
ChromeOS policies

Last updated April 8th, 2024

This page describes the policies that you can configure for Chromebooks.

ChromeOS policies can be in one of several possible states:

  • Set. A setting is chosen, and it changes behavior.
  • Set and default. A setting is chosen, but it doesn’t change any behavior because it’s the same as the default.
  • Set and user-defined. A setting is chosen, but it allows the device user to specify the behavior on the Chromebook.
  • Unset and user-defined. No setting is chosen, and the device user can specify the behavior on the Chromebook.

To reduce confusion, a setting labelled (default) in a policy description indicates the default system and user account behavior. Some descriptions also note unique default behavior when a policy is unset, or system behavior that the device user controls by default.

Unless otherwise specified, managed user or device user refers to someone who has signed in to an enrolled Chromebook with a Google account associated with one of your organizations. Unmanaged user refers to someone who has signed in to an enrolled Chromebook with an unassociated Google account. Some policies apply differently to managed and unmanaged users. In these cases, the policy’s description accounts for any differences.

Network policies

To configure network settings, go to Profile details > Modify Network Policy. To add a profile configuration for sub-organizations, click add.

Wi-Fi

Policy Description Supported system
Platform access (by user)

Allows the device user to connect to networks through Wi-Fi.

Values

  • Allow chrome users to use this network
  • Do not allow chrome users to use this network
ChromeOS 99 and higher
Platform access (by device)

Allows managed devices to connect to networks through Wi-Fi.

Values

  • Allow chrome devices to use this network
  • Do not allow chrome devices to use this network
ChromeOS 99 and higher
Setting Values

Toggles the settings for your Wi-Fi network.

ChromeOS 99 and higher
Name

Defines the display name of the network as shown on the Knox Manage console.

Values

Enter a name.

ChromeOS 99 and higher
SSID

Enter the service set identifier (SSID) for your Wi-Fi network.

ChromeOS 99 and higher
> Hidden SSID

Specifies whether to broadcast your Wi-Fi network SSID.

Values

  • This network doesn't broadcast its SSID
  • This network does broadcast its SSID
ChromeOS 99 and higher
> Automatically connect

Specifies whether devices can automatically connect to the network.

Values

  • Automatically connect devices to this network
  • Do not automatically connect devices to this network
ChromeOS 99 and higher
Security settings

Toggles the security settings for your Wi-Fi network.

ChromeOS 99 and higher
Security type

Set a security type for your Wi-Fi network.

Values

  • None
  • WEP (Insecure) — If selected, the Passphrase field appears. You can enter a password for the network or leave it blank to keep the current password.
  • WPA/WPA2 — If selected, the Passphrase field appears. You can enter a password for the network or leave it blank to keep the current password.
  • WPA/WPA2 Enterprise (802.1X) — If selected, the Extensible Authentication Protocol (EAP) and Username fields appear. You can select an authentication protocol and set a username for it.
  • Dynamic WEP (802.1X) — If selected, the Extensible Authentication Protocol (EAP) and Username fields appear. You can select an authentication protocol and set a username for it.
ChromeOS 99 and higher
IP settings

Enables the network's IP address to be configured on the device.

Values

  • Yes
  • No
ChromeOS 99 and higher
Proxy Type

Select a proxy type for your Wi-Fi network.

Values

  • Direct internet connection — Enables devices to directly access all websites through the internet without use of a proxy server.
  • Manual proxy configuration — Enables you to set a proxy server for some or all of your IP addresses and domains. For each proxy setting field, enter the server's host IP address and port number.
  • Automatic proxy configuration — Enables you to set an autoconfiguration URL to use for automatic proxy configuration.
  • Web proxy autodiscovery — Enables the device to decide what proxy to use.
ChromeOS 99 and higher
DNS settings

Toggles the DNS settings for your Wi-Fi network.

ChromeOS 99 and higher
> Name servers

Enables name servers to be configured on the device.

Values

  • Yes
  • No
ChromeOS 99 and higher
> Name server type

Specifies how name servers are generated.

Values

  • Automatic name servers
  • Google name servers — For information, see the Google Public DNS website.
  • Custom name servers — If set, set the domain values in the Custom name servers field that displays.
ChromeOS 99 and higher

Ethernet

Policy Description Supported system
Platform access (by user)

Allows the device user to connect to networks through Ethernet.

Values

  • Allow chrome users to use this network
  • Do not allow chrome users to use this network
ChromeOS 99 and higher
Platform access (by device)

Allows managed devices to connect to networks through Ethernet.

Values

  • Allow chrome devices to use this network
  • Do not allow chrome devices to use this network
ChromeOS 99 and higher
Setting Values

Toggles the settings for your Ethernet network.

ChromeOS 99 and higher
> Name

Defines the display name of the network as shown on the Knox Manage console.

Values

Enter a name.

ChromeOS 99 and higher
> Authentication

Specifies the authentication type for your Ethernet network.

Values

  • None
  • Enterprise (802.1X)
ChromeOS 99 and higher
>> Extensible Authentication Protocol

Displays when you select Enterprise (802.1X) for Authentication.

Set the outer extensible authentication protocol (EAP).

Values

  • PEAP — If selected, configure the network's inner EAP and outer identity and set a username, and optionally, a password and a server Certificate Authority.
  • LEAP — If selected, set a username, and optionally, a password.
  • EAP-TLS — If selected, set the EAP's maximum TLS version, a username, a client enrollment URL, and optionally, a server Certificate Authority. For the client enrollment URLs, each value you enter as an Issuer or Subject pattern needs to match the corresponding values you set in the server Certificate Authority, or the network doesn't use the certificate.
  • EAP-TTLS — If selected, set a username. Optionally, configure the network's inner EAP and outer identity, as well as set a password and a server Certificate Authority.
  • EAP-PWD — If selected, set a username, and optionally, a password.
ChromeOS 99 and higher
>> Username settings

Displays when you select Enterprise (802.1X) for Authentication.

Set the user name for the Extensible Authentication Protocol.

ChromeOS 99 and higher
IP settings

Enables the network's IP address to be configured on the device.

Values

  • Yes
  • No
ChromeOS 99 and higher
Proxy settings

Toggles the proxy settings for your Ethernet network.

Proxy Type

Select a proxy type for your Ethernet network.

Values

  • Direct internet connection — Enables devices to directly access all websites through the internet without use of a proxy server.
  • Manual proxy configuration — Enables you to set a proxy server for some or all of your IP addresses and domains. For each proxy setting field, enter the server's host IP address and port number.
  • Automatic proxy configuration — Sets the proxy server through a Proxy Server Auto Configuration file you upload.
  • Web proxy autodiscovery — Enables the device to decide what proxy to use.
ChromeOS 99 and higher
DNS settings

Toggles the DNS settings for your Ethernet network.

ChromeOS 99 and higher
> Name servers

Enables name servers to be configured on the device.

Values

  • Yes
  • No
ChromeOS 99 and higher
> Name server type

Specifies how name servers are generated.

Values

  • Automatic name servers
  • Google name servers — For information, see the Google Public DNS website.
  • Custom name servers — If set, set the domain values in the Custom name servers field that displays.
ChromeOS 99 and higher

VPN

Policy Description Supported system
Platform access (by user)

Allows the device user to connect to the VPN network.

Values

  • Allow chrome users to use this network
  • Do not allow chrome users to use this network
ChromeOS 99 and higher
Platform access (by device)

Allows managed devices to connect to the VPN network.

Values

  • Allow chrome devices to use this network
  • Do not allow chrome devices to use this network
ChromeOS 99 and higher
Setting Values

Toggles the settings for your VPN network.

ChromeOS 99 and higher
Name

Defines the display name of the network as shown on the Knox Manage console.

Values

Enter a name.

ChromeOS 99 and higher
Remote Host

Enter the VPN's remote host name or IP address.

ChromeOS 99 and higher
> Configures if devices will automatically connect to this VPN

Enables devices to automatically connect to your VPN.

Values

  • Automatically connect to this VPN
  • Do not automatically connect to this VPN
ChromeOS 99 and higher
VPN Type

Enables devices to automatically connect to the network.

Values

  • L2TP over IPsec with Pre-Shared Key — Enter a username, a pre-shared key, and optionally, a password.
  • Open VPN — Not available for networks that use TLS authentication. Specify the protocol, certificate authority, and optionally, a port. For the client enrollment URLs, each value you enter as an Issuer or Subject pattern needs to match the corresponding values you set in the server Certificate Authority, or the network doesn't use the certificate.
ChromeOS 99 and higher
Save username and password after initial connection

Specifies whether to save user credentials after initial connection to the VPN.

Values

  • Yes
  • No
ChromeOS 99 and higher
Proxy settings

Toggles the proxy settings for your VPN network.

ChromeOS 99 and higher
Proxy Type

Select a proxy type for your VPN network.

Values

  • Direct internet connection — Enables devices to directly access all websites through the internet without use of a proxy server.
  • Manual proxy configuration — Enables you to set a proxy server for some or all of your IP addresses and domains. For each proxy setting field, enter the server's host IP address and port number.
  • Automatic proxy configuration — Sets the proxy server through a Proxy Server Auto Configuration file you upload. Enter the file URL in the autoconfiguration URL.
  • Web proxy autodiscovery — Enables the device to decide what proxy to use.
ChromeOS 99 and higher
IP settings

Enables the network's IP address to be configured on the device.

Values

  • Yes
  • No
ChromeOS 99 and higher
DNS settings

Toggles the DNS settings for your VPN network.

> Name servers

Enables name servers to be configured on the device.

Values

  • Yes
  • No
ChromeOS 99 and higher
> Name server type

Specifies how name servers are generated.

Values

  • Automatic name servers
  • Google name servers — For information, see the Google Public DNS website.
  • Custom name servers — If set, set the domain values in the Custom name servers field that displays.
ChromeOS 99 and higher

General settings

Policy Description Supported system
Auto-connect

Specifies the networks that devices can auto-connect to.

Values

  • Allow all networks to connect
  • Restrict users to only auto-connect to managed networks
ChromeOS 99 and higher
Wi-Fi networks

Specifies which Wi-Fi networks the device user can connect to.

Values

  • Allow users to connect to networks not configured in this organizational unit
  • Restrict users to only connect to Wi-Fi networks configured for this organizational unit
  • Restrict users to only connect to Wi-Fi networks configured for this organizational unit, but only if such networks are in range of the device
ChromeOS 99 and higher
Allowed network interfaces

Specifies the network interfaces that the device user can connect to.

Values

  • wifi
  • ethernet
  • cellular
  • vpn
ChromeOS 99 and higher

User & Browser

To access the following policies, go to Profile details > Modify Policy.

General

Policy Description Supported system
Maximum user session length

Specifies device user session duration. The remaining session time is shown on a countdown timer in the system tray. After the specified time, the user account is automatically signed out and the session ends.

Values

Enter a session length, in minutes. The value can be 1–1440 (maximum 24 hours).

ChromeOS 99 and higher
Custom avatar

Sets the user account avatar on the login screen.

Values

To add an image, click upload. To inspect the current image, click View. To remove the current image, click Delete.

The image file can be JPG or JPEG format and can't exceed 512 KB in size.

ChromeOS 99 and higher
Custom wallpaper

Sets the desktop wallpaper.

Values

To add an image, click upload. To inspect the current image, click View. To remove the current image, click Delete.

The image file can be JPG or JPEG format and can't exceed 16 MB in size.

ChromeOS 99 and higher

Sign-in settings

Policy Description Supported system
Display password button

Toggles the Show password button on sign in and lock screens. This button makes the password visible as plain text while the device user enters their credentials.

Values

  • Show the display password button on the login and lock screens
  • Hide the display password button on the login and lock screens
ChromeOS 99 and higher
Managed account as secondary account

Allows the device user to add secondary accounts to ChromeOS that are also managed accounts. When a managed account is added as a secondary account to the Google Play Store, Android apps, Chrome browser, and other platforms that use Chrome browser technology, the main user session and account history of ChromeOS are unaffected.

Values

  • All usages of managed accounts are allowed (default) — The device user can add secondary accounts that are managed accounts to ChromeOS, as normal.
  • Block addition of a managed account as secondary account (in-session) — The device user can't add secondary accounts that are managed accounts to ChromeOS.

ChromeOS 103 and higher

Not available for Education domains

Enrollment controls

Policy Description Supported system
Device enrollment

Specifies which organization to enroll the Chromebooks in. Only applies when a Chromebook is first enrolled.

Values

  • Place Chrome device in user organization — When you first enroll a Chromebook, it's added to the organization that the enrolling user belongs to, and that organization's profile is applied. This setting is useful if you need to manually enroll many Chromebooks, as you won't need to manually move them into more specific organizations after enrollment.
  • Keep Chrome device in current location — When you first enroll a Chromebook, it's added to the top-level organization in your enterprise, and that organization's profile is applied.
ChromeOS 99 and higher
Asset identifier during enrollment

Allows the device user to add an asset ID and location for a Chromebook when they enroll it. If enabled, the Device information page pre-populates with data. If no data exists, the page's fields are blank. The user can edit or enter the Chromebook details before they complete enrollment.

Values

  • Users in this organization can provide asset ID and location during enrollment
  • Do not allow for users in this organization
ChromeOS 99 and higher
Enrollment permissions

Allows the device user to enroll new devices, re-enroll existing devices that have been enrolled, or re-enroll deprovisioned devices. Existing devices include wiped or factory-reset devices. Re-enrolling an existing device does not consume an upgrade.

Enrollment permissions only take effect on devices that have been configured to re-enroll with manual credential entry.

Values

  • Allow users in this organization to enroll new or re-enroll existing devices (default) — The device user can enroll new devices and re-enroll existing devices that were wiped or factory reset, but not deprovisioned.
  • Only allow users in this organization to re-enroll existing devices (cannot enroll new or deprovisioned devices) — The device user can re-enroll existing devices that were wiped or factory reset, but not deprovisioned.
  • Do not allow users in this organization to enroll new or re-enroll existing devices — The device user can't enroll or re-enroll any device, including through forced re-enrollment.
ChromeOS 99 and higher

Apps and extensions

To access the following policies, go to Profile details > Modify Policy.

Policy Description Supported system
Task manager

Allows device users to end processes on the Task Manager.

Values

  • Allow users to end processes with the Chrome task manager
  • Block users from ending processes with the Chrome task manager
ChromeOS 99 and higher

Site isolation

Policy Description Supported system
Site isolation

Toggles site isolation on Chrome browser.

Values

  • Require site isolation for all websites, as well as any origins specified in below (default) — Every website is rendered by a separate, isolated process.
  • Turn off site isolation for all websites, except those set in below — Only websites specified by the allowlist render in a separate, isolated process.
ChromeOS 99 and higher
> Isolated origins

Specifies an allowlist of websites that aren't isolated on Chrome browser.

Values

To add a URL, enter it and click add. To remove one, click delete.

The pattern matching for this policy differs from the typical enterprise URL pattern format. For full details, see IsolateOrigins.

ChromeOS 99 and higher

Security

Policy Description Supported system
Password manager

Toggles the password manager on Chrome browser.

Values

  • Allow the user to decide (default) — The device user can enable or disable the password manager.
  • Never allow use of password manager — The password manager remembers and autofills prior saved passwords, but the device user can't add new passwords.
  • Always allow use of password manager — The password manager always remembers and autofills passwords.
ChromeOS 99 and higher
Lock screen

Toggles the lock screen.

Values

  • Allow locking screen — Under conditions that would normally lock the screen, the screen locks.
  • Do not allow locking screen — Under conditions that would normally lock the screen, including the system going to sleep, the system signs out the user account.
ChromeOS 99 and higher
Quick unlock

Allows the device user to unlock the system with the PIN and fingerprint methods, if configured. As a security best practice, you should avoid allowing PIN unlock on shared Chromebooks.

Values

Select which quick unlock methods to allow:

  • PIN — The device user can unlock the Chromebook with a PIN.
  • Fingerprint — The device user can unlock the Chromebook with a fingerprint scan.
ChromeOS 99 and higher
WebAuthn

Allows the device user to sign in to websites supporting WebAuthn using the PIN or fingerprint methods, if configured.

Values

  • PIN — The device user can sign in to websites supporting WebAuthn with the PIN.
  • FINGERPRINT — The device user can sign in to websites supporting WebAuthn with a fingerprint scan.
  • All — The device user can sign in to websites supporting WebAuthn using either method.

If this value is unset, the device user can't use WebAuthn to sign in to applicable websites.

ChromeOS 101 and higher
PIN auto-submit

Toggles the PIN auto-submit feature on the sign in and lock screens. This feature displays a PIN-based UI, like that of a smartphone, and indicates how many digits are in the PIN.

Values

  • Enable PIN auto-submit on the lock and login screen
  • Disable PIN auto-submit on the lock and login screen
ChromeOS 99 and higher
Lock screen media playback

Toggles media playback while the Chromebook is locked.

Values

  • Allow users to play media when the device is locked
  • Do not allow users to play media when the device is locked
ChromeOS 99 and higher
Idle settings

Specifies the duration of the idle timer on the Chromebook. This setting defines the time, in minutes, before the device goes to sleep or signs out the user account. Leave blank for system default.

Values

Enter an idle time in minutes.

ChromeOS 99 and higher
> Action on idle

Controls the Chromebook behavior when the idle time elapses.

Values

  • Sleep (default) — Go to sleep.
  • Logout — Sign out.
  • Lock Screen — Lock.
ChromeOS 99 and higher
> Action on lid close

Controls the Chromebook behavior when its lid is closed.

Values

  • Sleep (default) — Go to sleep.
  • Logout — Sign out.
  • Lock Screen — Lock.
ChromeOS 99 and higher
> Lock screen on sleep

Controls the Chromebook behavior when it sleeps.

Values

  • Allow user to configure (default) — The device user can locally change this setting.
  • Don't lock screen — Doesn't lock.
  • Lock screen — Lock.
ChromeOS 99 and higher
Incognito mode

Allows the device user to browse in Incognito mode on Chrome browser.

Values

  • Allow incognito mode (default)
  • Disallow incognito mode
ChromeOS 99 and higher
Browser history

Toggles browsing history on Chrome browser.

Values

  • Never save browser history
  • Always save browser history (default)
ChromeOS 99 and higher
Clear browser history

Allows the device user to clear their Chrome browser data, including their browsing and download history.

Values

  • Allow clearing history in settings menu
  • Do not allow clearing history in settings menu
ChromeOS 99 and higher
Online revocation checks

Toggles Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) checks for HTTPS certificates.

Values

  • Perform online OCSP/CRL checks
  • Do not perform online OCSP/CRL checks
ChromeOS 99 and higher
Geolocation

Allows websites to track the Chromebook's location.

Values

  • Allow sites to detect user's geolocation — Websites are granted location information. Android apps ask the device user for access to location information.
  • Do not allow sites to detect users' geolocation — Websites aren't granted location information. Android apps cannot access location information.
  • Always ask the user if a site wants to detect their geolocation — Websites ask the device user for access to location information. Android apps ask the device user for access to location information.
  • Allow user to decide (default) — The device user can locally change this setting.
ChromeOS 99 and higher
Single sign-on

Toggles Security Assertion Markup Language (SAML) single sign-on (SSO) for the Chromebook.

Before you can enable this feature, you must set up third-party SSO for Google Workspace. For more details, see Set up SSO via a third party Identity provider.

Values

  • Enable SAML-based single sign-on for Chrome devices
  • Disable SAML-based single sign-on for Chrome devices (default)
ChromeOS 99 and higher
SAML single sign-on login frequency

Specifies the frequency of forced online sign-in for SAML-based single sign-on (SSO) accounts on the login screen. Before you can enable this feature, you must set up third-party SSO for Google Workspace. For more details, see Set up SSO via a third party Identity provider.

Values

Choose a frequency:

  • Every day
  • Every 3 days
  • Every week
  • Every 2 weeks (default)
  • Every 3 weeks
  • Every 4 weeks
  • Every time
  • Never
ChromeOS 99 and higher
SAML single sign-on password synchronization flows

Specifies where the device user will be asked to sign in if their password changes, either on the sign-in screen only, or both the sign in and lock screens. This policy only applies when the SAML single sign-on password synchronization policy is configured.

Values

  • Enforce online logins on the login and lock screen
  • Only enforce online logins on the login screen (default)
ChromeOS 99 and higher
SAML single sign-on password synchronization

Enables password syncing between different Chromebooks and notifications of upcoming changes to the device user's password.

Values

  • Trigger authentication flows to synchronize passwords with SSO providers — Passwords sync between Chromebooks, and the device user can change their password when signed in and enable notifications that inform them of upcoming changes to the password.
  • Do not trigger authentication flows for password synchronization (default) — Passwords can't sync between Chromebooks.
ChromeOS 99 and higher
Allowed certificate transparency URLs

Specifies an allowlist of URLs to exempt from certificate transparency enforcement. For more details, see CertificateTransparencyEnforcementDisabledForUrls.

Values

To add a URL, enter it and click add. To remove one, click delete.

Only the host in the URL is matched. Wildcard hostnames are not supported.

ChromeOS 99 and higher
Certificate transparency CA allowlist

Specifies an allowlist of certificate authority (CA) subjectPublicKeyInfo hashes that are exempt from certificate transparency enforcement. With this feature, Chrome browser can use non-public certificates issued to your organization by a CA. For more details, see CertificateTransparencyEnforcementDisabledForCas.

Values

To add a subjectPublicKeyInfo hash, enter it and click add. To remove one, click delete.

For details on the hash syntax, see CertificateTransparencyEnforcementDisabledForCas.

ChromeOS 99 and higher
Certificate transparency legacy CA allowlist

Specifies an allowlist of legacy certificate authority (CA) subjectPublicKeyInfo hashes exempt from certificate transparency enforcement. These hashes must match a recognized Legacy CA. Legacy CAs are trusted by some OSs that run Chrome browser, but not ChromeOS or Android. With this feature, Chrome browser can use non-public certificates issued to your organization by a CA. For more details, see CertificateTransparencyEnforcementDisabledForLegacyCas.

Values

To add a subjectPublicKeyInfo hash, enter it and click add. To remove one, click delete.

For details on the hash syntax, see CertificateTransparencyEnforcementDisabledForLegacyCas.

ChromeOS 99 and higher
User management of installed CA certificates

Allows the device user to import, edit, and remove certificate authority (CA) certificates.

Values

  • Allow users to manage all certificates (default) — The device user can edit trust settings for all CA certificates, remove user-imported certificates, and import certificates.
  • Allow users to manage user certificates — The device user can manage settings for user-imported certificates, but not edit trust settings for CA certificates.
  • Disallow users from managing certificates — The device user can view CA certificates, but not manage them.
ChromeOS 99 and higher
User management of installed client certificates

Allows the device user to manage client and device-wide certificates.

Values

  • Allow users to manage all certificates (default) — The device user can manage all certificates.
  • Allow users to manage user certificates — Users can manage user certificates, but not device-wide certificates.
  • Disallow users from managing certificates — Users can view certificates, but not manage them.
ChromeOS 99 and higher
CPU task scheduler

Specifies the priority mode of the Intel Hyper-Threading Technology on the Chromebook's CPU.

Values

  • Allow the user to decide (default)
  • Optimize for stability
  • Optimize for performance
ChromeOS 99 and higher
Enable leak detection for entered credentials

Toggles the Chrome browser feature that checks for known leaked user credentials. This feature is only available in Safe Browsing mode.

Values

  • Allow the user to decide (default)
  • Disable Leak detection for entered credentials
  • Enable Leak detection for entered credentials
ChromeOS 99 and higher
Ambient authentication

Toggles the NTLM/Kerberos feature that provides HTTP authentication without credentials on Chrome browser during regular, guest, and Incognito sessions.

Values

  • No policy set
  • Enable in regular sessions only (default)
  • Enable in regular and incognito sessions
  • Enable in regular and guest sessions
  • Enable in regular, incognito and guest sessions

ChromeOS 80 — Ambient authentication is enabled in all sessions

ChromeOS 81 and higher — If the policy is unset, ambient authentication is enabled during regular sessions

Unsupported system warning

Toggles warnings from Chrome browser when it detects that it's running on an unsupported OS or hardware.

Values

  • Suppress warnings when Chrome is running on an unsupported system
  • Allow Chrome to display warnings when running on an unsupported system (default)
ChromeOS 99 and higher
Advanced Protection program

Toggles whether device users enrolled in the Advanced Protection program on Chrome browser receive the extra protections provided by the program.

Values

  • Users enrolled in the Advanced Protection program will receive extra protections (default)
  • Users enrolled in the Advanced Protection program will only receive standard consumer protections
ChromeOS 99 and higher
Override insecure origin restrictions

Specifies an allowlist of websites and domains that bypass insecure origin restrictions on Chrome browser. Allowlisted origins and websites are not labeled Not Secure in the address bar.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Popup interactions

Controls the default behavior on Chrome browser for interactions between pages and pop-ups opened with a target of _blank.

Values

  • Block popups opened with a target of _blank from interacting with the page that opened the popup (default) — A page that opens a pop-up with a target of _blank must explicitly opt in to interact with the popup.
  • Allow popups opened with a target of _blank to interact with the page that opened the popup — A page that opens a popup with a target of _blank interacts with the pop-up, unless it explicitly opts out of the interaction.
ChromeOS 99 and higher
Security token removal

Specifies the behavior when the device user's smart card security token is removed from the Chromebook. This policy only applies when sessions on the Chromebook are configured for smart cards.

Values

ChromeOS 99 and higher
WebSQL in non-secure contexts

Enables WebSQL in non-secure contexts. WebSQL in non-secure contexts will be disabled by default in ChromeOS 109 and will become unavailable starting in ChromeOS 110. This policy and its sub-policies also apply to managed guest session devices.

Values

  • Enable WebSQL in non-secure contexts
  • Disable WebSQL in non-secure contexts unless enabled by Chrome flag
ChromeOS 105 to 111
> Removal notification duration (seconds)

Specifies the duration to display a notification describing the impending action upon smart card removal. The notification informs the device user that they will be signed out or their session will lock after the specified period, and blocks them from interacting with the system. After the notification expires, the action chosen in the Security token removal policy is performed. The device user can prevent the action by re-inserting the security token before the notification expires.

Values

Enter the notification duration, in seconds.

If this value is unset or 0, the notification is disabled, and the chosen action is performed immediately.

ChromeOS 99 and higher
Compromised password alerts

Allows the device user to dismiss any compromised password alerts they receive when signing in.

Values

  • Allow dismissing compromised password alerts (default)
  • Prevent dismissing compromised password alerts

If this setting is unset or enabled, the device user can dismiss or restore the compromised password alerts.

ChromeOS 100 and higher
Auto-select for multi screen captures

Specifies an allowlist of web apps that can use the getDisplayMediaSet API to automatically screen capture multiple screens simultaneously without the device user's permission. This policy and its sub-policies also apply to managed guest session devices.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 102 and higher
TLS encrypted ClientHello

Enables Chrome Browser to encrypt ClientHello messages and sensitive fields. Enabling this policy allows supported websites to avoid leaking sensitive data by using an HTTPS RR DNS record. Chrome Browser's use of ECH is subject to its evolution as a protocol. This policy and its sub-policies also apply to managed guest session devices.

Values

  • Enable the TLS Encrypted ClientHello experiment
  • Disable the TLS Encrypted ClientHello experiment

If this value is unset or enabled, Chrome Browser defaults to the standard Encrypted ClientHello (ECH) rollout process.

ChromeOS 105 and higher

Remote access

Policy Description Supported system
Remote access clients

Specifies an allowlist of domain names for remote access clients, and prevents the device user from changing the setting on the Chromebook. Only clients from the specified domains can connect to the host device.

Values

To add a domain, enter it and click add. To remove one, click delete.

If this value is unset, the host allows connections from authorized users from any domain.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Remote access hosts

Specifies an allowlist of domain names that are imposed on remote access hosts, and prevents the device user from changing the setting on the Chromebook. Only hosts with accounts registered on an allowlisted domain name can be shared.

Values

To add a domain, enter it and click add. To remove one, click delete.

If this value is unset, hosts can be shared through any user account.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Firewall traversal

Toggles the use of Session Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT (TURN) servers when remote clients try to establish a connection to the Chromebook. This policy and its sub-policies also apply to managed guest session devices.

Values

First field:

  • Enable firewall traversal (default) — Allow remote clients to discover and connect to the Chromebook if they are separated by a firewall.
  • Disable firewall traversal — Don't allow remote clients to discover and connect to the Chromebook if they are separated by a firewall. If this setting is applied and outgoing UDP connections are filtered by the firewall, the Chromebook only allows connections with client machines within the local network.

Second field:

  • Enable the use of relay servers (default) — Allow connections to peers and data transfer without a direct connection when a firewall is in place.
  • Disable the use of relay servers — Only allow connections to peers and data transfer with a direct connection when a firewall is in place.
ChromeOS 99 and higher
> UDP port range

Restricts the UDP port range used by the remote access host in the Chromebook.

Values

Enter a range of UDP ports, from minimum to maximum. For example, 12400–12409.

If this value is unset, any port can be used.

ChromeOS 99 and higher

Session settings

Policy Description Supported system
Show logout button in tray

Toggles the Sign out button on the shelf.

Values

  • Show logout button in tray
  • Do not show logout button in tray (default)
ChromeOS 99 and higher

Kerberos

Policy Description Supported system
Kerberos tickets

Allows Kerberos single sign-on for internal resources that support Kerberos authentication. Internal resources might include websites, file shares, certificates, and so on.

Values

  • Enable Kerberos
  • Disable Kerberos
ChromeOS 99 and higher
> Enable Kerberos automatically

Toggles the automatic addition of a Kerberos account.

Values

  • Do not automatically add a Kerberos account (default)
  • Automatically add a Kerberos account — If set, the name of the principal added is defined by the Principal name policy.
ChromeOS 99 and higher
> Principal name

Specifies the Kerberos principal to automatically add on behalf of the device user. This policy applies if the Enable Kerberos automatically policy is set to Automatically add a Kerberos account.

Values

Enter a principal name. The following string substitution tokens are supported:

  • ${LOGIN_ID} — The username part of principal name. For example, if the user signs in as alex@realm the username is alex.
  • ${LOGIN_EMAIL} — The full principal name.
ChromeOS 99 and higher
> Enable Kerberos custom configuration

Applies a custom Kerberos configuration.

Values

  • Use default Kerberos configuration (default)
  • Customize Kerberos configuration — Customize the Kerberos configuration with the values defined by the Kerberos configuration policy.
ChromeOS 99 and higher
> Kerberos configuration

Define one or more Kerberos configuration option overrides. For a list of supported options, see Configure how to get tickets.

Values

To add a configuration override, enter it and click add. To remove one, click delete.

ChromeOS 99 and higher
Remember Kerberos passwords

Allow the device user to let ChromeOS remember Kerberos passwords.

Values

  • Allow users to remember Kerberos passwords — ChromeOS automatically fetches Kerberos tickets unless additional authentication, such as two-factor, is required.
  • Do not allow users to remember Kerberos passwords — ChromeOS doesn't remember Kerberos passwords and removes all previously stored passwords.
ChromeOS 99 and higher
Kerberos accounts

Allow the device user to manage Kerberos accounts.

Values

  • Allow users to add Kerberos accounts (default) — The device user can add, modify, and remove Kerberos accounts.
  • Do not allow users to add Kerberos accounts — The device user can't manage Kerberos. Kerberos accounts can only be set by device policies.
ChromeOS 99 and higher

Network

Policy Description Supported system
Proxy mode

Specifies how ChromeOS connects to the internet. Android apps on Chromebooks have access to, or are made aware of, a subset of proxy settings, but there is no guarantee that a particular app uses them. Typically, apps using Android System WebView or the built-in network stack do so. Android apps receive different information based on the setting you choose.

Values

  • Allow user to configure (default) — ChromeOS uses a direct connection by default. The device user can configure the connection settings to connect to a proxy server. Android apps are provided with the HTTP proxy server address and port, if the user configures one.
  • Never use a proxy — ChromeOS always uses a direct connection. Android apps are made aware that no proxy is configured.
  • Always auto detect the proxy — ChromeOS uses the Web Proxy Auto-Discovery Protocol (WPAD) to determine which proxy server to connect to. Android apps are made aware of the script URL http://wpad/wpad.dat. No other part of WPAD is used.
  • Always use the proxy specified in below — ChromeOS connects to the specified proxy server. Android apps are provided with the HTTP proxy server address and port. Enter the URL of the proxy server in the Proxy server URL policy, which becomes available when you choose this setting. The URLs which bypass the proxy policy also becomes available, which lets you specify URLs to connect to directly.
  • Always use the proxy auto-config specified in below — ChromeOS follows the proxy connection schema defined in a Proxy Auto-Configuration (PAC) file. Android apps are made aware of the URL of the PAC file. Enter the URL of the PAC file in the Proxy server auto configuration file URL, which becomes available when you choose this setting.
ChromeOS 99 and higher
> Proxy server URL

Specifies the address of the proxy server. Only available if the Proxy mode policy is set to Always use the proxy specified in below.

Values

Enter the URL as IP address:port, for example 192.168.1.1:3128.

ChromeOS 99 and higher
> URLs which bypass the proxy

Specifies an allowlist of websites and domains that bypass the proxy server. Only available if the Proxy mode policy is set to Always use the proxy specified in below.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
> Proxy server auto configuration file URL

The URL of the PAC file to use to configure network connections. Only available if the Proxy mode policy is set to Always use the proxy auto-config specified in below.

Values

Enter the URL to the PAC file.

ChromeOS 99 and higher
Ignore proxy on captive portals

Specifies whether ChromeOS can bypass a configured proxy server for captive portal authentication. Some examples of captive portal pages are landing or sign-in pages where users are prompted to accept terms or sign in before Chrome browser detects a successful internet connection.

Values

  • Ignore policies for captive portal pages — Chrome browser opens captive portal pages in a new window and ignores all settings and restrictions that are configured for the current user.
  • Keep policies for captive portal pages (default) — Chrome browser opens captive portal pages in a new browser tab and applies the current user's policies and restrictions.
ChromeOS 99 and higher
Supported authentication schemes

Specifies which HTTP authentication schemes are supported by Chrome browser. When a server or proxy accepts multiple authentication schemes, the supported authentication scheme with the highest security is used. You can override the default behavior by enabling specific authentication schemes.

Values

  • Basic — User credentials are required, but are unencrypted. The least secure method.
  • Digest — User credentials are required, and use simple encryption. More secure than basic.
  • NTLM (NT LAN Manager) — A challenge-response scheme that uses Microsoft's NTLM technology. More secure than digest.
  • Negotiate — A challenge-response scheme that uses the Kerberos protocol. More secure than NTLM.

If this value is unset, all four schemes are used.

ChromeOS 99 and higher
Allow Basic authentication for HTTP

Toggles the basic authentication scheme over a non-secure HTTP connection on Chrome browser.

Values

  • Basic authentication scheme is allowed on HTTP connections (default)
  • HTTPS is required to use Basic authentication scheme
ChromeOS 99 and higher
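The following added example (not part of the original page, and not Chrome's own code) models how the Supported authentication schemes and Allow Basic authentication for HTTP policies combine when a server offers several schemes. The function names, the one-challenge-per-header simplification and the sample challenges are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Ranking as stated in the policy description, least secure first.
SCHEME_RANK = {"basic": 0, "digest": 1, "ntlm": 2, "negotiate": 3}

# Constructed sample: challenge header values sent by a hypothetical intranet server.
CONSTRUCTED_CHALLENGES = ['Basic realm="intranet"', "NTLM", "Negotiate"]


def offered_schemes(challenges):
    """Return the scheme token of each challenge header value.

    Simplification: one challenge per header value, scheme is the first token.
    """
    schemes = []
    for value in challenges:
        parts = value.split(None, 1)
        if parts:
            schemes.append(parts[0].lower())
    return schemes


def choose_scheme(url, challenges, supported=None, basic_over_http=True):
    """Pick the scheme a client would use under the two policies.

    supported=None models the unset policy (all four schemes are used).
    basic_over_http=False models "HTTPS is required to use Basic authentication scheme".
    """
    enabled = set(SCHEME_RANK) if supported is None else {s.lower() for s in supported}
    cleartext = urlsplit(url).scheme.lower() != "https"
    usable = []
    for scheme in offered_schemes(challenges):
        if scheme not in SCHEME_RANK or scheme not in enabled:
            continue
        if scheme == "basic" and cleartext and not basic_over_http:
            continue
        usable.append(scheme)
    # The supported scheme with the highest security wins.
    return max(usable, key=SCHEME_RANK.get, default=None)


def audit(url, challenges, supported=None, basic_over_http=True):
    """Return (chosen scheme, findings) for one server under a policy combination."""
    chosen = choose_scheme(url, challenges, supported, basic_over_http)
    best_offered = max(
        (s for s in offered_schemes(challenges) if s in SCHEME_RANK),
        key=SCHEME_RANK.get,
        default=None,
    )
    findings = []
    if chosen is None:
        findings.append("no usable scheme: authentication fails under this policy")
    else:
        if chosen != best_offered:
            findings.append(f"policy forces {chosen} although the server offers {best_offered}")
        if chosen == "basic" and urlsplit(url).scheme.lower() != "https":
            findings.append("Basic credentials cross the network without encryption")
    return chosen, findings


if __name__ == "__main__":
    for policy in (None, ["basic", "digest"]):
        print(policy, audit("http://intranet.example/", CONSTRUCTED_CHALLENGES, policy))
```

Running the audit over the servers an organization actually depends on shows which ones would fall back to Basic, or stop authenticating, before a scheme is disabled fleet-wide.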
NTLMv2 authentication

Toggles NTLMv2 authentication.

Values

  • Enable NTLMv2 authentication (default)
  • Disable NTLMv2 authentication
ChromeOS 99 and higher
Minimum SSL version enabled

Specifies the minimum internet security protocol required in connections on Chrome browser.

Values

  • TLS 1.0
  • TLS 1.1
  • TLS 1.2
  • SSL3
ChromeOS 99 and higher
SSL error override

Specifies whether the device user can bypass SSL warnings when connecting to a page on Chrome browser.

Values

  • Allow users to click through SSL warnings and proceed to the page (default)
  • Block users from clicking through SSL warnings
ChromeOS 99 and higher
SSL error override allowed domains

Specifies an allowlist of origins for which the device user can bypass SSL warnings when connecting to a page on Chrome browser. This policy is ignored if the SSL error override policy is set to Allow users to click through SSL warnings and proceed to the page.

Values

To add an origin, enter it and click add. To remove one, click delete.

The path portion of the URL is ignored.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
WebRTC UDP ports

Restricts use of the UDP protocol with Web Real-Time Communication (WebRTC) to a specified port range on Chrome browser.

Values

  • Allow WebRTC to pick any UDP port (1024-65535) (default) — All ports are allowed.
  • Specify range of UDP ports allowed for WebRTC — A port range determines the allowed ports. This setting makes the Minimum value for allowed UDP ports and Maximum value for allowed UDP ports policies available.
ChromeOS 99 and higher
> Minimum value for allowed UDP ports

Specifies the lowest UDP port in the allowed range for WebRTC. Only available if the WebRTC UDP ports policy is set to Specify range of UDP ports allowed for WebRTC.

Values

Enter the lower port.

The absolute minimum is port 1024. This value must be lower than the maximum.

ChromeOS 99 and higher
> Maximum value for allowed UDP ports

Specifies the highest UDP port in the allowed range for WebRTC. Only available if the WebRTC UDP ports policy is set to Specify range of UDP ports allowed for WebRTC.

Values

Enter the upper port.

The absolute maximum is port 65535. This value must be higher than the minimum.

ChromeOS 99 and higher
WebRTC ICE candidate URLs for local IPs

Specifies an allowlist of websites and domains that can view your local IPs as WebRTC Interactive Connectivity Establishment (ICE) candidates. Patterns in this list will be matched against the security origin of the requesting URL. If a match is found, the local IP addresses are shown in ICE candidates. Otherwise, local IP addresses are concealed with mDNS hostnames.

Caution

Enabling this policy can weaken the protection of your local IPs.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
QUIC protocol

Toggles the Quick UDP Internet Connections (QUIC) protocol on Chrome browser.

Values

  • Enable (default)
  • Disable
ChromeOS 99 and higher
Built-in DNS client

Toggles the Chrome browser's built-in DNS client.

Values

  • Use the built-in DNS client on macOS, Android and ChromeOS. Allow the user to change the setting (default)
  • Never use the built-in DNS client
  • Always use the built-in DNS client if available
ChromeOS 99 and higher
Integrated authentication servers

Specifies an allowlist of server domains for Integrated Windows Authentication (IWA). When Chrome browser gets an authentication challenge from a proxy or server in this allowlist, integrated authentication turns on.

Values

To add a domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Kerberos delegation servers

Specifies an allowlist of servers that can be used for Kerberos authentication.

Values

To add a server, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Kerberos ticket delegation

Specifies whether to respect the Key Distribution Center (KDC) policy that delegates Kerberos tickets.

Values

  • Respect KDC policy
  • Ignore KDC policy (default)
ChromeOS 99 and higher
Kerberos service principal name

Specifies the source of the name used to generate the Kerberos service principal name (SPN).

Values

  • Use original name entered
  • Use canonical DNS name (default)
ChromeOS 99 and higher
Kerberos SPN port

Specifies whether the generated Kerberos service principal name (SPN) includes a non-standard port.

Values

  • Include non-standard port
  • Do not include non-standard port (default)
ChromeOS 99 and higher
Cross-origin authentication

Allows third-party content on a page to prompt the device user for HTTP basic authentication on Chrome browser.

Values

  • Allow cross-origin authentication (default)
  • Block cross-origin authentication
ChromeOS 99 and higher
SharedArrayBuffer

Allows websites that are not cross-origin isolated to use SharedArrayBuffers.

Values

  • Allow sites that are not cross-origin isolated to use SharedArrayBuffers
  • Prevent sites that are not cross-origin isolated from using SharedArrayBuffers
ChromeOS 99 and higher
User-Agent client hints

Allows the Chrome browser to fulfill requests by servers for User-Agent client hints — identifying information about itself and the Chromebook.

Values

  • Allow User-Agent client hints (default)
  • Disable User-Agent client hints
ChromeOS 99 and higher
Signed HTTP Exchange (SXG) support

Allows Chrome browser to access pages served on a Signed HTTP Exchange.

Values

  • Accept web content served as Signed HTTP Exchanges (default)
  • Prevent Signed HTTP Exchanges from loading
ChromeOS 99 and higher
Globally scoped HTTP authentication cache

Toggles limiting the scope of Chrome browser's global cache of HTTP server authentication credentials. This policy is intended to give organizations that depend on legacy authentication methods time to update their sign-in procedures. Google plans to remove it in the future.

Values

  • HTTP authentication credentials entered in the context of one site will automatically be used in the context of another — All cached HTTP user authentication credentials are shared. This setting makes the device user vulnerable to cross-site tracking schemes where malicious pages add entries to the HTTP authentication cache by embedding credentials into URLs.
  • HTTP authentication credentials are scoped to top-level sites (default) — Cached HTTP authentication credentials are only shared within a top-level website. If two different websites use resources from the same authenticating domain, credentials need to be provided independently in the context of both websites. Cached proxy credentials are reused across websites.
ChromeOS 99 and higher
Require online OCSP/CRL checks for local trust anchors

Controls whether Chrome always performs revocation checks on validated server certificates that are signed by locally-installed CA certificates. If Chrome can't retrieve any revocation status information on a certificate, it treats it as revoked.

Values

  • Perform revocation checks for successfully validated server certificates signed by locally installed CA certificates
  • Use existing online revocation-checking settings (default)
ChromeOS 99 and higher
HSTS policy bypass list

Specifies an allowlist of hostnames that bypass the HTTP Strict Transport Security (HSTS) policy, which forces Chrome browser to only access websites that provide HTTPS encryption.

Values

To add a hostname, enter it and click add. To remove one, click delete.

Only enter single-label hostnames. Hostnames must be canonical, IDNs must be in A-label representation, and all ASCII letters must be lowercase. An entry only applies to the hostname specified, and not to subdomains of that hostname.

ChromeOS 99 and higher
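The entry rules above can be checked before a list is pushed to devices. This is an added example, not part of the original page or of Chrome; the function names and the sample list are constructed for illustration, and the A-label suggestion uses Python's built-in IDNA codec.

```python
import re

# One DNS label: lowercase letters, digits and hyphens, 1 to 63 characters.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample list, as an administrator might draft it.
CONSTRUCTED_LIST = ["intranet", "Wiki", "portal.corp.example", "b\u00fccher", "http://build/"]


def lint_entry(entry):
    """Return the rule violations for one HSTS bypass list entry (empty list = OK)."""
    problems = []
    host = entry.strip()
    if host != entry:
        problems.append("remove surrounding whitespace")
    if "://" in host or "/" in host:
        problems.append("enter a hostname, not a URL")
        return problems
    if not host.isascii():
        # IDNs must be entered in A-label (xn--) representation.
        try:
            alabel = host.encode("idna").decode("ascii")
            problems.append(f"IDN must be in A-label form: {alabel}")
        except UnicodeError:
            problems.append("IDN must be in A-label form")
    if "." in host:
        problems.append("only single-label hostnames are accepted")
    if host != host.lower():
        problems.append("ASCII letters must be lowercase")
    if not problems and not LABEL.match(host):
        problems.append("not a valid hostname label")
    return problems


def audit_list(entries):
    """Map each entry that breaks a rule to its list of problems."""
    report = {}
    for entry in entries:
        problems = lint_entry(entry)
        if problems:
            report[entry] = problems
    return report


def bypasses_hsts(hostname, entries):
    """Exact match only: an entry does not cover subdomains of that hostname."""
    return hostname in entries


if __name__ == "__main__":
    for entry, problems in audit_list(CONSTRUCTED_LIST).items():
        print(f"{entry!r}: {'; '.join(problems)}")
```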
DNS interception checks enabled

Toggles DNS interception checking on Chrome browser, which tests to see if the connection is behind a proxy that redirects unknown hostnames.

Values

  • Perform DNS interception checks (default)
  • Do not perform DNS interception checks
ChromeOS 99 and higher
Intranet Redirection Behavior

Toggles treating a single-word query in the omnibox as a hostname rather than a search term on Chrome browser. When enabled, if the device user searches for a single word, Chrome browser issues a DNS request for the term as a hostname, and then asks the user if they want to try and connect to the query as a URL rather than search for it. An example would be a search for calendar that matches an internal host http://calendar/.

If your network resolves every DNS request for a single-word host, you should allow interception checks with the DNS interception checks enabled policy. However, this Intranet Redirection Behavior policy is more flexible because with it you can also enable the prompt (infobar) that the device user sees.

Values

  • Use default browser behavior (default) — DNS interception checks and intranet redirect suggestions are enabled. Google plans to deprecate this setting in the future.
  • Disable DNS interception checks and did-you-mean "http://intranetsite/" infobars — Chrome treats a single-word query as a search, and does not check whether hostnames are being redirected by the DNS.
  • Disable DNS interception checks; allow did-you-mean "http://intranetsite/" infobars — Chrome asks the device user whether it should redirect their single-word query to a hostname, and does not check whether hostnames are being redirected by the DNS.
  • Allow DNS interception checks and did-you-mean "http://intranetsite/" infobars — Chrome asks the device user whether it should redirect their single-word query to a hostname, and checks whether hostnames are being redirected by the DNS.
ChromeOS 99 and higher — Use default browser behavior is the default setting
WPAD optimization

Toggles Web Proxy Auto-Discovery (WPAD) optimization on Chrome browser. WPAD helps automatically locate and interface with cache services in a network, speeding up content delivery to the browser.

Values

  • Enable Web Proxy Auto-Discovery (WPAD) optimization (default)
  • Disable Web Proxy Auto-Discovery (WPAD) optimization
ChromeOS 99 and higher
Login credentials for network authentication

Controls whether usernames and passwords are used to authenticate to a managed proxy secured with NTLM authentication.

Values

  • Use login credentials for network authentication to a managed proxy — Credentials are used. If authentication fails, the device user is prompted to enter their username and password.
  • Don't use login credentials for network authentication — Credentials aren't used.
ChromeOS 99 and higher
Allowed network ports

Allows outbound connections on select ports that are normally restricted on the Chromebook. This policy is intended as a temporary workaround for errors with code ERR_UNSAFE_PORT when migrating a service running on a blocked port to a standard port such as port 80 or 443.

Overrides the --explicitly-allowed-ports command-line option.

Values

  • port 554 (expires 2021/10/15)
  • port 6566 (expires 2021/10/15)
  • port 10080 (expires 2022/04/01)

If this value is unset, all restricted ports are blocked.

ChromeOS 99 and higher
CECPQ2 post-quantum key-agreement for TLS

Controls whether ChromeOS follows the default rollout process for Combined Elliptic-Curve and Post-Quantum 2 (CECPQ2), a post-quantum key-agreement algorithm in Transport Layer Security (TLS). CECPQ2 helps evaluate the performance of post-quantum key-exchange algorithms on devices. CECPQ2 results in larger TLS messages which, in very rare cases, can trigger bugs in some networking hardware.

Values

  • Enable default CECPQ2 rollout process (default)
  • Disable CECPQ2
ChromeOS 99 and higher
Freeze User-Agent string version

Controls Chrome browser's settings for the User-Agent string major version. Some websites may have compatibility issues if the major version of Chrome browser has a 3-digit User-Agent string instead of a 2-digit one. This policy controls if the User-Agent string can be frozen at 99 for Chrome versions 100 or higher to avoid these User-Agent string compatibility issues. This policy and its sub-policies also apply to managed guest session devices.

Values

  • Default to browser settings for User-Agent string (default) — The device user chooses if they want to freeze the major version of the User-Agent string.
  • Do not freeze the major version — The device user can't choose to freeze the major version of the User-Agent string.
  • Freeze the major version as 99 — The Chrome major version will report the User-Agent string as 99 and set the browser's major version value to the minor position. For example, Chrome version 102.0.0.0 will report as 99.102.0.0.
  • If you select Freeze the major version as 99 and set the User-Agent Reduction policy to Enable reduction for all origins, the User-Agent string will always be set to 99.0.0.0.

ChromeOS 99 and higher

Android applications

Policy Description Supported system
Control Android backup and restore service

Allows the device user to back up content, data, and settings from Android apps to their Google Account. When users sign in to another Chromebook, they can restore the data. App data can be any data that an app has saved, including potentially sensitive data such as contacts, messages, and photos. Backup data will not count toward the user's Drive storage quota.

Values

  • Backup and restore disabled (default) — Android apps can't back up during initial setup.
  • Let user decide whether to enable backup and restore — Android apps can ask the device user whether to back up after initial setup.
ChromeOS 99 and higher
Google location services

Allows Android apps to track the Chromebook's physical location.

Values

  • Disable location services for Android apps in ChromeOS (default) — Android apps can't access location information during initial setup.
  • Allow the user to decide whether an Android app in ChromeOS can use location services — Android apps can ask the user for location information after initial setup.
ChromeOS 99 and higher
Certificate synchronization

Toggles syncing of ChromeOS certificates to Android apps.

Values

  • Disable usage of ChromeOS CA Certificates in Android apps (default)
  • Enable usage of ChromeOS CA Certificates in Android apps
ChromeOS 99 and higher

Startup

Policy Description Supported system
Home button

Toggles the Home button on the toolbar on Chrome browser. This policy corresponds to the setting under Settings > Appearance > Show home button.

Values

  • Allow the user to decide (default)
  • Never show "Home" button
  • Always show "Home" button
ChromeOS 99 and higher
Homepage

Specifies the home page on Chrome browser.

Values

  • Allow user to configure (default) — The device user chooses the home page.
  • Homepage is always the URL set below — The home page is set to a specific address, which the device user can't override. This setting makes the Homepage URL policy available.
  • Homepage is always the new tab page — The home page is the special chrome://newtab page.
ChromeOS 99 and higher
> Homepage URL

Specifies the address of the home page on Chrome browser. Only available if the Homepage policy is set to Homepage is always the URL set below.

Values

Enter a URL for the home page.

ChromeOS 99 and higher
New tab page

Specifies the address of a new tab on Chrome browser. When left empty, the page will be used.

Values

Enter a URL for new tabs.

ChromeOS 99 and higher
New tab page background

Allows custom backgrounds on Google's new tab page.

Values

  • Allow users to customize the background on the New Tab page — New tabs use a custom background, if the device user sets one.
  • Do not allow users to customize the background on the New Tab page — New tabs only use the default background.

    Caution

    Using this setting deletes any custom backgrounds uploaded by the device user.

ChromeOS 99 and higher
Pages to load on startup

A list of pages to open when Chrome browser starts. Each page opens in a separate tab.

Values

To add a page, enter its URL and click add. To remove one, click delete.

ChromeOS 99 and higher
Profile picker availability on browser startup

Toggles the profile picker settings.

Values

  • Allow the user to decide — By default, Chrome browser shows the profile picker at startup, but the device user can disable it.
  • Do not show profile picker at browser startup — Chrome browser never shows profile picker and the device user can't enable it.
  • Always show profile picker at browser startup — Even if a device only has one profile, Chrome browser always shows profile picker.
ChromeOS 105 and higher

Content

Policy Description Supported system
SafeSearch and Restricted Mode
ChromeOS 99 and higher
> SafeSearch for Google Search queries

Enforces SafeSearch filtering in search results. SafeSearch filters mature or explicit content, like pornography. For K-12 EDU domains, the default is Always use Safe Search for Google Web Search queries. For all other domains, the default is Do not enforce Safe Search for Google Web Search queries. For more details on SafeSearch enforcement, see Lock SafeSearch for accounts, devices & networks you manage.

Values

  • Always use SafeSearch for Google Search queries
  • Do not enforce SafeSearch for Google Search queries (default)
ChromeOS 99 and higher
> Restricted Mode for YouTube

Enforces the level of Restricted Mode on YouTube, which algorithmically limits which videos are viewable based on their content. The device user can raise, but not lower, the Restricted mode level that this policy enforces. For more details on Restricted Mode for YouTube, see Manage your organization's YouTube settings.

Values

  • Do not enforce Restricted Mode on YouTube (default) — The device user chooses the level of Restricted mode in their YouTube settings.
  • Enforce at least Moderate Restricted Mode on YouTube — Enforces Restricted Mode at a medium level, which filters a moderate number of videos.
  • Enforce Strict Restricted Mode on YouTube — Enforces Restricted Mode at the highest level, which filters a large number of videos.
ChromeOS 99 and higher
Screenshot

Allows the device user to take screenshots on the Chromebook. The policy applies to screenshots taken by any means, including the built-in keyboard shortcut, Android apps, and apps and extensions that use the screenshot functionality of the Chrome API.

Values

  • Do not allow users to take screenshots or video recordings
  • Allow users to take screenshots and video recordings (default)
ChromeOS 99 and higher
Screen video capture

Allows websites to prompt the device user to live stream a Chrome browser tab, window, or the entire screen.

Values

  • Allow sites to prompt the user to share a video stream of their screen (default)
  • Do not allow sites to prompt the user to share a video stream of their screen
ChromeOS 99 and higher
Client certificates

Specifies an allowlist of URL patterns for which Chrome browser automatically selects a client certificate. If a valid client certificate is installed and the browser accesses an allowlisted URL, the browser skips the client certificate selection prompt. The ISSUER and CN values specify the common name of the certificate authority that client certificates must report as their issuer in order to be chosen.

Values

To add a URL pattern, enter it and click add. To remove one, click delete.

A URL pattern must be a JSON string with the following format:

{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}

The wildcard (*) token is supported, but the pattern can't consist of one wildcard on its own. Prefix a domain with [*.] to include all of its subdomains. Newline characters are not supported, and are stripped out if copy-pasted into the field.

Here are some example URL patterns:

{"pattern": "https://[*.]ext.example.com", "filter":{}}

{"pattern": "https://[*.]corp.example.com", "filter":{}}

{"pattern": "https://[*.]intranet.usercontent.com","filter":{}}

ChromeOS 99 and higher
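The entry format above lends itself to a pre-deployment check. This is an added example, not part of the original page or of Chrome: it validates entries against the stated rules, flags entries whose filter names no issuer, and tests which entries apply to a URL. The function names, the sample entries and the issuer name are constructed, and the matcher is a simplification that compares only the scheme and host.

```python
import json
from urllib.parse import urlsplit

SUBDOMAIN_PREFIX = "[*.]"

# Constructed sample entries; the issuer name is a placeholder.
CONSTRUCTED_ENTRIES = [
    '{"pattern":"https://[*.]corp.example.com","filter":{"ISSUER":{"CN":"Example Corp Issuing CA"}}}',
    '{"pattern": "https://[*.]ext.example.com", "filter":{}}',
    '{"pattern":"*","filter":{}}',
    '{"pattern":"https://portal.example.com","filter":{"ISSUER":{"CN":""}}}',
]


def check_entry(raw):
    """Validate one entry. Returns (entry or None, errors, warnings)."""
    errors, warnings = [], []
    if "\n" in raw or "\r" in raw:
        warnings.append("newline characters are stripped from the field")
        raw = raw.replace("\r", "").replace("\n", "")
    try:
        entry = json.loads(raw)
    except json.JSONDecodeError as exc:
        return None, [f"not a JSON string: {exc.msg}"], warnings
    if not isinstance(entry, dict):
        return None, ["entry must be a JSON object"], warnings
    pattern, flt = entry.get("pattern"), entry.get("filter")
    if not isinstance(pattern, str) or not pattern.strip():
        errors.append('missing "pattern" string')
    elif pattern.strip() == "*":
        errors.append("pattern can't consist of one wildcard on its own")
    if not isinstance(flt, dict):
        errors.append('missing "filter" object')
    else:
        issuer = flt.get("ISSUER")
        if issuer is None:
            # An empty filter puts no constraint on who issued the certificate.
            warnings.append("no ISSUER constraint: a certificate from any issuer can be auto-selected")
        elif not (isinstance(issuer, dict) and isinstance(issuer.get("CN"), str)
                  and issuer["CN"].strip()):
            errors.append('"ISSUER" must be an object with a non-empty "CN"')
    return (entry if not errors else None), errors, warnings


def pattern_matches(pattern, url):
    """Simplified match on scheme and host; ports and paths are not compared."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False  # this sketch only handles scheme://host patterns
    host = rest.split("/", 1)[0].lower()
    target = urlsplit(url)
    if scheme != "*" and scheme.lower() != target.scheme.lower():
        return False
    target_host = (target.hostname or "").lower()
    if host.startswith(SUBDOMAIN_PREFIX):
        base = host[len(SUBDOMAIN_PREFIX):]
        # Compare on a label boundary so notcorp.example.com never matches corp.example.com.
        return bool(base) and (target_host == base or target_host.endswith("." + base))
    return target_host == host


def issuers_for(url, raw_entries):
    """List (pattern, issuer CN or None) for every valid entry that matches url."""
    hits = []
    for raw in raw_entries:
        entry, _errors, _warnings = check_entry(raw)
        if entry is not None and pattern_matches(entry["pattern"], url):
            hits.append((entry["pattern"], entry["filter"].get("ISSUER", {}).get("CN")))
    return hits


if __name__ == "__main__":
    for raw in CONSTRUCTED_ENTRIES:
        print(raw, check_entry(raw)[1:])
    print(issuers_for("https://vpn.corp.example.com/login", CONSTRUCTED_ENTRIES))
```

A `None` issuer in the output of `issuers_for` marks a URL where the selection prompt is skipped without any restriction on the issuing CA.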
Security key attestation

Specifies an allowlist of websites and domains that do not prompt the device user when their security keys request attestation certificates. Additionally, when keys are requested, a signal is sent to the security key to indicate that individual attestation may be used.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

URLs will only match as Universal 2nd Factor (U2F) app IDs. Domains only match as WebAuthn relying party (RP) IDs. Thus, to cover both U2F and WebAuthn APIs for a website or domain, both its app ID URL and domain should be listed.

ChromeOS 99 and higher
3D content

Allows websites to use the Web-based Graphics Library (WebGL) API and plugins on Chrome browser. WebGL is a software library that enables JavaScript to generate interactive 3D graphics.

Values

  • Never allow display of 3D content
  • Always allow display of 3D content (default)
ChromeOS 99 and higher
Cookies

Allows websites on Chrome browser to store browsing information, such as the device user's website preferences and profile information. This policy corresponds to the cookie options in the browser's settings.

Values

  • Allow the user to decide (default) — The device user chooses one of the settings below.
  • Allow cookies — Cookies are stored.
  • Block cookies — Cookies are never stored.
  • Session only — Cookies are stored for the duration of the session.
ChromeOS 99 and higher
> Allow cookies for URL patterns

Specifies an allowlist of websites and domains that are allowed to set cookies.

Values

To add a website or domain, enter it and click add. To delete one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
> Block cookies for URL patterns

Specifies a blocklist of websites and domains that are not allowed to set cookies.

Values

To add a website or domain, enter it and click add. To delete one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
> Allow session-only cookies for URL patterns

Specifies an allowlist of websites and domains that are allowed to set session-only cookies.

Values

To add a website or domain, enter it and click add. To delete one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher

Controls third-party cookies.

Values

  • Allow the user to decide (default)
  • Allow third-party cookies
  • Disallow third-party cookies
ChromeOS 99 and higher

Allows legacy behavior for the SameSite cookie attribute on Chrome browser. The SameSite attribute allows cross-site cookies to be sent securely. Chrome browser 80 and higher is much stricter toward cookies with undefined SameSite attributes, which may break single sign-on and internal apps for legacy or out-of-date services. You can temporarily revert Chrome browser to the legacy behavior, which is less secure.

To test how Chrome browser treats cookies that don't specify a SameSite attribute on your websites and services, see Tips for testing and debugging SameSite-by-default.

Values

  • Revert to legacy SameSite behavior for cookies on all sites — Chrome browser doesn't require cookies with SameSite=None to include the Secure attribute. Cookies that don't specify any SameSite attribute are treated as if they have SameSite=None.
  • Use SameSite-by-default behavior for cookies on all sites — Chrome browser reverts to its default SameSite behavior, depending on its version.
  • Use the user's personal configuration for SameSite features (default) — Chrome browser uses the device user's SameSite settings, as configured in the browser's flags.
ChromeOS 79 to 92

Specifies an allowlist of websites for which Chrome browser uses its legacy behavior for the SameSite cookie attribute. Chrome browser 80 and higher is much stricter toward cookies with undefined SameSite attributes, which may break single sign-on and internal apps for legacy or out-of-date services.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Images

Controls whether Chrome browser allows websites to display images. For Show images on these sites and Block images on these sites, put one URL pattern on each line.

Values

  • Allow the user to decide (default)
  • Allow all sites to show all images
  • Do not allow any site to show images
ChromeOS 99 and higher
> Show images on these sites

Specifies an allowlist of websites and domains that can display images on Chrome browser.

Values

To add a website or domain, enter its URL and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
> Block images on these sites

Specifies a blocklist of websites and domains that can't display images on Chrome browser.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
JavaScript

Controls whether Chrome browser allows websites to run JavaScript.

Values

  • Allow the user to decide (default)
  • Allow sites to run JavaScript
  • Do not allow any site to use JavaScript
ChromeOS 99 and higher
> Allow these sites to run JavaScript

Specifies an allowlist of websites and domains that can run JavaScript on Chrome browser.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
> Block JavaScript on these sites

Specifies a blocklist of websites and domains for which Chrome browser blocks JavaScript.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
JavaScript IntensiveWakeUpThrottling

Suspends JavaScript timers on background tabs that haven't been used for 5 minutes or more on Chrome browser. For these suspended tabs, timers only execute their code once per minute, which can significantly decrease CPU load and battery consumption. This policy is applied per-website, with the most recent setting applied to a tab when it loads. The user must perform a full restart of Chrome browser for the setting to apply to all loaded tabs.

Values

  • Allow throttling of background javascript timers to be controlled by Chrome's logic and configurable by users (default) — Background tabs have JavaScript throttled based on the browser's internal logic, and the policy can be manually configured by the device user.
  • Force no throttling of background javascript timers — Background tabs never have JavaScript throttled.
  • Force throttling of background javascript timers — Background tabs have JavaScript throttled after they are suspended.
ChromeOS 99 and higher
JavaScript setTimeout() clamping

Specifies the JavaScript setTimeout() clamping settings. setTimeout() sets a timer to run a section of code at a specified time. Some browsers will clamp or change the number of milliseconds you specify for your timeout rate. This policy and its sub-policies also apply to managed guest session devices.

Values

  • Default behavior for setTimeout() function nested clamp — The setTimeout() function clamp setting will default to the browser's settings.
  • JavaScript setTimeout() will be clamped after a normal nesting threshold — If a setTimeout rate is longer than 4 milliseconds, it'll be clamped. This may change task ordering on websites which could lead to unanticipated behavior if they depend on specific forms of ordering.
  • JavaScript setTimeout() will not be clamped as aggressively — If a setTimeout rate is shorter than 4 milliseconds, it won't be clamped as forcefully. This may help short term performance, but webpages may eventually have their setTimeouts clamped.
ChromeOS 101 to 109
Clipboard

Allows you to configure clipboard access for websites. This policy doesn't impact any operations not controlled by the clipboard site permission, such as copy and paste. This policy and its sub-policies also apply to managed guest session devices.

Values

  • Allow the user to decide (default) — The device user can decide if websites can request clipboard access.
  • Allow sites to ask the user to grant the clipboard site permission — Websites can ask the device user for clipboard access.
  • Do not allow any site to use the clipboard site permission — No websites have clipboard access.
ChromeOS 103 and higher
> Allow these sites to access the clipboard

Specifies an allowlist of websites and domains that can request clipboard access from the device user.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 103 and higher
> Block these sites from accessing the clipboard

Specifies a blocklist of websites and domains that can't request clipboard access from the device user.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 103 and higher
Notifications

Allows websites to display desktop notifications.

Note

If you block desktop notifications for all websites, some web apps that rely on desktop notifications, such as Google Calendar and Slack, may provide a poorer user experience. To enable expected behavior and experiences, you should add these apps' URLs to the Allow these sites to show notifications allowlist.

Values

  • Allow the user to decide (default)
  • Allow sites to show desktop notifications
  • Do not allow sites to show desktop notifications
  • Always ask the user if a site can show desktop notifications
ChromeOS 99 and higher
> Allow these sites to show notifications

Specifies an allowlist of websites and domains that can display desktop notifications.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
> Block notifications on these sites

Specifies a blocklist of websites and domains that can't display desktop notifications.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Autoplay video

Specifies an allowlist of websites and domains that can automatically play video content with sound on Chrome browser without the device user's consent. If you change this policy on deployed Chromebooks, it only applies to newly opened tabs.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Custom protocol handlers

Specifies a list of protocol handlers available to the device user. The device user can't remove any protocol handlers that you've added, but they can register their own. If a device is handling Android intents, it won't use protocol handlers set through this setting.

Values

  • URL — The URL pattern of the application handling the protocol.
  • Protocol — Select a protocol from the drop down list.
  • Custom Protocol — Only available if you select the web+ protocol.
  • To add a protocol handler, click add. To remove one, click delete.

ChromeOS 99 and higher
Auto open downloaded files

Specifies an allowlist of file types to automatically open after download on Chrome browser. If Safe Browsing is turned on, the browser still checks whether they are malicious or dangerous, and only opens them if they pass. When this list is blank, only file types that the device user allows can automatically open.

Values

To add a file type, enter it and click add. To remove one, click delete.

Do not include the leading separator when listing the type. For example, enter txt, not .txt.

ChromeOS 99 and higher
> Auto open URLs

Specifies an allowlist of websites and domains that can automatically open the file types that you specify in the Auto open downloaded files policy. Chrome continues to automatically open file types that the device user chooses to automatically open.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

If this value is unset, Chrome automatically opens all file types specified in the Auto open downloaded files policy, no matter their origin.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Pop-ups

Allows websites to open pop-ups on Chrome browser. When a website's pop-ups are blocked, the device user can click the blocked pop-ups button in the omnibox to allow them.

Values

  • Let the user decide (default)
  • Allow all pop-ups
  • Block all pop-ups
ChromeOS 99 and higher
> Allow pop-ups on these sites

Specifies an allowlist of websites and domains that can open pop-ups.

Values

To add a website or domain, enter its URL and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
> Block pop-ups on these sites

Specifies a blocklist of websites and domains that can't open pop-ups.

Values

To add a website or domain, enter its URL and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Cross-origin JavaScript dialogs

Allows cross-origin iframes on websites to prompt the device user on Chrome browser. Starting with Chrome browser 91, cross-origin iframes can't trigger JavaScript prompts (window.alert, window.confirm, and window.prompt). This change was made to prevent embedded content from spoofing messages from the origin website or Chrome browser.

Values

  • Block JavaScript dialogs triggered from a cross-origin iframe (default)
  • Allow JavaScript dialogs triggered from a cross-origin iframe
ChromeOS 91 to 94
URL blocking

Specifies a blocklist of URLs on the Chromebook. You can add up to 1,000 URLs. When an exact URL is blocked by this policy and excepted by the Blocked URL exceptions policy, the exception takes precedence.

Tip

To block OS and browser setting URLs, such as chrome://flags, use the Disabled system features policy instead of blocking the URL here.

Block URLs on Android apps

Android apps on Chromebooks that use Android System WebView do not honor the blocked URL and blocked URL exception lists. To enforce a blocklist on these apps, manually configure these policies as JSON data in a text file. See Apply managed configurations to an Android app for more details. Here is an example configuration of these two policies:

{
    "com.android.browser:URLBlocklist": "[\"*\"]",
    "com.android.browser:URLAllowlist": "[\"www.example.com\", \"www.my-enterprise.com\"]"
}

For apps that don't use Android System WebView, consult their documentation for information about how to block URLs.

Values

To add a URL, enter it and click add. To remove one, click delete.

The URL formatting for this policy differs from Google's typical enterprise policy URL pattern syntax. Each URL must contain a valid hostname (such as google.com), an IP address, or a wildcard (*) host. URLs can include:

  • The URL scheme, which is http, https, or ftp, followed by ://
  • A valid port value from 1–65,535
  • The path to the resource
  • Query parameters

Note

  • To disable subdomain matching, put an extra period before the host.
  • You cannot use user:password fields, such as http://user:pass@ftp.example.com/pub/file.iso. Instead, enter http://ftp.example.com/pub/file.iso.
  • If an extra period precedes the host, the policy filters exact host matches only.
  • Wildcards (*) are allowed when appended to a URL, but cannot be entered alone.
  • You cannot use a wildcard at the end of a URL, such as https://www.google.com/* and https://google.com/*.
  • The policy searches wildcards (*) last.
  • The optional query is a set of key-value and key-only tokens delimited by &.
  • The key-value tokens are separated by =.
  • A query token can optionally end with a wildcard (*) to indicate prefix match. Token order is ignored during matching.
ChromeOS 99 and higher
> Blocked URL exceptions

Specifies a list of exceptions to the URL blocklist on the Chromebook. Maximum of 1000 URLs.

Values

See the URL blocking policy description for instructions and syntax details.

ChromeOS 99 and higher
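A simplified model of the URL blocking and Blocked URL exceptions rules above, as an added example that is not Chrome's implementation. It assumes that any matching exception wins, that paths match as prefixes and that query tokens are out of scope; all names and sample lists are constructed.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "ftp"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}
MAX_ENTRIES = 1000  # list size limit stated on the page


def parse_entry(entry):
    """Split a list entry into (scheme, host, subdomains, port, path)."""
    scheme, sep, rest = entry.partition("://")
    if not sep:
        scheme, rest = None, entry
    elif scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme must be http, https or ftp: {entry!r}")
    if "?" in rest:
        raise ValueError(f"query tokens are outside this model: {entry!r}")
    authority, slash, path = rest.partition("/")
    if "@" in authority:
        raise ValueError(f"user:password fields are not allowed: {entry!r}")
    host, colon, port_text = authority.partition(":")
    port = None
    if colon:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"port must be 1-65535: {entry!r}")
        port = int(port_text)
    # An extra leading period turns subdomain matching off (exact host only).
    subdomains = not host.startswith(".")
    if not subdomains:
        host = host[1:]
    if not host:
        raise ValueError(f"missing host: {entry!r}")
    return (scheme.lower() if scheme else None), host.lower(), subdomains, port, slash + path


def entry_matches(entry, url):
    """True if the URL falls under the entry in this simplified model."""
    scheme, host, subdomains, port, path = parse_entry(entry)
    target = urlsplit(url)
    target_host = (target.hostname or "").lower()
    if scheme and target.scheme != scheme:
        return False
    if host != "*" and target_host != host:
        if not (subdomains and target_host.endswith("." + host)):
            return False
    if port is not None and (target.port or DEFAULT_PORTS.get(target.scheme)) != port:
        return False
    # Assumption: an entry's path is compared as a prefix of the URL path.
    return (target.path or "/").startswith(path)


def is_blocked(url, blocklist, exceptions):
    """Apply the blocklist, letting any matching exception take precedence."""
    for entries in (blocklist, exceptions):
        if len(entries) > MAX_ENTRIES:
            raise ValueError("a list holds more than 1000 URLs")
    if any(entry_matches(entry, url) for entry in exceptions):
        return False
    return any(entry_matches(entry, url) for entry in blocklist)


# Constructed lists: block everything, then except two hosts.
BLOCKLIST = ["*"]
EXCEPTIONS = ["www.example.com", ".my-enterprise.com"]

if __name__ == "__main__":
    for url in ("https://www.example.com/login",
                "https://my-enterprise.com/",
                "https://mail.my-enterprise.com/",
                "https://other.test/"):
        print(url, "blocked" if is_blocked(url, BLOCKLIST, EXCEPTIONS) else "allowed")
```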
Google Drive syncing

Controls whether the device user can sync with Google Drive on the Chromebook. This policy has no effect on the Google Drive Android app. To completely disable any syncing with Google Drive, select Disable Google Drive syncing and block the Google Drive Android app from being installed on the Chromebook. For more details, see Deploy Android apps to managed users on ChromeOS devices.

Values

  • Disable Google Drive syncing
  • Enable Google Drive syncing (default)
ChromeOS 99 and higher
Google Drive syncing over cellular

Controls whether the device user can sync with Google Drive on the Chromebook over a cellular connection. This policy has no effect on the Google Drive Android app.

Values

  • Disable Google Drive syncing over cellular connections
  • Enable Google Drive syncing over cellular connections (default)
ChromeOS 99 and higher
Cast

Allows the device user to use a Chromecast device to cast from a Chrome tab.

Values

  • Allow users to Cast (default)
  • Do not allow users to Cast
ChromeOS 99 and higher
> Show the Cast icon in the toolbar

Toggles the Cast icon on the toolbar. Only available if the Cast policy is set to Allow users to Cast.

Values

  • Always show the Cast icon in the toolbar — The Cast icon is added to the toolbar, and the device user can't remove it.
  • Do not show the Cast icon in the toolbar, but let users choose (default) — The Cast icon isn't added to the toolbar, but the device user can add it.
ChromeOS 99 and higher
Control use of insecure content exceptions

Allows the device user to enable mixed content on websites and domains on Chrome browser. By default, on an HTTPS website, Chrome browser blocks all active content (scripts and iframes) available through HTTP.

Values

  • Do not allow any sites to load blockable mixed content (default) — All mixed content on secure websites and domains is blocked.
  • Allow users to add exceptions to allow blockable mixed content — The device user can allow specific websites and domains to load active mixed content. To add a website or domain, the device user must:

    1. Open Chrome.
    2. At the top-right, click the Chrome browser menu > Settings.
    3. Navigate to Privacy and security > Site settings > Additional content settings > Insecure content.
    4. Under Allowed to show insecure content, select Add.
    5. Enter the URL of the website. The URL syntax follows the Enterprise policy URL pattern format.
ChromeOS 99 and higher
Allow insecure content on these sites

Specifies an allowlist of websites and domains that can display active mixed content (scripts and iframes).

Values

To add a website or domain, enter its URL and click add. To remove one, click delete.

For examples and more details about URL patterns, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Block insecure content on these sites

Specifies a blocklist of websites and domains that can't display active mixed content (scripts and iframes).

Values

To add a website or domain, enter its URL and click add. To remove one, click delete.

For examples and more details about URL patterns, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Insecure forms

Toggles warnings when a website delivers a form through HTTP on Chrome browser.

Values

  • Show warnings and disable autofill on insecure forms
  • Do not show warnings and disable autofill on insecure forms
ChromeOS 99 and lower
Re-enable window.webkitStorageInfo API

Enables the window.webkitStorageInfo API after the non-standard API window.webkitStorageInfo is deprecated. This policy and its sub-policies also apply to managed guest session devices.

Values

  • Disable window.webkitStorageInfo
  • Enable window.webkitStorageInfo
ChromeOS 106 to 111
Re-enable the Event.path API until Chrome 115

Enables the Event.path API until Chrome 115. This policy and its sub-policies also apply to managed guest session devices.

Values

  • Enable Event.path API until Chrome 108 (default) — The Event.path API is available until Chrome 108.
  • Disable Event.path API — The Event.path API is unavailable.
  • Enable Event.path API until Chrome 115 — The Event.path API is available until Chrome 115.
ChromeOS 105 to 115
Network file shares

Toggles network file sharing on the Chromebook.

Values

  • Allow network file shares
  • Block network file shares
ChromeOS 99 and higher
> Net Bios Share discovery

Allows the NetBIOS name query request protocol to discover shares on the network. If this policy is not set, NetBIOS discovery is allowed for managed user accounts, but not for unmanaged accounts. Only available when Network file shares policy is set to Allow network file shares.

Values

  • Use NetBIOS discovery
  • Do not allow NetBIOS discovery (default)
ChromeOS 99 and higher
> NTLM Share authentication

Toggles NTLM as an authentication protocol for mounted server message block (SMB) shares. Only available when Network file shares policy is set to Allow network file shares.

Values

  • Use NTLM authentication — Authentication for shares is required for all accounts.
  • Do not use NTLM authentication (default) — Authentication for shares is required for managed user accounts, but not for non-managed accounts.
ChromeOS 99 and higher
> Preconfigured network file shares

Specifies a list of pre-configured network file shares available to the Chromebook. Only available when Network file shares is set to Allow network file shares.

Values

To add a file share, enter its URL, select a Mode, then click add. To remove one, click delete.

  • URL — The URL of the file or resource to share. For example, smb://server/share or \shared\resource.
  • Mode — How the file or resource is shared:
    • Drop down — Adds the URL to the share discovery menu.
    • Pre mount — Automatically shares the file or resource.
ChromeOS 99 and higher
Scroll to text fragment

Allows links to highlight and scroll to text on a webpage on Chrome browser. Links with special fragment syntax can target text on a page. When the page is fully loaded, the browser scrolls to the text.

Values

  • Allow sites to scroll to specific text fragments via URL (default)
  • Do not allow sites to scroll to specific text fragments via URL
ChromeOS 99 and higher
Enable URL-keyed anonymized data collection

Toggles URL-keyed anonymized data collection, which sends Google the URL of each website that Chrome browser visits in order to improve searching and browsing.

Values

  • Allow the user to decide (default)
  • Data collection is never active
  • Data collection is always active
ChromeOS 99 and higher
AppCache

Allows websites to use the deprecated application cache (AppCache) technology on Chrome browser. AppCache was designed to permanently store website content on the local system, but was deprecated on all major browsers due to the security vulnerabilities it introduced.

Values

  • Allow websites to use the deprecated AppCache feature
  • Do not allow websites to use the deprecated AppCache feature
ChromeOS 84 to 95
Web Bluetooth API

Specifies whether websites can request access to Bluetooth devices via the Web Bluetooth API.

Values

  • Allow the user to decide (default)
  • Do not allow sites to request access to Bluetooth devices via the Web Bluetooth API
  • Allow sites to request access to Bluetooth devices via the Web Bluetooth API
ChromeOS 99 and higher
PDF Annotations

Allows annotations on the PDF viewer.

Values

  • Allow the PDF viewer to annotate PDFs (default)
  • Do not allow the PDF viewer to annotate PDFs
ChromeOS 99 and higher

Printing

Policy Description Supported system
Printing

Toggles printing.

Values

  • Enable printing (default) — The device user can print.
  • Disable printing — The device user can't print from the Chrome browser, including with extensions and JavaScript apps. Android apps are unaffected.
ChromeOS 99 and higher
Deprecated privet printing

Toggles whether available Privet cloud printers appear in the print preview dialog.

Values

  • Enable deprecated privet printing (default)
  • Disable deprecated privet printing
ChromeOS 89 to 93
Print preview default

Specifies the default printer. This policy has no effect on Android apps. This policy and its sub-policies also apply to managed guest session devices.

Values

  • Define the default printer — When the device user prints, the system looks for a printer that matches the printer type and ID or name you specify. It then selects it as the default printer.
  • Use default printer behavior (default) — When the device user prints, the system selects the most recently used printer.
ChromeOS 99 and higher
> Printer types

Specifies the type of printer to search for and use as the default printer. Only available if Print preview default is set to Define the default printer.

Values

  • Cloud and local — Search for both types of printers.
  • Cloud only — Search for cloud printers.
  • Local only — Search for local printers.
ChromeOS 99 and higher
> Printer matching

Specifies how to search for a printer to use as the default printer. Only available if Print preview default is set to Define the default printer.

Values

  • Match by name — Search for the printer's name.
  • Match by ID — Search for the printer's ID.
ChromeOS 99 and higher
> Default printer

Specifies the name or ID of the printer to match as the default printer. The print preview dialog defaults to the first printer that matches. This policy has no effect on Android apps. Only available if Print preview default is set to Define the default printer.

Values

Enter a pattern that matches a printer name or ID.

The pattern is case-sensitive. Wildcards (.*) and number substitution (.$) are supported.

Examples:

  • office-north would match a printer named office-north.
  • office-.* would match printers named office-north or office-south.
  • office-floor.$-north would match printers named office-floor1-north or office-floor2-north.
ChromeOS 99 and higher
Printer management

Allows the device user to add local printers. For more details about printing on Chromebooks, see Manage local and network printers.

Values

  • Allow users to add new printers (default)
  • Do not allow users to add new printers
ChromeOS 99 and higher
Default color printing mode

Specifies whether to print in color or black and white by default. On individual print jobs, the device user can choose the color mode.

Values

  • Color (default)
  • Black and white
ChromeOS 99 and higher
Restrict color printing mode

Forces printing in color or black and white and prevents the device user from choosing the mode.

Values

  • Do not restrict color printing mode (default)
  • Color only
  • Black and white only
ChromeOS 99 and higher
Default page sides

Specifies how many paper sides to print on by default. Two-sided printing is only available on duplex and multi-function printers. On individual print jobs, the device user can choose whether to print on one or two sides.

Values

  • One-sided (default)
  • Short-edge two-sided printing
  • Long-edge two-sided printing
ChromeOS 99 and higher
Restrict page sides

Forces printing in one-sided (simplex) or two-sided (duplex) mode and prevents the device user from choosing the mode. Duplex mode only applies to duplex printers.

Values

  • Do not restrict duplex printing mode (default)
  • One-sided only
  • Two-sided only
ChromeOS 99 and higher
Background graphics printing default

Specifies whether to print background graphics by default. On individual print jobs, the device user can choose whether to print background graphics.

Values

  • Disable background graphics printing mode by default
  • Enable background graphics printing mode by default
ChromeOS 99 and higher
Background graphics printing restriction

Forces whether to print background graphics and prevents the device user from choosing.

Values

  • Allow the user to decide (default)
  • Always require printing of background graphics
  • Do not allow printing of background graphics
ChromeOS 99 and higher
CUPS Print job information

Toggles tracking the user account and file name in print jobs that are sent using IPP over HTTPS (IPPS).

Values

  • Include user account and filename in job — The user account and file name are included in the IPPS print job header. If set, third-party printing features, such as secure printing and print-usage tracking, can also be used.

    Important

    This setting prevents printing on printers that do not support IPPS.

  • Do not include user account and filename in print job (default) — The user account and file name are not included in the IPPS print job header.

ChromeOS 72 and higher

IPPS printers only

Print job history retention period

Specifies how long the metadata for completed print jobs is stored on the Chromebook.

Values

Enter a period, in days.

To store indefinitely, enter -1. To disable storage, enter 0.

If this value is unset, the period is 90 days.

ChromeOS 99 and higher
Print job history deletion

Allows the device user to delete their print job history using the print management app or by deleting their browser history.

Values

  • Allow print job history to be deleted (default)
  • Do not allow print job history to be deleted
ChromeOS 99 and higher
Restrict PIN printing mode

Forces whether print jobs on PIN-compatible printers always require PIN authentication.

Values

  • Do not restrict PIN printing mode (default)
  • Always require PIN printing
  • Do not allow PIN printing

ChromeOS 75 and higher

Printers with PIN capability only

Default PIN printing mode

Toggles whether print jobs on PIN-compatible printers require PIN authentication by default.

Values

  • With PIN
  • Without PIN

ChromeOS 75 and higher

Printers with PIN capability only

Maximum sheets

Specifies the maximum number of sheets of paper a single print job can use.

Values

Enter a maximum number of sheets.

If this value is unset, no limit is applied.

ChromeOS 99 and higher
Default printing page size

Specifies the default page size. If the device user chooses a printer that doesn't support the page size defined by this policy, the policy is ignored.

Values

  • Letter
  • Legal
  • A4
  • Tabloid
  • A3
  • Custom — Enter the height and width, in millimeters. If you enter values not supported by the printer chosen by the device user, this policy is ignored.
ChromeOS 99 and higher
> Page width (in millimeters)

Specifies the custom page width. Only available if the Default printing page size policy is set to Custom.

Values

Enter the page width, in millimeters.

ChromeOS 99 and higher
> Page height (in millimeters)

Specifies the custom page height. Only available if the Default printing page size policy is set to Custom.

Values

Enter the page height, in millimeters.

ChromeOS 99 and higher
Print headers and footers

Forces printing headers and footers.

Values

  • Allow the user to decide (default)
  • Never print headers and footers
  • Always print headers and footers
ChromeOS 99 and higher
Blocked printer types

Disables printer types or destinations from being available for printing. Selecting all printer types effectively disables printing.

Values

Select the printer types to disable:

  • Zeroconf-based (mDNS + DNS-SD) protocol
  • Local printer — Also known as native printing destinations, and include destinations available to the local machine and shared network printers.
  • Extension-based — Also known as print provider destinations, and include any destination that belongs to a Chrome browser extension.
  • Google Cloud Print and 'Save to Google Drive'
  • Save as PDF
ChromeOS 99 and higher
Print PDF as image

Allows the device user to print PDFs as images. For better resolution, some PDFs need to be rasterized to images before printing. If enabled, you can specify how you want this setting to be available. This policy and its sub-policies also apply to managed guest session devices.

Values

  • Do not allow users to print PDF documents as images
  • Allow users to print PDF documents as images
    • Default to printing PDFs without being rasterized
    • Default to printing PDFs as images when available
ChromeOS 99 and higher
> DPI used to rasterize PDFs when printed as an image

Specifies the DPI used to rasterize PDFs when they are printed as images.

Values

Enter a number in the DPI field. Enter 0 to use the system default resolution.

ChromeOS 99 and higher

User experience

Policy Description Supported system
Managed bookmarks

Defines a collection of bookmarks to push to Chrome browser. The bookmarks appear in a folder on the bookmarks bar in Chrome browser. The device user can hide the folder, but they can't modify its contents. The default folder name for managed bookmarks is "Managed bookmarks", but it can be changed.

Manage bookmarks

Begin managing the bookmarks by clicking Add. The Manage Folders & Bookmarks dialog opens.

To add a folder:

  1. Click Add Folder.
  2. Choose a Parent folder for the new folder.
  3. Enter a new Folder Name.
  4. Click OK.

To add a bookmark:

  1. Click Add Bookmark.
  2. Choose a Parent Folder for the new bookmark.
  3. Enter a name for the bookmark in the Bookmark field.
  4. Enter the URL of the bookmark.
  5. Click OK.

To change a folder or bookmark:

  1. Select it.
  2. Click Modify.
  3. If you selected a folder, you can rename it and change its parent folder. If you selected a bookmark, you can rename it, change its parent folder, and edit its URL.
  4. Click Save.

To reorder a folder or bookmark:

  1. Select it.
  2. Click or .

To delete a folder or bookmark:

  1. Select it.
  2. Click Delete.

Once you finish making changes, Save the bookmarks.

ChromeOS 99 and higher
Bookmark bar

Toggles the bookmarks bar on Chrome browser.

Values

  • Allow the user to decide (default)
  • Disable bookmark bar
  • Enable bookmark bar
ChromeOS 99 and higher
Shelf position

Specifies the position of the shelf.

Values

  • Allow the user to decide (default)
  • Bottom
  • Left
  • Right
ChromeOS 99 and higher
Shelf auto-hiding

Toggles the shelf automatic hiding behavior.

Values

  • Allow the user to decide (default)
  • Always auto-hide the shelf
  • Never auto-hide the shelf
ChromeOS 99 and higher
Bookmark editing

Allows the device user to add, edit, or remove items from the bookmarks bar on Chrome browser.

Values

  • Enable bookmark editing (default)
  • Disable bookmark editing
ChromeOS 99 and higher
Download location

Specifies the default download location on Chrome browser. This policy applies to downloaded files only; if the user saves a page or file, the save file dialog is used. This policy has no effect on Android apps, which always download files to the default Downloads folder.

Values

  • Set local Downloads folder as default, but allow user to change — Downloads save to the Downloads folder unless the device user chooses a different default location.
  • Set Google Drive as default, but allow user to change — Downloads save to Google Drive unless the device user chooses a different default location.
  • Force Google Drive — Downloads save to Google Drive, and the device user can't select a different location. For Chrome version 90 and later, this setting has no effect on screenshots taken on ChromeOS. Screenshots save to the default ChromeOS downloads folder.
ChromeOS 99 and higher
Download location prompt

Specifies whether to ask the device user where to save each download on Chrome browser.

Values

  • Allow the user to decide (default) — The device user chooses whether they want to be asked where to save each download.
  • Do not ask the user (downloads start immediately) — The device user is never asked where they want to save each download.
  • Ask the user where to save the file before downloading — The device user is always asked where they want to save each download.
ChromeOS 99 and higher
Spell check

Toggles spell check on Chrome browser.

Values

  • Allow the user to decide (default) — The device user can enable spell check.
  • Disable spell check — Turn off spell check from all sources, and prevent the device user from enabling it. Selecting this setting makes the Spell check service policy have no effect.
  • Enable spell check — Turn on spell check and prevent the device user from disabling it. The device user can still disable spell check for individual languages, and if they disable it for all languages, then they effectively disable spell check.
ChromeOS 99 and higher
Spell check service

Toggles Google's online spell checking service, also known as Enhanced spell check in the Chrome browser settings. If the Spell check policy is set to Disable spell check, this policy has no effect.

Values

  • Allow the user to decide (default) — The device user can toggle Enhanced spell check in the Chrome browser settings.
  • Disable the spell checking web service — Chrome browser never uses Google's online service to check for spelling errors.
  • Enable the spell checking web service — Chrome browser always uses Google's online service to check for spelling errors.
ChromeOS 99 and higher
Google Translate

Toggles Google Translate on Chrome browser. When the browser detects that page content is in a different language than the one configured for the user account, it offers to translate it.

Values

  • Allow the user to decide (default)
  • Never offer translation
  • Always offer translation
ChromeOS 99 and higher
Alternate error pages

Toggles navigation suggestions when Chrome browser is unable to connect to an address. The browser suggests opening another page on the website or searching for the page.

Values

  • Allow the user to decide (default)
  • Never use alternate error pages
  • Always use alternate error pages
ChromeOS 99 and higher
Developer tools

Allows the device user to access the developer tools on Chrome browser.

Note

If the device user has access to the Android Developer Options, they can enable them by opening the Settings app > About phone or Software information > tapping Build number seven times.

Values

  • Always allow use of built-in developer tools (default for unmanaged user accounts) — The device user can access the developer tools by all methods, including in extensions that are installed by policy. They can also access the Android Developer Options.
  • Allow use of built-in developer tools except for force-installed extensions (default for managed user accounts) — The device user can access the developer tools by all methods (keyboard shortcuts, menu entries, and context menu entries) in general, but not in extensions that are installed by policy. They can also access the Android Developer Options.
  • Never allow use of built-in developer tools — The device user can't access the developer tools by any method or context, and can't access the Android Developer Options. If this value is unset, the device user can access the Android Developer Options.
ChromeOS 99 and higher
Payment methods

Allows websites to check whether the device user has stored payment methods on Chrome browser.

Values

  • Allow websites to check if the user has payment methods saved
  • Always tell websites that no payment methods are saved
ChromeOS 99 and higher
Emoji suggestions

Toggles emoji suggestions as the device user types.

Values

  • Enable emoji suggestions when users type (default) — Emoji suggestions appear as the device user types, and they can toggle the feature.
  • Disable emoji suggestions when users type — Emoji suggestions are disabled, and the device user can't enable the feature.
ChromeOS 99 and higher
Multiple sign-in access

Allows multiple user accounts to sign in at the same time. This setting allows device users to switch between multiple accounts on the Chromebook without having to sign out. To ensure that ChromeOS policies always apply to your users, use the Block multiple sign-in access for users in this organization setting. When any other setting is used, there is no guarantee that all policies apply to every user account.

Important

To use Android apps, a user account must be both managed and primary (the first to sign in).

Values

  • Managed user must be the primary user (secondary users are allowed)
  • Unrestricted user access (allow any user to be added to any other user's session)
  • Block multiple sign-in access for users in this organization
ChromeOS 99 and higher
Sign-in to secondary accounts

Allows device users to switch between accounts in Chrome browser and Google Play, or to sign in to specific Google Workspace domains. If you allow device users to sign in only to specific Google Workspace domains, or block them from signing in or out in the browser, you should also disable Incognito mode with the Incognito mode policy.

Values

  • Allow users to sign in to any secondary Google Accounts — Device users can sign in to other Google accounts in Chrome browser.
  • Block users from signing in or out of secondary Google Accounts — Device users can't sign in or out of Google accounts in Chrome browser.
  • Allow users to sign in to the Google Workspace domains set below — Device users can only access Google services from accounts belonging to Google Workspace domains specified by the Allowed domains policy.
ChromeOS 99 and higher
> Allowed domains

Specifies an allowlist of Google Workspace domains for user accounts. Make sure you list all of your organization's domains. Otherwise, device users might not have access to Google services. To see a list of your domains, click organization's domains under the domain list on the Google Admin console.

Values

To add a domain, enter it and click add. To remove a domain, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

To include consumer Google accounts, such as @gmail.com and @googlemail.com, add consumer_accounts to the list. You can also allow access to certain accounts and block access to others. For details, see Blocking access to consumer accounts.

ChromeOS 99 and higher
Unified Desktop (BETA)

Allows the device user to span an app across multiple displays.

Values

  • Make Unified Desktop mode available to use
  • Do not make Unified Desktop mode available to use (default)
ChromeOS 99 and higher
WebRTC event log collection

Allows Google services to call the Chrome API to collect WebRTC events for device users who have opted in. The initial value is inherited from Google Meet log upload settings. These logs help Google identify and resolve issues with audio and video meetings, and have no video or audio content from the meetings.

Values

  • Allow WebRTC event log collection — Allow Google to collect WebRTC event logs. To fully enable these event logs, you must also enable the Client logs upload policy on the Google Admin console.
  • Do not allow WebRTC event log collection — Block Google from collecting WebRTC event logs.
ChromeOS 99 and higher
Quick answers

Enables the device user to use Quick Answers. Quick Answers sends content chosen by the device user to the Google server to get definition, translation, or unit conversion information. This policy and its sub-policies also apply to managed guest session devices.

Values

  • Disable Quick Answers
  • Enable Quick Answers
    • Enable Quick Answers definition
    • Disable Quick Answers definition
    • Enable Quick Answers translation
    • Disable Quick Answers translation
    • Enable Quick Answers unit conversion
    • Disable Quick Answers unit conversion

If this value is unset, the device user can choose to enable or disable Quick Answers.

ChromeOS 99 and higher
Disabled system features

Specifies which system features to disable on the Chromebook. Use this policy to block the features listed below instead of using the URL blocking policy or blocking apps and extensions by ID. When the device user tries to use a disabled feature, a message tells them that it has been blocked by their administrator.

Values

Choose the features to disable:

  • Camera
  • Scanning (ChromeOS 87 and higher)
  • OS settings
  • Browser settings
ChromeOS 99 and higher
Dinosaur game

Toggles the dinosaur game easter egg.

Values

  • Allow users to play the dinosaur game when the device is offline on Chrome Browser, but not on enrolled ChromeOS devices — When the device is offline, the device user can't play the dinosaur game on enrolled Chrome devices, but they can play it on Chrome Browser.
  • Do not allow users to play the dinosaur game when the device is offline — When the device is offline, the device user can't play the dinosaur game.
  • Allow users to play the dinosaur game when the device is offline — When the device is offline, the device user can play the dinosaur game.
ChromeOS 99 and higher
Previously installed app recommendations

Toggles app recommendations in the launcher for apps that the device user installed on other devices. These results appear when the search box is empty.

Values

  • Show app recommendations in the ChromeOS launcher
  • Do not show app recommendations in the ChromeOS launcher
ChromeOS 99 and higher
Suggested content

Toggles online content recommendations in the launcher.

Values

  • Enable suggested content
  • Disable suggested content

If this value is unset, online content is recommended to unmanaged device users, but not managed device users.

ChromeOS 99 and higher
URLs in the address bar

Toggles the page's full URL in the address bar on Chrome browser. This helps to protect the device user from some common phishing tactics.

Values

  • Display the default URL. Users may switch to the full URL, unless on a managed Chrome device
  • Display the default URL
  • Display the full URL
ChromeOS 99 and higher
Shared clipboard

Allows the device user to copy and paste text between different devices when Chrome sync is enabled and each device is signed in to the same Google account.

Values

  • Enable the shared clipboard feature (default)
  • Disable the shared clipboard feature
ChromeOS 99 and higher
Fullscreen mode

Allows fullscreen mode for user accounts, apps, and extensions with appropriate permissions.

Values

  • Allow fullscreen mode (default)
  • Do not allow fullscreen mode
ChromeOS 99 and higher
Fullscreen alert

Toggles whether a fullscreen alert shows when the device returns from sleep or dark screen in order to remind the device user to exit fullscreen before entering their password.

Values

  • Enable fullscreen alert when waking the device (default)
  • Disable fullscreen alert when waking the device
ChromeOS 99 and higher
Show cards on the New Tab Page

Toggles the content cards on the New Tab Page. These cards remind the device user about recent searches and are based on their browsing behavior.

Values

  • Allow the user to decide (default)
  • Do not show cards on the New Tab Page
  • Show cards on the New Tab Page if content is available
ChromeOS 99 and higher
Maximize window on first run

Toggles whether Chrome browser maximizes its first window on launch.

Values

  • Maximize the first browser window on first run
  • Default system behavior (based on screen size)
ChromeOS 99 and higher
Allow user feedback

Allows the device user to send feedback to Google on Chrome browser.

Values

  • Allow user feedback (default)
  • Do not allow user feedback
ChromeOS 99 and higher
Media recommendations

Toggles whether Chrome browser shows personalized media recommendations to the device user. These recommendations are based on the device user's browsing and search behavior.

Values

  • Show personalized media recommendations (default)
  • Do not show personalized media recommendations
ChromeOS 99 and higher

Allows the device user to see and use the Google Lens region search menu item in the context menu when Google Lens region search is supported. This policy and its sub-policies also apply to managed guest session devices.

Values

  • Enable Google Lens region search
  • Disable Google Lens region search
ChromeOS 99 and higher

Connected devices

Policy Description Supported system
Smart Lock

Allows the device user to sign in or unlock the Chromebook with the aid of a paired Android device. If the Android device is unlocked and connected to the Chromebook through Bluetooth, the device user can sign in with one click.

Values

  • Allow Smart Lock (default for unmanaged user accounts)
  • Do not allow Smart Lock (default for managed user accounts)
ChromeOS 99 and higher
Instant Tethering

Allows the device user to use Instant Tethering, which automatically connects the Chromebook to a paired Android device through Wi-Fi in order to use its mobile data connection. The Android device must be in hotspot mode, and there must be no known Wi-Fi access points available nearby. Not all Chromebooks support Instant Tethering. See ChromeOS Devices Which Do Not Support Instant Tethering.

Values

  • Allow users to use Instant Tethering (default for unmanaged user accounts)
  • Do not allow users to use Instant Tethering (default for managed user accounts)
ChromeOS 99 and higher
Messages

Allows the device user to sync their SMS messages between their phone and the Chromebook.

Values

  • Allow users to sync SMS messages between their phone and Chromebook (default for unmanaged users)
  • Do not allow users to sync SMS messages between their phone and Chromebook (default for managed users)
ChromeOS 99 and higher
Click to Call

Allows the device user to share phone numbers from the Chromebook to an Android device.

Values

  • Allow the user to decide (default)
  • Do not allow users to send phone numbers from Chrome to their phone
  • Allow users to send phone numbers from Chrome to their phone
ChromeOS 99 and higher
Nearby Share

Allows the device user to use Nearby Share, which lets them share files, images, web pages, and text, with nearby Chromebooks and Android devices.

Values

  • Allow users to enable Nearby Share
  • Prevent users from enabling Nearby Share
ChromeOS 99 and higher
Phone Hub

Allows the device user to control and receive select features and notifications on their Android phone from the Chromebook.

Values

  • Allow Phone Hub to be enabled (default for unmanaged user accounts)
  • Do not allow Phone Hub to be enabled (default for managed user accounts)
ChromeOS 99 and higher
> Notifications

Toggles pushing notifications from the phone to the Chromebook. Only available if the Phone Hub policy is set to Allow Phone Hub to be enabled.

Values

  • Allow Phone Hub notifications to be enabled (default)
  • Do not allow Phone Hub notifications to be enabled
ChromeOS 99 and higher
> Task continuation

Toggles passing the most recent Chrome browser tabs accessed on the phone to the Chromebook. Only available if the Phone Hub policy is set to Allow Phone Hub to be enabled.

Values

  • Allow Phone Hub task continuation to be enabled (default)
  • Do not allow Phone Hub task continuation to be enabled
ChromeOS 99 and higher

Accessibility

Policy Description Supported system
Spoken feedback

Toggles the screen reader, also known as ChromeVox.

Values

  • Allow the user to decide (default)
  • Disable spoken feedback
  • Enable spoken feedback
ChromeOS 99 and higher
Select to speak

Toggles selective screen reading, including text selections and sections of the screen.

Values

  • Allow the user to decide (default)
  • Disable select to speak
  • Enable select to speak
ChromeOS 99 and higher
High contrast

Toggles high contrast mode, which changes the font and background color scheme to make pages easier to read.

Values

  • Allow the user to decide (default)
  • Disable high contrast
  • Enable high contrast
ChromeOS 99 and higher
Screen magnifier

Toggles the screen magnification feature, which allows the device user to zoom in on their screen by up to 20x.

Values

  • Allow the user to decide (default) — The device user chooses one of the settings below.
  • Disable screen magnifier — Screen magnification is disabled.
  • Enable full-screen magnifier — When magnification is active, the entire screen is zoomed in.
  • Enable docked magnifier — When magnification is active, the top-third of the screen shows a zoomed-in slice of the bottom two-thirds.
ChromeOS 99 and higher
Sticky keys

Toggles inputting key combinations separately and in sequence rather than simultaneously.

Values

  • Allow the user to decide (default)
  • Disable sticky keys
  • Enable sticky keys
ChromeOS 99 and higher
On-screen keyboard

Toggles the on-screen keyboard.

Values

  • Allow the user to decide (default)
  • Disable on-screen keyboard
  • Enable on-screen keyboard
ChromeOS 99 and higher
Dictation

Toggles speech-to-text input.

Values

  • Allow the user to decide (default)
  • Disable dictation
  • Enable dictation
ChromeOS 99 and higher
Keyboard focus highlighting

Toggles enhanced object highlighting during keyboard navigation.

Values

  • Allow the user to decide (default)
  • Disable keyboard focus highlighting
  • Enable keyboard focus highlighting
ChromeOS 99 and higher
Caret highlight

Toggles a ring around the caret (keyboard cursor) during typing.

Values

  • Allow the user to decide (default)
  • Disable caret highlight
  • Enable caret highlight
ChromeOS 99 and higher
Auto-click enabled

Toggles mouse clicking when the cursor stops moving.

Values

  • Allow the user to decide (default)
  • Disable auto-click
  • Enable auto-click
ChromeOS 99 and higher
Large cursor

Toggles a bigger mouse cursor.

Values

  • Allow the user to decide (default)
  • Disable large cursor
  • Enable large cursor
ChromeOS 99 and higher
Cursor highlight

Toggles a ring around the mouse cursor during mouse movement.

Values

  • Allow the user to decide (default)
  • Disable cursor highlight
  • Enable cursor highlight
ChromeOS 99 and higher
Primary mouse button

Specifies which mouse button performs primary interactions.

Values

  • Allow the user to decide (default)
  • Left button is primary
  • Right button is primary

If this value is unset, the left mouse button is primary.

ChromeOS 99 and higher
Mono audio

Toggles single-channel audio.

Values

  • Allow the user to decide (default)
  • Disable mono audio
  • Enable mono audio
ChromeOS 99 and higher
Accessibility shortcuts

Toggles the built-in accessibility shortcuts.

Values

  • Allow the user to decide (default)
  • Disable accessibility shortcuts
  • Enable accessibility shortcuts
ChromeOS 99 and higher
Accessibility options in the system tray menu

Toggles the accessibility options entry in the system tray menu. If accessibility options are enabled by other means, they still appear in the system tray menu.

Values

  • Allow the user to decide (default)
  • Hide accessibility options in the system tray menu
  • Show accessibility options in the system tray menu
ChromeOS 99 and higher
Image descriptions

Toggles automatically generated labels for online images that lack descriptions such as alt text. This feature provides text descriptions for screen readers by sending image data to a Google service. No cookies or other user data are sent, and Google does not save or log any image content. For more details, see Get image descriptions on Chrome.

Values

  • Let users choose to use an anonymous Google service to provide automatic descriptions for unlabeled images (default)
  • Do not use Google services to provide automatic image descriptions
  • Use an anonymous service to provide automatic descriptions for unlabeled images
ChromeOS 99 and higher

Power and shutdown

Policy Description Supported system
Wake locks

Toggles wake locks, a power management feature that keeps the screen on or the CPU running when the Chromebook is in standby mode. This can be helpful if idle power conservation is undesirable, for example if the Chromebook requires a Wi-Fi connection to stay at full performance at all times. Extensions and apps can request wake locks through the power management extension API.

Values

  • Allow wake locks (default)
  • Do not allow wake locks
ChromeOS 99 and higher
> Screen wake locks

Toggles screen wake locks, which are a sub-type of wake lock requests that prevent the screen from dimming or locking when an extension or app is running. Only available if the Wake locks policy is set to Allow wake locks.

Values

  • Allow screen wake locks for power management (default)
  • Demote screen wake lock requests to system wake lock requests — Screen wake lock requests are treated like standard wake lock requests.
ChromeOS 28 and higher

Omnibox search provider

Policy Description Supported system
Search suggest

Toggles predictive search queries and suggestions in the address bar on Chrome browser.

Values

  • Allow the user to decide (default)
  • Never allow users to use search suggest
  • Always allow users to use search suggest
ChromeOS 99 and higher

Hardware

Policy Description Supported system
External storage devices

Allows the device user to connect and mount external storage devices on the Chromebook. These devices include:

  • External drives — USB flash drives, external hard drives, external optical drives
  • Memory cards — SD, MMC, other memory cards
  • MTP devices — Phones, cameras, media players

If the device user attempts to mount an external drive when mounting is blocked, ChromeOS notifies them that the policy is in effect. This policy does not affect Google Drive or internal storage, such as files saved in the Download folder.

Values

  • Allow external storage devices — The Chromebook can read data from and write data to external storage devices.
  • Allow external storage devices (read-only) — The Chromebook can read data from external storage devices, but can't write data to them or format them.
  • Disallow external storage devices — The Chromebook can't mount external storage devices.
ChromeOS 99 and higher
Controls which websites can ask for USB access

Controls whether websites on Chrome browser can access USB devices connected to the Chromebook.

Values

  • Do not allow any site to request access — Websites can't ask for access to connected USB devices.
  • Allow sites to ask the user for access — Websites can ask for access to connected USB devices.
  • Allow the user to decide if sites can ask (default) — Websites can ask for access to connected USB devices. The device user can locally change this setting.
ChromeOS 99 and higher
> Allow these sites to ask for USB access

Specifies an allowlist of websites and domains on Chrome browser that can request access to connected USB devices without consent from the device user.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
> Block these sites from asking for USB access

Specifies a blocklist of websites and domains on Chrome browser that can't request access to connected USB devices. If a website or domain is not blocked, access is determined first by the Controls which websites can ask for USB access policy's setting, then by the device user's Chrome browser settings.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
WebUSB API allowed devices

Specifies an allowlist of websites and domains on Chrome browser that can automatically access connected USB devices with specific product and vendor IDs. This policy and its sub-policies also apply to managed guest session devices.

Values

To add a website or domain, enter it in the URL field. To add a product or vendor ID, add it to the device IDs field. To add an item, click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Audio input (microphone)

Controls whether websites on Chrome browser can request access to the Chromebook's audio input devices.

Values

  • Prompt user to allow each time — Websites can ask for access to audio input devices.
  • Disable audio input — Websites can't access audio input devices. All Android apps are blocked from accessing the built-in microphone.

If this value is unset, websites can ask for access, but the device user can choose to block all requests.

ChromeOS 99 and higher
Audio input allowed URLs

Specifies an allowlist of websites and domains on Chrome browser that can access the Chromebook's audio input devices without consent from the device user. Patterns in this list will be matched against the security origin of the requesting URL.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Audio output

Toggles all audio output devices on the Chromebook. Audio output devices include:

  • Internal speakers
  • Connected audio devices — Headphone jack, Bluetooth, and other connectors

This policy has no effect on the Google Drive Android app.

Values

  • Enable audio output (default) — The Chromebook outputs audio. The device user can adjust audio controls.
  • Disable audio output — The Chromebook shows as muted. The audio controls are still available, but the device user can't adjust them.
ChromeOS 99 and higher
Built-in camera access

Controls whether websites on Chrome browser and apps can access the Chromebook's video input devices. Video input devices include:

  • Internal webcam
  • Connected video devices — USB, HDMI, Ethernet, Wi-Fi

Values

  • Enable camera input for websites and apps (default) — Websites and apps can ask for access to video input devices. The device user can choose to block all requests.
  • Disable camera input for websites and apps — Websites and apps can't access video input devices.
ChromeOS 99 and higher
Video input allowed URLs

Specifies an allowlist of websites, domains, and apps that can access video capture devices without consent from the device user. Patterns in this list will be matched against the security origin of the requesting URL.

Values

To add a website, domain, or app ID, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Keyboard

Specifies the behavior of the top row of keys on the keyboard.

Values

  • Treat top-row keys as media keys, but allow user to change (default)
  • Treat top-row keys as function keys, but allow user to change
ChromeOS 99 and higher
Serial Port API

Controls whether websites on Chrome browser can access serial ports available through the Web Serial API. If a website is not allowed or blocked, access is determined first by this policy, then by the device user's Chrome browser settings.

Values

  • Do not allow any site to request access to serial ports via the Serial Port API — Websites can't access serial ports on the Chromebook.
  • Allow sites to ask the user to grant access to serial ports via the Serial Port API — Websites can ask for access to serial ports.
  • Allow the user to decide (default) — Websites can ask for access to serial ports on the Chromebook. The device user can locally change this setting.
ChromeOS 99 and higher
> Allow the Serial API on these sites

Specifies an allowlist of websites and domains on Chrome browser that can request access to serial ports on the Chromebook.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
> Block the Serial API on these sites

Specifies a blocklist of websites and domains on Chrome browser that can't ask for access to serial ports on the Chromebook.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Privacy screen

Toggles the integrated hardware privacy screen on supported Chromebooks.

Values

  • Allow the user to decide (default) — The privacy screen is disabled. The device user can locally change this setting.
  • Always disable the privacy screen
  • Always enable the privacy screen
ChromeOS 99 and higher
File system read access

Controls whether websites on Chrome browser can request read access to the file system on the Chromebook. If a website is not allowed or blocked, access is determined first by this policy, then by the device user's settings on Chrome browser.

Values

  • Allow the user to decide (default) — Websites can ask for read access to the file system. The device user can locally change this setting.
  • Allow sites to ask the user to grant read access to files and directories — Websites can ask for read access to the file system.
  • Do not allow sites to request read access to files and directories — Websites don't have read access to the file system.
ChromeOS 99 and higher
> Allow file system read access on these sites

Specifies an allowlist of websites and domains on Chrome browser that have read access to the file system without consent from the device user.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
> Block read access on these sites

Specifies a blocklist of websites and domains on Chrome browser that don't have read access to the file system on the Chromebook.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
File system write access

Controls whether websites on Chrome browser can request write access to the file system on the Chromebook. If a website isn't allowed or blocked, access is determined first by this policy, then by the device user's Chrome browser settings.

Values

  • Allow the user to decide (default) — Websites can ask for write access to the file system. The device user can locally change this setting.
  • Allow sites to ask the user to grant write access to files and directories — Websites can ask for write access to the file system.
  • Do not allow sites to request write access to files and directories — Websites don't have write access to the file system.
ChromeOS 99 and higher
> Allow write access to files and directories on these sites

Specifies an allowlist of websites and domains on Chrome browser that have write access to the file system without consent from the device user.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
> Block write access to files and directories on these sites

Specifies a blocklist of websites and domains on Chrome browser that don't have write access to the file system.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Sensors

Controls whether websites on Chrome browser can access built-in motion and light sensors on the Chromebook. If a website is not allowed or blocked, access is determined first by this policy, then by the device user's Chrome browser settings.

Values

  • Allow sites to access sensors — Websites can access built-in sensors.
  • Do not allow any site to access sensors — Websites can't access built-in sensors.
  • Allow the user to decide if a site may access sensors (default) — Websites can ask for access to built-in sensors. The device user can locally change this setting.
ChromeOS 99 and higher
> Allow access to sensors on these sites

Specifies an allowlist of websites and domains on Chrome browser that can access built-in sensors without consent from the device user.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
> Block access to sensors on these sites

Specifies a blocklist of websites and domains on Chrome browser that can't access built-in sensors.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Enterprise Hardware Platform API

Allows extensions added by a managed profile to use the Enterprise Hardware Platform API. This API handles requests from extensions for information about the Chromebook's manufacturer and model. This policy also affects Chrome browser component extensions.

Values

  • Allow managed extensions to use the Enterprise Hardware Platform API
  • Do not allow managed extensions to use the Enterprise Hardware Platform API
ChromeOS 99 and higher

User verification

Policy Description Supported system
Verified Mode

Controls whether Verified Access can attest the Chromebook if it boots in developer mode.

Values

  • Require verified mode boot for Verified Access — If the Chromebook boots into developer mode, it won't pass Verified Access.
  • Skip boot mode check for Verified Access — If the Chromebook boots into developer mode, it can pass Verified Access.
ChromeOS 99 and higher
> Service accounts which are allowed to receive user data

Specifies an allowlist of email addresses of service accounts that have full access to the Google Verified Access API. These are the service accounts created on the Google API Console.

Values

To add an account, enter it and click add. To remove one, click delete.

ChromeOS 99 and higher
> Service accounts which can verify users but do not receive user data

Specifies an allowlist of email addresses of service accounts that have limited access to the Google Verified Access API. These are the service accounts created on the Google API Console.

Values

To add an account, enter it and click add. To remove one, click delete.

ChromeOS 99 and higher

Chrome Safe Browsing

Policy Description Supported system
Safe Browsing Protection Level

Toggles Chrome Browser's Safe Browsing feature, which helps to protect the device user from potentially unsafe websites. This policy and its sub-policies also apply to managed guest session devices.

Values

  • Allow the user to decide (default) — The device user can enable or disable Safe Browsing and choose the protection mode that they'd like.
  • Safe Browsing is never active — Disables Safe Browsing.
  • Safe Browsing is active in the standard mode — Standard mode helps provide a standard level of protection against malware and phishing.
  • Safe Browsing is active in the enhanced mode. This mode provides better security, but requires sharing more browsing information with Google — Enhanced mode helps provide an enhanced level of protection against malware and phishing in Chrome and Gmail.
  • If this value is unset, Safe Browsing will use the Standard protection mode.

ChromeOS 99 and higher
Help improve Safe Browsing

Toggles Extended Reporting for Safe Browsing on Chrome browser, which automatically sends some system information and page content to Google to help detect dangerous apps and websites.

Values

  • Allow the user to decide (default)
  • Disable sending extra information to help improve Safe Browsing
  • Enable sending extra information to help improve Safe Browsing
ChromeOS 99 and higher
Safe Browsing allowed domains

Specifies an allowlist of trusted websites and domains on Chrome browser. Safe Browsing will not check for phishing, malware, unwanted software, or password reuse for listed URLs, and its download protection service will not check downloads hosted on listed domains.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Download restrictions

Prevents the device user from downloading dangerous files on Chrome browser, such as malware, infected files, or dangerous file types like SWF and EXE. For more information about Chrome's flags for potentially harmful files, see Google Chrome blocks downloads.

Values

  • No special restrictions (default) — Downloads are allowed. The browser warns the device user about websites identified as dangerous, but they can bypass the warning.
  • Block all malicious downloads — Downloads are allowed, except for those flagged as malware. Dangerous files are allowed. Recommended by Google.
  • Block dangerous downloads — Most downloads are allowed, except those flagged as dangerous.
  • Block potentially dangerous downloads — Downloads are allowed, except those flagged as potentially dangerous. The device user cannot bypass the warning.
  • Block all downloads — Downloads are blocked.
ChromeOS 99 and higher
Disable bypassing Safe Browsing warnings

Allows the device user to bypass Safe Browsing warnings and access deceptive or dangerous websites or download potentially harmful files on Chrome browser.

Values

  • Do not allow users to bypass Safe Browsing warnings — The device user can't bypass this setting.
  • Allow user to bypass Safe Browsing warnings (default) — Safe Browsing warnings can be bypassed. The device user can locally change this setting.
ChromeOS 99 and higher
Password alert

Toggles the password protection warning, which alerts the device user when they try to save their protected password on a dangerous website on Chrome browser.

Values

  • No password protection warning
  • Trigger on password reuse
  • Trigger on password reuse on phishing page (default)
ChromeOS 99 and higher
> URL for password change

Specifies the web address to show to the device user when they receive a warning to change their password on Chrome browser. This address should be a secure page that provides a salted and hashed password generation form. To help ChromeOS correctly capture the new password on this page, the page should follow the guidelines at Create amazing password forms.

Values

Enter a URL.

ChromeOS 99 and higher
> Login URLs

Specifies an allowlist of web pages where the device user will enter their enterprise password to sign in to their Google account. If a sign-in process is split across 2 pages, add the page that contains the password field. When the device user enters their password, a non-reversible hash is stored locally on the Chromebook and later used to detect password reuse. Make sure that the password change page that you specify follows these guidelines.

Values

To add a web page, enter it and click add. To remove one, click delete.

If this value is unset, the password protection service only captures the password hashes on https://accounts.google.com.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
SafeSites URL filter

Toggles the SafeSites URL filter on Chrome browser. This filter uses the Google Safe Search API to classify whether websites contain pornography.

Values

  • Do not filter sites for adult content (default for non-K-12 EDU domains)
  • Filter top level sites (but not embedded iframes) for adult content (default for K-12 EDU domains)
ChromeOS 99 and higher
Suppress lookalike domain warnings on domains

Specifies an allowlist of websites and domains that bypass Chrome browser's lookalike URL warnings. Lookalike websites are spoof and phishing websites with URLs that are made to look identical to those of familiar or popular safe websites. When one is detected, the browser warns the device user that the address might be a spoof.

Values

To add a website or domain, enter it and click add. To remove one, click delete.

For detailed information on valid URL patterns, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
Sites with intrusive ads

Allows ads on websites that are known to have intrusive ads on Chrome browser.

Values

  • Allow ads on all sites (default)
  • Block ads on sites with intrusive ads
ChromeOS 99 and higher
Abusive Experience intervention

Controls whether websites that are flagged as containing abusive experiences can open new windows or tabs.

Values

  • Prevent sites with abusive experiences from opening new windows or tabs (default)
  • Allow sites with abusive experiences to open new windows or tabs
ChromeOS 99 and higher

Chrome updates

Policy Description Supported system
Component updates

Toggles automatic updates for Chrome browser components. Some components can't have automatic updates disabled, such as:

  • Components that don't contain executable code
  • Components that don't significantly alter the behavior of the browser
  • Components that are critical for the browser's security

Caution

Disabling this policy may prevent the Chromebook from obtaining critical security fixes in a timely manner, and is therefore not recommended.

Values

  • Enable updates for all components (default)
  • Disable updates for components
ChromeOS 99 and higher
Relaunch notification

Controls how the device user is notified that Chrome Browser must be relaunched to apply an update.

Values

  • No relaunch notification — The device user receives no warning notification to relaunch Chrome Browser.
  • Show notification recommending relaunch — The device user receives a recurring warning notification to relaunch Chrome Browser, which they can close.

    • Time period (hours) — Enter the time period during which the device user is repeatedly notified to relaunch Chrome browser or restart their Chromebook. If this value is unset, the system default is 168 hours (7 days).
    • Initial quiet period (hours) — Enter the initial quiet period during which the device user won't be asked to relaunch Chrome browser or restart their Chromebook.
  • Force relaunch after a period — The device user receives a recurring warning notification to relaunch Chrome Browser. They can close this message, but will see a recurring warning message to relaunch Chrome Browser within a set amount of time.

    • Time period (hours) — Enter the time period during which the device user is repeatedly notified to relaunch Chrome browser or restart their Chromebook. If this value is unset, the system default is 168 hours (7 days).
    • Initial quiet period (hours) — Enter the initial quiet period during which the device user won't be asked to relaunch Chrome browser or restart their Chromebook.
ChromeOS 99 and higher

Virtual machines (VMs) and developers

Policy Description Supported system
Command line access

Toggles command line (CLI) tools on the virtual machine (VM) management console.

Values

  • Disable VM command line access
  • Enable VM command line access (default)
ChromeOS 99 and higher
Linux virtual machines (BETA)

Toggles the Crostini container technology, which provides support for running Linux containers on the Chromebook in order to run Linux apps. Once this policy is modified, it applies to new Linux containers, not to those already running.

Note

This feature is no longer in Beta for consumer ChromeOS devices. It remains in Beta for managed devices and users.

Values

  • Allow usage for virtual machines needed to support Linux apps for users — The device user can run Linux VMs as long as these additional policies are also set:

    • Virtual machines: Always enable virtual machines
    • Linux virtual machines for unaffiliated users (BETA): Allow usage for virtual machines needed to support Linux apps for unaffiliated users
  • Block usage for virtual machines needed to support Linux apps for users (default) — The device user can't run Linux VMs.
ChromeOS 99 and higher
Port forwarding

Allows the device user to configure port forwarding into Linux containers.

Values

  • Allow users to enable and configure port forwarding into the VM container (default)
  • Do not allow users to enable and configure port forwarding into the VM container
ChromeOS 99 and higher
Android apps from untrusted sources

Toggles installation of Android apps from untrusted sources. This policy does not apply to apps on the Google Play store.

Values

  • Prevent the user from using Android apps from untrusted sources (default)
  • Allow the user to use Android apps from untrusted sources — The device user can install Android apps from untrusted sources, provided they also locally allow this setting.
ChromeOS 99 and higher

Parallels© Desktop

Policy Description Supported system
Parallels Desktop

Toggles Parallels© Desktop for Chromebook to access Microsoft Windows apps and files on the Chromebook.

Values

  • Allow users to use Parallels desktop — Enables Parallels Desktop. When set, you must accept the end-user license agreement.
  • Do not allow users to use Parallels desktop — Disables Parallels Desktop.
ChromeOS 99 and higher
Parallels Desktop Windows image

The policy set for configuring the Windows OS image that the device user downloads on their Chromebooks in order to use Parallels Desktop.

ChromeOS 99 and higher
> URL

Specifies the address for the Windows image.

Values

Enter the URL.

ChromeOS 99 and higher
> SHA-256 hash

Specifies the SHA-256 hash of the Windows image.

Values

Enter the hash.

ChromeOS 99 and higher
Required disk space

Specifies the free disk space required for Parallels Desktop. When deciding on a value, you should take the size of your uncompressed Windows image and add how much space is needed for the additional data or apps you expect to install. If you set a required free disk space value and the Chromebook detects that the remaining space is smaller than that value, it cannot run Parallels Desktop.

Values

Enter the disk space, in gigabytes (GB).

If this value is unset, the default disk space is 20 GB.

ChromeOS 99 and higher
Diagnostic information

Toggles the generation and collection of event logs pertaining to Parallels Desktop usage. For details on the information collected in the logs, see Parallels Customer Experience Program.

Values

  • Enable sharing diagnostics data to Parallels
  • Disable sharing diagnostics data to Parallels
ChromeOS 99 and higher

Setting sources

Policy Description Supported system
Policy mergelist

Specifies an allowlist of list and dictionary device policies that can merge even if they are from different sources. If policies from different sources conflict, but they have the same scopes and levels, their settings merge to create a new policy. If policies from different sources conflict, but they have different scopes and levels, the policy with the highest priority takes precedence.

For more information, see Understand Chrome policy management.

Values

Enter one policy per line in the field or enter the wildcard character (*) to allow all supported policies to merge.

ChromeOS 99 and higher

Other Settings

Policy Description Supported system
Policy fetch delay

Specifies the maximum delay between when a policy invalidation signal is received and the new policy is fetched from the device management service.

Values

Enter a delay, in milliseconds.

Valid values range from 1,000 (1 second) to 300,000 (5 minutes). Values above or below the range are clamped.

If this value is unset, the default delay is 10 seconds.

ChromeOS 99 and higher
Wi-Fi network configurations sync

Allows the device user to sync Wi-Fi network configurations between the Chromebook and a connected Android phone.

Values

  • Allow Wi-Fi network configurations to be synced across Google ChromeOS devices and a connected Android phone — Wi-Fi network configurations can be synced. The device user must first explicitly opt in to this feature by completing a setup flow.
  • Do not allow Wi-Fi network configurations to be synced across Google ChromeOS devices and a connected Android phone — Wi-Fi network configurations can't be synced.
ChromeOS 99 and higher
Persistent quota for webkitRequestFileSystem

Enables persistent quota functionality for the webkitRequestFileSystem until ChromeOS 107.

This policy has been deprecated.

Values

  • Disable persistent quota — The persistent type webkitRequestFileSystem uses temporary quota.
  • Enable persistent quota — The persistent type webkitRequestFileSystem uses persistent quota.
ChromeOS 106 to 107

Device

To access the following policies, go to Profile details > Modify Policy.

Enrollment and access

Policy Description Supported system
Forced re-enrollment

Controls if a device is forced to re-enroll in your account after it's wiped. Re-enrolling a wiped device to your account ensures that the policies you set are still enforced.

Values

  • Force device to automatically re-enroll after wiping — A wiped device re-enrolls automatically without the device user's credentials.
  • Force device to re-enroll with user credentials after wiping — The device user needs to enter their credentials to re-enroll a wiped device.
  • Device is not forced to re-enroll after wiping — A wiped device isn't forced to re-enroll.
ChromeOS 99 and higher
Powerwash

Allows the device user to factory reset the Chromebook.

Values

  • Allow users to trigger powerwash (default)
  • Do not allow users to trigger powerwash
ChromeOS 99 and higher
Verified access

Enables a web service that requests proof that the Chromebook is unmodified and policy-compliant. For more details on this topic, see Enable Verified Access with ChromeOS devices.

Values

  • Ensure devices in your organization will verify their identity to content providers using a unique key — Enables Verified Access on the Chromebook.
  • Do not require devices to verify their identity to content providers — Disables Verified Access on the Chromebook. If set, some premium web content might be unavailable to the device user.
ChromeOS 99 and higher
Verified mode

Controls whether Verified Access can attest the Chromebook if it boots into developer mode. For more details, see Enable Verified Access with ChromeOS devices.

Values

  • Require verified mode boot for verified access — If the Chromebook boots into developer mode, it fails verification by Verified Access.
  • Skip boot mode for verified access — If the Chromebook boots into developer mode, it can be verified by Verified Access.
ChromeOS 99 and higher
> Services with full access

Specifies an allowlist of email addresses of Google service accounts with full access to the Google Verified Access API. These are the service accounts created on the Google Cloud Platform Console.

Values

To add an account, enter it and click add. To remove one, click delete.

ChromeOS 99 and higher
> Services with limited access

Specifies an allowlist of email addresses of Google service accounts with limited access to the Google Verified Access API. These are the service accounts created on the Google Cloud Platform Console.

Values

To add an account, enter it and click add. To remove one, click delete.

ChromeOS 99 and higher
Disabled device return instructions

Specifies a custom message to display on lost or stolen devices that have been disabled by an administrator. By default, a disabled device states that it's locked by an administrator, and this custom message displays below that statement.

Values

Enter the message text.

When unset, no custom message displays.

ChromeOS 99 and higher
Integrated FIDO second factor

Allows 2-factor authentication (2FA) on devices with a Titan M security chip.

Values

  • Allow the user to decide (default)
  • Disable integrated second factor
  • Enable integrated second factor
ChromeOS 99 and higher

Sign-in settings

Policy Description Supported system
Guest mode

Enables guest user sessions on the Chromebook.

Values

  • Disable guest mode — A Google Account or Google Workspace account must be used to sign in to the Chromebook. Default for K-12 EDU domains.
  • Allow guest mode — Device users can sign in to the Chromebook as a guest. Default for all other domains.
ChromeOS 99 and higher
Sign in restriction

Controls which device users can sign in to the Chromebook.

Note

If you allow guest sessions or managed guest sessions, users will be able to sign in to the device regardless of the restrictions chosen.

Values

  • Restrict sign-in to a list of users — Only allowed managed users set by the Allowed users policy can sign in to the Chromebook. Managed users not on the allowlist are shown an error message.
  • Allow any user to sign in — Any managed user can sign in to the Chromebook. The Add person button is available on the sign-in screen.
  • Do not allow any user to sign in — Nobody can sign in to the Chromebook. The Add person button is unavailable.
ChromeOS 99 and higher
> Allowed users

Specifies an allowlist of email addresses that can sign in to the Chromebook. Only available if the Sign-in restriction policy is set to Restrict sign-in to a list of users. If the list allows entire domains, the Add person button is always available on the sign-in screen. If the list allows specific user accounts, the Add person button is disabled when all of the accounts are signed in.

Values

To add an account, enter it and click add. To remove one, click delete.

You can allow all email addresses in a domain with the wildcard (*) token. For example, *@corp.example.com.

ChromeOS 99 and higher
Autocomplete domain

Specifies a default account domain name to present to device users on the sign-in page. If this policy is enabled, users don't need to enter the @domain.com part of their account name during sign-in.

Values

  • Use the domain name set in the field below for autocomplete at sign in — Presents the domain name specified by the Autocomplete domain prefix policy to device users on the sign-in page.
  • Do not display an autocomplete domain on the sign-in screen (default)
ChromeOS 99 and higher
> Autocomplete domain prefix

Specifies the default account domain name to present to device users on the sign-in page. Only available if the Autocomplete domain policy is set to Use the domain name set in the field below for autocomplete at sign in.

Values

Enter the domain name.

ChromeOS 99 and higher
Sign-in screen

Toggles cards on the sign-in screen that contain the names and profile pictures of user accounts that have previously signed in to the device. The device user can select the card representing their account to sign in instantly. If 2-Step Verification is enabled, the sign-in flow still requires the device user to provide a second factor.

Values

  • Always show usernames and photos (default) — Account cards are enabled, and the device user can select their account.
  • Never show usernames and photos — Account cards are disabled, and the device user must enter their credentials each time they sign in. If SAML single sign-on (SSO) is enabled and the SAML identity provider page opens, the page redirects to the SSO sign-in page without the device user having to enter their account name.
ChromeOS 99 and higher
Device wallpaper image

Sets the wallpaper on the sign-in screen.

Values

To add an image, click upload. To inspect the current image, click View. To remove the current image, click Delete.

The image file can be JPG or JPEG format and can't exceed 16 MB in size.

ChromeOS 99 and higher

Allows single sign-on (SSO) user accounts to sign in to internal websites and cloud services from your enterprise's identity provider on subsequent sign-ins. The Chromebook must have SAML SSO.

SAML SSO cookies transfer the first time the user account signs in on the Chromebook. If this policy is enabled, the cookies also transfer during subsequent sign-ins.

Cookies will not be transferred to Android apps on supported devices.

Values

  • Enable transfer of SAML SSO Cookies into user session during sign-in
  • Disable transfer of SAML SSO Cookies into user session during sign-in (default)
ChromeOS 99 and higher
Single sign-on camera permissions

Specifies an allowlist of third-party apps or services that can access the Chromebook's internal camera during SAML single sign-on (SSO). The Chromebook must have SAML SSO.

Values

To add an identity provider, enter it and click add. To remove one, click delete.

ChromeOS 99 and higher
Autofill username on SAML IdP login page

Specifies the URL parameter name used to autofill the username field on the SAML IdP sign-in and lock screens so that the device user won't need to manually enter their username twice. If this policy is set, the value for the URL parameter will be the device user's Chrome email.

For more information on URL parameters, see About URL parameters.

Values

Enter the URL parameter name in the entry field.

ChromeOS 99 and higher
Single sign-on client certificates

Specifies an allowlist of single sign-on (SSO) URL patterns for which Chrome browser automatically chooses the client certificate. When the browser connects to a site matching one of these patterns, if a valid client certificate is installed, it uses the certificate and skips the certificate selection prompt.

The ISSUER and CN values specify the common name of the certificate authority that client certificates must report as their issuer in order to be chosen. Devices must have SAML SSO.

Values

To add a URL pattern, enter it and click add. To remove one, click delete.

A URL pattern must be a JSON string with the following format:

{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"certificate issuer name"}}}

The wildcard (*) token is supported, but the pattern can't consist of one wildcard on its own. Prefix a domain with [*.] to include all of its subdomains. Newline characters are not supported, and are stripped out if copy-pasted into the field.

Here are some example URL patterns:

{"pattern": "https://[*.]ext.example.com", "filter":{}}

{"pattern": "https://[*.]corp.example.com", "filter":{}}

{"pattern": "https://[*.]intranet.usercontent.com","filter":{}}

ChromeOS 99 and higher
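The following is an added example, not code from this page or from Chrome: a small linter for entries of the Single sign-on client certificates policy, applying the format rules described above and flagging entries whose empty filter does not pin an issuer CN. The sample entries and CA name are constructed; matching is simplified to scheme and host (no ports or paths), and it assumes that `[*.]` covers the domain itself plus its subdomains and that an empty filter places no restriction on the issuer.

```python
import json
from urllib.parse import urlsplit

# Constructed sample entries, as they might be typed into the policy field.
SAMPLE_ENTRIES = [
    '{"pattern":"https://www.example.com","filter":{"ISSUER":{"CN":"Example Corp Issuing CA"}}}',
    '{"pattern": "https://[*.]corp.example.com", "filter":{}}',
    '{"pattern": "*", "filter":{}}',
    '{"pattern": "https://sso.example.com"}',
    "{'pattern': 'https://sso.example.com', 'filter': {}}",
]


def split_pattern(pattern):
    """Split 'scheme://[*.]host' into (scheme, host, include_subdomains)."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:  # no scheme given
        scheme, rest = "", pattern
    host = rest.split("/", 1)[0].lower()
    subdomains = host.startswith("[*.]")
    if subdomains:
        host = host[len("[*.]"):]
    return scheme.lower(), host, subdomains


def lint_entry(raw):
    """Return a list of 'ERROR: ...' / 'WARN: ...' findings for one entry."""
    findings = []
    if "\n" in raw or "\r" in raw:
        findings.append("WARN: newline characters are stripped by the field")
        raw = raw.replace("\r", "").replace("\n", "")
    try:
        entry = json.loads(raw)
    except json.JSONDecodeError as exc:
        return findings + [f"ERROR: not valid JSON ({exc.msg})"]
    if not isinstance(entry, dict):
        return findings + ["ERROR: entry must be a JSON object"]

    pattern = entry.get("pattern")
    if not isinstance(pattern, str) or not pattern.strip():
        findings.append("ERROR: 'pattern' must be a non-empty string")
    elif pattern.strip() == "*":
        findings.append("ERROR: pattern can't consist of one wildcard on its own")
    elif split_pattern(pattern)[2]:
        findings.append("WARN: [*.] also covers every subdomain of the host")

    cert_filter = entry.get("filter")
    if not isinstance(cert_filter, dict):
        findings.append("ERROR: 'filter' must be a JSON object")
    elif not cert_filter:
        # Assumption: an empty filter lets any valid installed certificate match.
        findings.append("WARN: empty filter does not pin an issuer CN")
    else:
        issuer = cert_filter.get("ISSUER")
        cn = issuer.get("CN") if isinstance(issuer, dict) else None
        if not isinstance(cn, str) or not cn:
            findings.append("WARN: filter has no ISSUER.CN string")
    return findings


def pattern_covers(pattern, url):
    """Simplified scheme + host match; ports and paths are not modelled."""
    scheme, host, subdomains = split_pattern(pattern)
    target = urlsplit(url)
    target_host = (target.hostname or "").lower()
    if scheme not in ("", "*") and scheme != target.scheme.lower():
        return False
    if target_host == host:
        return True
    # Match on a label boundary so 'notcorp.example.com' is not a subdomain.
    return subdomains and target_host.endswith("." + host)


def auto_selects(raw, url, issuer_cn):
    """Would this entry pick a certificate issued by issuer_cn for url?"""
    if any(f.startswith("ERROR") for f in lint_entry(raw)):
        return False
    entry = json.loads(raw)
    if not pattern_covers(entry["pattern"], url):
        return False
    issuer = entry["filter"].get("ISSUER")
    wanted = issuer.get("CN") if isinstance(issuer, dict) else None
    return wanted is None or wanted == issuer_cn


if __name__ == "__main__":
    for raw in SAMPLE_ENTRIES:
        print(raw)
        for finding in lint_entry(raw) or ["ok"]:
            print("   ", finding)
```

Running the linter over an exported list before pasting it into the field surfaces malformed JSON and the broad `[*.]` entries that would skip the certificate prompt for any issuer.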
Sign-in language

Controls the language displayed on the sign-in screen.

Values

  • Use the language of the last user session (default)
  • Choose a language — Select from a list of supported languages. For example, English (United States), Portuguese (Brazil) - Português (Brasil), Chinese (Simplified) - 简体中文 , Korean - 한국어
ChromeOS 99 and higher
Single sign-on verified access

Specifies an allowlist of URL patterns of websites and endpoints that can perform verified access checks during SAML authentication on the sign-in screen. If a website matches an allowlisted pattern, it receives an HTTP header attesting device identity and device state.

If no URLs are added, no websites or endpoints can perform remote attestation on the sign-in screen.

Values

To add a URL pattern, enter it and click add. To remove one, click delete.

URLs must have HTTPS scheme. For example, https://example.com.

For details on the URL format, see Enterprise policy URL pattern format.

ChromeOS 99 and higher
System info on sign-in screen

Allows the device user to toggle device system information on the sign-in screen, or displays it by default.

Values

  • Allow users to display system information on the sign-in screen by pressing Alt + V (default)
  • Do not allow users to display system information on the sign-in screen
  • Always display system information on the sign-in screen
ChromeOS 99 and higher
Privacy screen on sign-in screen

Toggles the privacy screen on the sign-in screen. Only applicable to Chromebooks with an integrated hardware privacy screen.

Values

  • Allow the user to decide (default)
  • Always disable the privacy screen on sign-in screen
  • Always enable the privacy screen on sign-in screen
ChromeOS 99 and higher
Show numeric keyboard for password input

Toggles the numeric keyboard for password input on Chromebooks with a touchscreen.

Values

  • Default to a numeric keyboard for password input — Enables the numeric keyboard by default. The device user can switch to the standard keyboard.
  • Default to a standard keyboard for password input (default)
ChromeOS 99 and higher

Sign-in screen accessibility

Policy Description Supported system
Spoken feedback

Toggles the screen reader, also known as ChromeVox. For more details about this feature, see Use the built-in screen reader and Use a braille device with your Chromebook.

Values

  • Allow the user to decide (default)
  • Disable spoken feedback
  • Enable spoken feedback
ChromeOS 99 and higher
Select to speak

Toggles selective screen reading, where only parts of the screen are read, such as text selections and certain sections. For more details about this feature, see Hear text read aloud.

Values

  • Allow the user to decide (default)
  • Disable select to speak
  • Enable select to speak
ChromeOS 99 and higher
High contrast

Toggles high contrast mode, which changes the font and background color scheme to make pages easier to read.

Values

  • Allow the user to decide (default)
  • Disable high contrast
  • Enable high contrast
ChromeOS 99 and higher
Screen magnifier

Toggles the screen magnification feature. For more details about this feature, see Zoom in or magnify your Chromebook screen.

Values

  • Allow the user to decide (default) — The device user chooses one of the settings below.
  • Disable screen magnifier — Screen magnification is disabled.
  • Enable full-screen magnifier — When magnification is active, the entire screen is zoomed in.
  • Enable docked magnifier — When magnification is active, the top-third of the screen shows a zoomed-in slice of the bottom two-thirds.
ChromeOS 99 and higher
Sticky keys

Toggles inputting key combinations one keypress at a time, without holding any keys down. For more details about this feature, see Use keyboard shortcuts one key at a time.

Values

  • Allow the user to decide (default)
  • Disable sticky keys
  • Enable sticky keys
ChromeOS 99 and higher
On-screen keyboard

Toggles the on-screen keyboard. For more details about this feature, see Use the on-screen keyboard.

Values

  • Allow the user to decide (default)
  • Disable on-screen keyboard
  • Enable on-screen keyboard
ChromeOS 99 and higher
Dictation

Toggles speech-to-text input. For more details about this feature, see Type text with your voice.

Values

  • Allow the user to decide (default)
  • Disable dictation
  • Enable dictation
ChromeOS 99 and higher
Keyboard focus highlighting

Toggles enhanced object highlighting during keyboard navigation of the sign-in screen.

Values

  • Allow the user to decide (default)
  • Disable keyboard focus highlighting
  • Enable keyboard focus highlighting
ChromeOS 99 and higher
Caret highlight

Toggles a ring around the caret (keyboard cursor) during typing.

Values

  • Allow the user to decide (default)
  • Disable caret highlight
  • Enable caret highlight
ChromeOS 99 and higher
Auto-click enabled

Toggles mouse clicking when the cursor stops moving. For more details about this feature, see Automatically click objects on your Chromebook.

Values

  • Allow the user to decide (default)
  • Disable auto-click
  • Enable auto-click
ChromeOS 99 and higher
Large cursor

Toggles a bigger mouse cursor.

Values

  • Allow the user to decide (default)
  • Disable large cursor
  • Enable large cursor
ChromeOS 99 and higher
Cursor highlight

Toggles a ring around the mouse cursor during mouse movement.

Values

  • Allow the user to decide (default)
  • Disable cursor highlight
  • Enable cursor highlight
ChromeOS 99 and higher
Primary mouse button

Specifies which mouse button performs primary interactions.

Values

  • Allow the user to decide (default)
  • Left button is primary
  • Right button is primary

If this value is unset, the left mouse button is primary.

ChromeOS 99 and higher
Mono audio

Toggles single-channel audio.

Values

  • Allow the user to decide (default)
  • Disable mono audio
  • Enable mono audio
ChromeOS 99 and higher
Accessibility shortcuts

Toggles the built-in accessibility shortcuts.

Values

  • Allow the user to decide (default)
  • Disable accessibility shortcuts
  • Enable accessibility shortcuts
ChromeOS 99 and higher

Device update settings

Policy Description Supported system
Auto-update settings

Controls if your devices will automatically update to new ChromeOS versions.

Values

  • Allow updates
  • Block updates
ChromeOS 99 and higher
> Target version

Controls if your devices use an earlier ChromeOS version. If newer versions may create compatibility issues across your organization's devices, consider using the long-term support candidate or long-term support channels to maintain device stability. These channels release security fixes every 2 weeks and feature updates every 6 months.

Values

  • No restriction
  • 107.*
  • 108.*
  • 109.*
  • 110.*
  • 108.* (long-term support candidate)
  • 102.* (long-term support)
> Roll back to target version

Controls if devices roll back to the target version.

Values

  • Do not roll back OS
  • Roll back OS
> Release channel

Controls which of the five ChromeOS channels your devices are on. The Stable channel is the default.

For details on these channels, see ChromeOS release best practices.

Values

  • Allow user to configure
  • Stable channel
  • Beta channel
  • Long-term support channel
  • Long-term support candidate channel
  • Dev channel (may be unstable)
> Rollout plan

Specifies the rollout schedule for your devices.

Values

  • Default (devices should update as soon as a new version is available)
  • Roll out updates over a specific schedule — Configure the roll out stages, including the update period (in days) and the percentage of devices initially updated.
  • Scatter updates — Downloads occur at random intervals to avoid causing network issues. Select how many days you want to scatter updates over.
> Additional blackout windows

Specifies the blackout periods when Chrome stops automatically checking for device updates. Blackout periods temporarily pause updates for devices currently updating.

Values

To add a blackout window, configure it and click add. To remove one, click delete.

> Auto reboot after updates

Specifies if a device automatically restarts after updating.

Values

  • Disallow auto-reboots — Auto-reboots are disabled.
  • Allow auto-reboots — Auto-reboots are enabled. After updating, a kiosk configured device will restart automatically. Devices configured as user or managed guest sessions restart after the device user signs out.
> Updates over cellular

Specifies which connection types devices can use to automatically update to new ChromeOS versions. By default, devices only update automatically when connected to Wi-Fi or Ethernet.

Values

  • Allow automatic updates over Wi-Fi and Ethernet only
  • Allow automatic updates on all connections, including cellular
> Peer to peer

Controls if devices can use peer-to-peer networking to automatically update Chrome through nearby devices of the same model. This policy requires that your organization allows peer-to-peer network connectivity and that your local area network doesn't block multicast DNS.

Values

  • Allow peer to peer update downloads
  • Do not allow peer to peer update downloads
> Enforce updates

Specifies when to sign the device user out of their device if they haven't updated to a ChromeOS version that you allow.

Values

  • Block devices & user sessions after — Select a time from the list after which the device user is signed out of their device.
  • if they are not running at least version — Select the ChromeOS version from the drop down list that is the oldest version allowed on devices.
  • Extend this period for Auto Update Expiration devices to — Select a value from the list to set when the device user is signed out of their device after the Auto Update Expiration (AUE) passes and the device no longer receives automatic updates from Google. For more information on AUE, see Auto Update policy.
> Enforce updates Auto Update Expiration (AUE) message

Specifies a message shown to the device user if they have not updated to a ChromeOS version that you allow and their device reached its AUE date. For more information on AUE, see Auto Update policy.

Values

  • Enter an Auto Update Expiration (AUE) message in plain text with no formatting in the field. The device user will see the default message if this field is blank.
> Update downloads

Specifies whether ChromeOS devices download ChromeOS updates over HTTP or HTTPS.

Values

  • Use HTTP for update downloads
  • Use HTTPS for update downloads
Variations

Enables the Chrome variations framework. If this policy is enabled, Google can selectively deliver security fixes and experimental features to ChromeOS.

Caution

Disabling variations significantly increases the risk of future security and compatibility issues and isn't recommended.

Values

  • Enable Chrome variations (default)
  • Enable variations for critical fixes only
  • Disable variations
ChromeOS 99 and higher

Display settings

Policy Description Supported system
Screen settings

Allows the device user to set the display resolution and scale factor.

Values

  • Allow users to overwrite predefined display settings (default)
  • Do not allow user changes for predefined display settings
ChromeOS 99 and higher
> External resolution

Sets the display resolution and scale factor for external displays.

Values

ChromeOS 99 and higher
> External display width (in pixels)

Specifies the width of the external display. This policy only applies if the External resolution policy is set to Use custom resolution.

Values

Enter the display width, in pixels.

If this value is unset or not supported, the display reverts to its native resolution.

ChromeOS 99 and higher
> External display height (in pixels)

Specifies the height of the external display. This policy only applies if the External resolution policy is set to Use custom resolution.

Values

Enter the display height, in pixels.

If this value is unset or not supported, the display reverts to its native resolution.

ChromeOS 99 and higher
> External display scale (percentage)

Specifies the scale of the external display. This policy only applies if the External resolution policy is set to Use custom resolution.

Values

Choose a display scale:

  • Not set
  • 50%
  • 55%
  • 60%
  • 65%
  • 70%
  • 75%
  • 80%
  • 85%
  • 90%
  • 95%
  • 100%
  • 105%
  • 110%
  • 115%
  • 120%
  • 125%
  • 130%
  • 135%
  • 140%
  • 145%
  • 150%
ChromeOS 99 and higher
> Internal display scale (percentage)

Specifies the scale of the internal display. This policy only applies if the External resolution policy is set to Use custom resolution.

Values

Choose a display scale:

  • Not set
  • 50%
  • 55%
  • 60%
  • 65%
  • 70%
  • 75%
  • 80%
  • 85%
  • 90%
  • 95%
  • 100%
  • 105%
  • 110%
  • 115%
  • 120%
  • 125%
  • 130%
  • 135%
  • 140%
  • 145%
  • 150%
ChromeOS 99 and higher

Power and shutdown

Policy Description Supported system
Power management

Controls whether the Chromebook should stay awake or go to sleep or shut down after no device user has signed in for some time.

Values

  • Allow device to sleep/shut down when idle on the sign-in screen (default)
  • Do not allow device to sleep/shut down when idle on the sign-in screen
ChromeOS 99 and higher
Reboot after uptime limit

Specifies the number of days the Chromebook remains powered on before it automatically restarts. If a user session is running when the time elapses, there is a grace period of 24 hours before restart. Only applicable to Chromebooks in kiosk mode and with a sign-in screen.

Values

    Enter the uptime duration, in days.

    If this value is unset, the Chromebook doesn't restart automatically.

ChromeOS 99 and higher
Allow shutdown

Controls whether users can use the keyboard, mouse, or screen to power off the Chromebook.

Values

  • Only allow users to turn off the device using the physical power button
  • Allow users to turn off the device using either the shut down button or the physical power button (default)
ChromeOS 99 and higher
Reboot on sign-out

Controls whether devices are forced to reboot when the device user signs out, either always or only if an ARC (Android runtime on ChromeOS) or VM session has started.

Values

  • Do not reboot on user sign-out
  • Reboot on user sign-out if Android has started
  • Always reboot on user sign-out
  • Reboot on user sign-out if Android or a VM has started
ChromeOS 99 and higher

Virtual machines

Policy Description Supported system
Linux virtual machines for unaffiliated users (BETA)

Controls whether unaffiliated device users can run Linux virtual machines on the Chromebook. Once this policy is modified, it applies to new Linux containers, not to those already running. For more details, see Linux virtual machines (BETA).

Values

  • Allow device to sleep/shut down when idle on the sign-in screen
  • Block usage for virtual machines needed to support Linux apps for unaffiliated (default)
ChromeOS 99 and higher
Android apps from untrusted sources

Allows the device user to install Android apps from untrusted sources. This policy does not apply to apps from Google Play.

Values

  • Prevent users of this device from using ADB sideloading (default) — Prevents the installation of Android apps from untrusted sources.
  • Block usage for virtual machines needed to support Linux apps for unaffiliated — Prevents the installation of Android apps from untrusted sources, and factory resets the Chromebook if ADB sideloading was previously allowed.
  • Allow affiliated users of this device to use ADB sideloading — The device user can install Android apps from untrusted sources, provided they also locally enable this setting.
ChromeOS 99 and higher

Other settings

Policy Description Supported system
Device network hostname template

Specifies the hostname passed to the DHCP server in DHCP requests.

Values

Enter a hostname. If this value is set to a non-empty string, the string is used as the device's hostname during the DHCP request. The following string substitution tokens are supported:

  • ${ASSET_ID}
  • ${SERIAL_NUM}
  • ${MAC_ADDR}
  • ${MACHINE_NAME}
  • ${LOCATION}

The substitution should be a valid hostname per RFC 1035, section 3.1.

If this value isn't set or isn't valid, no hostname will be used in the DHCP request.

ChromeOS 99 and higher
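The token substitution and validity rule described for the Device network hostname template can be checked against an inventory before the template is deployed. The following is an added example, not code from ChromeOS or from this product; the character rule (letters, digits and inner hyphens), the function names and the sample inventory are assumptions.

```python
import re

# Tokens listed in the policy description above.
SUPPORTED_TOKENS = ("ASSET_ID", "SERIAL_NUM", "MAC_ADDR", "MACHINE_NAME", "LOCATION")

_TOKEN_RE = re.compile(r"\$\{([A-Za-z0-9_]+)\}")
# Assumed character rule: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
MAX_LABEL = 63    # RFC 1035 section 3.1: a label is 63 octets or less
MAX_NAME = 253    # the 255-octet wire-format limit expressed as dotted text


def expand_template(template, attrs):
    """Substitute supported ${TOKEN}s; leave unknown or empty ones in place
    so that validation rejects the result instead of shipping a partial name."""
    def substitute(match):
        token = match.group(1)
        value = attrs.get(token) if token in SUPPORTED_TOKENS else None
        return value if value else match.group(0)
    return _TOKEN_RE.sub(substitute, template)


def hostname_problems(name):
    """Return the reasons `name` is not usable as a hostname (empty list = valid)."""
    problems = []
    if _TOKEN_RE.search(name):
        problems.append("unresolved token")
    if len(name) > MAX_NAME:
        problems.append("name longer than 253 characters")
    for label in name.split("."):
        if not label:
            problems.append("empty label")
        elif len(label) > MAX_LABEL:
            problems.append("label longer than 63 characters")
        elif not _LABEL_RE.fullmatch(label):
            problems.append("label %r is not letters, digits and inner hyphens" % label)
    return problems


def dhcp_hostname(template, attrs):
    """Hostname to send in the DHCP request, or None when none would be used."""
    if not template:
        return None
    candidate = expand_template(template, attrs)
    return None if hostname_problems(candidate) else candidate


def audit(template, inventory):
    """Map device id -> problems, for devices that would send no hostname."""
    findings = {}
    for device_id, attrs in inventory.items():
        problems = hostname_problems(expand_template(template, attrs))
        if problems:
            findings[device_id] = problems
    return findings


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = {
    "dev-1": {"ASSET_ID": "A1042", "LOCATION": "HQ"},
    "dev-2": {"ASSET_ID": "A1043", "LOCATION": "Floor 2"},  # space in a free-text field
    "dev-3": {"ASSET_ID": "", "LOCATION": "HQ"},            # asset ID never filled in
}

if __name__ == "__main__":
    template = "cb-${ASSET_ID}-${LOCATION}"
    for device_id, attrs in SAMPLE_INVENTORY.items():
        print(device_id, dhcp_hostname(template, attrs))
    print(audit(template, SAMPLE_INVENTORY))
```

Free-text fields such as the asset ID and location are the usual reason a device ends up sending no hostname, so the audit is worth running whenever those fields are edited in bulk.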
Timezone

Configures the time zone settings on the device.

You can set up to two timezone policies:

ChromeOS 99 and higher
> System timezone

Sets the time zone on the Chromebook. Only available if the Timezone policy is locally applied.

Values

  • Keep as it is on device currently (default)
  • Select which timezone to set — Determines the time zone.
ChromeOS 99 and higher
> System timezone automatic detection

Controls how the Chromebook detects and sets the current time zone. Only available if the Timezone policy is locally applied.

Values

  • Let users decide (default) — The device user chooses how the time zone is set.
  • Always use coarse timezone detection — The Chromebook determines the time zone based on the geolocation of its public IP address.
  • Always send WiFi access-points to server while resolving — The Chromebook determines the time zone based on the geolocation of the Wi-Fi access point that it's connected to.
  • Send all location information — The Chromebook uses a combination of all of the information from the preceding values to determine the time zone.
ChromeOS 99 and higher
Mobile data roaming

Allows connecting to a mobile network maintained by a different carrier to access the Internet. Mobile data roaming must be allowed on the Chromebook, and roaming charges may apply.

Values

  • Allow mobile data roaming (default)
  • Do not allow mobile data roaming
ChromeOS 99 and higher
USB access

Specifies an allowlist of USB devices that ChromeOS apps can access through the chrome.usb API.

Values

To add a USB device, enter the USB vendor identifier (VID) and product identifier (PID) as a colon-separated hexadecimal pair (VID:PID), and then click add. To remove one, click delete.

For example, to add a mouse with a VID of 046E and a PID of D626, enter 046E:D626.

ChromeOS 99 and higher
Bluetooth

Enables Bluetooth.

Values

  • Do not disable Bluetooth (default)
  • Disable Bluetooth

If the value is changed from Disable Bluetooth to Do not disable Bluetooth, the device must be restarted for the change to take effect.

If the value is changed from Do not disable Bluetooth to Disable Bluetooth, the change is immediate and no action is required.

ChromeOS 99 and higher
Bluetooth services allowed

Specifies an allowlist of Bluetooth services the Chromebook can connect to. This policy only applies if Bluetooth is enabled.

Values

Enter the UUID of the service, and click add. To remove one, click delete.

UUIDs can be in short form (abcd or 0xabcd) or long form (aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee).

If no values are specified, all services are allowed.

ChromeOS 99 and higher
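Because an empty Bluetooth services allowlist permits every service, it helps to lint the list before entering it. The following is an added example, not part of the product; it expands the short form with the Bluetooth Base UUID, and the function names, report keys and sample entries are assumptions.

```python
import re

# Bluetooth Base UUID tail: short form abcd expands to
# 0000abcd-0000-1000-8000-00805f9b34fb.
BASE_UUID_TAIL = "-0000-1000-8000-00805f9b34fb"

# The two forms the policy description accepts.
_SHORT_RE = re.compile(r"(?:0x)?([0-9A-Fa-f]{4})")
_LONG_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")


def normalize_service_uuid(entry):
    """Return the lowercase long form of an entry, or None if it is malformed."""
    text = entry.strip()
    short = _SHORT_RE.fullmatch(text)
    if short:
        return "0000" + short.group(1).lower() + BASE_UUID_TAIL
    if _LONG_RE.fullmatch(text):
        return text.lower()
    return None


def lint_allowlist(entries):
    """Classify allowlist entries and flag the cases that need a second look."""
    report = {
        "canonical": [],    # unique services, long form, in input order
        "invalid": [],      # entries in neither accepted form
        "duplicates": [],   # (entry, earlier entry naming the same service)
        "allows_all_services": False,
        "no_valid_entries": False,
    }
    first_seen = {}
    for entry in entries:
        canonical = normalize_service_uuid(entry)
        if canonical is None:
            report["invalid"].append(entry)
        elif canonical in first_seen:
            report["duplicates"].append((entry, first_seen[canonical]))
        else:
            first_seen[canonical] = entry
            report["canonical"].append(canonical)
    # Per the policy description: no values specified means all services allowed.
    report["allows_all_services"] = len(entries) == 0
    # The page does not say how a list of only malformed entries is treated,
    # so that case is flagged for review rather than interpreted.
    report["no_valid_entries"] = bool(entries) and not report["canonical"]
    return report


# Constructed sample entries.
SAMPLE_ENTRIES = [
    "180f",
    "0x180F",
    "0000180F-0000-1000-8000-00805F9B34FB",
    "1812",
    "180g",
    "0x12345",
]

if __name__ == "__main__":
    for key, value in lint_allowlist(SAMPLE_ENTRIES).items():
        print(key, value)
```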
Throttle device bandwidth

Controls device-level bandwidth consumption. If enabled, throttles all network interfaces on a device, including Wi-Fi, Ethernet, USB Ethernet adapters, USB cellular dongles, and USB wireless cards. All network traffic is also throttled, including OS updates.

This policy is only applicable to devices in managed guest session, kiosk, or user & browser mode running ChromeOS 56 or higher.

Values

  • Disable network throttling (default)
  • Enable network throttling
ChromeOS 99 and higher
> Download rate (kbits)

Specifies the maximum allowed download rate. This policy only applies if the Throttle device bandwidth policy is set to Enable network throttling.

Values

Enter a download rate, in kbps. The minimum speed allowed is 513 kbps.

ChromeOS 99 and higher
> Upload rate (kbits)

Specifies the maximum allowed upload rate. This policy only applies if the Throttle device bandwidth policy is set to Enable network throttling.

Values

Enter an upload rate, in kbps. The minimum speed allowed is 513 kbps.

ChromeOS 99 and higher
TPM firmware update

Allows the device user to update the Trusted Platform Module (TPM) firmware on the Chromebook.

Note

Updating the TPM firmware may factory reset the Chromebook. Repeated update failures may render it unusable.

For more details about how to install firmware updates, see Update your Chromebook's security.

Values

  • Allow users to perform TPM firmware update
  • Block users from performing TPM firmware update (default)
ChromeOS 99 and higher
Authenticated Proxy Traffic

Sends system traffic through an Internet proxy server with authentication.

Values

  • Block system traffic from going through a proxy with authentication (default)
  • Allow system traffic to go through a proxy with authentication — All system traffic is sent through a proxy server and authenticated with the credentials of a service account. You can specify the credentials with the Username and Password sub-policies.

Note

  • Only HTTPS system traffic can be sent through the authenticated proxy.
  • If your network can't support ChromeOS updates over HTTPS, see Authenticated Proxy Traffic and Update downloads.
  • The service account credentials specified by the Username and Password sub-policies only apply to system traffic. For browser traffic, the device user account credentials authenticate to the proxy.
ChromeOS 99 and higher
> Username

Specifies the service account username used to authenticate system traffic. Only available if the Authenticated Proxy Traffic policy is set to Allow system traffic to go through a proxy with authentication.

Values

Enter the username.

> Password

Specifies the service account password used to authenticate system traffic. Only available if the Authenticated Proxy Traffic policy is set to Allow system traffic to go through a proxy with authentication.

Values

Enter the password.

System clock format

Specifies the clock format displayed on the sign-in screen and for managed guest sessions.

Values

  • Automatic, based on current language (default)
  • 12 hour clock format
  • 24 hour clock format
ChromeOS 99 and higher
Apps and extensions cache size

Specifies the amount of storage space used for caching installation of apps and extensions by multiple users of a single Chromebook.

Values

Enter the cache size, in bytes. Must be at least 1 MB (1048576 bytes). Leave empty for a default of 256 MB.

ChromeOS 99 and higher
Hardware profiles

Allows hardware profiles to be downloaded from Google servers.

Values

  • Allow hardware profiles to be downloaded from Google servers (default)
  • Disable hardware profile downloads from Google servers
ChromeOS 99 and higher
Low disk space notification

Enables notifications for low disk space. Applies to all users on the device. If the Chromebook is unmanaged or only has one user, the policy is ignored and low disk space notifications are always displayed.

Values

  • Show notification when disk space is low — Displays low disk space notifications for managed devices with multiple user accounts.
  • Do not show notification when disk space is low (default)
ChromeOS 99 and higher
Redeem offers through ChromeOS registration

Allows device users to redeem offers through ChromeOS registration.

Values

  • Allow users to redeem offers through ChromeOS registration (default)
  • Prevent users from redeeming offers through ChromeOS registration
ChromeOS 99 and higher
Debug network packet captures

Allows the device user to enable network packet captures on the Chromebook for debugging.

Values

  • Allow user to perform network packet captures (default)
  • Do not allow user to perform network packet captures
ChromeOS 99 and higher
Prompt when multiple certificates match on the sign-in screen

Specifies whether the device user is prompted to select a client certificate on the sign-in screen when the Single sign-on certificates policy matches multiple certificates from the certificate allowlist. For more details about certificates on ChromeOS, see Single sign-on client certificates.

If your enterprise uses Personal Identity Verification (PIV) cards for sign-in, the DriveLock Smart Card Middleware (CSSI) app parameter filter_auth_cert can be set to automatically filter authentication certificates. For details, see Auto-select certificates during sign-in.

This policy only applies if an allowlist has been specified in the Single sign-on certificates policy.

Values

  • Prompt the user to select the client certificate whenever the auto-selection policy matches multiple certificates on the sign-in screen
  • Do not prompt the user to select a client certificate on the sign-in screen (default)
ChromeOS 99 and higher

Kiosks

To access the following policies, go to Profile details > Modify Policy.

Kiosk settings

Policy Description Supported system
Managed guest session

Allows you to set a Chromebook as a managed guest session, allowing multiple users to use the same device without signing in to their Google Accounts. This policy is only available for devices with the Chrome Education or Chrome Enterprise upgrades. This policy and its sub-policies also apply to managed guest session devices.

Values

  • Allow managed guest sessions
  • Do not allow managed guest sessions
  • Auto-launch managed guest session
ChromeOS 99 and higher
> Auto-launch delay

Specifies the auto-launch delay if you want to auto-launch a managed guest session.

Values

Enter an auto-launch delay value in seconds in the field.

>> Device health monitoring

Enables you to monitor kiosk health.

Values

  • Disable device health monitoring
  • Enable device health monitoring
>> Device system log upload

Enables kiosk devices to automatically capture system logs and upload them to your Google Admin console. For more information, see Monitor kiosk health.

Values

  • Disable device system log upload
  • Enable device system log upload
> Screen Rotation (clockwise)

Specifies the screen orientation for kiosk devices.

Values

  • No policy set (allow the device to keep its current display rotation)
  • 0 degrees
  • 90 degrees
  • 180 degrees
  • 270 degrees

    Apps & extensions

    To access the following policies, go to Profile details > Modify Policy.

    Additional settings

    Policy Description Supported system
    Android applications on Chrome devices

    Allows Android apps to be installed on the Chromebook by the device user or a managed profile. For more details on how to deploy Android apps, see Deploy Android apps to managed users on ChromeOS devices.

    Values

    • Do not allow (default)
    • Allow

    See ChromeOS Systems Supporting Android Apps.

    Allowed types of apps and extensions

    Specifies the app types to block the device user from installing.

    Values

    Choose which app types to block:

    ChromeOS 99 and higher
    App and extension install sources

    Specifies an allowlist of sources from which the device user can directly install extensions, apps, and themes on Chrome browser. If a URL linking to a CRX file (Chrome extension) matches an allowlisted pattern, the browser will prompt the user to immediately install it.

    Note

    This policy has no effect on Android apps. To set policies for Android apps, see Deploy Android apps to managed users on ChromeOS devices.

    Values

    To add a website or domain, enter it and click add. To remove one, click delete.

    For detailed information on valid URL patterns, see Match patterns.

    ChromeOS 99 and higher
    Allow insecure extension packaging

    Allows insecure extension packaging.

    Values

    • Allow insecurely packaged extensions
    • Do not allow insecurely packaged extensions
    ChromeOS 99 and lower
    External extensions

    Allows the installation of external extensions, which are extensions from outside the Chrome Web Store. For more information about deploying external extensions, see Alternative extension distribution options.

    Values

    • Block external extensions from being installed
    • Allow external extensions to be installed
    ChromeOS 99 and higher
    Permissions and URLs

    Specifies extensions to block based on the permissions they require. For details, see Block apps and extensions based on permissions.

    Values

    Choose which required permissions to use as a basis to block extensions. If an extension requires a chosen permission, it is blocked:

    • Alarms
    • Audio capture
    • Certificate provide
    • Clipboard read
    • Clipboard write
    • Context menus
    • Desktop capture
    • Document scan
    • Enterprise device attributes
    • Experimental APIs
    • Fullscreen apps
    • File browser handle
    • File system
    • File system provide
    • HID
    • Override fullscreen escape
    • Detect idle
    • Identity
    • Google cloud messaging
    • Geo location
    • Media galleries
    • Native messaging
    • Captive portal authenticator
    • Power
    • Notifications
    • Printers
    • Serial
    • Set proxy
    • Platform keys
    • Storage
    • Sync file system
    • CPU metadata
    • Memory metadata
    • Network metadata
    • Display metadata
    • Storage metadata
    • Text to speech
    • Unlimited storage
    • USB
    • Video capture
    • VPN provide
    • Web requests
    • Block web requests
    ChromeOS 99 and higher
    > Runtime blocked hosts

    Specifies a blocklist of websites that apps and extensions can't modify. Modifications can include injecting JavaScript, viewing and altering web requests, viewing and altering cookies, and making exceptions to the same-origin policy. Maximum of 100 URLs.

    Values

    To add a website, enter it and click add. To remove one, click delete.

    The format of the pattern is a full URL up to but not including the resource path. For example, *://*.example.com.

    ChromeOS 99 and higher
    > Runtime allowed hosts

    Specifies an allowlist of websites that apps and extensions can modify. Modifications can include injecting JavaScript, viewing and altering web requests, viewing and altering cookies, and making exceptions to the same-origin policy. Maximum of 100 URLs.

    Values

    To add a website, enter it and click add. To remove one, click delete.

    The format of the pattern is a full URL up to but not including the resource path. For example, *://*.example.com.

    ChromeOS 99 and higher
    Chrome Web Store app icon

    Toggles the Chrome Web Store app link in the footer of the new tab page on Chrome Browser and in its app launcher.

    Values

    • Do not show the Chrome Web Store icon in the ChromeOS launcher or on the new tab page
    • Show the Chrome Web Store icon in the ChromeOS launcher or on the new tab page
    ChromeOS 99 and higher
    Chrome Web Store homepage

    Configure the home page of the Chrome Web Store for the device user.

    Values

    • Use the default homepage (default) — The front page of the Chrome Web Store.
    • Use the Chrome Web Store collection — A custom collection of apps and extensions hosted on the Chrome Web Store that is tailored to your device users. For more details on custom collections, see Create a Chrome app collection.
    • Use a custom page — A custom page not hosted on the Chrome Web Store.
    ChromeOS 99 and higher
    > Collection include private apps

    Toggles whether all or only some private apps are available in your enterprise's collection. Private apps appear alongside public apps in the Chrome Web Store. Only available if the Chrome Web Store homepage policy is set to Use the Chrome Web Store collection.

    Values

    • Include all private apps from this domain
    • Choose which apps are included in this collection
    > Collection name

    Specifies the name of your enterprise's custom collection as displayed on the page. Only available if the Chrome Web Store homepage policy is set to Use the Chrome Web Store collection.

    Values

    Enter a name.

    > Collection URL

    Specifies the path to your enterprise's custom collection page on the Chrome Web Store. The full URL would be https://chrome.google.com/webstore/path. Only available if the Chrome Web Store homepage policy is set to Use a custom page.

    Values

    Enter a path to the page.

    Chrome Web Store permissions

    Allows the device user to publish private apps that are restricted to your domain on the public Chrome Web Store. For more details, see Create a Chrome app collection and Create and publish custom Chrome apps & extensions.

    Values

    • Allow users to publish private apps that are restricted to your domain on Chrome Web Store
    • Do not allow users to publish private apps that are restricted to your domain on Chrome Web Store
    ChromeOS 99 and higher
    > Allow Web Store Publish Unverified

    Allows the device user to publish private apps that are restricted to your domain but whose packaged URLs don't actually match the domain on the Chrome Web Store. Only available if the Chrome Web Store permissions policy is set to Allow users to publish private apps that are restricted to your domain on Chrome Web Store.

    Values

    • Allow users to publish private hosted apps even if the domain name of the app's web_launch_url or app_url is not owned by the organization
    • Do not allow users to publish private hosted apps if the domain name of the app's web_launch_url or app_url is not owned by the organization
    Android reporting for users and devices

    Toggles the monitoring and reporting of Android app installations forced by policy. For more details on this reporting tool, see Monitor forced Android app installs.

    Values

    • Enable Android reporting
    • Disable Android reporting
    ChromeOS 99 and higher
