The Chrome Enterprise policy list is moving! Please update your bookmarks to https://cloud.google.com/docs/chrome-enterprise/policies/.
Both Chromium and Google Chrome support the same set of policies. Please note that this document may include unreleased policies (i.e. their 'Supported on' entry refers to a not-yet released version of Google Chrome) which are subject to change or removal without notice and for which no guarantees of any kind are provided, including no guarantees with respect to their security and privacy properties.
These policies are strictly intended to be used to configure instances of Google Chrome internal to your organization. Use of these policies outside of your organization (for example, in a publicly distributed program) is considered malware and will likely be labeled as malware by Google and anti-virus vendors.
These settings don't need to be configured manually! Easy-to-use templates for Windows, Mac and Linux are available for download from https://www.chromium.org/administrators/policy-templates.
The recommended way to configure policy on Windows is via GPO, although provisioning policy via registry is still supported for Windows instances that are joined to a Microsoft® Active Directory® domain.
Policy Name | Description |
Accessibility settings | |
ShowAccessibilityOptionsInSystemTrayMenu | Show accessibility options in system tray menu |
LargeCursorEnabled | Enable large cursor |
SpokenFeedbackEnabled | Enable spoken feedback |
HighContrastEnabled | Enable high contrast mode |
VirtualKeyboardEnabled | Enable on-screen keyboard |
VirtualKeyboardFeatures | Enable or disable various features on the on-screen keyboard |
StickyKeysEnabled | Enable sticky keys |
KeyboardDefaultToFunctionKeys | Media keys default to function keys |
ScreenMagnifierType | Set screen magnifier type |
DictationEnabled | Enable the dictation accessibility feature |
SelectToSpeakEnabled | Enable select to speak |
KeyboardFocusHighlightEnabled | Enable the keyboard focus highlighting accessibility feature |
CursorHighlightEnabled | Enable the cursor highlight accessibility feature |
CaretHighlightEnabled | Enable the caret highlight accessibility feature |
MonoAudioEnabled | Enable the mono audio accessibility feature |
AccessibilityShortcutsEnabled | Enable accessibility features shortcuts |
AutoclickEnabled | Enable the autoclick accessibility feature |
DeviceLoginScreenDefaultLargeCursorEnabled | Set default state of the large cursor on the login screen |
DeviceLoginScreenDefaultSpokenFeedbackEnabled | Set the default state of spoken feedback on the login screen |
DeviceLoginScreenDefaultHighContrastEnabled | Set the default state of high contrast mode on the login screen |
DeviceLoginScreenDefaultVirtualKeyboardEnabled | Set default state of the on-screen keyboard on the login screen |
DeviceLoginScreenDefaultScreenMagnifierType | Set the default screen magnifier type enabled on the login screen |
DeviceLoginScreenLargeCursorEnabled | Enable the large cursor on the login screen |
DeviceLoginScreenSpokenFeedbackEnabled | Enable the spoken feedback on the login screen |
DeviceLoginScreenHighContrastEnabled | Enable the high contrast on the login screen |
DeviceLoginScreenVirtualKeyboardEnabled | Enable the virtual keyboard on the login screen |
DeviceLoginScreenDictationEnabled | Enable the dictation on the login screen |
DeviceLoginScreenSelectToSpeakEnabled | Enable the select to speak on the login screen |
DeviceLoginScreenCursorHighlightEnabled | Enable the cursor highlight on the login screen |
DeviceLoginScreenCaretHighlightEnabled | Enable the caret highlight on the login screen |
DeviceLoginScreenMonoAudioEnabled | Enable the mono audio on the login screen |
DeviceLoginScreenAutoclickEnabled | Enable the autoclick on the login screen |
DeviceLoginScreenStickyKeysEnabled | Enable the sticky keys on the login screen |
DeviceLoginScreenKeyboardFocusHighlightEnabled | Enable the keyboard focus highlighting accessibility feature |
DeviceLoginScreenScreenMagnifierType | Set the screen magnifier type on the login screen |
DeviceLoginScreenShowOptionsInSystemTrayMenu | Show accessibility options in system tray menu in the login screen |
DeviceLoginScreenAccessibilityShortcutsEnabled | Enable accessibility features shortcuts on the login screen |
FloatingAccessibilityMenuEnabled | Enables the floating accessibility menu |
EnhancedNetworkVoicesInSelectToSpeakAllowed | Allow the enhanced network text-to-speech voices in Select-to-speak |
Allow or deny screen capture | |
ScreenCaptureAllowed | Allow or deny screen capture |
ScreenCaptureAllowedByOrigins | Allow Desktop, Window, and Tab capture by these origins |
WindowCaptureAllowedByOrigins | Allow Window and Tab capture by these origins |
TabCaptureAllowedByOrigins | Allow Tab capture by these origins |
SameOriginTabCaptureAllowedByOrigins | Allow Same Origin Tab capture by these origins |
Android settings | |
ArcEnabled | Enable ARC |
UnaffiliatedArcAllowed | Allow unaffiliated users to use ARC |
ArcPolicy | Configure ARC |
ArcAppInstallEventLoggingEnabled | Log events for Android app installs |
ArcBackupRestoreServiceEnabled | Control Android backup and restore service |
ArcGoogleLocationServicesEnabled | Control Android Google location services |
ArcCertificatesSyncMode | Set certificate availability for ARC-apps |
AppRecommendationZeroStateEnabled | Enable App Recommendations in Zero State of Search Box |
DeviceArcDataSnapshotHours | Intervals when ARC data snapshot update process can be started for Managed Guest Sessions |
ArcAppToWebAppSharingEnabled | Enable sharing from Android apps to Web apps |
Borealis | |
DeviceBorealisAllowed | Allow devices to use Borealis on Google Chrome OS |
UserBorealisAllowed | Allow users to use Borealis on Google Chrome OS |
Certificate management settings | |
RequiredClientCertificateForDevice | Required device-wide Client Certificates |
RequiredClientCertificateForUser | Required Client Certificates |
Content settings | |
DefaultClipboardSetting | Default clipboard setting |
DefaultCookiesSetting | Default cookies setting |
DefaultFileSystemReadGuardSetting | Control use of the File System API for reading |
DefaultFileSystemWriteGuardSetting | Control use of the File System API for writing |
DefaultImagesSetting | Default images setting |
DefaultInsecureContentSetting | Control use of insecure content exceptions |
DefaultJavaScriptSetting | Default JavaScript setting |
DefaultJavaScriptJitSetting | Control use of JavaScript JIT |
DefaultLocalFontsSetting | Default Local Fonts permission setting |
DefaultPopupsSetting | Default pop-ups setting |
DefaultNotificationsSetting | Default notification setting |
DefaultGeolocationSetting | Default geolocation setting |
DefaultMediaStreamSetting | Default mediastream setting |
DefaultSensorsSetting | Default sensors setting |
DefaultWebBluetoothGuardSetting | Control use of the Web Bluetooth API |
DefaultWebUsbGuardSetting | Control use of the WebUSB API |
DefaultSerialGuardSetting | Control use of the Serial API |
DefaultWebHidGuardSetting | Control use of the WebHID API |
DefaultWindowPlacementSetting | Default Window Placement permission setting |
ClipboardAllowedForUrls | Allow clipboard on these sites |
ClipboardBlockedForUrls | Block clipboard on these sites |
AutoSelectCertificateForUrls | Automatically select client certificates for these sites |
CookiesAllowedForUrls | Allow cookies on these sites |
CookiesBlockedForUrls | Block cookies on these sites |
CookiesSessionOnlyForUrls | Limit cookies from matching URLs to the current session |
FileSystemReadAskForUrls | Allow read access via the File System API on these sites |
FileSystemReadBlockedForUrls | Block read access via the File System API on these sites |
FileSystemWriteAskForUrls | Allow write access to files and directories on these sites |
FileSystemWriteBlockedForUrls | Block write access to files and directories on these sites |
ImagesAllowedForUrls | Allow images on these sites |
ImagesBlockedForUrls | Block images on these sites |
InsecureContentAllowedForUrls | Allow insecure content on these sites |
InsecureContentBlockedForUrls | Block insecure content on these sites |
JavaScriptAllowedForUrls | Allow JavaScript on these sites |
JavaScriptBlockedForUrls | Block JavaScript on these sites |
JavaScriptJitAllowedForSites | Allow JavaScript to use JIT on these sites |
JavaScriptJitBlockedForSites | Block JavaScript from using JIT on these sites |
LegacySameSiteCookieBehaviorEnabledForDomainList | Revert to legacy SameSite behavior for cookies on these sites |
LocalFontsAllowedForUrls | Allow Local Fonts permission on these sites |
LocalFontsBlockedForUrls | Block Local Fonts permission on these sites |
PopupsAllowedForUrls | Allow pop-ups on these sites |
RegisteredProtocolHandlers | Register protocol handlers |
PopupsBlockedForUrls | Block pop-ups on these sites |
NotificationsAllowedForUrls | Allow notifications on these sites |
NotificationsBlockedForUrls | Block notifications on these sites |
SensorsAllowedForUrls | Allow access to sensors on these sites |
SensorsBlockedForUrls | Block access to sensors on these sites |
WebUsbAllowDevicesForUrls | Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs. |
WebUsbAskForUrls | Allow WebUSB on these sites |
WebUsbBlockedForUrls | Block WebUSB on these sites |
SerialAskForUrls | Allow the Serial API on these sites |
SerialBlockedForUrls | Block the Serial API on these sites |
SerialAllowAllPortsForUrls | Automatically grant permission to sites to connect all serial ports. |
SerialAllowUsbDevicesForUrls | Automatically grant permission to sites to connect to USB serial devices. |
WebHidAskForUrls | Allow the WebHID API on these sites |
WebHidBlockedForUrls | Block the WebHID API on these sites |
WebHidAllowAllDevicesForUrls | Automatically grant permission to sites to connect to any HID device. |
WebHidAllowDevicesForUrls | Automatically grant permission to these sites to connect to HID devices with the given vendor and product IDs. |
WebHidAllowDevicesWithHidUsagesForUrls | Automatically grant permission to these sites to connect to HID devices containing top-level collections with the given HID usage. |
WindowPlacementAllowedForUrls | Allow Window Placement permission on these sites |
WindowPlacementBlockedForUrls | Block Window Placement permission on these sites |
Date and time | |
SystemTimezone | Timezone |
SystemTimezoneAutomaticDetection | Configure the automatic timezone detection method |
SystemUse24HourClock | Use 24 hour clock by default |
Default search provider | |
DefaultSearchProviderEnabled | Enable the default search provider |
DefaultSearchProviderName | Default search provider name |
DefaultSearchProviderKeyword | Default search provider keyword |
DefaultSearchProviderSearchURL | Default search provider search URL |
DefaultSearchProviderSuggestURL | Default search provider suggest URL |
DefaultSearchProviderIconURL | Default search provider icon |
DefaultSearchProviderEncodings | Default search provider encodings |
DefaultSearchProviderAlternateURLs | List of alternate URLs for the default search provider |
DefaultSearchProviderImageURL | Parameter providing search-by-image feature for the default search provider |
DefaultSearchProviderNewTabURL | Default search provider new tab page URL |
DefaultSearchProviderSearchURLPostParams | Parameters for search URL which uses POST |
DefaultSearchProviderSuggestURLPostParams | Parameters for suggest URL which uses POST |
DefaultSearchProviderImageURLPostParams | Parameters for image URL which uses POST |
Device update settings | |
ChromeOsReleaseChannel | Release channel |
ChromeOsReleaseChannelDelegated | Users may configure the Google Chrome OS release channel |
DeviceAutoUpdateDisabled | Disable Auto Update |
DeviceAutoUpdateP2PEnabled | Auto update P2P enabled |
DeviceAutoUpdateTimeRestrictions | Update Time Restrictions |
DeviceTargetVersionPrefix | Target Auto Update Version |
DeviceTargetVersionSelector | Allow devices to select a specific version to update to |
DeviceUpdateStagingSchedule | The staging schedule for applying a new update |
DeviceUpdateScatterFactor | Auto update scatter factor |
DeviceUpdateAllowedConnectionTypes | Connection types allowed for updates |
DeviceUpdateHttpDownloadsEnabled | Allow autoupdate downloads via HTTP |
RebootAfterUpdate | Automatically reboot after update |
DeviceRollbackToTargetVersion | Rollback to target version |
DeviceRollbackAllowedMilestones | Number of milestones rollback is allowed |
DeviceQuickFixBuildToken | Provide users with Quick Fix Build |
DeviceMinimumVersion | Configure minimum allowed Google Chrome OS version for the device. |
DeviceMinimumVersionAueMessage | Configure auto update expiration message for DeviceMinimumVersion policy |
Display | |
DeviceDisplayResolution | Set display resolution and scale factor |
DisplayRotationDefault | Set default display rotation, reapplied on every reboot |
Extensions | |
ExtensionInstallAllowlist | Configure extension installation allow list |
ExtensionInstallBlocklist | Configure extension installation blocklist |
ExtensionInstallForcelist | Configure the list of force-installed apps and extensions |
ExtensionInstallSources | Configure extension, app, and user script install sources |
ExtensionAllowedTypes | Configure allowed app/extension types |
ExtensionSettings | Extension management settings |
BlockExternalExtensions | Blocks external extensions from being installed |
Gaia user identity management settings | |
GaiaOfflineSigninTimeLimitDays | Limit the time for which a user authenticated via GAIA without SAML can log in offline |
Google Assistant | |
VoiceInteractionContextEnabled | Allow Google Assistant to access screen context |
VoiceInteractionHotwordEnabled | Allow Google Assistant to listen for the voice activation phrase |
AssistantVoiceMatchEnabledDuringOobe | Enable Google Assistant voice match flow |
Google Cast | |
EnableMediaRouter | Enable Google Cast |
ShowCastIconInToolbar | Show the Google Cast toolbar icon |
Google Drive | |
DriveDisabled | Disable Drive in the Google Chrome OS Files app |
DriveDisabledOverCellular | Disable Google Drive over cellular connections in the Google Chrome OS Files app |
HTTP authentication | |
AuthSchemes | Supported authentication schemes |
AllHttpAuthSchemesAllowedForOrigins | List of origins allowing all HTTP authentication |
DisableAuthNegotiateCnameLookup | Disable CNAME lookup when negotiating Kerberos authentication |
EnableAuthNegotiatePort | Include non-standard port in Kerberos SPN |
BasicAuthOverHttpEnabled | Allow Basic authentication for HTTP |
AuthServerAllowlist | Authentication server allowlist |
AuthNegotiateDelegateAllowlist | Kerberos delegation server allowlist |
AuthNegotiateDelegateByKdcPolicy | Use KDC policy to delegate credentials. |
GSSAPILibraryName | GSSAPI library name |
AuthAndroidNegotiateAccountType | Account type for HTTP Negotiate authentication |
AllowCrossOriginAuthPrompt | Cross-origin HTTP Authentication prompts |
NtlmV2Enabled | Enable NTLMv2 authentication. |
Kerberos | |
KerberosEnabled | Enable Kerberos functionality |
KerberosRememberPasswordEnabled | Enable 'Remember password' feature |
KerberosAddAccountsAllowed | Users can add Kerberos accounts |
KerberosAccounts | Configure Kerberos accounts |
Kiosk settings | |
DeviceLocalAccounts | Device-local accounts |
DeviceLocalAccountAutoLoginId | Device-local account for auto-login |
DeviceLocalAccountAutoLoginDelay | Device-local account auto-login timer |
DeviceLocalAccountAutoLoginBailoutEnabled | Enable bailout keyboard shortcut for auto-login |
DeviceLocalAccountPromptForNetworkWhenOffline | Enable network configuration prompt when offline |
AllowKioskAppControlChromeVersion | Allow the auto launched with zero delay kiosk app to control Google Chrome OS version |
Legacy Browser Support | |
AlternativeBrowserPath | Alternative browser to launch for configured websites. |
AlternativeBrowserParameters | Command-line parameters for the alternative browser. |
BrowserSwitcherChromePath | Path to Chrome for switching from the alternative browser. |
BrowserSwitcherChromeParameters | Command-line parameters for switching from the alternative browser. |
BrowserSwitcherDelay | Delay before launching alternative browser (milliseconds) |
BrowserSwitcherEnabled | Enable the Legacy Browser Support feature. |
BrowserSwitcherExternalSitelistUrl | URL of an XML file that contains URLs to load in an alternative browser. |
BrowserSwitcherExternalGreylistUrl | URL of an XML file that contains URLs that should never trigger a browser switch. |
BrowserSwitcherKeepLastChromeTab | Keep last tab open in Chrome. |
BrowserSwitcherParsingMode | Sitelist parsing mode |
BrowserSwitcherUrlList | Websites to open in alternative browser |
BrowserSwitcherUrlGreylist | Websites that should never trigger a browser switch. |
BrowserSwitcherUseIeSitelist | Use Internet Explorer's SiteList policy for Legacy Browser Support. |
Linux container | |
VirtualMachinesAllowed | Allow devices to run virtual machines on ChromeOS |
CrostiniAllowed | User is enabled to run Crostini |
DeviceUnaffiliatedCrostiniAllowed | Allow unaffiliated users to use Crostini |
CrostiniExportImportUIAllowed | User is enabled to export / import Crostini containers via the UI |
CrostiniAnsiblePlaybook | Crostini Ansible playbook |
CrostiniPortForwardingAllowed | Allow users to [enable/configure] Crostini port forwarding |
SystemTerminalSshAllowed | Allow SSH outgoing client connections in Terminal System App |
Microsoft® Active Directory® management settings | |
DeviceMachinePasswordChangeRate | Machine password change rate |
DeviceUserPolicyLoopbackProcessingMode | User policy loopback processing mode |
DeviceKerberosEncryptionTypes | Allowed Kerberos encryption types |
DeviceGpoCacheLifetime | GPO cache lifetime |
DeviceAuthDataCacheLifetime | Authentication data cache lifetime |
ChromadToCloudMigrationEnabled | Enable the migration of Chromad devices into cloud management |
Native Messaging | |
NativeMessagingBlocklist | Configure native messaging blocklist |
NativeMessagingAllowlist | Configure native messaging allowlist |
NativeMessagingUserLevelHosts | Allow user-level Native Messaging hosts (installed without admin permissions) |
Network File Shares settings | |
NetworkFileSharesAllowed | Controls Network File Shares for ChromeOS availability |
NetBiosShareDiscoveryEnabled | Controls Network File Share discovery via NetBIOS |
NTLMShareAuthenticationEnabled | Controls enabling NTLM as an authentication protocol for SMB mounts |
NetworkFileSharesPreconfiguredShares | List of preconfigured network file shares. |
Network settings | |
DeviceOpenNetworkConfiguration | Device-level network configuration |
DeviceDataRoamingEnabled | Enable data roaming |
NetworkThrottlingEnabled | Enable throttling network bandwidth |
DeviceHostnameTemplate | Device network hostname template |
DeviceHostnameUserConfigurable | Allow user to configure their device hostname |
DeviceWiFiFastTransitionEnabled | Enable 802.11r Fast Transition |
DeviceWiFiAllowed | Enable WiFi |
DeviceDockMacAddressSource | Device MAC address source when docked |
Other | |
UsbDetachableAllowlist | Allowlist of USB detachable devices |
DeviceAllowBluetooth | Allow bluetooth on device |
TPMFirmwareUpdateSettings | Configure TPM firmware update behavior |
DevicePolicyRefreshRate | Refresh rate for Device Policy |
DeviceBlockDevmode | Block developer mode |
DeviceAllowRedeemChromeOsRegistrationOffers | Allow users to redeem offers through Google Chrome OS Registration |
DeviceQuirksDownloadEnabled | Enable queries to Quirks Server for hardware profiles |
ExtensionCacheSize | Set Apps and Extensions cache size (in bytes) |
DeviceOffHours | Off hours intervals when the specified device policies are released |
SuggestedContentEnabled | Enable Suggested Content |
DeviceShowLowDiskSpaceNotification | Show notification when disk space is low |
WebXRImmersiveArEnabled | Allow creating WebXR's "immersive-ar" sessions |
PromptOnMultipleMatchingCertificates | Prompt when multiple certificates match |
DeviceKeylockerForStorageEncryptionEnabled | Controls use of AES Keylocker for user storage encryption if supported |
Parental supervision settings | |
ParentAccessCodeConfig | Parent Access Code Configuration |
PerAppTimeLimits | Per-App Time Limits |
PerAppTimeLimitsAllowlist | Per-App Time Limits Allowlist |
UsageTimeLimit | Time Limit |
EduCoexistenceToSVersion | The valid version of Edu Coexistence Terms of Service |
Password manager | |
PasswordManagerEnabled | Enable saving passwords to the password manager |
PasswordLeakDetectionEnabled | Enable leak detection for entered credentials |
PasswordDismissCompromisedAlertEnabled | Enable dismissing compromised password alerts for entered credentials |
PluginVm | |
PluginVmAllowed | Allow devices to use a PluginVm on Google Chrome OS |
PluginVmDataCollectionAllowed | Allow PluginVm Product Analytics |
PluginVmImage | PluginVm image |
PluginVmRequiredFreeDiskSpace | Required free disk space for PluginVm |
PluginVmUserId | PluginVm user id |
UserPluginVmAllowed | Allow users to use a PluginVm on Google Chrome OS |
Power and shutdown | |
DeviceLoginScreenPowerManagement | Power management on the login screen |
UptimeLimit | Limit device uptime by automatically rebooting |
DeviceRebootOnShutdown | Automatic reboot on device shutdown |
Power management | |
ScreenDimDelayAC | Screen dim delay when running on AC power |
ScreenOffDelayAC | Screen off delay when running on AC power |
ScreenLockDelayAC | Screen lock delay when running on AC power |
IdleWarningDelayAC | Idle warning delay when running on AC power |
IdleDelayAC | Idle delay when running on AC power |
ScreenDimDelayBattery | Screen dim delay when running on battery power |
ScreenOffDelayBattery | Screen off delay when running on battery power |
ScreenLockDelayBattery | Screen lock delay when running on battery power |
IdleWarningDelayBattery | Idle warning delay when running on battery power |
IdleDelayBattery | Idle delay when running on battery power |
IdleAction | Action to take when the idle delay is reached |
IdleActionAC | Action to take when the idle delay is reached while running on AC power |
IdleActionBattery | Action to take when the idle delay is reached while running on battery power |
LidCloseAction | Action to take when the user closes the lid |
PowerManagementUsesAudioActivity | Specify whether audio activity affects power management |
PowerManagementUsesVideoActivity | Specify whether video activity affects power management |
PresentationScreenDimDelayScale | Percentage by which to scale the screen dim delay in presentation mode |
AllowWakeLocks | Allow wake locks |
AllowScreenWakeLocks | Allow screen wake locks |
UserActivityScreenDimDelayScale | Percentage by which to scale the screen dim delay if the user becomes active after dimming |
WaitForInitialUserActivity | Wait for initial user activity |
PowerManagementIdleSettings | Power management settings when the user becomes idle |
ScreenLockDelays | Screen lock delays |
PowerSmartDimEnabled | Enable smart dim model to extend the time until the screen is dimmed |
ScreenBrightnessPercent | Screen brightness percent |
DevicePowerPeakShiftBatteryThreshold | Set power peak shift battery threshold in percent |
DevicePowerPeakShiftDayConfig | Set power peak shift day config |
DevicePowerPeakShiftEnabled | Enable peak shift power management |
DeviceBootOnAcEnabled | Enable boot on AC (alternating current) |
DeviceAdvancedBatteryChargeModeEnabled | Enable advanced battery charge mode |
DeviceAdvancedBatteryChargeModeDayConfig | Set advanced battery charge mode day config |
DeviceBatteryChargeMode | Battery charge mode |
DeviceBatteryChargeCustomStartCharging | Set battery charge custom start charging in percent |
DeviceBatteryChargeCustomStopCharging | Set battery charge custom stop charging in percent |
DeviceUsbPowerShareEnabled | Enable USB power share |
DevicePowerAdaptiveChargingEnabled | Enable adaptive charging model to hold charging process to extend battery life |
Printing | |
PrintingEnabled | Enable printing |
CloudPrintProxyEnabled | Enable Google Cloud Print proxy |
PrintingAllowedColorModes | Restrict printing color mode |
PrintingAllowedDuplexModes | Restrict printing duplex mode |
PrintingAllowedPinModes | Restrict PIN printing mode |
PrintingAllowedBackgroundGraphicsModes | Restrict background graphics printing mode |
PrintingColorDefault | Default printing color mode |
PrintingDuplexDefault | Default printing duplex mode |
PrintingPinDefault | Default PIN printing mode |
PrintingBackgroundGraphicsDefault | Default background graphics printing mode |
PrintingPaperSizeDefault | Default printing page size |
PrintingSendUsernameAndFilenameEnabled | Send username and filename to native printers |
PrintingMaxSheetsAllowed | Maximal number of sheets allowed to use for a single print job |
PrintJobHistoryExpirationPeriod | Set the time period in days for storing print jobs metadata |
PrintingAPIExtensionsAllowlist | Extensions allowed to skip confirmation dialog when sending print jobs via chrome.printing API |
DisablePrintPreview | Disable Print Preview |
PrintHeaderFooter | Print Headers and Footers |
DefaultPrinterSelection | Default printer selection rules |
Printers | Configures a list of printers |
PrintersBulkConfiguration | Enterprise printer configuration file |
PrintersBulkAccessMode | Printer configuration access policy. |
PrintersBulkBlocklist | Disabled enterprise printers |
PrintersBulkAllowlist | Enabled enterprise printers |
DevicePrinters | Enterprise printer configuration file for devices |
DevicePrintersAccessMode | Device printers configuration access policy. |
DevicePrintersBlocklist | Disabled enterprise device printers |
DevicePrintersAllowlist | Enabled enterprise device printers |
PrintPreviewUseSystemDefaultPrinter | Use System Default Printer as Default |
UserPrintersAllowed | Allow access to CUPS printers |
ExternalPrintServers | External print servers |
ExternalPrintServersAllowlist | Enabled external print servers |
PrinterTypeDenyList | Disable printer types on the deny list |
PrintRasterizationMode | Print Rasterization Mode |
PrintPdfAsImageAvailability | Print PDF as Image Available |
PrintRasterizePdfDpi | Print Rasterize PDF DPI |
DeletePrintJobHistoryAllowed | Allow print job history to be deleted |
PrintPostScriptMode | Print PostScript Mode |
PrintPdfAsImageDefault | Print PDF as Image Default |
Privacy screen settings | |
DeviceLoginScreenPrivacyScreenEnabled | Set the state of privacy screen on the login screen |
PrivacyScreenEnabled | Enable privacy screen |
Projector | |
ProjectorEnabled | Enable Projector |
ProjectorDogfoodForFamilyLinkEnabled | Enable Projector dogfood for Family Link users |
Proxy server | |
ProxyMode | Choose how to specify proxy server settings |
ProxyServerMode | Choose how to specify proxy server settings |
ProxyServer | Address or URL of proxy server |
ProxyPacUrl | URL to a proxy .pac file |
ProxyBypassList | Proxy bypass rules |
Quick Answers | |
QuickAnswersEnabled | Enable Quick Answers |
QuickAnswersDefinitionEnabled | Enable Quick Answers Definition |
QuickAnswersTranslationEnabled | Enable Quick Answers Translation |
QuickAnswersUnitConversionEnabled | Enable Quick Answers Unit Conversion |
Quick unlock | |
QuickUnlockModeAllowlist | Configure allowed quick unlock modes |
QuickUnlockTimeout | Set how often user has to enter password to use quick unlock |
PinUnlockMinimumLength | Set the minimum length of the lock screen PIN |
PinUnlockMaximumLength | Set the maximum length of the lock screen PIN |
PinUnlockWeakPinsAllowed | Enable users to set weak PINs for the lock screen PIN |
PinUnlockAutosubmitEnabled | Enable PIN auto-submit feature on the lock and login screen. |
Remote access | |
RemoteAccessHostClientDomain | Configure the required domain name for remote access clients |
RemoteAccessHostClientDomainList | Configure the required domain names for remote access clients |
RemoteAccessHostFirewallTraversal | Enable firewall traversal from remote access host |
RemoteAccessHostDomain | Configure the required domain name for remote access hosts |
RemoteAccessHostDomainList | Configure the required domain names for remote access hosts |
RemoteAccessHostRequireCurtain | Enable curtaining of remote access hosts |
RemoteAccessHostAllowClientPairing | Enable or disable PIN-less authentication for remote access hosts |
RemoteAccessHostAllowRelayedConnection | Enable the use of relay servers by the remote access host |
RemoteAccessHostUdpPortRange | Restrict the UDP port range used by the remote access host |
RemoteAccessHostMatchUsername | Require that the name of the local user and the remote access host owner match |
RemoteAccessHostAllowUiAccessForRemoteAssistance | Allow remote users to interact with elevated windows in remote assistance sessions |
RemoteAccessHostAllowFileTransfer | Allow remote access users to transfer files to/from the host |
RemoteAccessHostAllowRemoteAccessConnections | Allow remote access connections to this machine |
RemoteAccessHostMaximumSessionDurationMinutes | Maximum session duration allowed for remote access connections |
RemoteAccessHostClipboardSizeBytes | The maximum size, in bytes, that can be transferred between client and host via clipboard synchronization |
RemoteAccessHostAllowRemoteSupportConnections | Allow remote support connections to this machine |
Remote attestation | |
AttestationEnabledForDevice | Enable remote attestation for the device |
AttestationEnabledForUser | Enable remote attestation for the user |
AttestationExtensionAllowlist | Extensions allowed to to use the remote attestation API |
AttestationForContentProtectionEnabled | Enable the use of remote attestation for content protection for the device |
DeviceWebBasedAttestationAllowedUrls | URLs that will be granted access to perform the device attestation during SAML authentication |
Safe Browsing settings | |
SafeBrowsingEnabled | Enable Safe Browsing |
SafeBrowsingExtendedReportingEnabled | Enable Safe Browsing Extended Reporting |
SafeBrowsingProtectionLevel | Safe Browsing Protection Level |
SafeBrowsingAllowlistDomains | Configure the list of domains on which Safe Browsing will not trigger warnings. |
PasswordProtectionWarningTrigger | Password protection warning trigger |
PasswordProtectionLoginURLs | Configure the list of enterprise login URLs where password protection service should capture salted hashes of passwords. |
PasswordProtectionChangePasswordURL | Configure the change password URL. |
Saml user identity management settings | |
SamlInSessionPasswordChangeEnabled | Password synchronization between third-party SSO providers and Chrome devices |
SamlPasswordExpirationAdvanceWarningDays | How many days in advance to notify SAML users when their password is due to expire |
LockScreenReauthenticationEnabled | Enables online re-authentication on lock screen for SAML users |
SAMLOfflineSigninTimeLimit | Limit the time for which a user authenticated via SAML can log in offline |
Sign-in settings | |
DeviceGuestModeEnabled | Enable guest mode |
DeviceUserAllowlist | Login user allow list |
DeviceAllowNewUsers | Allow creation of new user accounts |
DeviceLoginScreenDomainAutoComplete | Enable domain name autocomplete during user sign in |
DeviceShowUserNamesOnSignin | Show usernames on login screen |
DeviceWallpaperImage | Device wallpaper image |
DeviceEphemeralUsersEnabled | Wipe user data on sign-out |
LoginAuthenticationBehavior | Configure the login authentication behavior |
DeviceTransferSAMLCookies | Transfer SAML IdP cookies during login |
LoginVideoCaptureAllowedUrls | URLs that will be granted access to video capture devices on SAML login pages |
DeviceLoginScreenExtensions | Configure the list of installed apps and extensions on the login screen |
DeviceLoginScreenLocales | Device sign-in screen locale |
DeviceLoginScreenInputMethods | Device sign-in screen keyboard layouts |
DeviceLoginScreenSystemInfoEnforced | Force the sign-in screen to show or hide system information. |
DeviceSecondFactorAuthentication | Integrated second factor authentication mode |
DeviceLoginScreenAutoSelectCertificateForUrls | Automatically select client certificates for these sites on the sign-in screen |
DeviceShowNumericKeyboardForPassword | Show numeric keyboard for password |
DeviceFamilyLinkAccountsAllowed | Allow addition of Family Link accounts to the device |
DeviceLoginScreenPromptOnMultipleMatchingCertificates | Prompt when multiple certificates match on the sign-in screen |
DeviceRunAutomaticCleanupOnLogin | Control automatic cleanup during login |
Startup, Home page and New Tab page | |
ShowHomeButton | Show Home button on toolbar |
HomepageLocation | Configure the home page URL |
HomepageIsNewTabPage | Use New Tab Page as homepage |
NewTabPageLocation | Configure the New Tab page URL |
RestoreOnStartup | Action on startup |
RestoreOnStartupURLs | URLs to open on startup |
User and device reporting | |
EnableDeviceGranularReporting | Enable granular reporting controls |
ReportDeviceVersionInfo | Report OS and firmware version |
ReportDeviceBootMode | Report device boot mode |
ReportDeviceUsers | Report device users |
ReportDeviceActivityTimes | Report device activity times |
ReportDeviceAudioStatus | Report device audio status |
ReportDeviceNetworkConfiguration | Report network configuration |
ReportDeviceNetworkInterfaces | Report device network interfaces |
ReportDeviceNetworkStatus | Report network status |
ReportDeviceHardwareStatus | Report hardware status |
ReportDeviceSessionStatus | Report information about active kiosk sessions |
ReportDeviceGraphicsStatus | Report display and graphics statuses |
ReportDeviceCrashReportInfo | Report information about crash reports. |
ReportDeviceOsUpdateStatus | Report OS update status |
ReportDeviceBoardStatus | Report board status |
ReportDeviceCpuInfo | Report CPU info |
ReportDeviceTimezoneInfo | Report Timezone info |
ReportDeviceMemoryInfo | Report memory info |
ReportDeviceBacklightInfo | Report backlight info |
ReportDevicePeripherals | Report peripheral details |
ReportDevicePowerStatus | Report power status |
ReportDeviceSecurityStatus | Report device security status |
ReportDeviceStorageStatus | Report storage status |
ReportDeviceAppInfo | Report applications information |
ReportDeviceBluetoothInfo | Report Bluetooth info |
ReportDeviceFanInfo | Report fan info |
ReportDeviceVpdInfo | Report VPD info |
ReportDeviceSystemInfo | Report system info |
ReportDeviceLoginLogout | Report login/logout |
ReportCRDSessions | Report CRD sessions |
ReportUploadFrequency | Frequency of device status report uploads |
ReportArcStatusEnabled | Report information about status of Android |
HeartbeatEnabled | Send network packets to the management server to monitor online status |
HeartbeatFrequency | Frequency of monitoring network packets |
LogUploadEnabled | Send system logs to the management server |
DeviceMetricsReportingEnabled | Enable metrics reporting |
Wilco DTC | |
DeviceWilcoDtcAllowed | Allows wilco diagnostics and telemetry controller |
DeviceWilcoDtcConfiguration | Wilco DTC configuration |
AbusiveExperienceInterventionEnforce | Abusive Experience Intervention Enforce |
AccessCodeCastDeviceDuration | Specifies how long (in seconds) a cast device selected with an access code or QR code stays in the Google Cast menu's list of cast devices. |
AccessCodeCastEnabled | Allow users to select cast devices with an access code or QR code from within the Google Cast menu. |
AccessibilityImageLabelsEnabled | Enable Get Image Descriptions from Google. |
AdditionalDnsQueryTypesEnabled | Allow DNS queries for additional DNS record types |
AdsSettingForIntrusiveAdsSites | Ads setting for sites with intrusive ads |
AdvancedProtectionAllowed | Enable additional protections for users enrolled in the Advanced Protection program |
AllowDeletingBrowserHistory | Enable deleting browser and download history |
AllowDinosaurEasterEgg | Allow Dinosaur Easter Egg Game |
AllowFileSelectionDialogs | Allow invocation of file selection dialogs |
AllowScreenLock | Permit locking the screen |
AllowSystemNotifications | Allows system notifications |
AllowedDomainsForApps | Define domains allowed to access Google Workspace |
AllowedInputMethods | Configure the allowed input methods in a user session |
AllowedLanguages | Configure the allowed languages in a user session |
AlternateErrorPagesEnabled | Enable alternate error pages |
AlwaysOpenPdfExternally | Always Open PDF files externally |
AmbientAuthenticationInPrivateModesEnabled | Enable Ambient Authentication for profile types. |
ApplicationLocaleValue | Application locale |
AudioCaptureAllowed | Allow or deny audio capture |
AudioCaptureAllowedUrls | URLs that will be granted access to audio capture devices without prompt |
AudioOutputAllowed | Allow playing audio |
AudioProcessHighPriorityEnabled | Allow the audio process to run with priority above normal on Windows |
AudioSandboxEnabled | Allow the audio sandbox to run |
AutoFillEnabled | Enable AutoFill |
AutoLaunchProtocolsFromOrigins | Define a list of protocols that can launch an external application from listed origins without prompting the user |
AutoOpenAllowedForURLs | URLs where AutoOpenFileTypes can apply |
AutoOpenFileTypes | List of file types that should be automatically opened on download |
AutofillAddressEnabled | Enable AutoFill for addresses |
AutofillCreditCardEnabled | Enable AutoFill for credit cards |
AutoplayAllowed | Allow media autoplay |
AutoplayAllowlist | Allow media autoplay on a allowlist of URL patterns |
BackForwardCacheEnabled | Control the BackForwardCache feature. |
BackgroundModeEnabled | Continue running background apps when Google Chrome is closed |
BlockThirdPartyCookies | Block third party cookies |
BookmarkBarEnabled | Enable Bookmark Bar |
BrowserAddPersonEnabled | Enable add person in user manager |
BrowserGuestModeEnabled | Enable guest mode in browser |
BrowserGuestModeEnforced | Enforce browser guest mode |
BrowserLabsEnabled | Browser experiments icon in toolbar |
BrowserLegacyExtensionPointsBlocked | Block Browser Legacy Extension Points |
BrowserNetworkTimeQueriesEnabled | Allow queries to a Google time service |
BrowserSignin | Browser sign in settings |
BrowserThemeColor | Configure the color of the browser's theme |
BrowsingDataLifetime | Browsing Data Lifetime Settings |
BuiltInDnsClientEnabled | Use built-in DNS client |
BuiltinCertificateVerifierEnabled | Determines whether the built-in certificate verifier will be used to verify server certificates |
CACertificateManagementAllowed | Allow users to manage installed CA certificates. |
CECPQ2Enabled | CECPQ2 post-quantum key-agreement enabled for TLS |
CORSNonWildcardRequestHeadersSupport | CORS non-wildcard request headers support |
CaptivePortalAuthenticationIgnoresProxy | Captive portal authentication ignores proxy |
CertificateTransparencyEnforcementDisabledForCas | Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes |
CertificateTransparencyEnforcementDisabledForLegacyCas | Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities |
CertificateTransparencyEnforcementDisabledForUrls | Disable Certificate Transparency enforcement for a list of URLs |
ChromeCleanupEnabled | Enable Chrome Cleanup on Windows |
ChromeCleanupReportingEnabled | Control how Chrome Cleanup reports data to Google |
ChromeOsLockOnIdleSuspend | Enable lock when the device become idle or suspended |
ChromeOsMultiProfileUserBehavior | Control the user behavior in a multiprofile session |
ChromeVariations | Determine the availability of variations |
ClearBrowsingDataOnExitList | Clear Browsing Data on Exit |
ClickToCallEnabled | Enable the Click to Call Feature |
ClientCertificateManagementAllowed | Allow users to manage installed client certificates. |
CloudManagementEnrollmentMandatory | Enable mandatory cloud management enrollment |
CloudManagementEnrollmentToken | The enrollment token of cloud policy |
CloudPolicyOverridesPlatformPolicy | Google Chrome cloud policy overrides Platform policy. |
CloudUserPolicyMerge | Enables merging of user cloud policies into machine-level policies |
CloudUserPolicyOverridesCloudMachinePolicy | Allow user cloud policies to override Chrome Browser Cloud Management policies. |
CommandLineFlagSecurityWarningsEnabled | Enable security warnings for command-line flags |
ComponentUpdatesEnabled | Enable component updates in Google Chrome |
ContextualSearchEnabled | Enable Touch to Search |
DNSInterceptionChecksEnabled | DNS interception checks enabled |
DataLeakPreventionClipboardCheckSizeLimit | Set minimal size limit for data leak prevention clipboard restriction |
DataLeakPreventionReportingEnabled | Enable data leak prevention reporting |
DataLeakPreventionRulesList | Sets a list of data leak prevention rules. |
DefaultBrowserSettingEnabled | Set Google Chrome as Default Browser |
DefaultDownloadDirectory | Set default download directory |
DefaultSearchProviderContextMenuAccessAllowed | Allow default search provider context menu search access |
DesktopSharingHubEnabled | Enable desktop sharing in the omnibox and 3-dot menu |
DeveloperToolsAvailability | Control where Developer Tools can be used |
DeveloperToolsDisabled | Disable Developer Tools |
DeviceAllowMGSToStoreDisplayProperties | Allow Managed guest session to persist display properties |
DeviceAllowedBluetoothServices | Only allow connection to the Bluetooth services in the list |
DeviceAttributesAllowedForOrigins | Allow origins to query for device attributes |
DeviceChromeVariations | Determine the availability of variations on Google Chrome OS |
DeviceDebugPacketCaptureAllowed | Allow debug network packet captures |
DeviceEncryptedReportingPipelineEnabled | Enable the Encrypted Reporting Pipeline |
DeviceI18nShortcutsEnabled | Allows enabling/disabling international shortcut keys remaps |
DeviceLocalAccountManagedSessionEnabled | Allow managed session on device |
DeviceLoginScreenPrimaryMouseButtonSwitch | Switch the primary mouse button to the right button on the login screen |
DeviceLoginScreenWebUsbAllowDevicesForUrls | Automatically grant permission to these sites to connect to USB devices with the given vendor and product IDs on the login screen. |
DevicePciPeripheralDataAccessEnabled | Enable Thunderbolt/USB4 peripheral data access |
DevicePowerwashAllowed | Allow the device to request powerwash |
DeviceRebootOnUserSignout | Force device reboot when user sign out |
DeviceReleaseLtsTag | Allow device to receive LTS updates |
DeviceRestrictedManagedGuestSessionEnabled | Restricted managed guest sessions |
DeviceScheduledReboot | Set custom schedule to reboot kiosk devices |
DeviceScheduledUpdateCheck | Set custom schedule to check for updates |
DeviceSystemWideTracingEnabled | Allow collection of system-wide performance trace |
Disable3DAPIs | Disable support for 3D graphics APIs |
DisableSafeBrowsingProceedAnyway | Disable proceeding from the Safe Browsing warning page |
DisableScreenshots | Disable taking screenshots |
DisabledSchemes | Disable URL protocol schemes |
DiskCacheDir | Set disk cache directory |
DiskCacheSize | Set disk cache size in bytes |
DisplayCapturePermissionsPolicyEnabled | Specifies whether the display-capture permissions-policy is checked or skipped. |
DnsOverHttpsMode | Controls the mode of DNS-over-HTTPS |
DnsOverHttpsTemplates | Specify URI template of desired DNS-over-HTTPS resolver |
DownloadBubbleEnabled | Enable download bubble UI |
DownloadDirectory | Set download directory |
DownloadRestrictions | Allow download restrictions |
EasyUnlockAllowed | Allow Smart Lock to be used |
EcheAllowed | Allow Eche to be enabled. |
EditBookmarksEnabled | Enable or disable bookmark editing |
EmojiSuggestionEnabled | Enable Emoji Suggestion |
EnableExperimentalPolicies | Enables experimental policies |
EnableOnlineRevocationChecks | Enable online OCSP/CRL checks |
EnableSyncConsent | Enable displaying Sync Consent during sign-in |
EnterpriseHardwarePlatformAPIEnabled | Enables managed extensions to use the Enterprise Hardware Platform API |
ExemptDomainFileTypePairsFromFileTypeDownloadWarnings | Disable download file type extension-based warnings for specified file types on domains |
ExplicitlyAllowedNetworkPorts | Explicitly allowed network ports |
ExtensionInstallEventLoggingEnabled | Log events for policy based extension installs |
ExternalProtocolDialogShowAlwaysOpenCheckbox | Show an "Always open" checkbox in external protocol dialog. |
ExternalStorageDisabled | Disable mounting of external storage |
ExternalStorageReadOnly | Treat external storage devices as read-only |
FastPairEnabled | Enable Fast Pair (fast Bluetooth pairing) |
FetchKeepaliveDurationSecondsOnShutdown | Fetch keepalive duration on Shutdown |
FloatingWorkspaceEnabled | Enable Floating Workspace Service |
ForceBrowserSignin | Enable force sign in for Google Chrome |
ForceEphemeralProfiles | Ephemeral profile |
ForceGoogleSafeSearch | Force Google SafeSearch |
ForceLogoutUnauthenticatedUserEnabled | Force logout the user when their account becomes unauthenticated |
ForceMajorVersionToMinorPositionInUserAgent | Freeze User-Agent string major version at 99 |
ForceMaximizeOnFirstRun | Maximize the first browser window on first run |
ForceSafeSearch | Force SafeSearch |
ForceYouTubeRestrict | Force minimum YouTube Restricted Mode |
ForceYouTubeSafetyMode | Force YouTube Safety Mode |
ForcedLanguages | Configure the content and order of preferred languages |
FullRestoreEnabled | Enable the full restore feature |
FullscreenAlertEnabled | Enable fullscreen alert |
FullscreenAllowed | Allow fullscreen mode |
GaiaLockScreenOfflineSigninTimeLimitDays | Limit the time for which a user authenticated via GAIA without SAML can log in offline at the lock screen |
GetDisplayMediaSetSelectAllScreensAllowedForUrls | Enables auto-select for multi screen captures |
GhostWindowEnabled | Enable the ghost window feature |
GloballyScopeHTTPAuthCacheEnabled | Enable globally scoped HTTP auth cache |
HSTSPolicyBypassList | List of names that will bypass the HSTS policy check |
HardwareAccelerationModeEnabled | Use hardware acceleration when available |
HeadlessMode | Control use of the Headless Mode |
HideWebStoreIcon | Hide the web store from the New Tab Page and app launcher |
HistoryClustersVisible | Show Journeys on the Chrome history page |
HttpsOnlyMode | Allow HTTPS-Only Mode to be enabled |
ImportAutofillFormData | Import autofill form data from default browser on first run |
ImportBookmarks | Import bookmarks from default browser on first run |
ImportHistory | Import browsing history from default browser on first run |
ImportHomepage | Import of homepage from default browser on first run |
ImportSavedPasswords | Import saved passwords from default browser on first run |
ImportSearchEngine | Import search engines from default browser on first run |
IncognitoEnabled | Enable Incognito mode |
IncognitoModeAvailability | Incognito mode availability |
InsecureFormsWarningsEnabled | Enable warnings for insecure forms |
InsecurePrivateNetworkRequestsAllowed | Specifies whether to allow websites to make requests to more-private network endpoints in an insecure manner |
InsecurePrivateNetworkRequestsAllowedForUrls | Allow the listed sites to make requests to more-private network endpoints in an insecure manner. |
InsightsExtensionEnabled | Enable insights extension for reporting usage metrics |
InstantTetheringAllowed | Allow Instant Tethering to be used. |
IntensiveWakeUpThrottlingEnabled | Control the IntensiveWakeUpThrottling feature. |
IntranetRedirectBehavior | Intranet Redirection Behavior |
IsolateOrigins | Enable Site Isolation for specified origins |
IsolateOriginsAndroid | Enable Site Isolation for specified origins on Android devices |
JavascriptEnabled | Enable JavaScript |
KeepFullscreenWithoutNotificationUrlAllowList | List of URLs which are allowed to remain in full screen mode without showing a notification |
KeyPermissions | Key Permissions |
LacrosAvailability | Make the Lacros browser available |
LacrosSecondaryProfilesAllowed | Allow users to create and use secondary profiles, and use guest mode in the Lacros browser |
LensCameraAssistedSearchEnabled | Allow Google Lens camera assisted search |
LensRegionSearchEnabled | Allow Google Lens region search menu item to be shown in context menu if supported. |
LockScreenMediaPlaybackEnabled | Allows users to play media when the device is locked |
LoginDisplayPasswordButtonEnabled | Show the display password button on the login and lock screen |
LookalikeWarningAllowlistDomains | Suppress lookalike domain warnings on domains |
ManagedAccountsSigninRestriction | Add restrictions on managed accounts |
ManagedBookmarks | Managed Bookmarks |
ManagedConfigurationPerOrigin | Sets managed configuration values to websites to specific origins |
ManagedGuestSessionPrivacyWarningsEnabled | Reduce Managed-guest session auto-launch notifications |
MaxConnectionsPerProxy | Maximal number of concurrent connections to the proxy server |
MaxInvalidationFetchDelay | Maximum fetch delay after a policy invalidation |
MediaRecommendationsEnabled | Enable Media Recommendations |
MediaRouterCastAllowAllIPs | Allow Google Cast to connect to Cast devices on all IP addresses. |
MetricsReportingEnabled | Enable reporting of usage and crash-related data |
NTPCardsVisible | Show cards on the New Tab Page |
NTPContentSuggestionsEnabled | Show content suggestions on the New Tab page |
NTPCustomBackgroundEnabled | Allow users to customize the background on the New Tab page |
NTPMiddleSlotAnnouncementVisible | Show the middle slot announcement on the New Tab Page |
NearbyShareAllowed | Allow Nearby Share to be enabled. |
NetworkPredictionOptions | Enable network prediction |
NetworkServiceSandboxEnabled | Enable the network service sandbox |
NoteTakingAppsLockScreenAllowlist | The list of note-taking apps allowed on the Google Chrome OS lock screen |
OpenNetworkConfiguration | User-level network configuration |
OptimizationGuideFetchingEnabled | Enable Optimization Guide Fetching |
OriginAgentClusterDefaultEnabled | Allows origin-keyed agent clustering by default. |
OverrideSecurityRestrictionsOnInsecureOrigin | Origins or hostname patterns for which restrictions on insecure origins should not apply |
PaymentMethodQueryEnabled | Allow websites to query for available payment methods. |
PdfAnnotationsEnabled | Enable PDF Annotations |
PhoneHubAllowed | Allow Phone Hub to be enabled. |
PhoneHubNotificationsAllowed | Allow Phone Hub notifications to be enabled. |
PhoneHubTaskContinuationAllowed | Allow Phone Hub task continuation to be enabled. |
PinnedLauncherApps | List of pinned apps to show in the launcher |
PolicyAtomicGroupsEnabled | Enables the concept of policy atomic groups |
PolicyDictionaryMultipleSourceMergeList | Allow merging dictionary policies from different sources |
PolicyListMultipleSourceMergeList | Allow merging list policies from different sources |
PolicyRefreshRate | Refresh rate for user policy |
PrimaryMouseButtonSwitch | Switch the primary mouse button to the right button |
ProfilePickerOnStartupAvailability | Profile picker availability on startup |
PromotionalTabsEnabled | Enable showing full-tab promotional content |
PromptForDownloadLocation | Ask where to save each file before downloading |
ProxySettings | Proxy settings |
QuicAllowed | Allow QUIC protocol |
RelaunchHeadsUpPeriod | Set the time of the first user relaunch notification |
RelaunchNotification | Notify a user that a browser relaunch or device restart is recommended or required |
RelaunchNotificationPeriod | Set the time period for update notifications |
RelaunchWindow | Set the time interval for relaunch |
RemoteDebuggingAllowed | Allow remote debugging |
RendererCodeIntegrityEnabled | Enable Renderer Code Integrity |
ReportCrostiniUsageEnabled | Report information about usage of Linux apps |
RequireOnlineRevocationChecksForLocalAnchors | Require online OCSP/CRL checks for local trust anchors |
RestrictAccountsToPatterns | Restrict accounts that are visible in Google Chrome |
RestrictSigninToPattern | Restrict which Google accounts are allowed to be set as browser primary accounts in Google Chrome |
RestrictedManagedGuestSessionExtensionCleanupExemptList | Configure the list of extension IDs exempt from the restricted managed guest session clean-up procedure |
RoamingProfileLocation | Set the roaming profile directory |
RoamingProfileSupportEnabled | Enable the creation of roaming copies for Google Chrome profile data |
SSLErrorOverrideAllowed | Allow proceeding from the SSL warning page |
SSLErrorOverrideAllowedForOrigins | Allow proceeding from the SSL warning page on specific origins |
SSLVersionMin | Minimum SSL version enabled |
SafeBrowsingForTrustedSourcesEnabled | Enable Safe Browsing for trusted sources |
SafeSitesFilterBehavior | Control SafeSites adult content filtering. |
SamlLockScreenOfflineSigninTimeLimitDays | Limit the time for which a user authenticated via SAML can log in offline at the lock screen |
SandboxExternalProtocolBlocked | Allow Chrome to block navigations toward external protocols in sandboxed iframes |
SavingBrowserHistoryDisabled | Disable saving browser history |
SchedulerConfiguration | Select task scheduler configuration |
ScrollToTextFragmentEnabled | Enable scrolling to text specified in URL fragments |
SearchSuggestEnabled | Enable search suggestions |
SecondaryGoogleAccountSigninAllowed | Allow Sign-in To Additional Google Accounts |
SecurityKeyPermitAttestation | URLs/domains automatically permitted direct Security Key attestation |
SecurityTokenSessionBehavior | Action on security token removal (e.g., smart card) for Google Chrome OS. |
SecurityTokenSessionNotificationSeconds | Duration of the notification on smart card removal for Google Chrome OS. |
SessionLengthLimit | Limit the length of a user session |
SessionLocales | Set the recommended locales for a managed session |
SetTimeoutWithout1MsClampEnabled | Control Javascript setTimeout() function minimum timeout. |
SharedArrayBufferUnrestrictedAccessAllowed | Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context |
SharedClipboardEnabled | Enable the Shared Clipboard Feature |
ShelfAlignment | Control the shelf position |
ShelfAutoHideBehavior | Control shelf auto-hiding |
ShowAppsShortcutInBookmarkBar | Show the apps shortcut in the bookmark bar |
ShowFullUrlsInAddressBar | Show Full URLs |
ShowLogoutButtonInTray | Add a logout button to the system tray |
SideSearchEnabled | Allow showing the most recent default search engine results page in a Browser side panel |
SignedHTTPExchangeEnabled | Enable Signed HTTP Exchange (SXG) support |
SigninAllowed | Allow sign in to Google Chrome |
SigninInterceptionEnabled | Enable signin interception |
SitePerProcess | Require Site Isolation for every site |
SitePerProcessAndroid | Enable Site Isolation for every site |
SmartLockSigninAllowed | Allow Smart Lock Signin to be used. |
SmsMessagesAllowed | Allow SMS Messages to be synced from phone to Chromebook. |
SpellCheckServiceEnabled | Enable or disable spell checking web service |
SpellcheckEnabled | Enable spellcheck |
SpellcheckLanguage | Force enable spellcheck languages |
SpellcheckLanguageBlocklist | Force disable spellcheck languages |
StartupBrowserWindowLaunchSuppressed | Suppress launching of browser window |
StricterMixedContentTreatmentEnabled | Enable stricter treatment for mixed content |
SuggestLogoutAfterClosingLastWindow | Display the logout confirmation dialog |
SuppressDifferentOriginSubframeDialogs | Suppress JavaScript Dialogs triggered from different origin subframes |
SuppressUnsupportedOSWarning | Suppress the unsupported OS warning |
SyncDisabled | Disable synchronization of data with Google |
SyncTypesListDisabled | List of types that should be excluded from synchronization |
SystemFeaturesDisableList | Configure the camera, browser settings, os settings, scanning, web store, canvas, explore and crosh features to be disabled |
SystemFeaturesDisableMode | Set the user experience of disabled features |
SystemProxySettings | Configures System-proxy service for Google Chrome OS. |
TaskManagerEndProcessEnabled | Enable ending processes in Task Manager |
TermsOfServiceURL | Set the Terms of Service for a device-local account |
ThirdPartyBlockingEnabled | Enable third party software injection blocking |
TosDialogBehavior | Configuring the ToS behavior during first-run for CCT |
TotalMemoryLimitMb | Set limit on megabytes of memory a single Chrome instance can use. |
TouchVirtualKeyboardEnabled | Enable virtual keyboard |
TranslateEnabled | Enable Translate |
U2fSecurityKeyApiEnabled | Allow using the deprecated U2F Security Key API |
URLAllowlist | Allow access to a list of URLs |
URLBlocklist | Block access to a list of URLs |
UnifiedDesktopEnabledByDefault | Make Unified Desktop available and turn on by default |
UnsafelyTreatInsecureOriginAsSecure | Origins or hostname patterns for which restrictions on insecure origins should not apply |
UrlKeyedAnonymizedDataCollectionEnabled | Enable URL-keyed anonymized data collection |
UrlParamFilterEnabled | Control the URL parameter filter feature |
UserAgentClientHintsGREASEUpdateEnabled | Control the User-Agent Client Hints GREASE Update feature. |
UserAgentReduction | Enable or disable the User-Agent Reduction. |
UserAvatarImage | User avatar image |
UserDataDir | Set user data directory |
UserDataSnapshotRetentionLimit | Limits the number of user data snapshots retained for use in case of emergency rollback. |
UserDisplayName | Set the display name for device-local accounts |
UserFeedbackAllowed | Allow user feedback |
VideoCaptureAllowed | Allow or deny video capture |
VideoCaptureAllowedUrls | URLs that will be granted access to video capture devices without prompt |
VmManagementCliAllowed | Specify VM CLI permission |
VpnConfigAllowed | Allow the user to manage VPN connections |
WPADQuickCheckEnabled | Enable WPAD optimization |
WallpaperImage | Wallpaper image |
WarnBeforeQuittingEnabled | Show a warning dialog when the user is attempting to quit |
WebAppInstallForceList | Configure list of force-installed Web Apps |
WebAppSettings | Web App management settings |
WebAuthnFactors | Configure allowed WebAuthn factors |
WebRtcAllowLegacyTLSProtocols | Allow legacy TLS/DTLS downgrade in WebRTC |
WebRtcEventLogCollectionAllowed | Allow collection of WebRTC event logs from Google services |
WebRtcIPHandling | The IP handling policy of WebRTC |
WebRtcLocalIpsAllowedUrls | URLs for which local IPs are exposed in WebRTC ICE candidates |
WebRtcUdpPortRange | Restrict the range of local UDP ports used by WebRTC |
WebSQLAccess | Force WebSQL to be enabled. |
WifiSyncAndroidAllowed | Allow Wi-Fi network configurations to be synced across Google Chrome OS devices and a connected Android phone. |
WindowOcclusionEnabled | Enable Window Occlusion |
Setting the policy to True displays the accessibility options in the system tray menu. If you set the policy to False, the options don't appear in the menu.
If you set the policy, users can't change it. If not set, accessibility options don't appear in the menu, but users can make them appear through the Settings page.
If you turn on accessibility features by other means (for example, by key combination), accessibility options always appear in the system tray menu.
Setting the policy to True keeps the large cursor on. Setting the policy to False keeps the large cursor off.
If you set the policy, users can't change the feature. If not set, the large cursor is off at first, but users can turn it on any time.
Setting the policy to True keeps spoken feedback on. Setting the policy to False keeps spoken feedback off.
If you set the policy, users can't change it. If not set, spoken feedback is off at first, but users can turn it on any time.
Setting the policy to True keeps High-contrast mode on. Setting the policy to False keeps High-contrast mode off.
If you set the policy, users can't change it. If not set, High-contrast mode is off, but users can turn it on any time.
Setting the policy to True keeps the on-screen keyboard on. Setting the policy to False keeps the on-screen keyboard off unless other factors turn it on. See the TouchVirtualKeyboardEnabled policy as an example of these factors.
If you set the policy, users can't change it. If not set, the on-screen keyboard is off at first, but users can turn it on any time.
Enable or disable various features on the on-screen keyboard. This policy takes effect only when "VirtualKeyboardEnabled" policy is enabled.
If one feature in this policy is set to True, it will be enabled on the on-screen keyboard.
If one feature in this policy is set to False or left unset, it will be disabled on the on-screen keyboard.
NOTE: this policy is only supported in PWA Kiosk mode.
Setting the policy to True keeps sticky keys on. Setting the policy to False keeps sticky keys off.
If you set the policy, users can't change it. If not set, sticky keys is off at first, but users can turn it on any time.
Setting the policy to True makes the top row of keys on the keyboard act as function key commands. Pressing the Search key changes their behavior back to media keys.
If set to False or not set, the keyboard defaults to producing media key commands. Pressing the Search key changes them to function keys.
Setting the policy to None turns the screen magnifier off.
If you set the policy, users can't change it. If not set, the screen magnifier is off at first, but users can turn it on any time.
Enable the dictation accessibility feature.
If this policy is set to enabled, the dictation will always be enabled.
If this policy is set to disabled, the dictation will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the dictation is disabled initially but can be enabled by the user anytime.
Enable the select to speak accessibility feature.
If this policy is set to true, the select to speak will always be enabled.
If this policy is set to false, the select to speak will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the select to speak is disabled initially but can be enabled by the user anytime.
Enable the keyboard focus highlighting accessibility feature.
This feature is responsible for highlighting the object that has the focus by the keyboard.
If this policy is set to enabled, the keyboard focus highlighting will always be enabled.
If this policy is set to disabled, the keyboard focus highlighting will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the keyboard focus highlighting is disabled initially but can be enabled by the user anytime.
Enable the cursor highlight accessibility feature.
This feature is responsible for highlighting the area that surrounds the mouse cursor while moving it.
If this policy is set to enabled, the cursor highlight will always be enabled.
If this policy is set to disabled, the cursor highlight will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the cursor highlight is disabled initially but can be enabled by the user anytime.
Enable the caret highlight accessibility feature.
This feature is responsible for highlighting the area that surrounds the caret while editing.
If this policy is set to enabled, the caret highlight will always be enabled.
If this policy is set to disabled, the caret highlight will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the caret highlight is disabled initially but can be enabled by the user anytime.
Enable the mono audio accessibility feature.
This feature is responsible for outputing stereo audio which includes different left and right channels, so different ears get different sounds.
If this policy is set to enabled, the mono audio will always be enabled.
If this policy is set to disabled, the mono audio will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the mono audio is disabled initially but can be enabled by the user anytime.
Enable accessibility features shortcuts.
If this policy is set to true, accessibility features shortcuts will always be enabled.
If this policy is set to false, accessibility features shortcuts will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, accessibility features shortcuts will be enabled by default.
Enable the autoclick accessibility feature.
This feature is responsible to click without physically pressing your mouse or touchpad, hover over the object you'd like to click.
If this policy is set to enabled, the autoclick will always be enabled.
If this policy is set to disabled, the autoclick will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the autoclick is disabled initially but can be enabled by the user anytime.
Setting the policy to True turns the large cursor on at the sign-in screen. Setting the policy to False turns the large cursor off at the sign-in screen.
If you set the policy, users can temporarily turn the large cursor on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.
If not set, the large cursor is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.
Note: DeviceLoginScreenLargeCursorEnabled overrides this policy if the former is specified.
Setting the policy to True turns spoken feedback on at the sign-in screen. Setting the policy to False turns spoken feedback off at the screen.
If you set the policy, users can temporarily turn spoken feedback on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.
If not set, spoken feedback is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.
Note: DeviceLoginScreenSpokenFeedbackEnabled overrides this policy if the former is specified.
Setting the policy to True turns High-contrast mode on at the sign-in screen. Setting the policy to False turns High-contrast mode off at the screen.
If you set the policy, users can temporarily change High-contrast mode, turning it on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.
If not set, High-contrast mode is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.
Note: DeviceLoginScreenHighContrastEnabled overrides this policy if the former is specified.
This policy is deprecated, please use the DeviceLoginScreenVirtualKeyboardEnabled policy instead.
Setting the policy to True turns the on-screen keyboard on at sign-in. Setting the policy to False turns the on-screen keyboard off at sign-in.
If you set the policy, users can temporarily turn the on-screen keyboard on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.
If not set, the on-screen keyboard is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.
Note: DeviceLoginScreenVirtualKeyboardEnabled overrides this policy if the former is specified.
Setting the policy to None turns screen magnification off at the sign-in screen.
If you set the policy, users can temporarily turn the screen magnifier on or off. When the sign-in screen reloads or stays idle for a minute, it reverts to its original state.
If not set, the screen magnifier is off at the sign-in screen. Users can turn it on any time, and its status on the sign-in screen persists across users.
Valid values: • 0 = Off • 1 = On • 2 = Docked magnifier on
Note: DeviceLoginScreenScreenMagnifierType overrides this policy if the former is specified.
Enable the large cursor accessibility feature on the login screen.
If this policy is set to true, the large cursor will always be enabled on the login screen.
If this policy is set to false, the large cursor will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the large cursor is disabled on the login screen initially but can be enabled by the user anytime.
Enable the spoken feedback accessibility feature on the login screen.
If this policy is set to true, the spoken feedback will always be enabled on the login screen.
If this policy is set to false, the spoken feedback will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the spoken feedback is disabled on the login screen initially but can be enabled by the user anytime.
Enable the high contrast accessibility feature on the login screen.
If this policy is set to true, the high contrast will always be enabled on the login screen.
If this policy is set to false, the high contrast will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the high contrast is disabled on the login screen initially but can be enabled by the user anytime.
Enable the virtual keyboard accessibility feature on the login screen.
If this policy is set to true, the virtual keyboard will always be enabled on the login screen.
If this policy is set to false, the virtual keyboard will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the virtual keyboard is disabled on the login screen initially but can be enabled by the user anytime.
Enable the dictation accessibility feature on the login screen.
If this policy is set to true, the dictation will always be enabled on the login screen.
If this policy is set to false, the dictation will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the dictation is disabled on the login screen initially but can be enabled by the user anytime.
Enable the select to speak accessibility feature on the login screen.
If this policy is set to true, the select to speak will always be enabled on the login screen.
If this policy is set to false, the select to speak will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the select to speak is disabled on the login screen initially but can be enabled by the user anytime.
Enable the cursor highlight accessibility feature on the login screen.
If this policy is set to true, the cursor highlight will always be enabled on the login screen.
If this policy is set to false, the cursor highlight will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the cursor highlight is disabled on the login screen initially but can be enabled by the user anytime.
Enable the caret highlight accessibility feature on the login screen.
If this policy is set to true, the caret highlight will always be enabled on the login screen.
If this policy is set to false, the caret highlight will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the caret highlight is disabled on the login screen initially but can be enabled by the user anytime.
Enable the mono audio accessibility feature on the login screen.
This feature allows to switch the device mode from the default stereo audio to the mono audio.
If this policy is set to true, the mono audio will always be enabled on the login screen.
If this policy is set to false, the mono audio will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the mono audio is disabled on the login screen initially but can be enabled by the user anytime.
Enable the autoclick accessibility feature on the login screen.
This feature allows to automatically click when the mouse cursor stops, without requiring the user to physically press the mouse or touchpad buttons.
If this policy is set to true, the autoclick will always be enabled on the login screen.
If this policy is set to false, the autoclick will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the autoclick is disabled on the login screen initially but can be enabled by the user anytime.
Enable the sticky keys accessibility feature on the login screen.
If this policy is set to true, the sticky keys will always be enabled on the login screen.
If this policy is set to false, the sticky keys will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the sticky keys is disabled on the login screen initially but can be enabled by the user anytime.
Enable the keyboard focus highlighting accessibility feature on the login screen.
This feature is responsible for highlighting the object that is focused by the keyboard.
If this policy is set to enabled, the keyboard focus highlighting will always be enabled.
If this policy is set to disabled, the keyboard focus highlighting will always be disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the keyboard focus highlighting is disabled initially but can be enabled by the user anytime.
If this policy is set, it controls the type of screen magnifier that is enabled.
If this policy is set to "Full-screen", the screen magnifier will always be enabled in full-screen magnifier mode on the login screen.
If this policy is set to "Docked", the screen magnifier will always be enabled in docked magnifier mode on the login screen.
If this policy is set to "None", the screen magnifier will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the dictation is disabled on the login screen initially but can be enabled by the user anytime.
Setting the policy to True displays the accessibility options in the system tray menu. If you set the policy to False, the options don't appear in the menu.
If you set the policy, users can't change it. If not set, accessibility options don't appear in the menu, but users can make them appear through the Settings page.
If you turn on accessibility features by other means (for example, by key combination), accessibility options always appear in the system tray menu.
Enable accessibility features shortcuts on the login screen.
If this policy is set to true, accessibility features shortcuts will always be enabled on the login screen.
If this policy is set to false, accessibility features shortcuts will always be disabled on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, accessibility features shortcuts will be enabled by default on the login screen.
In kiosk mode, controls whether the floating accessibility menu is being shown.
If this policy is set to enabled, the floating accessibility menu will be always shown.
If this policy is set to disabled or left unset, the floating accessibility menu will never be shown.
Allow the enhanced network text-to-speech voices in Select-to-speak accessibility feature. These voices send text to Google's servers to synthesize natural-sounding speech.
If this policy is set to false, the enhanced network text-to-speech voices feature in Select-to-speak will always be disabled.
If this policy is set to true or unset, the enhanced network text-to-speech voices feature in Select-to-speak can be enabled or disabled by the user.
If enabled or not configured (default), a Web page can use screen-share APIs (e.g., getDisplayMedia() or the Desktop Capture extension API) to prompt the user to select a tab, window or desktop to capture.
When this policy is disabled, any calls to screen-share APIs will fail with an error; however this policy is not considered (and a site will be allowed to use screen-share APIs) if the site matches an origin pattern in any of the following policies: ScreenCaptureAllowedByOrigins, WindowCaptureAllowedByOrigins, TabCaptureAllowedByOrigins, SameOriginTabCaptureAllowedByOrigins.
Setting the policy lets you set a list of URL patterns that can use Desktop, Window, and Tab Capture.
Leaving the policy unset means that sites will not be considered for an override at this level of Capture.
This policy is not considered if a site matches a URL pattern in any of the following policies: WindowCaptureAllowedByOrigins, TabCaptureAllowedByOrigins, SameOriginTabCaptureAllowedByOrigins.
If a site matches a URL pattern in this policy, the ScreenCaptureAllowed will not be considered.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. This policy only matches based on origin, so any path in the URL pattern is ignored.
Setting the policy lets you set a list of URL patterns that can use Window and Tab Capture.
Leaving the policy unset means that sites will not be considered for an override at this level of Capture.
This policy is not considered if a site matches a URL pattern in any of the following policies: TabCaptureAllowedByOrigins, SameOriginTabCaptureAllowedByOrigins.
If a site matches a URL pattern in this policy, the following policies will not be considered: ScreenCaptureAllowedByOrigins, ScreenCaptureAllowed.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. This policy only matches based on origin, so any path in the URL pattern is ignored.
Setting the policy lets you set a list of URL patterns that can use Tab Capture.
Leaving the policy unset means that sites will not be considered for an override at this level of capture.
Note that windowed Chrome Apps will still be allowed to be captured.
This policy is not considered if a site matches a URL pattern in the SameOriginTabCaptureAllowedByOrigins policy.
If a site matches a URL pattern in this policy, the following policies will not be considered: WindowCaptureAllowedByOrigins, ScreenCaptureAllowedByOrigins, ScreenCaptureAllowed.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. This policy only matches based on origin, so any path in the URL pattern is ignored.
Setting the policy lets you set a list of URL patterns that can capture tabs with their same Origin.
Leaving the policy unset means that sites will not be considered for an override at this level of capture.
Note that windowed Chrome Apps with the same origin as this site will still be allowed to be captured.
If a site matches a URL pattern in this policy, the following policies will not be considered: TabCaptureAllowedByOrigins, WindowCaptureAllowedByOrigins, ScreenCaptureAllowedByOrigins, ScreenCaptureAllowed.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. This policy only matches based on origin, so any path in the URL pattern is ignored.
Unless Ephemeral mode or multiple sign-in is on during the user's session, setting ArcEnabled to True turns ARC on for the user. Setting the policy to False or leaving it unset means enterprise users can't use ARC.
Unless ARC is turned off by other means, then setting the policy to True or leaving it unset lets users use ARC. Setting the policy to False means unaffiliated users may not use ARC.
Changes to the policy only apply while ARC isn't running, for example, while starting ChromeOS.
Setting the policy specifies a set of policies to hand over to the ARC runtime. Admins can use it to select the Android apps that autoinstall. Enter value in valid JSON format.
To pin apps to the launcher, see PinnedLauncherApps.
Setting the policy to True sends reports of key, policy-triggered Android app installation events to Google. Setting the policy to False means no events are captured.
Setting the policy to BackupAndRestoreEnabled means Android backup and restore is initially on. Setting the policy to BackupAndRestoreDisabled or leaving it unset keeps backup and restore off during setup.
Setting the policy to BackupAndRestoreUnderUserControl means users see prompts to use backup and restore. If they turn on backup and restore, Android app data is uploaded to Android backup servers and restored during reinstallations of compatible apps.
After initial setup, users can turn backup and restore on or off.
Unless the DefaultGeolocationSetting policy is set to BlockGeolocation, then setting GoogleLocationServicesEnabled turns Google location services on during initial setup. Setting the policy to GoogleLocationServicesDisabled or leaving it unset keeps location services off during setup.
Setting policy to BackupAndRestoreUnderUserControl prompts users about whether or not to use Google location services. If they turn it on, Android apps use the services to search the device location and send anonymous location data to Google.
After initial setup, users can turn Google location services on or off.
Setting the policy to CopyCaCerts makes all ONC-installed CA certificates with Web TrustBit available for ARC-apps.
Setting to None or leaving it unset makes Google Chrome OS certificates unavailable for ARC-apps.
Setting this policy to Enabled will cause recommendations for apps previously installed by the user on other devices. These recommendations will appear in the launcher after the local app recomendations, if no search text has been entered.
Setting this policy as Disabled or leaving it unset means these recommendations do not appear.
If this policy is set, users cannot change it.
If "DeviceArcDataSnapshotHours" policy is set, then the ARC data snapshotting mechanism is turned on. And the ARC data snapshot update can be started automatically during the defined time intervals. When an interval starts, ARC data snapshot update is required and no user is logged-in, the ARC data snapshot update process is started without user notification. If the user session is active, the UI notification is shown and have to be accepted in order to reboot a device and start ARC data snapshot update process. Note: a device is blocked for usage during the ARC data snapshot update process.
Setting the policy to True enables sharing text/files from Android apps to supported Web Apps, using the built-in Android sharing system. When enabled, this will send metadata for installed Web Apps to Google to generate and install a shim Android app. Setting the policy to False disables this functionality.
Controls the availability of Borealis for this device.
If the policy is set to false, Borealis will be unavailable for all users of the device. Otherwise (when the policy is unset, or true) Borealis will be available if and only if no other policy or setting disables it.
Controls the availability of Borealis for this user.
If the policy is set to false, Borealis will be unavailable. Otherwise (when the policy is unset, or true) Borealis will be available if and only if no other policy or setting disables it.
Specifies device-wide client certificates that should be enrolled using the device management protocol.
Specifies client certificates that should be enrolled using the device management protocol.
Setting the policy to 2 blocks sites from using the clipboard site permission. Setting the policy to 3 or leaving it unset lets the user change the setting and decide if the clipboard APIs are available when a site wants to use one.
This policy can be overridden for specific URL patterns using the ClipboardAllowedForUrls and ClipboardBlockedForUrls policies.
This policy only affects clipboard operations controlled by the clipboard site permission, and does not affect sanitized clipboard writes or trusted copy and paste operations.
Unless the RestoreOnStartup policy is set to permanently restore URLs from previous sessions, then setting CookiesSessionOnlyForUrls lets you make a list of URL patterns that specify sites that can and can't set cookies for one session.
Leaving the policy unset results in the use of DefaultCookiesSetting for all sites, if it's set. If not, the user's personal setting applies. URLs not covered by the patterns specified also result in the use of defaults.
While no specific policy takes precedence, see CookiesBlockedForUrls and CookiesAllowedForUrls. URL patterns among these 3 policies must not conflict.
Setting the policy to 3 lets websites ask for read access to files and directories in the host operating system's file system via the File System API. Setting the policy to 2 denies access.
Leaving it unset lets websites ask for access, but users can change this setting.
Setting the policy to 3 lets websites ask for write access to files and directories in the host operating system's file system. Setting the policy to 2 denies access.
Leaving it unset lets websites ask for access, but users can change this setting.
Setting the policy to 1 lets all websites display images. Setting the policy to 2 denies image display.
Leaving it unset allows images, but users can change this setting.
Allows you to set whether users can add exceptions to allow mixed content for specific sites.
This policy can be overridden for specific URL patterns using the 'InsecureContentAllowedForUrls' and 'InsecureContentBlockedForUrls' policies.
If this policy is left not set, users will be allowed to add exceptions to allow blockable mixed content and disable autoupgrades for optionally blockable mixed content.
Setting the policy to 1 lets websites run JavaScript. Setting the policy to 2 denies JavaScript.
Leaving it unset allows JavaScript, but users can change this setting.
Allows you to set whether Google Chrome will run the v8 JavaScript engine with JIT (Just In Time) compiler enabled or not.
Disabling the JavaScript JIT will mean that Google Chrome may render web content more slowly, and may also disable parts of JavaScript including WebAssembly. Disabling the JavaScript JIT may allow Google Chrome to render web content in a more secure configuration.
This policy can be overridden for specific URL patterns using the JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies.
If this policy is left not set, JavaScript JIT is enabled.
Setting the policy to BlockLocalFonts (value 2) automatically denies the local fonts permission to sites by default. This will limit the ability of sites to see information about local fonts.
Setting the policy to AskLocalFonts (value 3) will prompt the user when the local fonts permission is requested by default. If users allow the permission, it will extend the ability of sites to see information about local fonts.
Leaving the policy unset means the default behavior applies which is to prompt the user, but users can change this setting
Setting the policy to 1 lets websites display pop-ups. Setting the policy to 2 denies pop-ups.
Leaving it unset means BlockPopups applies, but users can change this setting.
Setting the policy to 1 lets websites display desktop notifications. Setting the policy to 2 denies desktop notifications.
Leaving it unset means AskNotifications applies, but users can change this setting.
Setting the policy to 1 lets sites track the users' physical location as the default state. Setting the policy to 2 denies this tracking by default. You can set the policy to ask whenever a site wants to track the users' physical location.
Leaving the policy unset means the AskGeolocation policy applies, but users can change this setting.
If this policy is set to BlockGeolocation, Android apps cannot access location information. If you set this policy to any other value or leave it unset, the user is asked to consent when an Android app wants to access location information.
Allows you to set whether websites are allowed to get access to media capture devices. Access to media capture devices can be allowed by default, or the user can be asked every time a website wants to get access to media capture devices.
If this policy is left not set, 'PromptOnAccess' will be used and the user will be able to change it.
Setting the policy to 1 lets websites access and use sensors such as motion and light. Setting the policy to 2 denies acess to sensors.
Leaving it unset means AllowSensors applies, but users can change this setting.
Setting the policy to 3 lets websites ask for access to nearby Bluetooth devices. Setting the policy to 2 denies access to nearby Bluetooth devices.
Leaving the policy unset lets sites ask for access, but users can change this setting.
Setting the policy to 3 lets websites ask for access to connected USB devices. Setting the policy to 2 denies access to connected USB devices.
Leaving it unset lets websites ask for access, but users can change this setting.
Setting the policy to 3 lets websites ask for access to serial ports. Setting the policy to 2 denies access to serial ports.
Leaving it unset lets websites ask for access, but users can change this setting.
Setting the policy to 3 lets websites ask for access to HID devices. Setting the policy to 2 denies access to HID devices.
Leaving it unset lets websites ask for access, but users can change this setting.
This policy can be overridden for specific url patterns using the WebHidAskForUrls and WebHidBlockedForUrls policies.
Setting the policy to BlockWindowPlacement (value 2) automatically denies the window placement permission to sites by default. This will limit the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
Setting the policy to AskWindowPlacement (value 3) will prompt the user when the window placement permission is requested by default. If users allow the permission, it will extend the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
Leaving the policy unset means the AskWindowPlacement policy applies, but users can change this setting.
Setting the policy lets you set a list of URL patterns that specify sites that can use the clipboard site permission. This does not include all clipboard operations on origins matching the patterns. For instance, users will still be able to paste using keyboard shortcuts as this isn't gated by the clipboard site permission.
Leaving the policy unset means DefaultClipboardSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you set a list of URL patterns that specify sites that can't use the clipboard site permission. This does not include all clipboard operations on origins matching the patterns. For instance, users will still be able to paste using keyboard shortcuts as this isn't gated by the clipboard site permission.
Leaving the policy unset means DefaultClipboardSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you make a list of URL patterns that specify sites for which Chrome can automatically select a client certificate. The value is an array of stringified JSON dictionaries, each with the form { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where $URL_PATTERN is a content setting pattern. $FILTER restricts the client certificates the browser automatically selects from. Independent of the filter, only certificates that match the server's certificate request are selected.
Examples for the usage of the $FILTER section:
* When $FILTER is set to { "ISSUER": { "CN": "$ISSUER_CN" } }, only client certificates issued by a certificate with the CommonName $ISSUER_CN are selected.
* When $FILTER contains both the "ISSUER" and the "SUBJECT" sections, only client certificates that satisfy both conditions are selected.
* When $FILTER contains a "SUBJECT" section with the "O" value, a certificate needs at least one organization matching the specified value to be selected.
* When $FILTER contains a "SUBJECT" section with a "OU" value, a certificate needs at least one organizational unit matching the specified value to be selected.
* When $FILTER is set to {}, the selection of client certificates is not additionally restricted. Note that filters provided by the web server still apply.
Leaving the policy unset means there's no autoselection for any site.
Allows you to set a list of url patterns that specify sites which are allowed to set cookies.
If this policy is left not set the global default value will be used for all sites either from the DefaultCookiesSetting policy if it is set, or the user's personal configuration otherwise.
See also policies CookiesBlockedForUrls and CookiesSessionOnlyForUrls. Note that there must be no conflicting URL patterns between these three policies - it is unspecified which policy takes precedence.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you make a list of URL patterns that specify sites that can't set cookies.
Leaving the policy unset results in the use of DefaultCookiesSetting for all sites, if it's set. If not, the user's personal setting applies.
While no specific policy takes precedence, see CookiesAllowedForUrls and CookiesSessionOnlyForUrls. URL patterns among these 3 policies must not conflict.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Unless the RestoreOnStartup policy is set to permanently restore URLs from previous sessions, then setting CookiesSessionOnlyForUrls lets you make a list of URL patterns that specify sites that can and can't set cookies for one session.
Leaving the policy unset results in the use of DefaultCookiesSetting for all sites, if it's set. If not, the user's personal setting applies. URLs not covered by the patterns specified also result in the use of defaults.
While no specific policy takes precedence, see CookiesBlockedForUrls and CookiesAllowedForUrls. URL patterns among these 3 policies must not conflict.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them read access to files or directories in the host operating system's file system via the File System API.
Leaving the policy unset means DefaultFileSystemReadGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns must not conflict with FileSystemReadBlockedForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them read access to files or directories in the host operating system's file system via the File System API.
Leaving the policy unset means DefaultFileSystemReadGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns can't conflict with FileSystemReadAskForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them write access to files or directories in the host operating system's file system.
Leaving the policy unset means DefaultFileSystemWriteGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns must not conflict with FileSystemWriteBlockedForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them write access to files or directories in the host operating system's file system.
Leaving the policy unset means DefaultFileSystemWriteGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns can't conflict with FileSystemWriteAskForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you set a list of URL patterns that specify sites that may display images.
Leaving the policy unset means DefaultImagesSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Note that previously this policy was erroneously enabled on Android, but this functionality has never been fully supported on Android.
Setting the policy lets you set a list of URL patterns that specify sites that can't display images.
Leaving the policy unset means DefaultImagesSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Note that previously this policy was erroneously enabled on Android, but this functionality has never been fully supported on Android.
Allows you to set a list of url patterns that specify sites which are allowed to display blockable (i.e. active) mixed content (i.e. HTTP content on HTTPS sites) and for which optionally blockable mixed content upgrades will be disabled.
If this policy is left not set blockable mixed content will be blocked and optionally blockable mixed content will be upgraded, and users will be allowed to set exceptions to allow it for specific sites.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Allows you to set a list of url patterns that specify sites which are not allowed to display blockable (i.e. active) mixed content (i.e. HTTP content on HTTPS sites), and for which optionally blockable (i.e. passive) mixed content will be upgraded.
If this policy is left not set blockable mixed content will be blocked and optionally blockable mixed content will be upgraded, but users will be allowed to set exceptions to allow it for specific sites.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you set a list of URL patterns that specify the sites that can run JavaScript.
Leaving the policy unset means DefaultJavaScriptSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you set a list of URL patterns that specify the sites that can't run JavaScript.
Leaving the policy unset means DefaultJavaScriptSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Allows you to set a list of site url patterns that specify sites which are allowed to run JavaScript with JIT (Just In Time) compiler enabled.
For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
JavaScript JIT policy exceptions will only be enforced at a site granularity (eTLD+1). A policy set for only subdomain.site.com will not correctly apply to site.com or subdomain.site.com since they both resolve to the same eTLD+1 (site.com) for which there is no policy. In this case, policy must be set on site.com to apply correctly for both site.com and subdomain.site.com.
This policy applies on a frame-by-frame basis and not based on top level origin url alone, so e.g. if site-one.com is listed in the JavaScriptJitAllowedForSites policy but site-one.com loads a frame containing site-two.com then site-one.com will have JavaScript JIT enabled, but site-two.com will use the policy from DefaultJavaScriptJitSetting, if set, or default to JavaScript JIT enabled.
If this policy is not set for a site then the policy from DefaultJavaScriptJitSetting applies to the site, if set, otherwise Javascript JIT is enabled for the site.
Allows you to set a list of site url patterns that specify sites which are not allowed to run JavaScript JIT (Just In Time) compiler enabled.
Disabling the JavaScript JIT will mean that Google Chrome may render web content more slowly, and may also disable parts of JavaScript including WebAssembly. Disabling the JavaScript JIT may allow Google Chrome to render web content in a more secure configuration.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
JavaScript JIT policy exceptions will only be enforced at a site granularity (eTLD+1). A policy set for only subdomain.site.com will not correctly apply to site.com or subdomain.site.com since they both resolve to the same eTLD+1 (site.com) for which there is no policy. In this case, policy must be set on site.com to apply correctly for both site.com and subdomain.site.com.
This policy applies on a frame-by-frame basis and not based on top level origin url alone, so e.g. if site-one.com is listed in the JavaScriptJitBlockedForSites policy but site-one.com loads a frame containing site-two.com then site-one.com will have JavaScript JIT disabled, but site-two.com will use the policy from DefaultJavaScriptJitSetting, if set, or default to JavaScript JIT enabled.
If this policy is not set for a site then the policy from DefaultJavaScriptJitSetting applies to the site, if set, otherwise JavaScript JIT is enabled for the site.
Cookies set for domains matching these patterns will revert to legacy SameSite behavior. Reverting to legacy behavior causes cookies that don't specify a SameSite attribute to be treated as if they were "SameSite=None", removes the requirement for "SameSite=None" cookies to carry the "Secure" attribute, and skips the scheme comparison when evaluating if two sites are same-site. See https://www.chromium.org/administrators/policy-list-3/cookie-legacy-samesite-policies for full description.
For cookies on domains not covered by the patterns specified here, or for all cookies if this policy is not set, the global default value will be the user's personal configuration.
For detailed information on valid patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
Note that patterns you list here are treated as domains, not URLs, so you should not specify a scheme or port.
Sets a list of site url patterns that specify sites which will automatically grant the local fonts permission. This will extend the ability of sites to see information about local fonts.
For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.
If this policy is not set for a site then the policy from DefaultLocalFontsSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.
Sets a list of site url patterns that specify sites which will automatically deny the local fonts permission. This will limit the ability of sites to see information about local fonts.
For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.
If this policy is not set for a site then the policy from DefaultLocalFontsSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.
Setting the policy lets you set a list of URL patterns that specify the sites that can open pop-ups.
Leaving the policy unset means DefaultPopupsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy (as recommended only) lets you register a list of protocol handlers, which merge with the ones that the user registers, putting both sets in use. Set the property "protocol" to the scheme, such as "mailto", and set the property "URL" to the URL pattern of the application that handles the scheme specified in the "protocol" field. The pattern can include a "%s" placeholder, which the handled URL replaces.
Users can't remove a protocol handler registered by policy. However, by installing a new default handler, they can change the protocol handlers installed by policy.
The protocol handlers set via this policy are not used when handling Android intents.
Setting the policy lets you set a list of URL patterns that specify the sites that can't open pop-ups.
Leaving the policy unset means DefaultPopupsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you set a list of URL patterns that specify the sites that can display notifications.
Leaving the policy unset means DefaultNotificationsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you set a list of URL patterns that specify the sites that can't display notifications.
Leaving the policy unset means DefaultNotificationsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you set a list of URL patterns that specify the sites that can access sensors like motion and light sensors.
Leaving the policy unset means DefaultSensorsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
If the same URL pattern exists in both this policy and the SensorsBlockedForUrls policy, the latter is prioritized and access to motion or light sensors will be blocked.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you set a list of URL patterns that specify the sites that can't access sensors like motion and light sensors.
Leaving the policy unset means DefaultSensorsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
If the same URL pattern exists in both this policy and the SensorsAllowedForUrls policy, this policy is prioritized and access to motion or light sensors will be blocked.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you list the URL patterns that specify which sites are automatically granted permission to access a USB device with the given vendor and product IDs. Each item in the list requires both devices and urls fields for the policy to be valid. Each item in the devices field can have a vendor_id and product_id field. Omitting the vendor_id field will create a policy matching any device. Omitting the product_id field will create a policy matching any device with the given vendor ID. A policy which has a product_id field without a vendor_id field is invalid.
The USB permission model will grant the specified URL permission to access the USB device as a top-level origin. If embedded frames need to access USB devices, the 'usb' feature-policy header should be used to grant access. The URL must be valid, otherwise the policy is ignored.
Deprecated: The USB permission model used to support specifying both the requesting and embedding URLs. This is deprecated and only supported for backwards compatiblity in this manner: if both a requesting and embedding URL is specified, then the embedding URL will be granted the permission as top-level origin and the requsting URL will be ignored entirely.
This policy overrides DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls and the user's preferences.
This policy only affects access to USB devices through the WebUSB API. To grant access to USB devices through the Web Serial API see the SerialAllowUsbDevicesForUrls policy.
Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them access to a USB device.
Leaving the policy unset means DefaultWebUsbGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns must not conflict with WebUsbAskForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them access to a USB device.
Leaving the policy unset means DefaultWebUsbGuardSetting applies for all sites, if it's set. If not, the user's personal setting applies.
URL patterns can't conflict with WebUsbAskForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them access to a serial port.
Leaving the policy unset means DefaultSerialGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
For URL patterns which do not match the policy SerialBlockedForUrls (if there is a match), DefaultSerialGuardSetting (if set), or the users' personal settings take precedence, in that order.
URL patterns must not conflict with SerialBlockedForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them access to a serial port.
Leaving the policy unset means DefaultSerialGuardSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For URL patterns which do not match the policy SerialAskForUrls (if there is a match), DefaultSerialGuardSetting (if set), or the users' personal settings take precedence, in that order.
URL patterns can't conflict with SerialAskForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy allows you to list sites which are automatically granted permission to access all available serial ports.
The URLs must be valid, otherwise the policy is ignored. Only the origin (scheme, host and port) of the URL is considered.
On Google Chrome OS, this policy only applies to affiliated users.
This policy overrides DefaultSerialGuardSetting, SerialAskForUrls, SerialBlockedForUrls and the user's preferences.
Setting the policy allows you to list sites which are automatically granted permission to access USB serial devices with vendor and product IDs matching the vendor_id and product_id fields. Omitting the product_id field allows the given sites permission to access devices with a vendor ID matching the vendor_id field and any product ID.
The URLs must be valid, otherwise the policy is ignored. Only the origin (scheme, host and port) of the URL is considered.
On ChromeOS, this policy only applies to affiliated users.
This policy overrides DefaultSerialGuardSetting, SerialAskForUrls, SerialBlockedForUrls and the user's preferences.
This policy only affects access to USB devices through the Web Serial API. To grant access to USB devices through the WebUSB API see the WebUsbAllowDevicesForUrls policy.
Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them access to a HID device.
Leaving the policy unset means DefaultWebHidGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
For URL patterns which do not match the policy, the following take precedence, in this order:
* WebHidBlockedForUrls (if there is a match),
* DefaultWebHidGuardSetting (if set), or
* Users' personal settings.
URL patterns must not conflict with WebHidBlockedForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them access to a HID device.
Leaving the policy unset means DefaultWebHidGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
For URL patterns which do not match the policy, the following take precedence, in this order:
* WebHidAskForUrls (if there is a match),
* DefaultWebHidGuardSetting (if set), or
* Users' personal settings.
URL patterns can't conflict with WebHidAskForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy.
Setting the policy allows you to list sites which are automatically granted permission to access all available devices.
The URLs must be valid, otherwise the policy is ignored. Only the origin (scheme, host and port) of the URL is considered.
On ChromeOS, this policy only applies to affiliated users.
This policy overrides DefaultWebHidGuardSetting, WebHidAskForUrls, WebHidBlockedForUrls and the user's preferences.
Setting the policy lets you list the URLs that specify which sites are automatically granted permission to access a HID device with the given vendor and product IDs. Each item in the list requires both devices and urls fields for the item to be valid, otherwise the item is ignored. Each item in the devices field must have a vendor_id and may have a product_id field. Omitting the product_id field will create a policy matching any device with the specified vendor ID. An item which has a product_id field without a vendor_id field is invalid and is ignored.
Leaving the policy unset means DefaultWebHidGuardSetting applies, if it's set. If not, the user's personal setting applies.
URLs in this policy shouldn't conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls.
Setting the policy lets you list the URLs that specify which sites are automatically granted permission to access a HID device containing a top-level collection with the given HID usage. Each item in the list requires both usages and urls fields for the policy to be valid. Each item in the usages field must have a usage_page and may have a usage field. Omitting the usage field will create a policy matching any device containing a top-level collection with a usage from the specified usage page. An item which has a usage field without a usage_page field is invalid and is ignored.
Leaving the policy unset means DefaultWebHidGuardSetting applies, if it's set. If not, the user's personal setting applies.
URLs in this policy shouldn't conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls.
Allows you to set a list of site url patterns that specify sites which will automatically grant the window placement permission. This will extend the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.
If this policy is not set for a site then the policy from DefaultWindowPlacementSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.
Allows you to set a list of site url patterns that specify sites which will automatically deny the window placement permission. This will limit the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
For detailed information on valid site url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.
If this policy is not set for a site then the policy from DefaultWindowPlacementSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.
Setting the policy specifies a device's time zone and turns off location-based automatic time zone adjustment while overriding the SystemTimezoneAutomaticDetection policy. Users can't change the time zone.
New devices start with the time zone set to US Pacific. Value format follows the names in the IANA Time Zone Database ( https://en.wikipedia.org/wiki/Tz_database ). Entering an invalid value activates the policy using GMT.
If not set or if you enter an empty string, the device uses the currently active time zone, but users can change it.
Unless the SystemTimezone policy turns off automatic time zone detection, then setting the policy outlines the automatic time zone detection method, which users can't change.
Setting the policy to: * TimezoneAutomaticDetectionDisabled keeps automatic time zone detection off. * TimezoneAutomaticDetectionIPOnly keeps automatic time zone detection on, using the IP-only method. * TimezoneAutomaticDetectionSendWiFiAccessPoints keeps automatic time zone detection on, continually sending the list of visible Wi-Fi access-points to the Geolocation API server for finer-grained time zone detection. * TimezoneAutomaticDetectionSendAllLocationInfo keeps automatic time zone detection on, continually sending location information (such as Wi-Fi access points, reachable cell towers, GPS) to a server for the most fine-grained time zone detection.
If not set, set to Let users decide, or set to None, then users control automatic time zone detection using normal controls in chrome://settings.
Setting the policy to True gives a device's sign-in screen a 24-hour clock format.
Setting the policy to False gives a device's sign-in screen a 12-hour clock format.
Leaving the policy unset makes a device use the format from the current locale.
User sessions also default to the device format, but users can change an account's clock format.
Setting the policy to Enabled means a default search is performed when a user enters non-URL text in the address bar. To specify the default search provider, set the rest of the default search policies. If you leave those policies empty, the user can choose the default provider. Setting the policy to Disabled means there's no search when the user enters non-URL text in the address bar.
If you set the policy, users can't change it in Google Chrome. If not set, the default search provider is on, and users can set the search provider list.
On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderName specifies the default search provider's name.
Leaving DefaultSearchProviderName unset means the hostname specified by the search URL is used.
If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderKeyword specifies the keyword or shortcut used in the address bar to trigger the search for this provider.
Leaving DefaultSearchProviderKeyword unset means no keyword activates the search provider.
If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderSearchURL specifies the URL of the search engine used during a default search. The URL should include the string '{searchTerms}', replaced in the query by the user's search terms.
You can specify Google's search URL as: '{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}'.
If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderSuggestURL specifies the URL of the search engine to provide search suggestions. The URL should include the string '{searchTerms}', replaced in the query by the user's search terms.
You can specify Google's search URL as: '{google:baseURL}complete/search?output=chrome&q={searchTerms}'.
If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderIconURL specifies the default search provider's favorite icon URL.
Leaving DefaultSearchProviderIconURL unset means there's no icon for the search provider.
If DefaultSearchProviderEnabled is on, setting DefaultSearchProviderEncodings specifies the character encodings supported by the search provider. Encodings are code page names such as UTF-8, GB2312, and ISO-8859-1. They're tried in the order provided.
Leaving DefaultSearchProviderEncodings unset puts UTF-8 in use.
If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderAlternateURLs specifies a list of alternate URLs for extracting search terms from the search engine. The URLs should include the string '{searchTerms}'.
Leaving DefaultSearchProviderAlternateURLs unset means no alternate URLs are used to extract search terms.
If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderImageURL specifies the URL of the search engine used for image search. (If DefaultSearchProviderImageURLPostParams is set, then image search requests use the POST method instead.)
Leaving DefaultSearchProviderImageURL unset means no image search is used.
If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderNewTabURL specifies the URL of the search engine used to provide a New Tab page.
Leaving DefaultSearchProviderNewTabURL unset means no new tab page is provided.
If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderSearchURLPostParams specifies the parameters when searching a URL with POST. It consists of comma-separated, name-value pairs. If a value is a template parameter, such as '{searchTerms}', real search terms data replaces it.
Leaving DefaultSearchProviderSearchURLPostParams unset means search requests are sent using the GET method.
If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderSuggestURLPostParams specifies the parameters during suggestion search with POST. It consists of comma-separated, name-value pairs. If a value is a template parameter, such as '{searchTerms}', real search terms data replaces it.
Leaving DefaultSearchProviderSuggestURLPostParams unset unset means suggest search requests are sent using the GET method.
If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderImageURLPostParams specifies the parameters during image search with POST. It consists of comma-separated, name-value pairs. If a value is a template parameter, such as {imageThumbnail}, real image thumbnail data replaces it.
Leaving DefaultSearchProviderImageURLPostParams unset means image search request is sent using the GET method.
Specifies the release channel that this device should be locked to.
Setting ChromeOsReleaseChannel only has an effect if ChromeOsReleaseChannelDelegated is set to False.
Users are only allowed to change the release channel of the device if this policy is set to True. If this policy is False or not set, users are not allowed to change the channel.
Setting ChromeOsReleaseChannel only has an effect if ChromeOsReleaseChannelDelegated is set to False.
Disables automatic updates when set to True.
Google Chrome OS devices automatically check for updates when this setting is not configured or set to False.
Warning: It is recommended to keep auto-updates enabled so that users receive software updates and critical security fixes. Turning off auto-updates might leave users at risk.
Specifies whether P2P is to be used for OS update payloads. If set to True, devices will share and attempt to consume update payloads on the LAN, potentially reducing Internet bandwidth usage and congestion. If the update payload is not available on the LAN, the device will fall back to downloading from an update server. If set to False, P2P will not be used.
NOTE: The default behavior for consumer and enterprise devices differs: on managed devices P2P will be enabled, while on non-managed devices it will not be enabled.
This policy controls the time frames during which the Google Chrome OS device is not allowed to check for updates automatically. When this policy is set to a non-empty list of time intervals: Devices will not be able to check for updates automatically during the specified time intervals. Devices that require an enterprise rollback or are below the minimum Google Chrome OS version will not be affected by this policy due to potential security issues. Furthermore, this policy will not block update checks requested by users or administrators. Starting from M88, this policy cancels an ongoing update when a restricted time interval is reached. The next auto update after the restricted time interval ends will automatically resume the update. Devices updating to a Quick Fix Build will not be affected by this policy. When this policy is unset or contains no time intervals: No automatic update checks will be blocked by this policy, but they may be blocked by other policies. Till M88, this feature is only enabled on Google Chrome OS devices configured as auto-launch kiosks. Other devices will not be restricted by this policy. However starting from M89, this policy is enabled on all Google Chrome OS devices.
Sets a target version for Auto Updates.
Specifies the prefix of a target version Google Chrome OS should update to. If the device is running a version that's before the specified prefix, it will update to the latest version with the given prefix. If the device is already on a later version, effects depend on the value of DeviceRollbackToTargetVersion. The prefix format works component-wise as is demonstrated in the following example:
"" (or not configured): update to latest version available. "1412.": update to any minor version of 1412 (e.g. 1412.24.34 or 1412.60.2) "1412.2.": update to any minor version of 1412.2 (e.g. 1412.2.34 or 1412.2.2) "1412.24.34": update to this specific version only
Warning: It is not recommended to configure version restrictions as they may prevent users from receiving software updates and critical security fixes. Restricting updates to a specific version prefix might leave users at risk.
This setting allows devices to select a specific target version of Google Chrome OS they will update to.
If not set, devices will update according to other settings or to the latest available version.
If set, devices will update up to a selected version.
The exact format of this policy value is an implementation detail of the update service and may change. The policy value is not processed on the device.
If used together with DeviceTargetVersionPrefix, this policy will be checked first by update service. Unlike DeviceTargetVersionPrefix (which may allow minor updates), devices will stay on the selected version until the value of this policy is changed.
If used together with DeviceRollbackToTargetVersion, device version can be reverted to a specific previous version.
Warning: It is not recommended to configure version restrictions as they may prevent users from receiving software updates and critical security fixes. Restricting updates to a specific version might leave users at risk.
This policy defines a list of percentages that will define the fraction of Google Chrome OS devices in the OU to update per day starting from the day the update is first discovered. The discovery time is later than the update published time, since it could be a while after the update publishing until the device checks for updates.
Each (day, percentage) pair contains which percentage of the fleet has to be updated by the given number of days since the update has been discovered. For example, if we have the pairs [(4, 40), (10, 70), (15, 100)], then 40% of the fleet should have been updated 4 days after seeing the update. 70% should be updated after 10 days, and so on.
If there is a value defined for this policy, updates will ignore the DeviceUpdateScatterFactor policy and follow this policy instead.
If this list is empty, there will be no staging and updates will be applied according to other device policies.
This policy does not apply for channel switches.
Specifies the number of seconds up to which a device may randomly delay its download of an update from the time the update was first pushed out to the server. The device may wait a portion of this time in terms of wall-clock-time and the remaining portion in terms of the number of update checks. In any case, the scatter is upper bounded to a constant amount of time so that a device does not ever get stuck waiting to download an update forever.
The types of connections that are allowed to use for OS updates. OS updates potentially put heavy strain on the connection due to their size and may incur additional cost. Therefore, they are by default not enabled for connection types that are considered expensive (currently only "cellular").
The recognized connection type identifiers are "ethernet", "wifi", and "cellular".
Auto-update payloads on Google Chrome OS can be downloaded via HTTP instead of HTTPS. This allows transparent HTTP caching of HTTP downloads.
If this policy is set to true, Google Chrome OS will attempt to download auto-update payloads via HTTP. If the policy is set to false or not set, HTTPS will be used for downloading auto-update payloads.
Schedule an automatic reboot after a Google Chrome OS update has been applied.
When this policy is set to true, an automatic reboot is scheduled when a Google Chrome OS update has been applied and a reboot is required to complete the update process. The reboot is scheduled immediately but may be delayed on the device by up to 24 hours if a user is currently using the device.
When this policy is set to false, no automatic reboot is scheduled after applying a Google Chrome OS update. The update process is completed when the user next reboots the device.
If you set this policy, users cannot change or override it.
Note: Currently, automatic reboots are only enabled while the login screen is being shown or a kiosk app session is in progress. This will change in the future and the policy will always apply, regardless of whether a session of any particular type is in progress or not.
Specifies whether the device should roll back to the version set by DeviceTargetVersionPrefix if it's already running a later version.
Default is RollbackDisabled.
Specifies the minimum number of Google Chrome OS milestones rollback should be allowed starting from the stable version at any time.
Default is 0 for consumer, 4 (approx. half a year) for enterprise enrolled devices.
Setting this policy prevents rollback protection to apply for at least this number of milestones.
Setting this policy to a lower value has a permanent effect: the device MAY not be able to roll back to earlier versions even after the policy is reset to a larger value.
Actual rollback possibilities may also depend on the board and critical vulnerability patches.
This policy controls whether or not the device should be updated to a Quick Fix Build.
If policy value is set to a token that maps to a Quick Fix Build, the device will be updated to the corresponding Quick Fix Build if the update is not blocked by another policy.
If this policy is not set, or if its value does not map to a Quick Fix Build, then the device won't be updated to a Quick Fix Build. If the device is already running a Quick Fix Build and the policy is not set anymore or its value does not map to a Quick Fix Build anymore, then the device will be updated to a regular build if the update is not blocked by another policy.
Configures the requirement of the minimum allowed version of Google Chrome OS.
When this policy is set to a non-empty list: If none of the entries has a chromeos_version greater than the current version of the device, then no restrictions are applied and the already existing restrictions are revoked. If at least one of the entries has a chromeos_version greater than the current version, the entry whose version is greater and closest to the current version is chosen. In case of conflict, preference is given to the entry with lower warning_period or aue_warning_period and the policy is applied using that entry.
If the current version becomes obsolete during user session and the current network limits auto updates, an on-screen notification is shown to update the device within the warning_period shown in the notification. No notifications are shown if the current network allows auto updates and the device must be updated within the warning_period. The warning_period starts from the time the policy is applied. If the device is not updated till the expiry of the warning_period, the user is signed out of the session. If the current version is found to be obsolete at the time of login with expired warning_period, the user is required to update the device before signing in.
If the current version becomes obsolete during user session and the device has reached auto update expiration, an on-screen notification is shown to return the device within aue_warning_period. If the device is found to have reached auto update expiration at the time of login with expired aue_warning_period, the device is blocked for any user to sign in.
Unmanaged user sessions do not receive notifications and force log out if unmanaged_user_restricted is unset or set to False.
If this policy is not set or set to empty, no restrictions are applied, already existing restrictions are revoked and user can sign in regardless of Google Chrome OS version.
Here chromeos_version can be either an exact version like '13305.0.0' or a version prefix, like '13305'. The warning_period and aue_warning_period are optional values specified in number of days. Default value for them is 0 days, which means that there is no warning period. The unmanaged_user_restricted is an optional property with default value as False.
This policy is only effective when the device has reached auto update expiration and does not meet the minimum allowed version of Google Chrome OS set through DeviceMinimumVersion policy.
When this policy is set to a non-empty string : If the warning time mentioned in DeviceMinimumVersion policy has expired, this message is shown at the login screen when the device is blocked for any user to sign in. If the warning time mentioned in DeviceMinimumVersion policy has not expired, this message is shown on the Chrome management page after user sign in.
If this policy is not set or set to empty, the default auto update expiration message is shown to the user in both of the above cases. The auto update expiration message must be plain text without any formatting. No markup is allowed.
Setting the policy sets the resolution and scale factor for each display. External display settings apply to connected displays. (The policy doesn't apply if a display doesn't support the specified resolution or scale.)
Setting external_use_native to True means the policy ignores external_width and external_height and sets external displays to their native resolution. Setting external_use_native to False or leaving it and external_width or external_height unset means the policy doesn't affect external displays.
Setting the recommended flag to True lets users change resolution and scale factor of any display through the settings page, but their settings change back at the next reboot. Setting the recommended flag to False or leaving it unset means users can't change the display settings.
Note: Set external_width and external_height in pixels and external_scale_percentage and internal_scale_percentage in percents.
Setting the policy has each display rotate to the specified orientation on every reboot and the first time it's connected after the policy value changes. Users may change the display rotation through the settings page after signing in, but it changes back at the next reboot. This policy applies to primary and secondary displays.
If not set, the default value is 0 degrees and users are free to change it. In this case, the default value isn't reapplied at restart.
Setting the policy specifies which extensions are not subject to the blocklist.
A blocklist value of * means all extensions are blocked and users can only install extensions listed in the allow list.
By default, all extensions are allowed. But, if you prohibited extensions by policy, use the list of allowed extensions to change that policy.
Allows you to specify which extensions the users can NOT install. Extensions already installed will be disabled if blocked, without a way for the user to enable them. Once an extension disabled due to the blocklist is removed from it, it will automatically get re-enabled.
A blocklist value of '*' means all extensions are blocked unless they are explicitly listed in the allowlist.
If this policy is left not set the user can install any extension in Google Chrome.
Setting the policy specifies a list of apps and extensions that install silently, without user interaction, and which users can't uninstall or turn off. Permissions are granted implicitly, including for the enterprise.deviceAttributes and enterprise.platformKeys extension APIs. (These 2 APIs aren't available to apps and extensions that aren't force-installed.)
Leaving the policy unset means no apps or extensions are autoinstalled, and users can uninstall any app or extension in Google Chrome.
This policy superseeds ExtensionInstallBlocklist policy. If a previously force-installed app or extension is removed from this list, Google Chrome automatically uninstalls it.
On Microsoft® Windows® instances, apps and extensions from outside the Chrome Web Store can only be forced installed if the instance is joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management.
On macOS instances, apps and extensions from outside the Chrome Web Store can only be force installed if the instance is managed via MDM, or joined to a domain via MCX.
The source code of any extension may be altered by users through developer tools, potentially rendering the extension dysfunctional. If this is a concern, set the DeveloperToolsDisabled policy.
Each list item of the policy is a string that contains an extension ID and, optionally, an "update" URL separated by a semicolon (;). The extension ID is the 32-letter string found, for example, on chrome://extensions when in Developer mode. If specified, the "update" URL should point to an Update Manifest XML document ( https://developer.chrome.com/extensions/autoupdate ). By default, the Chrome Web Store's update URL is used. The "update" URL set in this policy is only used for the initial installation; subsequent updates of the extension use the update URL in the extension's manifest.
Note: This policy doesn't apply to Incognito mode. Read about hosting extensions ( https://developer.chrome.com/extensions/hosting ).
Android apps can be force-installed from the Google Admin console using Google Play. They do not use this policy.
Setting the policy specifies which URLs may install extensions, apps, and themes. Before Google Chrome 21, users could click on a link to a *.crx file, and Google Chrome would offer to install the file after a few warnings. Afterwards, such files must be downloaded and dragged to the Google Chrome settings page. This setting allows specific URLs to have the old, easier installation flow.
Each item in this list is an extension-style match pattern (see https://developer.chrome.com/extensions/match_patterns). Users can easily install items from any URL that matches an item in this list. Both the location of the *.crx file and the page where the download is started from (the referrer) must be allowed by these patterns.
ExtensionInstallBlocklist takes precedence over this policy. That is, an extension on the blocklist won't be installed, even if it happens from a site on this list.
Setting the policy controls which apps and extensions may be installed in Google Chrome, which hosts they can interact with, and limits runtime access.
Leaving the policy unset results in no restrictions on the acceptable extension and app types.
Extensions and apps which have a type that's not on the list won't be installed. Each value should be one of these strings:
* "extension"
* "theme"
* "user_script"
* "hosted_app"
* "legacy_packaged_app"
* "platform_app"
See the Google Chrome extensions documentation for more information on these types.
Versions earlier than 75 that use multiple comma separated extension IDs aren't supported and are skipped. The rest of the policy applies.
Note: This policy also affects extensions and apps to be force-installed using ExtensionInstallForcelist.
Setting the policy controls extension management settings for Google Chrome, including any controlled by existing extension-related policies. The policy supersedes any legacy policies that might be set.
This policy maps an extension ID or an update URL to its specific setting only. A default configuration can be set for the special ID "*", which applies to all extensions without a custom configuration in this policy. With an update URL, configuration applies to extensions with the exact update URL stated in the extension manifest ( http://support.google.com/chrome/a?p=Configure_ExtensionSettings_policy ). If the 'override_update_url' flag is set to true, the extension is installed and updated using the "update" URL specified in the ExtensionInstallForcelist policy or in 'update_url' field in this policy. The flag 'override_update_url' is ignored if the 'update_url' is a Chrome Web Store url.
Note: For Microsoft® Windows® instances not joined to a Microsoft® Active Directory® domain and macOS instances not managed via MDM or joined to a domain via MCX, forced installation is limited to apps and extensions listed in the Chrome Web Store.
Controls external extensions installation.
Enabling this setting blocks external extensions from being installed.
Disabling this setting or leaving it unset allows external extensions to be installed.
External extensions and their installation are documented at https://developer.chrome.com/apps/external_extensions.
During login, Google Chrome OS can authenticate against a server (online) or using a cached password (offline).
When this policy is set to a value of -1, this policy will not enforce online authentication and will allow the user to use offline authentication until a different reason than this policy enforces an online login. If the policy is set to a value of 0, online login will always be required. When this policy is set to any other value, it specifies the length of time since the last online authentication after which the user must use online authentication again in the next sign-in.
Leaving this policy not set will make Google Chrome OS use offline login.
This policy affects only users who authenticated using GAIA without SAML.
The policy value should be specified in days.
Setting the policy to Enabled lets Google Assistant access screen context and send that data to a server. Setting the policy to Disabled keeps Google Assistant from screen context.
Leaving the policy unset lets users decide to turn this feature on or off.
Setting the policy to Enabled lets Google Assistant listen for the voice activation phrase. Setting the policy to Disabled keeps Google Assistant from listening for the phrase.
Leaving the policy unset lets users decide to turn this feature on or off.
Setting the policy to Enabled lets show Google Assistant voice match flow during initial setup. Setting the policy to Disabled keeps Google Assistant from showing voice match flow during initial setup.
Leaving the policy unset means it is Enabled.
Setting the policy to Enabled or leaving it unset turns on Google Cast, which users can launch from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the Cast toolbar icon.
Setting the policy to Disabled turns off Google Cast.
Setting the policy to Enabled displays the Cast toolbar icon on the toolbar or the overflow menu, and users can't remove it.
Setting the policy to Disabled or leaving it unset lets users pin or remove the icon through its contextual menu.
If the policy EnableMediaRouter is set to Disabled, then this policy's value has no effect, and the toolbar icon doesn't appear.
Setting the policy to Enabled turns off Google Drive syncing in the Google Chrome OS Files app. No data is uploaded to Drive.
Setting the policy to Disabled or leaving it unset lets users transfer files to Drive.
This policy does not prevent the user from using the Android Google Drive app. If you want to prevent access to Google Drive, you should disallow installation of the Android Google Drive app as well.
Setting the policy to Enabled turns off Google Drive syncing in the Google Chrome OS Files app when on a cellular connection. Data is only synced to Drive when connected through Wi-Fi or Ethernet.
Setting the policy to Disabled or leaving it unset lets users transfer files to Drive on cellular connections.
This policy has no effect on the Android Google Drive app. If you want to prevent use of Google Drive over cellular connections, you should disallow installation of the Android Google Drive app.
Setting the policy specifies which HTTP authentication schemes Google Chrome supports.
Leaving the policy unset employs all 4 schemes.
Valid values:
* basic
* digest
* ntlm
* negotiate
Note: Separate multiple values with commas.
Setting the policy specifies for which origins to allow all the HTTP authentication schemes Google Chrome supports regardless of the AuthSchemes policy.
Format the origin pattern according to this format (https://www.chromium.org/administrators/url-blocklist-filter-format). Up to 1,000 exceptions can be defined in AllHttpAuthSchemesAllowedForOrigins. Wildcards are allowed for the whole origin or parts of the origin, either the scheme, host, port.
Setting the policy to Enabled skips CNAME lookup. The server name is used as entered when generating the Kerberos SPN.
Setting the policy to Disabled or leaving it unset means CNAME lookup determines the canonical name of the server when generating the Kerberos SPN.
Setting the policy to Enabled and entering a nonstandard port (in other words, a port other than 80 or 443) includes it in the generated Kerberos SPN.
Setting the policy to Disabled or leaving it unset means the generated Kerberos SPN won't include a port.
Setting the policy to Enabled or leaving it unset will allow Basic authentication challenges received over non-secure HTTP.
Setting the policy to Disabled forbids non-secure HTTP requests from using the Basic authentication scheme; only secure HTTPS is allowed.
This policy setting is ignored (and Basic is always forbidden) if the AuthSchemes policy is set and does not include Basic.
Setting the policy specifies which servers should be allowed for integrated authentication. Integrated authentication is only on when Google Chrome gets an authentication challenge from a proxy or from a server in this permitted list.
Leaving the policy unset means Google Chrome tries to detect if a server is on the intranet. Only then will it respond to IWA requests. If a server is detected as internet, then Google Chrome ignores IWA requests from it.
Note: Separate multiple server names with commas. Wildcards, *, are allowed.
Setting the policy assigns servers that Google Chrome may delegate to. Separate multiple server names with commas. Wildcards, *, are allowed.
Leaving the policy unset means Google Chrome won't delegate user credentials, even if a server is detected as intranet.
Setting the policy to Enabled means HTTP authentication respects approval by KDC policy. In other words, Google Chrome delegates user credentials to the service being accessed if the KDC sets OK-AS-DELEGATE on the service ticket. See RFC 5896 ( https://tools.ietf.org/html/rfc5896.html ). The service should also be allowed by AuthNegotiateDelegateAllowlist.
Setting the policy to Disabled or leaving it unset means KDC policy is ignored on supported platforms and only AuthNegotiateDelegateAllowlist is respected.
On Microsoft® Windows®, KDC policy is always respected.
Setting the policy specifies which GSSAPI library to use for HTTP authentication. Set the policy to either a library name or a full path.
Leaving the policy unset means Google Chrome uses a default library name.
Setting the policy specifies the type of accounts provided by the Android authentication app that supports HTTP Negotiate authentication (such as Kerberos authentication). This information should be available from the supplier of the authentication app. For details, see The Chromium Projects ( https://goo.gl/hajyfN )
Leaving the policy unset turns off HTTP Negotiate authentication on Android.
Setting the policy to Enabled allows third-party images on a page to show an authentication prompt.
Setting the policy to Disabled or leaving it unset renders third-party images unable to show an authentication prompt.
Typically, this policy is Disabled as a phishing defense.
Setting the policy to Enabled or leaving it unset turns NTLMv2 on.
Setting the policy to Disabled turns NTLMv2 off.
All recent versions of Samba and Microsoft® Windows® servers support NTLMv2. This should only be turned off for backward compatibility as it reduces the security of authentication.
Controls whether the Kerberos functionality is enabled. Kerberos is an authentication protocol that can be used to authenticate to web apps and file shares.
If this policy is enabled, Kerberos functionality is enabled. Kerberos accounts can be added either through the 'Configure Kerberos accounts' policy or through the Kerberos Accounts settings in the Kerberos settings page.
If this policy is disabled or not set, the Kerberos Accounts settings are disabled. No Kerberos accounts can be added and Kerberos authentication cannot be used. All existing Kerberos accounts are deleted, all stored passwords are deleted.
Controls whether the 'Remember password' feature is enabled in the Kerberos authentication dialog. Passwords are stored encryped on disk, only accessible to the Kerberos system daemon and during a user session.
If this policy is enabled or not set, users can decide whether Kerberos passwords are remembered, so that they do not have to be entered again. Kerberos tickets are automatically fetched unless additional authentication is required (two-factor authentication).
If this policy is disabled, passwords are never remembered and all previously stored passwords are removed. Users have to enter their password every time they need to authenticate with the Kerberos system. Depending on server settings, this usually happens between every 8 hours to several months.
Controls whether users may add Kerberos accounts.
If this policy is enabled or not set, users may add Kerberos accounts via the Kerberos Accounts settings in the Kerberos settings page. Users have full control over accounts they added and may modify or remove them.
If this policy is disabled, users may not add Kerberos accounts. Accounts can only be added via the 'Configure Kerberos accounts' policy. This is an effective way to lock down accounts.
Adds prefilled Kerberos accounts. If the Kerberos credentials match the login credentials, an account can be configured to reuse the login credentials by specifying '${{LOGIN_EMAIL}}' and ${{PASSWORD}}' for principal and password, respectively, so that the Kerberos ticket can be retrieved automatically unless two-factor authentication is configured. Users cannot modify accounts added via this policy.
If this policy is enabled, the list of accounts defined by the policy is added to the Kerberos Accounts settings.
If this policy is disabled or not set, no accounts are added to the Kerberos Accounts settings and all accounts previously added with this policy are removed. Users may still add accounts manually if the 'Users can add Kerberos accounts' policy is enabled.
Setting the policy specifies the list of device-local accounts to display on the sign-in screen. Identifiers tell the different device-local accounts apart.
If the policy is unset or an empty list, there are no device-local accounts.
Setting the policy means the specified session is automatically signed if there is no user interaction at the sign-in screen within the time specified in DeviceLocalAccountAutoLoginDelay. The device-local account must already be set up (see DeviceLocalAccounts).
Leaving it unset means there's no automatic sign-in.
Setting the policy determines the amount of time in milliseconds without user activity before automatically signing in to the device-local account specified by the DeviceLocalAccountAutoLoginId policy.
Leaving it unset means 0 milliseconds is used as the timeout.
If the DeviceLocalAccountAutoLoginId policy is unset, this policy has no effect.
Setting the policy to Enabled or leaving it unset means a device-local account is set up for zero-delay, automatic sign-in. Google Chrome OS honors the keyboard shortcut Ctrl+Alt+S for bypassing automatic sign-in and showing the sign-in screen.
Setting the policy to Disabled means users can't bypass zero-delay automatic sign-in (if configured).
Setting the policy to Enabled or leaving it unset means when a device is offline, if a device-local account is set for zero-delay, automatic sign-in, Google Chrome OS shows a network-configuration prompt.
Setting the policy to Disabled has an error message displayed instead.
Setting the policy to Enabled means the value of the required_platform_version manifest key of the zero-delay, autolaunched kiosk app is used as the autoupdate target version prefix.
Setting the policy to Disabled or leaving it unset means the required_platform_version manifest key is ignored and autoupdate proceeds as normal.
Warning: Do not delegate control of the Google Chrome OS version to a kiosk app, because it might prevent the device from getting software updates and critical security fixes. Delegating control of the Google Chrome OS version might leave users at risk.
If the kiosk app is an Android app, it will have no control over the Google Chrome OS version, even if this policy is set to True.
Setting the policy controls which command to use to open URLs in an alternative browser. The policy can be set to one of ${ie}, ${firefox}, ${safari}, ${opera}, ${edge} or a file path. When this policy is set to a file path, that file is used as an executable file. ${ie} is only available on Microsoft® Windows®. ${safari} and ${edge} are only available on Microsoft® Windows® and macOS.
Leaving the policy unset puts a platform-specific default in use: Internet Explorer® for Microsoft® Windows®, or Safari® for macOS. On Linux®, launching an alternative browser will fail.
Setting the policy to a list of strings means each string is passed to the alternative browser as separate command-line parameters. On Microsoft® Windows®, the parameters are joined with spaces. On macOS and Linux®, a parameter can have spaces and still be treated as a single parameter.
If an parameter contains ${url}, ${url} is replaced with the URL of the page to open. If no parameter contains ${url}, the URL is appended at the end of the command line.
Environment variables are expanded. On Microsoft® Windows®, %ABC% is replaced with the value of the ABC environment variable. On macOS and Linux®, ${ABC} is replaced with the value of the ABC environment variable.
Leaving the policy unset means only the URL is passed as a command-line parameter.
This policy controls the command to use to open URLs in Google Chrome when switching from Internet Explorer®. This policy can be set to an executable file path or ${chrome} to autodetect the location of Google Chrome.
Leaving the policy unset means Internet Explorer® autodetects Google Chrome's own executable path when launching Google Chrome from Internet Explorer.
Note: If the Legacy Browser Support add-in for Internet Explorer® isn't installed, this policy has no effect.
Setting the policy to a list of strings means the strings are joined with spaces and passed from Internet Explorer® to Google Chrome as command-line parameters. If an parameter contains ${url}, ${url} is replaced with the URL of the page to open. If no parameter contains ${url}, the URL is appended at the end of the command line.
Environment variables are expanded. On Microsoft® Windows®, %ABC% is replaced with the value of the ABC environment variable.
Leaving the policy unset means Internet Explorer® only passes the URL to Google Chrome as a command-line parameter.
Note: If the Legacy Browser Support add-in for Internet Explorer® isn't installed, this policy has no effect.
Setting the policy to a number has Google Chrome show a message for that number of milliseconds, then it opens an alternative browser.
Leaving the policy unset or set to 0 means navigating to a designated URL immediately opens it in an alternative browser.
Setting the policy to Enabled means Google Chrome will try to launch some URLs in an alternate browser, such as Internet Explorer®. This feature is set using the policies in the Legacy Browser support group.
Setting the policy to Disabled or leaving it unset means Google Chrome won't try to launch designated URLs in an alternate browser.
Setting the policy to a valid URL has Google Chrome download the site list from that URL and apply the rules as if they were set up with the BrowserSwitcherUrlList policy.
Leaving it unset (or set to a invalid URL) means Google Chrome doesn't use the policy as a source of rules for switching browsers.
Note: This policy points to an XML file in the same format as Internet Explorer®'s SiteList policy. This loads rules from an XML file, without sharing those rules with Internet Explorer®. Read more on Internet Explorer®'s SiteList policy ( https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode)
Setting the policy to a valid URL has Google Chrome download the site list from that URL and apply the rules as if they were set up with the BrowserSwitcherUrlGreylist policy. These policies prevent Google Chrome and the alternative browser from opening one another.
Leaving it unset (or set to a invalid URL) means Google Chrome doesn't use the policy as a source of rules for not switching browsers.
Note: This policy points to an XML file in the same format as Internet Explorer®'s SiteList policy. This loads rules from an XML file, without sharing those rules with Internet Explorer®. Read more on Internet Explorer®'s SiteList policy ( https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode )
Setting the policy to Enabled or leaving it unset has Google Chrome keep at least one tab open, after switching to an alternate browser.
Setting the policy to Disabled has Google Chrome close the tab after switching to an alternate browser, even if it was the last tab. This causes Google Chrome to exit completely.
This policy controls how Google Chrome interprets sitelist/greylist policies for the Legacy Browser Support feature. It affects the following policies: BrowserSwitcherUrlList, BrowserSwitcherUrlGreylist, BrowserSwitcherUseIeSitelist, BrowserSwitcherExternalSitelistUrl, and BrowserSwitcherExternalGreylistUrl.
If 'Default' (0) or unset, URL matching is less strict. Rules that do not contain "/" look for a substring anywhere in the URL's hostname. Matching the path component of a URL is case-sensitive.
If 'IESiteListMode' (1), URL matching is more strict. Rules that do not contain "/" only match at the end of the hostname. They must also be at a domain name boundary. Matching the path component of a URL is case-insensitive. This is more compatible with Microsoft® Internet Explorer® and Microsoft® Edge®.
For example, with the rules "example.com" and "acme.com/abc":
"http://example.com/", "http://subdomain.example.com/" and "http://acme.com/abc" match regardless of parsing mode.
"http://notexample.com/", "http://example.com.invalid.com/", "http://example.comabc/" only match in 'Default' mode.
"http://acme.com/ABC" only matches in 'IESiteListMode'.
Setting the policy controls the list of websites to open in an alternative browser. Each item is treated as a rule for something to open in an alternative browser. Google Chrome uses those rules when choosing if a URL should open in an alternative browser. When the Internet Explorer® add-in is on, Internet Explorer® switches back to Google Chrome when the rules don't match. If rules contradict each other, Google Chrome uses the most specific rule.
Leaving the policy unset adds no websites to the list.
Note: Elements can also be added to this list through the BrowserSwitcherUseIeSitelist and BrowserSwitcherExternalSitelistUrl policies.
Setting the policy controls the list of websites that will never cause a browser switch. Each item is treated as a rule. Those rules that match won't open an alternative browser. Unlike the BrowserSwitcherUrlList policy, rules apply to both directions. When the Internet Explorer® add-in is on, it also controls whether Internet Explorer® should open these URLs in Google Chrome.
Leaving the policy unset adds no websites to the list.
Note: Elements can also be added to this list through the BrowserSwitcherExternalGreylistUrl policy.
This policy controls whether to load rules from Internet Explorer®'s SiteList policy.
When this policy is set to true, Google Chrome reads Internet Explorer®'s SiteList to obtain the site list's URL. Google Chrome then downloads the site list from that URL, and applies the rules as if they had been configured with the BrowserSwitcherUrlList policy.
When this policy is false or unset, Google Chrome does not use Internet Explorer®'s SiteList policy as a source of rules for switching browsers.
For more information on Internet Explorer's SiteList policy: https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode
Setting the policy to Enabled lets the device run virtual machines on Google Chrome OS. VirtualMachinesAllowed and CrostiniAllowed must be Enabled to use Crostini. Setting the policy to Disabled means the device can't run virtual machines. Changing it to Disabled starts applying the policy to starting new virtual machines, not those already running.
When this policy is not set on a managed device, the device can't run virtual machines. Unmanaged devices can run virtual machines.
Setting the policy to Enabled or leaving it unset lets users run Crostini, as long as VirtualMachinesAllowed and CrostiniAllowed are set to Enabled. Setting the policy to Disabled turns Crostini off for the user. Changing it to Disabled starts applying the policy to starting new Crostini containers, not those already running.
Setting the policy to Enabled or leaving it unset lets all users use Crostini as long as all 3 policies, VirtualMachinesAllowed, CrostiniAllowed, and DeviceUnaffiliatedCrostiniAllowed are set to Enabled. Setting the policy to Disabled means unaffiliated users can't use Crostini. Changing it to Disabled starts applying the policy to starting new Crostini containers, not those already running.
Setting the policy to Enabled or leaving it unset makes the export-import UI available to users. Setting the policy to Disabled renders the export-import UI unavailable to users.
Provides an Ansible playbook that should be executed in the default Crostini container.
This policy allows to provide an Ansible playbook to be applied to the default Crostini container if it is available on the given device and allowed by policies.
The size of the data must not exceed 1MB (1000000 bytes) and must be encoded in YAML. The cryptographic hash is used to verify the integrity of the download.
The configuration is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.
If you set the policy, users can't change it. If not set, users can continue using default Crostini container in its ongoing configuration if Crostini is allowed by policies.
Specifies whether port forwarding into Crostini containers is allowed.
If this policy is set to True or not set, users will be able to configure port forwarding into their Crostini containers.
If this policy is set to False, port forwarding into Crostini containers will be disabled.
If this policy doesn't exist (e.g. for unmanaged users), the SSH (Secure SHell) outgoing client connections feature in Terminal System App is enabled (default True). If the user is managed, and the policy is unset or Disabled, the feature is disabled in Terminal. Setting the policy to Enabled allows managed users to create outgoing client SSH connections in Terminal.
Setting the policy specifies in days how often a client changes their machine account password. The password is randomly generated by the client and not visible to the user. Disabling this policy or setting a high number of days can negatively impact security, because it gives potential attackers more time to find and use the machine account password.
Leaving the policy unset means the machine account password is changed every 30 days.
Setting the policy to 0 turns off machine account password change.
Note: Passwords might get older than the specified number of days if the client has been offline for a longer period of time.
Setting the policy specifies whether and how user policy from computer Group Policy Object (GPO) is processed.
* Default or leaving it unset has user policy read only from user GPOs. Computer GPOs are ignored.
* Merge will merge user policy in user GPOs with that of computer GPOs. Computer GPOs take precedence.
* Replace will replace user policy in user GPOs with that of computer GPOs. User GPOs are ignored.
Setting the policy designates which encryption types are allowed when requesting Kerberos tickets from a Microsoft® Active Directory® server.
Setting the policy to:
* All allows the AES encryption types aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96, as well as the RC4 encryption type rc4-hmac. AES takes precedence if the server supports AES and RC4 encryption types.
* Strong or leaving it unset allows only the AES types.
* Legacy allows only the RC4 type. RC4 is insecure. It should only be needed in very specific circumstances. If possible, reconfigure the server to support AES encryption.
Also see https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#Kerberos_client_encryption_types.
Setting the policy specifies in hours the Group Policy Object (GPO) cache lifetime—the maximum duration GPOs can be reused before they're redownloaded. Instead of redownloading them on every policy fetch, the system reuses cached GPOs as long as their version doesn't change.
Setting the policy to 0 turns GPO caching off. Doing this increases server load, because GPOs are redownloaded on every policy fetch, even if they didn't change.
Leaving the policy unset means cached GPOs can be reused for up to 25 hours.
Note: Restarting and signing out clears the cache.
Setting the policy specifies in hours the authentication data cache lifetime. The cache has data about realms trusted by the machine realm (affiliated realms). So, authentication data caching helps speed up sign-in. User-specific data and data for unaffiliated realms isn't cached.
Setting the policy to 0 turns authentication data caching off. Realm-specific data is fetched on every sign-in, so turning off authentication data caching can significantly slow down user sign-in.
Leaving the policy unset means cached authentication data can be reused for up to 73 hours.
Note: Restarting the device clears the cache. Even ephemeral users' realm data is cached. Turn off the cache to prevent the tracing of an ephemeral user's realm.
Enable the migration of Microsoft® Active Directory® managed devices into cloud management. This policy allows for a remote start of a touchless migration of multiple devices in a company. Additionally, the migration will be as transparent as possible to the end users.
If this policy is enabled and the enrollment ID has already been uploaded to the DMServer, a remote device powerwash will be triggered.
If this policy is disabled or not set, the remote device powerwash is not trigged, independently of the enrollment ID upload status.
This check is triggered whenever the login screen is loaded, then retried every hour (if the device stays on the login screen). This prevents the migration from starting in the middle of a user session, causing potential problems to end users.
Setting the policy specifies which native messaging hosts shouldn't be loaded. A deny list value of * means all native messaging hosts are denied, unless they're explicitly allowed.
Leaving the policy unset means Google Chrome loads all installed native messaging hosts.
Setting the policy specifies which native messaging hosts aren't subject to the deny list. A deny list value of * means all native messaging hosts are denied, unless they're explicitly allowed.
All native messaging hosts are allowed by default. But, if all native messaging hosts are denied by policy, the admin can use the allow list to change that policy.
Setting the policy to Enabled or leaving it unset means Google Chrome can use native messaging hosts installed at the user level.
Setting the policy to Disabled means Google Chrome can only use these hosts if installed at the system level.
Setting the policy to Enabled lets users use Network File Shares for Google Chrome OS. Setting the policy to Disabled means users can't use this feature.
Setting the policy to Enabled means share discovery (the Network File Shares feature for Google Chrome OS) uses the NetBIOS Name Query Request protocol to discover shares on the network. Setting the policy to Disabled means share discovery won't use this protocol to discover shares.
Leaving the policy unset means the behavior defaults to off for managed users and on for other users.
Setting the policy to Enabled means the Network File Shares feature for Google Chrome OS uses NTLM for authentication to SMB shares if necessary. Setting the policy to Disabled turns off NTLM authentication to SMB shares.
Leaving the policy unset means the behavior defaults to off for managed users and on for other users.
Setting the policy specifies a list of preset network file shares. Each item is an object with 2 properties: share_url and mode.
The share URL should be share_url.
For mode, it should be drop_down or pre_mount:
* drop_down indicates that share_url will be added to the share discovery list.
* pre_mount indicates that share_url will be mounted.
Setting the policy allows pushing network configuration for all users of a Google Chrome OS device. The network configuration is a JSON-formatted string, as defined by the Open Network Configuration format.
Android apps can use the network configurations and CA certificates set via this policy, but do not have access to some configuration options.
Setting the policy to Enabled allows data roaming for the device.
Setting the policy to Disabled or leaving it unset renders data roaming unavailable.
Setting the policy turns network throttling on or off. This means that the system is throttled to achieve the provided upload and download rates (in kbits/s). It applies to all users and interfaces on the device.
Setting the policy to a string applies the string as the device hostname during DHCP request. The string can have variables ${ASSET_ID}, ${SERIAL_NUM}, ${MAC_ADDR}, ${MACHINE_NAME}, ${LOCATION} to be replaced with values on the device before using it as a hostname. The resulting substitution should be a valid hostname (per RFC 1035, section 3.1).
Leaving the policy unset or if the value after substitution isn't a valid hostname, no hostname is set in DHCP request.
Determine whether a user is allowed to configure the device hostname.
If DeviceHostnameTemplate is set, the admininistrator sets hostname and the user cannot choose regardless of what this policy is set to. If this policy is set to True and DeviceHostnameTemplate is not set, the admininistrator does not set hostname and the user can choose one. If this policy is set to False and DeviceHostnameTemplate is not set, the admininistrator does not set hostname and the user cannot choose one, hence the default name is used.
Setting the policy to Enabled means that Fast Transition is used when the wireless access point supports it. It applies to all users and interfaces on the device.
Setting the policy to Disabled or leaving it unset means that Fast Transition isn't used.
Setting the policy to Disabled means Google Chrome OS turns off Wi-Fi, and users can't change it.
Setting the policy to Enabled or leaving it unset lets users turn Wi-Fi on or off.
Setting the policy lets the administrator change the MAC (media access control) address when connecting a device to the dock. When a dock is connected to some device models, by default, the device's designated dock's MAC address helps identify the device on Ethernet.
If 'DeviceDockMacAddress' is selected or the policy is left unset, the device's designated dock MAC address will be used.
If 'DeviceNicMacAddress' is selected, the device's NIC (network interface controller) MAC address will be used.
If 'DockNicMacAddress' is selected, the dock's NIC MAC address will be used.
Users can't change this setting.
Setting the policy defines the list of USB devices users can detach from their kernel driver to use through the chrome.usb API directly inside a web app. Entries are pairs of USB Vendor Identifier and Product Identifier to identify specific hardware.
If not set, the list of a detachable USB devices is empty.
Setting the policy to Enabled or leaving it unset lets users turn Bluetooth on or off.
Setting the policy to Disabled means Google Chrome OS turns Bluetooth off, and users can't turn it on.
Note: To turn on Bluetooth, users must sign out and in again.
Setting the policy configures availability and behavior of TPM firmware updates.
Specify individual settings in JSON properties:
* allow-user-initiated-powerwash: If set to true, users can trigger the powerwash flow to install a TPM firmware update.
* allow-user-initiated-preserve-device-state (available starting in Google Chrome version 68): If set to true, users can invoke the TPM firmware update flow that preserves device-wide state, including enterprise enrollment, but loses user data.
* auto-update-mode (available starting in Google Chrome version 75): Controls how automatic TPM firmware updates are enforced for vulnerable TPM firmware. All flows preserve local device state. If set to:
* 1 or left not set, TPM firmware updates are not enforced.
* 2, TPM firmware updates at the next reboot after user acknowledges the update.
* 3, TPM firmware updates at the next reboot.
* 4, TPM firmware updates after enrollment, before user sign-in.
Leaving the policy unset renders TPM firmware update unavailable.
Setting the policy specifies the period in milliseconds at which the device management service is queried for device policy information. Valid values range from 1,800,000 (30 minutes) to 86,400,000 (1 day). Values outside this range will be clamped to the respective boundary.
Leaving the policy unset means Google Chrome OS uses the default value of 3 hours.
Note: Policy notifications force a refresh when the policy changes, making frequent refreshes unnecessary. So, if the platform supports these notifications, the refresh delay is 24 hours (ignoring defaults and the value of this policy).
Setting the policy to Enabled means Google Chrome OS stops the device from going into Developer mode.
Setting the policy to Disabled or leaving it unset keeps Developer mode available for the device.
This policy controls Google Chrome OS developer mode only. If you want to prevent access to Android Developer Options, you need to set the DeveloperToolsDisabled policy.
Setting the policy to Enabled or leaving it unset lets enterprise device users redeem offers through Google Chrome OS Registration.
Setting the policy to Disabled means users can't redeem these offers.
The Quirks Server provides hardware-specific configuration files, like ICC display profiles to adjust monitor calibration.
When this policy is set to false, the device will not attempt to contact the Quirks Server to download configuration files.
If this policy is true or not configured then Google Chrome OS will automatically contact the Quirks Server and download configuration files, if available, and store them on the device. Such files might, for example, be used to improve display quality of attached monitors.
Setting to lower than 1 MB or leaving it unset means Google Chrome OS uses the default size of 256 MiB for caching apps and extensions for installation by multiple users of a single device, avoiding the need to redownload each one for every user.
The cache is not used for Android apps. If multiple users install the same Android app, it will be downloaded anew for each user.
Setting the policy means the specified device policies are ignored (use these policies' default settings) during the specified intervals. Device policies are reapplied by Google Chrome when the policy period starts or ends. The user is notified and forced to sign out when this period changes and device policy settings change (for example, when a user signs in with a disallowed account).
This feature enables suggestions for new content to explore. Includes apps, webpages, and more. If this policy is set to True, then suggestions for new content to explore will be enabled. If this policy is set to False, then suggestions for new content to explore will be disabled. If this policy is left unset, then suggestions for new content to explore will be disabled for managed users and enabled for other users.
Allows enabling or disabling a notification when disk space is low. This applies to all users on the device.
Setting policy to Enabled, an notification will be shown when remaining disk space is low.
Setting policy to Disabled or not set, there won't be any low disk space notification.
This policy is ignored and the notification is always shown if the device is unmanaged or there is only one user.
If there are multiple user accounts on a managed device, the notification will only be shown when this policy is enabled.
Configures whether the sites that the user navigates to are allowed to create immersive Augmented Reality sessions using WebXR Device API.
When this policy is unset or enabled, the WebXR Device API will accept "immersive-ar" during session creation, thus allowing the users to enter Augmented Reality experiences.
When this policy is disabled, the WebXR Device API will reject requests to create sessions with mode set to "immersive-ar". The existing "immersive-ar" sessions (if any) will not be terminated.
For more details about "immersive-ar" sessions, please see WebXR Augmented Reality Module specfication.
This policy controls whether the user is prompted to select a client certificate when more than one certificate matches AutoSelectCertificateForUrls. If this policy is set to Enabled, the user is prompted to select a client certificate whenever the auto-selection policy matches multiple certificates. If this policy is set to Disabled or not set, the user may only be prompted when no certificate matches the auto-selection.
This policy controls whether the AES Keylocker implementation is enabled for user storage encryption for dm-crypt user homes on ChromeOS, if supported.
This policy only applies to user homes which use dm-crypt) for encryption. Legacy user homes (those which do not use dm-crypt) do not support the use of AES Keylocker and will default to using AESNI.
If the policy value changes, existing dm-crypt user homes will be accessed using the encryption implementation configured by the policy because the AES implementations are compatible. If the policy is disabled or not set, user storage encryption for dm-crypt user homes will default to using AESNI.
This policy specifies configuration that is used to generate and verify Parent Access Code.
|current_config| is always used for generating access code and should be used for validating access code only when it cannot be validated with |future_config|. |future_config| is the primary config used for validating access code. |old_configs| should be used for validating access code only when it cannot be validated with |future_config| nor |current_config|.
The expected way of using this policy is to gradually rotate access code configuration. New configuration is always put into |future_config| and at the same time the existing value is moved into |current_config|. |current_config|'s previous values are moved into |old_configs| and removed after rotation cycle is finished.
This policy applies only to child user. When this policy is set Parent Access Code can be verified on child user's device. When this policy is unset it is not possible to verify Parent Access Code on child user's device.
Allows to set per-app usage restrictions. Usage restrictions can be applied to the apps installed on Google Chrome OS for the given user. Restrictions should be passed in |app_limits| list. Only one entry per-app is allowed. Apps not included in the list have no restrictions. It is not possible to block apps that are essential for the operating system, the restrictions for such apps will be ignored. App is uniquely identified by |app_id|. Since different types of apps can use different id format |app_type| needs to be specified next to |app_id|. Per-App Time Limits only support |ARC| apps currently. Android package name is used as |app_id|. Support for other types of applications will be added in the future, for now they can be specified in the policy, but the restrictions will take no effect. There are two types of available restrictions: |BLOCK| and |TIME_LIMIT|. |BLOCK| makes app unavailable for the user. If |daily_limit_mins| is specified with |BLOCK| restriction |daily_limit_mins| will be ignored. |TIME_LIMITS| applies daily usage limit and makes app unavailable after the limit is reached on the given day. Usage limit is specified in |daily_limit_mins|. Usage limit is reset daily at the UTC time passed in |reset_at|. This policy is only used for child users. This policy is complementary to 'UsageTimeLimit'. Restrictions specified in 'UsageTimeLimit' like screen time and bedtime will be enforced regardless of 'PerAppTimeLimits'.
This policy specifies which applications and URLs should be allowed for per-app usage restrictions. The configured allowlist is applied to the apps installed on Google Chrome OS for the given user with per-app time limits. The configured allowlist can only be applied to child user accounts and take effect when PerAppTimeLimits policy is set. The configured allowlist is applied to applications and URLs so that they will not be blocked by per-app time limits. Accessing allowed URLs will not count towards the chrome time limit. Add url regular expressions to |url_list| to allow urls that match any of the regular expressions in the list. Add an application with its |app_id| and |app_type| to |app_list| to allow the application.
Allows you to lock the user's session based on the client time or the usage quota of the day.
The |time_window_limit| specifies a daily window in which the user's session should be locked. We only support one rule for each day of the week, therefore the |entries| array may vary from 0-7 in size. |starts_at| and |ends_at| are the beginning and the end of the window limit, when |ends_at| is smaller than |starts_at| it means that the |time_limit_window| ends on the following day. |last_updated_millis| is the UTC timestamp for the last time this entry was updated, it is sent as a string because the timestamp wouldn't fit in an integer.
The |time_usage_limit| specifies a daily screen quota, so when the user reaches it, the user's session is locked. There is a property for each day of the week, and it should be set only if there is an active quota for that day. |usage_quota_mins| is the amount of time that the managed device can be use in a day and |reset_at| is the time when the usage quota is renewed. The default value for |reset_at| is midnight ({'hour': 0, 'minute': 0}). |last_updated_millis| is the UTC timestamp for the last time this entry was updated, it is sent as a string because the timestamp wouldn't fit in an integer.
|overrides| is provided to invalidate temporarily one or more of the previous rules. * If neither time_window_limit nor time_usage_limit is active |LOCK| can be used to lock the device. * |LOCK| temporarily locks a user session until the next time_window_limit or time_usage_limit starts. * |UNLOCK| unlocks a user's session locked by time_window_limit or time_usage_limit. |created_time_millis| is the UTC timestamp for the override creation, it is sent as a String because the timestamp wouldn't fit in an integer It is used to determine whether this override should still be applied. If the current active time limit feature (time usage limit or time window limit) started after the override was created, it should not take action. Also if the override was created before the last change of the active time_window_limit or time_usage_window it should not be applied.
Multiple overrides may be sent, the newest valid entry is the one that is going to be applied.
This policy indicates current valid version of Edu Coexistence Terms of Service. It is compared with the version last accepted by the parent and used to prompt parent permission renewal when needed.
When this policy is set Terms of Service version can be validated. When this policy is unset it is not possible to verify validity of Edu Coexistence Terms of Service.
This policy is only used for Family Link users.
Setting the policy to Enabled means users have Google Chrome remember passwords and provide them the next time they sign in to a site.
Setting the policy to Disabled means users can't save new passwords, but previously saved passwords will still work.
If the policy is set, users can't change it in Google Chrome. If not set, the user can turn off password saving.
This policy has no effect on Android apps.
Setting the policy to Enabled lets users have Google Chrome check whether usernames and passwords entered were part of a leak.
If the policy is set, users can't change it in Google Chrome. If not set, credential leak checking is allowed, but the user can turn it off.
This behavior will not trigger if Safe Browsing is disabled (either by policy or by the user). In order to force Safe Browsing on, use the SafeBrowsingEnabled policy or the SafeBrowsingProtectionLevel policy.
Setting the policy to Enabled or leaving it unset gives the user the option to dismiss/restore compromised password alerts.
If you disable this setting, users will not be able to dismiss alerts about compromised passwords. If enabled, users will be able to dismiss alerts about compromised passwords.
Setting the policy to Enabled turns on PluginVm for the device, as long as other settings also allow it. PluginVmAllowed and UserPluginVmAllowed must be True, and either PluginVmLicenseKey or PluginVmUserId must be set for PluginVm to run.
Setting the policy to Disabled or leaving it unset means PluginVm isn't on for the device.
Allow PluginVm to collect PluginVm usage data.
If the policy is set to false or left unset, PluginVm is not allowed to collect data. If set to true, PluginVm might collect PluginVm usage data that is then combined and thoroughly analyzed to improve PluginVm experience.
Setting the policy specifies the PluginVm image for a user. Specify this policy as a JSON format string, with URL stating where to download the image and hash as a SHA-256 hash used to verify the integrity of the download.
Free disk space (in GB) required to install PluginVm.
If this policy is left unset, PluginVm installation fails if free disk space available on the device is less than 20 GB (default value). If this policy is set, PluginVm installation fails if free disk space available on the device is less than required by policy.
This policy specifies the PluginVm licensing user id for this device.
Allow this user to run PluginVm.
If the policy is set to false or left unset, PluginVm is not enabled for the user. If set to true, PluginVm is enabled for the user as long as other settings also allow it. PluginVmAllowed and UserPluginVmAllowed need to be true, and either PluginVmLicenseKey or PluginVmUserId need to be set for PluginVm to be allowed to run.
Setting the policy lets you set how Google Chrome OS behaves when there is no user activity for some amount of time while the sign-in screen appears. The policy controls multiple settings. For their individual semantics and value ranges, see the corresponding policies that control power management within a session.
The deviations from these policies are:
* The actions to take on idle or lid close cannot be to end the session.
* The default action taken on idle when running on AC power is to shut down.
Leaving the policy or any of its settings unset results in the use of the default values for the various power settings.
Setting the policy limits the device uptime by scheduling automatic restarts, which you can delay by up to 24 hours if a user is on the device. The policy value should be specified in seconds. Values are clamped to be at least 3,600 (one hour).
If you set the policy, users can't change it. If not set, the device uptime isn't limited.
Note: Automatic restarts are only on while the sign-in screen appears or during a kiosk app session.
Setting the policy to Enabled means Google Chrome OS triggers a restart when users shut down the device. Google Chrome OS replaces all shutdown buttons in the UI with restart buttons. If the users shut down devices using the power button, they won't automatically restart, even if the policy is on.
Setting the policy to Disabled or leaving it unset means Google Chrome OS lets them shut down the device.
Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.
Specifies the length of time without user input after which the screen is dimmed when running on AC power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS dims the screen.
When this policy is set to zero, Google Chrome OS does not dim the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the screen off delay (if set) and the idle delay.
Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.
Specifies the length of time without user input after which the screen is turned off when running on AC power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS turns off the screen.
When this policy is set to zero, Google Chrome OS does not turn off the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.
Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use ScreenLockDelays instead.
Specifies the length of time without user input after which the screen is locked when running on AC power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS locks the screen.
When this policy is set to zero, Google Chrome OS does not lock the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The recommended way to lock the screen on idle is to enable screen locking on suspend and have Google Chrome OS suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.
The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.
Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.
Specifies the length of time without user input after which a warning dialog is shown when running on AC power.
When this policy is set, it specifies the length of time that the user must remain idle before Google Chrome OS shows a warning dialog telling the user that the idle action is about to be taken.
When this policy is unset, no warning dialog is shown.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.
The warning message is only shown if the idle action is to logout or shut down.
Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.
Specifies the length of time without user input after which the idle action is taken when running on AC power.
When this policy is set, it specifies the length of time that the user must remain idle before Google Chrome OS takes the idle action, which can be configured separately.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds.
Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.
Specifies the length of time without user input after which the screen is dimmed when running on battery power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS dims the screen.
When this policy is set to zero, Google Chrome OS does not dim the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the screen off delay (if set) and the idle delay.
Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.
Specifies the length of time without user input after which the screen is turned off when running on battery power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS turns off the screen.
When this policy is set to zero, Google Chrome OS does not turn off the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.
Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use ScreenLockDelays instead.
Specifies the length of time without user input after which the screen is locked when running on battery power.
When this policy is set to a value greater than zero, it specifies the length of time that the user must remain idle before Google Chrome OS locks the screen.
When this policy is set to zero, Google Chrome OS does not lock the screen when the user becomes idle.
When this policy is unset, a default length of time is used.
The recommended way to lock the screen on idle is to enable screen locking on suspend and have Google Chrome OS suspend after the idle delay. This policy should only be used when screen locking should occur a significant amount of time sooner than suspend or when suspend on idle is not desired at all.
The policy value should be specified in milliseconds. Values are clamped to be less than the idle delay.
Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.
Specifies the length of time without user input after which a warning dialog is shown when running on battery power.
When this policy is set, it specifies the length of time that the user must remain idle before Google Chrome OS shows a warning dialog telling the user that the idle action is about to be taken.
When this policy is unset, no warning dialog is shown.
The policy value should be specified in milliseconds. Values are clamped to be less than or equal the idle delay.
The warning message is only shown if the idle action is to logout or shut down.
Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.
Specifies the length of time without user input after which the idle action is taken when running on battery power.
When this policy is set, it specifies the length of time that the user must remain idle before Google Chrome OS takes the idle action, which can be configured separately.
When this policy is unset, a default length of time is used.
The policy value should be specified in milliseconds.
Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.
This policy provides a fallback value for the more-specific IdleActionAC and IdleActionBattery policies. If this policy is set, its value gets used if the respective more-specific policy is not set.
When this policy is unset, behavior of the more-specific policies remains unaffected.
Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.
When this policy is set, it specifies the action that Google Chrome OS takes when the user remains idle for the length of time given by the idle delay, which can be configured separately.
When this policy is unset, the default action is taken, which is suspend.
If the action is suspend, Google Chrome OS can separately be configured to either lock or not lock the screen before suspending.
Note that this policy is deprecated and will be removed in Google Chrome OS version 85. Please use PowerManagementIdleSettings instead.
When this policy is set, it specifies the action that Google Chrome OS takes when the user remains idle for the length of time given by the idle delay, which can be configured separately.
When this policy is unset, the default action is taken, which is suspend.
If the action is suspend, Google Chrome OS can separately be configured to either lock or not lock the screen before suspending.
Setting the policy specifies the action that Google Chrome OS takes when the user closes the device's lid.
Leaving the policy unset means the Suspend action is taken.
Note: If the action is Suspend, Google Chrome OS can separately be set up to lock or not lock the screen before suspending.
Setting the policy to Enabled or leaving it unset means the user is not considered idle while audio plays. This prevents the idle timeout from being reached and the idle action from being taken. However, screen dimming, screen off, and screen lock will still occur after their configured timeouts despite audio activity.
Setting the policy to Disabled means the system can consider users idle despite audio activity.
Setting the policy to Enabled or leaving it unset means the user is not considered idle while video plays. This prevents the idle delay, screen dim delay, screen off delay, and screen lock delay from being reached and the corresponding actions from being taken.
Setting the policy to Disabled means the system can consider users idle despite video activity.
Video playing in Android apps is not taken into consideration, even if this policy is set to True.
If PowerSmartDimEnabled is Disabled, then setting PresentationScreenDimDelayScale specifies the percent that the screen dim delay scales when the device is presenting. When the screen dim delay scales, the screen off, screen lock, and idle delays adjust to maintain the same distances from the screen dim delay as originally set.
Leaving the policy unset puts a default scale factor in use.
Note: The scale factor must be 100% or more.
Setting the policy to Enabled or leaving it unset allows wake locks for power management. Extensions can request wake locks through the power management extension API and ARC apps.
Setting the policy to Disabled means wake lock requests are ignored.
Unless AllowWakeLocks is set to Disabled, setting AllowScreenWakeLocks to Enabled or leaving it unset allows screen wake locks for power management. Extensions can request screen wake locks through the power management extension API and ARC apps.
Setting the policy to Disabled demotes screen wake lock requests to system wake lock requests.
If PowerSmartDimEnabled is Disabled, then setting UserActivityScreenDimDelayScale specifies the percent that the screen dim delay scales when there's user activity while the screen dims or soon after the screen turns off. When the dim delay scales, the screen off, screen lock and idle delays adjust to maintain the same distances from the screen dim delay as originally set.
Leaving the policy unset puts a default scale factor in use.
Note: The scale factor must be 100% or more.
Setting the policy to Enabled means that power management delays and session length limits don't start until after the first user activity occurs in a session.
Setting the policy to Disabled or leaving it unset means power management delays and the time limit begin immediately at session start.
Setting the policy controls the power management strategy when the user idles.
There are 4 actions:
* The screen dims if the user is idle for the time specified by ScreenDim.
* The screen turns off if the user is idle for the time specified by ScreenOff.
* A warning dialog appears if the user remains idle for the time specified by IdleWarning. It warns the user that the idle action will be taken and only appears if the idle action is to sign out or shut down.
* The action specified by IdleAction is taken if the user is idle for the time specified by Idle.
For each of the above actions, the delay should be specified in milliseconds and must be set to a value greater than zero to trigger the corresponding action. If the delay is set to zero, Google Chrome OS won't take the corresponding action.
For each of the above delays, when the time is unset, a default value is used.
ScreenDim values will be clamped to be less than or equal to ScreenOff. ScreenOff and IdleWarning will be clamped to be less than or equal to Idle.
IdleAction can be one of 4 actions:
* Suspend
* Logout
* Shutdown
* DoNothing
If the IdleAction is not set, Suspend is taken.
Note: There are separate settings for AC power and battery.
Setting the policy specifies the length of time in milliseconds without user input after which the screen locks when running on AC power or battery. Values are clamped to be less than the idle delay in PowerManagementIdleSettings.
When set to zero, Google Chrome OS doesn't lock the screen when the user becomes idle. If unset, a default time is used.
Recommendation: Lock the screen on idle by turning on screen locking on suspend and have Google Chrome OS suspend after the idle delay. Only use this policy when screen locking should occur a significant amount of time sooner than suspend or when you don't want suspend on idle.
Setting the policy to Enabled or leaving it unset turns the smart dim model on and can extend the time until the screen dims. If it delays the time, the screen off, screen lock, and idle delays adjust to maintain the same distances from the screen dim delay as originally set.
Setting the policy to Disabled means the smart dim model won't influence screen dimming.
Setting the policy specifies screen brightness percent, turning autobrightness features off. Initial screen brightness adjusts to the policy value, but users can change it.
Leaving the policy unset doesn't affect user screen controls or autobrightness features.
Note: The policy values should be specified in percents from 0 to 100.
If DevicePowerPeakShiftEnabled is Enabled, then setting DevicePowerPeakShiftBatteryThreshold sets power peak shift battery threshold in percent.
Leaving the policy unset keeps power peak shift off.
If DevicePowerPeakShiftEnabled is Enabled, setting DevicePowerPeakShiftDayConfig sets power peak shift day configuration.
Leaving the policy unset keeps power peak shift off.
Valid values for the minute field in start_time, end_time and charge_start_time are 0, 15, 30, 45.
Setting the policy to Enabled and setting DevicePowerPeakShiftBatteryThreshold and DevicePowerPeakShiftDayConfig keeps power peak shift on, if supported on the device. Power peak shift power management policy is a power-saving policy that minimizes alternating current usage during peak times. For each weekday, you can set a start and end time to run in power peak shift mode. As long as the battery stays above the threshold specified, during these times, the device runs from the battery (even if the alternating current is attached). After the specified end time, the device runs from alternating current (if attached), but won't charge the battery. The device will again function normally using alternating current and recharging the battery after the specified charge start time.
Setting the policy to Disabled keeps power peak shift off.
If unset, power peak shift is off at first. Users can't change this setting.
Setting the policy to Enabled keeps boot on AC on, if supported on the device. Boot on AC provides an opportunity for the system to restart from Off or Hibernate after inserting the line power.
Setting the policy to Disabled keeps boot on AC off.
If you set this policy, users can't change it. If not set, boot on AC is off, and users can't turn it on.
If DeviceAdvancedBatteryChargeModeDayConfig is set, setting DeviceAdvancedBatteryChargeModeEnabled to Enabled keeps advanced battery charge mode power management policy on (if supported on the device). Using a standard charging algorithm and other techniques outside work hours, this mode lets users maximize battery health. During work hours, the system uses an express charge, which lets the battery charge faster. Specify the time when the system is used most each day by the start time and the duration.
Setting the policy to Disabled or leaving it unset keeps advanced battery charge mode off.
Users are unable to change this setting.
If DeviceAdvancedBatteryChargeModeEnabled is set to Enabled, then setting DeviceAdvancedBatteryChargeModeDayConfig lets you set up advanced battery charge mode. The value for charge_start_time must be less than charge_end_time.
Leaving the policy unset keeps advanced battery charge mode off.
Valid values for minute field in charge_start_time and charge_end_time are 0, 15, 30, 45.
Unless DeviceAdvancedBatteryChargeModeEnabled is specified, which overrides DeviceBatteryChargeMode, then setting DeviceBatteryChargeMode specifies battery charge mode power management policy (if supported on the device). To extend battery life, the policy dynamically controls battery charging by minimizing stress and wear-out.
Leaving the policy unset (if supported on the device) applies the standard battery charge mode, and users can't change it.
Note: If Custom battery charge mode is selected, then also specify DeviceBatteryChargeCustomStartCharging and DeviceBatteryChargeCustomStopCharging.
If DeviceBatteryChargeMode is set to "custom", then setting DeviceBatteryChargeCustomStartCharging customizes when the battery starts charging, based the percentage of battery charge. The value must be at least 5 percentage points below DeviceBatteryChargeCustomStopCharging.
Leaving the policy unset applies the standard battery charge mode.
If DeviceBatteryChargeMode is set to "custom", then setting DeviceBatteryChargeCustomStopCharging customizes when the battery stops charging, based on the percentage of battery charge. DeviceBatteryChargeCustomStartCharging must be at least 5 percentage points below DeviceBatteryChargeCustomStopCharging.
Leaving the policy unset applies the "standard" battery charge mode.
Setting the policy to Enabled turns on the USB power share power management policy.
Certain devices have a specific USB port with a lightning bolt or battery icon for charging devices using the system battery. This policy affects the charging behavior of this port while the system is in sleep and shut down modes. It doesn't affect the other USB ports and the charging behavior while the system is awake, when the USB port always provides power.
When sleeping, power is supplied to the USB port when the device is plugged in to the wall charger or if the battery level exceeds 50%. When shut down, power is supplied to the USB port when the device is plugged in to the wall charger.
Setting the policy to Disabled means no power is supplied.
Leaving the policy unset means the policy is on, and users can't turn it off.
Specifies whether an adaptive charging model is allowed to hold charging process to extend battery life.
When the device is on AC, the adaptive charging model evaluates if charging process should be hold to extend battery life. If the adaptive charging model holds the charging process, it'll keep the battery at a certain level (i.e. 80%) and then charge the device to 100% when the user need it. If this policy is set to True or left not set, the adaptive charging model will be enabled and allowed to hold the charging process to extend battery life. If this policy is set to False, the adaptive charging model will not influence the charging process.
Setting the policy to Enabled or leaving it unset lets users print in Google Chrome, and users can't change this setting.
Setting the policy to Disabled means users can't print from Google Chrome. Printing is off in the three dots menu, extensions, and JavaScript applications.
This policy has no effect on Android apps.
Setting the policy to Enabled or leaving it unset lets Google Chrome act as a proxy between Google Cloud Print and legacy printers connected to the machine. Using their Google Account, users may turn on the cloud print proxy by authentication.
Setting the policy to Disabled means users can't turn on the proxy, and the machine can't share its printers with Google Cloud Print.
Setting the policy sets printing to color only, monochrome only, or no color mode restriction. Leaving the policy unset results in no restriction.
Setting the policy restricts printing duplex mode.
Leaving the policy unset or empty results in no restriction.
Restricts PIN printing mode. Unset policy is treated as no restriction. If the mode is unavailable this policy is ignored. Note that PIN printing feature is enabled only for printers that use one of IPPS, HTTPS, USB or IPP-over-USB protocols.
Restricts background graphics printing mode. Unset policy is treated as no restriction.
Setting the policy overrides the default printing color mode. If the mode is unavailable, this policy is ignored.
Setting the policy overrides the default printing duplex mode. If the mode is unavailable, this policy is ignored.
Overrides default PIN printing mode. If the mode is unavailable this policy is ignored.
Overrides default background graphics printing mode.
Overrides default printing page size.
name should contain one of the listed formats or 'custom' if required paper size is not in the list. If 'custom' value is provided custom_size property should be specified. It describes the desired height and width in micrometers. Otherwise custom_size property shouldn't be specified. Policy that violates these rules is ignored.
If the page size is unavailable on the printer chosen by the user this policy is ignored.
Send username and filename to native printers server with every print job. The default is not to send.
Setting this policy to true also disables printers that use protocols other than IPPS, USB, or IPP-over-USB since username and filename shouldn't be sent over the network openly.
Specifies the maximal number of sheets user is allowed to print for a single print job.
If not set, no limitations are applied and user can print any documents.
This policy controls how long print jobs metadata is stored on the device, in days.
When this policy is set to a value of -1, the print jobs metadata is stored indefinitely. When this policy is set to a value of 0, the print jobs metadata is not stored at all. When this policy is set to any other value, it specifies the period of time during which the metadata of completed print jobs is stored on the device.
If not set, the default period of 90 days is used for Google Chrome OS devices.
The policy value should be specified in days.
This policy specifies the allowed extensions to skip print job confirmation dialog when they use the Printing API function chrome.printing.submitJob() for sending a print job.
If an extension is not in the list, or the list is not set, the print job confirmation dialog will be shown to the user for every chrome.printing.submitJob() function call.
Setting the policy to Enabled has Google Chrome open the system print dialog instead of the built-in print preview when users request a printout.
Setting the policy to Disabled or leaving it unset has print commands trigger the print preview screen.
Setting the policy to Enabled turns headers and footers on in print preview. Setting the policy to Disabled turns them off in print preview.
If you set the policy, users can't change it. If unset, users decides whether headers and footers appear.
Setting the policy sets the rules for selecting the default printer in Google Chrome, overriding the default rules. Printer selection occurs the first time users try to print, when Google Chrome seeks a printer matching the specified attributes. In case of a less than perfect match, Google Chrome can be set to select any matching printer, depending on the order printers are discovered.
Leaving the policy unset or set to attributes for which there's no match means the built-in PDF printer is the default. If there's no PDF printer, Google Chrome defaults to none.
Printers connected to Google Cloud Print are considered "cloud", the rest of the printers are classified as "local".
Note: Omitting a field means all values match. For example, not specifying connectivity causes Print Preview to start discovery of all kinds of printers, "local" and "cloud". Regular expression patterns must follow the JavaScript RegExp syntax, and matches are case sensistive.
This policy has no effect on Android apps.
Setting the policy lets administrators set up a list of printers for their users. Printer selection occurs the first time users try to print.
Using the policy:
* Customize free-form display_name and description for ease of printer selection.
* Help users identify printers using manufacturer and model.
* uri should be an address reachable from a client computer, including the scheme, port, and queue.
* Optionally provide uuid to help deduplicate zeroconf printers.
* Either use the model name for effective_model or set autoconf to True. Printers with both or no properties get ignored.
PPDs are downloaded after the printer is used, and frequently used PPDs are cached. This policy doesn't affect whether users can configure printers on individual devices.
Note: For Microsoft® Active Directory® managed devices, this policy supports expansion of ${MACHINE_NAME[,pos[,count]]} to the Microsoft® Active Directory® machine name or a substring of it. For example, if the machine name is CHROMEBOOK, then ${MACHINE_NAME,6,4} gets replaced by the 4 characters starting after the 6th position, in other words, BOOK. The position is zero-based.
Setting this policy configure enterprise printers. Its format matches the Printers dictionary, with an additional required "id" or "guid" field for each printer for allow listing or deny listing. The file size can't exceed 5MB and is in JSON format. A file with about 21,000 printers encodes as a 5MB file. The cryptographic hash helps verify download integrity. The file is downloaded, cached, and redownloaded when the URL or the hash changes. Google Chrome OS downloads the file for printer configurations and makes printers available along with PrintersBulkAccessMode, PrintersBulkAllowlist, and PrintersBulkBlocklist.
This policy has no effect on whether users can configure printers on individual devices. It is intended to be supplementary to the configuration of printers by individual users.
If you set the policy, users can't change it.
Setting the policy designates which access policy applies to bulk printer configuration, controlling which printers from PrintersBulkConfiguration are available for users.
* BlocklistRestriction (value 0) uses PrintersBulkBlocklist to restrict access to the specified printers
* AllowlistPrintersOnly (value 1) uses PrintersBulkAllowlist to designate only those printers which are selectable
* AllowAll (value 2) displays all printers
Leaving the policy unset puts AllowAll in use.
If BlocklistRestriction is chosen for PrintersBulkAccessMode, then setting PrintersBulkBlocklist specifies which printers users can't use. All printers are provided to the user, except for the IDs listed in this policy. The IDs must correspond to the "id" or "guid" fields in the file specified in PrintersBulkConfiguration.
If AllowlistPrintersOnly is chosen for PrintersBulkAccessMode, then setting PRINTERS_BULK_ALLOWLIST specifies which printers users can use. Only the printers with IDs matching the values in this policy are available to the user. The IDs must correspond to the "id" or "guid" fields in the file specified in PrintersBulkConfiguration.
Setting the policy provides configurations for enterprise printers bound to devices. Its format matches the Printers dictionary, with an additional required "id" or "guid" field for each printer for allow listing or deny listing. The file size can't exceed 5MB and is in JSON format. A file with about 21,000 printers encodes as a 5MB file. The cryptographic hash helps verify download integrity. The file is downloaded, cached, and redownloaded when the URL or the hash changes. Google Chrome OS downloads the file for printer configurations and makes printers available along with DevicePrintersAccessMode, DevicePrintersAllowlist, and DevicePrintersBlocklist.
This policy:
* doesn't affect whether users can configure printers on individual devices
* supplements PrintersBulkConfiguration and individual users' printer setups
If unset, there are no device printers, and the other DevicePrinter* policies are ignored.
Setting the policy designates which access policy applies to bulk printer configuration, controlling which printers from DevicePrinters are available for users.
* BlocklistRestriction (value 0), DevicePrintersBlocklist can restrict access to the specified printers
* AllowlistPrintersOnly (value 1), DevicePrintersAllowlist designates only those printers which are selectable
* AllowAll (value 2), all printers are allowed.
Leaving the policy unset applies AllowAll.
If BlocklistRestriction is chosen for DevicePrintersAccessMode, then setting DevicePrintersBlocklist specifies which printers users can't use. All printers are provided to users, except for the IDs listed in this policy. The IDs must correspond to the "id" or "guid" fields in the file specified in DevicePrinters.
If AllowlistPrintersOnly is chosen for DevicePrintersAccessMode, then setting DevicePrintersAllowlist specifies which printers users can use. Only the printers with IDs matching the values in this policy are available to users. The IDs must correspond to the "id" or "guid" fields in the file specified in DevicePrinters
Setting the policy to Enabled means Google Chrome uses the OS default printer as the default destination for print preview.
Setting the policy to Disabled or leaving it unset means Google Chrome uses the most recently used printer as the default destination for print preview.
Allows you to control if users can access non-enterprise printers
If the policy is set to True, or not set at all, users will be able to add, configure, and print using their own printers.
If the policy is set to False, users will not be able to add and configure their own printers. They will also not be able to print using any previously configured printers.
Provides configurations of available print servers.
This policy allows you to provide configuration of external print servers to Google Chrome OS devices as JSON file.
The size of the file must not exceed 1MB and must contain an array of records (JSON objects). Each record must contain fields "id", "url" and "display_name" with strings as values. Values of "id" fields must be unique.
The file is downloaded and cached. The cryptographic hash is used to verify the integrity of the download. The file will be re-downloaded whenever the URL or the hash changes.
When this policy is set to correct value, devices will try to query specified print servers for available printers using IPP protocol.
If this policy is unset or set to incorrect value, none of the provided server printers are visible to users.
Currently, the number of print servers is limited to 16. Only the first 16 print servers from the list will be queried.
Specifies the subset of print servers that will be queried for server printers.
If this policy is used, only the server printers with ids matching the values in this policy are available to the user.
The ids must correspond to the "id" field in the file specified in ExternalPrintServers.
If this policy is not set, filtering is omitted and all print servers are taken into account.
The printers of types placed on the deny list will be disabled from being discovered or having their capabilities fetched.
Placing all printer types on the deny list effectively disables printing, as there would be no available destinations to send a document for printing.
In versions before 102, including cloud on the deny list has the same effect as setting the CloudPrintSubmitEnabled policy to false. In order to keep Google Cloud Print destinations discoverable, the CloudPrintSubmitEnabled policy must be set to true and cloud must not be on the deny list. Beginning in version 102, Google Cloud Print destinations are not supported and will not appear regardless of policy values.
If the policy is not set, or is set to an empty list, all printer types will be available for discovery.
Extension printers are also known as print provider destinations, and include any destination that belongs to a Google Chrome extension.
Local printers are also known as native printing destinations, and include destinations available to the local machine and shared network printers.
Controls how Google Chrome prints on Microsoft® Windows®.
When printing to a non-PostScript printer on Microsoft® Windows®, sometimes print jobs need to be rasterized to print correctly.
When this policy is set to Full, Google Chrome will do full page rasterization if necessary.
When this policy is set to Fast, Google Chrome will avoid rasterization if possible, reducing the amount of rasterization can help reduce print job sizes and increase printing speed.
When this policy is not set, Google Chrome will be in Full mode.
Controls how Google Chrome makes the Print as image option available on Microsoft® Windows® and macOS when printing PDFs.
When printing a PDF on Microsoft® Windows® or macOS, sometimes print jobs need to be rasterized to an image for certain printers to get correct looking output.
When this policy is set to Enabled, Google Chrome will make the Print as image option available in the Print Preview when printing a PDF.
When this policy is set to Disabled or not set Google Chrome the Print as image option will not be available to users in Print Preview and PDFs will be printed as usual without being rasterized to an image before being sent to the destination.
Controls print image resolution when Google Chrome prints PDFs with rasterization.
When printing a PDF using the Print to image option, it can be beneficial to specify a print resolution other than a device's printer setting or the PDF default. A high resolution will significantly increase the processing and printing time while a low resolution can lead to poor imaging quality.
This policy allows a particular resolution to be specified for use when rasterizing PDFs for printing.
If this policy is set to zero or not set at all then the system default resolution will be used during rasterization of page images.
Controls whether print job history can be deleted.
Locally stored print jobs can be deleted through the print management app or through deleting the users's browser history.
When this policy is enabled or unset, the user will be able to delete their print job history through the print mangement app or through deleting their browser history.
When this policy is disabled, the user will not be able to delete their print job history through the print management app or through deleting their browser history.
Controls how Google Chrome prints on Microsoft® Windows®.
When printing to a PostScript printer on Microsoft® Windows® different PostScript generation methods can affect printing performance.
When this policy is set to Default, Google Chrome will use a set of default options when generating PostScript. For text in particular, text will always be rendered using Type 3 fonts.
When this policy is set to Type42, Google Chrome will render text using Type 42 fonts if possible. This should increase printing speed for some PostScript printers.
When this policy is not set, Google Chrome will be in Default mode.
Controls if Google Chrome makes the Print as image option default to set when printing PDFs.
When this policy is set to Enabled, Google Chrome will default to setting the Print as image option in the Print Preview when printing a PDF.
When this policy is set to Disabled or not set Google Chrome then the user selection for Print as image option will be initially unset. The user will be allowed to select it for each individual PDFs print job, if the option is available.
For Microsoft® Windows® or macOS this policy only has an effect if PrintPdfAsImageAvailability is also enabled.
Set the state of the privacy screen feature on the login screen.
If this policy is set to True, privacy screen will be enabled when the login screen is shown.
If this policy is set to False, privacy screen will be disabled when the login screen is shown.
When this policy is set, the user cannot override the value when the login screen is shown.
If this policy is left unset, the privacy screen is disabled initially, but remains controllable by the user when the login screen is shown.
Enable/disable the privacy screen feature.
If this policy is set to True, privacy screen will always be enabled.
If this policy is set to False, privacy screen will always be disabled.
When this policy is set, the user cannot override the value.
If this policy is left unset, privacy screen is disabled initially but can be controlled by the user.
This policy gives Projector permission to create and transcribe screen recording and upload to Drive for enterprise users. This policy does not affect Family Link users. This policy does not affect ProjectorDogfoodForFamilyLinkEnabled policy for Family Link users.
If the policy is enabled, Projector will be enabled. If the policy is disabled, Projector will be disabled. If the policy is not set, Projector will by default disabled.
This policy enables Projector feature for Family Link users and gives it permission to create and transcribe screen recording and upload to Drive. This policy does not affect other types of users. This policy does not affect ProjectorEnabled policy for enterprise users.
If the policy is enabled, Projector dogfood will be enabled for Family Link users. If the policy is disabled, Projector dogfood will be disabled for Family Link users. If the policy is not set, Projector dogfood will be by default disabled for Family Link users.
This policy is deprecated, please use ProxySettings instead.
Setting the policy to Enabled lets you specify the proxy server Chrome uses and prevents users from changing proxy settings. Chrome and ARC-apps ignore all proxy-related options specified from the command line. The policy only takes effect if the ProxySettings policy isn't specified.
Other options are ignored if you choose: * direct = Never use a proxy server and always connect directly * system = Use system proxy settings * auto_detect = Auto detect the proxy server
If you choose to use: * fixed_servers = Fixed proxy servers. You can specify further options with ProxyServer and ProxyBypassList. Only the HTTP proxy server with the highest priority is available for ARC-apps. * pac_script = A .pac proxy script. Use ProxyPacUrl to set the URL to a proxy .pac file.
Leaving the policy unset lets users choose the proxy settings.
Note: For detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).
This policy is deprecated, use ProxyMode instead.
Allows you to specify the proxy server used by Google Chrome and prevents users from changing proxy settings.
This policy only takes effect if the ProxySettings policy has not been specified.
If you choose to never use a proxy server and always connect directly, all other options are ignored.
If you choose to use system proxy settings or auto detect the proxy server, all other options are ignored.
If you choose manual proxy settings, you can specify further options in 'Address or URL of proxy server', 'URL to a proxy .pac file' and 'Comma-separated list of proxy bypass rules'. Only the HTTP proxy server with the highest priority is available for ARC-apps.
For detailed examples, visit: https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett.
If you enable this setting, Google Chrome ignores all proxy-related options specified from the command line.
Leaving this policy not set will allow the users to choose the proxy settings on their own.
You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the ProxyMode policy for more details.
This policy is deprecated, please use ProxySettings instead.
Setting the policy lets you specify the URL of the proxy server. This policy only takes effect if the ProxySettings policy isn't specified and you selected fixed_servers with ProxyMode.
Leave this policy unset if you selected any other mode for setting proxy policies.
Note: For detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).
You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the ProxyMode policy for more details.
This policy is deprecated, please use ProxySettings instead.
Setting the policy lets you specify a URL to a proxy .pac file. This policy only takes effect if the ProxySettings policy isn't specified and you selected pac_script with ProxyMode.
Leave this policy unset if you selected any other mode for setting proxy policies.
Note: For detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).
You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the ProxyMode policy for more details.
This policy is deprecated, please use ProxySettings instead.
Setting the policy means Google Chrome bypasses any proxy for the list of hosts given here. This policy only takes effect if the ProxySettings policy isn't specified and you specified either fixed_servers or pac_script for ProxyMode.
Leave this policy unset if you selected any other mode for setting proxy policies.
Note: For more detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).
You cannot force Android apps to use a proxy. A subset of proxy settings is made available to Android apps, which they may voluntarily choose to honor. See the ProxyMode policy for more details.
This policy gives Quick Answers permission to access selected content and send the info to the server.
If the policy is enabled, Quick Answers will be enabled. If the policy is disabled, Quick Answers will be disabled. If the policy is not set, users can decide whether to enable or disable Quick Answers.
This policy gives Quick Answers permission to access selected content and send the info to the server to get definition results.
If the policy is enabled or not set, Quick Answers Definition will be enabled. If the policy is disabled, Quick Answers Definition will be disabled.
This policy gives Quick Answers permission to access selected content and send the info to the server to get translation results.
If the policy is enabled or not set, Quick Answers translation will be enabled. If the policy is disabled, Quick Answers translation will be disabled.
This policy gives Quick Answers permission to access selected content and send the info to the server to get unit conversion results.
If the policy is enabled or not set, Quick Answers unit conversion will be enabled. If the policy is disabled, Quick Answers unit conversion will be disabled.
Setting the policy controls which quick unlock modes can unlock the lock screen.
To allow:
* Every quick unlock mode, use ["all"] (includes modes added in the future).
* Only PIN unlock, use ["PIN"].
* PIN and fingerprint, use ["PIN", "FINGERPRINT"].
If the policy is unset or set to an empty list, no quick unlock modes are available for managed devices.
Setting the policy controls how often the lock screen requests the password for quick unlock. Each time the lock screen appears, if the last password entry occurred before the time window specified by the value chosen, quick unlock won't be available. If users stay on the lock screen past this amount of time, a password is requested next time they enter the wrong code or re-enter the lock screen, whichever comes first.
Leaving the policy unset means users using quick unlock enter their password on the lock screen daily.
Setting the policy enforces the minimum PIN length chosen. (Values below 1 are rounded up to the minimum of 1.)
Leaving the policy unset enforces a minimal PIN length of 6 digits, the recommended minimum.
Setting the policy means the configured maximum PIN length is enforced. A value of 0 or less means the user may set a PIN of any length. If the value is less than PinUnlockMinimumLength but greater than 0, the maximum length is set to the minimum length.
Leaving the policy unset means no maximum length is enforced.
Setting the policy to Enabled allows weak PINs. Some characteristics of weak PINs: only one digit (1111), digits increase by 1 (1234), digits decrease by 1 (4321), and common PINs. Setting the policy to Disabled means users can't set weak, easy-to-guess PINs.
By default, users get a warning, not an error, for a weak PIN.
The PIN auto-submit feature changes how PINs are entered in ChromeOS. Instead of showing the same textfield that is used for password input, this feature shows a special UI that clearly shows to the user how many digits are necessary for their PIN. As a consequence, the user's PIN length will be stored outside the user encrypted data. Only supports PINs that are between 6 and 12 digits long.
If this policy is set to false, users will not have the option of enabling the feature on the Settings page.
This policy is deprecated. Please use RemoteAccessHostClientDomainList instead.
Setting the policy specifies the client domain names that are imposed on remote access clients, and users can't change them. Only clients from one of the specified domains can connect to the host.
Setting the policy to an empty list or leaving it unset applies the default policy for the connection type. For remote assistance, this allows clients from any domain to connect to the host. For anytime remote access, only the host owner can connect.
See also RemoteAccessHostDomainList.
Note: This setting overrides RemoteAccessHostClientDomain, if present.
Setting the policy to Enabled or leaving it unset allows the usage of STUN servers, letting remote clients discover and connect to this machine, even if separated by a firewall.
Setting the policy to Disabled when outgoing UDP connections are filtered by the firewall means the machine only allows connections from client machines within the local network.
This policy is deprecated. Please use RemoteAccessHostDomainList instead.
Setting the policy specifies the host domain names that are imposed on remote access hosts, and users can't change them. Hosts can be shared only using accounts registered on one of the specified domain names.
Setting the policy to an empty list or leaving it unset means hosts can be shared using any account.
See also RemoteAccessHostClientDomainList.
Note: This setting will override RemoteAccessHostDomain, if present.
Setting the policy to Enabled turns off remote access hosts' physical input and output devices during a remote connection.
Setting the policy to Disabled or leaving it unset lets both local and remote users interact with the host while it's shared.
Setting the policy to Enabled or leaving it unset lets users pair clients and hosts at connection time, eliminating the need to enter a PIN every time.
Setting the policy to Disabled makes this feature unavailable.
If RemoteAccessHostFirewallTraversal is set to Enabled, setting RemoteAccessHostAllowRelayedConnection to Enabled or leaving it unset allows the use of remote clients to use relay servers to connect to this machine when a direct connection is not available, for example, because of firewall restrictions.
Setting the policy to Disabled doesn't turn remote access off, but only allows connections from the same network (not NAT traversal or relay).
Setting the policy restricts the UDP port range used by the remote access host in this machine.
Leaving the policy unset or set to an empty string means the remote access host can use any available port.
Note: If RemoteAccessHostFirewallTraversal is Disabled, the remote access host will use UDP ports in the 12400-12409 range.
Setting the policy to Enabled has the remote access host compare the name of the local user the host is associated with and the name of the Google Account registered as the host owner ("johndoe," if the host is owned by "johndoe@example.com"). This host won't start if the host owner's name differs from the name of the local user that the host is associated with. To enforce that the owner's Google Account is associated with a specific domain, use the policy with RemoteAccessHostDomain.
Setting the policy to Disabled or leaving it unset means the remote access host can be associated with any local user.
Setting the policy to Enabled means the remote assistance host runs in a process with uiAccess permissions. This lets remote users interact with elevated windows on the local user's desktop.
Setting the policy to Disabled or leaving it unset means the remote assistance host runs in the user's context, and remote users can't interact with elevated windows on the desktop.
Setting the policy to Enabled or leaving it unset allows users connected to a remote access host to transfer files between the client and the host. This doesn't apply to remote assistance connections, which don't support file transfer.
Setting the policy to Disabled disallows file transfer.
If this policy is Disabled, the remote access host service cannot be started or configured to accept incoming connections. This policy does not affect remote support scenarios.
This policy has no effect if it is set to Enabled, left empty, or is not set.
If this policy is set, remote access connections will automatically disconnect after the number of minutes defined in the policy have elapsed. This does not prevent the client from reconnecting after the maximum session duration has been reached. Setting the policy to a value that is not within the min/max range may prevent the host from starting. This policy does not affect remote support scenarios.
This policy has no effect if it is not set. In this case, remote access connections will have no maximum duration on this machine.
If this policy is set, clipboard data sent to and from the host will be truncated to the limit set by this policy.
If a value of 0 is set, then clipboard sync is disabled.
This policy affects both remote access and remote support scenarios.
This policy has no effect if it is not set.
Setting the policy to a value that is not within the min/max range may prevent the host from starting.
Please note that the actual upper bound for the clipboard size is based on the maximum WebRTC data channel message size which this policy does not control.
If this policy is disabled, the remote support host cannot be started or configured to accept incoming connections.
This policy does not affect remote access scenarios.
This policy does not prevent enterprise admins from connecting to managed Google Chrome OS devices.
This policy has no effect if enabled, left empty, or is not set.
Setting the policy to Enabled allows remote attestation for the device. A certificate is automatically generated and uploaded to the Device Management Server.
Setting the policy to Disabled or leaving it unset means no certificate is generated and calls to the Enterprise Platform Keys API fail.
Setting the policy to Enabled lets users use the hardware on Google Chrome OS devices to remotely attest its identity to the privacy CA through the Enterprise Platform Keys API using chrome.enterprise.platformKeys.challengeUserKey().
Setting the policy to Disabled or leaving it unset has calls to the API fail with an error code.
Setting the policy specifies the allowed extensions to use the Enterprise Platform Keys API functions for remote attestation. Extensions must be on this list to use the API.
If an extension is not in the list, or the list is not set, the call to the API fails with an error code.
Setting the policy to Enabled or leaving it unset lets Google Chrome OS devices use remote attestation (Verified Access) to get a certificate issued by the Google Chrome OS CA that asserts the device is eligible to play protected content. This process involves sending hardware endorsement information to the Google Chrome OS CA which uniquely identifies the device.
Setting the policy to Disabled means the device won't use remote attestation for content protection, and the device may not play protected content.
This policy configures which URLs will be granted access to use remote attestation of device identity during the SAML flow on the sign-in screen.
Specifically, if a URL matches one of the patterns provided through this policy, it will be allowed to receive a HTTP header containing a response to a remote attestation challenge, attesting device identity and device state.
If this policy is not set or is set to an empty list, no URL is allowed to use remote attestation on the sign-in screen.
URLs must have HTTPS scheme, e.g. "https://example.com".
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
This policy is deprecated in Google Chrome 83, please use SafeBrowsingProtectionLevel instead.
Setting the policy to Enabled keeps Chrome's Safe Browsing feature on. Setting the policy to Disabled keeps Safe Browsing off.
If you set this policy, users can't change it or override the "Enable phishing and malware protection" setting in Chrome. If not set, "Enable phishing and malware protection" is set to True, but the user can change it.
See more about Safe Browsing ( https://developers.google.com/safe-browsing ).
If the policy SafeBrowsingProtectionLevel is set, the value of the policy SafeBrowsingEnabled is ignored.
On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
Setting the policy to Enabled turns on Google Chrome's Safe Browsing Extended Reporting, which sends some system information and page content to Google servers to help detect dangerous apps and sites.
Setting the policy to Disabled means reports are never sent.
If you set this policy, users can't change it. If not set, users can decide whether to send reports or not.
See more about Safe Browsing ( https://developers.google.com/safe-browsing ).
This policy is not supported within Arc.
Allows you to control whether Google Chrome's Safe Browsing feature is enabled and the mode it operates in.
If this policy is set to 'NoProtection' (value 0), Safe Browsing is never active.
If this policy is set to 'StandardProtection' (value 1, which is the default), Safe Browsing is always active in the standard mode.
If this policy is set to 'EnhancedProtection' (value 2), Safe Browsing is always active in the enhanced mode, which provides better security, but requires sharing more browsing information with Google.
If you set this policy as mandatory, users cannot change or override the Safe Browsing setting in Google Chrome.
If this policy is left not set, Safe Browsing will operate in Standard Protection mode but users can change this setting.
See https://developers.google.com/safe-browsing for more info on Safe Browsing.
This policy is not supported within Arc.
Setting the policy to Enabled means Safe Browsing will trust the domains you designate. It won't check them for dangerous resources such as phishing, malware, or unwanted software. Safe Browsing's download protection service won't check downloads hosted on these domains. Its password protection service won't check for password reuse.
Leaving the policy unset means default Safe Browsing protection applies to all resources.
This policy must be set as a list of fully qualified domain names. It does not support regular expressions, and will not allowlist subdomains of domains listed in the policy.
On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
Setting the policy lets you control the triggering of password protection warning. Password protection alerts users when they reuse their protected password on potentially suspicious sites.
Use PasswordProtectionLoginURLs and PasswordProtectionChangePasswordURL to set which password to protect.
If this policy is set to:
* PasswordProtectionWarningOff, no password protection warning will be shown.
* PasswordProtectionWarningOnPasswordReuse, password protection warning will be shown when the user reuses their protected password on a non-allowed site.
* PasswordProtectionWarningOnPhishingReuse, password protection warning will be shown when the user reuses their protected password on a phishing site.
Leaving the policy unset has the password protection service only protect Google passwords, but users can change this setting.
Setting the policy sets the list of enterprise login URLs (HTTP and HTTPS protocols only). Password protection service will capture salted hashes of passwords on these URLs and use them for password reuse detection. For Google Chrome to correctly capture password salted hashes, ensure your sign-in pages follow these guidelines ( https://www.chromium.org/developers/design-documents/create-amazing-password-forms ).
Turning this setting off or leaving it unset means the password protection service only captures the password salted hashes on https://accounts.google.com.
On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
Setting the policy sets the URL for users to change their password after seeing a warning in the browser. The password protection service sends users to the URL (HTTP and HTTPS protocols only) you designate through this policy. For Google Chrome to correctly capture the salted hash of the new password on this change password page, make sure your change password page follows these guidelines ( https://www.chromium.org/developers/design-documents/create-amazing-password-forms ).
Turning the policy off or leaving it unset means the service sends users to https://myaccount.google.com to change their password.
On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
Enables SAML password sync between multiple Chrome devices by monitoring the value of password sync token and sending a user through the online re-authentication if password was updated and needs to be synchronized.
Enables a page at chrome://password-change that lets SAML users change their SAML passwords while in-session, which ensures that the SAML password and the device lockscreen password are kept in-sync.
This policy also enables notifications that warn SAML users if their SAML passwords are soon to expire so that they can deal with this immediately by doing an in-session password change. But, these notifications will only be shown if password expiry information is sent to the device by the SAML identity provider during the SAML login flow.
Setting this policy to Disabled or not set, SAML password can't be changed at chrome://password-change and there won't be any notification when SAML passwords are soon to expire.
This policy has no effect unless SamlInSessionPasswordChangeEnabled is true. If that policy is true, and this policy is set to (for example) 14, that means SAML users will be notified 14 days in advance that their password is due to expire on a certain date. Then they can deal with this immediately by doing an in-session password change and updating their password before it expires. But, these notifications will only be shown if password expiry information is sent to the device by the SAML identity provider during the SAML login flow. Setting this policy to zero means the users will not be notified in advance - they will only be notified once the password has already expired.
If this policy is set, the user cannot change or override it.
Enables online user signin on a lock screen. If the policy is set to true online re-authentication on the lock screen is triggered e.g. by SAMLOfflineSigninTimeLimit. The re-authentication is enforced immediately when on the lock screen or next time a user locks the screen after the condition is met. If the policy is set to false or unset users can always unlock the screen with their local credentials.
During login, Google Chrome OS can authenticate against a server (online) or using a cached password (offline).
When this policy is set to a value of -1, the user can authenticate offline indefinitely. When this policy is set to any other value, it specifies the length of time since the last online authentication after which the user must use online authentication again.
Leaving this policy not set will make Google Chrome OS use a default time limit of 14 days after which the user must use online authentication again.
This policy affects only users who authenticated using SAML.
The policy value should be specified in seconds.
If this policy is set to true or not configured, Google Chrome OS will enable guest logins. Guest logins are anonymous user sessions and do not require a password.
If this policy is set to false, Google Chrome OS will not allow guest sessions to be started.
Defines the list of users that are allowed to login to the device. Entries are of the form user@domain, such as madmax@managedchrome.com. To allow arbitrary users on a domain, use entries of the form *@domain.
If this policy is not configured, there are no restrictions on which users are allowed to sign in. Note that creating new users still requires the DeviceAllowNewUsers policy to be configured appropriately. If DeviceFamilyLinkAccountsAllowed is enabled, Family Link users will be allowed additionally to the accounts defined in this policy.
This policy controls who may start a Google Chrome OS session. It does not prevent users from signing in to additional Google accounts within Android. If you want to prevent this, configure the Android-specific accountTypesWithManagementDisabled policy as part of ArcPolicy.
Controls whether Google Chrome OS allows new user accounts to be created.
If this policy is set to false, only users present in DeviceUserAllowlist will be able to login.
If this policy is set to true or not configured, all users will be able to login.
This policy controls whether new users can be added to Google Chrome OS. It does not prevent users from signing in to additional Google accounts within Android. If you want to prevent this, configure the Android-specific accountTypesWithManagementDisabled policy as part of ArcPolicy.
If this policy is set to a blank string or not configured, Google Chrome OS will not show an autocomplete option during user sign-in flow. If this policy is set to a string representing a domain name, Google Chrome OS will show an autocomplete option during user sign-in allowing the user to type in only their user name without the domain name extension. The user will be able to overwrite this domain name extension. If the value of the policy is not a valid domain, the policy will not be applied.
If this policy is set to true or not configured, Google Chrome OS will show existing users on the login screen and allow to pick one.
If this policy is set to false, Google Chrome OS will not show existing users on the login screen. The normal sign-in screen (prompting for the user email and password or phone) or the SAML interstitial screen (if enabled via the LoginAuthenticationBehavior policy) will be shown, unless a Managed Session is configured. When a Managed Session is configured, only the Managed Session accounts will be shown, allowing to pick one of them.
Note that this policy does not affect whether the device keeps or discards the local user data.
Configure device-level wallpaper image that is shown on the login screen if no user has yet signed in to the device. The policy is set by specifying the URL from which the ChromeOS device can download the wallpaper image and a cryptographic hash used to verify the integrity of the download. The image must be in JPEG format, its file size must not exceed 16MB. The URL must be accessible without any authentication. The wallpaper image is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.
If the device wallpaper policy is set, the ChromeOS device will download and use the wallpaper image on the login screen if no user has yet signed in to the device. Once the user logs in, the user's wallpaper policy kicks in.
If the device wallpaper policy is left not set, it's the user's wallpaper policy to decide what to show if the user's wallpaper policy is set.
Determines whether Google Chrome OS keeps local account data after logout. If set to true, no persistent accounts are kept by Google Chrome OS and all data from the user session will be discarded after logout. If this policy is set to false or not configured, the device may keep (encrypted) local user data.
When this policy is set, the login authentication flow will be in one of the following ways depending on the value of the setting:
If set to GAIA, login will be done via the normal GAIA authentication flow.
If set to SAML_INTERSTITIAL, login will show an interstitial screen offering the user to go forward with authentication via the SAML IdP of the device's enrollment domain, or go back to the normal GAIA login flow.
Specifies whether authentication cookies set by a SAML IdP during login should be transferred to the user's profile.
When a user authenticates via a SAML IdP during login, cookies set by the IdP are written to a temporary profile at first. These cookies can be transferred to the user's profile to carry forward the authentication state.
When this policy is set to true, cookies set by the IdP are transferred to the user's profile every time they authenticate against the SAML IdP during login.
When this policy is set to false or unset, cookies set by the IdP are transferred to the user's profile during their first login on a device only.
This policy affects users whose domain matches the device's enrollment domain only. For all other users, cookies set by the IdP are transferred to the user's profile during their first login on the device only.
Cookies transferred to the user's profile are not accessible to Android apps.
Patterns in this list will be matched against the security origin of the requesting URL. If a match is found, access to video capture devices will be granted on SAML login pages. If no match is found, access will be automatically denied. Wildcard patterns are not allowed.
Specifies a list of apps and extensions that are installed silently on the login screen, without user interaction, and which cannot be uninstalled or disabled by the user.
Permissions requested by the apps/extensions are granted implicitly, without user interaction, including any additional permissions requested by future versions of the app/extension. Google Chrome restricts the set of permissions that the extensions can request.
Note that, for security and privacy reasons, only apps and extensions that belong to the allow list bundled into Google Chrome can be installed. All other items will be ignored.
If an app or extension that previously had been force-installed is removed from this list, it is automatically uninstalled by Google Chrome.
Each list item of the policy is a string that contains an extension ID and, optionally, an "update" URL separated by a semicolon (;). The extension ID is the 32-letter string found e.g. on chrome://extensions when in developer mode. The "update" URL, if specified, should point to an update manifest XML document as described at https://developer.chrome.com/extensions/autoupdate. By default, the Chrome Web Store's update URL is used (which currently is "https://clients2.google.com/service/update2/crx"). Note that the "update" URL set in this policy is only used for the initial installation; subsequent updates of the extension employ the update URL indicated in the extension's manifest.
For example, khpfeaanjngmcnplbdlpegiifgpfgdco;https://clients2.google.com/service/update2/crx installs the Smart Card Connector app from the standard Chrome Web Store "update" URL. For more information about hosting extensions, see: https://developer.chrome.com/extensions/hosting.
Configures the locale which is enforced on the Google Chrome OS sign-in screen.
If this policy is set, the sign-in screen will always be displayed in the locale which is given by the first value of this policy (the policy is defined as a list for forward compatibility). If this policy is not set or is set to an empty list, the sign-in screen will be displayed in the locale of the last user session. If this policy is set to a value which is not a valid locale, the sign-in screen will be displayed in a fallback locale (currently, en-US).
Configures which keyboard layouts are allowed on the Google Chrome OS sign-in screen.
If this policy is set to a list of input method identifiers, the given input methods will be available on the sign-in screen. The first given input method will be preselected. While a user pod is focused on the sign-in screen, the user's last used input method will be available in addition to the input methods given by this policy. If this policy is not set, the input methods on the sign-in screen will be derived from the locale in which the sign-in screen is displayed. Values which are not valid input method identifiers will be ignored.
Specify whether the system information (e.g. ChromeOS version, device serial number) is always shown (or hidden) on the login screen.
If the policy is set to true, the system information will be shown forcedly. If the policy is set to false, the system information will be hidden forcedly. If the policy is unset, default hehavior (being shown for Canary / Dev channel) is effective. Users can toggle the visibility by specific operations (e.g., Alt-V).
Specifies how the on-board secure element hardware can be used to provide a second-factor authentication if it is compatible with this feature. The machine power button is used to detect the user physical presence.
If 'Disabled' is selected, no second factor is provided.
If 'U2F' is selected, the integrated second factor will behave according the FIDO U2F specification.
If 'U2F_EXTENDED' is selected, the integrated second factor will provide the U2F functions plus some extensions for individual attestation.
Allows you to specify a list of url patterns that specify sites for which a client certificate is automatically selected on the sign-in screen in the frame hosting the SAML flow, if the site requests a certificate. An example usage is to configure a device-wide certificate to be presented to the SAML IdP.
The value is an array of stringified JSON dictionaries, each with the form { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where $URL_PATTERN is a content setting pattern. $FILTER restricts the client certificates the browser automatically selects from. Independent of the filter, only certificates that match the server's certificate request are selected.
Examples for the usage of the $FILTER section:
* When $FILTER is set to { "ISSUER": { "CN": "$ISSUER_CN" } }, only client certificates issued by a certificate with the CommonName $ISSUER_CN are selected.
* When $FILTER contains both the "ISSUER" and the "SUBJECT" sections, only client certificates that satisfy both conditions are selected.
* When $FILTER contains a "SUBJECT" section with the "O" value, a certificate needs at least one organization matching the specified value to be selected.
* When $FILTER contains a "SUBJECT" section with a "OU" value, a certificate needs at least one organizational unit matching the specified value to be selected.
* When $FILTER is set to {}, the selection of client certificates is not additionally restricted. Note that filters provided by the web server still apply.
If this policy is left not set, no auto-selection will be done for any site.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
Setting the policy to true displays numeric keyboard by default for entering password on the login screen. Users still could switch to the normal keyboard.
If you set the policy, users can't change it. If not set or set to false, it has no effect.
Controls whether Google Chrome OS allows new Family Link user accounts to be added on the device. This policy is only useful in combination with DeviceUserAllowlist. It allows Family Link accounts additionally to the accounts defined in the allowlist. This policy does not affect the behavior of other sign-in policies. Particularly it will not have any effect when: - Adding new users to the device is disabled with DeviceAllowNewUsers policy. - Adding all users is allowed with DeviceUserAllowlist policy.
If this policy is set to false (or not configured), no additional rules will be applied to Family Link accounts. If this policy is set to true, new Family Link user accounts will be allowed additionally to those defined in DeviceUserAllowlist.
This policy controls whether the user is prompted to select a client certificate on the sign-in screen in the frame hosting the SAML flow when more than one certificate matches DeviceLoginScreenAutoSelectCertificateForUrls. If this policy is set to Enabled, the user is asked to select the client certificate whenever the auto-selection policy matches multiple certificates. If this policy is set to Disabled or not set, the user is never prompted to select a client certificate on the sign-in screen. Note: This policy is in general not recommended, since it imposes potential privacy risks (in case device-wide TPM-backed certificates are used) and presents poor user experience.
When this policy is set to true, automatic cleanup is executed during login to ensure enough free disk space is available. Cleanup will only run when strictly necessary, but will still impact the login time. Setting the policy to false (the default) ensures the login time is not affected.
Setting the policy to Enabled shows the Home button on Google Chrome's toolbar. Setting the policy to Disabled keeps the Home button from appearing.
If you set the policy, users can't change it in Google Chrome. If not set, users chooses whether to show the Home button.
Setting the policy sets the default homepage URL in Google Chrome. You open the homepage using the Home button. On desktop, the RestoreOnStartup policies control the pages that open on startup.
If the homepage is set to the New Tab Page, by the user or HomepageIsNewTabPage, this policy has no effect.
The URL needs a standard scheme, such as http://example.com or https://example.com. When this policy is set, users can't change their homepage URL in Google Chrome.
Leaving both HomepageLocation and HomepageIsNewTabPage unset lets users choose their homepage.
On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
Setting the policy to Enabled makes the New Tab page the user's homepage, ignoring any homepage URL location. Setting the policy to Disabled means that their homepage is never the New Tab page, unless the user's homepage URL is set to chrome://newtab.
If you set the policy, users can't change their homepage type in Google Chrome. If not set, the user decides whether or not the New Tab page is their homepage.
On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
Setting the policy configures the default New Tab page URL and prevents users from changing it.
The New Tab page opens with new tabs and windows.
This policy doesn't decide which pages open on start up. Those are controlled by the RestoreOnStartup policies. This policy does affect the homepage, if that's set to open the New Tab page, as well as the startup page if it's set to open the New Tab page.
It is a best practice to provide fully canonicalized URL, if the URL is not fully canonicalized Google Chrome will default to https://.
Leaving the policy unset or empty puts the default New Tab page in use.
On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
Setting the policy lets you specify system behavior on startup. Turning this setting off amounts to leaving it unset as Google Chrome must have specified start up behavior.
If you set the policy, users can't change it in Google Chrome. If not set, users can change it.
Setting this policy to RestoreOnStartupIsLastSession or RestoreOnStartupIsLastSessionAndURLs turns off some settings that rely on sessions or that perform actions on exit, such as clearing browsing data on exit or session-only cookies.
If this policy is set to RestoreOnStartupIsLastSessionAndURLs, browser will restore previous session and open a separate window to show URLs that are set from RestoreOnStartupURLs. Note that users can choose to keep those URLs open and they will also be restored in the future session.
On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
If RestoreOnStartup is set to RestoreOnStartupIsURLs, then setting RestoreOnStartupURLs to a list of URLs specify which URLs open.
If not set, the New Tab page opens on start up.
On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
Setting the policy to enabled or leaving it unset allows for the device to recieve granular reporting controls. Setting the policy to Disabled means enrolled devices won't receive granular reporting controls.
This policy has no effect on the logging done by Android.
Setting the policy to Enabled or leaving it unset has enrolled devices periodically report their OS and firmware version.
Setting the policy to Disabled means enrolled devices don't report version info.
This policy has no effect on the logging done by Android.
Setting the policy to Enabled or leaving it unset has enrolled devices report the state of the device's dev switch when the machine booted.
Setting the policy to Disabled means enrolled devices don't report the state of the dev switch.
This policy has no effect on the logging done by Android.
Setting the policy to Enabled or leaving it unset has enrolled devices report the list of device users that signed in recently.
Setting the policy to Disabled means enrolled devices don't report the list of users.
This policy has no effect on the logging done by Android.
Setting the policy to Enabled or leaving it unset has enrolled devices report time periods when a user is active on the device.
Setting the policy to Disabled means enrolled devices don't record or report activity times.
This policy has no effect on the logging done by Android.
Setting the policy to enabled or leaving it unset has enrolled devices report device audio volume.
Setting the policy to Disabled means enrolled devices don't record or report audio status. Exception: System volume level information is controlled by ReportDeviceHardwareStatus for M95 and below.
This policy has no effect on the logging done by Android.
Report users network configuration on enrolled devices.
If the policy is set to false, the information will not be reported. If set to true or unset, the device's network configuration will be reported.
This policy has no effect on the logging done by Android.
This policy is deprecated in M96. Please use ReportDeviceNetworkConfiguration and ReportDeviceNetworkStatus instead.
Setting the policy to Enabled or leaving it unset has enrolled devices report the list of network interfaces with their types and hardware addresses. Setting the policy to Disabled means enrolled devices don't report the network interface.
This policy has no effect on the logging done by Android.
Report users network status on enrolled devices.
If the policy is set to false, the information will not be reported. If set to true or unset, the device's network status will be reported.
This policy has no effect on the logging done by Android.
This policy is deprecated as of M96. Please use ReportDeviceCpuInfo, ReportDeviceMemoryInfo, ReportDeviceStorageStatus, ReportDeviceSecurityStatus, and ReportDeviceAudioStatus instead.
Setting the policy to Enabled or leaving it unset has enrolled devices report hardware statistics such as CPU/RAM usage. Setting the policy to Disabled means enrolled devices don't report the hardware statistics.
This policy has no effect on the logging done by Android.
Setting the policy to Enabled or leaving it unset has enrolled devices report the active kiosk session information such as application ID and version.
Setting the policy to Disabled means enrolled devices don't report kiosk session information.
This policy has no effect on the logging done by Android.
Report information related to display, such as refresh rate, and information related to graphics, such as driver version.
If the policy is set to false or left unset, the display and graphics statuses will not be reported. If set to true, display and graphics statuses will be reported.
This policy has no effect on the logging done by Android.
Report information related to crash reports, such as remote id, capture timestamp and cause.
If the policy is set to false or left unset, the crash report information will not be reported. If set to true, crash report information will be reported.
This policy has no effect on the logging done by Android.
Report OS update information such as update status, platform version, last update check and last reboot.
If the policy is set to false or left unset, the OS update information will not be reported. If set to true, OS update information will be reported.
This policy has no effect on the logging done by Android.
Setting the policy to Enabled has enrolled devices report hardware statistics for SoC components.
Setting the policy to Disabled or leaving it unset means enrolled devices don't report the statistics.
This policy has no effect on the logging done by Android.
This policy is set to Enabled by default. It controls the enrolled devices to report the CPU model name, architecture, and maximum clock speed (and CPU utilization and temperature for M96 and above).
Setting the policy to Disabled means enrolled devices don’t report any CPU information. Exception CPU utilization and temperature reporting is controlled by ReportDeviceHardwareStatus for M95 and below.
This policy has no effect on the logging done by Android.
Report information for a device's timezone.
If the policy is set to false or left unset, the information will not be reported. If set to true, the device's currently set timezone will be reported.
This policy has no effect on the logging done by Android.
This policy is set to Enabled by default. It controls the enrolled devices to report the memory information.
Setting the policy to Disabled means enrolled devices don’t report any memory information. Exception: free memory information is controlled by ReportDeviceHardwareStatus for M95 or below.
This policy has no effect on the logging done by Android.
Report information about a device's backlights.
If the policy is set to false or left unset, the information will not be reported. If set to true, the device's backlight information will be reported.
This policy has no effect on the logging done by Android.
Setting the policy to True has enrolled devices report information related to peripherals that are plugged into the device.
Setting the policy to False or leaving it unset means enrolled devices don't report peripherals information.
This policy has no effect on the logging done by Android.
Setting the policy to Enabled has enrolled devices report hardware statistics and identifiers related to power.
Setting the policy to Disabled or leaving it unset means enrolled devices don't report power statistics.
This policy has no effect on the logging done by Android.
Setting the policy to enabled reports device TPM security status.
Setting the policy to Disabled or leaving it unset means enrolled devices don't record or report TPM security status. Exception: TPM information is controlled by ReportDeviceHardwareStatus for M95 and below.
This policy has no effect on the logging done by Android.
This policy is set to Enabled by default. It controls the enrolled devices to report hardware statistics and identifiers for storage devices.
Setting the policy to Disabled means enrolled devices don't report storage statistics. Eexception: Disk size and disk free space is controlled by ReportDeviceHardwareStatus for M95 and below.
This policy has no effect on the logging done by Android.
Report information for a device's application inventory and usage.
If the policy is set to false or left unset, the information will not be reported. If set to true, the device's applications and usage will be reported.
This policy has no effect on the logging done by Android.
Report a device's Bluetooth information.
If the policy is set to false or left unset, the information will not be reported. If set to true, the device's Bluetooth information will be reported.
This policy has no effect on the logging done by Android.
Report a device's fan information.
If the policy is set to false or left unset, the information will not be reported. If set to true, the device's fan information will be reported.
This policy has no effect on the logging done by Android.
Report a device's VPD information.
If the policy is set to false or left unset, the information will not be reported. If set to true, the device's VPD information will be reported. Vital Product Data (VPD) is a collection of configuration and informational data (such as part and serial numbers) associated with the device.
This policy has no effect on the logging done by Android.
Report a device's system information.
If the policy is set to false or left unset, the information will not be reported. If set to true, the device's system information will be reported.
This policy has no effect on the logging done by Android.
Report users login/logout events on enrolled devices including failed logins.
If the policy is set to false or left unset, the information will not be reported. If set to true, the device's login/logout events will be reported.
This policy has no effect on the logging done by Android.
Report CRD sessions events on enrolled devices for affiliated users.
If the policy is Disabled or left unset, the information will not be reported. If Enabled, the CRD events will be reported, if the user is affiliated
This policy has no effect on the logging done by Android.
Setting the policy determines how frequently to send device status uploads, in milliseconds. The minimum allowed is 60 seconds.
If not set, the default interval of 3 hours applies.
This policy has no effect on the logging done by Android.
If Android apps are on, then setting the policy to True has enrolled devices report Android status information.
Setting the policy to Disabled or leaving it unset means enrolled devices don't report Android status information
Setting the policy to Enabled sends monitoring network packets (heartbeats) to the management server to monitor online status, to allow the server to detect if the device is offline.
Setting the policy to Disabled or leaving it unset sends no packets.
This policy has no effect on the logging done by Android.
Setting the policy determines how frequently to send monitoring network packets, in milliseconds. Intervals range from 30 seconds to 24 hours. Values outside this range are clamped to this range.
If not set, the default interval of 3 minutes applies.
This policy has no effect on the logging done by Android.
Setting the policy to Enabled sends system logs to the management server, to allow admins to monitor system logs.
Setting the policy to Disabled or leaving it unset reports no system logs.
This policy has no effect on the logging done by Android.
Setting the policy to Enabled has Google Chrome OS report usage metrics and diagnostic data, including crash reports, back to Google. Setting the policy to Disabled turns off metrics and diagnostic data reporting.
Leaving the policy unset keeps metrics and diagnostic data reporting off on unmanaged devices and on for managed devices.
This policy also controls Android usage and diagnostic data collection.
Setting the policy to Enabled when wilco diagnostics and telemetry controller (DTC) is available on the device turns collecting, processing, and reporting of telemetry and diagnostics data on.
Setting the policy to Disabled or leaving it unset turns DTC off. It can't collect, process, or report telemetry and diagnostics data from the device.
Setting the policy configures the wilco diagnostics and telemetry controller (DTC), if available on the device. The setup size can't exceed 1MB (1,000,000 bytes) and must be in JSON format. The wilco DTC is responsible for handling it. The cryptographic hash verifies the integrity of the download. The configuration is downloaded and cached. It's redownloaded whenever the URL or the hash changes.
If you set this policy, users can't change it.
If SafeBrowsingEnabled is not Disabled, then setting AbusiveExperienceInterventionEnforce to Enabled or leaving it unset prevents sites with abusive experiences from opening new windows or tabs.
Setting SafeBrowsingEnabled to Disabled or AbusiveExperienceInterventionEnforce to Disabled lets sites with abusive experiences open new windows or tabs.
This policy specifies how long (in seconds) a cast device that was previously selected via an access code or QR code can be seen within the Google Cast menu of cast devices. The lifetime of an entry starts at the time the access code was first entered or the QR code was first scanned. During this period the cast device will appear in the Google Cast menu's list of cast devices. After this period, in order to use the cast device again the access code must be reentered or the QR code must be rescanned. By default, the period is zero seconds, so cast devices will not stay in the Google Cast menu, and so the access code must be reentered, or the QR code rescanned, in order to initiate a new casting session. Note that this policy only affects how long a cast devices appears in the Google Cast menu, and has no effect on any ongoing cast session which will continue even if the period expires. This policy has no effect unless the AccessCodeCastEnabled policy is Enabled.
This policy controls whether a user will be presented with an option, within the Google Cast menu which allows them to cast to cast devices that do not appear in the Google Cast menu, using either the access code or QR code displayed on the cast devices's screen. By default, a user must reenter the access code or rescan the QR code in order to initiate a subsequent casting session, but if the AccessCodeCastDeviceDuration policy has been set to a non-zero value (the default is zero), then the cast device will remain in the list of available cast devices until the specified period of time has expired. When this policy is set to Enabled, users will be presented with the option to select cast devices by using an access code or by scanning a QR code. When this policy is set to Disabled or not set, users will not be given the option to select cast devices by using an access code or by scanning a QR code.
The Get Image Descriptions from Google accessibility feature enables visually-impaired screen reader users to get descriptions of unlabeled images on the web. Users who choose to enable it will have the option of using an anonymous Google service to provide automatic descriptions for unlabeled images they encounter on the web.
If this feature is enabled, the content of images will be sent to Google servers in order to generate a description. No cookies or other user data is sent, and Google does not save or log any image content.
If this policy is set to Enabled, the Get Image Descriptions from Google feature will be enabled, though it will only affect users who are using a screen reader or other similar assistive technology.
If this policy is set to Disabled, users will not have the option of enabling the feature.
If this policy is not set, user can choose to use this feature or not.
This policy controls whether Google Chrome may query additional DNS record types when making insecure DNS requests. This policy has no effect on DNS queries made via Secure DNS, which may always query additional DNS types.
If this policy is unset or set to Enabled, additional types such as HTTPS (DNS type 65) may be queried in addition to A (DNS type 1) and AAAA (DNS type 28).
If this policy is set to Disabled, DNS will only be queried for A (DNS type 1) and/or AAAA (DNS type 28).
This policy is a temporary measure and will be removed in future versions of Google Chrome. After removal of the policy, Google Chrome will always be able to query additional DNS types.
Unless SafeBrowsingEnabled is set to False, then setting AdsSettingForIntrusiveAdsSites to 1 or leaving it unset allows ads on all sites.
Setting the policy to 2 blocks ads on sites with intrusive ads.
This policy controls whether users enrolled in the Advanced Protection program receive extra protections. Some of these features may involve the sharing of data with Google (for example, Advanced Protection users will be able to send their downloads to Google for malware scanning). If set to True or not set, enrolled users will receive extra protections. If set to False, Advanced Protection users will receive only the standard consumer features.
Setting the policy to Enabled or leaving it unset means browser history and download history can be deleted in Chrome, and users can't change this setting.
Setting the policy to Disabled means browser history and download history can't be deleted. Even with this policy off, the browsing and download history are not guaranteed to be retained. Users may be able to edit or delete the history database files directly, and the browser itself may expire or archive any or all history items at any time.
Setting the policy to True allows users to play the dinosaur game. Setting the policy to False means users can't play the dinosaur easter egg game when device is offline.
Leaving the policy unset means users can't play the game on enrolled Google Chrome OS, but can under other circumstances.
Setting the policy to Enabled or leaving it unset means Chrome can display, and users can open, file selection dialogs.
Setting the policy to Disabled means that whenever users perform actions provoking a file selection dialog, such as importing bookmarks, uploading files, and saving links, a message appears instead. The user is assumed to have clicked Cancel on the file selection dialog.
Setting the policy to Enabled or leaving it unset lets users who authenticate with a password lock the screen.
Setting the policy to Disabled means users can't lock the screen. (They can only sign out from the user session.)
Configures whether Google Chrome on Linux will use system notifications.
If set to True or not set, Google Chrome is allowed to use system notifications.
If set to False, Google Chrome will not use system notifications. Google Chrome's Message Center will be used as a fallback.
Setting the policy turns on Chrome's restricted sign-in feature in Google Workspace and prevents users from changing this setting. Users can only access Google tools using accounts from the specified domains (to allow gmail or googlemail accounts, add consumer_accounts to the list of domains). This setting prevents users from signing in and adding a Secondary Account on a managed device that requires Google authentication, if that account doesn't belong to one of the explicitly allowed domains.
Leaving this setting empty or unset means users can access Google Workspace with any account.
Users cannot change or override this setting.
Note: This policy causes the X-GoogApps-Allowed-Domains header to be appended to all HTTP and HTTPS requests to all google.com domains, as described in https://support.google.com/a/answer/1668854.
Setting the policy lets users choose one of the input methods for Google Chrome OS sessions that you specify.
If you leave it unset or set to an empty list, users can select all supported input methods.
Note: If the current input method is unsupported, it switches to the hardware keyboard layout (if allowed) or the first valid entry in this list. Invalid or unsupported methods are ignored.
Setting the policy lets users add only one of the languages listed in this policy to the list of preferred languages.
If not set or set to an empty list, users can specify languages as preferred.
If set to a list with invalid values, those values are ignored. If users added languages not allowed by this policy to the list of preferred languages, they're removed. If they had Google Chrome OS displayed in a language not allowed by this policy, the next time they sign in, the display language switches to an allowed UI language. Otherwise, if this policy only has invalid entries, Google Chrome OS switches to the first valid value specified by this policy or a fallback locale such as en-US.
Setting the policy to True means Google Chrome uses alternate error pages built into (such as "page not found"). Setting the policy to False means Google Chrome never uses alternate error pages.
If you set the policy, users can't change it. If not set, the policy is on, but users can change this setting.
Setting the policy to Enabled turns the internal PDF viewer off in Google Chrome, treats PDF files as a download, and lets users open PDFs with the default application.
Setting the policy to Disabled means that unless users turns off the PDF plugin, it will open PDF files.
If you set the policy, users can't change it in Google Chrome. If not set, users can choose whether to open PDF externally or not.
Configuring this policy will allow/disallow ambient authentication for Incognito and Guest profiles in Google Chrome.
Ambient Authentication is http authentication with default credentials if explicit credentials are not provided via NTLM/Kerberos/Negotiate challenge/response schemes.
Setting the RegularOnly (value 0), allows ambient authentication for Regular sessions only. Incognito and Guest sessions wouldn't be allowed to ambiently authenticate.
Setting the IncognitoAndRegular (value 1), allows ambient authentication for Incognito and Regular sessions. Guest sessions wouldn't be allowed to ambiently authenticate.
Setting the GuestAndRegular (value 2), allows ambient authentication for Guest and Regular sessions. Incognito sessions wouldn't be allowed to ambiently authenticate.
Setting the All (value 3), allows ambient authentication for all sessions.
Note that, ambient authentication is always allowed on regular profiles.
In Google Chrome version 81 and later, if the policy is left not set, ambient authentication will be enabled in regular sessions only.
Setting the policy specifies the locale Google Chrome uses.
Turning it off or leaving it unset means the locale will be the first valid locale from: 1) The user specified locale (if configured). 2) The system locale. 3) The fallback locale (en-US).
Setting the policy to Enabled or leaving it unset means that, with the exception of URLs set in the AudioCaptureAllowedUrls list, users get prompted for audio capture access.
Setting the policy to Disabled turns off prompts, and audio capture is only available to URLs set in the AudioCaptureAllowedUrls list.
Note: The policy affects all audio input (not just the built-in microphone).
For Android apps, this policy affects the microphone only. When this policy is set to true, the microphone is muted for all Android apps, with no exceptions.
Setting the policy means you specify the URL list whose patterns get matched to the security origin of the requesting URL. A match grants access to audio capture devices without prompt
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
Setting the policy to Enabled or leaving it unset allows all supported audio outputs on the users' devices.
Setting the policy to Disabled allows no audio output while users are signed in.
Note: The policy affects all audio output, including audio accessibility features. Do not turn the policy off if a user requires a screen reader.
This policy controls the priority of the audio process on Windows. If this policy is enabled, the audio process will run with above normal priority. If this policy is disabled, the audio process will run with normal priority. If this policy is not set, the default configuration for the audio process will be used. This policy is intended as a temporary measure to give enterprises the ability to run audio with higher priority to address certain performance issues with audio capture. This policy will be removed in the future.
This policy controls the audio process sandbox. If this policy is enabled, the audio process will run sandboxed. If this policy is disabled, the audio process will run unsandboxed and the WebRTC audio-processing module will run in the renderer process. This leaves users open to security risks related to running the audio subsystem unsandboxed. If this policy is not set, the default configuration for the audio sandbox will be used, which may differ per platform. This policy is intended to give enterprises flexibility to disable the audio sandbox if they use security software setups that interfere with the sandbox.
This policy is deprecated in M70, please use AutofillAddressEnabled and AutofillCreditCardEnabled instead.
Enables Google Chrome's AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information.
If you disable this setting, AutoFill will be inaccessible to users.
If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.
Allows you to set a list of protocols, and for each protocol an associated list of allowed origin patterns, that can launch an external application without prompting the user. The trailing separator should not be included when listing the protocol, so list "skype" instead of "skype:" or "skype://".
If this policy is set, a protocol will only be permitted to launch an external application without prompting by policy if the protocol is listed, and the origin of the site trying to launch the protocol matches one of the origin patterns in that protocol's allowed_origins list. If either condition is false the external protocol launch prompt will not be omitted by policy.
If this policy is not set, no protocols can launch without a prompt by default. Users may opt out of prompts on a per-protocol/per-site basis unless the ExternalProtocolDialogShowAlwaysOpenCheckbox policy is set to Disabled. This policy has no impact on per-protocol/per-site prompt exemptions set by users.
The origin matching patterns use a similar format to those for the 'URLBlocklist' policy, which are documented at http://www.chromium.org/administrators/url-blocklist-filter-format.
However, origin matching patterns for this policy cannot contain "/path" or "@query" elements. Any pattern that does contain a "/path" or "@query" element will be ignored.
List of URLs specifying which urls AutoOpenFileTypes will apply to. This policy has no impact on automatically open values set by users.
If this policy is set, files will only automatically open by policy if the url is part of this set and the file type is listed in AutoOpenFileTypes. If either condition is false the download won't automatically open by policy.
If this policy isn't set, all downloads where the file type is in AutoOpenFileTypes will automatically open.
A URL pattern has to be formatted according to https://www.chromium.org/administrators/url-blocklist-filter-format.
List of file types that should be automatically opened on download. The leading separator should not be included when listing the file type, so list "txt" instead of ".txt".
Files with types that should be automatically opened will still be subject to the enabled safe browsing checks and won't be opened if they fail those checks.
If this policy isn't set, only file types that a user has already specified to automatically be opened will do so when downloaded.
On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
Setting the policy to True or leaving it unset gives users control of Autofill for addresses in the UI.
Setting the policy to False means Autofill never suggests or fills address information, nor does it save additional address information that users submit while browsing the web.
Setting the policy to True or leaving it unset means users can control autofill suggestions for credit cards in the UI.
Setting the policy to False means autofill never suggests or fills credit card information, nor will it save additional credit card information that users might submit while browsing the web.
Setting the policy to True lets Google Chrome autoplay media. Setting the policy to False stops Google Chrome from autoplaying media.
By default, Google Chrome doesn't autoplay media. But, for certain URL patterns, you can use the AutoplayAllowlist policy to change this setting.
If this policy changes while Google Chrome is running, it only applies to newly opened tabs.
Setting the policy lets videos play automatically (without user consent) with audio content in Google Chrome. If AutoplayAllowed policy is set to True, then this policy has no effect. If AutoplayAllowed is set to False, then any URL patterns set in this policy can still play. If this policy changes while Google Chrome is running, it only applies to newly opened tabs.
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
When enabled the BackForwardCache feature allows the use of the back-forward cache. When navigating away from a page, its current state (document tree, script, etc.) may be preserved in the back-forward cache. If the browser navigates back to the page, the page may be restored from the back-forward cache and displayed in the state it was in before being cached.
This feature might cause issues for some websites that do not expect this caching. In particular, some websites depend on the "unload" event being dispatched when the browser navigates away from the page. The "unload" event will not be dispatched if the page enters the back-forward cache.
If this policy is set to enabled or not set, the BackForwardCache feature will be enabled.
If this policy is set to disabled then the feature will be force disabled.
Setting the policy to Enabled turns background mode on. In background mode, a Google Chrome process is started on OS sign-in and keeps running when the last browser window is closed, allowing background apps and the browsing session to remain active. The background process displays an icon in the system tray and can always be closed from there.
Setting the policy to Disabled turns background mode off.
If you set the policy, users can't change it in the browser settings. If unset, background mode is off at first, but users can change it.
Setting the policy to Enabled prevents webpage elements that aren't from the domain that's in the browser's address bar from setting cookies. Setting the policy to Disabled lets those elements set cookies and prevents users from changing this setting.
Leaving it unset turns third-party cookies on, but users can change this setting.
Setting the policy to True displays a bookmark bar in Google Chrome. Setting the policy to False means users never see the bookmark bar.
If you set the policy, users can't change it. If not set, users decide whether to use this function.
If this policy is set to true or not configured, Google Chrome and Lacros will allow to add a new person from the user manager.
If this policy is set to false, Google Chrome and Lacros will not allow adding a new person from the user manager.
Note: If this policy is not configured or set to true, but LacrosSecondaryProfilesAllowed is set to false, Lacros will not allow adding a new person from the user manager.
If this policy is set to true or not configured, Google Chrome and Lacros will enable guest logins. Guest logins are Google Chrome profiles where all windows are in incognito mode.
If this policy is set to false, Google Chrome and Lacros will not allow guest profiles to be started.
Note: If this policy is not configured or set to true, but LacrosSecondaryProfilesAllowed is set to false, Lacros will not allow guest profiles to be started.
Setting the policy to Enabled means Google Chrome enforces guest sessions and prevents profile sign-ins. Guest sign-ins are Google Chrome profiles where windows are in Incognito mode.
Setting the policy to Disabled, leaving it unset, or disabling browser Guest mode (through BrowserGuestModeEnabled) allows the use of new and existing profiles.
Setting the policy to Enabled or leaving the policy unset means that users can access browser experimental features through an icon in the toolbar
Setting the policy to Disabled removes the browser experimental features icon from the toolbar.
chrome://flags and any other means of turning off and on browser features will still behave as expected regardless of whether this policy is Enabled or Disabled.
Setting the policy to Enabled or leaving it unset will permit Google Chrome to apply the additional extension point security mitigation to block legacy extension points in the Browser process.
Setting the policy to Disabled has a detrimental effect on Google Chrome's security and stability as unknown and potentially hostile code can load inside Google Chrome's browser process. Only turn off the policy if there are compatibility issues with third-party software that must run inside Google Chrome's browser process.
Note: Read more about Process mitigation policies ( https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md#Process-mitigation-policies ).
Setting the policy to Enabled or leaving it unset means Google Chrome send occasional queries to a Google server to retrieve an accurate timestamp.
Setting the policy to Disabled stops Google Chrome from sending these queries.
This policy controls the sign-in behavior of the browser. It allows you to specify if the user can sign in to Google Chrome with their account and use account related services like Google Chrome Sync.
If the policy is set to "Disable browser sign-in" then the user cannot sign in to the browser and use account-based services. In this case browser-level features like Google Chrome Sync cannot be used and will be unavailable. On iOS, if the user was signed in and the policy is set to "Disabled" they will be signed out immediately. On other platforms, they will be signed out the next time they run Google Chrome. On all platforms, their local profile data like bookmarks, passwords etc. will be preserved and still usable. The user will still be able to sign into and use Google web services like Gmail.
If the policy is set to "Enable browser sign-in," then the user is allowed to sign in to the browser. On all platforms except iOS, the user is automatically signed in to the browser when signed in to Google web services like Gmail. Being signed in to the browser means the user's account information will be kept by the browser. However, it does not mean that Google Chrome Sync will be turned on by default; the user must separately opt-in to use this feature. Enabling this policy will prevent the user from turning off the setting that allows browser sign-in. To control the availability of Google Chrome Sync, use the SyncDisabled policy.
If the policy is set to "Force browser sign-in" the user is presented with an account selection dialog and has to choose and sign in to an account to use the browser. This ensures that for managed accounts the policies associated with the account are applied and enforced. The default value of BrowserGuestModeEnabled will be set to disabled. Note that existing unsigned profiles will be locked and inaccessible after enabling this policy. For more information, see help center article: https://support.google.com/chrome/a/answer/7572556 . This option is not supported on Linux, Android or iOS. It will fall back to "Enable browser sign-in" if used.
If this policy is not set then the user can decide if they want to enable browser sign-in in the Google Chrome settings and use it as they see fit.
This policy allows admins to configure the color of Google Chrome's theme. The input string should be a valid hex color string matching the format "#RRGGBB".
Setting the policy to a valid hex color causes a theme based on that color to be automatically generated and applied to the browser. Users won't be able to change the theme set by the policy.
Leaving the policy unset lets users change their browser's theme as preferred.
Configures browsing data lifetime settings for Google Chrome. This policy allows admins to configure (per data-type) when data is deleted by the browser. This is useful for customers that work with sensitive customer data. The policy will only take effect if SyncDisabled is set to true.
The available data types are 'browsing_history', 'download_history', 'cookies_and_other_site_data', 'cached_images_and_files', 'password_signin', 'autofill', 'site_settings' and 'hosted_app_data'.
The browser will automatically remove data of selected types that is older than 'time_to_live_in_hours'. The minimum value that can be set is 1 hour.
The deletion of expired data will happen 15 seconds after the browser starts then every hour while the browser is running.
This policy controls which software stack is used to communicate with the DNS server: the Operating System DNS client, or Google Chrome's built-in DNS client. This policy does not affect which DNS servers are used: if, for example, the operating system is configured to use an enterprise DNS server, that same server would be used by the built-in DNS client. It also does not control if DNS-over-HTTPS is used; Google Chrome will always use the built-in resolver for DNS-over-HTTPS requests. Please see the DnsOverHttpsMode policy for information on controlling DNS-over-HTTPS.
If this policy is set to Enabled, the built-in DNS client will be used, if available.
If this policy is set to Disabled, the built-in DNS client will only be used when DNS-over-HTTPS is in use.
If this policy is left unset, the built-in DNS client will be enabled by default on macOS, Android (when neither Private DNS nor VPN are enabled) and Google Chrome OS.
When this setting is enabled, Google Chrome will perform verification of server certificates using the built-in certificate verifier. When this setting is disabled, Google Chrome will perform verification of server certificates using the legacy certificate verifier provided by the platform. When this setting is not set, the built-in or the legacy certificate verifier may be used.
This policy is planned to be removed in Google Chrome for macOS version 107, when support for the legacy certificate verifier on macOS is planned to be removed.
Setting the policy to All (0) or leaving it unset lets users edit trust settings for all CA certificates, remove user-imported certificates, and import certificates using Certificate Manager. Setting the policy to UserOnly (1) lets users manage only user-imported certificates, but not change trust settings of built-in certificates. Setting it to None (2) lets users view (not manage) CA certificates.
If this policy is not configured, or is set to enabled, then Google Chrome will follow the default rollout process for CECPQ2, a post-quantum key-agreement algorithm in TLS.
CECPQ2 results in larger TLS messages which, in very rare cases, can trigger bugs in some networking hardware. This policy can be set to False to disable CECPQ2 while networking issues are resolved.
This policy is a temporary measure and will be removed in future versions of Google Chrome.
Configures support of CORS non-wildcard request headers.
Google Chrome version 97 introduces support for CORS non-wildcard request headers. When scripts make a cross-origin network request via fetch() and XMLHttpRequest with a script-added Authorization header, the header must be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response. "Explicitly" here means that the wild card symbol "*" doesn't cover the Authorization header. See https://www.chromest atus.com/feature/5768642492891136 for more detail.
If this policy is not set, or set to True, Google Chrome will support the CORS non-wildcard request headers and behave as described above.
When this policy is set to False, chrome will allow the wildcard symbol ("*") in the Access-Control-Allow-Headers header in the CORS preflight response to cover the Authorization header.
This Enterprise policy is temporary; it's intended to be removed after Google Chrome version 103.
Setting the policy to Enabled lets Google Chrome OS bypass any proxy for captive portal authentication. These authentication webpages, starting from the captive portal sign-in page until Chrome detects a successful internet connection, open in a separate window, ignoring all policy settings and restrictions for the current user. This policy only takes effect if a proxy is set up (by policy, extension, or the user in chrome://settings).
Setting the policy to Disabled or leaving it unset means any captive portal authentication pages are shown in a (regular) new browser tab, using the current user's proxy settings.
Setting the policy turns off enforcement of Certificate Transparency disclosure requirements for a list of subjectPublicKeyInfo hashes. Enterprise hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed). To turn off enforcement, the hash must meet one of these conditions:
* It's of the server certificate's subjectPublicKeyInfo.
* It's of a subjectPublicKeyInfo that appears in a Certificate Authority (CA) certificate in the certificate chain. That CA certificate is constrained through the X.509v3 nameConstraints extension, one or more directoryName nameConstraints are present in the permittedSubtrees, and the directoryName has an organizationName attribute.
* It's of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, the CA certificate has one or more organizationName attributes in the certificate Subject, and the server's certificate has the same number of organizationName attributes, in the same order, and with byte-for-byte identical values.
Specify a subjectPublicKeyInfo hash by linking the hash algorithm name, a slash, and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. Base64 encoding format matches that of an SPKI Fingerprint. The only recognized hash algorithm is sha256; others are ignored.
Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then Google Chrome doesn't trust those certificates.
Setting the policy turns off enforcement of Certificate Transparency disclosure requirements for a list of Legacy Certificate Authorities (CA) for certificate chains with a specified subjectPublicKeyInfo hash. Enterprise hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed). To turn off enforcement, the subjectPublicKeyInfo hash must appear in a CA certificate recognized as a Legacy CA. A Legacy CA is publicly trusted by one or more operating systems supported by Google Chrome, but not Android Open Source Project or Google Chrome OS.
Specify a subjectPublicKeyInfo hash by linking the hash algorithm name, a slash and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. Base64 encoding format matches that of an SPKI Fingerprint. The only recognized hash algorithm is sha256; others are ignored.
Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then Google Chrome doesn't trust those certificates.
Setting the policy turns off Certificate Transparency disclosure requirements for the hostnames in the specified URLs. While making it harder to detect misissued certificates, hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed).
Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then Google Chrome doesn't trust those certificates.
A URL pattern follows this format ( https://www.chromium.org/administrators/url-blocklist-filter-format ). However, because the validity of certificates for a given hostname is independent of the scheme, port, or path, Google Chrome only considers the hostname portion of the URL. Wildcard hosts aren't supported.
Setting the policy to Enabled or leaving it unset means Chrome Cleanup periodically scans the system for unwanted software and should any be found, will ask the user if they wish to remove it. Manually triggering Chrome Cleanup from chrome://settings is allowed.
Setting the policy to Disabled means Chrome Cleanup won't periodically scan and manual triggering is disabled.
On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management.
Setting the policy to Enabled means if Chrome Cleanup detects unwanted software, it may, in line with policy set by SafeBrowsingExtendedReportingEnabled, report about the scan to Google. Chrome Cleanup asks users if they want the cleanup. It sends results to Google.
Setting the policy to Disabled means if Chrome Cleanup detects unwanted software, it won't report about the scan to Google, regardless of the value of SafeBrowsingExtendedReportingEnabled. Chrome Cleanup asks users if they want the cleanup. The results aren't reported to Google.
Leaving the policy unset means Chrome Cleanup may, in line with policy set by SafeBrowsingExtendedReportingEnabled, report about scans for detecting unwanted software to Google. Chrome Cleanup asks users if they want the cleanup and to share the results with Google to help with future unwanted software detection. These results have file metadata, automatically installed extensions, and registry keys, as described by the Chrome Privacy Whitepaper.
On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management.
Setting the policy to Enabled means Google Chrome OS asks users for a password to unlock the device when it becomes idle.
Setting the policy to Disabled means users are not asked for a password to unlock the device from sleep.
Leaving the policy unset lets the user choose whether to be prompted for a password to unlock the device from sleep.
Control the user behavior in a multiprofile session on Google Chrome OS devices.
If this policy is set to 'MultiProfileUserBehaviorUnrestricted', the user can be either primary or secondary user in a multiprofile session.
If this policy is set to 'MultiProfileUserBehaviorMustBePrimary', the user can only be the primary user in a multiprofile session.
If this policy is set to 'MultiProfileUserBehaviorNotAllowed', the user cannot be part of a multiprofile session.
If you set this setting, users cannot change or override it.
If the setting is changed while the user is signed into a multiprofile session, all users in the session will be checked against their corresponding settings. The session will be closed if any one of the users is no longer allowed to be in the session.
If the policy is left not set, the default value 'MultiProfileUserBehaviorMustBePrimary' applies for enterprise-managed users and 'MultiProfileUserBehaviorUnrestricted' will be used for non-managed users.
When multiple users are logged in, only the primary user can use Android apps.
Configuring this policy allows to specify which variations are allowed to be applied in Google Chrome.
Variations provide a means for offering modifications to Google Chrome without shipping a new version of the browser by selectively enabling or disabling already existing features. See https://support.google.com/chrome/a?p=Manage_the_Chrome_variations_framework for more information.
Setting the VariationsEnabled (value 0), or leaving the policy not set allows all variations to be applied to the browser.
Setting the CriticalFixesOnly (value 1), allows only variations considered critical security or stability fixes to be applied to Google Chrome.
Setting the VariationsDisabled (value 2), prevent all variations from being applied to the browser. Please note that this mode can potentially prevent the Google Chrome developers from providing critical security fixes in a timely manner and is thus not recommended.
Configures a list of browsing data types that should be deleted when the user closes all browser windows. The available data types are browsing history (browsing_history), download history (download_history), cookies (cookies_and_other_site_data), cache(cached_images_and_files), autofill (autofill), passwords (password_signin), site settings (site_settings) and hosted apps data (hosted_app_data). This policy does not take precedence over AllowDeletingBrowserHistory.
This policy requires the SyncDisabled policy to be set to true, otherwise it will be ignored. If this policy is set at platform level, Sync should be disabled at platform level. If this policy is set at user level, Sync should be disabled for that user in order for this policy to take effect.
If Google Chrome does not exit cleanly (for example, if the browser or the OS crashes), the browsing data will be cleared the next time the profile is loaded.
Enable the Click to Call feature which allows users to send phone numbers from Chrome Desktops to an Android device when the user is Signed-in. For more information, see help center article: https://support.google.com/chrome/answer/9430554?hl=en.
If this policy is set to enabled, the capability of sending phone numbers to Android devices will be enabled for the Chrome user.
If this policy is set to disabled, the capability of sending phone numbers to Android devices will be disabled for the Chrome user.
If you set this policy, users cannot change or override it.
If this policy is left unset, the Click to Call feature is enabled by default.
Setting the policy to 'All' (value 0) or leaving it unset lets users manage certificates. Setting the policy to 'None' (value 2) means users can only view (not manage) certificates.
Setting the policy to 'UserOnly' (value 1) lets users manage user certificates, but not device-wide certificates.
Setting the policy to Enabled mandates Chrome Browser Cloud Management enrollment and blocks Google Chrome launch process if failed.
Setting the policy to Disabled or leaving it unset renders Chrome Browser Cloud Management optional and doesn't block Google Chrome launch process if failed.
Machine scope cloud policy enrollment on desktop uses this policy. See https://support.google.com/chrome/a/answer/9301891?ref_topic=9301744 for details.
Setting the policy means Google Chrome tries to register itself with Chrome Browser Cloud Management. The value of this policy is an enrollment token you can retrieve from the Google Admin console.
See https://support.google.com/chrome/a/answer/9301891?ref_topic=9301744 for details.
Setting the policy to Enabled means cloud policy takes precedence if it conflicts with platform policy.
Setting the policy to Disabled or leaving it unset means platform policy takes precedence if it conflicts with cloud policy.
This mandatory policy affects machine scope cloud policies.
Setting the policy to Enabled allows policies associated with a Google Workspace account to be merged into machine-level policies.
Only policies originating from secure users can be merged. A secure user is affiliated with the organization that manages their browser using Chrome Browser Cloud Management. All other user-level policies will always be ignored.
Policies that need to be merged also need to be set in either PolicyListMultipleSourceMergeList or PolicyDictionaryMultipleSourceMergeList. This policy will be ignored if neither of the two aforementioned policies is configured.
Leaving the policy unset or setting it to Disabled prevents user-level cloud policies from being merged with policies from any other sources.
Setting the policy to Enabled allows policies associated with a Google Workspace account to take precedence if they conflict with Chrome Browser Cloud Management policies.
Only policies originating from secure users can take precedence. A secure user is affiliated with the organization that manages their browser using Chrome Browser Cloud Management. All other user-level policies will have default precedence.
The policy can be combined with CloudPolicyOverridesPlatformPolicy. If both policies are enabled, user cloud policies will also take precedence over conflicting platform policies.
Leaving the policy unset or setting it to disabled causes user-level cloud policies to have default priority.
Setting the policy to Enabled or leaving it unset means security warnings appear when potentially dangerous command-line flags are used to launch Chrome.
Setting the policy to Disabled prevents security warnings from appearing when Chrome is launched with potentially dangerous command-line flags.
On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
Enables component updates for all components in Google Chrome when not set or set to enabled.
If set to disabled, updates to components are disabled. However, some components are exempt from this policy: updates to any component that does not contain executable code and is critical for the security of the browser will not be disabled. Examples of such components include the certificate revocation lists and subresource filters.
Setting the policy to True or leaving it unset makes Touch to Search available to the user, and they can turn the feature on or off.
Setting the policy to False turns Touch to Search off completely.
This policy configures a local switch that can be used to disable DNS interception checks. The checks attempt to discover whether the browser is behind a proxy that redirects unknown host names.
This detection may not be necessary in an enterprise environment where the network configuration is known, since it causes some amount of DNS and HTTP traffic on start-up and each DNS configuration change.
When this policy is not set, or is enabled, the DNS interception checks are performed. When explicitly disabled, they're not.
This policy sets the minimal data size (in bytes) of the data in the clipboard that will be checked against clipboard restriction rules defined in DataLeakPreventionRulesList policy. If not set, it defaults to 0 that means that all pastes from the clipboard will be checked according to the configured rules.
This policy is a general switch for all rules defined in the DataLeakPreventionRulesList policy. Setting this policy to True will switch on real-time reporting of data leak prevention events. Setting this policy to False or leaving it unset will switch off the reporting. Rules defined with ALLOW level restrictions in DataLeakPreventionRulesList will not report events in both cases.
Configures a list of rules to prevent data leak on Google Chrome OS. Data leak can happen by copying and pasting data, transferring files, printing, screensharing, or taking screenshots ...etc.
Each rule consists of the following: - A list of sources defined as URLs. Any data in the sources will be considered confidential data, to which the restrictions will be applied. - A list of destinations defined as URLs or components, to which the confidential data is either allowed or disallowed to be shared. - A list of restrictions to be applied on the data of the sources.
Rules can be added to: - Control the clipboard data shared between the sources and the destinations. - Control taking screenshots of any of the sources. - Control printing of any of the sources. - Control the privacy screen when any of the sources is visible. - Control screen sharing of any of the sources.
The restriction level can be set to BLOCK, ALLOW, REPORT, WARN. - If the restriction level is set to BLOCK, the action won't be allowed. If DataLeakPreventionReportingEnabled is set to True, the blocked action will be reported to the admin. - If the restriction level is set to ALLOW, the action will be allowed. - If the restriction level is set to REPORT and DataLeakPreventionReportingEnabled is set to True, the action will be reported to the admin. - If the restriction level is set to WARN, a user will be warned and may choose to proceed with or cancel the action. If DataLeakPreventionReportingEnabled is set to True, showing the warning will be reported to the admin; proceeding with the action will also be reported.
Notes: - PRIVACY_SCREEN restriction doesn't block the ability to turn on privacy screen, but enforces it when the restriction class is set to BLOCK. - Destinations cannot be empty in case one of the restrictions is CLIPBOARD, but they don't make any difference for the remaining restrictions. - Format the URL patterns according to this format ( https://www.chromium.org/administrators/url-blocklist-filter-format ).
If the policy is left not set, no restrictions will be applied.
Setting the policy to True has Google Chrome always check whether it's the default browser on startup and, if possible, automatically register itself. Setting the policy to False stops Google Chrome from ever checking if it's the default and turns user controls off for this option.
Leaving the policy unset means Google Chrome lets users control whether it's the default and, if not, whether user notifications should appear.
Note: For Microsoft®Windows® administrators, turning this setting on only works for machines running Windows 7. For later versions, you must deploy a "default application associations" file that makes Google Chrome the handler for the https and http protocols (and, optionally, the ftp protocol and other file formats). See Chrome Help ( https://support.google.com/chrome?p=make_chrome_default_win ).
Setting the policy changes the default directory that Chrome downloads files to, but users can change the directory.
Leaving the policy unset means Chrome uses its platform-specific default directory.
This policy has no effect if the policy DownloadDirectory is set.
Note: See a list of variables you can use ( https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables ).
Enables the use of a default search provider on the context menu.
If you set this policy to disabled the search context menu item that relies on your default search provider will not be available.
If this policy is set to enabled or not set, the context menu item for your default search provider will be available.
The policy value is only appled when the DefaultSearchProviderEnabled policy is enabled, and is not applicable otherwise.
Setting the policy to True or leaving it unset lets users share or save the current webpage using actions provided by the desktop sharing hub. The sharing hub is accessed through either an omnibox icon or the 3-dot menu.
Setting the policy to False removes the sharing icon from the omnibox and the entry from the 3-dot menu.
Setting the policy to 0 (the default) means you can access the developer tools and the JavaScript console, but not in the context of extensions installed by enterprise policy. Setting the policy to 1 means you can access the developer tools and the JavaScript console in all contexts, including that of extensions installed by enterprise policy. Setting the policy to 2 means you can't acess developer tools, and you can't inspect website elements.
This setting also turns off keyboard shortcuts and menu or context menu entries to open developer tools or the JavaScript console.
As of Google Chrome version 99, this setting also controls entry points for the 'View page source' feature. If you set this policy to 'DeveloperToolsDisallowed' (value 2), users cannot access source viewing via keyboard shortcut or the context menu. To fully block source viewing, you must also add 'view-source:*' to the URLBlocklist policy.
This policy also controls access to Android Developer Options. If you set this policy to 'DeveloperToolsDisallowed' (value 2), users cannot access Developer Options. If you set this policy to another value or leave it unset, users can access Developer Options by tapping seven times on the build number in the Android settings app.
This policy is deprecated in M68, please use DeveloperToolsAvailability instead.
Disables the Developer Tools and the JavaScript console.
If you enable this setting, the Developer Tools can not be accessed and web-site elements can not be inspected anymore. Any keyboard shortcuts and any menu or context menu entries to open the Developer Tools or the JavaScript Console will be disabled.
Setting this option to disabled or leaving it not set allows the user to use the Developer Tools and the JavaScript console.
If the policy DeveloperToolsAvailability is set, the value of the policy DeveloperToolsDisabled is ignored.
This policy also controls access to Android Developer Options. If you set this policy to true, users cannot access Developer Options. If you set this policy to false or leave it unset, users can access Developer Options by tapping seven times on the build number in the Android settings app.
If this policy is disabled or unset, all display settings that were set in Managed guest session will be reset as soon as the session finishes. If this policy is set to True, display properties will persist after exiting the managed guest session.
This policy allows admins to configure Bluetooth services that Google Chrome OS is allowed to connect to.
When this policy is set, Google Chrome OS only allows users to connect to the specified Bluetooth services with an exception when the list is empty which means any service is allowed to use. UUIDs reserved by the Bluetooth SIG can be represented as '0xABCD' or 'ABCD'. Custom UUIDs can be represented as 'AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'. UUIDs are case insensitive. Leaving this policy unset lets users connect to any Bluetooth service.
Setting the policy to allow some origins of force-installed web applications to get device attributes (e.g. serial number, hostname) by using Device Attributes API.
Device Attributes API is a list of web APIs, please see https://wicg.github.io/WebApiDevice/device_attributes. They are only available to origins which correspond to force-installed web applications via WebAppInstallForceList or the one configured in the Kiosk session.
Configuring this policy allows to specify which variations are allowed to be applied on an enterprise-managed Google Chrome OS device.
Variations provide a means for offering modifications to Google Chrome OS without shipping a new version by selectively enabling or disabling already existing features. See https://support.google.com/chrome/a?p=Manage_the_Chrome_variations_framework for more information.
Setting the VariationsEnabled (value 0), or leaving the policy not set allows all variations to be applied to Google Chrome OS.
Setting the CriticalFixesOnly (value 1), allows only variations considered critical security or stability fixes to be applied to Google Chrome OS.
Setting the VariationsDisabled (value 2), will prevent all variations from being applied to the browser on the login screen. Please note that this mode can potentially prevent the Google Chrome OS developers from providing critical security fixes in a timely manner and is thus not recommended.
Allow network packet captures on device for debugging.
If the policy is set to true or left unset, user will be able to perform network packet captures on device. If set to false, network packet capture won't be available on the device.
This policy has no effect on the logging done by Android.
Setting the policy to True or leaving it unset allows for events, telemetry and info to be reported to the Encrypted Reporting Pipeline. Setting the policy to False disables the Encrypted Reporting Pipeline.
This policy has no effect on the logging done by Android.
This policy controls whether the improved international keyboard shortcut mapping is enabled. This feature ensures keyboard shortcuts work consistently with international keyboard layouts and deprecate legacy shortcuts.
If this policy is disabled, improved international keyboards shortcuts are disabled. If this policy is enabled, improved international keyboards shortcuts are enabled. If unset, this policy is enabled for managed devices and enabled for consumer-owned devices. Note this is only a temporarily policy to allow managed users to still be able to use deprecated legacy shortcuts. This policy will deprecate after customized keyboard shortcuts are available.
Note that this policy is deprecated and will be removed in Google Chrome OS version 88. Public sessions are no longer supported. Please use DeviceLocalAccounts to configure managed-guest sessions instead. If this policy is set to false, managed guest session will behave as documented in https://support.google.com/chrome/a/answer/3017014 - the standard "Public Session".
If this policy is set to true or left unset, managed guest session will take on "Managed Session" behaviour which lifts many of the restrictions that are in place for regular "Public Sessions".
If this policy is set, the user cannot change or override it.
Switch the primary mouse button to the right button on the login screen.
If this policy is set to enabled, the right button of the mouse will always be the primary key on the login screen.
If this policy is set to disabled, the left button of the mouse will always be the primary key on the login screen.
If you set this policy, users cannot change or override it.
If this policy is left unset, the left button of the mouse will be the primary key on the login screen initially, but can be switched by the user anytime.
Setting the policy lets you list the URL patterns that specify which sites are automatically granted permission to access a USB device with the given vendor and product IDs on the login screen. Each item in the list requires both devices and urls fields for the policy to be valid. Each item in the devices field can have a vendor_id and product_id field. Omitting the vendor_id field will create a policy matching any device. Omitting the product_id field will create a policy matching any device with the given vendor ID. A policy which has a product_id field without a vendor_id field is invalid.
The USB permission model will grant the specified URL permission to access the USB device as a top-level origin. If embedded frames need to access USB devices, the 'usb' feature-policy header should be used to grant access. The URL must be valid, otherwise the policy is ignored.
Deprecated: The USB permission model used to support specifying both the requesting and embedding URLs. This is deprecated and only supported for backwards compatiblity in this manner: if both a requesting and embedding URL is specified, then the embedding URL will be granted the permission as top-level origin and the requsting URL will be ignored entirely.
Leaving the policy unset puts the global default value in use for all sites (no automatic access).
If this policy is disabled user will not be able to fully connect their Thunderbolt/USB4 peripheral device through PCIe tunneling.
If this policy is enabled, user will be able to fully connect their Thunderbolt/USB4 peripheral device through PCIe tunneling.
If policy is left unset, defaults to false and the user will be able to select whichever state (true/false) for this setting.
Setting the policy to Enabled or leaving it unset lets a device trigger powerwash.
Setting the policy to Disabled doesn't let a device trigger powerwash. An exception to still allow a powerwash can occur if TPMFirmwareUpdateSettings is set to a value that lets the TPM firmware update, but it hasn't updated yet.
This policy, when set to ArcSession, forces the device to reboot when a user sign out if Android has started. This policy, when set to ArcSessionOrVMStart, forces the device to reboot when a user sign out if Android or a VM has started. When set to Always, it forces the device to reboot on every user sign out. If left unset, it has no effect and no reboot is forced on user sign out. The same applies if set to Never. This policy has effect only for unaffiliated users.
If this policy is set to "lts" it allows the device to receive LTS (long term support) updates.
The policy only applies to managed guest sessions. It has to be enabled for Imprivata's shared workstation mode to allow in-session user switches. Setting the policy to True will forcefully override certain policies for features, which persist sensitive user data and are not handled by the clean-up mechanism used for in-session user switches with Imprivata shared workstation mode. Setting the policy to False or leaving it unset will not override any policies.
Allows setting a custom schedule to reboot devices. The policy currently applies only to devices which have enabled auto-launch app in the Kiosk session. Once set to True, the device will reboot to the schedule. The policy must be removed to cancel any more scheduled reboots.
Allows setting a custom schedule to check for updates. This applies to all users, and to all interfaces on the device. Once set, the device will check for updates according to the schedule. The policy must be removed to cancel any more scheduled update checks.
This setting allows to collect a system-wide performance trace using the system tracing service.
If this policy is disabled, the user cannot collect a system-wide trace using the system tracing service. If this policy is enabled, the user can collect a system-wide trace using system tracing service. If unset, this policy is disabled for managed devices and enabled for consumer-owned devices. Note that setting this policy to disabled only disables system-wide trace collection. Browser trace collection is unaffected by this policy.
Setting the policy to True (or setting HardwareAccelerationModeEnabled to False) prevents webpages from accessing the WebGL API, and plugins can't use the Pepper 3D API.
Setting the policy to False or leaving it unset lets webpages use the WebGL API and plugins use the Pepper 3D API, but the browser's default settings might still require command line arguments to use these APIs.
Setting the policy to Enabled prevents users from proceeding past the warning page the Safe Browsing service shows to the malicious site. This policy only prevents users from proceeding on Safe Browsing warnings such as malware and phishing, not for SSL certificate-related issues such as invalid or expired certificates.
Setting the policy to Disabled or leaving it unset means users can choose to proceed to the flagged site after the warning appears.
See more about Safe Browsing ( https://developers.google.com/safe-browsing ).
Setting the policy to True disallows screenshots taken with keyboard shortcuts or extension APIs. Setting the policy to False allows screenshots.
This policy is deprecated, please use URLBlocklist instead.
Disables the listed protocol schemes in Google Chrome.
URLs using a scheme from this list will not load and can not be navigated to.
If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome.
Setting the policy has Google Chrome use the directory you provide for storing cached files on the disk—whether or not users specify the --disk-cache-dir flag.
If not set, Google Chrome uses the default cache directory, but users can change that setting with the --disk-cache-dir command line flag.
Google Chrome manages the contents of a volume's root directory. So to avoid data loss or other errors, do not set this policy to the root directory or any directory used for other purposes. See the variables you can use ( https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables ).
Setting the policy to None has Google Chrome use the default cache size for storing cached files on the disk. Users can't change it.
If you set the policy, Google Chrome uses the cache size you provide—whether or not users specify the --disk-cache-size flag. (Values below a few megabytes are rounded up.)
If not set, Google Chrome uses the default size. Users can change that setting using the --disk-cache-size flag.
Note: The value specified in this policy is used as a hint to various cache subsystems in the browser. Therefore the actual total disk consumption of all caches will be higher but within the same order of magnitude as the value specified.
The display-capture permissions-policy gates access to getDisplayMedia(), as per this spec: https://www.w3.org/TR/screen-capture/#feature-policy-integration. However, if this policy is Disabled, this requirement is not enforced, and getDisplayMedia() is allowed from contexts that would otherwise be forbidden. This Enterprise policy is temporary; it's intended to be removed after Google Chrome version 100. It is intended to unblock Enterprise users whose application is non-spec compliant, but needs time to be fixed.
When enabled or not set, sites can only call getDisplayMedia() from contexts which are allowlisted by the display-capture permissions-policy.
When disabled, sites can call getDisplayMedia() even from contexts which are not allowlisted by the display-capture permissions policy. Note that other restrictions may still apply.
Controls the mode of the DNS-over-HTTPS resolver. Please note that this policy will only set the default mode for each query. The mode may be overridden for special types of queries such as requests to resolve a DNS-over-HTTPS server hostname.
The "off" mode will disable DNS-over-HTTPS.
The "automatic" mode will send DNS-over-HTTPS queries first if a DNS-over-HTTPS server is available and may fallback to sending insecure queries on error.
The "secure" mode will only send DNS-over-HTTPS queries and will fail to resolve on error.
On Android Pie and above, if DNS-over-TLS is active, Google Chrome will not send insecure DNS requests.
If this policy is unset the browser may send DNS-over-HTTPS requests to a resolver associated with the user's configured system resolver.
The URI template of the desired DNS-over-HTTPS resolver. To specify multiple DNS-over-HTTPS resolvers, separate the corresponding URI templates with spaces.
If the DnsOverHttpsMode is set to "secure" then this policy must be set and not empty.
If the DnsOverHttpsMode is set to "automatic" and this policy is set then the URI templates specified will be used; if this policy is unset then hardcoded mappings will be used to attempt to upgrade the user's current DNS resolver to a DoH resolver operated by the same provider.
If the URI template contains a dns variable, requests to the resolver will use GET; otherwise requests will use POST.
Incorrectly formatted templates will be ignored.
Setting the policy to Enabled or leaving it unset shows the new download bubble UI in Google Chrome.
Setting the policy to Disabled means Google Chrome keeps showing the old download shelf UI.
Setting the policy sets up the directory Chrome uses for downloading files. It uses the provided directory, whether or not users specify one or turned on the flag to be prompted for download location every time.
This policy overrides the DefaultDownloadDirectory policy.
Leaving the policy unset means Chrome uses the default download directory, and users can change it.
Note: See a list of variables you can use ( https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables ).
This policy has no effect on Android apps. Android apps always use the default downloads directory and cannot access any files downloaded by Google Chrome OS into a non-default downloads directory.
Setting the policy means users can't bypass download security decisions.
There are many types of download warnings within Chrome, which roughly break down into these categories (learn more about Safe Browsing verdicts https://support.google.com/chrome/?p=ib_download_blocked):
* Malicious, as flagged by the Safe Browsing server * Uncommon or unwanted, as flagged by the Safe Browsing server * A dangerous file type (e.g. all SWF downloads and many EXE downloads)
Setting the policy blocks different subsets of these, depending on it's value:
0: No special restrictions. Default.
1: Blocks malicious files flagged by the Safe Browsing server AND Blocks all dangerous file types. Only recommended for OUs/browsers/users that have a high tolerance for False Positives.
2: Blocks malicious files flagged by the Safe Browsing server AND Blocks uncommon or unwanted files flagged by the Safe Browsing server AND Blocks all dangerous file types. Only recommended for OUs/browsers/users that have a high tolerance for False Positives.
3: Blocks all downloads. Not recommended, except for special use cases.
4: Blocks malicious files flagged by the Safe Browsing server, does not block dangerous file types. Recommended.
Note: These restrictions apply to downloads triggered from webpage content, as well as the Download link... menu option. They don't apply to the download of the currently displayed page or to saving as PDF from the printing options. Read more about Safe Browsing ( https://developers.google.com/safe-browsing ).
If you enable this setting, users will be allowed to use Smart Lock if the requirements for the feature are satisfied.
If you disable this setting, users will not be allowed to use Smart Lock.
If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.
If this setting is enabled, users will be able to launch the Eche application, for example by clicking on a Phone Hub notification.
If this setting is disabled, users will not be able to launch the Eche application.
If this policy is left not set, the default is allowed for both enterprise-managed users and non-managed users.
Setting the policy to True or leaving it unset lets users add, remove, or modify bookmarks.
Setting the policy to False means users can't add, remove, or modify bookmarks. They can still use existing bookmarks.
This policy enables Google Chrome OS to suggest emojis when users type text with their virtual or physical keyboards. If this policy is set to true, the feature will be enabled, and users will be able to change it. This policy is defaulted to false, no emoji will be suggested and users cannot override it.
Allows Google Chrome to load experimental policies.
WARNING: Experimental policies are unsupported and subject to change or be removed without notice in future version of the browser!
An experimental policy may not be finished or still have known or unknown defects. It may be changed or even removed without any notification. By enabling experimental policies, you could lose browser data or compromise your security or privacy.
If a policy is not in the list and it's not officially released, its value will be ignored on Beta and Stable channel.
If a policy is in the list and it's not officially released, its value will be applied.
This policy has no effect on already released policies.
Setting the policy to True means online OCSP/CRL checks are performed.
Setting the policy to False or leaving it unset means Google Chrome won't perform online revocation checks in Google Chrome 19 and later.
Note: OCSP/CRL checks provide no effective security benefit.
This policy controls if Sync Consent can be shown to the user during first sign-in. It should be set to false if Sync Consent is never needed for the user. If set to false, Sync Consent will not be displayed. If set to true or unset, Sync Consent can be displayed.
Setting the policy to True lets extensions installed by enterprise policy use the Enterprise Hardware Platform API.
Setting the policy to False or leaving it unset prevents extensions from using this API.
Note: This policy also applies to component extensions, such as the Hangout Services extension.
You can enable this policy to create a dictionary of file type extensions with a corresponding list of domains that will be exempted from file type extension-based download warnings. This lets enterprise administrators block file type extension-based download warnings for files that are associated with a listed domain. For example, if the "jnlp" extension is associated with "website1.com", users would not see a warning when downloading "jnlp" files from "website1.com", but see a download warning when downloading "jnlp" files from "website2.com".
Files with file type extensions specified for domains identified by this policy will still be subject to non-file type extension-based security warnings such as mixed-content download warnings and Safe Browsing warnings.
If you disable this policy or don't configure it, file types that trigger extension-based download warnings will show warnings to the user.
If you enable this policy:
* The URL pattern should be formatted according to https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * The file type extension entered must be in lower-cased ASCII. The leading separator should not be included when listing the file type extension, so list "jnlp" should be used instead of ".jnlp".
Example:
The following example value would prevent file type extension-based download warnings on swf, exe, and jnlp extensions for *.example.com domains. It will show the user a file type extension-based download warning on any other domain for exe and jnlp files, but not for swf files.
[ { "file_extension": "jnlp", "domains": ["example.com"] }, { "file_extension": "exe", "domains": ["example.com"] }, { "file_extension": "swf", "domains": ["*"] } ]
Note that while the preceding example shows the suppression of file type extension-based download warnings for "swf" files for all domains, applying suppression of such warnings for all domains for any dangerous file type extension is not recommended due to security concerns. It is shown in the example merely to demonstrate the ability to do so.
If this policy is enabled alongside DownloadRestrictions and DownloadRestrictions is set to block dangerous file types, download blocks determined by DownloadRestrictions take precedence. For example, if this policy is set to enable "exe" extension downloads from "website1.com", and DownloadRestrictions is set to block malicious downloads and dangerous file types, then "exe" extension downloads will still be blocked in all domains. If DownloadRestrictions is not set to block dangerous file types, then file types specified in this policy will be exempted from file-type extension-based download warnings in the specified domains. Read more about DownloadRestrictions (https://chromeenterprise.google/policies/?policy=DownloadRestrictions).
There is a list of restricted ports built into Google Chrome. Connections to these ports will fail. This setting permits bypassing that list. The value is a comma-separated list of zero or more ports that outgoing connections will be permitted on.
Ports are restricted to prevent Google Chrome being used as a vector to exploit various network vulnerabilities. Setting this policy may expose your network to attacks. This policy is intended as a temporary workaround for errors with code "ERR_UNSAFE_PORT" while migrating a service running on a blocked port to a standard port (ie. port 80 or 443).
Malicious websites can easily detect that this policy is set, and for what ports, and use that information to target attacks.
Each port here is labelled with a date that it can be unblocked until. After that date the port will be restricted regardless of this setting.
Leaving the value empty or unset means that all restricted ports will be blocked. If there is a mixture of valid and invalid values, the valid ones will be applied.
This policy overrides the "--explicitly-allowed-ports" command-line option.
Setting the policy to True sends reports of key, policy-triggered extension installation events to Google. Setting the policy to False means no events are captured. If the policy is unset, default value is set to True.
This policy controls whether or not the "Always open" checkbox is shown on external protocol launch confirmation prompts.
If this policy is set to True or not set, when an external protocol confirmation is shown, the user can select "Always allow" to skip all future confirmation prompts for the protocol on this site.
If this policy is set to False, the "Always allow" checkbox is not displayed and the user will be prompted each time an external protocol is invoked.
Setting the policy to True makes all types of external storage media (USB flash drives, external hard drives, SD and other memory cards, optical storage) unavailable in the file browser. Setting the policy to False or leaving it unset means users can use external storage on their device.
Note: The policy doesn't affect Google Drive and internal storage. Users can still access files saved in the Downloads folder.
Setting the policy to True prevents users from writing to external storage devices.
Unless external storage is blocked, if you set ExternalStorageReadOnly to False or leave it unset, users can create and modify files of physically writable, external storage devices. (You can block external storage by setting ExternalStorageDisable to True.)
Setting this policy will force Fast Pair to be enabled or disabled. Fast Pair is a new Bluetooth pairing flow that links paired peripherals with a GAIA account. This allows other ChromeOS (and Android) devices signed in with the same GAIA account to pair automatically. If unset, the default value is disabled for enterprise users and enabled for non managed accounts.
Controls the duration (in seconds) allowed for keepalive requests on browser shutdown.
When specified, browser shutdown can be blocked up to the specified seconds, to process keepalive (https://fetch.spec.whatwg.org/#request-keepalive-flag) requests.
The default value (0) means this feature is disabled.
Setting the policy to Enabled will launch browser windows from current user's last used device automatically upon login. Setting the policy to Disabled or leaving it unset will let full restore settings determine what to be launched upon login.
This policy is deprecated, consider using BrowserSignin instead.
If this policy is set to true, user has to sign in to Google Chrome with their profile before using the browser. And the default value of BrowserGuestModeEnabled will be set to false. Note that existing unsigned profiles will be locked and inaccessible after enabling this policy. For more information, see help center article.
If this policy is set to false or not configured, user can use the browser without sign in to Google Chrome.
If set to enabled this policy forces the profile to be switched to ephemeral mode. If this policy is specified as an OS policy (e.g. GPO on Windows) it will apply to every profile on the system; if the policy is set as a Cloud policy it will apply only to a profile signed in with a managed account.
In this mode the profile data is persisted on disk only for the length of the user session. Features like browser history, extensions and their data, web data like cookies and web databases are not preserved after the browser is closed. However this does not prevent the user from downloading any data to disk manually, save pages or print them.
If the user has enabled sync all this data is preserved in their sync profile just like with regular profiles. Incognito mode is also available if not explicitly disabled by policy.
If the policy is set to disabled or left not set signing in leads to regular profiles.
Setting the policy to Enabled means SafeSearch in Google Search is always active, and users can't change this setting.
Setting the policy to Disabled or leaving it unset means SafeSearch in Google Search is not enforced.
Force logout the user when their primary account's authentication token becomes invalid. This policy can protect the user from access to restricted content on Google web properties. If this policy is set to True, the user will be logged out as soon as their authentication token becomes invalid and attempts to restore this token fail. If this policy is set to False or unset, the user can continue working in an unauthenticated state.
This policy controls whether the User-Agent string major version should be frozen at 99.
The User-Agent request header lets websites identify the application, operating system, vendor, and/or version of the requesting user agent. Some websites make assumptions about how this header is formatted and may encounter issues with version strings that include three digits in the major position (e.g. 100.0.0.0).
Setting the policy to 'Default' or leaving it unset will default to browser settings for the User-Agent string major version. If set to 'ForceDisabled', the User-Agent string will not freeze the major version. If set to 'ForceEnabled', the User-Agent string will always report the major version as 99 and include the browser's major version in the minor position. For example, browser version 101.0.0.0 would send a User-Agent request header that reports version 99.101.0.0.
This policy is temporary and will be deprecated in the future. Note that if this policy and User-Agent Reduction are both enabled, the User-Agent version string will always be 99.0.0.0.
Setting the policy to True means Chrome maximizes the first window shown on first run.
Setting the policy to False or leaving it unset means that Chrome might maximize the first window, depending on the screen size.
This policy is deprecated, please use ForceGoogleSafeSearch and ForceYouTubeRestrict instead. This policy is ignored if either the ForceGoogleSafeSearch, the ForceYouTubeRestrict or the (deprecated) ForceYouTubeSafetyMode policies are set.
Forces queries in Google Web Search to be done with SafeSearch set to active and prevents users from changing this setting. This setting also forces Moderate Restricted Mode on YouTube.
If you enable this setting, SafeSearch in Google Search and Moderate Restricted Mode YouTube is always active.
If you disable this setting or do not set a value, SafeSearch in Google Search and Restricted Mode in YouTube is not enforced.
Setting the policy enforces a minimum Restricted mode on YouTube and prevents users from picking a less restricted mode. If you set it to:
* Strict, Strict Restricted mode on YouTube is always active.
* Moderate, the user may only pick Moderate Restricted mode and Strict Restricted mode on YouTube, but can't turn off Restricted mode.
* Off or if no value is set, Restricted mode on YouTube isn't enforced by Chrome. External policies such as YouTube policies might still enforce Restricted mode.
This policy has no effect on the Android YouTube app. If Safety Mode on YouTube should be enforced, installation of the Android YouTube app should be disallowed.
This policy is deprecated. Consider using ForceYouTubeRestrict, which overrides this policy and allows more fine-grained tuning.
Forces YouTube Moderate Restricted Mode and prevents users from changing this setting.
If this setting is enabled, Restricted Mode on YouTube is always enforced to be at least Moderate.
If this setting is disabled or no value is set, Restricted Mode on YouTube is not enforced by Google Chrome. External policies such as YouTube policies might still enforce Restricted Mode, though.
This policy has no effect on the Android YouTube app. If Safety Mode on YouTube should be enforced, installation of the Android YouTube app should be disallowed.
This policy allows admins to configure the order of the preferred languages in Google Chrome's settings.
The order of the list will appear in the same order under the "Order languages based on your preference" section in chrome://settings/languages. Users won't be able to remove or reorder languages set by the policy, but will be able to add languages underneath those set by the policy. Users will also have full control over the browser's UI language and translation/spell check settings, unless enforced by other policies.
Leaving the policy unset lets users manipulate the entire list of preferred languages.
Setting the policy to enable the full restore feature. If this policy is true, apps and app windows will be restored or not restored after a crash or reboot based on the restore app setting. If this policy is false, only browser windows are automatcially launched.
Specifies whether the fullscreen alert should be shown when the device returns from sleep or dark screen.
When the policy is unset or set to True, an alert will be shown to remind the users to exit fullscreen before entering password. When the policy is set to False, no alert would be shown.
Setting the policy to True or leaving it unset means that, with appropriate permissions, users, apps, and extensions can enter Fullscreen mode (in which only web content appears).
Setting the policy to False means users, apps, and extensions can't enter Fullscreen mode.
This policy has no effect on the Android apps. They will be able to enter fullscreen mode even if this policy is set to False.
While logging in through the lock screen, Google Chrome OS can authenticate against a server (online) or using a cached password (offline).
When this policy is set to -2, it will match the value of the login screen offline signin time limit which comes from GaiaOfflineSigninTimeLimitDays.
When the policy is unset, or set to a value of -1, it will not enforce online authentication on the lock screen and will allow the user to use offline authentication unless a different reason than this policy enforces an online authentication.
If the policy is set to a value of 0, online authentication will always be required.
When this policy is set to any other value, it specifies the number of days since the last online authentication after which the user must use online authentication again in the next login through the lock screen.
This policy affects users who authenticated using GAIA without SAML.
The policy value should be specified in days.
The getDisplayMediaSet API allows web applications to capture multiple surfaces at once. This policy unlocks the autoSelectAllScreens property for web applications at defined origins. If the autoSelectAllScreens property is defined in a getDisplayMediaSet request, all screen surfaces are automatically captured without requiring explicit user permission. If the policy is not set, autoSelectAllScreens is not available for any web application.
Setting the policy to enable the ghost window feature. If this policy is true, ARC ghost windows will be created before ARC boots after a crash or reboot based on the restore app setting. If this policy is false, there is no ghost window created before ARC boots. Arc apps are restored after ARC boots
This policy configures a single global per profile cache with HTTP server authentication credentials.
If this policy is unset or disabled, the browser will use the default behavior of cross-site auth, which as of version 80, will be to scope HTTP server authentication credentials by top-level site, so if two sites use resources from the same authenticating domain, credentials will need to be provided independently in the context of both sites. Cached proxy credentials will be reused across sites.
If the policy is enabled, HTTP auth credentials entered in the context of one site will automatically be used in the context of another.
Enabling this policy leaves sites open to some types of cross-site attacks, and allows users to be tracked across sites even without cookies by adding entries to the HTTP auth cache using credentials embedded in URLs.
This policy is intended to give enterprises depending on the legacy behavior a chance to update their login procedures, and will be removed in the future.
Setting the policy specifies a list of hostnames that bypass preloaded HSTS upgrades from http to https.
Only single-label hostnames are allowed in this policy, and this policy only applies to "static" HSTS-preloaded entries (for instance, "app", "new", "search", "play"). This policy does not prevent HSTS upgrades for servers that have "dynamically" requested HSTS upgrades using a Strict-Transport-Security response header.
Supplied hostnames must be canonicalized: Any IDNs must be converted to their A-label format, and all ASCII letters must be lowercase. This policy only applies to the specific single-label hostnames specified, not to subdomains of those names.
Setting the policy to Enabled or leaving it unset turns on hardware acceleration, if available.
Setting the policy to Disabled turns off hardware acceleration.
Setting this policy to Enabled or leaving the policy unset allows use of the headless mode. Setting this policy to Disabled denies use of the headless mode.
Hide the Chrome Web Store app and footer link from the New Tab Page and Google Chrome OS app launcher.
When this policy is set to true, the icons are hidden.
When this policy is set to false or is not configured, the icons are visible.
This policy controls the visibility of Journeys on the Chrome history page.
If the policy is set to Enabled, Journeys will be visible at chrome://history/journeys.
If the policy is set to Disabled, Journeys will not be visible at chrome://history/journeys.
If the policy is left unset, Journeys will be visible at chrome://history/journeys by default and users can change the visibility of Journeys.
Please note, if ComponentUpdatesEnabled policy is set to Disabled, but HistoryClustersVisible is set to Enabled or unset, Journeys will still be available at chrome://history/journeys, but may be absent from the omnibox, and less relevant to the user.
This policy controls whether users can enable HTTPS-Only Mode in Settings. HTTPS-Only Mode upgrades all navigations to HTTPS. If this setting is not set or set to allowed, users will be allowed to enable HTTPS-Only Mode. If this setting is set to disallowed, users will not be allowed to enable HTTPS-Only Mode. Force enabling HTTPS-Only Mode is not currently supported.
Setting the policy to Enabled imports autofill form data from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no autofill form data is imported on first run.
Users can trigger an import dialog and the autofill form data checkbox will be checked or unchecked to match this policy's value.
Setting the policy to Enabled imports bookmarks from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no bookmarks are imported on first run.
Users can trigger an import dialog and the bookmarks checkbox will be checked or unchecked to match this policy's value.
Setting the policy to Enabled imports browsing history from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no browsing history is imported on first run.
Users can trigger an import dialog and the browsing history checkbox will be checked or unchecked to match this policy's value.
Setting the policy to Enabled imports the homepage from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means the homepage isn't imported on first run.
Users can trigger an import dialog and the homepage checkbox will be checked or unchecked to match this policy's value.
Setting the policy to Enabled imports saved passwords from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no saved passwords are imported on first run.
Users can trigger an import dialog and the saved passwords checkbox will be checked or unchecked to match this policy's value.
Setting the policy to Enabled imports the default search engine from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means the default search engine isn't imported on first run.
Users can trigger an import dialog and the default search engine checkbox will be checked or unchecked to match this policy's value.
This policy is deprecated. Please, use IncognitoModeAvailability instead. Enables Incognito mode in Google Chrome.
If this setting is enabled or not configured, users can open web pages in incognito mode.
If this setting is disabled, users cannot open web pages in incognito mode.
If this policy is left not set, this will be enabled and the user will be able to use incognito mode.
Specifies whether the user may open pages in Incognito mode in Google Chrome.
If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode.
If 'Disabled' is selected, pages may not be opened in Incognito mode.
If 'Forced' is selected, pages may be opened ONLY in Incognito mode. Note that 'Forced' does not work for Android-on-Chrome
Note: On iOS, if the policy is changed during a session, it will only take effect on relaunch.
This policy controls the treatment for insecure forms (forms that submit over HTTP) embedded in secure (HTTPS) sites in the browser. If the policy is enabled or unset, a full page warning will be shown when an insecure form is submitted. Additionally, a warning bubble will be shown next to the form fields when they are focused, and autofill will be disabled for those forms. If the policy is disabled, warnings will not be shown for insecure forms, and autofill will work normally.
Controls whether websites are allowed to make requests to more-private network endpoints in an insecure manner.
When this policy is set to true, all Private Network Access checks are disabled for all origins. This may allow attackers to perform CSRF attacks on private network servers.
When this policy is either not set or set to false, the default behavior for requests to more-private network endpoints will depend on the user's personal configuration for the BlockInsecurePrivateNetworkRequests, PrivateNetworkAccessSendPreflights, and PrivateNetworkAccessRespectPreflightResults feature flags, which may be set by field trials or on the command line.
This policy relates to the Private Network Access specification. See https://wicg.github.io/private-network-access/ for more details.
A network endpoint is more private than another if: 1) Its IP address is localhost and the other is not. 2) Its IP address is private and the other is public. In the future, depending on spec evolution, this policy might apply to all cross-origin requests directed at private IPs or localhost.
When this policy is set to true, websites are allowed to make requests to any network endpoint, subject to other cross-origin checks.
List of URL patterns. Requests initiated from websites served by matching origins are not subject to Private Network Access checks.
If unset, this policy behaves as if set to the empty list.
For origins not covered by the patterns specified here, the global default value will be used either from the InsecurePrivateNetworkRequestsAllowed policy, if it is set, or the user's personal configuration otherwise.
For detailed information on valid URL patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
The insights extension reports user internet download and upload speed, user idle time, and application insights.
If the policy is set to enabled, the insights extension will be installed and report metrics.
If the policy is not set or set to disabled, then the insights extension will not be installed and will not report metrics.
This policy has no effect on the reporting done by Android.
If this setting is enabled, users will be allowed to use Instant Tethering, which allows their Google phone to share its mobile data with their device.
If this setting is disabled, users will not be allowed to use Instant Tethering.
If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.
When enabled the IntensiveWakeUpThrottling feature causes Javascript timers in background tabs to be aggressively throttled and coalesced, running no more than once per minute after a page has been backgrounded for 5 minutes or more.
This is a web standards compliant feature, but it may break functionality on some websites by causing certain actions to be delayed by up to a minute. However, it results in significant CPU and battery savings when enabled. See https://bit.ly/30b1XR4 for more details.
If this policy is set to enabled then the feature will be force enabled, and users will not be able to override this.
If this policy is set to disabled then the feature will be force disabled, and users will not be able to override this.
If this policy is left unset then the feature will be controlled by its own internal logic, which can be manually configured by users.
Note that the policy is applied per renderer process, with the most recent value of the policy setting in force when a renderer process starts. A full restart is required to ensure that all loaded tabs receive a consistent policy setting. It is harmless for processes to be running with different values of this policy.
This policy configures behavior for intranet redirection via DNS interception checks. The checks attempt to discover whether the browser is behind a proxy that redirects unknown host names.
If this policy is not set, the browser will use the default behavior of DNS interception checks and intranet redirect suggestions. In M88, they are enabled by default but will be disabled by default in the future release.
DNSInterceptionChecksEnabled is a related policy that may also disable DNS interception checks; this policy is a more flexible version which may separately control intranet redirection infobars and may be expanded in the future. If either DNSInterceptionChecksEnabled or this policy requests to disable interception checks, the checks will be disabled.
Setting the policy means each of the named origins in a comma-separated list runs in a dedicated process. Each named origin's process will only be allowed to contain documents from that origin and its subdomains. For example, specifying https://a1.example.com/ allows https://a2.a1.example.com/ in the same process, but not https://example.com or https://b.example.com.
Since Google Chrome 77, you can also specify a range of origins to isolate using a wildcard. For example, specifying https://[*.]corp.example.com will give every origin underneath https://corp.example.com its own dedicated process, including https://corp.example.com itself, https://a1.corp.example.com, and https://a2.a1.corp.example.com.
Note that all sites (i.e., scheme plus eTLD+1, such as https://example.com) are already isolated by default on Desktop platforms, as noted in the SitePerProcess policy. This IsolateOrigins policy is useful to isolate specific origins at a finer granularity (e.g., https://a.example.com).
Also note that origins isolated by this policy will be unable to script other origins in the same site, which is otherwise possible if two same-site documents modify their document.domain values to match. Administrators should confirm this uncommon behavior is not used on an origin before isolating it.
Setting the policy to off or leaving it unset lets users change this setting.
Note: For Android, use the IsolateOriginsAndroid policy instead.
Setting the policy means each of the named origins in a comma-separated list runs in a dedicated process on Android. Each named origin's process will only be allowed to contain documents from that origin and its subdomains. For example, specifying https://a1.example.com/ allows https://a2.a1.example.com/ in the same process, but not https://example.com or https://b.example.com. Note that Android isolates certain sensitive sites by default starting in Google Chrome version 77, and this policy extends that mode to isolate specific additional origins.
Since Google Chrome 77, you can also specify a range of origins to isolate using a wildcard. For example, specifying https://[*.]corp.example.com will give every origin underneath https://corp.example.com its own dedicated process, including https://corp.example.com itself, https://a1.corp.example.com, and https://a2.a1.corp.example.com.
Note that origins isolated by this policy will be unable to script other origins in the same site, which is otherwise possible if two same-site documents modify their document.domain values to match. Administrators should confirm this uncommon behavior is not used on an origin before isolating it.
Setting the policy to Disabled turns off any form of site isolation, including isolation of sensitive sites and field trials of IsolateOriginsAndroid, SitePerProcessAndroid, and other site isolation modes. Users can still turn on IsolateOrigins manually, through the command line flag.
Leaving the policy unset lets users change this setting.
Note: Isolating too many sites on Android may cause performance problems, especially on low-memory devices. This policy applies only to Chrome on Android running on devices with strictly more than 1 GB of RAM. To apply the policy on non-Android platforms, use IsolateOrigins.
This policy is deprecated, please use DefaultJavaScriptSetting instead.
Can be used to disabled JavaScript in Google Chrome.
If this setting is disabled, web pages cannot use JavaScript and the user cannot change that setting.
If this setting is enabled or not set, web pages can use JavaScript but the user can change that setting.
Configure a list of URLs that are allowed to stay in full screen mode without showing a notification when the device returns from the lock screen.
Normally, full screen mode is turned off when returning from the lock screen in order to reduce the risk of phishing attacks. This policy allows to specify URLs that will be considered trusted sources which are permitted to continue full screen mode on unlock. It is set by specifying a list of URL patterns formatted according to this format ( https://www.chromium.org/administrators/url-blocklist-filter-format ). E.g., it is possible to always keep full screen mode on unlock and disable the notifications altogether by specifying the wildcard character * matching all URLs.
Setting this policy to an empty list or leaving it unset means no URLs are allowed to continue full screen mode without a notification.
Setting the policy grants access to corporate keys to extensions or Android applications. Keys are designated for corporate usage only if they're generated using the chrome.enterprise.platformKeys API on a managed account. Users can't grant or withdraw access to corporate keys to or from extensions or Android applications.
By default, an extension or an Android applications can't use a key designated for corporate usage, which is equivalent to setting allowCorporateKeyUsage to False for it. Only if allowCorporateKeyUsage is set to True for an extension or an Android application can it use any platform key marked for corporate usage to sign arbitrary data. Only grant this permission if the extension or the Android application is trusted to secure access to the key against attackers.
Corporate keys can be used by Android applications that are installed and listed in this policy.
This setting provides several availability options for the Lacros browser.
If the policy is set to user_choice, the user can enable Lacros and make it primary.
If the policy is set to lacros_disallowed, the user cannot use Lacros.
If the policy is set to side_by_side, Lacros is enabled but is not the primary browser.
If the policy is set to lacros_primary, Lacros is enabled and is the primary browser.
If the policy is unset, the default is lacros_disallowed for enterprise-managed users and user_choice for non-managed users.
In the future it will be possible to make Lacros the only available browser in Google Chrome OS with lacros_only value.
This setting allows users to create and use secondary profiles, and use guest mode in the Lacros browser.
Similar to both BrowserAddPersonEnabled and BrowserGuestModeEnabled, if this policy is set to false or unset, the user cannot create or use secondary profiles, and use guest mode. Previously created secondary profiles, if any, will be unavailable.
If this policy is set to true, the user can create and use secondary profiles, and use guest mode.
Note: If this policy is set to true but BrowserAddPersonEnabled is set to false, the user cannot create secondary profiles. The same for BrowserGuestModeEnabled and guest mode.
Leaving the policy unset or setting it to Enabled allows users to search with their cameras using Google Lens. Setting the policy to Disabled means users can't see the Google Lens button in the search box when Google Lens camera assisted search is supported.
Leaving the policy unset or setting it to Enabled allows users to view and use the Google Lens region search menu item in the context menu. Setting the policy to Disabled means users will not see the Google Lens region search menu item in the context menu when Google Lens region search is supported.
Setting the policy to Enabled or leaving it unset displays media controls on the lock screen if users lock the device when media is playing.
Setting the policy to Disabled turns media controls on the lock screen off.
When enabled, this feature shows a button on the login and lock screen that allows the password to be displayed. It is represented as an eye icon on the password textfield. The button is absent when the feature is disabled.
This policy prevents the display of lookalike URL warnings on the sites listed. These warnings are typically shown on sites that Google Chrome believes might be trying to spoof another site the user is familiar with.
If the policy is enabled and set to one or more domains, no lookalike warnings pages will be shown when the user visits pages on that domain.
If the policy is not set, or set to an empty list, warnings may appear on any site the user visits.
A hostname can be allowed with a complete host match, or any domain match. For example, a URL like "https://foo.example.com/bar" may have warnings suppressed if this list includes either "foo.example.com" or "example.com".
If this policy is set to 'primary_account', after a signin into an a managed account subjected to this policy, the user be asked to create a new profile for the account. If this policy is set to 'primary_account_keep_existing_data', after a signin into an a managed account subjected to this policy, the user be asked to create a new profile for the account with an option to keep any existing browsing data. This option is supported on Chrome 102 and higher version.
If this policy is set to 'primary_account_strict', after a signin into an a managed account subjected to this policy, the user be asked to create a new profile for the account. This profile will not allow any secondary accounts. If this policy is set to 'primary_account_strict_keep_existing_data' after a signin into an a managed account subjected to this policy, the user be asked to create a new profile for the account with an option to keep any existing browsing data. This profile will not allow any secondary accounts. This option is supported on Chrome 102 and higher version.
If this policy is set to 'none' or not set, managed accounts have no restrictions. This may result in a managed account being a secondary account, which disables its ability to receive policies set on the account by the admin.
If this policy is set at the device level, all accounts in the browser are subjected to the policy. If this policy is set at an account level, only that account is affected in the browser.
Setting the policy sets up a list of bookmarks where each one is a dictionary with the keys "name" and "url". These keys hold the bookmark's name and target. Admins can set up a subfolder by defining a bookmark without a "url" key, but with an additional "children" key. This key also has a list of bookmarks, some of which can also be folders. Chrome amends incomplete URLs as if they were submitted through the address bar. For example, "google.com" becomes "https://google.com/".
Users can't change the folders the bookmarks are placed in (though they can hide it from the bookmark bar). The default folder name for managed bookmarks is "Managed bookmarks" but it can be changed by adding a new sub-dictionary to the policy with a single key named "toplevel_name" with the desired folder name as its value. Managed bookmarks are not synced to the user account and extensions can't modify them.
Setting the policy defines the return value of Managed Configuration API for given origin.
Managed configuration API is a key-value configuration that can be accessed via navigator.managed.getManagedConfiguration() javascript call. This API is only available to origins which correspond to force-installed web applications via WebAppInstallForceList.
Controls the privacy warning of the managed-guest session on Google Chrome OS.
If this policy is set to False, the privacy warnings on the login screen and the auto-launch notification inside the managed-guest session will get deactivated.
This policy should not be used for devices used by the general public.
If the policy is set to True or not set, the privacy warning notification in the auto-launched managed-guest session will be pinned until the user dismisses it.
Setting the policy specifies the maximal number of simultaneous connections to the proxy server. Some proxy servers can't handle a high number of concurrent connections per client, which is solved by setting this policy to a lower value. The value should be lower than 100 and higher than 6. Some web apps are known to consume many connections with hanging GETs, so setting a value below 32 may lead to browser networking hangs if there are too many web apps with hanging connections open. Lower below the default at your own risk.
Leaving the policy unset means a default of 32 is used.
Setting the policy specifies the maximum delay in milliseconds between receiving a policy invalidation and fetching the new policy from the device management service. Valid values range from 1,000 (1 second) to 300,000 (5 minutes). Values outside this range will be clamped to the respective boundary.
Leaving the policy unset means Google Chrome uses the default value of 10 seconds.
By default the browser will show media recommendations that are personalized to the user. Setting this policy to Disabled will result in these recommendations being hidden from the user. Setting this policy to Enabled or leaving it unset will result in the media recommendations being shown to the user.
Unless EnableMediaRouter is set to Disabled, setting MediaRouterCastAllowAllIPs to Enabled connects Google Cast to Cast devices on all IP addresses, not just RFC1918/RFC4193 private addresses.
Setting the policy to Disabled connects Google Cast to Cast devices only on RFC1918/RFC4193.
Leaving the policy unset connects Google Cast to Cast devices only on RFC1918/RFC4193, unless the CastAllowAllIPs feature is turned on.
When this policy is enabled, anonymous reporting of usage and crash-related data about Chrome to Google is enabled by default. Users will still be able to change this setting in the Chrome settings.
When this policy is disabled, anonymous reporting is disabled and no usage or crash data is sent to Google. Users won't be able to change this setting.
When this policy isn't set, users can choose the anonymous reporting behavior at installation or first run, and can later change the setting in the Chrome settings.
This policy is available only on Windows instances that are joined to a Microsoft® Active Directory® domain or Windows 10 Pro or Enterprise instances that are enrolled for device management, and macOS instances that are managed via MDM or joined to a domain via MCX.
(For Google Chrome OS, see DeviceMetricsReportingEnabled.)
This policy controls the visibility of cards on the New Tab Page. Cards surface entry points to launch common user journeys based on the user's browsing behavior.
If the policy is set to Enabled, the New Tab Page will show cards if content is available.
If the policy is set to Disabled, the New Tab Page won't show cards.
If the policy is not set, the user can control the card visibility. The default is visible.
Setting the policy to True or leaving it unset displays autogenerated content suggestions on the New Tab page, based on the user's browsing history, interests, or location.
Setting the policy to False prevents autogenerated content suggestions from appearing on the New Tab page.
If the policy is set to false, the New Tab page won't allow users to customize the background. Any existing custom background will be permanently removed even if the policy is set to true later.
If the policy is set to true or unset, users can customize the background on the New Tab page.
This policy controls the visibility of the middle slot announcement on the New Tab Page.
If the policy is set to Enabled, the New Tab Page will show the middle slot announcement if it is available.
If the policy is set to Disabled, the New Tab Page will not show the middle slot announcement even if it is available.
If this setting is enabled, users will be allowed to opt in to Nearby Share, which allows them to send and receive files from people closeby.
If this setting is disabled, users will not be allowed to opt in to Nearby Share.
If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.
This policy controls network prediction in Google Chrome. It controls DNS prefetching, TCP, and SSL preconnection and prerendering of webpages.
If you set the policy, users can't change it. Leaving it unset turns on network prediction, but the user can change it.
This policy controls whether or not the network service process runs sandboxed. If this policy is enabled, the network service process will run sandboxed. If this policy is disabled, the network service process will run unsandboxed. This leaves users open to additional security risks related to running the network service unsandboxed. If this policy is not set, the default configuration for the network sandbox will be used. This may vary depending on Google Chrome release, currently running field trials, and platform. This policy is intended to give enterprises flexibility to disable the network sandbox if they use third party software that interferes with the network service sandbox.
Setting the policy specifies the apps that users can turn on as a note-taking app on the Google Chrome OS lock screen.
If the preferred app is on the lock screen, a UI element for launching the preferred note-taking app appears on the screen. When launched, the app can create a window on top of the lock screen and create notes in this context. The app can import created notes to the primary user session, when the session is unlocked. Only Google Chrome note-taking apps are supported on the lock screen.
Setting the policy means users can turn on an app on the lock screen if the app's extension ID is in the policy list value. So, setting it to an empty list will turn off note-taking on the lock screen. The policy with an app ID doesn't necessarily mean that users can turn the app on as a note-taking app on the lock screen. For example, on Google Chrome 61, the set of available apps is also restricted by the platform.
Leaving the policy unset amounts to no restrictions on the set of apps users can enable on the lock screen imposed by the policy.
Setting the policy allows pushing network configuration per-user for each Google Chrome device. The network configuration is a JSON-formatted string, as defined by the Open Network Configuration format.
Android apps can use the network configurations and CA certificates set via this policy, but do not have access to some configuration options.
Setting the policy to Enabled or leaving it unset will enable the fetching of page load metadata and machine learning models that enhance the browsing experience. Setting the policy to Disabled may cause some features to not work appropriately.
This policy allows origin-keyed agent clustering by default.
The Origin-Agent-Cluster: HTTP header controls whether a document is isolated in an origin-keyed agent cluster, or in a site-keyed agent cluster. This has security implications since an origin-keyed agent cluster allows isolating documents by origin. The developer-visible consequence of this is that the document.domain accessor can no longer be set.
The default behaviour - when no Origin-Agent-Cluster: header has been set - changes in M106 from site-keyed to origin-keyed. If this policy is enabled or not set, the browser will follow this new default from that version on. If this policy is disabled this change is reversed and documents without Origin-Agent-Cluster: headers will be assigned to site-keyed agent clusters. As a consequence, the document.domain accessor remains settable by default. This matches the legacy behaviour.
See https://developer.chrome.com/blog/immutable-document-domain/ for additional details.
Setting the policy specifies a list of origins (URLs) or hostname patterns (such as *.example.com) for which security restrictions on insecure origins won't apply. Organizations can specify origins for legacy applications that can't deploy TLS or set up a staging server for internal web development, so developers can test out features requiring secure contexts without having to deploy TLS on the staging server. This policy also prevents the origin from being labeled "Not Secure" in the address bar.
Setting a list of URLs in this policy amounts to setting the command-line flag --unsafely-treat-insecure-origin-as-secure to a comma-separated list of the same URLs. The policy overrides the command-line flag and UnsafelyTreatInsecureOriginAsSecure, if present.
For more information on secure contexts, see Secure Contexts ( https://www.w3.org/TR/secure-contexts ).
Allows you to set whether websites are allowed to check if the user has payment methods saved.
If this policy is set to disabled, websites that use PaymentRequest.canMakePayment or PaymentRequest.hasEnrolledInstrument API will be informed that no payment methods are available.
If the setting is enabled or not set then websites are allowed to check if the user has payment methods saved.
Controls if the PDF viewer in Google Chrome can annotate PDFs.
When this policy is not set, or is set to true, then the PDF viewer will be able to annotate PDFs.
When this policy is set to false, then the PDF viewer will not be able to annotate PDFs.
If this setting is enabled, users will be allowed to opt in to Phone Hub, which allows them to interact with their phone on a ChromeOS device.
If this setting is disabled, users will not be allowed to opt in to Phone Hub.
If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.
If this setting is enabled, users who have already opted in to Phone Hub, will be able to send/receive their phone's notifications on ChromeOS.
If this setting is disabled, users will not be allowed to use this feature. If the PhoneHubAllowed policy is disabled, users also will not be allowed to use this feature.
If this policy is left not set, the default is allowed for both enterprise-managed users and non-managed users.
If this setting is enabled, users who have already opted in to Phone Hub, will be able to continue tasks such as viewing their phone's webpages on ChromeOS.
If this setting is disabled, users will not be allowed to use this feature. If the PhoneHubAllowed policy is disabled, users also will not be allowed to use this feature.
If this policy is left not set, the default is allowed for both enterprise-managed users and non-managed users.
Setting the policy fixes which application identifiers Google Chrome OS shows as pinned apps in the launcher bar, and users can't change them.
Specify Chrome apps by their ID, such as pjkljhegncpnkpknbcohdijeoejaedia; Android apps by their package name, such as com.google.android.gm; and web apps by the URL used in WebAppInstallForceList, such as https://google.com/maps.
Leaving it unset lets users change the list of pinned apps in the launcher.
This policy can also be used to pin Android apps.
Setting the policy to Enabled means policies coming from an atomic group that don't share the source with the highest priority from that group get ignored.
Setting the policy to Disabled means no policy is ignored because of its source. Policies are ignored only if there's a conflict, and the policy doesn't have the highest priority.
If this policy is set from a cloud source, it can't target a specific user.
Setting the policy allows merging of selected policies when they come from different sources, with the same scopes and level. This merging is in the first level keys of the dictionary from each source. The key coming from the highest priority source takes precedence.
Use the wildcard character '*' to allow merging of all supported dictionary policies.
If a policy is in the list and there's conflict between sources with:
* The same scopes and level: The values merge into a new policy dictionary.
* Different scopes or level: The policy with the highest priority applies.
If a policy isn't in the list and there's conflict between sources, scopes, or level, the policy with the highest priority applies.
Setting the policy allows merging of selected policies when they come from different sources, with the same scopes and level.
Use the wildcard character '*' to allow merging of all list policies.
If a policy is in the list and there's conflict between sources with:
* The same scopes and level: The values merge into a new policy list.
* Different scopes or level: The policy with the highest priority applies.
If a policy isn't in the list and there's conflict between sources, scopes, or level, the policy with the highest priority applies.
Setting the policy specifies the period in milliseconds at which the device management service is queried for user policy information. Valid values range from 1,800,000 (30 minutes) to 86,400,000 (1 day). Values outside this range will be clamped to the respective boundary.
Leaving the policy unset uses the default value of 3 hours.
Note: Policy notifications force a refresh when the policy changes, making frequent refreshes unnecessary. So, if the platform supports these notifications, the refresh delay is 24 hours (ignoring defaults and the value of this policy).
Switch the primary mouse button to the right button.
If this policy is set to enabled, the right button of the mouse will always be the primary key.
If this policy is set to disabled, the left button of the mouse will always be the primary key.
If you set this policy, users cannot change or override it.
If this policy is left unset, the left button of the mouse will be the primary key initially, but can be switched by the user anytime.
Specifies whether the profile picker is enabled, disabled or forced at the browser startup.
By default the profile picker is not shown if the browser starts in guest or incognito mode, a profile directory and/or urls are specified by command line, an app is explicitly requested to open, the browser was launched by a native notification, there is only one profile available or the policy ForceBrowserSignin is set to true.
If 'Enabled' (0) is selected or the policy is left unset, the profile picker will be shown at startup by default, but users will be able to enable/disable it.
If 'Disabled' (1) is selected, the profile picker will never be shown, and users will not be able to change the setting.
If 'Forced' (2) is selected, the profile picker cannot be suppressed by the user. The profile picker will be shown even if there is only one profile available.
Setting the policy to True or leaving it unset lets Google Chrome show users product information as full-tab content.
Setting the policy to False prevents Google Chrome from showing product information as full-tab content.
Setting the policy controls the presentation of the welcome pages that help users sign in to Google Chrome, set Google Chrome as users' default browser, or otherwise inform them of product features.
Setting the policy to Enabled means users are asked where to save each file before downloading. Setting the policy to Disabled has downloads start immediately, and users aren't asked where to save the file.
Leaving the policy unset lets users change this setting.
Setting the policy configures the proxy settings for Chrome and ARC-apps, which ignore all proxy-related options specified from the command line.
Leaving the policy unset lets users choose their proxy settings.
Setting the ProxySettings policy accepts the following fields: * ProxyMode, which lets you specify the proxy server Chrome uses and prevents users from changing proxy settings * ProxyPacUrl, a URL to a proxy .pac file * ProxyPacMandatory, which prevents the network stack from falling back to direct connections with invalid or unavailable PAC script * ProxyServer, a URL of the proxy server * ProxyBypassList, a list of hosts for which the proxy will be bypassed
The ProxyServerMode field is deprecated in favor of the ProxyMode field.
For ProxyMode, if you choose the value: * direct, a proxy is never used and all other fields are ignored. * system, the systems's proxy is used and all other fields are ignored. * auto_detect, all other fields are ignored. * fixed_servers, the ProxyServer and ProxyBypassList fields are used. * pac_script, the ProxyPacUrl, ProxyPacMandatory and ProxyBypassList fields are used.
Note: For more detailed examples, visit The Chromium Projects ( https://www.chromium.org/developers/design-documents/network-settings#TOC-Command-line-options-for-proxy-sett ).
Only a subset of proxy configuration options are made available to Android apps. Android apps may voluntarily choose to use the proxy. You cannot force them to use a proxy.
Setting the policy to Enabled or leaving it unset allows the use of QUIC protocol in Google Chrome.
Setting the policy to Disabled disallows the use of QUIC protocol.
Allows you to set the time period, in milliseconds, between the first notification that a Google Chrome OS device must be restarted to apply a pending update and the end of the time period specified by the RelaunchNotificationPeriod policy.
If not set, the default period of 259200000 milliseconds (three days) is used for Google Chrome OS devices.
Notify users that Google Chrome must be relaunched or Google Chrome OS must be restarted to apply a pending update.
This policy setting enables notifications to inform the user that a browser relaunch or device restart is recommended or required. If not set, Google Chrome indicates to the user that a relaunch is needed via subtle changes to its menu, while Google Chrome OS indicates such via a notification in the system tray. If set to 'Recommended', a recurring warning will be shown to the user that a relaunch is recommended. The user can dismiss this warning to defer the relaunch. If set to 'Required', a recurring warning will be shown to the user indicating that a browser relaunch will be forced once the notification period passes. The default period is seven days for Google Chrome and four days for Google Chrome OS, and may be configured via the RelaunchNotificationPeriod policy setting.
The user's session is restored following the relaunch/restart.
Allows you to set the time period, in milliseconds, over which users are notified that Google Chrome must be relaunched or that a Google Chrome OS device must be restarted to apply a pending update.
Over this time period, the user will be repeatedly informed of the need for an update. For Google Chrome OS devices, a restart notification appears in the system tray according to the RelaunchHeadsUpPeriod policy. For Google Chrome browsers, the app menu changes to indicate that a relaunch is needed once one third of the notification period passes. This notification changes color once two thirds of the notification period passes, and again once the full notification period has passed. The additional notifications enabled by the RelaunchNotification policy follow this same schedule.
If not set, the default period of 604800000 milliseconds (one week) is used.
Specify a target time window for the end of the relaunch notification period.
Users are notified of the need for a browser relaunch or device restart based on the RelaunchNotification and RelaunchNotificationPeriod policy settings. Browsers and devices are forcibly restarted at the end of the notification period when the RelaunchNotification policy is set to 'Required'. This RelaunchWindow policy can be used to defer the end of the notification period so that it falls within a specific time window.
If this policy is not set, the default target time window for Google Chrome OS is between 2 AM and 4 AM. The default target time window for Google Chrome is the whole day (i.e., the end of the notification period is never deferred).
Note: Though the policy can accept multiple items in entries, all but the first item are ignored. Warning: Setting this policy may delay application of software updates.
Controls whether users may use remote debugging.
If this policy is set to Enabled or not set, users may use remote debugging by specifying --remote-debugging-port and --remote-debugging-pipe command line switches.
If this policy is set to Disabled, users are not allowed to use remote debugging.
Setting the policy to Enabled or leaving it unset turns Renderer Code Integrity on.
Setting the policy to Disabled has a detrimental effect on Google Chrome's security and stability as unknown and potentially hostile code can load inside Google Chrome's renderer processes. Only turn off the policy if there are compatibility issues with third-party software that must run inside Google Chrome's renderer processes.
Note: Read more about Process mitigation policies ( https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md#Process-mitigation-policies ).
If Linux app support is on, setting the policy to Enabled sends information about Linux apps usage back to the server.
Setting the policy to Disabled or leaving it unset means no usage information is reported.
Setting the policy to True means Google Chrome always performs revocation checking for successfully validated server certificates signed by locally installed CA certificates. If Google Chrome can't get revocation status information, Google Chrome treats these certificates as revoked (hard-fail).
Setting the policy to False or leaving it unset means Google Chrome uses existing online revocation-checking settings.
Contains a list of patterns which are used to control the visibility of accounts in Google Chrome.
Each Google account on the device will be compared to patterns stored in this policy to determine the account visibility in Google Chrome. The account will be visible if its name matches any pattern on the list. Otherwise, the account will be hidden.
Use the wildcard character '*' to match zero or more arbitrary characters. The escape character is '\', so to match actual '*' or '\' characters, put a '\' in front of them.
If this policy is not set, all Google accounts on the device will be visible in Google Chrome.
Contains a regular expression which is used to determine which Google accounts can be set as browser primary accounts in Google Chrome (i.e. the account that is chosen during the Sync opt-in flow).
An appropriate error is displayed if a user tries to set a browser primary account with a username that does not match this pattern.
If this policy is left not set or blank, then the user can set any Google account as a browser primary account in Google Chrome.
The policy only applies to managed guest sessions. Setting the policy specifies a list of extension IDs that are exempt from the restricted managed guest session clean-up procedure (see DeviceRestrictedManagedGuestSessionEnabled). Leaving the policy unset means no extensions are exempt from the reset procedure.
Configures the directory that Google Chrome will use for storing the roaming copy of the profiles.
If you set this policy, Google Chrome will use the provided directory to store the roaming copy of the profiles if the RoamingProfileSupportEnabled policy has been enabled. If the RoamingProfileSupportEnabled policy is disabled or left unset the value stored in this policy is not used.
See https://www.chromium.org/administrators/policy-list-3/user-data-directory-variables for a list of variables that can be used.
On non-Windows platforms, this policy must be set for roaming profiles to work.
On Windows, if this policy is left unset, the default roaming profile path will be used.
If you enable this setting, the settings stored in Google Chrome profiles like bookmarks, autofill data, passwords, etc. will also be written to a file stored in the Roaming user profile folder or a location specified by the Administrator through the RoamingProfileLocation policy. Enabling this policy disables cloud sync.
If this policy is disabled or left not set only the regular local profiles will be used.
Setting the policy to Enabled or leaving it unset lets users click through warning pages Google Chrome shows when users navigate to sites that have SSL errors.
Setting the policy to Disabled prevent users from clicking through any warning pages.
If SSLErrorOverrideAllowed is Disabled, setting the policy lets you set a list of origin patterns that specify the sites where a user can click through warning pages Google Chrome shows when users navigate to sites that have SSL errors. Users will not be able to click through SSL warning pages on origins that are not on this list.
If SSLErrorOverrideAllowed is Enabled or unset, this policy does nothing.
Leaving the policy unset means SSLErrorOverrideAllowed applies for all sites.
For detailed information on valid input patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns. * is not an accepted value for this policy. This policy only matches based on origin, so any path in the URL pattern is ignored.
Setting the policy to a valid value means Google Chrome won't use SSL/TLS versions less than the specified version. Unrecognized values are ignored.
If this policy is not set, then Google Chrome will show an error for TLS 1.0 and TLS 1.1, but the user will be able to bypass it.
If this policy is set to "tls1.2", the user will not be able to bypass this error.
Support for setting this policy to "tls1" or "tls1.1" was removed in version 91. Suppressing the TLS 1.0/1.1 warning is no longer supported.
Setting the policy to Enabled or leaving it unset means downloaded files are sent to be analyzed by Safe Browsing, even when it's from a trusted source.
Setting the policy to Disabled means downloaded files won't be sent to be analyzed by Safe Browsing when it's from a trusted source.
These restrictions apply to downloads triggered from webpage content, as well as the Download link menu option. These restrictions don't apply to the save or download of the currently displayed page or to saving as PDF from the printing options.
On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
Setting the policy controls the SafeSites URL filter, which uses the Google Safe Search API to classify URLs as pornographic or not.
When this policy is set to:
* Do not filter sites for adult content, or not set, sites aren't filtered
* Filter top level sites for adult content, pornographic sites are filtered
While logging in through the lock screen, Google Chrome OS can authenticate against a server (online) or using a cached password (offline).
When this policy is set to -2, it will match the value of the login screen offline signin time limit which comes from SAMLOfflineSigninTimeLimit.
When the policy is unset or set to a value of -1, it will not enforce online authentication on the lock screen and will allow the user to use offline authentication unless a different reason than this policy enforces an online authentication.
If the policy is set to a value of 0, online authentication will always be required.
When this policy is set to any other value, it specifies the number of days since the last online authentication after which the user must use online authentication again in the next login through the lock screen.
This policy affects users who authenticated using SAML.
The policy value should be specified in days.
Chrome will block navigations toward external protocols inside sandboxed iframe. See https://chromestatus.com/features/5680742077038592.
When True, this lets Chrome blocks those navigations.
When False, this prevents Chrome from blocking those navigations.
This defaults to True: security feature enabled.
This can be used by administrators who need more time to update their internal website affected by this new restriction. This Enterprise policy is temporary; it's intended to be removed after Google Chrome version 117.
Setting the policy to Enabled means browsing history is not saved, tab syncing is off and users can't change this setting.
Setting the policy to Disabled or leaving it unset saves browsing history.
Setting the policy instructs Google Chrome OS to use the task scheduler configuration identified by the specified name. This policy can be set to Conservative or Performance, which tune the task scheduler for stability or maximum performance, respectively.
If unset, users make their own choice.
This feature allows for hyperlinks and address bar URL navigations to target specific text within a web page, which will be scrolled to once the loading of the web page is complete.
If you enable or don't configure this policy, web page scrolling to specific text fragments via URL will be enabled.
If you disable this policy, web page scrolling to specific text fragments via URL will be disabled.
Setting the policy to True turns on search suggestions in Google Chrome's address bar. Setting the policy to False turns off these search suggestions.
Suggestions based on bookmarks or history are unaffected by the policy.
If you set the policy, users can't change it. If not set, search suggestions are on at first, but users can turn them off any time.
This setting allows users to switch between Google Accounts within the content area of their browser window and in Android applications, after they sign into their Google Chrome OS device.
If this policy is set to false, signing in to a different Google Account from a non-Incognito browser content area and Android applications will not be allowed.
If this policy is unset or set to true, the default behavior will be used: signing in to a different Google Account from the browser content area and Android applications will be allowed, except for child accounts where it will be blocked for non-Incognito content area.
In case signing in to a different account shouldn't be allowed via the Incognito mode, consider blocking that mode using the IncognitoModeAvailability policy.
Note that users will be able to access Google services in an unauthenticated state by blocking their cookies.
Setting the policy specifies URLs and domains for which no prompt appears when attestation certificates from Security Keys are requested. A signal is also sent to the Security Key indicating that individual attestation may be used. Without this, when sites request attestation of Security Keys, users are prompted in Google Chrome version 65 and later.
URLs will only match as U2F appIDs. Domains only match as webauthn RP IDs. So to cover both U2F and webauthn APIs, list the appID URL and domain for a given site.
Specifies what happens when a user who is authenticating via a security token (e.g., with a smart card) removes that token while in a session. IGNORE: Nothing happens. LOCK: The screen is locked until the user authenticates again. LOGOUT: The session is ended and the user is logged out. If this policy is not set, it defaults to IGNORE.
This policy only takes effect when the policy SecurityTokenSessionBehavior is set to LOCK or LOGOUT, and a user who authenticates via a smart card removes that smart card. Then, this policy specifies for how many seconds a notification which informs the user of the impending action is displayed. This notification is blocking the screen. The action will only happen after this notification expires. The user can prevent the action from happening by re-inserting the smart card before the notification expires. If this policy is set to zero, no notification will be displayed and the action happens immediately.
When this policy is set, it specifies the length of time after which a user is automatically logged out, terminating the session. The user is informed about the remaining time by a countdown timer shown in the system tray.
When this policy is not set, the session length is not limited.
If you set this policy, users cannot change or override it.
The policy value should be specified in milliseconds. Values are clamped to a range of 30 seconds to 24 hours.
Setting the policy (as recommended only) moves recommended locales for a managed session to the top of the list, in the order in which they appear in the policy. The first recommended locale is preselected.
If not set, the current UI locale is preselected.
For more than one recommended locale, the assumption is that users want to choose among these locales. Locale and keyboard layout selection is prominent when starting a managed session. Otherwise, the assumption is that most users want the preselected locale. Locale and keyboard layout selection is less prominent when starting a managed session.
If you set the policy and turn automatic sign-in on (see the DeviceLocalAccountAutoLoginId and DeviceLocalAccountAutoLoginDelay policies), the managed session uses the first recommended locale and the most popular matching keyboard layout.
The preselected keyboard layout is always the most popular layout matching the preselected locale. Users can always choose any locale supported by Google Chrome OS for their session.
When the policy is set to Enabled, the Javascript setTimeout() with a timeout of 0ms will not clamp to 1ms. When the policy is set to Disabled, the Javascript setTimeout() with a timeout of 0ms will clamp to 1ms. When the policy is unset, use the browser's default behavior for setTimeout() function clamp.
This is a web standards compliant feature, but it may change task ordering on a web page, leading to unexpected behavior on sites that are dependent on a certain ordering in some way. It also may affect sites with a lot of setTimeout() with a timeout of 0ms usage, e.g. increasing CPU load.
For users where this policy is unset, Chrome will roll out the change gradually on the stable channel.
This is a temporary policy that is planned be removed in Chrome 105. This deadline may be extended if there is a need for it among enterprises.
Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context. Google Chrome will require cross-origin isolation when using SharedArrayBuffers from Google Chrome 91 onward (2021-05-25) for Web Compatibility reasons. Additional details can be found on: https://developer.chrome.com/blog/enabling-shared-array-buffer/.
When set to Enabled, sites can use SharedArrayBuffer with no restrictions.
When set to Disabled or not set, sites can only use SharedArrayBuffers when cross-origin isolated.
Enable the Shared Clipboard feature which allows users to send text between Chrome Desktops and an Android device when Sync is enabled and the user is Signed-in.
If this policy is set to true, the capability of sending text, cross device, for chrome user is enabled.
If this policy is set to false, the capability of sending text, cross device, for chrome user is disabled.
If you set this policy, users cannot change or override it.
If this policy is left unset, the shared clipboard feature is enabled by default.
It is up to the admins to set policies in all platforms they care about. It's recommended to set this policy to one value in all platforms.
Control the position of the Google Chrome OS shelf.
If this policy is set to 'Bottom', the shelf will be placed at the bottom of the screen.
If this policy is set to 'Left', the shelf will be placed on the left side of the screen.
If this policy is set to 'Right', the shelf will be placed on the right side of the screen.
If you set this policy as mandatory, users cannot change or override it.
If the policy is left not set, the shelf will be be positioned at the bottom of the screen by default and the user can change the shelf's position.
Setting the policy to Always will autohide the Google Chrome OS shelf. Setting the policy to Never ensures the shelf never autohides.
If you set the policy, users can't change it. If not set, users decide whether the shelf autohides.
Setting the policy to True displays the apps shortcut. Setting the policy to False means this shortcut never appears.
If you set the policy, users can't change it. If not set, users decide to show or hide the apps shortcut from the bookmark bar context menu.
This feature enables display of the full URL in the address bar. If this policy is set to True, then the full URL will be shown in the address bar, including schemes and subdomains. If this policy is set to False, then the default URL display will apply. If this policy is left unset, then the default URL display will apply and the user will be able to toggle between default and full URL display with a context menu option.
Setting the policy to True displays a big, red sign-out button in the system tray during active sessions while the screen isn't locked.
Setting the policy to False or leaving it unset means no button appears.
Setting the policy to Enabled or leaving the policy unset means that users can bring up their most recent default search engine results page in a side panel via toggling an icon in the toolbar.
Setting the policy to Disabled removes the icon from the toolbar that opens the side panel with the default search engine results page.
Setting the policy to True or leaving it unset means Google Chrome will accept web contents served as Signed HTTP Exchanges.
Setting the policy to False prevents Signed HTTP Exchanges from loading.
This policy is deprecated, consider using BrowserSignin instead.
Allows the user to sign in to Google Chrome.
If you set this policy, you can configure whether a user is allowed to sign in to Google Chrome. Setting this policy to 'False' will prevent apps and extensions that use the chrome.identity API from functioning, so you may want to use SyncDisabled instead.
This settings enables or disables signin interception.
When this policy not set or is enabled, the signin interception dialog triggers when a Google account is added on the web, and the user may benefit from moving this account to another (new or existing) profile.
When this is disabled, the signin interception dialog does not trigger. When this is disabled, a dialog will still be shown if managed account profile separation is enforced by ManagedAccountsSigninRestriction.
Since Google Chrome 67, site isolation has been enabled by default on all Desktop platforms, causing every site to run in its own process. A site is a scheme plus eTLD+1 (e.g., https://example.com). Setting this policy to Enabled does not change that behavior; it only prevents users from opting out (for example, using Disable site isolation in chrome://flags). Since Google Chrome 76, setting the policy to Disabled or leaving it unset doesn't turn off site isolation, but instead allows users to opt out.
IsolateOrigins might also be useful for isolating specific origins at a finer granularity than site (e.g., https://a.example.com).
On Google Chrome OS version 76 and earlier, set the DeviceLoginScreenSitePerProcess device policy to the same value. (If the values don't match, a delay can occur when entering a user session.)
Note: For Android, use the SitePerProcessAndroid policy instead.
Setting the policy to Enabled isolates all sites on Android, such that each site runs in its own process, and it prevents users from opting out. A site is a scheme plus eTLD+1 (e.g., https://example.com). Note that Android isolates certain sensitive sites by default starting in Google Chrome version 77, and this policy extends that default site isolation mode to apply to all sites.
Setting the policy to Disabled turns off any form of site isolation, including isolation of sensitive sites and field trials of IsolateOriginsAndroid, SitePerProcessAndroid, and other site isolation modes. Users can still turn the policy on manually.
Leaving the policy unset means users can change this setting.
IsolateOriginsAndroid might also be useful for isolating specific origins at a finer granularity than site (e.g., https://a.example.com).
Note: Support for isolating every site on Android will improve, but currently it may cause performance problems, especially on low-end devices. This policy applies only to Chrome on Android running on devices with strictly more than 1 GB of RAM. To isolate specific sites while limiting performance impact for users, use IsolateOriginsAndroid with a list of the sites you want to isolate. To apply the policy on non-Android platforms, use SitePerProcess.
If this setting is enabled, users will be allowed to sign into their account with Smart Lock. This is more permissive than usual Smart Lock behavior which only allows users to unlock their screen.
If this setting is disabled, users will not be allowed to use Smart Lock Signin.
If this policy is left not set, the default is not allowed for enterprise-managed users and allowed for non-managed users.
Setting the policy to Enabled lets users set up their devices to sync their text messages to Chromebooks. Users must explicitly opt in to this feature by completing a setup flow. On completion, users can send and receive texts on their Chromebooks.
Setting the policy to Disabled means users can't set up text syncing.
Leaving the policy unset means that by default, the feature isn't allowed for managed users but is allowed for other users.
Setting the policy to Enabled puts a Google web service in use to help resolve spelling errors. This policy only controls the use of the online service. Setting the policy to Disabled means this service is never used.
Leaving the policy unset lets users choose whether to use the spellcheck service.
The spell check can always use a downloaded dictionary locally unless the feature is disabled by SpellcheckEnabled in which case this policy will have no effect.
Setting the policy to Enabled turns spellcheck on, and users can't turn it off. On Microsoft® Windows®, Google Chrome OS and Linux®, spellcheck languages can be switched on or off individually, so users can still turn spellcheck off by switching off every spellcheck language. To avoid that, use the SpellcheckLanguage to force-enable specific spellcheck languages.
Setting the policy to Disabled turns off spellcheck from all sources, and users can't turn it on. The SpellCheckServiceEnabled, SpellcheckLanguage and SpellcheckLanguageBlocklist policies have no effect when this policy is set to False.
Leaving the policy unset lets users turn spellcheck on or off in the language settings.
Force-enables spellcheck languages. Unrecognized languages in the list will be ignored.
If you enable this policy, spellcheck will be enabled for the languages specified, in addition to the languages for which the user has enabled spellcheck.
If you do not set this policy, or disable it, there will be no change to the user's spellcheck preferences.
If the SpellcheckEnabled policy is set to false, this policy will have no effect.
If a language is included in both this policy and the SpellcheckLanguageBlocklist policy, this policy is prioritized and the spellcheck language is enabled.
The currently supported languages are: af, bg, ca, cs, da, de, el, en-AU, en-CA, en-GB, en-US, es, es-419, es-AR, es-ES, es-MX, es-US, et, fa, fo, fr, he, hi, hr, hu, id, it, ko, lt, lv, nb, nl, pl, pt-BR, pt-PT, ro, ru, sh, sk, sl, sq, sr, sv, ta, tg, tr, uk, vi.
Force-disables spellcheck languages. Unrecognized languages in that list will be ignored.
If you enable this policy, spellcheck will be disabled for the languages specified. The user can still enable or disable spellcheck for languages not in the list.
If you do not set this policy, or disable it, there will be no change to the user's spellcheck preferences.
If the SpellcheckEnabled policy is set to false, this policy will have no effect.
If a language is included in both this policy and the SpellcheckLanguage policy, the latter is prioritized and the spellcheck language will be enabled.
The currently supported languages are: af, bg, ca, cs, da, de, el, en-AU, en-CA, en-GB, en-US, es, es-419, es-AR, es-ES, es-MX, es-US, et, fa, fo, fr, he, hi, hr, hu, id, it, ko, lt, lv, nb, nl, pl, pt-BR, pt-PT, ro, ru, sh, sk, sl, sq, sr, sv, ta, tg, tr, uk, vi.
Setting the policy to True prevents the browser window from launching at the start of the session.
Setting the policy to False or leaving it unset allows the window to launch.
Note: The browser window might not launch due to other policies or command-line flags.
This policy has been removed as of M85, please use InsecureContentAllowedForUrls to allow insecure content on a per-site basis instead. This policy controls the treatment for mixed content (HTTP content in HTTPS sites) in the browser. If the policy is set to true or unset, audio and video mixed content will be autoupgraded to HTTPS (i.e. the URL will be rewritten as HTTPS, without a fallback if the resource is not available over HTTPS) and a 'Not Secure' warning will be shown in the URL bar for image mixed content. If the policy is set to false, autoupgrades will be disabled for audio and video, and no warning will be shown for images. This policy does not affect other types of mixed content other than audio, video, and images. This policy will no longer take effect starting in Google Chrome 84.
The policy only applies to managed guest sessions. Setting the policy to True or leaving it unset will show a dialog asking the user to confirm or deny logout when the last window is closed. Setting the policy to False will prevent the dialog from being displayed and therefore also disables auto-logout after closing the last window.
As described in https://www.chromestatus.com/feature/5148698084376576 , JavaScript modal dialogs, triggered by window.alert, window.confirm, and window.prompt, will be blocked in Google Chrome if triggered from a subframe whose origin is different from the main frame origin. This policy allows overriding that change. If the policy is set to enabled or unset, JavaScript dialogs triggered from a different origin subframe will be blocked. If the policy is set to disabled, JavaScript dialogs triggered from a different origin subframe will not be blocked.
This policy will be removed in Google Chrome version 95.
Setting the policy to Enabled suppresses the warning that appears when Google Chrome is running on an unsupported computer or operating system.
Setting the policy to Disabled or leaving it unset means the warnings appear on unsupported systems.
Setting the policy to Enabled turns off data synchronization in Google Chrome using Google-hosted synchronization services. To fully turn off Chrome Sync services, we recommend that you turn off the service in the Google Admin console.
If the policy is set to Disabled or not set, users are allowed to choose whether to use Chrome Sync.
Note: Do not turn on this policy when RoamingProfileSupportEnabled is Enabled, because that feature shares the same client-side functionality. The Google-hosted synchronization is off completely in this case.
Disabling Chrome Sync will cause Android Backup and Restore to not function properly.
If this policy is set all specified data types will be excluded from synchronization both for Chrome Sync as well as for roaming profile synchronization. This can be beneficial to reduce the size of the roaming profile or limit the type of data uploaded to the Chrome Sync Servers.
The current data types for this policy are: "bookmarks", "readingList", "preferences", "passwords", "autofill", "themes", "typedUrls", "extensions", "apps", "tabs", "wifiConfigurations". Those names are case sensitive!
Allows you to set a list of Google Chrome OS features to be disabled.
Disabling any of these features means that the user can't access it from the UI and will see it as "disabled by admin". The user experience of disabled features is decided by SystemFeaturesDisableMode
If the policy is left not set, all Google Chrome OS features will be enabled by default and the user can use any of them.
Note: The scanning feature is currently disabled by default via a feature flag. If the user enables the feature via the feature flag, the feature can still be disabled by this policy.
Controls the user experience of disabled features listed in SystemFeaturesDisableList.
If this policy is set to "blocked", the disabled features will become unusable but still visible to users.
If this policy is set to "hidden", the disabled features will become unusable and invisible to users.
If this policy is left unset or has an invalid value, the disable mode of system features will be "blocked".
Configures the availability of System-proxy service and the proxy credentials for system services. If the policy is not set, System-proxy service will not be available.
Setting the policy to Disabled prevents users from ending processes in the Task Manager.
Setting the policy to Enabled or leaving it unset lets users end processes in the Task Manager.
Setting the policy means Google Chrome OS downloads the Terms of Service and presents them to users whenever a device-local account session starts. Users can only sign in to the session after accepting the Terms of Service.
Leaving the policy unset means no Terms of Service appear.
The policy should be set to a URL from which Google Chrome OS can download the Terms of Service. The Terms of Service must be plain text, served as MIME type text/plain. No markup is allowed.
Setting the policy to Enabled or leaving it unset prevents third-party software from injecting executable code into Google Chrome's processes.
Setting the policy to Disabled allows this software to inject such code into Google Chrome's processes.
By default the Terms of Service are shown when CCT is first-run. Setting this policy to SkipTosDialog will cause the Terms of Service dialog to not appear during the first-run-experience or subsequent runs. Setting this policy to StandardTosDialog or leaving it unset will cause the Terms of Service dialog to appear during the first-run-experience. The other caveats are:
- This policy only works on fully managed Android devices that can be configured by Unified Endpoint Management vendors.
- If this policy is SkipTosDialog the BrowserSignin policy will have no effect.
- If this policy is SkipTosDialog metrics will not be sent to the server.
- If this policy is SkipTosDialog the browser will have limited functionality.
- If this policy is SkipTosDialog admins must communicate this to end users of the device.
Configures the amount of memory that a single Google Chrome instance can use before tabs start being discarded (I.E. the memory used by the tab will be freed and the tab will have to be reloaded when switched to) to save memory.
If the policy is set, browser will begin to discard tabs to save memory once the limitation is exceeded. However, there is no guarantee that the browser is always running under the limit. Any value under 1024 will be rounded up to 1024.
If this policy is not set, the browser will only begin attempts to save memory once it has detected that the amount of physical memory on its machine is low.
Controls the on-screen keyboard, acting as a supplementary policy to the VirtualKeyboardEnabled policy.
If the VirtualKeyboardEnabled policy is True or if the Enable on-screen keyboard ChromeOS setting is on, this policy has no effect.
If the VirtualKeyboardEnabled policy is False or not set and the Enable on-screen keyboard ChromeOS setting is off, this policy has the following effect: If this policy is not set, the on-screen keyboard is displayed when the device is in tablet mode. If this policy is set to True, the on-screen keyboard is always displayed. If this policy is set to False, the on-screen keyboard is never displayed.
The on-screen keyboard may change to a compact layout depending on the input method.
If you set the policy, users can't change it.
Setting the policy to True provides translation functionality when it's appropriate for users by showing an integrated translate toolbar in Google Chrome and a translate option on the right-click context menu. Setting the policy to False shuts off all built-in translate features.
If you set the policy, users can't change this function. Leaving it unset lets them change the setting.
If set to Enabled, the deprecated U2F Security Key API can be used and the deprecation reminder prompt shown for U2F API requests is suppressed.
If the policy is set to Disabled or left unset, the default behavior will apply.
The U2F Security Key API is deprecated and it will be disabled by default in Chrome 98.
This is a temporary opt-out mechanism. The U2F API will be removed from Chrome in Chrome 104, at which point this policy will cease to be supported.
For more information about the deprecation of the U2F Security Key API, please refer to https://groups.google.com/a/chromium.org/g/blink-dev/c/xHC3AtU_65A.
Setting the policy provides access to the listed URLs, as exceptions to URLBlocklist. See that policy's description for the format of entries of this list. For example, setting URLBlocklist to * will block all requests, and you can use this policy to allow access to a limited list of URLs. Use it to open exceptions to certain schemes, subdomains of other domains, ports, or specific paths, using the format specified at ( https://www.chromium.org/administrators/url-blocklist-filter-format ). The most specific filter determines if a URL is blocked or allowed. The URLAllowlist policy takes precedence over URLBlocklist. This policy is limited to 1,000 entries.
This policy also allows enabling the automatic invocation by the browser of external application registered as protocol handlers for the listed protocols like "tel:" or "ssh:".
Leaving the policy unset allows no exceptions to URLBlocklist.
From Google Chrome version 92, this policy is also supported in the headless mode.
On Microsoft® Windows®, this functionality is only available on instances that are joined to a Microsoft® Active Directory® domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
Android apps may voluntarily choose to honor this list. You cannot force them to honor it.
Setting the policy prevents webpages with prohibited URLs from loading. It provides a list of URL patterns that specify forbidden URLs. Leaving the policy unset means no URLs are prohibited in the browser. Format the URL pattern according to this format ( https://www.chromium.org/administrators/url-blocklist-filter-format ). Up to 1,000 exceptions can be defined in URLAllowlist.
From Google Chrome version 73, you can block javascript://* URLs. However, it affects only JavaScript entered in the address bar (or, for example, bookmarklets). In-page JavaScript URLs with dynamically loaded data aren't subject to this policy. For example, if you block example.com/abc, then example.com can still load example.com/abc using XMLHTTPRequest.
From Google Chrome version 92, this policy is also supported in the headless mode.
Note: Blocking internal chrome://* URLs can lead to unexpected errors.
Android apps may voluntarily choose to honor this list. You cannot force them to honor it.
Setting the policy to True turns on Unified Desktop, which allows applications to span multiple displays. Users can turn off Unified Desktop for individual displays.
Setting the policy to False or leaving it unset turns off Unified Desktop, and users can't turn it on.
Deprecated in M69. Use OverrideSecurityRestrictionsOnInsecureOrigin instead.
The policy specifies a list of origins (URLs) or hostname patterns (such as "*.example.com") for which security restrictions on insecure origins will not apply.
The intent is to allow organizations to allow origins for legacy applications that cannot deploy TLS, or to set up a staging server for internal web development so that their developers can test out features requiring secure contexts without having to deploy TLS on the staging server. This policy will also prevent the origin from being labeled "Not Secure" in the omnibox.
Setting a list of URLs in this policy has the same effect as setting the command-line flag '--unsafely-treat-insecure-origin-as-secure' to a comma-separated list of the same URLs. If the policy is set, it will override the command-line flag.
This policy is deprecated in M69 in favor of OverrideSecurityRestrictionsOnInsecureOrigin. If both policies are present, OverrideSecurityRestrictionsOnInsecureOrigin will override this policy.
For more information on secure contexts, see https://www.w3.org/TR/secure-contexts/
Setting the policy to Enabled means URL-keyed anonymized data collection, which sends URLs of pages the user visits to Google to make searches and browsing better, is always active.
Setting the policy to Disabled results in no URL-keyed anonymized data collection.
If you set the policy, users can't change. If not set, then URL-keyed anonymized data collection at first, but users can change it.
When enabled or not set, the URL parameter filter may remove some parameters when a user selects "Open Link in Incognito Window" from the context menu. When disabled, no filtering is performed. This policy is temporary and may be removed in a future release.
When enabled the User-Agent Client Hints GREASE Update feature aligns the User-Agent GREASE algorithm with the latest spec. The updated spec may break some websites that restrict the characters that requests may contain. See the spec for more information: https://wicg.github.io/ua-client-hints/#grease If this policy is enabled or not set, the browser will decide which User-Agent GREASE algorithm to use. If the policy is disabled the prior User-Agent GREASE algorithm is used. This policy is a temporary measure and will be removed in a future release.
The User-Agent HTTP request header is scheduled to be reduced. In order to facilitate testing and compatibility, this policy can enable the reduction feature for all websites, or disable the ability for origin trials or field trials to enable the feature.
To learn more about the User-Agent Reduction and its timeline, read here:
https://blog.chromium.org/2021/09/user-agent-reduction-origin-trial-and-dates.html
This policy allows you to configure the avatar image representing the user on the login screen. The policy is set by specifying the URL from which Google Chrome OS can download the avatar image and a cryptographic hash used to verify the integrity of the download. The image must be in JPEG format, its size must not exceed 512kB. The URL must be accessible without any authentication.
The avatar image is downloaded and cached. It will be re-downloaded whenever the URL or the hash changes.
If this policy is set, Google Chrome OS will download and use the avatar image.
If you set this policy, users cannot change or override it.
If the policy is left not set, the user can choose the avatar image representing them on the login screen.
Configures the directory that Google Chrome will use for storing user data.
If you set this policy, Google Chrome will use the provided directory regardless whether the user has specified the '--user-data-dir' flag or not. To avoid data loss or other unexpected errors this policy should not be set to a directory used for other purposes, because Google Chrome manages its contents.
See https://support.google.com/chrome/a?p=Supported_directory_variables for a list of variables that can be used.
If this policy is left not set the default profile path will be used and the user will be able to override it with the '--user-data-dir' command line flag.
Following each major version update, Chrome will create a snapshot of certain portions of the user's browsing data for use in case of a later emergency version rollback. If an emergency rollback is performed to a version for which a user has a corresponding snapshot, the data in the snapshot is restored. This allows users to retain such settings as bookmarks and autofill data.
If this policy is not set, the default value of 3 is used
If the policy is set, old snapshots are deleted as needed to respect the limit. If the policy is set to 0, no snapshots will be taken
Controls the account name Google Chrome OS shows on the login screen for the corresponding device-local account.
If this policy is set, the login screen will use the specified string in the picture-based login chooser for the corresponding device-local account.
If the policy is left not set, Google Chrome OS will use the device-local account's email account ID as the display name on the login screen.
This policy is ignored for regular user accounts.
Setting the policy to Enabled or leaving it unset lets users send feedback to Google through Menu > Help > Report an Issue or key combination.
Setting the policy to Disabled means users can't send feedback to Google.
Setting the policy to Enabled or leaving it unset means that, with the exception of URLs set in the VideoCaptureAllowedUrls list, users get prompted for video capture access.
Setting the policy to Disabled turns off prompts, and video capture is only available to URLs set in the VideoCaptureAllowedUrls list.
Note: The policy affects all video input (not just the built-in camera).
Setting the policy means you specify the URL list whose patterns get matched to the security origin of the requesting URL. A match grants access to video capture devices without prompt
For detailed information on valid url patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.
Instructs Google Chrome OS to enable or disable virtual machine management console tools.
If the policy is set to true or left unset, the user will be able to use VM management CLI. Otherwise, all of VM management CLI is disabled and hidden.
Setting the policy to Enabled or leaving it unset lets users manage (disconnect or modify) VPN connections. If the VPN connection is created using a VPN app, the UI inside the app isn't affected. So, users might still be able to use the app to modify the VPN connection. Use this policy with the Always on VPN feature, which lets the admin decide to establish a VPN connection when starting a device.
Setting the policy to Disabled turns off the Google Chrome OS user interfaces that would let the user disconnect or modify VPN connections.
Setting the policy to Enabled or leaving it unset turns on WPAD (Web Proxy Auto-Discovery) optimization in Google Chrome.
Setting the policy to Disabled turns off WPAD optimization, causing Google Chrome to wait longer for DNS-based WPAD servers.
Whether or not this policy is set, users can't change the WPAD optimization setting.
If you set the policy, Google Chrome OS
downloads and uses the wallpaper image you set for the user's desktop and sign-in screen background, and users can't change it. Specify the URL (that's accessible without authentication) which Google Chrome OS
can download the wallpaper image from, as well as a cryptographic hash (in JPEG format with a file size up to 16 MB) to verify its integrity.
If not set, users choose the image for the desktop and sign-in screen background.
Controls "Warn Before Quitting (⌘Q)" dialog when the user is attempting to quit browser.
If this policy is set to Enabled or not set, a warning dialog is shown when the user is attempting to quit.
If this policy is set to Disabled, a warning dialog is not shown when the user is attempting to quit.
Setting the policy specifies a list of web apps that install silently, without user interaction, and which users can't uninstall or turn off.
Each list item of the policy is an object with a mandatory member: url (the URL of the web app to install)
and 5 optional members: - default_launch_container (for how the web app opens—a new tab is the default)
- create_desktop_shortcut (True if you want to create Linux and Microsoft® Windows® desktop shortcuts).
- fallback_app_name (Starting with Google Chrome version 90, allows you to override the app name if it is not a Progressive Web App (PWA), or the app name that is temporarily installed if it is a PWA but authentication is required before the installation can be completed. If both custom_name and fallback_app_name are provided, the latter will be ignored.)
- custom_name (Starting with Google Chrome version 99, allows you to permanently override the app name for all web apps and PWAs. Currently only supported on Google Chrome OS.)
- custom_icon (Starting with Google Chrome version 99, allows you to override the app icon of installed apps. The icons have to be square, maximal 1 MB in size, and in one of the following formats: jpeg, png, gif, webp, ico. The hash value has to be the SHA256 hash of the icon file. Currently only supported on Google Chrome OS.)
See PinnedLauncherApps for pinning apps to the Google Chrome OS shelf.
This policy allows an admin to specify settings for installed web apps.
This policy maps a Web App ID to its specific setting. A default configuration can be set using the special ID "*", which applies to all web apps without a custom configuration in this policy.
The "manifest_id" field is the Manifest ID for the Web App. See https://developer.chrome.com/blog/pwa-manifest-id/ for instructions on how to determine the Manifest ID for an installed web app. The "run_on_os_login" field specifies if a web app can be run during OS login. If this field is set to "blocked", the web app will not run during OS login and the user will not be able to enable this later. If this field is set to "run_windowed", the web app will run during OS login and the user will not be able to disable this later. If this field is set to "allowed", the user will be able to configure the web app to run at OS login. The default configuration only allows the "allowed" and "blocked" values.
Setting the policy controls which WebAuthn factors can be used.
To allow:
* Every WebAuthn factor, use ["all"] (includes factors added in the future).
* Only PIN, use ["PIN"].
* PIN and fingerprint, use ["PIN", "FINGERPRINT"].
If the policy is unset or set to an empty list, no WebAuthn factors are available for managed devices.
If enabled, WebRTC peer connections can downgrade to obsolete versions of the TLS/DTLS (DTLS 1.0, TLS 1.0 and TLS 1.1) protocols. When this policy is disabled or not set, these TLS/DTLS versions are disabled.
This policy is temporary and will be removed in a future version of Google Chrome.
Setting the policy to Enabled means Google Chrome can collect WebRTC event logs from Google services such as Hangouts Meet and upload them to Google. These logs have diagnostic information for debugging issues with audio or video meetings in Google Chrome, such as the time and size of RTP packets, feedback about congestion on the network, and metadata about time and quality of audio and video frames. These logs have no audio or video content from the meeting. To make debugging easier, Google might associate these logs, by means of a session ID, with other logs collected by the Google service itself.
Setting the policy to Disabled results in no collection or uploading of such logs.
Leaving the policy unset on versions up to and including M76 means Google Chrome defaults to not being able to collect and upload these logs. Starting at M77, Google Chrome defaults to being able to collect and upload these logs from most profiles affected by cloud-based, user-level enterprise policies. From M77 up to and including M80, Google Chrome can also collect and upload these logs by default from profiles affected by Google Chrome on-premise management.
This policy allows restricting which IP addresses and interfaces WebRTC uses when attempting to find the best available connection. See RFC 8828 section 5.2 (https://tools.ietf.org/html/rfc8828.html#section-5.2). When unset, defaults to using all available interfaces.
Patterns in this list will be matched against the security origin of the requesting URL. If a match is found or chrome://flags/#enable-webrtc-hide-local-ips-with-mdns is Disabled, the local IP addresses are shown in WebRTC ICE candidates. Otherwise, local IP addresses are concealed with mDNS hostnames. Please note that this policy weakens the protection of local IPs if needed by administrators.
If the policy is set, the UDP port range used by WebRTC is restricted to the specified port interval (endpoints included).
If the policy is not set, or if it is set to the empty string or an invalid port range, WebRTC is allowed to use any available local UDP port.
WebSQL is on by default as of M101, but can be disabled via Chrome flag. If this policy is set to false or unset, WebSQL can be disabled. If this policy is set to true, WebSQL cannot be disabled.
If this setting is enabled, users will be allowed to sync Wi-Fi network configurations between their Google Chrome OS device(s) and a connected Android phone. Before Wi-Fi network configurations can sync, users must explicitly opt in to this feature by completing a setup flow.
If this setting is disabled, users will not be allowed to sync Wi-Fi network configurations.
This feature depends on the wifiConfigurations datatype in Chrome Sync being enabled. If wifiConfigurations is disabled in the SyncTypesListDisabled policy, or Chrome Sync is disabled in the SyncDisabled policy this feature will not be enabled.
If this policy is left not set, the default is not allowed for managed users.
Enables window occlusion in Google Chrome.
If you enable this setting, to reduce CPU and power consumption Google Chrome will detect when a window is covered by other windows, and will suspend work painting pixels.
If you disable this setting Google Chrome will not detect when a window is covered by other windows.
If this policy is left not set, occlusion detection will be enabled.