ChromeOS policies

Allows the device user to connect to networks through Wi-Fi.

Values

• Allow chrome users to use this network
• Do not allow chrome users to use this network

Allows managed devices to connect to networks through Wi-Fi.

Values

• Allow chrome devices to use this network
• Do not allow chrome devices to use this network

Toggles the settings for your Wi-Fi network.

Defines the display name of the network as shown on the Knox Manage console.

Values

Enter a name.

Enter the service set identifier (SSID) for your Wi-Fi network.

Specifies whether to broadcast your Wi-Fi network SSID.

Values

• This network doesn't broadcast its SSID
• This network does broadcast its SSID

Specifies whether devices can automatically connect to the network.

Values

• Automatically connect devices to this network
• Do not automatically connect devices to this network

Toggles the security settings for your Wi-Fi network.

Set a security type for your Wi-Fi network.

Values

• None
• WEP (Insecure) — If selected, the Passphrase field appears. You can enter a password for the network or leave it blank to keep the current password.
• WPA/WPA2 — If selected, the Passphrase field appears. You can enter a password for the network or leave it blank to keep the current password.
• WPA/WPA2 Enterprise (802.1X) — If selected, the Extensible Authentication Protocol (EAP) and Username fields appear. You can select an authentication protocol and set a username for it.
• Dynamic WEP (802.1X) — If selected, the Extensible Authentication Protocol (EAP) and Username fields appear. You can select an authentication protocol and set a username for it.

Enables the network's IP address to be configured on the device.

Values

• Yes
• No

Select a proxy type for your Wi-Fi network.

Values

• Direct internet connection — Enables websites to directly access all websites through the internet without use of a proxy server.
• Manual proxy configuration — Enables you to set a proxy server for some or all of your IP addresses and domains. For each proxy setting field, enter the server's host IP address and port number.
• Automatic proxy configuration — Enables you to set an autoconfiguration URL to use for automatic proxy configuration.
• Web proxy autodiscovery — Enables the device to decide what proxy to use.

Toggles the DNS settings for your Wi-Fi network.

Enables name servers to be configured on the device.

Values

• Yes
• No

Specifies how name servers are generated.

Values

• Automatic name servers
• Google name servers — For information, see the Google Public DNS website.
• Custom name servers — If set, set the domain values in the Custom name servers field that displays.

Allows the device user to connect to networks through Ethernet.

Values

• Allow chrome users to use this network
• Do not allow chrome users to use this network

Allows managed devices to connect to networks through Ethernet.

Values

• Allow chrome devices to use this network
• Do not allow chrome devices to use this network

Toggles the settings for your Ethernet network.

Defines the display name of the network as shown on the Knox Manage console.

Values

Enter a name.

Specifies the authentication type for your Ethernet network.

Values

• None
• Enterprise (802.1X)

Displays when you select Enterprise (802.1X) for Authentication.

Set the outer extensible authentication protocol (EAP).

Values

• PEAP — If selected, configure the network's inner EAP and outer identity and set a username, and optionally, a password and a server Certificate Authority.
• LEAP — If selected, set a username, and optionally, a password.
• EAP-TLS — If selected, set the EAP's maximum TLS version, a username, a client enrollment URL, and optionally, a server Certificate Authority. For the client enrollment URLs, each value you enter as an Issuer or Subject pattern needs to match the corresponding values you set in the server Certificate Authority, or the network doesn't use the certificate.
• EAP-TTLS — If selected, set a username. Optionally, configure the network's inner EAP and outer identity, as well as set a password and a server Certificate Authority.
• EAP-PWD — If selected, set a username, and optionally, a password.

Displays when you select Enterprise (802.1X) for Authentication.

Set the user name for the Extensible Authentication Protocol.

Enables the network's IP address to be configured on the device.

Values

• Yes
• No

Toggles the proxy settings for your Ethernet network.

Select a proxy type for your Ethernet network.

Values

• Direct internet connection — Enables websites to directly access all websites through the internet without use of a proxy server.
• Manual proxy configuration — Enables you to set a proxy server for some or all of your IP addresses and domains. For each proxy setting field, enter the server's host IP address and port number.
• Automatic proxy configuration — Sets the proxy server through a Proxy Server Auto Configuration file you upload.
• Web proxy autodiscovery — Enables the device to decide what proxy to use.

Toggles the DNS settings for your Ethernet network.

Enables name servers to be configured on the device.

Values

• Yes
• No

Specifies how name servers are generated.

Values

• Automatic name servers
• Google name servers — For information, see the Google Public DNS website.
• Custom name servers — If set, set the domain values in the Custom name servers field that displays.

Allows the device user to connect to the VPN network.

Values

• Allow chrome users to use this network
• Do not allow chrome users to use this network

Allows managed devices to connect to the VPN network.

Values

• Allow chrome devices to use this network
• Do not allow chrome devices to use this network

Toggles the settings for your VPN network.

Defines the display name of the network as shown on the Knox Manage console.

Values

Enter a name.

Enter the VPN's remote host name or IP address.

Enables devices to automatically connect to your VPN.

Values

• Automatically connect to this VPN
• Do not automatically connect to this VPN

Enables devices to automatically connect to the network.

Values

• L2TP over IPsec with Pre-Shared Key — Enter a username, a pre-shared key, and optionally, a password.
• Open VPN — Not available for networks that use TLS authentication. Specify the protocol, certificate authority, and optionally, a port. For the client enrollment URLs, each value you enter as an Issuer or Subject pattern needs to match the corresponding values you set in the server Certificate Authority, or the network doesn't use the certificate.

Specifies whether to save user credentials after initial connection to the VPN.

Values

• Yes
• No

Toggles the proxy settings for your VPN network.

Select a proxy type for your VPN network.

Values

• Direct internet connection — Enables websites to directly access all websites through the internet without use of a proxy server.
• Manual proxy configuration — Enables you to set a proxy server for some or all of your IP addresses and domains. For each proxy setting field, enter the server's host IP address and port number.
• Automatic proxy configuration — Sets the proxy server through a Proxy Server Auto Configuration file you upload. Enter the file URL in the autoconfiguration URL.
• Web proxy autodiscovery — Enables the device to decide what proxy to use.

Enables the network's IP address to be configured on the device.

Values

• Yes
• No

Toggles the DNS settings for your VPN network.

Enables name servers to be configured on the device.

Values

• Yes
• No

Specifies how name servers are generated.

Values

• Automatic name servers
• Google name servers — For information, see the Google Public DNS website.
• Custom name servers — If set, set the domain values in the Custom name servers field that displays.

Specifies the networks that devices can auto-connect to.

Values

• Allow all networks to connect
• Restrict users to only auto-connect to managed networks

Allows the device user from connecting to Wi-Fi networks.

Values

• Allow users to connect to networks not configured in this organizational unit
• Restrict users to only connect to Wi-Fi networks configured for this organizational unit
• Restrict users to only connect to Wi-Fi networks configured for this organizational unit, but only if such networks are in range of the device

Specifies the network interfaces that the device user can connect to.

Values

• wifi
• ethernet
• cellular
• vpn

Specifies device user session duration. The remaining session time is shown on a countdown timer in the system tray. After the specified time, the user account is automatically signed out and the session ends.

Values

Enter a session length, in minutes. The value can be 1–1440 (maximum 24 hours).

Sets the user account avatar on the login screen.

Values

To add an image, click . To inspect the current image, click View. To remove the current image, click Delete.

The image file can be JPG or JPEG format and can't exceed 512 KB in size.

Sets the desktop wallpaper.

Values

To add an image, click . To inspect the current image, click View. To remove the current image, click Delete.

The image file can be JPG or JPEG format and can't exceed 16 MB in size.

Toggles the Show password button on sign in and lock screens. This button makes the password visible as plain text while the device user enters their credentials.

Values

• Show the display password button on the login and lock screens
• Hide the display password button on the login and lock screens

Allows the device user to add secondary accounts to ChromeOS that are also managed accounts. When a managed account is added as a secondary account to the Google Play Store, Android apps, Chrome browser, and other platforms that use Chrome browser technology, the main user session and account history of ChromeOS are unaffected.

Values

• All usages of managed accounts are allowed (default) — The device user can add secondary accounts that are managed accounts to ChromeOS, as normal.
• Block addition of a managed account as secondary account (in-session) — The device user can't add secondary accounts that are managed accounts to ChromeOS.

ChromeOS 103 and higher

Not available for Education domains

Specifies which organization to enroll the Chromebooks in. Only applies when a Chromebook is first enrolled.

Values

• Place Chrome devicein user organization — When you first enroll a Chromebook, it's added to the organization that the enrolling user belongs to, and that organization's profile is applied. This setting is useful if you need to manually enroll many Chromebooks, as you won't need to manually move them into more specific organizations after enrollment.
• Keep Chrome device in current location — When you first enroll a Chromebook, it's added to the top-level organization in your enterprise, and that organization's profile is applied.

Allows the device user to add an asset ID and location for a Chromebook when they enroll it. If enabled, the Device information page pre-populates with data. If no data exists, the page's fields are blank. The user can edit or enter the Chromebook details before they complete enrollment.

Values

• Users in this organization can provide asset ID and location during enrollment
• Do not allow for users in this organization

Allows the device user to enroll new devices, re-enroll existing devices that have been enrolled, or re-enroll deprovisioned devices. Existing devices include wiped or factory-reset devices. Re-enrolling an existing device does not consume an upgrade.

Enrollment permissions only take effect on devices that have been configured to re-enroll with manual credential entry.

Values

• Allow users in this organization to enroll new or re-enroll existing devices (default) — The device user can enroll new devices and re-enroll existing devices that were wiped or factory reset, but not deprovisioned.
• Only allow users in this organization to re-enroll existing devices(cannot enroll new or deprovisioned devices) — The device user can re-enroll existing devices that were wiped or factory reset, but not deprovisioned.
• Do not allow users in this organization to enroll new or re-enroll existing devices — The device user can't enroll or re-enroll any device, including through forced re-enrollment.

Allows device users to end processes on the Task Manager.

Values

• Allow users to end processes with the Chrome task manage
• Block users from ending processes with the Chrome task manage

Toggles site isolation on Chrome browser.

Values

• Require site isolation for all websites, as well as any origins specified in below (default) — Every website is rendered by a separate, isolated process.
• Turn off site isolation for all websites, except those set in below — Only websites specified by the allowlist render in a separate, isolated process.

Specifies an allowlist of websites that aren't isolated on Chrome browser.

Values

To add a URL, enter it and click . To remove one, click .

The pattern matching for this policy differs from the typical enterprise URL pattern format. For full details, see IsolateOrigins.

Toggles the password manager on Chrome browser.

Values

• Allow the user to decide (default) — The device user can enable or disable the password manager.
• Never allow use of password manage — The password manager remembers and autofills prior saved passwords, but the device user can't add new passwords.
• Always allow use of password manage — The password manager always remembers and autofills passwords.

Toggles the lock screen.

Values

• Allow locking screen — Under conditions that would normally lock the screen, the screen locks.
• Do not allow locking screen — Under conditions that would normally lock the screen, including the system going to sleep, the system signs out the user account.

Allows the device user to unlock the system with the PIN and fingerprint methods, if configured. As a security best practice, you should avoid allowing PIN unlock on shared Chromebooks.

Values

Select which quick unlock methods to allow:

• PIN — The device user can unlock the Chromebook with a PIN.
• Fingerprint — The device user can unlock the Chromebook with a fingerprint scan.

Allows the device user to sign in to websites supporting WebAuthn using the PIN or fingerprint methods, if configured.

Values

• PIN — The device user can sign in to websites supporting WebAuthn with the PIN.
• FINGERPRINT — The device user can sign in to websites supporting WebAuthn with a fingerprint scan.
• All — The device user can sign in to websites supporting WebAuthn using either method.

If this value is unset, the device user can't use WebAuthn to sign in to applicable websites.

Toggles the PIN auto-submit feature on the sign in and lock screens. This feature displays a PIN-based UI, like that of a smartphone, and indicates how many digits are in the PIN.

Values

• Enable PIN auto-submit on the lock and login screen
• Disable PIN auto-submit on the lock and login screen

Toggles media playback while the Chromebook is locked.

Values

• Allow users to play media when the device is locked
• Do not allow users to play media when the device is locked

Specifies the duration of the idle timer on the Chromebook. This setting defines the time, in minutes, before the device goes to sleep or signs out the user account. Leave blank for system default.

Values

Enter an idle time in minutes.

Controls the Chromebook behavior when the idle time elapses.

Values

• Sleep (default) — Go to sleep.
• Logout — Sign out.
• Lock Screen — Lock.

Controls the Chromebook behavior when its lid is closed.

Values

• Sleep (default) — Go to sleep.
• Logout — Sign out.

• Lock Screen — Lock.

Controls the Chromebook behavior when it sleeps.

Values

• Allow user to configure (default) — The device user can locally change this setting.
• Don't lock screen — Doesn't lock.
• Lock screen — Lock.

Allows the device user to browse in Incognito mode on Chrome browser.

Values

• Yes (default)
• No

Toggles browsing history on Chrome browser.

Values

• Never save browser history
• Always save browser history (default)

Allows the device user to clear their Chrome browser data, including their browsing and download history.

Values

• Allow clearing history in settings menu
• Do not allow clearing history in settings menu

Toggles Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) checks for HTTPS certificates.

Values

• Perform online OCSP/CRL checks
• Do not perform online OCSP/CRL checks

Allows websites to track the Chromebook's location.

Values

• Allow sites to detect user's geolocation — Websites are granted location information. Android apps ask the device user for access to location information.
• Do not allow sites to detect users' geolocation — Websites aren't granted location information. Android apps cannot access location information.
• Always ask the user if a site wants to detect their geolocation — Websites ask the device user for access to location information. Android apps ask the device user for access to location information.
• Allow user to decide (default) — The device user can locally change this setting.

Toggles Security Assertion Markup Language (SAML) single sign-on (SSO) for the Chromebook.

Before you can enable this feature, you must set up third-party SSO for Google Workspace. For more details, see Set up SSO via a third party Identity provide.

Values

• Enable SAML-based single sign-on for Chrome devices
• Disable SAML-based single sign-on for Chrome devices (default)

Specifies the frequency of forced online sign-in for SAML-based single sign-on (SSO) accounts on the login screen. Before you can enable this feature, you must set up third-party SSO for Google Workspace. For more details, see Set up SSO via a third party Identity provide.

Values

Choose a frequency:

• Every day
• Every 3 days
• Every week
• Every 2 weeks (default)
• Every 3 weeks
• Every 4 weeks
• Every time
• Never

Specifies where the device user will be asked to sign in if their password changes, either on the sign-in screen only, or both the sign in and lock screens. This policy only applies when the SAML single sign-on password synchronization policy is configured.

Values

• Enforce online logins on the login and lock screen
• Only enforce online logins on the login screen (default)

Enables password syncing between different Chromebooks and notifications to upcoming changes to the device user's password.

Values

• Trigger authentication flows to synchronize passwords with SSO providers — Passwords sync between Chromebooks, and the device user can change their password when signed in and enable notifications that inform them of upcoming changes to the password.
• Do not trigger authentication flows for password synchronization (default — Passwords can't sync between Chromebooks.

Specifies an allowlist of URLs to exempt from certificate transparency enforcement. For more details, see CertificateTransparencyEnforcementDisabledForUrls.

Values

To add a URL, enter it and click . To remove one, click .

Only the host in the URL is matched. Wildcard hostnames are not supported.

Specifies an allowlist of certificate authority (CA) subjectPublicKeyInfo hashes that are exempt from certificate transparency enforcement. With this feature, Chrome browser can use non-public certificates issued to your organization by a CA. For more details, see CertificateTransparencyEnforcementDisabledForCas.

Values

To add a subjectPublicKeyInfo hash, enter it and click . To remove one, click .

For details on the hash syntax, see CertificateTransparencyEnforcementDisabledForCas.

Specifies an allowlist of legacy certificate authority (CA) subjectPublicKeyInfo hashes exempt from certificate transparency enforcement. These hashes must match a recognized Legacy CA. Legacy CAs are trusted by some OSs that run Chrome browser, but not ChromeOS or Android. With this feature, Chrome browser can use non-public certificates issued to your organization by a CA. For more details, see CertificateTransparencyEnforcementDisabledForLegacyCas.

Values

To add a subjectPublicKeyInfo hash, enter it and click . To remove one, click .

For details on the hash syntax, see CertificateTransparencyEnforcementDisabledForLegacyCas.

Allows the device user to import, edit, and remove certificate authority (CA) certificates.

Values

• Allow users to manage all certificates (default) — The device user can edit trust settings for all CA certificates, remove user-imported certificates, and import certificates.
• Allow users to manage user certificates — The device user can manage settings for user-imported certificates, but not edit trust settings for CA certificates.
• Disallow users from managing certificates — The device user can view CA certificates, but not manage them.

Allows the device user to manage client and device-wide certificates.

Values

• Allow users to manage all certificates (default) — The device user can manage all certificates.
• Allow users to manage user certificates — Users can manage user certificates, but not device-wide certificates.
• Disallow users from managing certificates — Users can view certificates, but not manage them.

Specifies the priority mode of the Intel Hyper-Threading Technology on the Chromebook's CPU.

Values

• Allow the user to decide (default)
• Optimize for stability
• Optimize for performance

Toggles the Chrome browser feature that checks for known leaked user credentials. This feature is only available in Safe Browsing mode.

Values

• Allow the user to decide (default)
• Disable Leak detection for entered credentials
• Enable Leak detection for entered credentials

Toggles the NTLM/Kerberos feature that provides HTTP authentication without credentials on Chrome browser during regular, guest, and Incognito sessions.

Values

• No policy set
• Enable in regular sessions only (default)
• Enable in regular and incognito sessions
• Enable in regular and guest sessions
• Enable in regular, incognito and guest sessions

ChromeOS 80 — Ambient authentication is enabled in all sessions

ChromeOS 81 and higher — If the policy is unset, ambient authentication is enabled during regular sessions

Toggles warnings from Chrome browser when it detects that it's running on an unsupported OS or hardware.

Values

• Suppress warnings when Chrome is running on an unsupported system
• Allow Chrome to display warnings when running on an unsupported system (default)

Toggles whether device users enrolled in the Advanced Protection program on Chrome browser receive the extra protections provided by the program.

Values

• Users enrolled in the Advanced Protection program will receive extra protections (default)
• Users enrolled in the Advanced Protection program will only receive standard consumer protections

Specifies an allowlist of websites and domains that bypass insecure origin restrictions on Chrome browser. Allowlisted origins and websites are not labeled Not Secure in the address bar.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Controls the default behavior on Chrome browser for interactions between pages and pop-ups opened with a target of _blank.

Values

• Block popups opened with a target of _blank from interacting with the page that opened the popup (default) — A page that opens a pop-up with a target of _blank must explicitly opt in to interact with the popup.
• Allow popups opened with a target of _blank to interact with the page that opened the popup — A page that opens a popup with a target of _blank interacts with the pop-up, unless it explicitly opts out of the interaction.

Specifies the behavior when the device user's smart card security token is removed from the Chromebook. This policy only applies when sessions on the Chromebook are configured for smart cards.

Values

• Nothing (default) — No action is taken.
• Log the user out — The account is signed out. This setting makes the Removal notification duration (seconds) policy available.
• Lock the current session — The session is locked until re-authenticated using the smart card. This setting makes the Removal notification duration (seconds) policy available.

Enables WebSQL in non-secure contexts. WebSQL in non-secure contexts will be disabled by default in ChromeOS 109 and will become unavailable starting in ChromeOS 110. This policy and its sub-policies also apply to managed guest session devices.

Values

• Enable WebSQL in non-secure contexts
• Disable WebSQL in non-secure contexts unless enabled by Chrome flag

Specifies the duration to display a notification describing the impending action upon smart card removal. The notification informs the device user that they will be signed out or their session will lock after the specified period, and blocks them from interacting with the system. After the notification expires, the action chosen in the Security token removal policy is performed. The device user can prevent the action by re-inserting the security token before the notification expires.

Values

Enter the notification duration, in seconds.

If this value is unset or 0 , the notification is disabled, and the chosen action performs immediately.

Allows the device user to dismiss any compromised password alerts they receive when signing in.

Values

• Allow dismissing compromised password alerts (default)
• Prevent dismissing compromised password alerts

If this setting is unset or enabled, the device user can dismiss or restore the compromised password alerts.

Specifies an allowlist of web apps that can use the getDisplayMediaSet API to automatically screen capture multiple screens simultaneously without the device user's permission. This policy and its sub-policies also apply to managed guest session devices.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Enables Chrome Browser to encrypt ClientHello messages and sensitive fields. Enabling this policy allows supported websites to avoid leaking sensitive data by using a HTTPS RR DNS record. Chrome Browser's use of ECH is subject to its evolution as a protocol. This policy and its sub-policies also apply to managed guest session devices.

Values

• Enable the TLS Encrypted ClientHello experiment
• Disable the TLS Encrypted ClientHello experiment

If this value is unset or enabled, Chrome Browser defaults to the standard Encrypted ClientHello (ECH) rollout process.

Specifies an allowlist of domain names for remote access clients, and prevents the device user from changing the setting on the Chromebook. Only clients from the specified domains can connect to the host device.

Values

To add a domain, enter it and click . To remove one, click .

If this value is unset, the host allows connections from authorized users from any domain.

For details on the URL format, see Enterprise policy URL pattern format.

Specifies an allowlist of domain names that are imposed on remote access hosts, and prevents the device user from changing the setting on the Chromebook. Only hosts with accounts registered on an allowlisted domain name can be shared.

Values

To add a domain, enter it and click . To remove one, click .

If this value is unset, hosts can be shared through any user account.

For details on the URL format, see Enterprise policy URL pattern format.

Toggles the use of Session Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT (TURN) servers when remote clients try to establish a connection to the Chromebook. This policy and its sub-policies also apply to managed guest session devices.

Values

First field:

• Enable firewall traversal (default) — Allow remote clients to discover and connect to the Chromebook if they are separated by a firewall.
• Disable firewall traversal — Don't allow remote clients to discover and connect to the Chromebook if they are separated by a firewall. If this setting is applied and outgoing UDP connections are filtered by the firewall, the Chromebook only allows connections with client machines within the local network.

Second field:

• Enable the use of relay servers (default) — Allow connections to peers and data transfer without a direct connection when a firewall is in place.
• Disable the user of relay servers — Only allow connections to peers and data transfer with a direct connection when a firewall is in place.

Restricts the UDP port range used by the remote access host in the Chromebook.

Values

Enter a range of UDP ports, from minimum to maximum. For example, 12400–12409.

If this value is unset, any port can be used.

Toggles the Sign out button on the shelf.

Values

• Show logout button in tray
• Do not show logout button in tray (default)

Allows Kerberos single sign-on for internal resources that support Kerberos authentication. Internal resources might include websites, file shares, certificates, and so on.

Values

• Enable Kerberos
• Disable Kerberos

Toggles the automatic addition of a Kerberos account.

Values

• Do not automatically add a Kerberos account (default)
• Automatically add a Kerberos account — If set, the name of the principal added is defined by the Principal name policy.

Specifies the Kerberos principal to automatically add on behalf of the device user. This policy applies if the Enable Kerberos automatically policy is set to Automatically add a Kerberos account.

Values

Enter a principal name. The following string substitution tokens are supported:

• ${LOGIN_ID} — The username part of principal name. For example, if the user signs in as alex@realm the username is alex.
• ${LOGIN_EMAIL} — The full principal name.

Applies a custom Kerberos configuration.

Values

• Use default Kerberos configuration (default)
• Customize Kerberos configuration — Customize the Kerberos configuration with the values defined by the Kerberos configuration policy.

Define one or more Kerberos configuration option overrides. For a list of supported options, see Configure how to get tickets.

Values

To add a configuration override, enter it and click . To remove one, click .

Allow the device user to let ChromeOS remember Kerberos passwords.

Values

• Allow users to remember Kerberos passwords — ChromeOS automatically fetches Kerberos tickets unless additional authentication, such as two-factor, is required.
• Do not allow users to remember Kerberos passwords — ChromeOS doesn't remember Kerberos passwords and removes all previously stored passwords.

Allow the device user to manage Kerberos accounts.

Values

• Allow users to add Kerberos accounts (default) — The device user can add, modify, and remove Kerberos accounts.
• Do not allow users to add Kerberos accounts — The device user can't manage Kerberos. Kerberos accounts can only be set by device policies.

Specifies how ChromeOS connects to the internet. Android apps on Chromebooks have access to, or are made aware of, a subset of proxy settings, but there is no guarantee that a particular app uses them. Typically, apps using Android System WebView or the built-in network stack do so. Android apps receive different information based on the setting you choose.

Values

• Allow user to configure (default) — ChromeOS uses a direct connection by default. The device user can configure the connection settings to connect to a proxy server. Android apps are provided with the HTTP proxy server address and port, if the user configures one.
• Never use a proxy — ChromeOS always uses a direct connection. Android apps are made aware that no proxy is configured.
• Always auto detect the proxy — ChromeOS uses the Web Proxy Auto-Discovery Protocol (WPAD) to determine which proxy server to connect to. Android apps are made aware of the script URL http://wpad/wpad.dat. No other part of WPAD is used.
• Always use the proxy specified in below — ChromeOS connects to the specified proxy server. Android apps are provided with the HTTP proxy server address and port. Enter the URL of the proxy server in the Proxy server URL policy, which becomes available when you choose this setting. The URLs which bypass the proxy policy also becomes available, which lets you specify URLs to connect to directly.
• Always use the proxy auto-config specified in below — ChromeOS follows the proxy connection schema defined in a Proxy Auto-Configuration (PAC) file. Android apps are made aware of the URL of the PAC file. Enter the URL of the PAC file in the Proxy server auto configuration file URL, which becomes available when you choose this setting.

Specifies the address of the proxy server. Only available if the Proxy mode policy is set to Always use the proxy specified in below.

Values

Enter the URL as IP address:port, for example 192.168.1.1:3128 .

Specifies an allowlist of websites and domains that bypass the proxy server. Only available if the Proxy mode policy is set to Always use the proxy specified in below.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

The URL address of the PAC file to use to configure network connections. Only available if Proxy mode policy is set to Always use the proxy auto-config specified in below.

Values

Enter the URL to the PAC file.

Specifies whether ChromeOS can bypass a configured proxy server for captive portal authentication. Some examples of captive portal pages are landing or sign-in pages where users are prompted to accept terms or sign in before Chrome browser detects a successful internet connection.

Values

• Ignore policies for captive portal pages — Chrome browser opens captive portal pages in a new window and ignores all settings and restrictions that are configured for the current user.
• Keep policies for captive portal pages (default) — Chrome browser opens captive portal pages in a new browser tab and applies the current user's policies and restrictions.

Specifies which HTTP authentication schemes are supported by Chrome browser. When a server or proxy accepts multiple authentication schemes, the supported authentication scheme with the highest security is used. You can override the default behavior by enabling specific authentication schemes.

Values

• Basic — User credentials are required, but are unencrypted. The least secure method.
• Digest — User credentials are required, and use simple encryption. More secure than basic.
• NTLM (NT LAN Manager) — A challenge-response scheme that uses Microsoft's NTLM technology. More secure than digest.
• Negotiate — A challenge-response scheme that uses the Kerberos protocol. More secure than NTLM.

If this value is unset, all four schemes are used.

Toggles the basic authentication scheme over a non-secure HTTP connection on Chrome browser.

Values

• Basic authentication scheme is allowed on HTTP connections (default)
• HTTPS is required to use Basic authentication scheme

Toggles NTLMv2 authentication.

Values

• Enable NTLMv2 authentication (default)
• Disable NTLMv2 authentication

Specifies the minimum internet security protocol required in connections on Chrome browser.

Values

• TLS 1.0
• TLS 1.1
• TLS 1.2
• SSL3

Specifies whether the device user can bypass SSL warnings when connecting to a page on Chrome browser.

Values

• Allow users to click through SSL warnings and proceed to the page (default)
• Block users from clicking through SSL warnings

Specifies an allowlist of origins for which the device user can bypass SSL warnings when connecting to a page on Chrome browser. This policy is ignored if the SSL error override policy is set to Allow users to click through SSL warnings and proceed to the page.

Values

To add an origin, enter it and click . To remove one, click .

The path portion of the URL is ignored.

For details on the URL format, see Enterprise policy URL pattern format.

Restricts use of the UDP protocol with Web Real-Time Communication (WebRTC) to a specified port range on Chrome browser.

Values

• Allow WebRTC to pick any UDP port (1024-65535) (default) — All ports are allowed.
• Specify range of UDP ports allowed for WebRTC — A port range determines the allowed ports. This setting makes the Minimum value for allowed UDP ports and Maximum value for allowed UDP ports policies available.

Specifies the lowest UDP port in the allowed range for WebRTC. Only available if the WebRTC UDP ports policy is set to Specify range of UDP ports allowed for WebRTC.

Values

Enter the lower port.

The absolute minimum is port 1024. This value must be lower than the maximum.

Specifies the highest UDP port in the allowed range for WebRTC. Only available if the WebRTC UDP ports policy is set to Specify range of UDP ports allowed for WebRTC.

Values

Enter the upper port.

The absolute maximum is port 65535. This value must be higher than the minimum.

Specifies an allowlist of websites and domains that can view your local IPs as WebRTC Interactive Connectivity Establishment (ICE) candidates. Patterns in this list will be matched against the security origin of the requesting URL. If a match is found, the local IP addresses are shown in ICE candidates. Otherwise, local IP addresses are concealed with mDNS hostnames.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Toggles the Quick UDP Internet Connections (QUIC) protocol on Chrome browser.

Values

• Enable (default)
• Disable

Toggles the Chrome browser's built-in DNS client.

Values

• Use the built-in DNS client on macOS, Android and ChromeOS. Allow the user to change the setting (default)
• Never use the built-in DNS client
• Always use the built-in DNS client if available

Specifies an allowlist of server domains for Integrated Windows Authentication (IWA). When Chrome browser gets an authentication challenge from a proxy or server in this allowlist, integrated authentication turns on.

Values

To add a domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Specifies an allowlist of servers that can be used for Kerberos authentication.

Values

To add a server, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Specifies whether to respect the Key Distribution Center (KDC) policy that delegates Kerberos tickets.

Values

• Respect KDC policy
• Ignore KDC policy (default)

Specifies the source of the name used to generate the Kerberos service principal name (SPN).

Values

• Use original name entered
• Use canonical DNS name (default)

Specifies whether the generated Kerberos service principal name (SPN) includes a non-standard port.

Values

• Include non-standard port
• Do not include non-standard port (default)

Allows third-party content on a page to prompt the device user for HTTP basic authentication on Chrome browser.

Values

• Allow cross-origin authentication (default)
• Block cross-origin authentication

Allows websites that are not cross-origin isolated to use SharedArrayBuffers.

Values

• Allow sites that are not cross-origin isolated to use SharedArrayBuffers
• Prevent sites that are not cross-origin isolated to use SharedArrayBuffers

Allows the Chrome browser to fulfill requests by servers for User-Agent client hints —identifying information about itself and the Chromebook.

Values

• Allow User-Agent client hints (default)
• Disable User-Agent client hints

Allows Chrome browser to access pages served on a Signed HTTP Exchange.

Values

• Accept web content server as Signed HTTP Exchanges (default)
• Prevent Signed HTTP Exchanges from loading

Toggles limiting the scope of Chrome browser's global cache of HTTP server authentication credentials. This policy is intended to give organizations that depend on legacy authentication methods time to update their sign-in procedures. Google plans to remove it in the future.

Values

• HTTP authentication credentials entered in the context of one site will automatically be used in the context of another — All cached HTTP user authentication credentials are shared. This setting makes the device user vulnerable to cross-site-tracking schemes where malicious pages add entries to the HTTP authentication cache by embedding credentials ino URLs.
• HTTP authentication credentials are scoped to top-level sites (default) — Cached HTTP authentication credentials are only shared within a top-level website. If two different websites use resources from the same authenticating domain, credentials need to be provided independently in the context of both websites. Cached proxy credentials are reused across websites.

Controls whether Chrome always performs revocation checks on validated server certificates that are signed by locally-installed CA certificates. If Chrome can't retrieve any revocation status information on a certificate, it treats it as revoked.

Values

• Perform revocation checks for successfully validated server certificates signed by locally installed CA certificates
• Use existing online revocation-checking settings (default)

Specifies an allowlist of hostnames that bypass the HTTP Strict Transport Security (HSTS) policy, which forces Chrome browser to only access websites that provide HTTPS encryption.

Values

To add a hostname, enter it and click . To remove one, click .

Only enter single-label hostnames. Hostnames must be canonical, IDNs must be in A-label representation, and all ASCII letters must be lowercase. An entry only applies to the hostname specified, and not to subdomains of that hostname.

Toggles DNS interception checking on Chrome browser, which tests to see if the connection is behind a proxy that redirects unknown hostnames.

Values

• Perform DNS interception checks (default)
• Do not perform DNS interception checks

Toggles treating a single-word query in the omnibox as a hostname rather than a search term on Chrome browser. When enabled, if the device user searches for a single word, Chrome browser issues a DNS request for the term as a hostname, and then asks the user if they want to try and connect to the query as a URL rather than search for it. An example would be a search for calendar that matches an internal host http://calendar/ .

If your network resolves every DNS request for a single-word host, you should allow interception checks with the DNS interception checks enabled policy. However, this Intranet Redirection Behavior policy is more flexible because with it you can also enable the prompt (infobar) that the device user sees.

Values

• Use default browser behavior (default) — DNS interception checks and intranet redirect suggestions are enabled. Google plans to deprecate this setting in the future.
• Disable DNS interception checks and did-you-mean "http://intranetsite/" infobars — Chrome treats a single-word query as a search, and does not check whether hostnames are being redirected by the DNS.
• Disable DNS interception checks; allow did-you-mean "http://intranetsite/" infobars — Chrome asks the device user whether it should redirect their single-word query to a hostname, and does not check whether hostnames are being redirected by the DNS.
• Allow DNS interception checks and did-you-mean "http://intranetsite/" infobars — Chrome asks the device user whether it should redirect their single-word query to a hostname, and checks whether hostnames are being redirected by the DNS.

Toggles Web Proxy Auto-Discovery (WPAD) optimization on Chrome browser. WPAD helps automatically locate and interface with cache services in a network, speeding up content delivery to the browser.

Values

• Enable Web Proxy Auto-Discovery (WPAD) optimization (default)
• Disable Web Proxy Auto-Discovery (WPAD) optimization

Controls whether usernames and passwords are used to authenticate to a managed proxy secured with NTLM authentication.

Values

• Use login credentials for network authentication to a managed proxy — Credentials are used. If authentication fails, the device user is prompted to enter their username and password.
• Don't use login credentials for network authentication — Credentials aren't used.

Allows outbound connections on select ports that are normally restricted on the Chromebook. This policy is intended as a temporary workaround for errors with code ERR_UNSAFE_PORT when migrating a service running on a blocked port to a standard port such as port 80 or 443.

Overrides the --explicitly-allowed-ports command-line option.

Values

• port 554 (expires 2021/10/15)
• port 6566 (expires 2021/10/15)
• port 10080 (expires 2022/04/01) If this value is unset, all restricted ports are blocked.

Controls whether ChromeOS follows the default rollout process for Combined Elliptic-Curve and Post-Quantum 2 (CECPQ2), a post-quantum key-agreement algorithm in Transport Layer Security (TLS). CECPQ2 helps evaluate the performance of post quantum key-exchange algorithms on devices. CECPQ2 results in larger TLS messages which, in very rare cases, can trigger bugs in some networking hardware.

Values

• Enable default CECPQ2 rollout process (default)
• Disable CECPQ2

Controls Chrome browser's settings for the User-Agent string major version. Some websites may have compatibility issues if the major version of Chrome browser has a 3-digit User-Agent string instead of a 2-digit one. This policy controls if the User-Agent string can be frozen at 99 for Chrome versions 100 or higher to avoid these User-Agent string compatibility issues. This policy and its sub-policies also apply to managed guest session devices.

Values

• Default to browser settings for User-Agent string (default) — The device user chooses if they want to freeze the major version of the User-Agent string.
• Do not freeze the major version — The device user can't choose to freeze the major version of the User-Agent string.
• Freeze the major version as 99 — The Chrome major version will report the User-Agent string as 99 and set the browser's major version value to the minor position. For example, Chrome version 102.0.0.0 will report as 99.102.0.0.

If you select Freeze the major version as 99 and set the User-Agent Reduction policy to Enable reduction for all origins, the User-Agent string will always set to 99.0.0.0.

Allows the device user to back up content, data, and settings from Android apps to their Google Account. When users sign in to another Chromebook, they can restore the data. App data can be any data that an app has saved, including potentially sensitive data such as contacts, messages, and photos. Backup data will not count toward the user's Drive storage quota.

Values

• Backup and restore disabled (default) — Android apps can't back up during initial setup.
• Let user decides whether to enabled backup and restore — Android apps can ask the device user whether to back up after initial setup.

Allows Android apps to track the Chromebook's physical location.

Values

• Disable location services for Android apps in ChromeOS (default) — Android apps can't access location information during initial setup.
• Allow the user to decide whether an Android app in ChromeOS can use location services — Android apps can ask user for location information after initial setup.

Toggles syncing of ChromeOS certificates to Android apps.

Values

• Disable usage of ChromeOS CA Certificates in Android apps (default)
• Enable usage of ChromeOS CA Certificates in Android apps

Toggles the Home button on the toolbar on Chrome browser. This policy corresponds to the setting under Settings > Appearance > Show home button.

Values

• Allow the user to decide (default)
• Never show "Home" button
• Always show "Home" button

Specifies the home page on Chrome browser.

Values

• Allow user to configure (default) — The device user chooses the home page.
• Homepage is always the URL set below — The home page is set to a specific address, which the device user can't override. This setting makes the Homepage URL policy available.
• Homepage is always the new tab page — The home page is the special chrome://newtab page.

Specifies the address of the home page on Chrome browser. Only available if the Homepage policy is set to Homepage is always the URL set below.

Values

Enter a URL for the home page.

Specifies the address of a new tab on Chrome browser. When left empty, the page will be used.

Values

Enter a URL for new tabs.

Allows custom backgrounds on Google's new tab page.

Values

• Allow users to customize the background on the New Tab page — New tabs use a custom background, if the device user sets one.

• Do not allow users to customize the background on the New Tab page — New tabs only use the default background.

  Caution

  Using this setting deletes any custom backgrounds uploaded by the device user.

A list of pages to open when Chrome browser starts. Each page opens in a separate tab.

Values

To add a page, enter its URL and click . To remove one, click .

Toggles the profile picker settings.

Values

• Allow the user to decide — By default, Chrome browser shows the profile picker at startup, but the device user can disable it.
• Do not show profile picker at browser startup — Chrome browser never shows profile picker and the device user can't enable it.
• Always show profile picker at browser startup — Even if a device only has one profile, Chrome browser always shows profile picker.

Enforces SafeSearch filtering in search results. SafeSearch filters mature or explicit content, like pornography. For K-12 EDU domains, the default is Always use Safe Search for Google Web Search queries. For all other domains, the default is Do not enforce Safe Search for Google Web Search queries. For more details on SafeSearch enforcement, see Lock SafeSearch for accounts, devices & networks you manage.

Values

• Always use SafeSearch for Google Search queries
• Do not enforce SafeSearch for Google Search queries (default)

Enforces the level of Restricted Mode on YouTube, which algorithmically limits which videos are viewable based on their content. The device user can raise, but not lower, the Restricted mode level that this policy enforces. For more details on Restricted Mode for YouTube, see Manage your organization's YouTube settings.

Values

• Do not enforce Restricted Mode on YouTube (default) — The device user chooses the level of Restricted mode in their YouTube settings.
• Enforce at least Moderate Restricted Mode on YouTube — Enforces Restricted Mode at a medium level, which filters a moderate number of videos.
• Enforce Strict Restricted Mode on YouTube — Enforces Restricted Mode at the highest level, which filters a large number of videos.

Allows the device user to take screenshots on the Chromebook. The policy applies to screenshots taken by any means, including the built-in keyboard shortcut, Android apps, and apps and extensions that use the screenshot functionality of the Chrome API.

Values

• Do not allow users to take screenshots or video recordings
• Allow users to take screenshots and video recordings (default)

Allows websites to prompt the device user to live stream a Chrome browser tab, window, or the entire screen.

Values

• Allow sites to prompt the user to share a video stream of their screen (default)
• Do not allow sites to prompt the user to share a video stream of their screen

Specifies an allowlist of URL patterns for which Chrome browser automatically selects a client certificate. If a valid client certificate is installed and the browser accesses an allowlisted URL, the browser skips the client certificate selection prompt. The ISSUER and CN values specify the common name of the certificate authority that client certificates must report as their issuer in order to be chosen.

Values

To add a URL pattern, enter it and click . To remove one, click .

A URL pattern must be a JSON string with the following format:

{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}

The wildcard (*) token is supported, but the pattern can't consist of one wildcard on its own. Prefix a domain with [*.] to include all of its subdomains. Newline characters are not supported, and are stripped out if copy-pasted into the field.

Here are some example URL patterns:

{"pattern": "https://[*.]ext.example.com", "filter":{}}

{"pattern": "https://[*.]corp.example.com", "filter":{}}

{"pattern": "https://[*.]intranet.usercontent.com","filter":{}}

Specifies an allowlist of websites and domains that do not prompt the device user when their security keys request attestation certificates. Additionally, when keys are requested, a signal is sent to the security key to indicate that individual attestation may be used.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

URLs will only match as Universal 2nd Factor (U2F) app IDs. Domains only match as WebAuthn relying party (RP) IDs. Thus, to cover both U2F and WebAuthn APIs for a website or domain, both its app ID URL and domain should be listed.

Allows websites to use the Web-based Graphics Library (WebGL) API and plugins on Chrome browser. WebGL is a software library that enables JavaScript to allow it to generate interactive 3D graphics.

Values

• Never allow display of 3D content
• Always allow display of 3D content (default)

Allows websites on Chrome browser to store browsing information, such as the device user's website preferences and profile information. This policy corresponds to the cookie options in the browser's settings.

Values

• Allow the user to decide (default) — The device user chooses one of the settings below.
• Allow cookies — Cookies are stored.
• Block cookies — Cookies are never stored.
• Session only — Cookies are stored for the duration of the session.

Specifies an allowlist of websites and domains that are allowed to set cookies.

Values

To add a website or domain, enter it and click . To delete one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Specifies an allowlist of websites and domains that are not allowed to set cookies.

Values

To add a website or domain, enter it and click . To delete one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Specifies an allowlist of websites and domains that are allowed to set session-only cookies.

Values

To add a website or domain, enter it and click . To delete one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Controls third-party cookies.

Values

• Allow the user to decide (default)
• Allow third-party cookies
• Disallow third-party cookies

Allows legacy behavior for the SameSite cookie attribute on Chrome browser. The SameSite attribute allows cross-site cookies to be sent securely. Chrome browser 80 and higher is much stricter toward cookies with undefined SameSite attributes, which may break single-sign on and internal apps for legacy or out-of-date services. You can temporarily revert Chrome browser to the legacy behavior, which is less secure.

To test how Chrome browser treats cookies that don't specify a SameSite attribute on your websites and services, see Tips for testing and debugging SameSite-by-default.

Values

• Revert to legacy SameSite behavior for cookies on all sites — Chrome browser doesn't require cookies with SameSite=None to include the Secure attribute. Cookies that don't specify any SameSite attribute are treated as if they have SameSite=None.
• Use SameSite-by-default behavior for cookies on all sites — Chrome browser reverts to its default SameSite behavior, depending on its version.

• Use the user's personal configuration for SameSite features (default) — Chrome browser uses the device user's SameSite settings, as configured in the browser's flags.

Specifies an allowlist of websites for which Chrome browser uses its legacy behavior for the SameSite cookie attribute. Chrome browser 80 and higher is much stricter toward cookies with undefined SameSite attributes, which may break single-sign on and internal apps for legacy or out-of-date services.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Controls whether Chrome browser allows websites to display images. Fo Show images on these sites and Block images on these sites, put one URL pattern on each line.

Values

• Allow the user to decide (default)
• Allow all sites to show all images
• Do not allow any site to show images

Specifies an allowlist of websites and domains that can display images on Chrome browser.

Values

To add a website or domain, enter it URL and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Specifies a blocklist of websites and domains that can't display images on Chrome browser.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Controls whether Chrome browser allows websites to run JavaScript.

Values

• Allow the user to decide (default)
• Allow sites to run JavaScript
• Do not allow any site to use JavaScript

Specifies an allowlist of websites and domains that can run JavaScript on Chrome browser.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Specifies a blocklist of websites and domains for which Chrome browser blocks JavaScript.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Suspends JavaScript timers on background tabs that haven't been used for 5 minutes or more on Chrome browser. For these suspended tabs, timers only execute their code once per minute, which can significantly decrease CPU load and battery consumption. This policy is applied per-website, with the most recent setting applied to a tab when it loads. The user must perform a full restart of Chrome browser for the setting to apply to all loaded tabs.

Values

• Allow throttling of background javascript timers to be controlled by Chrome's logic and configurable by users (default) — Background tabs have JavaScript throttled based on the browser's internal logic, and the policy can be manually configured by the device user.
• Force no throttling of background javajscript timers — Background tabs never have JavaScript throttled.
• Force throttling of background javascript timers — Background tabs have JavaScript throttled after they are suspended.

Specifies the JavaScript setTimeout() clamping settings. SetTimeout() sets a timer to run a section of code at a specified time. Some browsers will clamp or change the number of milliseconds you specify for your timeout rate. This policy and its sub-policies also apply to managed guest session devices.

Values

• Default behavior for setTimeout() function nested clamp — The setTimeout() function clamp setting will default to the browser's settings.
• JavaScript setTimeout() will be clamped after a normal nesting threshold — If a setTimeout rate is longer than 4 milliseconds, it'll be clamped. This may change task ordering on websites which could lead to unanticipated behavior if they depend on specific forms of ordering.
• JavaScript setTimeout() will not be clamped as aggressively — If a setTimeout rate is shorter than 4 milliseconds, it won't be clamped as forcefully. This may help short term performance, but webpages may eventually have their setTimeouts clamped.

Allows you to configure clipboard access for websites. This policy doesn't impact any operations not controlled by the clipboard site permission, such as copy and paste. This policy and its sub-policies also apply to managed guest session devices.

Values

• Allow the user to decide (default) — The device user can decide if websites can request clipboard access.
• Allow sites to ask the user to grant the clipboard site permission — Websites can ask the device user for clipboard access.
• Do not allow any site to use the clipboard site permission — No websites have clipboard access.

Specifies an allowlist of websites and domains that can request clipboard access from the device user.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Specifies a blocklist of websites and domains that can't request clipboard access from the device user.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Allows websites to display desktop notifications.

Values

• Allow the user to decide (default)
• Allow sites to show desktop notifications
• Do not allow sites to show desktop notifications
• Always ask the user if a site can show desktop notifications

Specifies an allowlist of websites and domains that can display desktop notifications.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Specifies a blocklist of websites and domains that can't display desktop notifications.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Specifies an allowlist of websites and domains that can automatically play video content with sound on Chrome browser without the device user's consent. If you change this policy on deployed Chromebooks, it only applies to newly opened tabs.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Specifies a list of protocol handlers available to the device user. The device user can't remove any protocol handlers that you've added, but they can register their own. If a device is handling Android intents, it won't use protocol handlers set through this setting.

Values

• URL — The URL pattern of the application handling the protocol.
• Protocol — Select a protocol from the drop down list.
• Custom Protocol — Only available if you select the web+ protocol.

To add a protocol handler, click . To remove one, click .

Specifies an allowlist of file types to automatically open after download on Chrome browser. If Safe Browsing is turned on, the browser still checks whether they are malicious or dangerous, and only opens them if they pass. When this list is blank, only file types that the device user allows can automatically open.

Values

To add a file type, enter it and click . To remove one, click .

Do not include the leading separator when listing the type. For example, enter txt, not . txt.

Specifies an allowlist of websites and domains that can automatically open the file types that you specify in Auto open downloaded files policy. Chrome continues to automatically open file types that the device user chooses to automatically open.

Values

To add a website or domain, enter it and click . To remove one, click .

If this value is unset, Chrome automatically opens all file types specified in the Auto open downloaded files policy, no matter their origin.

For details on the URL format, see Enterprise policy URL pattern format.

Allows websites to open pop-ups on Chrome browser. When a website's pop-ups are blocked, the device user can click in the omnibox to allow them.

Values

• Let the user decide (default)
• Allow all pop-ups
• Block all pop-ups

Specifies an allowlist of websites and domains that can open popups.

Values

To add a website or domain, enter its URL and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Specifies a blocklist of websites and domains that can't open pop-ups.

Values

To add a website or domain, enter its URL and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Allows cross-origin iframes on websites to prompt the device user on Chrome browser. Starting with Chrome browser 91, cross-origin iframes can't trigger JavaScript prompts ( window.alert, window.confirm, and window.prompt ). This change was made to prevent embedded content from spoofing messages from the origin website or Chrome browser.

Values

• Block JavaScript dialogs triggered from a cross-origin iframe (default)
• Allow JavaScript dialogs triggered from a cross-origin iframe

Specifies a blocklist of URLs on the Chromebook. You can add up to 1,000 URLs. When an exact URL is blocked by this policy and excepted by the Blocked URL exceptions policy, the exception takes precedence.

Block URLs on Android apps

Android apps on Chromebooks that use Android System WebView do not honor the blocked URL and blocked URL exception lists. To enforce a blocklist on these apps, manually configure these policies as JSON data in a text file. See Apply managed configurations to an Android app for more details. Here is an example configuration of these two policies:

{
    "com.android.browser:URLBlocklist": "[\"*\"]",
    "com.android.browser:URLAllowlist": "[
        \"www.example.com\",
        \"www.my-enterprise.com\"
    ]"
}

For apps that don't use Android System WebView, consult their documentation for information about how to block URLs.

Values

To add a URL, enter it and click . To remove one, click .

The URL formatting for this policy differs from Google's typical enterprise policy URL pattern syntax. Each URL must contain a valid hostname (such as google.com), an IP address, or a wildcard (*) host. URLs can include:

• The URL scheme, which is http, https, or ftp, followed by ://
• A valid port value from 1–65,535
• The path to the resource
• Query parameters

Specifies a list of exceptions to the URL blocklist on the Chromebook. Maximum of 1000 URLs.

Values

See the URL blocking policy description for instructions and syntax details.

Controls whether the device user can sync with Google Drive on the Chromebook. This policy has no effect on the Google Drive Android app. To completely disable any syncing with Google Drive, select Disable Google Drive syncing and block the Google Drive Android app from being installed on the Chromebook. For more details, see Deploy Android apps to managed users on ChromeOS devices.

Values

• Disable Google Drive syncing
• Enable Google Drive syncing (default)

Controls whether the device user can sync with Google Drive on the Chromebook over a cellular connection. This policy has no effect on the Google Drive Android app.

Values

• Disable Google Drive syncing over cellular connections
• Enable Google Drive syncing over cellular connections (default)

Allows the device user to use a Chromecast device to cast from a Chrome tab.

Values

• Allow users to Cast (default)
• Do not allow users to Cast

Toggles the Cast icon on the toolbar. Only available if the Cast policy is set to Allow users to Cast.

Values

• Always show the Cast icon in the toolbar — The Cast icon is added the toolbar, and the device user can't remove it.
• Do not show the Cast icon in the toolbar, but let users choose (default) — The Cast icon isn't added to the toolbar, but the device user can add it.

Allows the device user to enable mixed content on websites and domains on Chrome browser. By default, on an HTTPS website, Chrome browser blocks all active content (scripts and iframes) available through HTTP.

Values

• Do not allow any sites to load blockable mixed content (default) — All mixed content on secure website and domains is blocked.

• Allow users to add exceptions to allow blockable mixed content — The device user can allow specific websites and domains to load active mixed content. To add a website or domain, the device user must:

  1. Open Chrome.
  2. At the top-right, click > Settings.
  3. Navigate to Privacy and security > Site settings > Additional content settings > Insecure content.
  4. Under Allowed to show insecure content, select Add.
  5. Enter the URL of the website. The URL syntax follows the Enterprise policy URL pattern format.

Specifies an allowlist of websites and domains that can display active mixed content (scripts and iframes).

Values

To add a website or domain, enter its URL and click . To remove one, click .

For examples and more details about URL patterns, see Enterprise policy URL pattern format.

Specifies a blocklist of websites and domains that can't display active mixed content (scripts and iframes).

Values

To add a website or domain, enter its URL and click . To remove one, click .

For examples and more details about URL patterns, see Enterprise policy URL pattern format.

Toggles warnings when a website delivers a form through HTTP on Chrome browser.

Values

• Show warnings and disable autofill on insecure forms
• Do not show warnings and disable autofill on insecure forms

Enables the window.webkitStorageInfo API after the non-standard API window.webkitStorageInfo is deprecated. This policy and its sub-policies also apply to managed guest session devices.

Values

• Disable window.webkitStorageInfo
• Enable window.webkitStorageInfo

Enables the Event.path API until Chrome 115. This policy and its sub-policies also apply to managed guest session devices.

Values

• Enable Event.path API until Chrome 108 (default) — The Event.path API is available until Chrome 108.
• Disable Event.path API — The Event.path API is unavailable.
• Enable Event.path API until Chrome 115 — The Event.path API is available until Chrome 115.

Toggles network file sharing on the Chromebook.

Values

• Allow network file shares
• Block allow network file shares

Allows the NetBIOS name query request protocol to discover shares on the network. If this policy is not set, NetBIOS discovery is allowed for managed user accounts, but not for unmanaged accounts. Only available when Network file shares policy is set to Allow network file shares.

Values

• Use NetBIOS discovery
• Do not allow NetBIOS discovery (default)

Toggles NTLM as an authentication protocol for mounted server message block (SMB) shares. Only available when Network file shares policy is set to Allow network file shares.

Values

• Use NTLM authentication — Authentication for shares is required for all accounts.
• Do not use NTLM authentication (default) — Authentication for shares is required for managed user accounts, but not for non-managed accounts.

Specifies a list of pre-configured network file shares available to the Chromebook. Only available when Network file shares is set to Allow network file shares.

Values

To add a file share, enter its URL, select a Mode, then click . To remove one, click .

• URL — The URL of the file or resource to share. For examples, smb://server/share or \shared\resource.
• Mode — How the file or resource is shared:
  • Drop down — Adds the URL to the share discovery menu.
  • Pre mount — Automatically shares the file or resource.

Allows links to highlight and scroll to text on a webpage on Chrome browser. Links with special fragment syntax can target text on a page. When the page is fully loaded, the browser scrolls to the text.

Values

• Allow sites to scroll to specific text fragments via URL (default)
• Do not allow sites to scroll to specific text fragments via URL

Toggles URL-keyed anonymized data collection, which sends Google the URL of each website that Chrome browser visits in order to improve searching and browsing.

Values

• Allow the user to decide (default)
• Data collection is never active
• Data collection is always active

Allows websites to use the deprecated application cache (AppCache) technology on Chrome browser. AppCache was designed to permanently store website content on the local system, but was deprecated on all major browsers due to the security vulnerabilities it introduced.

Values

• Allow websites to use the deprecated AppCache feature
• Do not allow websites to use the deprecated AppCache feature

Specifies whether websites can request access to Bluetooth devices via the Web Bluetooth API.

Values

• Allow the user to decide (default)
• Do not allow sites to request access to Bluetooth devices via the Web Bluetooth API
• Allow sites to request access to Bluetooth devices via the Web Bluetooth API

Allows annotations on the PDF viewer.

Values

• Allow the PDF viewer to annotate PDFs (default)
• Do not allow the PDF viewer to annotate PDFs

Toggles printing.

Values

• Enable printing (default) — The device user can print.
• Disable printing — The device user can't print from the Chrome browser, including with extensions and JavaScript apps. Android apps are unaffected.

Toggles whether available Privet cloud printers appear in the print preview dialog.

Values

• Enable deprecated privet printing (default)
• Disable deprecated privet printing

Specifies the default printer. This policy has no effect on Android apps. This policy and its sub-policies also apply to managed guest session devices.

Values

• Define the default printer — When the device user prints, the system looks for a printer that matches the printer type and ID or name you specify. It then selects it as the default printer.
• Use default printer behavior (default) — When the device user prints, the system selects the most recently used printer.

Specifies the type of printer to search for and use as the default printer. Only available if Print preview default is set to Define the default printer.

Values

• Cloud and local — Search for both types of printers.
• Cloud only — Search for cloud printers.
• Local only — Search for local printers.

Specifies how to search for a printer to use as the default printer. Only available if Print preview default is set to Define the default printer.

Values

• Match by name — Search for the printer's name.
• Match by ID — Search for the printer's ID.

Specifies the name or ID of the printer to match as the default printer. The print preview dialog defaults to the first printer that matches. This policy has no effect on Android apps. Only available if Print preview default is set to Define the default printer.

Values

Enter a pattern that matches a printer name or ID.

The pattern is case-sensitive. Wildcards (.*) and number substitution (.$) are supported.

Examples:

• office-north would match a printer named office-north.
• office-.* would match printers named office-north or office-south.
• office-floor.$-north would match printers named office-floor1-north or office-floor2-north.

Allows the device user to add local printers. For more details about printing on Chromebooks, see Manage local and network printers.

Values

• Allow users to add new printers (default)
• Do not allow users to add new printers

Specifies whether to print in color or black and white by default. On individual print jobs, the device user can choose the color mode.

Values

• Colo (default)
• Black and white

Forces printing in color or black and white and prevents the device user from choosing the mode.

Values

• Do not restrict color printing mode (default)
• Color only
• Black and white only

Specifies how many paper sides to print on by default. Two-sided printing is only available on duplex and multi-function printers. On individual print jobs, the device user can choose whether to print on one or two sides.

Values

• One-sided (default)
• Short-edge two-sided printing
• Long-edge two-sided printing

Forces printing in one-sided (simplex) or two-sided (duplex) mode and prevents the device user from choosing the mode. Duplex mode only applies to duplex printers.

Values

• Do not restrict duplex printing mode (default)
• One-sided only
• Two-sided only

Specifies whether to print background graphics by default. On individual print jobs, the device can choose whether to print background graphics.

Values

• Disable background graphics printing mode by default
• Enable background graphics printing mode by default

Forces whether to print background graphics and prevents the device user from choosing.

Values

• Allow the user to decide (default)
• Always require printing of background graphics
• Do not allow printing of background graphics

Toggles tracking the user account and file name in print jobs that are sent using IPP over HTTPS (IPPS).

Values

• Include user account and filename in job — The user account and file name are included in the IPPS print job header. If set, third-party printing features, such as secure printing and print-usage tracking, can also be used.

  Important

  This setting prevents printing on printers that do not support IPPS.

• Do not include user account and filename in print job (default) — The user account and file name are not included in the IPPS print job header.

ChromeOS 72 and higher

IPPS printers only

Specifies how long the metadata for completed print jobs is stored on the Chromebook.

Values

Enter a period, in days.

To store indefinitely, enter -1. To disable storage, enter 0.

If this value is unset, the period is 90 days.

Allows the device user to delete their print job history using the print management app or by deleting their browser history.

Values

• Allow print job history to be deleted (default)
• Do not allow print job history to be deleted

Forces whether print jobs on PIN-compatible printers always require PIN authentication.

Values

• Do not restrict PIN printing mode (default)
• Always require PIN printing
• Do not allow PIN printing

ChromeOS 75 and higher

Printers with PIN capability only

Toggles whether print jobs on PIN-compatible printers require PIN authentication by default.

Values

• With PIN
• Without PIN

ChromeOS 75 and higher

Printers with PIN capability only

Specifies the maximum number of sheets of paper a single print job can use.

Values

Enter a maximum number of sheets.

If this value is unset, no limit is applied.

Specifies the default page size. If the device user chooses a printer that doesn't support the page size defined by this policy, the policy is ignored.

Values

• Letter
• Legal
• A4
• Tabloid
• A3
• Custom — Enter the height and width, in millimeters. If you enter values not supported by the printer chosen by the device user, this policy is ignored.

Specifies the custom page width. Only available if the Default printing page size policy is set to Custom.

Values

Enter the page width, in millimeters.

Specifies the custom page height. Only available if the Default printing page size policy is set to Custom.

Values

Enter the page height, in millimeters.

Forces printing headers and footers.

Values

• Allow the user to decide (default)
• Never print headers and footers
• Always print headers and footers

Disables printer types or destinations from being available for printing. Selecting all printer types effectively disables printing.

Values

Select the printer types to disable:

• Zeroconf-based (mDNS + DNS-SD) protocol
• Local printer — Also known as native printing destinations, and include destinations available to the local machine and shared network printers.
• Extension-based — Also known as print provider destinations, and include any destination that belongs to a Chrome browser extension.
• Google Cloud Print and 'Save to Google Drive'
• Save as PDF

Allows the device user to print PDFs as images. For better resolution, some PDFs need to be rasterized to images before printing. If enabled, you can specify how you want this setting to be available. This policy and its sub-policies also apply to managed guest session devices.

Values

• Do not allow users to print PDF documents as images
• Allow users to print PDF documents as images
• Default to printing PDFs without being rasterized
• Default to printing PDFs as images when available

DPI is used to rasterize PDFs when printed as an image.

Values

Enter a number in the DPI field. Enter 0 to use the system default resolution.

Defines a collection of bookmarks to push to Chrome browser. The bookmarks appear in a folder on the bookmarks bar on Chrome Browser. The device user can hide the folder, but they can't modify its contents. The default folder name for managed bookmarks is "Managed bookmarks", but it can be changed.

Manage bookmarks

Begin managing the bookmarks by clicking Add. The Manage Folders & Bookmarks dialog opens.

To add a folder:

1. Click Add Folder.
2. Choose a Parent folder for the new folder.
3. Enter a new Folder Name.
4. Click OK.

To add a bookmark:

1. Click Add Bookmark.
2. Choose a Parent Folder for the new bookmark.
3. Enter a name for the bookmark in the Bookmark field.
4. Enter the URL of the bookmark.
5. Click OK.

To change a folder or bookmark:

1. Select it.
2. Click Modify.
3. If you selected a folder, you can rename it and change its parent folder. If you selected a bookmark, you can rename it, changes its parent folder, and edit its URL.
4. Click Save.

To reorder a folder or bookmark:

1. Select it.
2. Click ↑ or ↓ .

To delete a folder or bookmark:

1. Select it.
2. Click Delete.

Once you finish making changes, Save the bookmarks.

Toggles the bookmarks bar on Chrome browser.

Values

• Allow the user to decide (default)
• Disable bookmark bar
• Enable bookmark bar

Specifies the position of the shelf.

Values

• Allow the user to decide (default)
• Bottom
• Left
• Right

Toggles the shelf automatic hiding behavior.

Values

• Allow the user to decide (default)
• Always auto-hide the shelf
• Never auto-hide the shelf

Allows the device user to add, edit, or remove items from the bookmarks bar on Chrome browser.

Values

• Enable bookmark editing (default)
• Disable bookmark editing

Specifies the default download location on Chrome browser. This policy applies to downloaded files only—if the user saves a page or file, the save file dialog is used. This setting has no effect on Android apps. This policy has no effect on Android apps, which always download files to the default Downloads folder.

Values

• Set local Downloads folder as default, but allow user to change — Downloads save to the Downloads folder unless the device user chooses a different default location.
• Set Google Drive as default, but allow user to change — Downloads save to Google Drive unless the device user chooses a different default location.
• Force Google Drive — Downloads save to Google Drive, and the device user can't select a different location. For Chrome version 90 and later, this setting has no effect on screenshots taken on ChromeOS. Screenshots save to the default ChromeOS downloads folder.

Specifies whether to ask the device user where to save each download on Chrome browser.

Values

• Allow the user to decide (default) — The device user chooses whether they want to be asked where to save each download.
• Do not ask the user (downloads start immediately) — The device user is never asked where they want to save each download.
• Ask the user where to save the file before downloading — The device user is always asked where they want to save each download.

Toggles spell check on Chrome browser.

Values

• Allow the user to decide (default) — The device user can enable spell check.
• Disable spell check — Turn off spell check from all sources, and prevent the device user from enabling it. Selecting this setting makes the Spell check service policy have no effect.
• Enable spell check — Turn on spell check and prevent the device user from disabling it. The device user can still disable spell check for individual languages, and if they disable it for all languages, then they effectively disable spell check.

Toggles Google's online spell checking service, also known as Enhanced spell check in the Chrome browser settings. If the Spell check policy is set to Disable spell check, this policy has no effect.

Values

• Allow the user to decide (default) — The device user can toggle Enhanced spell check in the Chrome browser settings.
• Disable the spell checking web service — Chrome browser never uses Google's online service to check for spelling errors.
• Enable the spell checking web service — Chrome browser always uses Google's online service to check for spelling errors.

Toggle Google Translate on Chrome browser. When the browser detects that page content is in a different language than the one configured for the user account, it offers to translate it.

Values

• Allow the user to decide (default)
• Never offer translation
• Always offer translation

Toggles navigation suggestions when Chrome browser is unable to connect to an address. The browser suggests opening another page on the website, or to search for the page.

Values

• Allow the user to decide (default)
• Never use alternate error pages
• Always use alternate error pages

Allows the device user to access the developer tools on Chrome browser.

Values

• Always allow use of built-in developer tools (default for unmanaged user accounts) — The device user can access the developer tools by all methods, including in extensions that are installed by policy. They can also access the Android Developer Options.
• Allow use of built-in developer tools except for force-installed extensions (default for managed user accounts) — The device user can access the developer tools by all methods (keyboard shortcuts, menu entries, and context menu entries) in general, but not in extensions that are installed by policy. They can also can access the Android Developer Options.
• Never allow use of built-in developer tools — The device user can't access the developer tools by any method or context, and can't access the Android Developer Options. If this value is unset, the device user can access the Android Developer Options.

Allows websites check if the device user has stored payment methods on Chrome browser.

Values

• Allow websites to check if the user has payment methods saved
• Always tell websites that no payment methods are saved

Toggle emoji suggestions as the device user types.

Values

• Enable emoji suggestions when users type (default) — Emoji suggestions appear as the device user types, and they can toggle the feature.
• Disable emoji suggestions when users type — Emoji suggestions are disabled, and the device user can't enable the feature.

Allow multiple user accounts to sign in at the same time. This setting allows device users to switch between multiple accounts on the Chromebook without having to sign out. To ensure that ChromeOS policies always apply to your users, use the Block multiple sign-in access for users in this organization setting. When any other setting is used, there is no guarantee that all policies apply to every user account.

Values

• Managed user must be the primary use(secondary users are allowed)
• Unrestricted user access (allow any user to be added to any other user's session)
• Block multiple sign-in access for users in this organization

Allows device users to switch between accounts in Chrome browser and Google Play, or sign ins to specific Google Workspace domains. If you allow devices users to only sign in to specific Google Workspace domains, or block them from signing in or out in the browser, you should also disable Incognito mode with the Incognito mode policy.

Values

• Allow users to sign in to any secondary Google Accounts — Device users can sign in to other Google accounts in Chrome browser.
• Block users from signing in or out of secondary Google Accounts — Device users can't sign in or out of Google accounts in Chrome browser.
• Allow users to sign in to the Google Workspace domains set in below — Device users can only access Google services from accounts belonging to Google Workspaces domains specified by the Allowed domains policy.

Specifies an allowlist of Google Workspace domains for user accounts. Make sure you list all of your organization's domains. Otherwise, device users might not have access to Google services. To see a list of your domains, click organization's domains under the domain list on the Google Admin console.

Values

To add a domain, enter it and click . To remove a domain, click .

For details on the URL format, see Enterprise policy URL pattern format.

To include consumer Google accounts, such as @gmail.com and @googlemail.com, add consumer_accounts to the list. You can also allow access to certain accounts and block access to others. For details, see Blocking access to consumer accounts.

Allows the device user to span an app across multiple displays.

Values

• Make Unified Desktop mode available to use
• Do not make Unified Desktop mode available to use (default)

Allows Google services to call the Chrome API to collect WebRTC events for device users who have opted in. The initial value is inherited from Google Meet log upload settings. These logs help Google identify and resolve issues with audio and video meetings, and have no video or audio content from the meetings.

Values

• Allow WebRTC event log collection — Allow Google to collect WebRTC event logs. To fully enable these event logs, you must also enable the Client logs upload policy on the Google Admin console.
• Do not allow WebRTC event log collection — Block Google from collecting WebRTC event logs.

Enables the device user to use Quick Answers. Quick Answers sends content chosen by the device user to the Google server to get definition, translation, or unit conversion information. This policy and its sub-policies also apply to managed guest session devices.

Values

• Disable Quick Answers
• Enable Quick Answers
• Enable Quick Answers definition
• Disable Quick Answers definition
• Enable Quick Answers translation
• Disable Quick Answers translation
• Enable Quick Answers unit conversion
• Disable Quick Answers unit conversion

If this value is unset, the device user can choose to enable or disable Quick Answers.

Specifies which system features to disable on the Chromebook. Use this policy to block the features listed below instead of using the URL blocking policy or blocking apps and extensions by ID. When the device user tries to use a disabled feature, a message tells them that it has been blocked by their administrator.

Values

Choose the features to disable:

• Camera
• Scanning (ChromeOS 87 and higher)
• OS settings
• Browser settings

Toggles the dinosaur game easter egg.

Values

• Allow users to play the dinosaur game when the device is offline on Chrome Browser, but not on enrolled ChromeOS devices — When the device is offline, the device user can't play the dinosaur game on enrolled Chrome devices, but they can play it on Chrome Browser.
• Do not allow users to play the dinosaur game when the device is offline — When the device is offline, the device user can't play the dinosaur game.
• Allow users to play the dinosaur game when the device is offline — When the device is offline, the device user can play the dinosaur game.

Toggles app recommendations in the launcher for apps that the device user installed on other devices. These results appear when the search box is empty.

Values

• Show app recommendations in the ChromeOS launcher
• Do not show app recommendations in the ChromeOS launcher

Toggles online content recommendations in the launcher.

Values

• Enable suggested content
• Disable suggested content If this value is unset, online content is recommended to unmanaged device users, but not managed device users.

Toggles the page's full URL in the address bar on Chrome browser. This helps to protect the device user from some common phishing tactics.

Values

• Display the default URL. Users may switch to the full URL, unless on a managed Chrome device
• Display the default URL
• Display the full URL

Allows the device user to copy and paste text between different devices when Chrome sync is enabled and each device is signed in to the same Google account.

Values

• Enable the shared clipboard feature (default)
• Disable the shared clipboard feature

Allows fullscreen mode for user accounts, apps, and extensions with appropriate permissions.

Values

• Allow fullscreen mode (default)
• Do not allow fullscreen mode

Toggles whether a fullscreen alert shows when the device returns from sleep or dark screen in order to remind the device user to exit fullscreen before entering their password.

Values

• Enable fullscreen alert when waking the device (default)
• Disable fullscreen alert when waking the device

Toggle the content cards on the New Tab Page. These cards remind the device about recent searches and are based on their browsing behavior.

Values

• Allow the user to decide (default)
• Do not show cards on the New Tab Page
• Show cards on the New Tab Page if content is available

Toggles whether Chrome browser maximizes its first window on launch.

Values

• Maximize the first browser window on first run
• Default system behavior (based on screen size)

Allows the device user to send feedback to Google on Chrome browser.

Values

• Allow user feedback (default)
• Do not allow user feedback

Toggle whether Chrome browser shows personalized media recommendations to the device user. These recommendations are based on the device user's browsing and search behavior.

Values

• Show personalized media recommendations (default)
• Do not show personalized media recommendations

Allows the device user to see and use the Google Lens region search menu item in the context menu when Google Len region search is supported. This policy and its sub-policies also apply to managed guest session devices.

Values

• Enable Google Lens region search
• Disable Google Lens region search

Allows the device user to sign in or unlock the Chromebook with the aid of a paired Android device. If the Android device is unlocked and connected to the Chromebook through Bluetooth, the device user can sign in with one click.

Values

• Allow Smart Lock (default for unmanaged user accounts)
• Do not allow Smart Lock (default for managed user accounts)

Allows the device user to use Instant Tethering, which automatically connects the Chromebook to a paired Android device through Wi-Fi in order to use its mobile data connection. The Android device must be in hotspot mode, and there must be no known Wi-Fi access points available nearby. Not all Chromebooks support Instant Tethering. See ChromeOS Devices Which Do Not Support Instant Tethering.

Values

• Allow users to use Instant Tethering (default for unmanaged user accounts)
• Do not allow users to use Instant Tethering (default for managed user accounts)

Allows the device user to sync their SMS messages between their phone and the Chromebook.

Values

• Allow users to sync SMS messages between their phone and Chromebook (default for unmanaged users)
• Do not allow users to sync SMS messages between their phone and Chromebook (default for managed users)

Allows the device user to share phone numbers from the Chromebook to an Android device.

Values

• Allow the user to decide (default)
• Do not allow users to send phone numbers from Chrome to their phone
• Allow users to send phone numbers from Chrome to their phone

Allows the device user to use Nearby Share, which lets them share files, images, web pages, and text, with nearby Chromebooks and Android devices.

Values

• Allow users to enable Nearby Share
• Prevent users from enabling Nearby Share

Allows the device user to control and receive select features and notifications on their Android phone from the Chromebook.

Values

• Allow Phone Hub to be enabled (default for unmanaged user accounts)
• Do not allow Phone Hub to be enabled (default for managed user accounts)

Toggles pushing notifications from the phone to the Chromebook. Only available if the Phone Hub policy is set to Allow Phone Hub to be enabled.

Values

• Allow Phone Hub notifications to be enabled (default)
• Do not allow Phone Hub notifications to be enabled

Toggles passing the most recent Chrome browser tabs accessed on the phone to the Chromebook. Only available if the Phone Hub policy is set to Allow Phone Hub to be enabled.

Values

• Allow Phone Hub task continuation to be enabled (default)
• Do not allow Phone Hub task continuation to be enabled

Toggles the screen reader, also known as ChromeVox.

Values

• Allow the user to decide (default)
• Disable spoken feedback
• Enable spoken feedback

Toggles selective screen reading, including text selections and sections of the screen.

Values

• Allow the user to decide (default)
• Disable select to speak
• Enable select to speak

Toggles high contrast mode, which changes the font and background color scheme to make pages easier to read.

Values

• Allow the user to decide (default)
• Disable high contrast
• Enable high contrast

Toggles the screen magnification feature, which allows the device user to zoom in their screen by up to 20x.

Values

• Allow the user to decide (default) — The device user chooses one of the settings below.
• Disable screen magnifier — Screen magnification is disabled.
• Enable full-screen magnifier — When magnification is active, the entire screen is zoomed in.
• Enable docked magnifier — When magnification is active, the top-third of the screen shows a zoomed-in slice of the bottom two-thirds.

Toggles inputting key combinations separately and in sequence rather than simultaneously.

Values

• Allow the user to decide (default)
• Disable sticky keys
• Enable sticky keys

Toggles the on-screen keyboard.

Values

• Allow the user to decide (default)
• Disable on-screen keyboard
• Enable on-screen keyboard

Toggles speech-to-text input.

Values

• Allow the user to decide (default)
• Disable dictation
• Enable dictation

Toggles enhanced object highlighting during keyboard navigation.

Values

• Allow the user to decide (default)
• Disable keyboard focus highlighting
• Enable keyboard focus highlighting

Toggles a ring around the caret (keyboard cursor) during typing.

Values

• Allow the user to decide (default)
• Disable caret highlight
• Enable caret highlight

Toggles mouse clicking when the cursor stops moving.

Values

• Allow the user to decide (default)
• Disable auto-click
• Enable auto-click

Toggles a bigger mouse cursor.

Values

• Allow the user to decide (default)
• Disable large cursor
• Enable large cursor

Toggles a ring around the mouse cursor during mouse movement.

Values

• Allow the user to decide (default)
• Disable cursor highlight
• Enable cursor highlight

Specifies which mouse button performs primary interactions.

Values

• Allow the user to decide (default)
• Left button is primary
• Right button is primary

If this value is unset, the left mouse button is primary.

Toggles single-channel audio.

Values

• Allow the user to decide (default)
• Disable mono audio
• Enable mono audio

Toggles the built-in accessibility shortcuts.

Values

• Allow the user to decide (default)
• Disable accessibility shortcuts
• Enable accessibility shortcuts

Toggle the accessibility options entry in the system tray menu. If accessibility options are enabled by other means, they still appear in the system menu tray.

Values

• Allow the user to decide (default)
• Hide accessibility options in the system tray menu
• Show accessibility options in the system tray menu

Toggles automatically-generated labels for online images that lack descriptions such as alt text. This feature provides text descriptions for screen readers by sending image data to a Google service. No cookies or other user data is sent, and Google does not save or log any image content. For more details, see Get image descriptions on Chrome.

Values

• Let users choose to use an anonymous Google service to provide automatic descriptions for unlabeled images (default)
• Do not use Google services to provide automatic image descriptions
• Use an anonymous service to provide automatic descriptions for unlabeled images

Toggles wake locks, which is a power management feature that keeps the screen on or the CPU running when the Chromebook is in standby mode. This can be helpful if idle power conservation is undesirable, for example if the Chromebook requires a Wi-Fi connection to stay at full performance at all times. Extensions and apps can request wake locks through the power management extension API.

Values

• Allow wake locks (default)
• Do not allow wake locks

Toggles screen wake locks, which are a sub-type of wake lock requests that prevent the screen from dimming or locking when an extension or app is running. Only available if the Wake locks policy is set to Allow wake locks.

Values

• Allow screen wake locks for power management (default)
• Demote screen wake lock requests to system wake lock requests — Screen wake lock requests are treated like standard wake lock requests.

Toggles predictive search queries and suggestions in the address bar on Chrome browser.

Values

• Allow the user to decide (default)
• Never allow users to use search suggest
• Always allow users to use search suggest

Allows the device user to connect and mount external storage devices on the Chromebook. These devices include:

• External drives — USB flash drives, external hard drives, external optical drives
• Memory cards — SD, MMC, other memory cards
• MTP devices — Phones, cameras, media players. If the device user attempts to mount an external drive when mounting is blocked, ChromeOS notifies them that the policy is in effect. This policy does not affect Google Drive or internal storage, such as files saved in the Download folder.

Values

• Allow external storage devices — The Chromebook can read and write data from external storage devices.
• Allow external storage devices (read-only) — The Chromebook can read data from external storage devices, but can't write data to it or format it.
• Disallow external storage devices — The Chromebook can't mount external storage devices.

Controls whether websites on Chrome browser can access USB devices connected to the Chromebook.

Values

• Do not allow any site to request access — Websites can't ask for access to connected USB devices.
• Allow sites to ask the user for access — Websites can ask for access to connected USB devices.
• Allow the user to decide if sites can ask (default) — Websites can ask for access to connected USB devices. The device user can locally change this setting.

Specifies an allowlist of websites and domains on Chrome browser that can request access to connected USB devices without consent from the device user.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Specifies a blocklist of websites and domains on Chrome browser that can't request access to connected USB devices. If a website or domain is not blocked, access is determined first by the Controls which websites can ask for USB access policy's setting, then by the device user's Chrome browser settings.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Specifies an allowlist of websites and domains on Chrome browser that can automatically access connected USB devices with specific product and vendor IDs. This policy and its sub-policies also apply to managed guest session devices.

Values

To add a website or domain, enter it in the URL field. To add a product or vendor ID, add it to the device IDs field. To add an item click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Controls whether websites on Chrome browser can request access to the Chromebook's audio input devices.

Values

• Prompt user to allow each time — Websites can ask for access to audio input devices.
• Disable audio input — Websites can't access audio input devices. All Android apps are blocked from accessing the built-in microphone.

If this value is unset, websites can ask for access, but the device user can choose to block all requests.

Specifies an allowlist of websites and domains on Chrome browser that can access the Chromebook's audio input devices without consent from the device user. Patterns in this list will be matched against the security origin of the requesting URL.

Values

To add a website or domain, enter it and click . To remove one, click .

For details on the URL format, see Enterprise policy URL pattern format.

Toggles all audio output devices on the Chromebook. Audio output devices include:

• Internal speakers
• Connected audio devices — Headphone jack, Bluetooth, and other connectors

This policy has no effect on the Google Drive Android app.

Values

• Enable audio output (default) — The Chromebook outputs audio. The device user can adjust audio controls.
• Disable audio output — The Chromebook shows as muted. The audio controls are still available, but the device user can't adjust them.

Controls whether websites on Chrome browser and apps can access the Chromebook's video input devices. Video input devices include:

• Internal webcam
• Connected video devices — USB, HDMI, Ethernet, Wi-Fi

Values

• Enable camera input for websites and apps (default) — Websites and apps can ask for access to video input devices. The device user can choose to block all requests.
• Disable camera input for websites and apps — Websites and apps can't access audio input devices.

Specifies an allowlist of websites, domains, and apps that can access video capture devices without consent from the device user. Patterns in this list will be matched against the security origin of the requesting URL.

Values

To add a website, domain, or app ID, enter it and click . To remove one, click .

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Specifies the behavior of the top row of keys on the keyboard.

Values

• Treat top-row keys as media keys, but allow user to change (default)
• Treat top-row keys as function keys, but allow user to change

Controls whether websites on Chrome browser can access serial ports available through the Web Serial API. If a website is not allowed or blocked, access is determined first by this policy, then by the device user's Chrome browser settings.

Values

• Do not allow any site to request access to serial ports via the Serial Port API — Websites can't access serial ports on the Chromebook.
• Allow sites to ask the user to grant access to serial ports via the Serial Port API — Websites can ask for access to serial ports.
• Allow the user to decide (default) — Websites can ask for access to serial ports on the Chromebook. The device user can locally change this setting.

Specifies an allowlist of websites and domains on Chrome browser that can request access to serial ports on the Chromebook.

Values

To add a website or domain, enter it and click . To remove one, click .

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Specifies a blocklist of websites and domains on Chrome browser that can't ask for access to serial ports on the Chromebook.

Values

To add a website or domain, enter it and click . To remove one, click .

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Toggles the integrated hardware privacy screen on supported Chromebooks.

Values

• Allow the user to decide (default) — The privacy screen is disabled. The device user can locally change this setting.
• Always disable the privacy screen
• Always enable the privacy screen

Controls whether websites on Chrome browser can request read access to the file system on the Chromebook. If a website is not allowed or blocked, access is determined first by this policy, then by the device user's settings on Chrome browser.

Values

• Allow the user to decide (default) — Websites can ask for read access to the file system. The device user can locally change this setting.
• Allow sites to ask the user to grant read access to files and directories — Websites can ask for read access to the file system.
• Do not allow sites to request read access to files and directories — Websites don't have read access to the file system.

Specifies an allowlist of websites and domains on Chrome browser that have read access to the file system without consent from the device user.

Values

To add a website or domain, enter it and click . To remove one, click .

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Specifies a blocklist of websites and domains on Chrome browser that don't have write access to the file system on the Chromebook.

Values

To add a website or domain, enter it and click . To remove one, click .

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Controls whether websites on Chrome browser can request read access to the file system on the Chromebook. If a website isn't allowed or blocked, access is determined first by this policy, then by the device user's Chrome browser settings.

Values

• Allow the user to decide (default) — Websites can ask for read access to the file system. The device user can locally change this setting.
• Allow sites to ask the user to grant write access to files and directories — Websites can ask for read access to the file system.
• Do not allow sites to request write access to files and directories — Websites don't have read access to the file system.

Specifies an allowlist of websites and domains on Chrome browser that have write access to the file system without consent from the device user.

Values

To add a website or domain, enter it and click . To remove one, click .

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Specifies a blocklist of websites and domains on Chrome browser that don't have write access to the file system.

Values

To add a website or domain, enter it and click . To remove one, click .

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Controls whether websites on Chrome browser can access built-in motion and light sensors on the Chromebook. If a website is not allowed or blocked, access is determined first by this policy, then by the device user's Chrome browser settings.

Values

• Allow sites to access sensors — Websites can access built-in sensors.
• Do not allow any site to access sensors — Websites can't access built-in sensors.
• Allow the user to decide if a site may access sensors (default) — Websites can ask for access to built-in sensors. The device user can locally change this setting.

Specifies an allowlist of websites and domains on Chrome browser that can access built-in sensors without consent from the device user.

Values

To add a website or domain, enter it and click . To remove one, click .

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Specifies a blocklist of websites and domains on Chrome browser that can't access built-in sensors.

Values

To add a website or domain, enter it and click . To remove one, click .

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Allows extensions added by a managed profile to use the Enterprise Hardware Platform API. This API handles requests from extensions for information about the Chromebook's manufacturer and model. This policy also affects Chrome browser component extensions.

Values

• Allow managed extensions to use the Enterprise Hardware Platform API
• Do not allow managed extensions to use the Enterprise Hardware Platform API

Controls whether Verified Access can attest the Chromebook if it boots in developer mode.

Values

• Require verified mode boot for Verified Access — If the Chromebook boots into developer mode, it won't pass Verified Access.
• Skip boot mode check for Verified Access — If the Chromebook boots into developer mode, it can pass Verified Access.

Specifies an allowlist of email addresses of service accounts that have full access to the Google Verified Access API. These are the service accounts created on the Google API Console.

Values

To add an account, enter it and click . To remove one, click .

Specifies an allowlist of email addresses of service accounts that have limited access to the Google Verified Access API. These are the service accounts created on the Google API Console.

Values

To add an account, enter it and click . To remove one, click .

Toggles Chrome Browser's Safe Browsing feature, which helps to protect the device user from potentially unsafe websites. This policy and its sub-policies also apply to managed guest session devices.

Values

• Allow the user to decide (default) — The device user can enable or disable Safe Browsing and choose the protection mode that they'd like.
• Safe Browsing is never active — Disables Safe Browsing.
• Safe Browsing is active in the standard mode — Standard mode helps provide a standard level of protection against malware and phishing.
• Safe Browsing is active in the enhanced mode. This mode provides better security, but requires showing more browsing information with Google — Enhanced mode helps provide an enhanced level of protection against malware and phishing in Chrome and Gmail.

If this value is unset, Safe Browsing will use the Standard protection mode.

Toggles Extended Reporting for Safe Browsing on Chrome browser, which automatically sends some system information and page content to Google to help detect dangerous apps and websites.

Values

• Allow the user to decide (default)
• Disable sending extra information to help improve Safe Browsing
• Enable sending extra information to help improve Safe Browsing

Specifies an allowlist of trusted websites and domains on Chrome browser. Safe Browsing will not check for phishing, malware, unwanted software, or password reuse for listed URLs, and its download protection service will not check downloads hosted on listed domains.

Values

To add a website or domain, enter it and click . To remove one, click .

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Prevents the device user from downloading dangerous files on Chrome browser, such as malware, infected files, or dangerous file types like SWF and EXE. For more information about Chrome's flags for potentially harmful files, see Google Chrome blocks downloads.

Values

• No special restrictions (default) — Downloads are allowed. The browser warns the device user about websites identified as dangerous, but they can bypass the warning.
• Block all malicious downloads — Downloads are allowed, except for those flagged as malware. Dangerous files are allowed. Recommended by Google.
• Block dangerous downloads — Most downloads are allowed, except those flagged as dangerous.
• Block potentially dangerous downloads — Downloads are allowed, except those flagged as potentially dangerous. The device user cannot bypass the warning.
• Block all downloads — Downloads are blocked.

Allows the device user to bypass Safe Browsing warnings and access deceptive or dangerous websites or download potentially harmful files on Chrome browser.

Values

• Do not allow users to bypass Safe Browsing warnings — The device user can't bypass this setting.
• Allow user to bypass Safe Browsing warnings (default) — Safe Browsing warnings can by bypassed. The device user can locally change this setting.

Toggles the password protection warning, which alerts the device user when they try to save their protected password on a dangerous website on Chrome browser.

Values

• No password protection warning
• Trigger on password reuse
• Trigger on password reuse on phishing page (default)

Specifies the web address to show to the device user when they receive a warning to change their password on Chrome browser. This address should be a secure page that provides a salted and hashed password generation form. To help ChromeOS correctly capture the new password on this page, the page should follow the guidelines at Create amazing password forms.

Values

Enter a URL.

Specifies an allowlist of web pages where the device user will enter their enterprise password to sign in to their Google account. If a sign-in process is split across 2 pages, add the page that contains the password field. When the device user enters their password, a non-reversible hash is stored locally on the Chromebook and later used to detect password reuse. Make sure that the password change page that you specify follows these guidelines.

Values

To add a web page, enter it and click . To remove one, click .

If this value is unset, the password protection service only captures the password hashes on https://accounts.google.com.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Toggles the SafeSites URL filter on Chrome browser. This filter uses the Google Safe Search API to classify whether websites contain pornography.

Values

• Do not filter sites for adult content (default for non-K-12 EDU domains)
• Filter top level sites (but not embedded iframes) for adult content (default for K-12 EDU domains)

Specifies an allowlist of websites and domains that bypass Chrome browser's lookalike URL warnings. Lookalike websites are spoof and phishing websites with URLs that are made to look identical to those of familiar or popular safe websites. When one is detected, the browser warns the device user that the address might be a spoof.

Values

To add a website or domain, enter it and click . To remove one, click .

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

Allows ads on websites that are known to have intrusive ads on Chrome browser.

Values

• Allow ads on all sites (default)
• Block ads on sites with intrusive ads

Allows websites that are flagged as containing abusive experience from opening new windows or tabs.

Values

• Prevent sites with abusive experiences from opening new windows or tabs (default)
• Allow sites with abusive experiences to open new windows or tabs

Toggles automatic updates for Chrome browser components. Some components can't have automatic updates disabled, such as:

• Components that don't contain executable code
• Components that don't significantly alter the behavior of the browse
• Components that are critical for its security will not be disabled

Values

• Enable updates for all components (default)
• Disable updates for components

Controls how the device user is notified that Chrome Browser must be relaunched to apply an update.

Values

• No relaunch notification — The device user receives no warning notification to relaunch Chrome Browser.

• Show notification recommending relaunch — The device user receives a recurring warning notification to relaunch Chrome Browser, which they can close.

  • Time period (hours) — Enter the time period, during which, the device user is repeatedly notified to relaunch Chrome browser or restart their Chromebook. If this value is unset, the system default is 168 hours or 7 days.
  • Initial quiet period (hours) — Enter the initial quiet period, during which, the device user won't be asked to relaunch Chrome browser or restart their Chromebook.

• Force relaunch after a period — The device user receives a recurring warning notification to relaunch Chrome Browser. They can close this message, but will see a recurring warning message to relaunch Chrome Browser within a set amount of time.

  • Time period (hours) — Enter the time period, during which, the device user is repeatedly notified to relaunch Chrome browser or restart their Chromebook. If this value is unset, the system default is 168 hours or 7 days.
  • Initial quiet period (hours) — Enter the initial quiet period, during which, the device user won't be asked to relaunch Chrome browser or restart their Chromebook.

Toggles command line (CLI) tools on the virtual machine (VM) management console.

Values

• Disable VM command line access
• Enable VM command line access (default)

Toggles the Crostini container technology, which provides support for running Linux containers on the Chromebook in order to run Linux apps. Once this policy if modified, it applies to new Linux containers, not to those already running.

Values

• Allow usage for virtual machines needed to support Linux apps for users — The device user can run Linux VMs as long as these additional policies are also set:

  Virtual machines	Always enable virtual machines
  Linux virtual machines for unaffiliated users (BETA)	Allow usage for virtual machines needed to support Linux apps for unaffiliated users

• Block usage for virtual machines needed to support Linux apps for users (default) — The device user can't run Linux VMs.

Allows the device user to configure port forwarding into Linux containers.

Values

• Allow users to enable and configure port forwarding into the VM container (default)
• Do not allow users to enable and configure port forwarding into the VM container

Toggles installation of Android apps from untrusted sources. This policy does not apply to apps on the Google Play store.

Values

• Prevent the user from using Android apps from untrusted sources (default)
• Allow the user to use Android apps from untrusted sources — The device user can install Android apps from untrusted sources, provided they also locally allow this setting.

Toggles Parallels© Desktop for Chromebook to access Microsoft Windows apps and files on the Chromebook.

Values

• Allow users to use Parallels desktop — Enables Parallels Desktop. When set, you must accept the end-user license agreement.
• Do not allow users to use Parallels desktop — Disables Parallels Desktop.

The policy set for configuring the Windows OS image that the device user downloads on their Chromebooks in order to use Parallels Desktop.

Specifies the address for the Windows image.

Values

Enter the URL.

Specifies the SHA-256 hash of the Windows image.

Values

Enter the hash.

Specifies the free disk space required for Parallels Desktop. When deciding on a value, you should take the size of your uncompressed Windows image and add how much space is needed for the additional data or apps you expect to install. If you set a required free disk space value and the Chromebook detects that the remaining space is smaller than that value, it cannot run Parallels Desktop.

Values

Enter the disk space, in gigabytes (GB).

If this value is unset, the default disk space is 20 GB.

Toggles the generation and collection of event logs pertaining to Parallels Desktop usage. For details on the information collected in the logs, see Parallels Customer Experience Program.

Values

• Enable sharing diagnostics data to Parallels
• Disable sharing diagnostics data to Parallels

Specifies an allowlist of list and dictionary device policies that can merge even if they are from different sources. If policies from different sources conflict, but they have the same scopes and levels, their settings merge to create a new policy. If policies from different sources conflict, but they have different scopes and levels, the policy with the highest priority takes precedence.

For more information, see Understand Chrome policy management.

Values

Enter one policy per line in the field or enter the wildcard character (*) to allow all supported policies to merge.

Specifies the maximum delay between when a policy invalidation signal is received and the new policy is fetched from the device management service.

Values

Enter a delay, in milliseconds.

Valid values range from 1,000 (1 second) to 300,000 (5 minutes). Values above or below the range are clamped.

If this value is unset, the default delay is 10 seconds.

Allows the device user to sync Wi-Fi network configurations between the Chromebook and a connected Android phone.

Values

• Allow Wi-Fi network configurations to be synced across Google ChromeOS devices and a connected Android phone — Wi-Fi network configurations can be synced. The device user must first explicitly opt-in to this feature by completing a setup flow.
• Do not allow Wi-Fi network configurations to be synced across Google ChromeOS devices and a connected Android phone —Wi-Fi network configurations can't be synced.

Enables persistent quota functionality for the webkitRequestFileSystem until ChromeOS 107.

This policy has been deprecated.

Values

• Disable persistent quota — The persistent type webkitRequestFileSystem uses temporary quota.
• Enable persistent quota — The persistent type webkitRequestFileSystem uses persistent quota.

Controls if a device is forced to re-enroll in your account after it's wiped. Re-enrolling a wiped device to your account ensures that the policies you set are still enforced.

Values

• Force device to automatically re-enroll after wiping — A wiped device re-enrolls automatically without the device user's credentials.
• Force device to re-enroll with user credentials after wiping — The device user needs to enter their credentials to re-enroll a wiped device.
• Device is not forced to re-enroll after wiping — A wiped device isn't forced to re-enroll.

Allows the device user to factory reset the Chromebook.

Values

• Allow users to trigger powerwash (default)
• Do not allow users to trigger powerwash

Enables a web service that requests proof that the Chromebook is unmodified and policy-compliant. For more details on this topic, see Enable Verified Access with ChromeOS devices.

Values

• Ensure devices in your organization will verify their identity to content providers using a unique key — Enables Verified Access on the Chromebook.
• Do not require devices to verify their identity to content providers — Verified Access on the Chromebook. If set, some premium web content might be unavailable to the device user.

Controls whether Verified Access can attest the Chromebook if it boots into developer mode. For more details, see Enable Verified Access with ChromeOS devices.

Values

• Require verified mode boot for verified access — If the Chromebook boots into developer mode, it fails verification by Verified Access.
• Skip boot mode for verified access — If the Chromebook boots into developer mode, it can be verified by Verified Access.

Specifies an allowlist of email addresses of Google service accounts with full access to the Google Verified Access API. These are the service accounts created on the Google Cloud Platform Console.

Values

To add an account, enter it and click . To remove one, click .

Specifies an allowlist of email addresses of Google service accounts with limited access to the Google Verified Access API. These are the service accounts created on the Google Cloud Platform Console.

Values

To add an account, enter it and click . To remove one, click .

Specifies a custom message to display on lost or stolen devices that have been disabled by an administrator. By default, a disabled device states that it's locked by an administrator, and this custom message displays below that statement.

Values

Enter the message text.

When unset, no custom message displays.

Allows 2-factor authentication (2FA) on devices with a Titan M security chip.

Values

• Allow the user to device (default)
• Disable integrated second facto
• Enable integrated second facto

Enables guest user sessions on the Chromebook.

Values

• Disable guest mode — A Google Account or Google Workspace account must be used to sign in to the Chromebook. Default for K-12 EDU domains.
• Allow guest mode — Device users can sign in to the Chromebook as a guest. Default for all other domains.

Controls which device users can sign in to the Chromebook.

Values

• Restrict sign-in to a list of users — Only allowed managed users set by the Allowed users policy can sign in to the Chromebook. Managed users not on the allowlist are shown an error message.
• Allow any user to sign in — Any managed user can sign in to the Chromebook. The Add person button is available on the sign-in screen.
• Do not allow any user to sign in — Nobody can sign in to the Chromebook. The Add person button is unavailable.

Specifies an allowlist of email addresses that can sign in to the Chromebook. Only available if the Sign-in restriction policy is set to Restrict sign-in to a list of users. If the list allows entire domains, the Add person button is always available on the sign-in screen. If the list allows specific user accounts, the Add person button is disabled when all of the accounts are signed in.

Values

To add an account, enter it and click . To remove one, click .

You can allow all email addresses in a domain with the wildcard (*) token. For example, *@corp.example.com.

Specifies a default account domain name to present to device users on the sign-in page. If this policy is enabled, users don't need to enter the @domain.com part of their account name during sign-in.

Values

• Use the domain name set the field below for autocomplete at sign in — Presents the domain name specified by the Autocomplete domain prefix policy to device users on the sign-in page.
• Do not display an autocomplete domain on the sign-in screen (default)

Specifies the default account domain name to present to device users on the sign-in page. Only available if the Autocomplete domain policy is set to Use the domain name set the field below for autocomplete at sign in.

Values

Enter the domain name.

Toggles cards on the sign-in screen that contain the names and profile pictures of user accounts that have previously signed in to the device. The device user can select the card representing their account to sign-in instantly. If 2-Step Verification is enabled, the sign in flow still requires the device user to provide a second factor.

Values

• Always show usernames and photos (default) — Account cards are enabled, and the device user can select their account.
• Never show usernames and photos — Account cards are disabled, and the device user must enter their credentials each time they sign in. If SAML single sign-on (SSO) is enabled and the SAML identity provider page opens, the page redirects to the SSO sign-in page without the device user having to enter their account name.

Sets the wallpaper on the sign-in screen.

Values

To add an image, click . To inspect the current image, click View. To remove the current image, click Delete.

The image file can be JPG or JPEG format and can't exceed 16 MB in size.

Allows single sign-on (SSO) user accounts to sign in to internal websites and cloud services from your enterprise's identity provider on subsequent sign-ins. The Chromebook must have SAML SSO.

SAML SSO cookies transfer the first time the user account signs in on the Chromebook. If this policy is enabled, the cookies also transfer during subsequent sign-ins.

Cookies will not be transferred to Android apps on supported devices.

Values

• Enable transfer of SAML SSO Cookies into user session during sign-in
• Disable transfer of SAML SSO Cookies into user session during sign-in (default)

Specifies an allowlist of third-party apps or services that can access the Chromebook's internal camera during SAML single sign-on (SSO). The Chromebook must have SAML SSO.

Values

To add an identity provider, enter it and click . To remove one, click .

Specifies the URL parameter name used to autofill the username field on the SAML IdP sign-in and lock screens so that the device user won't need to manually enter their username twice. If this policy is set, the value for the URL parameter will be the device user's Chrome email.

For more information on URL parameters, see About URL parameters.

Values

Enter the URL parameter name in the entry field.

Specifies an allowlist of single sign-on (SSO) URL patterns for which Chrome browser automatically chooses the client certificate. When the browser connects to a site matching one of these patterns, if a valid client certificate is installed, it uses the certificate and skips the certificate selection prompt.

The ISSUER and CN values specify the common name of the certificate authority that client certificates must report as their issuer in order to be chosen. Devices must have SAML SSO.

Values

To add a URL pattern, enter it and click . To remove one, click .

A URL pattern must be a JSON string with the following format:

{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}

The wildcard (*) token is supported, but the pattern can't consist of one wildcard on its own. Prefix a domain with [*.] to include all of its subdomains. Newline characters are not supported, and are stripped out if copy-pasted into the field.

Here are some example URL patterns:

{"pattern": "https://[*.]ext.example.com", "filter":{}}

{"pattern": "https://[*.]corp.example.com", "filter":{}}

{"pattern": "https://[*.]intranet.usercontent.com","filter":{}}

Controls the language displayed on the sign-in screen.

Values

• Use the language of the last user session (default)
• Choose a language — Select from a list of supported languages. For example, English (United States), Portuguese (Brazil) - Português (Brasil), Chinese (Simplified) - 简体中文 , Korean - 한국어

Specifies an allowlist of URL patterns of websites and endpoints that can perform verified access checks during SAML authentication on the sign-in screen. If a website matches an allowlisted pattern, it receives an HTTP header attesting device identity and device state.

If no URLs are added, no websites or endpoints can perform remote attestation on the sign-in screen.

Values

To add a URL pattern, enter it and click . To remove one, click .

URLs must have HTTPS scheme. For example, https://example.com.

For details on the URL format, see Enterprise policy URL pattern format

Allows the device user to toggle device system information on the sign-in screen, or displays it by default.

Values

• Allow users to display system information on the sign-in screen by pressing Alt + V (default)
• Do not allow users to display system information on the sign-in screen
• Always display system information on the sign-in screen

Toggles the privacy screen on the sign-in screen. Only applicable to Chromebooks with an integrated hardware privacy screen.

Values

• Allow the user to decide (default)
• Always disable the privacy screen on sign-in screen
• Always enable the privacy screen on sign-in screen

Toggles the numeric keyboard for password input on Chromebooks with a touchscreen.

Values

• Default to a numeric keyboard for password input — Enables the numeric keyboard by default. The device user can switch to the standard keyboard.
• Default to a standard keyboard for password input (default)

Toggles the screen reader, also known as ChromeVox. For more details about this feature, see Use the built-in screen reader and Use a braille device with your Chromebook.

Values

• Allow the user to decide (default)
• Disable spoken feedback
• Enable spoken feedback

Toggles selective screen reading, where only parts of the screen are read, such as text selections and certain sections. For more details about this feature, see Hear text read aloud.

Values

• Allow the user to decide (default)
• Disable select to speak
• Enable select to speak

Toggles high contrast mode, which changes the font and background color scheme to make pages easier to read.

Values

• Allow the user to decide (default)
• Disable high contrast
• Enable high contrast

Toggles the screen magnification feature. For more details about this feature, see Zoom in or magnify your Chromebook screen.

Values

• Allow the user to decide (default) — The device user chooses one of the settings below.
• Disable screen magnifier — Screen magnification is disabled.
• Enable full-screen magnifier — When magnification is active, the entire screen is zoomed in.
• Enable docked magnifier — When magnification is active, the top-third of the screen shows a zoomed-in slice of the bottom two-thirds.

Toggles inputting key combinations one keypress at a time, without holding any keys down. For more details about this feature, see Use keyboard shortcuts one key at a time.

Values

• Allow the user to decide (default)
• Disable sticky keys
• Enable sticky keys

Toggles the on-screen keyboard. For more details about this feature, see Use the on-screen keyboard.

Values

• Allow the user to decide (default)
• Disable on-screen keyboard
• Enable on-screen keyboard

Toggles speech-to-text input. For more details about this feature, see Type text with your voice.

Values

• Allow the user to decide (default)
• Disable dictation
• Enable dictation

Toggles enhanced object highlighting during keyboard navigation of the sign-in screen.

Values

• Allow the user to decide (default)
• Disable keyboard focus highlighting
• Enable keyboard focus highlighting

Toggles a ring around the caret (keyboard cursor) during typing.

Values

• Allow the user to decide (default)
• Disable caret highlight
• Enable caret highlight

Toggles mouse clicking when the cursor stops moving. For more details about this feature, see Automatically click objects on your Chromebook.

Values

• Allow the user to decide (default)
• Disable auto-click
• Enable auto-click

Toggles a bigger mouse cursor.

Values

• Allow the user to decide (default)
• Disable large cursor
• Enable large cursor

Toggles a ring around the mouse cursor during mouse movement.

Values

• Allow the user to decide (default)
• Disable cursor highlight
• Enable cursor highlight

Specifies which mouse button performs primary interactions.

Values

• Allow the user to decide (default)
• Left button is primary
• Right button is primary

If this value is unset, the left mouse button is primary.

Toggles single-channel audio.

Values

• Allow the user to decide (default)
• Disable mono audio
• Enable mono audio

Toggles the built-in accessibility shortcuts.

Values

• Allow the user to decide (default)
• Disable accessibility shortcuts
• Enable accessibility shortcuts

Controls if your devices will automatically update to new ChromeOS versions.

Values

• Allow updates
• Block updates

Controls if your devices use an earlier ChromeOS version. If newer versions may create compatibility issues across your organization's devices, consider using the long-term support candidate or long-term support channels to maintain device stability. These channels release security fixes every 2 weeks and feature updates every 6 months.

Values

• No restriction
• 107.*
• 108.*
• 109.*
• 110.*
• 108.*(long-term support candidate)
• 102.*(long-term support)

Controls if devices roll back to the target version.

Values

• Do not roll back OS
• Roll back OS

Controls which of the five ChromeOS channels your devices are on. The Stable channel is the default.

For details on these channels, see ChromeOS release best practices.

Values

• Allow user to configure
• Stable channel
• Beta channel
• Long-term support channel
• Long-term support candidate channel
• Dev channel (may be unstable)

Specifies the rollout schedule for your devices.

Values

• Default (devices should update as soon as a new version is available)
• Roll out updates over a specific schedule — Configure the roll out stages, including the update period (in days) and the percentage of devices initially updated.
• Scatter updates — Downloads occur at random intervals to avoid causing network issues. Select how many days you want to scatter updates over.

Specifies the blackout periods when Chrome stops automatically checking for device updates. Blackout periods temporarily pause updates for devices currently updating.

Values

To add a blackout window, configure it and click . To remove one, click .

Specifies if a device automatically restarts after updating.

Values

• Disallow auto-reboots — Auto-reboots are disabled.
• Allow auto-reboots — Auto-reboots are enabled. After updating, a kiosk configured device will restart automatically. Devices configured as user or managed guest sessions restart after the device user signs out.

Specifies how devices can connect to automatically update to new ChromeOS versions. The default is that devices only update automatically if connected to Wi-Fi and Ethernet.

Values

• Allow automatic updates over Wi-Fi and Ethernet only
• Allow automatic updates on all connections, including cellular

Controls if devices can use peer to peer networking to automatically update Chrome through close by devices of the same model. This policy requires that your organization allows peer to peer network connectivity and that your local area network doesn't block multicast DNS.

Values

• Allow peer to peer update downloads
• Do not allow peer to peer update downloads

Specifies when to sign the device user out of their device if they haven't updated to a ChromeOS version that you allow.

Values

• Block devices & user sessions after — Select a time from the list after which the device user is signed out of their device.
• if they are not running at least version — Select the ChromeOS version from the drop down list that is the oldest version allowed on devices.
• Extend this period for Auto Update Expiration devices to — Select a value from the list to set when the device user is signed out of their device after the Auto Update Expiration (AUE) passes and the device no longer receives automatic updates from Google. For more information on AUE, see Auto Update policy.

Specifies a message shown to the device user if they have not updated to a ChromeOS version that you allow and their device reached its AUE date. For more information on AUE, see Auto Update policy.

Values

• Enter an Auto Update Expiration (AUE) message in plain text with no formatting in the field. The device user will see the default message if this field is blank.

Specifies what ChromeOS devices download ChromeOS updates over, HTTP or HTTPS.

Values

• Use HTTP for update downloads
• Use HTTPS for update downloads

Enables the Chrome variations framework. If this policy is enabled, Google can selectively deliver security fixes and experimental features to ChromeOS.

Values

• Enable Chrome variations (default)
• Enable variations for critical fixes only
• Disable variations

Allows the device user to set the display resolution and scale factor.

Values

• Allow users to overwrite predefined display settings (default)
• Do not allow user changes for predefined display settings

Sets the display resolution and scale factor for external displays.

Values

• Always use native resolution (default)
• Use custom resolution — Applies the values specified by the External display width, External display height, External display scale, and Internal display scale sub-policies. If the custom resolution entered is not supported, the display will revert to its native resolution.

Specifies the width of the external display. This policy only applies if the External resolution policy is set to Use custom resolution.

Values

Enter the display width, in pixels.

If this value is unset or not supported, the display reverts to its native resolution.

Specifies the height of the external display. This policy only applies if the External resolution policy is set to Use custom resolution.

Values

Enter the display height, in pixels.

If this value is unset or not supported, the display reverts to its native resolution.

Specifies the scale of the external display. This policy only applies if the External resolution policy is set to Use custom resolution

Values

Choose a display scale:

• Not set
• 50%
• 55%
• 60%
• 65%
• 70%
• 75%
• 80%
• 85%
• 90%
• 95%
• 100%
• 105%
• 110%
• 115%
• 120%
• 125%
• 130%
• 135%
• 140%
• 145%
• 150%

Specifies the scale of the internal display. This policy only applies if the External resolution policy is set to Use custom resolution

Values

Choose a display scale:

• Not set
• 50%
• 55%
• 60%
• 65%
• 70%
• 75%
• 80%
• 85%
• 90%
• 95%
• 100%
• 105%
• 110%
• 115%
• 120%
• 125%
• 130%
• 135%
• 140%
• 145%
• 150%

Controls whether the Chromebook should stay awake or go to sleep or shut down after no device user has signed in for some time.

Values

• Allow device to sleep/shut down when idle on the sign-in screen (default)
• Do not allow device to sleep/shut down when idle on the sign-in screen

Specifies the number of days the Chromebook remains powered on before it automatically restarts. If a user session is running when the time elapses, there is a grace period of 24 hours before restart. Only applicable to Chromebooks in kiosk mode and with a sign-in screen.

Values

Enter the uptime duration, in days.

If this value is unset, the Chromebook doesn't restart automatically.

Controls whether users can use the keyboard, mouse, or screen to power off the Chromebook.

Values

• Only allow users to turn off the device using the physical power button
• Allow users to turn off the device using either the shut down button or the physical power button (default)

Controls if you force devices to reboot when the device user signs out or if an ARC (Android runtime on ChromeOS) or VM session has started.

Values

• Do not reboot on user sign-out
• Reboot on user sign-out if Android has started
• Always reboot on user sign-out
• Reboot on user sign-out if Android or a VM has started

Controls whether unaffiliated device users can run Linux virtual machines on the Chromebook. Once this policy is modified, it applies to new Linux containers, not to those already running. For more details, see Linux virtual machines (BETA).

Values

• Allow device to sleep/shut down when idle on the sign-in screen
• Block usage for virtual machines needed to support Linux apps for unaffiliated (default)

Allows the device user to install Android apps from untrusted sources. This policy does not apply to apps from Google Play.

Values

• Prevent users of this device from using ADB sideloading (default) — Prevents the installation of Android apps from untrusted sources.
• Block usage for virtual machines needed to support Linux apps for unaffiliated — Prevents the installation of Android apps from untrusted sources, and factory resets the Chromebook if ADB sideloading was previously allowed.
• Allow affiliated users of this device to use ADB sideloading — The device user can install Android apps from untrusted sources, provided they also locally enable this setting.

Specifies the hostname passed to the DHCP server in DHCP requests.

Values

Enter a hostname. If this value is set to a non-empty string, the string is used as the device's hostname during the DHCP request. The following string substitution tokens are supported:

• ${ASSET_ID}
• ${SERIAL_NUM}
• ${MAC_ADDR}
• ${MACHINE_NAME}
• ${LOCATION}

The substitution should be a valid hostname pe RFC 1035, section 3.1.

If this value isn't set or isn't valid, no hostname will be used in the DHCP request.

Configures the time zone settings on the device.

You can set up to two timezone policies:

• System timezone
• System timezone automatic detection

Sets the time zone on the Chromebook. Only available if the Timezone policy is locally applied.

Values

• Keep as it is on device currently (default)
• Select which timezone to set — Determines the time zone.

Controls how the Chromebook detects and sets the current time zone. Only available if the Timezone policy is locally applied.

Values

• Let users decide (default) — The device user chooses how the time zone is set.
• Always use coarse timezone detection — The Chromebook determines the time zone based on the geolocation of its public IP address.
• Always send WiFi access-points to server while resolving — The Chromebook determines the time zone based on the geolocation of the Wi-Fi access point that it's connected to.
• Send all location information — The Chromebook uses a combination of all of the information from the preceding values to determine the time zone.

Allows connecting to a mobile network maintained by a different carrier to access the Internet. Mobile data roaming must be allowed on the Chromebook, and roaming charges may apply.

Values

• Allow mobile data roaming (default)
• Do not allow mobile data roaming

Specifies an allowlist list of USB devices that ChromeOS apps can access through the chrome.usb API.

Values

To add a USB device, enter the USB vendor identifier (VID) and product identifier (PID) as a colon-separated hexadecimal pair (VID:PID), and then click . To remove one, click .

For example, to add a mouse with a VID of 046E and a PID of D626, enter 046E:D626.

Enables Bluetooth.

Values

• Do not disable Bluetooth (default)
• Disable Bluetooth

If the value is changed from Disable Bluetooth to Do not disable Bluetooth, the device must be restarted for the change to take effect.

If the value is changed from Do not disable Bluetooth to Disable Bluetooth, the change is immediate and no action is required.

Specifies an allowlist of Bluetooth services the Chromebook can connect to. This policy only applies if Bluetooth is enabled.

Values

Enter the UUID of the service, and click . To remove one, click .

UUIDs can be in short form (abcd or 0xabcd) or long form (aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee).

If no values are specified, all services are allowed.

Controls device-level bandwidth consumption. If enabled, throttles all network interfaces on a device, including Wi-Fi, Ethernet, USB Ethernet adapters, USB cellular dongles, and USB wireless cards. All network traffic is also throttled, including OS updates.

This policy is only applicable to devices in managed guest session, kiosk, or user & browser mode running ChromeOS 56 or higher.

Values

• Disable network throttling (default)
• Enable network throttling

Specifies the maximum allowed download rate. This policy only applies if the Throttle device bandwidth policy is set to Enable network throttling.

Values

Enter a download rate, in kbps. The minimum speed allowed is 513 kbps.

Specifies the maximum allowed upload rate. This policy only applies if the Throttle device bandwidth policy is set to Enable network throttling.

Values

Enter an upload rate, in kbps. The minimum speed allowed is 513 kbps.

Allows the device user to update the Trusted Platform Module (TPM) firmware on the Chromebook.

For more details about how to install firmware updates, see Update your Chromebook's security

Values

• Allow users to perform TPM firmware update
• Block users from performing TPM firmware update (default)

Sends system traffic through an Internet proxy server with authentication.

Values

• Block system traffic from going through a proxy with authentication (default)
• Allow system traffic to go through a proxy with authentication — All system traffic is sent through a proxy server and authenticated with the credentials of a service account. You can specify the credentials with the Username and Password sub-policies.

Specifies the service account username used to authenticate system traffic. Only available if the Authenticated Proxy Traffic policy is set to Allow system traffic to go through a proxy with authentication.

Values

Enter the username.

Specifies the service account password used to authenticate system traffic. Only available if the Authenticated Proxy Traffic policy is set to Allow system traffic to go through a proxy with authentication.

Values

Enter the password.

Specifies the clock format displayed on the sign-in screen and for managed guest sessions.

Values

• Automatic, based on current language (default)
• 12 hour clock format
• 24 hour clock format

Specifies the amount of storage space used for caching installation of apps and extensions by multiple users of a single Chromebook.

Values

Enter the cache size, in bytes. Must be at least 1 MB (1048576 bytes). Leave empty for a default of 256 MB.

Allows hardware profiles to be downloaded from Google servers.

Values

• Allow hardware profiles to be downloaded from Google servers (default)
• Disable hardware profile downloads from Google servers

Enables notifications for low disk space. Applies to all users on the device. If the Chromebook is unmanaged or only has one user, the policy is ignored and low disk space notifications are always displayed.

Values

• Show notification when disk space is low — Displays low disk space notifications for managed devices with multiple user accounts.
• Do not show notification when disk space is low (default)

Allows device users to redeem offers through ChromeOS registration.

Values

• Allow users to redeem offers through ChromeOS registration (default)
• Prevent users from redeeming offers through ChromeOS registration

Allows the device user to enable network packet captures on the Chromebook for debugging.

Values

• Allow user to perform network packet captures (default)
• Do not allow user to perform network packet captures

Specifies whether the device user is prompted to select a client certificate on the sign-in screen when the Single sign-on certificates policy matches multiple certificates from the certificate allowlist. For more details about certificates on ChromeOS, see Single sign-on client certificates.

If your enterprise uses Personal Identity Verification (PIV) cards for sign-in, the DriveLock Smart Card Middleware (CSSI) app parameter filter_auth_cert can be set to automatically filter authentication certificates. For details, see Auto-select certificates during sign-in.

This policy only applies if an allowlist has been specified in the Single sign-on certificates policy.

Values

• Prompt the user to select the client certificate whenever the auto-selection policy matches multiple certificates on the sign-in screen
• Do not prompt the user to select a client certificate on the sign-in screen (default)

Allows you to set a Chromebook as a managed guest session, allowing multiple users to use the same device without signing in to their Google Accounts. This policy is only available for devices with the Chrome Education or Chrome Enterprise upgrades. This policy and its sub-policies also apply to managed guest session devices.

Values

• Allow managed guest sessions
• Do not allow managed guest sessions
• Auto-launch managed guest session

Specifies the auto-launch delay if you want to auto-launch a managed guest session.

Values

Enter an auto-launch delay value in seconds in the field.

Enables you to monitor kiosk health.

Values

Enables kiosk devices to automatically capture system logs and upload them to your Google Admin console. For more information, see Monitor kiosk health.

Values

Specifies the screen orientation for kiosk devices.

Values

• No policy set (allow the device to keep its current display rotation)
• 0 degrees
• 90 degrees
• 180 degrees
• 270 degrees

Allows Android apps to be installed on the Chromebook by the device user or a managed profile. For more details on how to deploy Android apps, see Deploy Android apps to managed users on ChromeOS devices.

Values

• Do not allow (default)
• Allow

See ChromeOS Systems Supporting Android Apps.

Specifies the app types to block the device user from installing.

Values

Choose which app types to block:

• Extension
• Theme
• Google Apps Script
• Hosted app
• Legacy packaged app
• Chrome packaged app

Specifies an allowlist of sources from which the device user can directly install extensions, apps, and themes on Chrome browser. If a URL linking to a CRX file (Chrome extension) matches an allowlisted pattern, the browser will prompt the user to immediately install it.

Values

To add a website or domain, enter it and click . To remove one, click .

For detailed information on valid URL patterns, see Match patterns.

Allows insecure extension packaging.

Values

• Allow insecurely packaged extensions
• Do not allow insecurely packaged extensions

Allows the installation of external extensions, which are extensions from outside the Chrome Web Store. For more information about deploying external extensions, see Alternative extension distribution options.

Values

• Block external extensions from being installed
• Allow external extensions to be installed

Specifies extensions to block based on the permissions they require. For details, see Block apps and extensions based on permissions.

Values

Choose which required permissions to use as a basis to block extensions. If an extension requires a chosen permission, it is blocked:

• Alarms
• Audio capture
• Certificate provide
• Clipboard read
• Clipboard write
• Context menus
• Desktop capture
• Document scan
• Enterprise device attributes
• Experimental APIs
• Fullscreen apps
• File browser handle
• File system
• File system provide
• HID
• Override fullscreen escape
• Detect idle
• Identity
• Google cloud messaging
• Geo location
• Media galleries
• Native messaging
• Captive portal authenticator
• Power
• Notifications
• Printers
• Serial
• Set proxy
• Platform keys
• Storage
• Sync file system
• CPU metadata
• Memory metadata
• Network metadata
• Display metadata
• Storage metadata
• Text to speech
• Unlimited storage
• USB
• Video capture
• VPN provide
• Web requests
• Block web requests

Specifies a blocklist of websites that apps and extensions can't modify. Modifications can include injecting Javascript, viewing and altering web requests, viewing and altering cookies, and making exceptions to the same-origin policy. Maximum of 100 URLs.

Values

To add a website, enter it and click . To remove one, click .

The format of the pattern is a full URL up but not including the resource path. For example, *://*.example.com.

Specifies an allowlist of websites that apps and extensions can modify. Modifications can include injecting Javascript, viewing and altering web requests, viewing and altering cookies, and making exceptions to the same-origin policy. Maximum of 100 URLs.

Values

To add a website, enter it and click . To remove one, click .

The format of the pattern is a full URL up but not including the resource path. For example, *://*.example.com.

Toggles the Chrome Web Store app link in the footer of the new tab page on Chrome Browser and in its app launcher.

Values

• Do not show the Chrome Web Store icon in the ChromeOS launcher or on the new tab page
• Show the Chrome Web Store icon in the ChromeOS launcher or on the new tab page

Configure the home page of the Chrome Web Store for the device user.

Values

• Use the default homepage (default) — The front page of the Chrome Web Store.
• Use the Chrome Web Store collection — A custom collection of apps and extensions hosted on the Chrome Web Store that is tailored to your device users. For more details on custom collections, see Create a Chrome app collection.
• Use a custom page — A custom page not hosted on the Chrome Web Store.

Toggles whether all or only some private apps are available in your enterprise's collection. Private apps appear alongside public apps in the Chrome Web Store. Only available if the Chrome Web Store homepage policy is set to Use the Chrome Web Store collection.

Values

• Include all private apps from this domain
• Choose which apps are included in this collection

Specifies the name of your enterprise's custom collection as displayed on the page. Only available if the Chrome Web Store homepage policy is set to Use the Chrome Web Store collection.

Values

Enter a name.

Specifies the path to your enterprise's custom collection page on the Chrome Web Store. The full URL would be https://chrome.google.com/webstore/path. Only available if the Chrome Web Store homepage policy is set to Use a custom page.

Values

Enter a path to the page.

Allows the device user to publish private apps that are restricted to your domain on the public Chrome Web Store. For more details, see Create a Chrome app collection and Create and publish custom Chrome apps & extensions.

Values

• Allow users to publish private apps that are restricted to your domain on Chrome Web Store
• Do not allow users to publish private apps that are restricted to your domain on Chrome Web Store

Allows the device user to publish private apps that are restricted to your domain but whose packaged URLs don't actually match the domain on the Chrome Web Store. Only available if the Chrome Web Store permissions policy is set to Allow users to publish private apps that are restricted to your domain on Chrome Web Store.

Values

• Allow users to publish private hosted apps even if the domain name of the app's web_launch_url or app_url is not owned by the organization
• Do not allow users to publish private hosted apps if the domain name of the app's web_launch_url or app_url is not owned by the organization

Toggles the monitoring and reporting of Android app installations forced by policy. For more details on this reporting tool, see Monitor forced Android app installs.

Values

• Enable Android reporting
• Disable Android reporting