to-text input.

Values

  • Allow the user to decide (default)
  • Disable dictation
  • Enable dictation
Chrome OS 78 and higher
Keyboard focus highlighting

Toggles enhanced object highlighting during keyboard navigation.

Values

  • Allow the user to decide (default)
  • Disable keyboard focus highlighting
  • Enable keyboard focus highlighting
Chrome OS 78 and higher
Caret highlight

Toggles a ring around the caret (keyboard cursor) during typing.

Values

  • Allow the user to decide (default)
  • Disable caret highlight
  • Enable caret highlight
Chrome OS 87 and higher
Auto-click enabled

Toggles mouse clicking when the cursor stops moving.

Values

  • Allow the user to decide (default)
  • Disable auto-click
  • Enable auto-click
Chrome OS 78 and higher
Large cursor

Toggles a bigger mouse cursor.

Values

  • Allow the user to decide (default)
  • Disable large cursor
  • Enable large cursor
Chrome OS 29 and higher
Cursor highlight

Toggles a ring around the mouse cursor during mouse movement.

Values

  • Allow the user to decide (default)
  • Disable cursor highlight
  • Enable cursor highlight
Chrome OS 78 and higher
Primary mouse button

Specifies which mouse button performs primary interactions.

Values

  • Allow the user to decide (default)
  • Left button is primary
  • Right button is primary

If this value is unset, the left mouse button is primary.

Chrome OS 81 and higher
Mono audio

Toggles single-channel audio.

Values

  • Allow the user to decide (default)
  • Disable mono audio
  • Enable mono audio
Chrome OS 78 and higher
Accessibility shortcuts

Toggles the built-in accessibility shortcuts.

Values

  • Allow the user to decide (default)
  • Disable accessibility shortcuts
  • Enable accessibility shortcuts
Chrome OS 81 and higher
Accessibility options in the system tray menu

Toggle the accessibility options entry in the system tray menu. If accessibility options are enabled by other means, they still appear in the system menu tray.

Values

  • Allow the user to decide (default)
  • Hide accessibility options in the system tray menu
  • Show accessibility options in the system tray menu
Chrome OS 27 and higher
Image descriptions

Toggles automatically-generated labels for online images that lack descriptions such as alt text. This feature provides text descriptions for screen readers by sending image data to a Google service. No cookies or other user data is sent, and Google does not save or log any image content. For more details, see Get image descriptions on Chrome.

Values

  • Let users choose to use an anonymous Google service to provide automatic descriptions for unlabeled images (default)
  • Do not use Google services to provide automatic image descriptions
  • Use an anonymous service to provide automatic descriptions for unlabeled images
Chrome OS 84 and higher

Power and shutdown

Policy Description Supported system
Wake locks

Toggles wake locks, which is a power management feature that keeps the screen on or the CPU running when the Chromebook is in standby mode. This can be helpful if idle power conservation is undesirable, for example if the Chromebook requires a Wi-Fi connection to stay at full performance at all times. Extensions and apps can request wake locks through the power management extension API.

Values

  • Allow wake locks (default)
  • Do not allow wake locks
Chrome OS 71 and higher
> Screen wake locks

Toggles screen wake locks, which are a sub-type of wake lock requests that prevent the screen from dimming or locking when an extension or app is running. Only available if the Wake locks policy is set to Allow wake locks.

Values

  • Allow screen wake locks for power management (default)
  • Demote screen wake lock requests to system wake lock requests — Screen wake lock requests are treated like standard wake lock requests.
Chrome OS 28 and higher

Omnibox search provider

Policy Description Supported system
Search suggest

Toggles predictive search queries and suggestions in the address bar on Chrome browser.

Values

  • Allow the user to decide (default)
  • Never allow users to use search suggest
  • Always allow users to use search suggest
Chrome OS 11 and higher

Hardware

Policy Description Supported system
External storage devices

Allows the device user to connect and mount external storage devices on the Chromebook. These devices include:

  • External drives — USB flash drives, external hard drives, external optical drives
  • Memory cards — SD, MMC, other memory cards
  • MTP devices — Phones, cameras, media playersIf the device user attempts to mount an external drive when mounting is blocked, Chrome OS notifies them that the policy is in effect. This policy does not affect Google Drive or internal storage, such as files saved in the Download folder.

Values

  • Allow external storage devices — The Chromebook can read and write data from external storage devices.
  • Allow external storage devices (read-only) — The Chromebook can read data from external storage devices, but can't write data to it or format it.
  • Disallow external storage devices — The Chromebook can't mount external storage devices.
Chrome OS 22 and higher
Controls which websites can ask for USB access

Controls whether websites on Chrome browser can access USB devices connected to the Chromebook.

Values

  • Do not allow any site to request access — Websites can't ask for access to connected USB devices.
  • Allow sites to ask the user for access — Websites can ask for access to connected USB devices.
  • Allow the user to decide if sites can ask (default) — Websites can ask for access to connected USB devices. The device user can locally change this setting.
Chrome OS 67 and higher
> Allow these sites to ask for USB access

Specifies an allowlist of websites and domains on Chrome browser that can request access to connected USB devices without consent from the device user.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 68 and higher
> Block these sites from asking for USB access

Specifies a blocklist of websites and domains on Chrome browser that can't request access to connected USB devices. If a website or domain is not blocked, access is determined first by the Controls which websites can ask for USB access policy's setting, then by the device user's Chrome browser settings.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 68 and higher
Audio input (microphone)

Controls whether websites on Chrome browser can request access to the Chromebook's audio input devices.

Values

  • Prompt user to allow each time — Websites can ask for access to audio input devices.
  • Disable audio input — Websites can't access audio input devices. All Android apps are blocked from accessing the built-in microphone.

If this value is unset, websites can ask for access, but the device user can choose to block all requests.

Chrome OS 23 and higher
Audio input allowed URLs

Specifies an allowlist of websites and domains on Chrome browser that can access the Chromebook's audio input devices without consent from the device user. Patterns in this list will be matched against the security origin of the requesting URL.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

Chrome OS 29 and higher
Audio output

Toggles all audio output devices on the Chromebook. Audio output devices include:

  • Internal speakers
  • Connected audio devices — Headphone jack, Bluetooth, and other connectors

This policy has no effect on the Google Drive Android app.

Values

  • Enable audio output (default) — The Chromebook outputs audio. The device user can adjust audio controls.
  • Disable audio output — The Chromebook shows as muted. The audio controls are still available, but the device user can't adjust them.
Chrome OS 23 and higher
Built-in camera access

Controls whether websites on Chrome browser and apps can access the Chromebook's video input devices. Video input devices include:

  • Internal webcam
  • Connected video devices — USB, HDMI, Ethernet, Wi-Fi

Values

  • Enable camera input for websites and apps (default) — Websites and apps can ask for access to video input devices. The device user can choose to block all requests.
  • Disable camera input for websites and apps — Websites and apps can't access audio input devices.
Chrome OS 25 and higher
Video input allowed URLs

Specifies an allowlist of websites, domains, and apps that can access video capture devices without consent from the device user. Patterns in this list will be matched against the security origin of the requesting URL.

Values

To add a website, domain, or app ID, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Chrome OS 29 and higher
Keyboard

Specifies the behavior of the top row of keys on the keyboard.

Values

  • Treat top-row keys as media keys, but allow user to change (default)
  • Treat top-row keys as function keys, but allow user to change
Chrome OS 35 and higher
Serial Port API

Controls whether websites on Chrome browser can access serial ports available through the Web Serial API. If a website is not allowed or blocked, access is determined first by this policy, then by the device user's Chrome browser settings.

Values

  • Do not allow any site to request access to serial ports via the Serial Port API — Websites can't access serial ports on the Chromebook.
  • Allow sites to ask the user to grant access to serial ports via the Serial Port API — Websites can ask for access to serial ports.
  • Allow the user to decide (default) — Websites can ask for access to serial ports on the Chromebook. The device user can locally change this setting.
Chrome OS 86 and higher
> Allow the Serial API on these sites

Specifies an allowlist of websites and domains on Chrome browser that can request access to serial ports on the Chromebook.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Chrome OS 86 and higher
> Block the Serial API on these sites

Specifies a blocklist of websites and domains on Chrome browser that can't ask for access to serial ports on the Chromebook.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Chrome OS 86 and higher
Privacy screen

Toggles the integrated hardware privacy screen on supported Chromebooks.

Values

  • Allow the user to decide (default) — The privacy screen is disabled. The device user can locally change this setting.
  • Always disable the privacy screen
  • Always enable the privacy screen
Chrome OS 83 and higher
File system read access

Controls whether websites on Chrome browser can request read access to the file system on the Chromebook. If a website is not allowed or blocked, access is determined first by this policy, then by the device user's settings on Chrome browser.

Values

  • Allow the user to decide (default) — Websites can ask for read access to the file system. The device user can locally change this setting.
  • Allow sites to ask the user to grant read access to files and directories — Websites can ask for read access to the file system.
  • Do not allow sites to request read access to files and directories — Websites don't have read access to the file system.
Chrome OS 86 and higher
> Allow file system read access on these sites

Specifies an allowlist of websites and domains on Chrome browser that have read access to the file system without consent from the device user.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Chrome OS 86 and higher
> Block read access on these sites

Specifies a blocklist of websites and domains on Chrome browser that don't have write access to the file system on the Chromebook.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Chrome OS 86 and higher
File system write access

Controls whether websites on Chrome browser can request read access to the file system on the Chromebook. If a website isn't allowed or blocked, access is determined first by this policy, then by the device user's Chrome browser settings.

Values

  • Allow the user to decide (default) — Websites can ask for read access to the file system. The device user can locally change this setting.
  • Allow sites to ask the user to grant write access to files and directories — Websites can ask for read access to the file system.
  • Do not allow sites to request write access to files and directories — Websites don't have read access to the file system.
Chrome OS 86 and higher
> Allow write access to files and directories on these sites

Specifies an allowlist of websites and domains on Chrome browser that have write access to the file system without consent from the device user.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Chrome OS 86 and higher
> Block write access to files and directories on these sites

Specifies a blocklist of websites and domains on Chrome browser that don't have write access to the file system.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Chrome OS 86 and higher
Sensors

Controls whether websites on Chrome browser can access built-in motion and light sensors on the Chromebook. If a website is not allowed or blocked, access is determined first by this policy, then by the device user's Chrome browser settings.

Values

  • Allow sites to access sensors — Websites can access built-in sensors.
  • Do not allow any site to access sensors — Websites can't access built-in sensors.
  • Allow the user to decide if a site may access sensors (default) — Websites can ask for access to built-in sensors. The device user can locally change this setting.
Chrome OS 88 and higher
> Allow access to sensors on these sites

Specifies an allowlist of websites and domains on Chrome browser that can access built-in sensors without consent from the device user.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Chrome OS 88 and higher
> Block access to sensors on these sites

Specifies a blocklist of websites and domains on Chrome browser that can't access built-in sensors.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Chrome OS 88 and higher
Enterprise Hardware Platform API

Allows extensions added by a managed profile to use the Enterprise Hardware Platform API. This API handles requests from extensions for information about the Chromebook's manufacturer and model. This policy also affects Chrome browser component extensions.

Values

  • Allow managed extensions to use the Enterprise Hardware Platform API
  • Do not allow managed extensions to use the Enterprise Hardware Platform API
Chrome OS 71 and higher

User verification

Policy Description Supported system
Verified Mode

Controls whether Verified Access can attest the Chromebook if it boots in developer mode.

Values

  • Require verified mode boot for Verified Access — If the Chromebook boots into developer mode, it won't pass Verified Access.
  • Skip boot mode check for Verified Access — If the Chromebook boots into developer mode, it can pass Verified Access.
Chrome OS 33 and higher
> Service accounts which are allowed to receive user data

Specifies an allowlist of email addresses of service accounts that have full access to the Google Verified Access API. These are the service accounts created in the Google API Console.

Values

To add an account, enter it and click add. To remove one, click delete.

Chrome OS 33 and higher
> Service accounts which can verify users but do not receive user data

Specifies an allowlist of email addresses of service accounts that have limited access to the Google Verified Access API. These are the service accounts created in the Google API Console.

Values

To add an account, enter it and click add. To remove one, click delete.

Chrome OS 33 and higher

Chrome Safe Browsing

Policy Description Supported system
Help improve Safe Browsing

Toggles Extended Reporting for Safe Browsing on Chrome browser, which automatically sends some system information and page content to Google to help detect dangerous apps and websites.

Values

  • Allow the user to decide (default)
  • Disable sending extra information to help improve Safe Browsing
  • Enable sending extra information to help improve Safe Browsing
Chrome OS 66 and higher
Safe Browsing allowed domains

Specifies an allowlist of trusted websites and domains on Chrome browser. Safe Browsing will not check for phishing, malware, unwanted software, or password reuse for listed URLs, and its download protection service will not check downloads hosted on listed domains.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Chrome OS 86 and higher
Download restrictions

Prevents the device user from downloading dangerous files on Chrome browser, such as malware, infected files, or dangerous file types like SWF and EXE. For more information about Chrome's flags for potentially harmful files, see Google Chrome blocks downloads.

Values

  • No special restrictions (default) — Downloads are allowed. The browser warns the device user about websites identified as dangerous, but they can bypass the warning.
  • Block all malicious downloads — Downloads are allowed, except for those flagged as malware. Dangerous files are allowed. Recommended by Google.
  • Block dangerous downloads — Most downloads are allowed, except those flagged as dangerous.
  • Block potentially dangerous downloads — Downloads are allowed, except those flagged as potentially dangerous. The device user cannot bypass the warning.
  • Block all downloads — Downloads are blocked.
Chrome OS 61 and higher
Disable bypassing Safe Browsing warnings

Allows the device user to bypass Safe Browsing warnings and access deceptive or dangerous websites or download potentially harmful files on Chrome browser.

Values

  • Do not allow users to bypass Safe Browsing warnings — The device user can't bypass this setting.
  • Allow user to bypass Safe Browsing warnings (default) — Safe Browsing warnings can by bypassed. The device user can locally change this setting.
Chrome OS 22 and higher
Password alert

Toggles the password protection warning, which alerts the device user when they try to save their protected password on a dangerous website on Chrome browser.

Values

  • No password protection warning
  • Trigger on password reuse
  • Trigger on password reuse on phishing page (default)
Chrome OS 69 and higher
> URL for password change

Specifies the web address to show to the device user when they receive a warning to change their password on Chrome browser. This address should be a secure page that provides a salted and hashed password generation form. To help Chrome OS correctly capture the new password on this page, the page should follow the guidelines at Create amazing password forms.

Values

Enter a URL.

Chrome OS 69 and higher
> Login URLs

Specifies an allowlist of web pages where the device user will enter their enterprise password to sign in to their Google account. If a sign-in process is split across 2 pages, add the page that contains the password field. When the device user enters their password, a non-reversible hash is stored locally on the Chromebook and later used to detect password reuse. Make sure that the password change page that you specify follows these guidelines.

Values

To add a web page, enter it and click add. To remove one, click delete.

If this value is unset, the password protection service only captures the password hashes on https://accounts.google.com.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Chrome OS 69 and higher
SafeSites URL filter

Toggles the SafeSites URL filter on Chrome browser. This filter uses the Google Safe Search API to classify whether websites contain pornography.

Values

  • Do not filter sites for adult content (default for non-K-12 EDU domains)
  • Filter top level sites (but not embedded iframes) for adult content (default for K-12 EDU domains)
Chrome OS 69 and higher
Suppress lookalike domain warnings on domains

Specifies an allowlist of websites and domains that bypass Chrome browser's lookalike URL warnings. Lookalike websites are spoof and phishing websites with URLs that are made to look identical to those of familiar or popular safe websites. When one is detected, the browser warns the device user that the address might be a spoof.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Chrome OS 86 and higher
Sites with intrusive ads

Allows ads on websites that are known to have intrusive ads on Chrome browser.

Values

  • Allow ads on all sites (default)
  • Block ads on sites with intrusive ads
Chrome OS 65 and higher
Abusive Experience intervention

Allows websites that are flagged as containing abusive experience from opening new windows or tabs.

Values

  • Prevent sites with abusive experiences from opening new windows or tabs (default)
  • Allow sites with abusive experiences to open new windows or tabs
Chrome OS 65 and higher

Chrome updates

Policy Description Supported system
Component updates

Toggles automatic updates for Chrome browser components. Some components can't have automatic updates disabled, such as:

  • Components that don't contain executable code
  • Components that don't significantly alter the behavior of the browser
  • Components that are critical for its security will not be disabled
CAUTION — Disabling this policy may prevent the Chromebook from obtaining critical security fixes in a timely manner, and is therefore not recommended.

Values

  • Enable updates for all components (default)
  • Disable updates for components
Chrome OS 54 and higher

Virtual machines (VMs) and developers

Policy Description Supported system
Command line access

Toggles command line (CLI) tools on the virtual machine (VM) management console.

Values

  • Disable VM command line access
  • Enable VM command line access (default)
Chrome OS 77 and higher
Linux virtual machines (BETA)

Toggles the Crostini container technology, which provides support for running Linux containers on the Chromebook in order to run Linux apps. Once this policy if modified, it applies to new Linux containers, not to those already running.

NOTE — This feature is no longer in Beta for consumer Chrome OS devices. It remains in Beta for managed devices and users.

Values

  • Allow usage for virtual machines needed to support Linux apps for users — The device user can run Linux VMs as long as these additional policies are also set:
Virtual machines Always enable virtual machines
Linux virtual machines for unaffiliated users (BETA) Allow usage for virtual machines needed to support Linux apps for unaffiliated users
  • Block usage for virtual machines needed to support Linux apps for users (default) — The device user can't run Linux VMs.
Chrome OS 70 and higher
Port forwarding

Allows the device user to configure port forwarding into Linux containers.

Values

  • Allow users to enable and configure port forwarding into the VM container (default)
  • Do not allow users to enable and configure port forwarding into the VM container
Chrome OS 85 and higher
Android apps from untrusted sources

Toggles installation of Android apps from untrusted sources. This policy does not apply to apps on the Google Play store.

Values

  • Prevent the user from using Android apps from untrusted sources (default)
  • Allow the user to use Android apps from untrusted sources — The device user can install Android apps from untrusted sources, provided they also locally allow this setting.

Parallels© Desktop

Policy Description Supported system
Parallels Desktop

Toggles Parallels© Desktop for Chromebook to access Microsoft Windows apps and files on the Chromebook.

Values

  • Allow users to use Parallels desktop — Enables Parallels Desktop. When set, you must accept the end-user license agreement.
  • Do not allow users to use Parallels desktop — Disables Parallels Desktop.
Chrome OS 85 and higher
Parallels Desktop Windows image

The policy set for configuring the Windows OS image that the device user downloads on their Chromebooks in order to use Parallels Desktop.

Chrome OS 85 and higher
> URL

Specifies the address for the Windows image.

Values

Enter the URL.

Chrome OS 85 and higher
> SHA-256 hash

Specifies the SHA-256 hash of the Windows image.

Values

Enter the hash.

Chrome OS 85 and higher
Required disk space

Specifies the free disk space required for Parallels Desktop. When deciding on a value, you should take the size of your uncompressed Windows image and add how much space is needed for the additional data or apps you expect to install. If you set a required free disk space value and the Chromebook detects that the remaining space is smaller than that value, it cannot run Parallels Desktop.

Values

Enter the disk space, in gigabytes (GB).

If this value is unset, the default disk space is 20 GB.

Chrome OS 85 and higher
Diagnostic information

Toggles the generation and collection of event logs pertaining to Parallels Desktop usage. For details on the information collected in the logs, see Parallels Customer Experience Program.

Values

  • Enable sharing diagnostics data to Parallels
  • Disable sharing diagnostics data to Parallels
Chrome OS 85 and higher

Other settings

Policy Description Supported system
Policy fetch delay

Specifies the maximum delay between when a policy invalidation signal is received and the new policy is fetched from the device management service.

Values

Enter a delay, in milliseconds.

Valid values range from 1,000 (1 second) to 300,000 (5 minutes). Values above or below the range are clamped.

If this value is unset, the default delay is 10 seconds.

Chrome OS 30 and higher
Wi-Fi network configurations sync

Allows the device user to sync Wi-Fi network configurations between the Chromebook and a connected Android phone.

Values

  • Allow Wi-Fi network configurations to be synced across Google Chrome OS devices and a connected Android phone — Wi-Fi network configurations can be synced. The device user must first explicitly opt-in to this feature by completing a setup flow.
  • Do not allow Wi-Fi network configurations to be synced across Google Chrome OS devices and a connected Android phone —Wi-Fi network configurations can't be synced.
Chrome OS 89 and higher

Device

Enrollment and access

Policy Description Supported system
Powerwash

Allows the device user to factory reset the Chromebook.

Values

  • Allow users to trigger powerwash (default)
  • Do not allow users to trigger powerwash
Chrome OS 77 and higher
Verified access

Enables a web service that requests proof that the Chromebook is unmodified and policy-compliant. For more details on this topic, see Enable Verified Access with Chrome OS devices.

Values

  • Ensure devices in your organization will verify their identity to content providers using a unique key — Enables Verified Access on the Chromebook.
  • Do not require devices to verify their identity to content providers — Verified Access on the Chromebook. If set, some premium web content might be unavailable to the device user.
Chrome OS 33 and higher
Verified mode

Controls whether Verified Access can attest the Chromebook if it boots into developer mode. For more details, see Enable Verified Access with Chrome OS devices.

Values

  • Require verified mode boot for verified access — If the Chromebook boots into developer mode, it fails verification by Verified Access.
  • Skip boot mode for verified access — If the Chromebook boots into developer mode, it can be verified by Verified Access.
Chrome OS 33 and higher
> Services with full access

Specifies an allowlist of email addresses of Google service accounts with full access to the Google Verified Access API. These are the service accounts created on the Google Cloud Platform Console.

Values

To add an account, enter it and click add. To remove one, click delete.

Chrome OS 33 and higher
> Services with limited access

Specifies an allowlist of email addresses of Google service accounts with limited access to the Google Verified Access API. These are the service accounts created on the Google Cloud Platform Console.

Values

To add an account, enter it and click add. To remove one, click delete.

Chrome OS 33 and higher
Disabled device return instructions

Specifies a custom message to display on lost or stolen devices that have been disabled by an administrator. By default, a disabled device states that it's locked by an administrator, and this custom message displays below that statement.

Values

Enter the message text.

When unset, no custom message displays.

Integrated FIDO second factor

Allows 2-factor authentication (2FA) on devices with a Titan M security chip.

Values

  • Allow the user to device (default)
  • Disable integrated second factor
  • Enable integrated second factor
Chrome OS 76 and higher

Sign-in settings

Policy Description Supported system
Guest mode

Enables guest user sessions on the Chromebook.

Values

  • Disable guest mode — A Google Account or Google Workspace account must be used to sign in to the Chromebook. Default for K-12 EDU domains.
  • Allow guest mode — Device users can sign in to the Chromebook as a guest. Default for all other domains.
Chrome OS 12 and higher
Sign in restriction

Controls which device users can sign in to the Chromebook.

NOTE — If you allow guest sessions or managed guest sessions, users will be able to sign in to the device regardless of the restrictions chosen.

Values

  • Restrict sign-in to a list of users — Only allowed managed users set by the Allowed users policy can sign in to the Chromebook. Managed users not on the allowlist are shown an error message.
  • Allow any user to sign in — Any managed user can sign in to the Chromebook. The Add person button is available on the sign-in screen.
  • Do not allow any user to sign in — Nobody can sign in to the Chromebook. The Add person button is unavailable.
Chrome OS 94 and higher
> Allowed users

Specifies an allowlist of email addresses that can sign in to the Chromebook. Only available if the Sign-in restriction policy is set to Restrict sign-in to a list of users. If the list allows entire domains, the Add person button is always available on the sign-in screen. If the list allows specific user accounts, the Add person button is disabled when all of the accounts are signed in.

Values

To add an account, enter it and click add. To remove one, click delete.

You can allow all email addresses in a domain with the wildcard (*) token. For example, *@corp.example.com.

Chrome OS 94 and higher
Autocomplete domain

Specifies a default account domain name to present to device users on the sign-in page. If this policy is enabled, users don't need to enter the @domain.com part of their account name during sign-in.

Values

  • Use the domain name set the field below for autocomplete at sign in — Presents the domain name specified by the Autocomplete domain prefix policy to device users on the sign-in page.
  • Do not display an autocomplete domain on the sign-in screen (default)
Chrome OS 44 and higher
> Autocomplete domain prefix

Specifies the default account domain name to present to device users on the sign-in page. Only available if the Autocomplete domain policy is set to Use the domain name set the field below for autocomplete at sign in.

Values

Enter the domain name.

Chrome OS 44 and higher
Sign-in screen

Toggles cards on the sign-in screen that contain the names and profile pictures of user accounts that have previously signed in to the device. The device user can select the card representing their account to sign-in instantly. If 2-Step Verification is enabled, the sign in flow still requires the device user to provide a second factor.

Values

  • Always show usernames and photos (default) — Account cards are enabled, and the device user can select their account.
  • Never show usernames and photos — Account cards are disabled, and the device user must enter their credentials each time they sign in. If SAML single sign-on (SSO) is enabled and the SAML identity provider page opens, the page redirects to the SSO sign-in page without the device user having to enter their account name.
Chrome OS 12 and higher
Device wallpaper image

Sets the wallpaper on the sign-in screen.

Values

To add an image, click upload. To inspect the current image, click View. To remove the current image, click Delete.

The image file can be JPG or JPEG format and can't exceed 16 MB in size.

Chrome OS 61 and higher

Allows single sign-on (SSO) user accounts to sign in to internal websites and cloud services from your enterprise's identity provider on subsequent sign-ins. The Chromebook must have SAML SSO.

SAML SSO cookies transfer the first time the user account signs in on the Chromebook. If this policy is enabled, the cookies also transfer during subsequent sign-ins.

Cookies will not be transferred to Android apps on supported devices.

Values

  • Enable transfer of SAML SSO Cookies into user session during sign-in
  • Disable transfer of SAML SSO Cookies into user session during sign-in (default)
Chrome OS 38 and higher
Single sign-on camera permissions

Specifies an allowlist of third-party apps or services that can access the Chromebook's internal camera during SAML single sign-on (SSO). The Chromebook must have SAML SSO.

Values

To add an identity provider, enter it and click add. To remove one, click delete.

Chrome OS 52 and higher
Single sign-on client certificates

Specifies an allowlist of single sign-on (SSO) URL patterns for which Chrome browser automatically chooses the client certificate. When the browser connects to a site matching one of these patterns, if a valid client certificate is installed, it uses the certificate and skips the certificate selection prompt.

The ISSUER and CN values specify the common name of the certificate authority that client certificates must report as their issuer in order to be chosen. Devices must have SAML SSO.

Values

To add a URL pattern, enter it and click add. To remove one, click delete.

A URL pattern must be a JSON string with the following format:

{“pattern”:”https://www.example.com”,”filter”:{“ISSUER”:{“CN”:”certificate issuer name”}}}

The wildcard (*) token is supported, but the pattern can't consist of one wildcard on its own. Prefix a domain with [*.] to include all of its subdomains. Newline characters are not supported, and are stripped out if copy-pasted into the field.

Here are some example URL patterns:

{"pattern": "https://[*.]ext.example.com", "filter":{}}

{"pattern": "https://[*.]corp.example.com", "filter":{}}

{"pattern": "https://[*.]intranet.usercontent.com","filter": {}}

Chrome OS 65 and higher
Sign-in language

Controls the language displayed on the sign-in screen.

Values

  • Use the language of the last user session (default)
  • Choose a language — Select from a list of supported languages. For example, English (United States), Portuguese (Brazil) - Português (Brasil), Chinese (Simplified) - 简体中文, Korean - 한국어
Chrome OS 58 and higher
Single sign-on verified access

Specifies an allowlist of URL patterns of websites and endpoints that can perform verified access checks during SAML authentication on the sign-in screen. If a website matches an allowlisted pattern, it receives an HTTP header attesting device identity and device state.

If no URLs are added, no websites or endpoints can perform remote attestation on the sign-in screen.

Values

To add a URL pattern, enter it and click add. To remove one, click delete.

URLs must have HTTPS scheme. For example, https://example.com.

For details on the URL format, see Enterprise policy URL pattern format

Chrome OS 33 and higher
System info on sign-in screen

Allows the device user to toggle device system information on the sign-in screen, or displays it by default.

Values

  • Allow users to display system information on the sign-in screen by pressing Alt + V (default)
  • Do not allow users to display system information on the sign-in screen
  • Always display system information on the sign-in screen
Chrome OS 79 and higher
Privacy screen on sign-in screen

Toggles the privacy screen on the sign-in screen. Only applicable to Chromebooks with an integrated hardware privacy screen.

Values

  • Allow the user to decide (default)
  • Always disable the privacy screen on sign-in screen
  • Always enable the privacy screen on sign-in screen
Chrome OS 83 and higher
Show numeric keyboard for password input

Toggles the numeric keyboard for password input on Chromebooks with a touchscreen.

Values

  • Default to a numeric keyboard for password input — Enables the numeric keyboard by default. The device user can switch to the standard keyboard.
  • Default to a standard keyboard for password input (default)
Chrome OS 80 and higher

Sign-in screen accessibility

Policy Description Supported system
Spoken feedback

Toggles the screen reader, also known as ChromeVox. For more details about this feature, see Use the built-in screen reader and Use a braille device with your Chromebook.

Values

  • Allow the user to decide (default)
  • Disable spoken feedback
  • Enable spoken feedback
Chrome OS 29 and higher
Select to speak

Toggles selective screen reading, where only parts of the screen are read, such as text selections and certain sections. For more details about this feature, see Hear text read aloud.

Values

  • Allow the user to decide (default)
  • Disable select to speak
  • Enable select to speak
Chrome OS 77 and higher
High contrast

Toggles high contrast mode, which changes the font and background color scheme to make pages easier to read.

Values

  • Allow the user to decide (default)
  • Disable high contrast
  • Enable high contrast
Chrome OS 29 and higher
Screen magnifier

Toggles the screen magnification feature. For more details about this feature, see Zoom in or magnify your Chromebook screen.

Values

  • Allow the user to decide (default) — The device user chooses one of the settings below.
  • Disable screen magnifier — Screen magnification is disabled.
  • Enable full-screen magnifier — When magnification is active, the entire screen is zoomed in.
  • Enable docked magnifier — When magnification is active, the top-third of the screen shows a zoomed-in slice of the bottom two-thirds.
Chrome OS 29 and higher
Sticky keys

Toggles inputting key combinations one keypress at a time, without holding any keys down. For more details about this feature, see Use keyboard shortcuts one key at a time.

Values

  • Allow the user to decide (default)
  • Disable sticky keys
  • Enable sticky keys
Chrome OS 76 and higher
On-screen keyboard

Toggles the on-screen keyboard. For more details about this feature, see Use the on-screen keyboard.

Values

  • Allow the user to decide (default)
  • Disable on-screen keyboard
  • Enable on-screen keyboard
Chrome OS 34 and higher
Dictation

Toggles speech-to-text input. For more details about this feature, see Type text with your voice.

Values

  • Allow the user to decide (default)
  • Disable dictation
  • Enable dictation
Chrome OS 78 and higher
Keyboard focus highlighting

Toggles enhanced object highlighting during keyboard navigation of the sign-in screen.

Values

  • Allow the user to decide (default)
  • Disable keyboard focus highlighting
  • Enable keyboard focus highlighting
Chrome OS 78 and higher
Caret highlight

Toggles a ring around the caret (keyboard cursor) during typing.

Values

  • Allow the user to decide (default)
  • Disable caret highlight
  • Enable caret highlight
Chrome OS 87 and higher
Auto-click enabled

Toggles mouse clicking when the cursor stops moving. For more details about this feature, see Automatically click objects on your Chromebook.

Values

  • Allow the user to decide (default)
  • Disable auto-click
  • Enable auto-click
Chrome OS 78 and higher
Large cursor

Toggles a bigger mouse cursor.

Values

  • Allow the user to decide (default)
  • Disable large cursor
  • Enable large cursor
Chrome OS 29 and higher
Cursor highlight

Toggles a ring around the mouse cursor during mouse movement.

Values

  • Allow the user to decide (default)
  • Disable cursor highlight
  • Enable cursor highlight
Chrome OS 78 and higher
Primary mouse button

Specifies which mouse button performs primary interactions.

Values

  • Allow the user to decide (default)
  • Left button is primary
  • Right button is primary

If this value is unset, the left mouse button is primary.

Chrome OS 81 and higher
Mono audio

Toggles single-channel audio.

Values

  • Allow the user to decide (default)
  • Disable mono audio
  • Enable mono audio
Chrome OS 78 and higher
Accessibility shortcuts

Toggles the built-in accessibility shortcuts.

Values

  • Allow the user to decide (default)
  • Disable accessibility shortcuts
  • Enable accessibility shortcuts
Chrome OS 81 and higher

Device update settings

Policy Description Supported system
Variations

Enables the Chrome variations framework. If this policy is enabled, Google can selectively deliver security fixes and experimental features to Chrome OS.

CAUTION — Disabling variations significantly increases the risk of future security and compatibility issues and isn't recommended.

Values

  • Enable Chrome variations (default)
  • Enable variations for critical fixes only
  • Disable variations
Chrome OS 83 and higher

Display settings

Policy Description Supported system
Screen settings

Allows the device user to set the display resolution and scale factor.

Values

  • Allow users to overwrite predefined display settings (default)
  • Do not allow user changes for predefined display settings
Chrome OS 72 and higher
> External resolution

Sets the display resolution and scale factor for external displays.

Values

Chrome OS 72 and higher
> External display width (in pixels)

Specifies the width of the external display. This policy only applies if the External resolution policy is set to Use custom resolution.

Values

Enter the display width, in pixels.

If this value is unset or not supported, the display reverts to its native resolution.

Chrome OS 72 and higher
> External display height (in pixels)

Specifies the height of the external display. This policy only applies if the External resolution policy is set to Use custom resolution.

Values

Enter the display height, in pixels.

If this value is unset or not supported, the display reverts to its native resolution.

Chrome OS 72 and higher
> External display scale (percentage)

Specifies the scale of the external display. This policy only applies if the External resolution policy is set to Use custom resolution

Values

Choose a display scale:

  • Not set
  • 50%
  • 55%
  • 60%
  • 65%
  • 70%
  • 75%
  • 80%
  • 85%
  • 90%
  • 95%
  • 100%
  • 105%
  • 110%
  • 115%
  • 120%
  • 125%
  • 130%
  • 135%
  • 140%
  • 145%
  • 150%
Chrome OS 72 and higher
> Internal display scale (percentage)

Specifies the scale of the internal display. This policy only applies if the External resolution policy is set to Use custom resolution

Values

Choose a display scale:

  • Not set
  • 50%
  • 55%
  • 60%
  • 65%
  • 70%
  • 75%
  • 80%
  • 85%
  • 90%
  • 95%
  • 100%
  • 105%
  • 110%
  • 115%
  • 120%
  • 125%
  • 130%
  • 135%
  • 140%
  • 145%
  • 150%
Chrome OS 72 and higher

Power and shutdown

Policy Description Supported system
Power management

Controls whether the Chromebook should stay awake or go to sleep or shut down after no device user has signed in for some time.

Values

  • Allow device to sleep/shut down when idle on the sign-in screen (default)
  • Do not allow device to sleep/shut down when idle on the sign-in screen
Chrome OS 30 and higher
Reboot after uptime limit

Specifies the number of days the Chromebook remains powered on before it automatically restarts. If a user session is running when the time elapses, there is a grace period of 24 hours before restart. Only applicable to Chromebooks in kiosk mode and with a sign-in screen.

Values

    Enter the uptime duration, in days.

    If this value is unset, the Chromebook doesn't restart automatically.

Chrome OS 29 and higher
Allow shutdown

Controls whether users can use the keyboard, mouse, or screen to power off the Chromebook.

Values

  • Only allow users to turn off the device using the physical power button
  • Allow users to turn off the device using either the shut down button or the physical power button (default)
Chrome OS 41 and higher

Virtual machines

Policy Description Supported system
Linux virtual machines for unaffiliated users (BETA)

Controls whether unaffiliated device users can run Linux virtual machines on the Chromebook. Once this policy is modified, it applies to new Linux containers, not to those already running. For more details, see Linux virtual machines (BETA).

Values

  • Allow device to sleep/shut down when idle on the sign-in screen
  • Block usage for virtual machines needed to support Linux apps for unaffiliated (default)
Chrome OS 70 and higher
Android apps from untrusted sources

Allows the device user to install Android apps from untrusted sources. This policy does not apply to apps from Google Play.

Values

  • Prevent users of this device from using ADB sideloading (default) — Prevents the installation of Android apps from untrusted sources.
  • Block usage for virtual machines needed to support Linux apps for unaffiliated — Prevents the installation of Android apps from untrusted sources, and factory resets the Chromebook if ADB sideloading was previously allowed.
  • Allow affiliated users of this device to use ADB sideloading — The device user can install Android apps from untrusted sources, provided they also locally enable this setting.

Other settings

Policy Description Supported system
Device network hostname template

Specifies the hostname passed to the DHCP server in DHCP requests.

Values

Enter a hostname. If this value is set to a non-empty string, the string is used as the device's hostname during the DHCP request. The following string substitution tokens are supported:

  • ${ASSET_ID}
  • ${SERIAL_NUM}
  • ${MAC_ADDR}
  • ${MACHINE_NAME}
  • ${LOCATION}

The substitution should be a valid hostname per RFC 1035, section 3.1.

If this value isn't set or isn't valid, no hostname will be used in the DHCP request.

Chrome OS 65 and higher
Timezone

Configures the time zone settings on the device.

You can set up to two timezone policies:

Chrome OS 22 and higher
> System timezone

Sets the time zone on the Chromebook. Only available if the Timezone policy is locally applied.

Values

  • Keep as it is on device currently (default)
  • Select which timezone to set — Determines the time zone.
Chrome OS 22 and higher
> System timezone automatic detection

Controls how the Chromebook detects and sets the current time zone. Only available if the Timezone policy is locally applied.

Values

  • Let users decide (default) — The device user chooses how the time zone is set.
  • Always use coarse timezone detection — The Chromebook determines the time zone based on the geolocation of its public IP address.
  • Always send WiFi access-points to server while resolving — The Chromebook determines the time zone based on the geolocation of the Wi-Fi access point that it's connected to.
  • Send all location information — The Chromebook uses a combination of all of the information from the preceding values to determine the time zone.
Chrome OS 53 and higher
Mobile data roaming

Allows connecting to a mobile network maintained by a different carrier to access the Internet. Mobile data roaming must be allowed on the Chromebook, and roaming charges may apply.

Values

  • Allow mobile data roaming (default)
  • Do not allow mobile data roaming
Chrome OS 12 and higher
USB access

Specifies an allowlist list of USB devices that Chrome OS apps can access through the chrome.usb API.

Values

To add a USB device, enter the USB vendor identifier (VID) and product identifier (PID) as a colon-separated hexadecimal pair (VID:PID), and then click add. To remove one, click delete.

For example, to add a mouse with a VID of 046E and a PID of D626, enter 046E:D626.

Chrome OS 74 and higher
Bluetooth

Enables Bluetooth.

Values

  • Do not disable Bluetooth (default)
  • Disable Bluetooth

If the value is changed from Disable Bluetooth to Do not disable Bluetooth, the device must be restarted for the change to take effect.

If the value is changed from Do not disable Bluetooth to Disable Bluetooth, the change is immediate and no action is required.

Chrome OS 52 and higher
Bluetooth services allowed

Specifies an allowlist of Bluetooth services the Chromebook can connect to. This policy only applies if Bluetooth is enabled.

Values

Enter the UUID of the service, and click add. To remove one, click delete.

UUIDs can be in short form (abcd or 0xabcd) or long form (aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee).

If no values are specified, all services are allowed.

Chrome OS 91 and higher
Throttle device bandwidth

Controls device-level bandwidth consumption. If enabled, throttles all network interfaces on a device, including Wi-Fi, Ethernet, USB Ethernet adapters, USB cellular dongles, and USB wireless cards. All network traffic is also throttled, including OS updates.

This policy is only applicable to devices in managed guest session, kiosk, or user & browser mode running Chrome OS 56 or higher.

Values

  • Disable network throttling (default)
  • Enable network throttling
Chrome OS 56 and higher
> Download rate (kbits)

Specifies the maximum allowed download rate. This policy only applies if the Throttle device bandwidth policy is set to Enable network throttling.

Values

Enter a download rate, in kbps. The minimum speed allowed is 513 kbps.

Chrome OS 56 and higher
> Upload rate (kbits)

Specifies the maximum allowed upload rate. This policy only applies if the Throttle device bandwidth policy is set to Enable network throttling.

Values

Enter an upload rate, in kbps. The minimum speed allowed is 513 kbps.

Chrome OS 56 and higher
TPM firmware update

Allows the device user to update the Trusted Platform Module (TPM) firmware on the Chromebook.

NOTE — Updating the TPM firmware may factory reset the Chromebook. Repeated update failures may render it unusable.

For more details about how to install firmware updates, see Update your Chromebook's security

Values

  • Allow users to perform TPM firmware update
  • Block users from performing TPM firmware update (default)
Chrome OS 63 and higher
Authenticated Proxy Traffic

Sends system traffic through an Internet proxy server with authentication.

Values

  • Block system traffic from going through a proxy with authentication (default)
  • Allow system traffic to go through a proxy with authentication — All system traffic is sent through a proxy server and authenticated with the credentials of a service account. You can specify the credentials with the Username and Password sub-policies.

Notes:

  • Only HTTPS system traffic can be sent through the authenticated proxy.
  • If your network cannot support Chrome OS updates over HTTPS, see Authenticated Proxy Traffic and Update downloads.
  • The service account credentials specified by the Username and Password sub-policies only apply to system traffic. For browser traffic, the device user account credentials authenticate to the proxy.
> Username

Specifies the service account username used to authenticate system traffic. Only available if the Authenticated Proxy Traffic policy is set to Allow system traffic to go through a proxy with authentication.

Values

Enter the username.

> Password

Specifies the service account password used to authenticate system traffic. Only available if the Authenticated Proxy Traffic policy is set to Allow system traffic to go through a proxy with authentication.

Values

Enter the password.

System clock format

Specifies the clock format displayed on the sign-in screen and for managed guest sessions.

Values

  • Automatic, based on current language (default)
  • 12 hour clock format
  • 24 hour clock format
Chrome OS 30 and higher
Apps and extensions cache size

Specifies the amount of storage space used for caching installation of apps and extensions by multiple users of a single Chromebook.

Values

Enter the cache size, in bytes. Must be at least 1 MB (1048576 bytes). Leave empty for a default of 256 MB.

Chrome OS 43 and higher
Hardware profiles

Allows hardware profiles to be downloaded from Google servers.

Values

  • Allow hardware profiles to be downloaded from Google servers (default)
  • Disable hardware profile downloads from Google servers
Chrome OS 51 and higher
Low disk space notification

Enables notifications for low disk space. Applies to all users on the device. If the Chromebook is unmanaged or only has one user, the policy is ignored and low disk space notifications are always displayed.

Values

  • Show notification when disk space is low — Displays low disk space notifications for managed devices with multiple user accounts.
  • Do not show notification when disk space is low (default)
Chrome OS 86 and higher
Redeem offers through Chrome OS registration

Allows device users to redeem offers through Chrome OS registration.

Values

  • Allow users to redeem offers through ChromeOS registration (default)
  • Prevent users from redeeming offers through ChromeOS registration
Chrome OS 26 and higher
Debug network packet captures

Allows the device user to enable network packet captures on the Chromebook for debugging.

Values

  • Allow user to perform network packet captures (default)
  • Do not allow user to perform network packet captures
Chrome OS 92 and higher
Prompt when multiple certificates match on the sign-in screen

Specifies whether the device user is prompted to select a client certificate on the sign-in screen when the Single sign-on certificates policy matches multiple certificates from the certificate allowlist. For more details about certificates on Chrome OS, see Single sign-on client certificates.

If your enterprise uses Personal Identity Verification (PIV) cards for sign-in, the DriveLock Smart Card Middleware (CSSI) app parameter filter_auth_cert can be set to automatically filter authentication certificates. For details, see Auto-select certificates during sign-in.

This policy only applies if an allowlist has been specified in the Single sign-on certificates policy.

Values

  • Prompt the user to select the client certificate whenever the auto-selection policy matches multiple certificates on the sign-in screen
  • Do not prompt the user to select a client certificate on the sign-in screen (default)
Chrome OS 96 and higher

Apps and extensions

Additional settings

Policy Description Supported system
Android applications on Chrome devices

Allows Android apps to be installed on the Chromebook by the device user or a managed profile. For more details on how to deploy Android apps, see Deploy Android apps to managed users on Chrome OS devices.

Values

  • Do not allow (default)
  • Allow

See Chrome OS Systems Supporting Android Apps

Allowed types of apps and extensions

Specifies the app types to block the device user from installing.

Values

Choose which app types to block:

Chrome OS 25 and higher
App and extension install sources

Specifies an allowlist of sources from which the device user can directly install extensions, apps, and themes on Chrome browser. If a URL linking to a CRX file (Chrome extension) matches an allowlisted pattern, the browser will prompt the user to immediately install it.

NOTE — This policy has no effect on Android apps. To set policies for Android apps, see Deploy Android apps to managed users on Chrome OS devices.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Match patterns.

Chrome OS 21 and higher
Allow insecure extension packaging

Allows insecure extension packaging.

Values

  • Allow insecurely packaged extensions
  • Do not allow insecurely packaged extensions
Chrome OS 77 and lower
External extensions

Allows the installation of external extensions, which are extensions from outside the Chrome Web Store. For more information about deploying external extensions, see Alternative extension distribution options.

Values

  • Block external extensions from being installed
  • Allow external extensions to be installed
Chrome OS 80 and higher
Permissions and URLs

Specifies extensions to block based on the permissions they require. For details, see Block apps and extensions based on permissions.

Values

Choose which required permissions to use as a basis to block extensions. If an extension requires a chosen permission, it is blocked:

  • Alarms
  • Audio capture
  • Certificate provider
  • Clipboard read
  • Clipboard write
  • Context menus
  • Desktop capture
  • Document scan
  • Enterprise device attributes
  • Experimental APIs
  • Fullscreen apps
  • File browser handler
  • File system
  • File system provider
  • HID
  • Override fullscreen escape
  • Detect idle
  • Identity
  • Google cloud messaging
  • Geo location
  • Media galleries
  • Native messaging
  • Captive portal authenticator
  • Power
  • Notifications
  • Printers
  • Serial
  • Set proxy
  • Platform keys
  • Storage
  • Sync file system
  • CPU metadata
  • Memory metadata
  • Network metadata
  • Display metadata
  • Storage metadata
  • Text to speech
  • Unlimited storage
  • USB
  • Video capture
  • VPN provider
  • Web requests
  • Block web requests
Chrome OS 25 and higher
> Runtime blocked hosts

Specifies a blocklist of websites that apps and extensions can't modify. Modifications can include injecting Javascript, viewing and altering web requests, viewing and altering cookies, and making exceptions to the same-origin policy. Maximum of 100 URLs.

Values

To add a website, enter it and click add. To remove one, click delete.

The format of the pattern is a full URL up but not including the resource path. For example, *://*.example.com.

Chrome OS 25 and higher
> Runtime allowed hosts

Specifies an allowlist of websites that apps and extensions can modify. Modifications can include injecting Javascript, viewing and altering web requests, viewing and altering cookies, and making exceptions to the same-origin policy. Maximum of 100 URLs.

Values

To add a website, enter it and click add. To remove one, click delete.

The format of the pattern is a full URL up but not including the resource path. For example, *://*.example.com.

Chrome OS 25 and higher
Chrome Web Store app icon

Toggles the Chrome Web Store app link in the footer of the new tab page on Chrome Browser and in its app launcher.

Values

  • Do not show the Chrome Web Store icon in the Chrome OS launcher or on the new tab page
  • Show the Chrome Web Store icon in the Chrome OS launcher or on the new tab page
Chrome OS 68 and higher
Chrome Web Store homepage

Configure the home page of the Chrome Web Store for the device user.

Values

  • Use the default homepage (default) — The front page of the Chrome Web Store.
  • Use the Chrome Web Store collection — A custom collection of apps and extensions hosted on the Chrome Web Store that is tailored to your device users. For more details on custom collections, see Create a Chrome app collection.
  • Use a custom page — A custom page not hosted on the Chrome Web Store.
> Collection include private apps

Toggles whether all or only some private apps are available in your enterprise's collection. Private apps appear alongside public apps in the Chrome Web Store. Only available if the Chrome Web Store homepage policy is set to Use the Chrome Web Store collection.

Values

  • Include all private apps from this domain
  • Choose which apps are included in this collection
> Collection name

Specifies the name of your enterprise's custom collection as displayed on the page. Only available if the Chrome Web Store homepage policy is set to Use the Chrome Web Store collection.

Values

Enter a name.

> Collection URL

Specifies the path to your enterprise's custom collection page on the Chrome Web Store. The full URL would be https://chrome.google.com/webstore/path. Only available if the Chrome Web Store homepage policy is set to Use a custom page.

Values

Enter a path to the page.

Chrome Web Store permissions

Allows the device user to publish private apps that are restricted to your domain on the public Chrome Web Store. For more details, see Create a Chrome app collection and Create and publish custom Chrome apps & extensions.

Values

  • Allow users to publish private apps that are restricted to your domain on Chrome Web Store
  • Do not allow users to publish private apps that are restricted to your domain on Chrome Web Store
> Allow Web Store Publish Unverified

Allows the device user to publish private apps that are restricted to your domain but whose packaged URLs don't actually match the domain on the Chrome Web Store. Only available if the Chrome Web Store permissions policy is set to Allow users to publish private apps that are restricted to your domain on Chrome Web Store.

Values

  • Allow users to publish private hosted apps even if the domain name of the app's web_launch_url or app_url is not owned by the organization
  • Do not allow users to publish private hosted apps if the domain name of the app's web_launch_url or app_url is not owned by the organization
Android reporting for users and devices

Toggles the monitoring and reporting of Android app installations forced by policy. For more details on this reporting tool, see Monitor forced Android app installs.

Values

  • Enable Android reporting
  • Disable Android reporting